[{"data":1,"prerenderedAt":5854},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":99,"navbar-resource-highlight":173,"use-case-page":219,"fa-icon-regular-faFishingRod":1241,"fa-icon-regular-faPuzzlePiece":1245,"fa-icon-regular-faUserSecret":1247,"fa-icon-regular-faRadar":1249,"fa-icon-regular-faLaptopCode":1251,"fa-icon-regular-faSatelliteDish":1253,"fa-icon-regular-faShieldCheck":1255,"fa-icon-regular-faBrainCircuit":1257,"blog/analyzing-the-instructure-breach":1259},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"7qimqaf0to7",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"query":41,"data":42,"variations":88,"lastUpdated":89,"firstPublished":90,"testRatio":23,"createdBy":91,"lastUpdatedBy":92,"folders":93,"meta":94,"rev":98},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible 
banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":84},"ewrererw","testrfesssssssssss",[46,72],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":62},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":61},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":60,"fontSize":58,"url":55},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":63},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"marginTop":69,"marginBottom":69,"fontSize":70,"fontWeight":71},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":73,"@type":47,"tagName":74,"properties":75,"responsiveStyles":79},"builder-pixel-tdeovv8scb","img",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":80},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},"block","hidden","none",{"deviceSize":85,"location":86},"large",{"path":29,"query":87},{},{},1775137295127,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":95,"hasLinks":6,"kind":96,"lastPreviewUrl":97,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFold
ers%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","k4msu89s14k",[100,136],{"createdDate":101,"id":102,"name":103,"modelId":104,"published":13,"stageModifiedSincePublish":6,"query":105,"data":106,"variations":129,"lastUpdated":130,"firstPublished":131,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":132,"meta":133,"rev":135},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":107,"type":108,"testimonialLink":109,"testimonial":110},{},"testimonial","/customer-stories/inductive-automation",{"@type":111,"id":112,"model":108,"value":113},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":114,"folders":115,"createdDate":116,"id":112,"name":117,"modelId":118,"published":13,"data":119,"variations":123,"lastUpdated":124,"firstPublished":125,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"meta":126,"rev":128},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":120,"jobTitle":121,"quote":117,"image":122},"Jason Waits","\u003Cp>CISO at Inductive 
Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":127,"hasAutosaves":34},{"small":32,"medium":33},"hfgeu9mrt16",{},1776247404986,1776247404973,[],{"breakpoints":134,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"y60xx2hbxz",{"createdDate":137,"id":138,"name":139,"modelId":104,"published":13,"meta":140,"stageModifiedSincePublish":6,"query":142,"data":143,"variations":169,"lastUpdated":170,"firstPublished":171,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":172,"rev":135},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":141,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":144,"link":163,"type":166,"title":139,"description":167,"image":168},{"@type":111,"id":145,"model":108,"value":146},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":147,"folders":148,"createdDate":149,"id":145,"name":150,"modelId":118,"published":13,"data":151,"variations":157,"lastUpdated":158,"firstPublished":159,"testRatio":23,"createdBy":91,"lastUpdatedBy":24,"meta":160,"rev":162},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":152,"jobTitle":153,"author":154,"qoute":29,"quote":155,"image":156},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the 
endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":161,"hasAutosaves":34},{"small":32,"medium":33},"wpie22o3top",{"text":164,"url":165},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[174,197],{"createdDate":175,"id":176,"name":139,"modelId":177,"published":13,"meta":178,"stageModifiedSincePublish":6,"query":180,"data":181,"variations":192,"lastUpdated":193,"firstPublished":194,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":195,"rev":196},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":179,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":182,"link":191,"type":166,"title":139,"description":167,"image":168},{"@type":111,"id":145,"model":108,"value":183},{"query":184,"folders":185,"createdDate":149,"id":145,"name":150,"modelId":118,"published":13,"data":186,"variations":187,"lastUpdated":158,"firstPublished":159,"testRatio":23,"createdBy":91,"lastUpdatedBy":24,"meta":188,"rev":190},[],[],{"video":152,"jobTitle":153,"author":154,"qoute":29,"quote":155,"image":156},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":189,"hasAutosaves":34},{"small":32,"medium":33},"n66htv2mzw",{"text":164,"url":165},{},1776256937553,1776256937540,[],"9nln2do1phi",{"createdDate":198,"id":199,"name":200,"modelId":177,"published":13,"stageModifiedSincePublish":6,"query":201,"data":202,"variations":213,"lastUpdated":214,"firstPublished":215,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":216,"meta":217,"rev":196},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":203,"typ
e":108,"testimonial":204,"testimonialLink":109},{},{"@type":111,"id":112,"model":108,"value":205},{"query":206,"folders":207,"createdDate":116,"id":112,"name":117,"modelId":118,"published":13,"data":208,"variations":209,"lastUpdated":124,"firstPublished":125,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"meta":210,"rev":212},[],[],{"author":120,"jobTitle":121,"quote":117,"image":122},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":211,"hasAutosaves":34},{"small":32,"medium":33},"pa0nzzjqgcq",{},1776256974140,1776256974130,[],{"breakpoints":218,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[220,404,523,642,760,880,1000,1120],{"createdDate":221,"id":222,"name":223,"modelId":224,"published":13,"stageModifiedSincePublish":6,"query":225,"data":231,"variations":392,"lastUpdated":393,"firstPublished":394,"testRatio":23,"screenshot":395,"createdBy":91,"lastUpdatedBy":396,"folders":397,"meta":398,"rev":403},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[226],{"@type":227,"property":228,"operator":229,"value":230},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":232,"customFonts":233,"seoTitle":281,"title":281,"tsCode":29,"seoDescription":282,"fontAwesomeIcon":283,"jsCode":29,"blocks":284,"url":230,"state":389},[],[234],{"family":235,"kind":236,"version":237,"lastModified":238,"files":239,"category":258,"menu":259,"subsets":260,"variants":263},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"800italic":248,"900italic":249,"700italic":250,"100italic":251,"italic":252,"regular":253,"200italic":254,"500italic":255,"300italic":256,"600italic":257},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[261,262],"latin","latin-ext",[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[285,384],{"@type":47,"@version":48,"tagName":286,"id":287,"children":288},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[289,306,314,321,333,348,359,370,376],{"@type":47,"@version":48,"layerName":290,"id":291,"component":292,"responsiveStyles":303},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":290,"options":293,"isRSC":61},{"title":281,"description":294,"points":295,"video":302},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to adversary-in-the-middle (AiTM) credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":332},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":334,"component":335,"responsiveStyles":343},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":336,"options":337,"isRSC":61},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":340,"description":341,"reverse":34,"image":342},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":344},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},"DM Sans, sans-serif","20px","0px",{"@type":47,"@version":48,"id":349,"component":350,"responsiveStyles":356},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":336,"options":351,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":353,"description":354,"reverse":6,"image":355},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook, including script behavior, session hijacks, DOM changes, and user inputs, then connects the dots in real time.
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":368},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},"47px",{"@type":47,"@version":48,"id":371,"component":372,"responsiveStyles":374},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":317,"options":373,"isRSC":61},{"darkMode":6},{"large":375},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":377,"component":378,"responsiveStyles":382},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":379,"tag":379,"options":380,"isRSC":61},"LatestResources",{"sectionHeading":29,"customClass":381},"bg-black",{"large":383},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":385,"@type":47,"tagName":74,"properties":386,"responsiveStyles":387},"builder-pixel-1vm3pu901lj",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":388},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":390},{"path":29,"query":391},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":399,"winningTest":61,"breakpoints":400,"kind":401,"hasLinks":6,"originalContentId":402,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=3874
51215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"page","2daa5670b8504fc7ba4700633e8bd921","kpmzg6f3up",{"createdDate":405,"id":406,"name":407,"modelId":224,"published":13,"stageModifiedSincePublish":6,"query":408,"data":411,"variations":515,"lastUpdated":516,"firstPublished":517,"testRatio":23,"screenshot":518,"createdBy":91,"lastUpdatedBy":396,"folders":519,"meta":520,"rev":403},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[409],{"@type":227,"property":228,"operator":229,"value":410},"/uc/browser-extension-security",{"seoDescription":412,"jsCode":29,"fontAwesomeIcon":413,"tsCode":29,"title":407,"seoTitle":407,"customFonts":414,"inputs":419,"blocks":420,"url":410,"state":512},"Shine a light on risky browser extensions.","faPuzzlePiece",[415],{"kind":236,"family":235,"version":237,"files":416,"category":258,"lastModified":238,"subsets":417,"variants":418,"menu":259},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"100italic":251,"italic":252,"regular":253,"900italic":249,"800italic":248,"700italic":250,"200italic":254,"300italic":256,"500italic":255,"600italic":257},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],[],[421,507],{"@type":47,"@version":48,"tagName":286,"id":422,"meta":423,"children":424},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":287},[425,441,448,455,464,474,484,494,501],{"@type":47,"@version":48,"id":426,"meta":427,"component":428,"responsiveStyles":439},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":291},{"name":290,"options":429,"isRSC":61},{"title":407,"description":430,"points":431,"video":438},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. 
Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[432,434,436],{"item":433},"Discover every browser extension in use",{"item":435},"Spot risky or unsanctioned behavior",{"item":437},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":440},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":442,"meta":443,"component":444,"responsiveStyles":446},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":307},{"name":309,"options":445,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":447},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":449,"meta":450,"component":451,"responsiveStyles":453},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":315},{"name":317,"options":452,"isRSC":61},{"darkMode":34},{"large":454},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"layerName":322,"id":456,"component":457,"responsiveStyles":462},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":322,"tag":322,"options":458,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":459,"description":460,"image":461,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. 
Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":463},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":465,"meta":466,"component":467,"responsiveStyles":472},"builder-93738f98109a4009affb349afd7bb182",{"previousId":334},{"name":336,"options":468,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":469,"description":470,"reverse":34,"image":471},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":473},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},{"@type":47,"@version":48,"id":475,"meta":476,"component":477,"responsiveStyles":482},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":349},{"name":336,"options":478,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":479,"description":480,"reverse":6,"image":481},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. 
This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":483},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":485,"meta":486,"component":487,"responsiveStyles":492},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":360},{"name":336,"options":488,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":489,"description":490,"reverse":34,"image":491},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. 
You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":493},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":495,"meta":496,"component":497,"responsiveStyles":499},"builder-1a689287d1a1418997d57db578a71105",{"previousId":371},{"name":317,"options":498,"isRSC":61},{"darkMode":6},{"large":500},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":502,"component":503,"responsiveStyles":505},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":379,"tag":379,"options":504,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":506},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":508,"@type":47,"tagName":74,"properties":509,"responsiveStyles":510},"builder-pixel-bnd8zbe7z8g",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":511},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":513},{"path":29,"query":514},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":401,"winningTest":61,"breakpoints":521,"lastPreviewUrl":522,"hasLinks":6,"originalContentId":222,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true
&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":524,"id":525,"name":526,"modelId":224,"published":13,"query":527,"data":530,"variations":633,"lastUpdated":634,"firstPublished":635,"testRatio":23,"screenshot":636,"createdBy":91,"lastUpdatedBy":637,"folders":638,"meta":639,"rev":403},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[528],{"@type":227,"property":228,"operator":229,"value":529},"/uc/account-takeover-detection",{"title":526,"customFonts":531,"jsCode":29,"seoTitle":526,"seoDescription":536,"fontAwesomeIcon":537,"tsCode":29,"blocks":538,"url":529,"state":630},[532],{"kind":236,"category":258,"variants":533,"menu":259,"files":534,"family":235,"subsets":535,"version":237,"lastModified":238},[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"300italic":256,"500italic":255,"800italic":248,"700italic":250,"italic":252,"900italic":249,"600italic":257,"200italic":254,"regular":253,"100italic":251},[261,262],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[539,625],{"@type":47,"@version":48,"tagName":286,"id":540,"meta":541,"children":542},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":287},[543,559,566,573,582,592,602,612,619],{"@type":47,"@version":48,"id":544,"meta":545,"component":546,"responsiveStyles":557},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":291},{"name":290,"options":547,"isRSC":61},{"title":526,"description":548,"points":549,"video":556},"\u003Cp>Attackers don’t need to phish, they just need a password that works. 
Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[550,552,554],{"item":551},"Identify credential-based ATO as it unfolds",{"item":553},"Surface hijacked sessions and token misuse",{"item":555},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":558},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":560,"meta":561,"component":562,"responsiveStyles":564},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":307},{"name":309,"options":563,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":565},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":567,"meta":568,"component":569,"responsiveStyles":571},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":315},{"name":317,"options":570,"isRSC":61},{"darkMode":34},{"large":572},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":574,"component":575,"responsiveStyles":580},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":322,"tag":322,"options":576,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":577,"description":578,"image":579,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. 
Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":581},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":583,"meta":584,"component":585,"responsiveStyles":590},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":334},{"name":336,"options":586,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":587,"description":588,"reverse":34,"image":589},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. 
By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":591},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":593,"meta":594,"component":595,"responsiveStyles":600},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":349},{"name":336,"options":596,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":597,"description":598,"reverse":6,"image":599},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":601},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":603,"meta":604,"component":605,"responsiveStyles":610},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":360},{"name":336,"options":606,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":607,"description":608,"reverse":34,"image":609},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":611},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":613,"meta":614,"component":615,"responsiveStyles":617},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":371},{"name":317,"options":616,"isRSC":61},{"darkMode":6},{"large":618},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":620,"component":621,"responsiveStyles":623},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":379,"tag":379,"options":622,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":624},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":626,"@type":47,"tagName":74,"properties":627,"responsiveStyles":628},"builder-pixel-cw9nfqj6jg5",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":629},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":631},{"path":29,"query":632},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":640,"hasLinks":6,"originalContentId":222,"breakpoints":641,"winningTest":61,"kind":401,"hasAutosaves":34},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesig
nSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":643,"id":644,"name":645,"modelId":224,"published":13,"query":646,"data":649,"variations":752,"lastUpdated":753,"firstPublished":754,"testRatio":23,"screenshot":755,"createdBy":91,"lastUpdatedBy":637,"folders":756,"meta":757,"rev":403},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[647],{"@type":227,"property":228,"operator":229,"value":648},"/uc/attack-path-hardening",{"tsCode":29,"seoDescription":650,"jsCode":29,"customFonts":651,"fontAwesomeIcon":656,"seoTitle":645,"title":645,"blocks":657,"url":648,"state":749},"Harden access paths with visibility,  detection, and 
guardrails.",[652],{"kind":236,"files":653,"version":237,"lastModified":238,"subsets":654,"menu":259,"category":258,"variants":655,"family":235},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"regular":253,"italic":252,"800italic":248,"500italic":255,"600italic":257,"200italic":254,"900italic":249,"700italic":250,"100italic":251,"300italic":256},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],"faRadar",[658,744],{"@type":47,"@version":48,"tagName":286,"id":659,"meta":660,"children":661},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":540},[662,678,685,692,701,711,721,731,738],{"@type":47,"@version":48,"id":663,"meta":664,"component":665,"responsiveStyles":676},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":544},{"name":290,"options":666,"isRSC":61},{"title":645,"description":667,"points":668,"video":675},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[669,671,673],{"item":670},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":672},"Monitor how users actually log in across apps, flows, and tools",{"item":674},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":677},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":679,"meta":680,"component":681,"responsiveStyles":683},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":560},{"name":309,"options":682,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":684},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":686,"meta":687,"component":688,"responsiveStyles":690},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":567},{"name":317,"options":689,"isRSC":61},{"darkMode":34},{"large":691},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":693,"component":694,"responsiveStyles":699},"builder-dec0246085e1485c803f7152b1922a81",{"name":322,"tag":322,"options":695,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":696,"description":697,"image":698,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":700},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":702,"meta":703,"component":704,"responsiveStyles":709},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":583},{"name":336,"options":705,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":706,"description":707,"reverse":34,"image":708},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":710},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},{"@type":47,"@version":48,"id":712,"meta":713,"component":714,"responsiveStyles":719},"builder-431d175c59004669b0b2776b07d71737",{"previousId":593},{"name":336,"options":715,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":716,"description":717,"reverse":6,"image":718},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":720},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":722,"meta":723,"component":724,"responsiveStyles":729},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":603},{"name":336,"options":725,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":726,"description":727,"reverse":34,"image":728},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":730},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":732,"meta":733,"component":734,"responsiveStyles":736},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":613},{"name":317,"options":735,"isRSC":61},{"darkMode":6},{"large":737},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":739,"component":740,"responsiveStyles":742},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":379,"tag":379,"options":741,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":743},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":745,"@type":47,"tagName":74,"properties":746,"responsiveStyles":747},"builder-pixel-qhy5r7a4k2",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":748},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":750},{"path":29,"query":751},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":401,"lastPreviewUrl":758,"breakpoints":759,"hasLinks":6,"originalContentId":525,"winningTest":61,"hasAutosaves":34},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEd
it=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":761,"id":762,"name":763,"modelId":224,"published":13,"query":764,"data":767,"variations":872,"lastUpdated":873,"firstPublished":874,"testRatio":23,"screenshot":875,"createdBy":91,"lastUpdatedBy":637,"folders":876,"meta":877,"rev":403},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[765],{"@type":227,"property":228,"operator":229,"value":766},"/uc/clickfix-protection",{"seoDescription":768,"fontAwesomeIcon":769,"customFonts":770,"seoTitle":775,"jsCode":29,"tsCode":29,"title":775,"blocks":776,"url":766,"state":869},"Block attacks that trick users into running malicious code.","faLaptopCode",[771],{"files":772,"subsets":773,"menu":259,"version":237,"kind":236,"family":235,"lastModified":238,"variants":774,"category":258},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"200italic":254,"800italic":248,"700italic":250,"600italic":257,"100italic":251,"italic":252,"regular":253,"300italic":256,"500italic":255,"900italic":249},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],"ClickFix protection",[777,864],{"@type":47,"@version":48,"tagName":286,"id":778,"meta":779,"children":780},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":659},[781,797,804,811,821,831,841,851,858],{"@type":47,"@version":48,"id":782,"meta":783,"component":784,"responsiveStyles":795},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":663},{"name":290,"options":785,"isRSC":61},{"title":775,"description":786,"points":787,"image":794},"\u003Cp>ClickFix attacks are one of the fastest-growing 
threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[788,790,792],{"item":789},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":791},"Block malicious copy-and-paste actions before code is executed",{"item":793},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":796},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":798,"meta":799,"component":800,"responsiveStyles":802},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":679},{"name":309,"options":801,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":803},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":805,"meta":806,"component":807,"responsiveStyles":809},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":686},{"name":317,"options":808,"isRSC":61},{"darkMode":34},{"large":810},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":812,"meta":813,"component":814,"responsiveStyles":819},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":693},{"name":322,"tag":322,"options":815,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":816,"description":817,"reverse":6,"image":818},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack 
exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":820},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":822,"meta":823,"component":824,"responsiveStyles":829},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":702},{"name":336,"options":825,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":826,"description":827,"reverse":34,"image":828},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":830},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},{"@type":47,"@version":48,"id":832,"meta":833,"component":834,"responsiveStyles":839},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":712},{"name":336,"options":835,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":836,"description":837,"reverse":6,"image":838},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":840},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":842,"meta":843,"component":844,"responsiveStyles":849},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":722},{"name":336,"options":845,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":846,"description":847,"reverse":34,"image":848},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":850},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":852,"meta":853,"component":854,"responsiveStyles":856},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":732},{"name":317,"options":855,"isRSC":61},{"darkMode":6},{"large":857},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":859,"component":860,"responsiveStyles":862},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":379,"tag":379,"options":861,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":863},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":865,"@type":47,"tagName":74,"properties":866,"responsiveStyles":867},"builder-pixel-sc4662fwhmq",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":868},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":870},{"path":29,"query":871},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":878,"originalContentId":644,"winningTest":61,"hasLinks":6,"kind":401,"breakpoints":879,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user
.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":881,"id":882,"name":883,"modelId":224,"published":13,"query":884,"data":887,"variations":992,"lastUpdated":993,"firstPublished":994,"testRatio":23,"screenshot":995,"createdBy":91,"lastUpdatedBy":637,"folders":996,"meta":997,"rev":403},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[885],{"@type":227,"property":228,"operator":229,"value":886},"/uc/incident-response",{"seoDescription":888,"customFonts":889,"title":883,"jsCode":29,"fontAwesomeIcon":894,"seoTitle":895,"tsCode":29,"blocks":896,"url":886,"state":989},"Investigate and respond faster with unique browser telemetry.",[890],{"kind":236,"subsets":891,"menu":259,"variants":892,"category":258,"family":235,"version":237,"lastModified":238,"files":893},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"900italic":249,"600italic":257,"200italic":254,"300italic":256,"100italic":251,"700italic":250,"800italic":248,"regular":253,"italic":252,"500italic":255},"faSatelliteDish","Browser based incident 
response",[897,984],{"@type":47,"@version":48,"tagName":286,"id":898,"meta":899,"children":900},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":659},[901,918,925,932,941,951,961,971,978],{"@type":47,"@version":48,"id":902,"meta":903,"component":904,"responsiveStyles":916},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":663},{"name":290,"options":905,"isRSC":61},{"title":906,"description":907,"points":908,"video":915},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[909,911,913],{"item":910},"Reconstruct what happened with real browser session context",{"item":912},"Investigate faster with real-world session context",{"item":914},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":917},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":919,"meta":920,"component":921,"responsiveStyles":923},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":679},{"name":309,"options":922,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":924},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":926,"meta":927,"component":928,"responsiveStyles":930},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":686},{"name":317,"options":929,"isRSC":61},{"darkMode":34},{"large":931},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":933,"component":934,"responsiveStyles":939},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":322,"tag":322,"options":935,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":936,"description":937,"image":938,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":940},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":942,"meta":943,"component":944,"responsiveStyles":949},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":702},{"name":336,"options":945,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":946,"description":947,"reverse":34,"image":948},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":950},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":952,"meta":953,"component":954,"responsiveStyles":959},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":712},{"name":336,"options":955,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":956,"description":957,"reverse":6,"image":958},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":960},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":962,"meta":963,"component":964,"responsiveStyles":969},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":722},{"name":336,"options":965,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":966,"description":967,"reverse":34,"image":968},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":970},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":972,"meta":973,"component":974,"responsiveStyles":976},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":732},{"name":317,"options":975,"isRSC":61},{"darkMode":6},{"large":977},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":979,"component":980,"responsiveStyles":982},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":379,"tag":379,"options":981,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":983},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":985,"@type":47,"tagName":74,"properties":986,"responsiveStyles":987},"builder-pixel-et67rxt22v",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":988},{"height":67,"width":67,"display":81,"opacity":67
,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":990},{"path":29,"query":991},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":401,"breakpoints":998,"originalContentId":644,"winningTest":61,"lastPreviewUrl":999,"hasLinks":6,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1001,"id":1002,"name":1003,"modelId":224,"published":13,"query":1004,"data":1007,"variations":1112,"lastUpdated":1113,"firstPublished":1114,"testRatio":23,"screenshot":1115,"createdBy":91,"lastUpdatedBy":637,"folders":1116,"meta":1117,"rev":403},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1005],{"@type":227,"property":228,"operator":229,"value":1006},"/uc/shadow-saas",{"seoTitle":1008,"seoDescription":1009,"customFonts":1010,"fontAwesomeIcon":1015,"title":1016,"jsCode":29,"tsCode":29,"blocks":1017,"url":1006,"state":1109},"Find and secure shadow SaaS","See and control shadow SaaS in the 
browser.",[1011],{"kind":236,"variants":1012,"files":1013,"family":235,"version":237,"subsets":1014,"lastModified":238,"category":258,"menu":259},[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"300italic":256,"500italic":255,"regular":253,"900italic":249,"italic":252,"100italic":251,"200italic":254,"600italic":257,"700italic":250,"800italic":248},[261,262],"faShieldCheck","Secure shadow SaaS",[1018,1104],{"@type":47,"@version":48,"tagName":286,"id":1019,"meta":1020,"children":1021},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":898},[1022,1038,1045,1052,1061,1071,1081,1091,1098],{"@type":47,"@version":48,"id":1023,"meta":1024,"component":1025,"responsiveStyles":1036},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":902},{"name":290,"options":1026,"isRSC":61},{"title":1008,"description":1027,"points":1028,"video":1035},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1029,1031,1033],{"item":1030},"Discover every SaaS app users access, managed or not",{"item":1032},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1034},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1037},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":1039,"meta":1040,"component":1041,"responsiveStyles":1043},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":919},{"name":309,"options":1042,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":1044},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":1046,"meta":1047,"component":1048,"responsiveStyles":1050},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":926},{"name":317,"options":1049,"isRSC":61},{"darkMode":34},{"large":1051},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1053,"component":1054,"responsiveStyles":1059},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":322,"tag":322,"options":1055,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":1056,"description":1057,"image":1058,"reverse":6},"\u003Ch2>Use your browser to curb SaaS sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network; it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1060},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1062,"meta":1063,"component":1064,"responsiveStyles":1069},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":942},{"name":336,"options":1065,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":1066,"description":1067,"reverse":34,"image":1068},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1070},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":1072,"meta":1073,"component":1074,"responsiveStyles":1079},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":952},{"name":336,"options":1075,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":1076,"description":1077,"reverse":6,"image":1078},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits: no MFA, no SSO, known vulnerabilities, or overly broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1080},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":1082,"meta":1083,"component":1084,"responsiveStyles":1089},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":962},{"name":336,"options":1085,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":1086,"description":1087,"reverse":34,"image":1088},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1090},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":1092,"meta":1093,"component":1094,"responsiveStyles":1096},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":972},{"name":317,"options":1095,"isRSC":61},{"darkMode":6},{"large":1097},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1099,"component":1100,"responsiveStyles":1102},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":379,"tag":379,"options":1101,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":1103},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":1105,"@type":47,"tagName":74,"properties":1106,"responsiveStyles":1107},"builder-pixel-0aegqcgyfoy9",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":110
8},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":1110},{"path":29,"query":1111},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":882,"winningTest":61,"lastPreviewUrl":1118,"breakpoints":1119,"kind":401,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":1121,"id":1122,"name":1123,"modelId":224,"published":13,"stageModifiedSincePublish":6,"query":1124,"data":1127,"variations":1233,"lastUpdated":1234,"firstPublished":1235,"testRatio":23,"screenshot":1236,"createdBy":91,"lastUpdatedBy":396,"folders":1237,"meta":1238,"rev":403},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1125],{"@type":227,"property":228,"operator":229,"value":1126},"/uc/shadow-ai",{"seoTitle":1128,"fontAwesomeIcon":1129,"title":1130,"seoDescription":1131,"customFonts":1132,"tsCode":29,"jsCode":29,"blocks":1137,"url":1126,"state":1230},"Secure AI native and AI enhanced apps. 
","faBrainCircuit","Secure AI","See and control AI apps in the browser.",[1133],{"version":237,"files":1134,"kind":236,"family":235,"lastModified":238,"category":258,"variants":1135,"subsets":1136,"menu":259},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"700italic":250,"100italic":251,"600italic":257,"italic":252,"300italic":256,"200italic":254,"500italic":255,"800italic":248,"900italic":249,"regular":253},[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],[261,262],[1138,1225],{"@type":47,"@version":48,"tagName":286,"id":1139,"meta":1140,"children":1141},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1019},[1142,1158,1165,1172,1182,1192,1202,1212,1219],{"@type":47,"@version":48,"id":1143,"meta":1144,"component":1145,"responsiveStyles":1156},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1023},{"name":290,"options":1146,"isRSC":61},{"title":1130,"description":1147,"points":1148,"image":1155},"\u003Cp>Every AI interaction traverses the browser. Employees use GenAI tools, connect AI apps to corporate accounts, and run agentic workflows, often outside security oversight. 
Push gives security teams the visibility to see what AI is doing across their environment and the controls to intervene before sensitive data leaves or access gets abused.\u003C/p>",[1149,1151,1153],{"item":1150},"Discover every AI tool and agent active across your workforce",{"item":1152},"Detect sensitive data being submitted to AI apps",{"item":1154},"Enforce AI policy directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1157},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":1159,"meta":1160,"component":1161,"responsiveStyles":1163},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1039},{"name":309,"options":1162,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":1164},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":1166,"meta":1167,"component":1168,"responsiveStyles":1170},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1046},{"name":317,"options":1169,"isRSC":61},{"darkMode":34},{"large":1171},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1173,"meta":1174,"component":1175,"responsiveStyles":1180},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1053},{"name":322,"tag":322,"options":1176,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":1177,"description":1178,"image":1179,"reverse":6},"\u003Ch2>The browser is where AI lives\u003C/h2>","\u003Cp>AI activity doesn't happen at the network layer or the endpoint. It happens in the browser, where employees interact with AI tools, where agents execute tasks, and where sensitive data gets submitted to external services. 
Push captures live telemetry from inside the browser session, identifying every AI-native and AI-enhanced application in use.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1181},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1183,"meta":1184,"component":1185,"responsiveStyles":1190},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1062},{"name":336,"options":1186,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":1187,"description":1188,"reverse":34,"image":1189},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Most organizations are using far more AI than they've approved. Push identifies every AI-native and AI-enhanced application accessed across the workforce, which corporate identities are connected, and what new tools appear in the environment. Applications are categorized by risk and policy status so security teams can prioritize exposure before it becomes an incident.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F636e65ad0c4c43faa3e626c41e90d8a3",{"large":1191},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":1193,"meta":1194,"component":1195,"responsiveStyles":1200},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1072},{"name":336,"options":1196,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":1197,"description":1198,"reverse":6,"image":1199},"\u003Ch2>Prevent sensitive data from reaching the wrong AI tools\u003C/h2>","\u003Cp>Employees paste credentials, customer data, and internal documents into AI tools without realizing the risk. 
Push detects sensitive data interactions in the browser in real time, including file uploads, clipboard activity, and form submissions to unsanctioned or high-risk AI applications. Controls can be applied to warn users, require policy acknowledgment, or block the interaction entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F011332d42dab4a299f25ab3847741ed9",{"large":1201},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1210},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1082},{"name":336,"options":1206,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":1207,"description":1208,"reverse":34,"image":1209},"\u003Ch2>Govern agentic AI permissions and activity\u003C/h2>","\u003Cp>AI agents operating in the browser can access applications, execute actions, and handle data on behalf of users, often with permissions that were never explicitly reviewed. 
Push surfaces agentic permissions and data flows so security teams can see what agents are doing, where they have access, and apply controls before that access is exploited or abused.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F71549a73d0b84f1c8cb151c05e493e8d",{"large":1211},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":1213,"meta":1214,"component":1215,"responsiveStyles":1217},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1092},{"name":317,"options":1216,"isRSC":61},{"darkMode":6},{"large":1218},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1220,"component":1221,"responsiveStyles":1223},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":379,"tag":379,"options":1222,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":1224},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":1226,"@type":47,"tagName":74,"properties":1227,"responsiveStyles":1228},"builder-pixel-yzy10h0oyrq",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":1229},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":1231},{"path":29,"query":1232},{},{},1778073860450,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9b4d5666fc9e495a9a8de4258975cd9f",[],{"lastPreviewUrl":1239,"hasLinks":6,"originalContentId":1002,"winningTest":61,"breakpoints":1240,"kind":401,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&b
uilder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"w":1242,"h":1243,"d":1244},448,512,"M280.4 48c-3.2 0-6.3 .5-9.3 1.4L206.6 69.2C136.1 90.9 88 156.1 88 229.8l0 42.9c22.7 3.8 40 23.6 40 47.3l0 144c0 26.5-21.5 48-48 48l-32 0c-26.5 0-48-21.5-48-48L0 320c0-23.8 17.3-43.5 40-47.3l0-42.9C40 135 101.8 51.2 192.5 23.4L256.9 3.5c7.6-2.3 15.5-3.5 23.4-3.5 44 0 79.6 35.7 79.6 79.6l0 56.4c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-56.4C312 62.2 297.8 48 280.4 48zM48 320l0 144 32 0 0-144-32 0zm208 24c0-71.6 55.6-127.8 89-148.1 4.3-2.6 9.6-2.6 14 0 33.5 20.3 89 76.6 89 148.1 0 32-16 80-64 112l27.3 27.3c3 3 4.7 7.1 4.7 11.3l0 1.4c0 8.8-7.2 16-16 16l-96 0c-8.8 0-16-7.2-16-16l0-1.4c0-4.2 1.7-8.3 4.7-11.3L320 456c-48-32-64-80-64-112zm128-32a24 24 0 1 0 -48 0 24 24 0 1 0 48 0z",{"w":1243,"h":1243,"d":1246},"M201.1 57.3c-7 5.3-9.1 10.7-9.1 14.7 0 4.2 2.4 10.1 10.4 15.6 7.8 5.3 13.6 14.6 13.6 25.6 0 17-13.8 30.7-30.7 30.7L56 144c-4.4 0-8 3.6-8 8l0 52.5c7.4-2.9 15.5-4.5 24-4.5 43.1 0 72 39.4 72 80s-28.9 80-72 80c-8.5 0-16.6-1.6-24-4.5L48 456c0 4.4 3.6 8 8 8l100.5 0c-2.9-7.4-4.5-15.5-4.5-24 0-43.1 39.4-72 80-72s80 28.9 80 72c0 8.5-1.6 16.6-4.5 24l52.5 0c4.4 0 8-3.6 8-8l0-129.3c0-17 13.8-30.7 30.7-30.7 11.1 0 20.3 5.8 25.6 13.6 5.5 8 11.4 10.4 15.6 10.4 4 0 9.5-2.1 14.7-9.1s9.3-17.9 9.3-30.9-4-23.8-9.3-30.9-10.7-9.1-14.7-9.1c-4.2 0-10.1 2.4-15.6 10.4-5.3 7.8-14.6 13.6-25.6 13.6-17 0-30.7-13.8-30.7-30.7l0-81.3c0-4.4-3.6-8-8-8l-81.3 0c-17 0-30.7-13.8-30.7-30.7 0-11.1 5.8-20.3 13.6-25.6 8-5.5 10.4-11.4 10.4-15.6 0-4-2.1-9.5-9.1-14.7S245 48 232 48 208.2 52 201.1 57.3zM172.3 18.9C188.5 6.8 209.6 0 232 0S275.5 6.8 291.7 18.9 320 49.5 320 72c0 8.6-1.8 16.7-4.9 24L360 96c30.9 0 56 25.1 
56 56l0 44.9c7.3-3.1 15.4-4.9 24-4.9 22.5 0 41 12.2 53.1 28.3s18.9 37.3 18.9 59.7-6.8 43.5-18.9 59.7-30.6 28.3-53.1 28.3c-8.6 0-16.7-1.8-24-4.9l0 92.9c0 30.9-25.1 56-56 56l-78.1 0c-18.7 0-33.9-15.2-33.9-33.9 0-10.1 4.5-18.5 9.9-24.2 4.2-4.3 6.1-9.2 6.1-13.9 0-9.9-10.7-24-32-24s-32 14.1-32 24c0 4.7 1.9 9.5 6.1 13.9 5.5 5.7 9.9 14.1 9.9 24.2 0 18.7-15.2 33.9-33.9 33.9L56 512c-30.9 0-56-25.1-56-56L0 329.9c0-18.7 15.2-33.9 33.9-33.9 10.1 0 18.5 4.5 24.2 9.9 4.3 4.2 9.2 6.1 13.9 6.1 9.9 0 24-10.7 24-32s-14.1-32-24-32c-4.7 0-9.5 1.9-13.9 6.1-5.7 5.5-14.1 9.9-24.2 9.9-18.7 0-33.9-15.2-33.9-33.9L0 152c0-30.9 25.1-56 56-56l92.9 0c-3.1-7.3-4.9-15.4-4.9-24 0-22.5 12.2-41 28.3-53.1z",{"w":1242,"h":1243,"d":1248},"M102.7 96c10.4-53.7 31.9-112 68.3-112 9.6 0 19 3.9 27.5 8.2 8.2 4.1 18.4 7.8 25.5 7.8s17.3-3.7 25.5-7.8c8.5-4.3 17.9-8.2 27.5-8.2 36.4 0 57.8 58.3 68.3 112L376 96c13.3 0 24 10.7 24 24s-10.7 24-24 24l-24 0 0 32c0 17-3.3 33.2-9.3 48l33.3 0c8.1 0 15.6 4 20 10.8s5.2 15.2 2.1 22.6l-31.5 74.2c48.9 31.2 81.4 86 81.4 148.5l0 8c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-8c0-51.4-30.3-95.8-74.1-116.1-11.7-5.5-17-19.2-12-31.2l25.8-60.7-27.7 0c-1.1 0-2.1-.1-3.1-.2-22.6 20-52.3 32.2-84.9 32.2s-62.3-12.2-84.9-32.2c-1 .1-2.1 .2-3.1 .2l-27.7 0 25.8 60.7c5.1 11.9-.2 25.7-12 31.2-43.8 20.4-74.1 64.7-74.1 116.1l0 8c0 13.3-10.7 24-24 24S0 501.3 0 488l0-8c0-62.4 32.5-117.2 81.4-148.5L49.9 257.4c-3.2-7.4-2.4-15.9 2.1-22.6S63.9 224 72 224l33.3 0c-6-14.8-9.3-31-9.3-48l0-32-24 0c-13.3 0-24-10.7-24-24S58.7 96 72 96l30.7 0zm45.9 107c11.1 30.9 40.6 53 75.3 53s64.2-22.1 75.3-53c-5.7 3.2-12.3 5-19.3 5l-12.4 0c-16.5 0-31.1-10.6-36.3-26.2-2.3-7-12.2-7-14.5 0-5.2 15.6-19.9 26.2-36.3 26.2L168 208c-7 0-13.6-1.8-19.3-5zm44.8 133l61 0c9.7 0 17.5 7.8 17.5 17.5 0 4.2-1.5 8.2-4.2 11.4l-27.9 32.5 28.9 82.6c5.5 15.6-6.1 31.9-22.7 31.9l-44.3 0c-16.5 0-28.1-16.3-22.7-31.9l28.9-82.6-27.9-32.5c-2.7-3.2-4.2-7.2-4.2-11.4 0-9.7 7.8-17.5 17.5-17.5z",{"w":1243,"h":1243,"d":1250},"M304.8 173.3c-14.3-8.4-31-13.3-48.8-13.3-53 
0-96 43-96 96s43 96 96 96 96-43 96-96l48 0c0 79.5-64.5 144-144 144s-144-64.5-144-144 64.5-144 144-144c31.1 0 59.9 9.9 83.4 26.6l45.7-45.7C349.7 64.8 304.8 48 256 48 141.1 48 48 141.1 48 256s93.1 208 208 208 208-93.1 208-208l48 0c0 141.4-114.6 256-256 256S0 397.4 0 256 114.6 0 256 0c62.1 0 118.9 22.1 163.3 58.8L463 15c9.4-9.4 24.6-9.4 33.9 0s9.4 24.6 0 33.9L273 273c-9.4 9.4-24.6 9.4-33.9 0s-9.4-24.6 0-33.9l65.7-65.7z",{"w":32,"h":1243,"d":1252},"M128 80l384 0c8.8 0 16 7.2 16 16l0 208 48 0 0-208c0-35.3-28.7-64-64-64L128 32C92.7 32 64 60.7 64 96l0 208 48 0 0-208c0-8.8 7.2-16 16-16zM52.8 400l534.4 0c-8.5 18.9-27.5 32-49.6 32l-435.2 0c-22.1 0-41.1-13.1-49.6-32zM25.6 352C11.5 352 0 363.5 0 377.6 0 434.2 45.8 480 102.4 480l435.2 0c56.6 0 102.4-45.8 102.4-102.4 0-14.1-11.5-25.6-25.6-25.6L25.6 352zM281 169c9.4-9.4 9.4-24.6 0-33.9s-24.6-9.4-33.9 0l-48 48c-9.4 9.4-9.4 24.6 0 33.9l48 48c9.4 9.4 24.6 9.4 33.9 0s9.4-24.6 0-33.9l-31-31 31-31zM393 135c-9.4-9.4-24.6-9.4-33.9 0s-9.4 24.6 0 33.9l31 31-31 31c-9.4 9.4-9.4 24.6 0 33.9s24.6 9.4 33.9 0l48-48c9.4-9.4 9.4-24.6 0-33.9l-48-48z",{"w":1243,"h":1243,"d":1254},"M232 0c-13.3 0-24 10.7-24 24s10.7 24 24 24c128.1 0 232 103.9 232 232 0 13.3 10.7 24 24 24s24-10.7 24-24C512 125.4 386.6 0 232 0zM48 256c0-23 3.7-45 10.5-65.6l263 263C301 460.3 279 464 256 464 141.1 464 48 370.9 48 256zM72.8 136.8c-14.1-14.1-37.6-12-46.5 5.8-16.9 34.2-26.4 72.6-26.4 113.3 0 141.4 114.6 256 256 256 40.7 0 79.2-9.5 113.3-26.4 17.9-8.8 19.9-32.4 5.8-46.5L241 305 281 265c9.4-9.4 9.4-24.6 0-33.9s-24.6-9.4-33.9 0L207 271 72.8 136.8zM208 120c0 13.3 10.7 24 24 24 75.1 0 136 60.9 136 136 0 13.3 10.7 24 24 24s24-10.7 24-24c0-101.6-82.4-184-184-184-13.3 0-24 10.7-24 24z",{"w":1243,"h":1243,"d":1256},"M256.1 0c4.6 0 9.2 1 13.3 2.9L457.8 82.8c22 9.3 38.4 31 38.3 57.2-.5 99.2-41.3 280.7-213.6 363.2-16.7 8-36.1 8-52.8 0-172.4-82.5-213.2-263.9-213.7-363.2-.1-26.2 16.3-47.9 38.3-57.2L242.7 2.9C246.8 1 251.4 0 256.1 0zM73.1 127c-5.9 2.5-9.1 7.7-9 12.7 .5 91.4 38.4 249.3 
186.4 320.1 3.6 1.7 7.8 1.7 11.3 0 148-70.8 185.9-228.7 186.3-320.1 0-5-3.1-10.2-9-12.7l-183-77.6-183 77.6zm240.3 34.9c7.8-10.7 22.8-13.1 33.5-5.3 10.7 7.8 13.1 22.8 5.3 33.5L249.8 330.9c-4.2 5.7-10.7 9.3-17.8 9.8s-14-2.2-18.9-7.3l-46.4-48c-9.2-9.5-9-24.7 .6-33.9 9.5-9.2 24.7-8.9 33.9 .6l26.5 27.4 85.6-117.7z",{"w":1243,"h":1243,"d":1258},"M123 58.1c9.5-33.5 40.4-58.1 77-58.1 21.8 0 41.6 8.7 56 22.9 14.4-14.1 34.2-22.9 56-22.9 36.6 0 67.4 24.6 77 58.1 47.4 9.7 83 51.6 83 101.9 0 11.3-1.8 22.2-5.1 32.3 22.7 19.1 37.1 47.7 37.1 79.7 0 23.7-8 45.6-21.3 63.1 3.5 10.4 5.3 21.4 5.3 32.9 0 54-41.2 98.5-93.9 103.5-15.6 24.3-42.9 40.5-74.1 40.5-25.2 0-48-10.6-64-27.6-16 17-38.8 27.6-64 27.6-31.1 0-58.4-16.2-74.1-40.5-52.7-5.1-93.9-49.5-93.9-103.5 0-11.5 1.9-22.5 5.3-32.9-13.4-17.5-21.3-39.4-21.3-63.1 0-32 14.5-60.6 37.1-79.7-3.3-10.2-5.1-21.1-5.1-32.3 0-50.3 35.6-92.2 83-101.9zM200 48c-17.7 0-32 14.3-32 32 0 13.3-10.7 24-24 24-30.9 0-56 25.1-56 56 0 10.5 2.9 20.3 7.9 28.6 3.4 5.7 4.3 12.5 2.5 18.9s-6.2 11.7-12 14.7c-18 9.3-30.3 28.1-30.3 49.8 0 16.1 6.8 30.7 17.8 40.9 7.9 7.4 9.9 19.2 4.8 28.8-4.2 7.8-6.5 16.7-6.5 26.3 0 30.9 25.1 56 56 56 1.1 0 2.2 0 3.2-.1 10.3-.6 19.8 5.5 23.6 15 5.9 14.7 20.4 25.1 37.1 25.1 20.4 0 37.2-15.3 39.7-35 .1-.6 .2-1.3 .3-1.9l0-135.1-40 0c-6.6 0-12 5.4-12 12l0 4.4c16.5 7.6 28 24.3 28 43.6 0 26.5-21.5 48-48 48s-48-21.5-48-48c0-19.4 11.5-36.1 28-43.6l0-4.4c0-28.7 23.3-52 52-52l40 0 0-56-12.4 0c-7.6 16.5-24.3 28-43.6 28-26.5 0-48-21.5-48-48s21.5-48 48-48c19.4 0 36.1 11.5 43.6 28l12.4 0 0-76c0-17.7-14.3-32-32-32zm80 148l0 152 40 0c6.6 0 12-5.4 12-12l0-4.4c-16.5-7.6-28-24.3-28-43.6 0-26.5 21.5-48 48-48s48 21.5 48 48c0 19.4-11.5 36.1-28 43.6l0 4.4c0 28.7-23.3 52-52 52l-40 0 0 39.1c.1 .6 .2 1.2 .3 1.9 2.5 19.7 19.3 35 39.7 35 16.8 0 31.2-10.3 37.1-25.1 3.8-9.6 13.3-15.6 23.6-15 1.1 .1 2.2 .1 3.2 .1 30.9 0 56-25.1 56-56 0-9.5-2.4-18.5-6.5-26.3-5.1-9.6-3.1-21.4 4.8-28.8 11-10.2 17.8-24.8 17.8-40.9 
0-21.6-12.2-40.4-30.3-49.8-5.9-3-10.2-8.4-12-14.7s-.9-13.2 2.5-18.9c5-8.4 7.9-18.1 7.9-28.6 0-30.9-25.1-56-56-56-13.3 0-24-10.7-24-24 0-17.7-14.3-32-32-32s-32 14.3-32 32l0 76 12.4 0c7.6-16.5 24.3-28 43.6-28 26.5 0 48 21.5 48 48s-21.5 48-48 48c-19.4 0-36.1-11.5-43.6-28L280 196zm56-36a16 16 0 1 0 0 32 16 16 0 1 0 0-32zm0 128a16 16 0 1 0 32 0 16 16 0 1 0 -32 0zM144 352a16 16 0 1 0 32 0 16 16 0 1 0 -32 0zm16-176a16 16 0 1 0 32 0 16 16 0 1 0 -32 0z",{"id":1260,"title":1261,"authorsCollection":1262,"content":1270,"extension":2237,"hashTags":61,"meta":2238,"metaTitle":2239,"ogImage":61,"publishedDate":2240,"relatedBlogPostsCollection":2241,"slug":5830,"stem":5831,"subtitle":61,"summary":5832,"synopsis":5843,"sys":5844,"tagsCollection":5847,"__hash__":5853},"blog/blog/analyzing-the-instructure-breach.json","Analyzing the Instructure breach: The three attack techniques behind ShinyHunters' 2026 campaigns ",{"items":1263},[1264],{"fullName":1265,"firstName":1266,"jobTitle":1267,"profilePicture":1268},"Dan Green","Dan","Threat Research",{"url":1269},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":1271,"links":2112},{"nodeType":1272,"data":1273,"content":1274},"document",{},[1275,1309,1318,1325,1331,1338,1347,1354,1358,1367,1398,1410,1413,1421,1475,1482,1505,1511,1514,1522,1553,1560,1568,1574,1577,1585,1592,1610,1617,1660,1667,1670,1678,1697,1706,1733,1756,1780,1788,1795,1802,1805,1823,1826,1834,1853,2106],{"nodeType":1276,"data":1277,"content":1278},"paragraph",{},[1279,1284,1293,1297,1305],{"nodeType":1280,"value":1281,"marks":1282,"data":1283},"text","ShinyHunters' ",[],{},{"nodeType":1285,"data":1286,"content":1288},"hyperlink",{"uri":1287},"https://www.bleepingcomputer.com/news/security/canvas-login-portals-hacked-in-mass-shinyhunters-extortion-campaign/",[1289],{"nodeType":1280,"value":1290,"marks":1291,"data":1292},"breach of 
Instructure",[],{},{"nodeType":1280,"value":1294,"marks":1295,"data":1296},", the company behind Canvas (one of the most widely used learning management systems in education), has escalated rapidly over the past week, with 275 million individuals impacted across 9,000 schools worldwide, ",[],{},{"nodeType":1285,"data":1298,"content":1300},{"uri":1299},"https://krebsonsecurity.com/2026/05/canvas-breach-disrupts-schools-colleges-nationwide/",[1301],{"nodeType":1280,"value":1302,"marks":1303,"data":1304},"defaced login portals at roughly 330 schools",[],{},{"nodeType":1280,"value":1306,"marks":1307,"data":1308},", and a public ransom deadline.",[],{},{"nodeType":1310,"data":1311,"content":1317},"embedded-entry-block",{"target":1312},{"sys":1313},{"id":1314,"type":1315,"linkType":1316},"2yE4PCMYADajfnhIg1IRah","Link","Entry",[],{"nodeType":1276,"data":1319,"content":1320},{},[1321],{"nodeType":1280,"value":1322,"marks":1323,"data":1324},"The human impact is immediate and tangible: students at schools and universities have been unable to access coursework, submit assignments, or sit final exams during one of the busiest testing periods of the academic year, with some institutions sending students home with no clear timeline for when normal operations will resume — the kind of disruption usually associated with ransomware attacks. ",[],{},{"nodeType":1310,"data":1326,"content":1330},{"target":1327},{"sys":1328},{"id":1329,"type":1315,"linkType":1316},"6xVJCfjfnZCyGAe02copZ8",[],{"nodeType":1276,"data":1332,"content":1333},{},[1334],{"nodeType":1280,"value":1335,"marks":1336,"data":1337},"But the Instructure breach isn't an isolated incident. It’s the latest datapoint in a sustained series of campaigns by ShinyHunters and affiliates of the Com that has, over the past twelve months, compromised thousands of organizations across retail, technology, aviation, financial services, media, gaming, and now education. 
DataBreaches.net reports that the initial access at Instructure involved social engineering targeting the company's Salesforce instance, which places it squarely within the playbook that Push has been tracking across multiple blog posts since late 2025. ",[],{},{"nodeType":1276,"data":1339,"content":1340},{},[1341],{"nodeType":1280,"value":1342,"marks":1343,"data":1346},"The specific attack vector at Instructure remains unconfirmed, but the documented arsenal of these groups narrows it down to one of three browser-based attacks behind current SLH-related campaigns.",[1344],{"type":1345},"bold",{},{"nodeType":1276,"data":1348,"content":1349},{},[1350],{"nodeType":1280,"value":1351,"marks":1352,"data":1353},"This post examines those three vectors, maps them to the confirmed campaigns and victims that illustrate each one, and explains how browser-layer detection operates at the critical point to detect and intercept these attacks before a breach occurs.",[],{},{"nodeType":1355,"data":1356,"content":1357},"hr",{},[],{"nodeType":1359,"data":1360,"content":1361},"heading-1",{},[1362],{"nodeType":1280,"value":1363,"marks":1364,"data":1366},"The Com in 2026: a distributed criminal collective",[1365],{"type":1345},{},{"nodeType":1276,"data":1368,"content":1369},{},[1370,1374,1382,1386,1394],{"nodeType":1280,"value":1371,"marks":1372,"data":1373},"To understand the context behind the Instructure breach, it helps to understand the threat ecosystem behind it. ShinyHunters operates within the SLH (Scattered Lapsus$ Hunters) collective — itself part of the Com, a broader community of English-speaking cybercriminals with international criminal affiliations who collaborate across phishing, initial access, data theft, and extortion operations. 
The SLH connection traces through a merger of Scattered Spider, Lapsus$, and ShinyHunters, but the Com extends further: groups like",[],{},{"nodeType":1285,"data":1375,"content":1377},{"uri":1376},"https://www.crowdstrike.com/en-us/blog/defending-against-cordial-spider-and-snarky-spider-with-falcon-shield/",[1378],{"nodeType":1280,"value":1379,"marks":1380,"data":1381}," Cordial Spider and Snarky Spider",[],{},{"nodeType":1280,"value":1383,"marks":1384,"data":1385},", which CrowdStrike",[],{},{"nodeType":1285,"data":1387,"content":1389},{"uri":1388},"https://cyberscoop.com/crowdstrike-cordial-spider-snarky-spider-extortion-attacks/",[1390],{"nodeType":1280,"value":1391,"marks":1392,"data":1393}," characterizes as the new generation of Scattered Spider",[],{},{"nodeType":1280,"value":1395,"marks":1396,"data":1397},", are Com members running their own parallel campaigns, even if they are not confirmed as part of the SLH collective itself.",[],{},{"nodeType":1276,"data":1399,"content":1400},{},[1401,1405],{"nodeType":1280,"value":1402,"marks":1403,"data":1404},"The result is something closer to a distributed collective than a single coordinated group, with several independently operating clusters running parallel campaigns against different target sectors within a compressed timeframe. 
",[],{},{"nodeType":1280,"value":1406,"marks":1407,"data":1409},"What connects them isn't infrastructure or coordination, but a shared understanding of where the structural weakness lies in modern business IT, and a common playbook of browser-based attack techniques that exploit it.",[1408],{"type":1345},{},{"nodeType":1355,"data":1411,"content":1412},{},[],{"nodeType":1359,"data":1414,"content":1415},{},[1416],{"nodeType":1280,"value":1417,"marks":1418,"data":1420},"Vector 1: Vishing combined with AiTM phishing",[1419],{"type":1345},{},{"nodeType":1276,"data":1422,"content":1423},{},[1424,1428,1436,1440,1447,1451,1459,1463,1471],{"nodeType":1280,"value":1425,"marks":1426,"data":1427},"The most visible campaign right now pairs targeted voice calls with adversary-in-the-middle phishing pages — an approach that",[],{},{"nodeType":1285,"data":1429,"content":1431},{"uri":1430},"https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft",[1432],{"nodeType":1280,"value":1433,"marks":1434,"data":1435}," Mandiant",[],{},{"nodeType":1280,"value":1437,"marks":1438,"data":1439},",",[],{},{"nodeType":1285,"data":1441,"content":1442},{"uri":1376},[1443],{"nodeType":1280,"value":1444,"marks":1445,"data":1446}," CrowdStrike",[],{},{"nodeType":1280,"value":1448,"marks":1449,"data":1450},", and",[],{},{"nodeType":1285,"data":1452,"content":1454},{"uri":1453},"https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-03-12-Vishing-Campaigns-Lead-to-Data-Theft-and-Extortion.txt",[1455],{"nodeType":1280,"value":1456,"marks":1457,"data":1458}," Unit 42",[],{},{"nodeType":1280,"value":1460,"marks":1461,"data":1462}," have all documented from the incident response side, and which Push has",[],{},{"nodeType":1285,"data":1464,"content":1466},{"uri":1465},"https://pushsecurity.com/blog/inside-criminal-phishing-panel/",[1467],{"nodeType":1280,"value":1468,"marks":1469,"data":1470}," documented from inside the attacker's own operator 
panels",[],{},{"nodeType":1280,"value":1472,"marks":1473,"data":1474},".",[],{},{"nodeType":1276,"data":1476,"content":1477},{},[1478],{"nodeType":1280,"value":1479,"marks":1480,"data":1481},"An attacker impersonating IT support calls the target employee, establishes urgency — often citing a \"mandatory passkey rollout\" or a \"security compliance update\" — and directs them to a victim-branded AiTM phishing page (typically at a domain like \u003Ccompany>sso.com or \u003Ccompany>internal.com). The attack is processed by a live human in real time, relaying credentials and MFA codes to the legitimate identity provider as they are entered, capturing the resulting session token, and granting the attacker an authenticated session. ",[],{},{"nodeType":1276,"data":1483,"content":1484},{},[1485,1489,1496,1500],{"nodeType":1280,"value":1486,"marks":1487,"data":1488},"One of the reasons that this method is becoming so widespread is the commoditization of effective tools. Push's ",[],{},{"nodeType":1285,"data":1490,"content":1491},{"uri":1465},[1492],{"nodeType":1280,"value":1493,"marks":1494,"data":1495},"infiltration of the criminal phishing panels",[],{},{"nodeType":1280,"value":1497,"marks":1498,"data":1499}," identified over 400 linked domains across four distinct infrastructure clusters. 
",[],{},{"nodeType":1280,"value":1501,"marks":1502,"data":1504},"This mirrors the pattern that turned AiTM phishing from a specialist capability into an industrialized market with competing PhaaS platforms, but with the added complication that voice phishing as the delivery vector makes the attack invisible to traditional anti-phishing controls at the email layer.",[1503],{"type":1345},{},{"nodeType":1310,"data":1506,"content":1510},{"target":1507},{"sys":1508},{"id":1509,"type":1315,"linkType":1316},"1Yhthl0PILGW7EmCcZUrNv",[],{"nodeType":1355,"data":1512,"content":1513},{},[],{"nodeType":1359,"data":1515,"content":1516},{},[1517],{"nodeType":1280,"value":1518,"marks":1519,"data":1521},"Vector 2: Vishing combined with device code phishing",[1520],{"type":1345},{},{"nodeType":1276,"data":1523,"content":1524},{},[1525,1529,1537,1541,1549],{"nodeType":1280,"value":1526,"marks":1527,"data":1528},"The",[],{},{"nodeType":1285,"data":1530,"content":1532},{"uri":1531},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[1533],{"nodeType":1280,"value":1534,"marks":1535,"data":1536}," ShinyHunters Salesforce campaign",[],{},{"nodeType":1280,"value":1538,"marks":1539,"data":1540}," that ran through 2025 and into 2026 used device code phishing as one of its core methods,",[],{},{"nodeType":1285,"data":1542,"content":1544},{"uri":1543},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[1545],{"nodeType":1280,"value":1546,"marks":1547,"data":1548}," compromising over 1,000 organizations and claiming 1.5 billion stolen records",[],{},{"nodeType":1280,"value":1550,"marks":1551,"data":1552}," — including an attempted extortion of Salesforce itself. 
The attack involved registering an attacker-controlled \"DataLoader\" application mimicking a legitimate Salesforce tool, configuring it to request broad OAuth scopes including full API access and refresh token generation, and guiding victims through the device authorization flow via vishing calls.",[],{},{"nodeType":1276,"data":1554,"content":1555},{},[1556],{"nodeType":1280,"value":1557,"marks":1558,"data":1559},"Device code phishing exploits the OAuth 2.0 device authorization grant — a flow designed for devices without browsers, like smart TVs, but used in a wide range of scenarios including CLI logins — by tricking users into entering a code on Microsoft's (or another identity provider's) legitimate verification page. Since the victim is usually signed into the app in their browser, there’s no login at all. They simply navigate to the app’s device code login page and enter an attacker-provided code to grant the attacker an access token. ",[],{},{"nodeType":1276,"data":1561,"content":1562},{},[1563],{"nodeType":1280,"value":1564,"marks":1565,"data":1567},"This is what makes device code phishing structurally different from AiTM: it defeats all MFA (including passkeys) because the attack doesn’t target the login, but the authorization layer instead.",[1566],{"type":1345},{},{"nodeType":1310,"data":1569,"content":1573},{"target":1570},{"sys":1571},{"id":1572,"type":1315,"linkType":1316},"3ElQz8sLATnR8RY5nVlBGM",[],{"nodeType":1355,"data":1575,"content":1576},{},[],{"nodeType":1359,"data":1578,"content":1579},{},[1580],{"nodeType":1280,"value":1581,"marks":1582,"data":1584},"Vector 3: OAuth supply chain attacks through compromised integrators",[1583],{"type":1345},{},{"nodeType":1276,"data":1586,"content":1587},{},[1588],{"nodeType":1280,"value":1589,"marks":1590,"data":1591},"The third vector does not require the attacker to phish the victim organization's employees at all. 
Instead, it exploits the OAuth trust relationships that organizations create when they connect third-party SaaS vendors into their environments — and the consequence is that every organization that authorized one of these integrations effectively extended its security boundary to include the vendor's own security posture.",[],{},{"nodeType":1276,"data":1593,"content":1594},{},[1595,1598,1606],{"nodeType":1280,"value":1526,"marks":1596,"data":1597},[],{},{"nodeType":1285,"data":1599,"content":1601},{"uri":1600},"https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift",[1602],{"nodeType":1280,"value":1603,"marks":1604,"data":1605}," Salesloft/Drift supply chain attack",[],{},{"nodeType":1280,"value":1607,"marks":1608,"data":1609}," demonstrated this at scale in 2025: in an extension of the previously mentioned device code phishing campaign, the attacker compromised Salesloft's GitHub environment, used TruffleHog to find secrets, stole Drift OAuth tokens, and used them to access downstream Salesforce environments. The same pattern was later repeated at Gainsight. ",[],{},{"nodeType":1276,"data":1611,"content":1612},{},[1613],{"nodeType":1280,"value":1614,"marks":1615,"data":1616},"Along with the previously mentioned device code phishing attacks,  more than 1000 organizations were breached. 
The attackers then harvested AWS keys, Snowflake credentials, and stored passwords from breached Salesforce instances, compounding the access into progressively wider reach.",[],{},{"nodeType":1276,"data":1618,"content":1619},{},[1620,1624,1632,1636,1644,1648,1656],{"nodeType":1280,"value":1621,"marks":1622,"data":1623},"The same structural pattern has continued into 2026 with the Anodot supply chain compromise, which has produced confirmed breaches at",[],{},{"nodeType":1285,"data":1625,"content":1627},{"uri":1626},"https://www.bleepingcomputer.com/news/security/vimeo-data-breach-exposes-personal-information-of-119-000-people/",[1628],{"nodeType":1280,"value":1629,"marks":1630,"data":1631}," Vimeo",[],{},{"nodeType":1280,"value":1633,"marks":1634,"data":1635}," (119,000 users), Rockstar Games (78.6 million records), and",[],{},{"nodeType":1285,"data":1637,"content":1639},{"uri":1638},"https://www.bleepingcomputer.com/news/security/zara-data-breach-exposed-personal-information-of-197-000-people/",[1640],{"nodeType":1280,"value":1641,"marks":1642,"data":1643}," Zara/Inditex",[],{},{"nodeType":1280,"value":1645,"marks":1646,"data":1647}," (197,000 people), with further downstream victims likely still emerging. The",[],{},{"nodeType":1285,"data":1649,"content":1651},{"uri":1650},"https://pushsecurity.com/blog/unpacking-the-vercel-breach/",[1652],{"nodeType":1280,"value":1653,"marks":1654,"data":1655}," Vercel breach",[],{},{"nodeType":1280,"value":1657,"marks":1658,"data":1659}," demonstrates this too: it involved compromised OAuth tokens from Context.ai cascading into Google Workspace, reinforcing the same attack pattern (though it was likely not a ShinyHunters operation despite being claimed by someone pretending to be them).",[],{},{"nodeType":1276,"data":1661,"content":1662},{},[1663],{"nodeType":1280,"value":1664,"marks":1665,"data":1666},"A forgotten SaaS integration can easily become the pivot point for downstream compromise. 
The moment you authorize a third-party integration, your security boundary extends to include that vendor. If the third party is compromised, every downstream customer organization with an active integration is exposed.",[],{},{"nodeType":1355,"data":1668,"content":1669},{},[],{"nodeType":1359,"data":1671,"content":1672},{},[1673],{"nodeType":1280,"value":1674,"marks":1675,"data":1677},"These attacks all happen in the browser",[1676],{"type":1345},{},{"nodeType":1276,"data":1679,"content":1680},{},[1681,1685,1693],{"nodeType":1280,"value":1682,"marks":1683,"data":1684},"Every one of these attack chains is a browser-based attack that either occurs in the browser (AiTM phishing, device code phishing) or could have been prevented at the browser layer (OAuth consent governance). The techniques are interchangeable — the",[],{},{"nodeType":1285,"data":1686,"content":1688},{"uri":1687},"https://pushsecurity.com/blog/device-code-phishing/",[1689],{"nodeType":1280,"value":1690,"marks":1691,"data":1692}," same criminal kits now offer AiTM and device code phishing side by side",[],{},{"nodeType":1280,"value":1694,"marks":1695,"data":1696},", and the same threat actor (ShinyHunters) has used all three vectors across different campaigns within the same twelve-month period.",[],{},{"nodeType":1698,"data":1699,"content":1700},"heading-2",{},[1701],{"nodeType":1280,"value":1702,"marks":1703,"data":1705},"How Push can help",[1704],{"type":1345},{},{"nodeType":1276,"data":1707,"content":1708},{},[1709,1713,1718,1722,1729],{"nodeType":1280,"value":1710,"marks":1711,"data":1712},"Push operates at the exact point in each of these attack chains where automated intervention can still prevent the compromise. 
",[],{},{"nodeType":1280,"value":1714,"marks":1715,"data":1717},"For vishing + AiTM attacks, ",[1716],{"type":1345},{},{"nodeType":1280,"value":1719,"marks":1720,"data":1721},"Push's",[],{},{"nodeType":1285,"data":1723,"content":1724},{"uri":1465},[1725],{"nodeType":1280,"value":1726,"marks":1727,"data":1728}," behavioral phishing detection",[],{},{"nodeType":1280,"value":1730,"marks":1731,"data":1732}," analyzes and blocks the phishing page in real time by detecting it from the user's browser — regardless of the domains used, hosting infrastructure, or where the URL was delivered. ",[],{},{"nodeType":1276,"data":1734,"content":1735},{},[1736,1741,1745,1752],{"nodeType":1280,"value":1737,"marks":1738,"data":1740},"For device code phishing,",[1739],{"type":1345},{},{"nodeType":1280,"value":1742,"marks":1743,"data":1744}," Push detects the phishing pages associated with ",[],{},{"nodeType":1285,"data":1746,"content":1747},{"uri":1687},[1748],{"nodeType":1280,"value":1749,"marks":1750,"data":1751},"device code phishing kits",[],{},{"nodeType":1280,"value":1753,"marks":1754,"data":1755}," — including generic, technique-class detections that catch new kits without requiring kit-specific signatures. Push also provides an additional layer of protection on the legitimate device code authentication pages themselves, preventing users from entering attacker-supplied codes into them. 
Together, these detections cover both the kit-operated phishing infrastructure and the legitimate auth pages that the attack flow depends on.",[],{},{"nodeType":1276,"data":1757,"content":1758},{},[1759,1764,1768,1776],{"nodeType":1280,"value":1760,"marks":1761,"data":1763},"For OAuth supply chain attacks,",[1762],{"type":1345},{},{"nodeType":1280,"value":1765,"marks":1766,"data":1767}," Push ",[],{},{"nodeType":1285,"data":1769,"content":1771},{"uri":1770},"https://site.dev.pushsecurity.com/contentful-preview/?blogSlug=analyzing-the-instructure-breach",[1772],{"nodeType":1280,"value":1773,"marks":1774,"data":1775},"detects and controls OAuth consent flows",[],{},{"nodeType":1280,"value":1777,"marks":1778,"data":1779}," at the browser layer — capturing which application is requesting access, what scopes it's requesting, and whether the grant should be permitted under organizational policy. Push customers can also block OAuth connection requests as they transit the browser, enabling security teams to stop unwanted integrations from being added in the first place. ",[],{},{"nodeType":1698,"data":1781,"content":1782},{},[1783],{"nodeType":1280,"value":1784,"marks":1785,"data":1787},"Closing thoughts",[1786],{"type":1345},{},{"nodeType":1276,"data":1789,"content":1790},{},[1791],{"nodeType":1280,"value":1792,"marks":1793,"data":1794},"The Instructure breach — and its real-world impact on students, teachers, and families — will produce more details as the investigation progresses, and those details will almost certainly map to one of these three vectors. But the defensive strategy doesn't need to wait for confirmation, because all three converge on the same control point: the browser, where the attack begins or the integration decision is made. 
",[],{},{"nodeType":1276,"data":1796,"content":1797},{},[1798],{"nodeType":1280,"value":1799,"marks":1800,"data":1801},"Organizations with browser-layer detection and OAuth controls in place have defense-in-depth against the full range of techniques that modern threat groups like ShinyHunters employ, regardless of the specific vector any given campaign uses.",[],{},{"nodeType":1355,"data":1803,"content":1804},{},[],{"nodeType":1276,"data":1806,"content":1807},{},[1808,1812,1820],{"nodeType":1280,"value":1809,"marks":1810,"data":1811},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required. Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",[],{},{"nodeType":1285,"data":1813,"content":1815},{"uri":1814},"https://pushsecurity.com/demo/",[1816],{"nodeType":1280,"value":1817,"marks":1818,"data":1819}," Book a live demo to learn more.",[],{},{"nodeType":1280,"value":29,"marks":1821,"data":1822},[],{},{"nodeType":1355,"data":1824,"content":1825},{},[],{"nodeType":1359,"data":1827,"content":1828},{},[1829],{"nodeType":1280,"value":1830,"marks":1831,"data":1833},"Appendix: named ShinyHunters victims since May 2025",[1832],{"type":1345},{},{"nodeType":1276,"data":1835,"content":1836},{},[1837,1841,1849],{"nodeType":1280,"value":1838,"marks":1839,"data":1840},"To give an indication of the scale, the following table documents all publicly named victims attributed to ShinyHunters specifically since the Salesforce campaign began in May 2025. 
It is not exhaustive: ShinyHunters has claimed over 1,000 organizations in aggregate across its Salesforce campaigns alone, and many victims have not been publicly named. This list also doesn’t include the billion-plus records compromised in the 2024 Snowflake breaches. The major ransomware attacks executed against M&S, Co-op, and Jaguar Land Rover claimed by the ",[],{},{"nodeType":1285,"data":1842,"content":1844},{"uri":1843},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[1845],{"nodeType":1280,"value":1846,"marks":1847,"data":1848},"Scattered Lapsus$ Hunters \"brand\"",[],{},{"nodeType":1280,"value":1850,"marks":1851,"data":1852}," also aren't listed below. ",[],{},{"nodeType":1854,"data":1855,"content":1856},"table",{},[1857,1906,1963,2011,2059],{"nodeType":1858,"data":1859,"content":1860},"table-row",{},[1861,1873,1884,1895],{"nodeType":1862,"data":1863,"content":1864},"table-cell",{},[1865],{"nodeType":1276,"data":1866,"content":1867},{},[1868],{"nodeType":1280,"value":1869,"marks":1870,"data":1872},"Campaign",[1871],{"type":1345},{},{"nodeType":1862,"data":1874,"content":1875},{},[1876],{"nodeType":1276,"data":1877,"content":1878},{},[1879],{"nodeType":1280,"value":1880,"marks":1881,"data":1883},"Began",[1882],{"type":1345},{},{"nodeType":1862,"data":1885,"content":1886},{},[1887],{"nodeType":1276,"data":1888,"content":1889},{},[1890],{"nodeType":1280,"value":1891,"marks":1892,"data":1894},"Named victims",[1893],{"type":1345},{},{"nodeType":1862,"data":1896,"content":1897},{},[1898],{"nodeType":1276,"data":1899,"content":1900},{},[1901],{"nodeType":1280,"value":1902,"marks":1903,"data":1905},"Confirmed impact",[1904],{"type":1345},{},{"nodeType":1858,"data":1907,"content":1908},{},[1909,1933,1943,1953],{"nodeType":1862,"data":1910,"content":1911},{},[1912],{"nodeType":1276,"data":1913,"content":1914},{},[1915,1920,1924,1929],{"nodeType":1280,"value":1916,"marks":1917,"data":1919},"ShinyHunters Salesforce 
Vishing",[1918],{"type":1345},{},{"nodeType":1280,"value":1921,"marks":1922,"data":1923}," (vishing + device code phishing → Salesforce connected app authorization) \n\n& ",[],{},{"nodeType":1280,"value":1925,"marks":1926,"data":1928},"Salesloft/Drift Supply Chain",[1927],{"type":1345},{},{"nodeType":1280,"value":1930,"marks":1931,"data":1932}," (stolen OAuth tokens → downstream Salesforce access)",[],{},{"nodeType":1862,"data":1934,"content":1935},{},[1936],{"nodeType":1276,"data":1937,"content":1938},{},[1939],{"nodeType":1280,"value":1940,"marks":1941,"data":1942},"May 2025",[],{},{"nodeType":1862,"data":1944,"content":1945},{},[1946],{"nodeType":1276,"data":1947,"content":1948},{},[1949],{"nodeType":1280,"value":1950,"marks":1951,"data":1952},"Coca-Cola Europacific Partners, Cisco, Qantas, LVMH, Adidas, Google, Chanel, Pandora, Allianz Life, Air France-KLM, Farmers Insurance, Workday, TransUnion, Stellantis, Kering, Odido, Hallmark, Salesloft (origin), Toast, Avalara, Fastly, Cato Networks, Cloudflare, Palo Alto Networks, Zscaler, Tenable, Elastic, JFrog, CyberArk, Rubrik, BeyondTrust, Proofpoint, Workiva, Mercer Advisors, Beacon Pointe, Ameriprise, Kemper, Udemy, 7-Eleven, Mytheresa, Marcus & Millichap, Carnival, Pitney Bowes, Alert 360, Amtrak, McGraw-Hill, Canada Life",[],{},{"nodeType":1862,"data":1954,"content":1955},{},[1956],{"nodeType":1276,"data":1957,"content":1958},{},[1959],{"nodeType":1280,"value":1960,"marks":1961,"data":1962},"48 named victims. Confirmed individual impact includes 23M+ records (Coca-Cola), 5.7M records (Qantas), 6.2M customers (Odido), 4.4M consumers (TransUnion), up to 18M records (Stellantis), 13.5M emails (McGraw-Hill), 8.2M emails (Pitney Bowes), 7.5M emails (Carnival). 
ShinyHunters claims 1.5B+ Salesforce records across 1,000+ organizations total.",[],{},{"nodeType":1858,"data":1964,"content":1965},{},[1966,1981,1991,2001],{"nodeType":1862,"data":1967,"content":1968},{},[1969],{"nodeType":1276,"data":1970,"content":1971},{},[1972,1977],{"nodeType":1280,"value":1973,"marks":1974,"data":1976},"Vishing + AiTM SSO",[1975],{"type":1345},{},{"nodeType":1280,"value":1978,"marks":1979,"data":1980}," (vishing → AiTM phishing page → SSO session capture → SaaS data exfiltration)",[],{},{"nodeType":1862,"data":1982,"content":1983},{},[1984],{"nodeType":1276,"data":1985,"content":1986},{},[1987],{"nodeType":1280,"value":1988,"marks":1989,"data":1990},"Aug 2025",[],{},{"nodeType":1862,"data":1992,"content":1993},{},[1994],{"nodeType":1276,"data":1995,"content":1996},{},[1997],{"nodeType":1280,"value":1998,"marks":1999,"data":2000},"SoundCloud, GrubHub, Panera Bread, Match Group, Crunchbase, Betterment, CarMax, Edmunds, CarGurus, Hims & Hers, University of Pennsylvania, Harvard University, Optimizely, TELUS Digital, Crunchyroll, ADT",[],{},{"nodeType":1862,"data":2002,"content":2003},{},[2004],{"nodeType":1276,"data":2005,"content":2006},{},[2007],{"nodeType":1280,"value":2008,"marks":2009,"data":2010},"16 named victims. 
Confirmed individual impact includes ~30M records (SoundCloud), ~14M records (Panera), 10M+ records (Match Group), ~20M records (Betterment), 5.5M people (ADT), 1M+ records (UPenn), ~1PB stolen from TELUS Digital ($65M ransom refused).",[],{},{"nodeType":1858,"data":2012,"content":2013},{},[2014,2029,2039,2049],{"nodeType":1862,"data":2015,"content":2016},{},[2017],{"nodeType":1276,"data":2018,"content":2019},{},[2020,2025],{"nodeType":1280,"value":2021,"marks":2022,"data":2024},"Anodot Supply Chain",[2023],{"type":1345},{},{"nodeType":1280,"value":2026,"marks":2027,"data":2028}," (stolen OAuth tokens → downstream Snowflake/BigQuery access)",[],{},{"nodeType":1862,"data":2030,"content":2031},{},[2032],{"nodeType":1276,"data":2033,"content":2034},{},[2035],{"nodeType":1280,"value":2036,"marks":2037,"data":2038},"Apr 2026",[],{},{"nodeType":1862,"data":2040,"content":2041},{},[2042],{"nodeType":1276,"data":2043,"content":2044},{},[2045],{"nodeType":1280,"value":2046,"marks":2047,"data":2048},"Anodot/Glassbox (origin), Rockstar Games, Vimeo, Zara/Inditex",[],{},{"nodeType":1862,"data":2050,"content":2051},{},[2052],{"nodeType":1276,"data":2053,"content":2054},{},[2055],{"nodeType":1280,"value":2056,"marks":2057,"data":2058},"4 named victims (12+ total claimed). 78.6M records (Rockstar Games), 197K individuals (Zara), 119K individuals (Vimeo).",[],{},{"nodeType":1858,"data":2060,"content":2061},{},[2062,2077,2086,2096],{"nodeType":1862,"data":2063,"content":2064},{},[2065],{"nodeType":1276,"data":2066,"content":2067},{},[2068,2073],{"nodeType":1280,"value":2069,"marks":2070,"data":2072},"Other SLH-attributed",[2071],{"type":1345},{},{"nodeType":1280,"value":2074,"marks":2075,"data":2076}," (misc. 
vectors including infostealer chains, CI/CD supply chain, SaaS platform compromise)",[],{},{"nodeType":1862,"data":2078,"content":2079},{},[2080],{"nodeType":1276,"data":2081,"content":2082},{},[2083],{"nodeType":1280,"value":1940,"marks":2084,"data":2085},[],{},{"nodeType":1862,"data":2087,"content":2088},{},[2089],{"nodeType":1276,"data":2090,"content":2091},{},[2092],{"nodeType":1280,"value":2093,"marks":2094,"data":2095},"UK Legal Aid Agency, Mixpanel, Wynn Resorts, Woflow, Vercel, European Commission, Mercor, Medtronic, Instructure",[],{},{"nodeType":1862,"data":2097,"content":2098},{},[2099],{"nodeType":1276,"data":2100,"content":2101},{},[2102],{"nodeType":1280,"value":2103,"marks":2104,"data":2105},"10 named victims across varied vectors. Notable: Vercel (Lumma Stealer → Context.ai OAuth app → Google Workspace), European Commission (poisoned Trivy GitHub Action → 340GB across 71 EU entities)",[],{},{"nodeType":1276,"data":2107,"content":2108},{},[2109],{"nodeType":1280,"value":29,"marks":2110,"data":2111},[],{},{"entries":2113},{"hyperlink":2114,"inline":2115,"block":2116},[],[],[2117,2125,2166,2191],{"sys":2118,"__typename":2119,"title":2120,"caption":61,"layoutMode":61,"file":2121},{"id":1314},"Image","instructure-shinyhunters",{"url":2122,"width":2123,"height":2124},"https://images.ctfassets.net/y1cdw1ablpvd/4XbqfqLHSeXRpW6TpoioZ/1f53eea1a60fb5e2aa41a5a66e6e57a6/instructure-shinyhunters.jpg",1173,818,{"sys":2126,"__typename":2127,"content":2128,"name":2165,"title":61},{"id":1329},"InsightTextBlockComponent",{"json":2129},{"nodeType":1272,"data":2130,"content":2131},{},[2132],{"nodeType":1276,"data":2133,"content":2134},{},[2135,2139,2147,2151,2161],{"nodeType":1280,"value":2136,"marks":2137,"data":2138},"This isn’t the first time a cyberattack has caused this kind of disruption to Education — 
the",[],{},{"nodeType":1285,"data":2140,"content":2142},{"uri":2141},"https://www.bleepingcomputer.com/news/security/powerschool-hacker-claims-they-stole-data-of-62-million-students/",[2143],{"nodeType":1280,"value":2144,"marks":2145,"data":2146}," PowerSchool breach in late 2024",[],{},{"nodeType":1280,"value":2148,"marks":2149,"data":2150}," exposed data on 62 million students and 9.5 million teachers across thousands of school districts, demonstrating how deeply the education sector depends on platforms that are now firmly within the crosshairs of organized cybercrime. That was the result of stolen credentials being used to access PowerSchool’s support portal: another core technique used by ShinyHunters (they demonstrated this at scale in 2024’s ",[],{},{"nodeType":1285,"data":2152,"content":2154},{"uri":2153},"https://pushsecurity.com/blog/snowflake-retro/",[2155],{"nodeType":1280,"value":2156,"marks":2157,"data":2160},"Snowflake",[2158],{"type":2159},"underline",{},{"nodeType":1280,"value":2162,"marks":2163,"data":2164}," attacks, using infostealer-harvested credentials to compromise over 165 customer environments). 
",[],{},"Instructure IB1",{"sys":2167,"__typename":2127,"content":2168,"name":2190,"title":61},{"id":1509},{"json":2169},{"data":2170,"content":2171,"nodeType":1272},{},[2172],{"data":2173,"content":2174,"nodeType":1276},{},[2175,2179,2186],{"data":2176,"marks":2177,"value":2178,"nodeType":1280},{},[],"The speed at which these campaigns execute has compressed dramatically.",{"data":2180,"content":2181,"nodeType":1285},{"uri":1453},[2182],{"data":2183,"marks":2184,"value":2185,"nodeType":1280},{},[]," Unit 42 documented",{"data":2187,"marks":2188,"value":2189,"nodeType":1280},{},[]," Cordial Spider and Snarky Spider moving from initial compromise to complete data exfiltration in under an hour — fast enough that any detection strategy that relies on human SOC triage will arrive after the data has already left the building.","Instructure IB3",{"sys":2192,"__typename":2127,"content":2193,"name":2236,"title":61},{"id":1572},{"json":2194},{"nodeType":1272,"data":2195,"content":2196},{},[2197],{"nodeType":1276,"data":2198,"content":2199},{},[2200,2204,2212,2216,2223,2227,2232],{"nodeType":1280,"value":2201,"marks":2202,"data":2203},"Device code phishing has been rapidly commoditized. 
What began with",[],{},{"nodeType":1285,"data":2205,"content":2207},{"uri":2206},"https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/",[2208],{"nodeType":1280,"value":2209,"marks":2210,"data":2211}," Storm-2372's nation-state campaigns in August 2024",[],{},{"nodeType":1280,"value":2213,"marks":2214,"data":2215}," has since proliferated through criminal kits like EvilTokens and Venom — which reuses Sneaky2FA's AiTM infrastructure while adding device code phishing options — and more recently through Tycoon2FA, which has",[],{},{"nodeType":1285,"data":2217,"content":2218},{"uri":1687},[2219],{"nodeType":1280,"value":2220,"marks":2221,"data":2222}," adopted device code phishing capabilities",[],{},{"nodeType":1280,"value":2224,"marks":2225,"data":2226}," alongside its established AiTM functionality. Push now tracks 12+ distinct device code phishing kits in the wild and has measured a ",[],{},{"nodeType":1280,"value":2228,"marks":2229,"data":2231},"37.5x increase in device code phishing activity since the start of 2026",[2230],{"type":1345},{},{"nodeType":1280,"value":2233,"marks":2234,"data":2235},". 
",[],{},"Instructure IB2","json",{},"How three techniques are behind ShinyHunters' 2026 campaigns","2026-05-08T00:00:00.000Z",{"items":2242},[2243,4176,4954],{"__typename":2244,"sys":2245,"content":2247,"title":4155,"synopsis":4156,"hashTags":61,"publishedDate":4157,"slug":4158,"tagsCollection":4159,"authorsCollection":4169},"BlogPosts",{"id":2246},"2tz0zEJCarJBkceOYk4zVg",{"json":2248},{"nodeType":1272,"data":2249,"content":2250},{},[2251,2258,2288,2300,2307,2313,2325,2331,2334,2342,2349,2414,2421,2427,2430,2438,2445,2451,2459,2466,2592,2598,2604,2610,2616,2624,2631,2638,2701,2708,2714,2720,2728,2735,2742,2750,2757,2790,2797,2803,2810,2858,2865,2873,2880,2886,2893,2900,2906,2913,2946,2953,2959,2962,2970,2977,2984,2991,2997,3004,3011,3017,3024,3030,3037,3043,3050,3057,3060,3068,3084,3091,3110,3353,3360,3391,3626,3633,3640,3841,3848,4033,4036,4044,4051,4058,4070,4073,4081,4100,4117,4125,4128,4136],{"nodeType":1276,"data":2252,"content":2253},{},[2254],{"nodeType":1280,"value":2255,"marks":2256,"data":2257},"When Push blocks an attack in the browser, we take the opportunity to do some more digging to see what else we can find. One recent detection led us down the rabbit hole — and right into a criminal phishing panel. 
",[],{},{"nodeType":1276,"data":2259,"content":2260},{},[2261,2265,2272,2276,2284],{"nodeType":1280,"value":2262,"marks":2263,"data":2264},"Real-time operated phishing panels have been used extensively in recent months, in vishing + phishing attacks attributed first to ",[],{},{"nodeType":1285,"data":2266,"content":2267},{"uri":1531},[2268],{"nodeType":1280,"value":2269,"marks":2270,"data":2271},"ShinyHunters",[],{},{"nodeType":1280,"value":2273,"marks":2274,"data":2275},", and more recently the ",[],{},{"nodeType":1285,"data":2277,"content":2279},{"uri":2278},"https://www.bleepingcomputer.com/news/security/new-blackfile-extortion-gang-targets-retail-and-hospitality-orgs/",[2280],{"nodeType":1280,"value":2281,"marks":2282,"data":2283},"BlackFile",[],{},{"nodeType":1280,"value":2285,"marks":2286,"data":2287}," hacking group, with a significant overlap in techniques and tooling. ",[],{},{"nodeType":1276,"data":2289,"content":2290},{},[2291,2296],{"nodeType":1280,"value":2292,"marks":2293,"data":2295},"We’ve directly accessed active deployments of the operator panels driving these campaigns, observed what happens in real-time when a victim is targeted, and analyzed multiple variants and forks of the tooling. ",[2294],{"type":1345},{},{"nodeType":1280,"value":2297,"marks":2298,"data":2299}," ",[],{},{"nodeType":1276,"data":2301,"content":2302},{},[2303],{"nodeType":1280,"value":2304,"marks":2305,"data":2306},"We identified four primary infrastructure clusters, with each deployment having its own panel implementation. 
While the panels share common heritage, the operators deploying them appear to be separate groups with different infrastructure preferences and operational patterns.",[],{},{"nodeType":1310,"data":2308,"content":2312},{"target":2309},{"sys":2310},{"id":2311,"type":1315,"linkType":1316},"5BQOpzjSbobLx8OkvXl6os",[],{"nodeType":1276,"data":2314,"content":2315},{},[2316,2320],{"nodeType":1280,"value":2317,"marks":2318,"data":2319},"The existence of these independently branded forks indicates that the tooling has entered a phase of wider distribution — operators who obtained the original panel source are now customizing and reshipping it for their own purposes. As a result, the tooling is now most likely accessible to a broad population of financially motivated threat actors. ",[],{},{"nodeType":1280,"value":2321,"marks":2322,"data":2324},"In total, we’ve identified over 400 domains linked to the attacks, giving an indication of the scale. ",[2323],{"type":1345},{},{"nodeType":1310,"data":2326,"content":2330},{"target":2327},{"sys":2328},{"id":2329,"type":1315,"linkType":1316},"2Z1LUdYXVONWO9nnJTkWsJ",[],{"nodeType":1355,"data":2332,"content":2333},{},[],{"nodeType":1359,"data":2335,"content":2336},{},[2337],{"nodeType":1280,"value":2338,"marks":2339,"data":2341},"Background",[2340],{"type":1345},{},{"nodeType":1276,"data":2343,"content":2344},{},[2345],{"nodeType":1280,"value":2346,"marks":2347,"data":2348},"Since at least August 2025, attackers have been running hybrid social engineering campaigns targeting hundreds of organizations across financial services, technology, cryptocurrency, healthcare, hospitality, and private aviation. 
",[],{},{"nodeType":2350,"data":2351,"content":2352},"unordered-list",{},[2353,2369,2384,2399],{"nodeType":2354,"data":2355,"content":2356},"list-item",{},[2357],{"nodeType":1276,"data":2358,"content":2359},{},[2360,2365],{"nodeType":1280,"value":2361,"marks":2362,"data":2364},"August 2025: ",[2363],{"type":1345},{},{"nodeType":1280,"value":2366,"marks":2367,"data":2368},"Tooling made available, used in crypto-focused attacks",[],{},{"nodeType":2354,"data":2370,"content":2371},{},[2372],{"nodeType":1276,"data":2373,"content":2374},{},[2375,2380],{"nodeType":1280,"value":2376,"marks":2377,"data":2379},"November 2025:",[2378],{"type":1345},{},{"nodeType":1280,"value":2381,"marks":2382,"data":2383}," Major attacks on enterprise identity platforms begin",[],{},{"nodeType":2354,"data":2385,"content":2386},{},[2387],{"nodeType":1276,"data":2388,"content":2389},{},[2390,2395],{"nodeType":1280,"value":2391,"marks":2392,"data":2394},"January 2026: ",[2393],{"type":1345},{},{"nodeType":1280,"value":2396,"marks":2397,"data":2398},"Public breaches reported",[],{},{"nodeType":2354,"data":2400,"content":2401},{},[2402],{"nodeType":1276,"data":2403,"content":2404},{},[2405,2410],{"nodeType":1280,"value":2406,"marks":2407,"data":2409},"March 2026: ",[2408],{"type":1345},{},{"nodeType":1280,"value":2411,"marks":2412,"data":2413},"Activity spikes again",[],{},{"nodeType":1276,"data":2415,"content":2416},{},[2417],{"nodeType":1280,"value":2418,"marks":2419,"data":2420},"The attacks combine voice phishing with MFA-bypassing adversary-in-the-middle (AiTM) phishing mechanisms that allow the attacker to steal authenticated sessions for target applications — typically enterprise identity providers and cryptocurrency exchanges. Once an identity provider account is compromised, the attackers pivot across connected SaaS platforms — SharePoint, Salesforce, DocuSign, Slack — exfiltrate data, and attempt to extort the victim organization. 
",[],{},{"nodeType":1310,"data":2422,"content":2426},{"target":2423},{"sys":2424},{"id":2425,"type":1315,"linkType":1316},"2X2YXMpozrbRQhegk7yF1k",[],{"nodeType":1355,"data":2428,"content":2429},{},[],{"nodeType":1359,"data":2431,"content":2432},{},[2433],{"nodeType":1280,"value":2434,"marks":2435,"data":2437},"Inside the panels: what Push found",[2436],{"type":1345},{},{"nodeType":1276,"data":2439,"content":2440},{},[2441],{"nodeType":1280,"value":2442,"marks":2443,"data":2444},"Push detected an active Okta phishing site with TTPs aligned to the tooling used by SLH and affiliated groups. Through analysis of the phishing infrastructure, we gained direct access to Doko’s Panel and variants, and were able to observe how these attacks unfold from the operator's perspective — including real victim submission logs from the current week confirming ongoing active operations.",[],{},{"nodeType":1310,"data":2446,"content":2450},{"target":2447},{"sys":2448},{"id":2449,"type":1315,"linkType":1316},"5ND0etPs5xN7ejz24l71jy",[],{"nodeType":1698,"data":2452,"content":2453},{},[2454],{"nodeType":1280,"value":2455,"marks":2456,"data":2458},"How the attack works",[2457],{"type":1345},{},{"nodeType":1276,"data":2460,"content":2461},{},[2462],{"nodeType":1280,"value":2463,"marks":2464,"data":2465},"The general sequence of steps is the same across the panels:",[],{},{"nodeType":2350,"data":2467,"content":2468},{},[2469,2484,2499,2523,2538,2553,2577],{"nodeType":2354,"data":2470,"content":2471},{},[2472],{"nodeType":1276,"data":2473,"content":2474},{},[2475,2480],{"nodeType":1280,"value":2476,"marks":2477,"data":2479},"The operator calls the target",[2478],{"type":1345},{},{"nodeType":1280,"value":2481,"marks":2482,"data":2483}," spoofing the organization's IT helpdesk number, often referencing real employee names or internal ticket numbers to establish trust. 
The target is directed to a phishing domain — usually following a combosquatting pattern like my\u003Ctarget>internal[.]com or \u003Ctarget>sso[.]com — under the pretext of a mandatory security update, passkey enrollment, or support ticket resolution. ",[],{},{"nodeType":2354,"data":2485,"content":2486},{},[2487],{"nodeType":1276,"data":2488,"content":2489},{},[2490,2495],{"nodeType":1280,"value":2491,"marks":2492,"data":2494},"The victim lands on the phishing domain",[2493],{"type":1345},{},{"nodeType":1280,"value":2496,"marks":2497,"data":2498}," and is presented with a loading spinner — the anti-bot gate that prevents unauthorized access to the phishing pages.",[],{},{"nodeType":2354,"data":2500,"content":2501},{},[2502],{"nodeType":1276,"data":2503,"content":2504},{},[2505,2510,2514,2519],{"nodeType":1280,"value":2506,"marks":2507,"data":2509},"The operator accepts the visitor",[2508],{"type":1345},{},{"nodeType":1280,"value":2511,"marks":2512,"data":2513}," from the admin panel and ",[],{},{"nodeType":1280,"value":2515,"marks":2516,"data":2518},"the victim is redirected",[2517],{"type":1345},{},{"nodeType":1280,"value":2520,"marks":2521,"data":2522}," to the cloned login page (e.g. Google, Microsoft, Okta).",[],{},{"nodeType":2354,"data":2524,"content":2525},{},[2526],{"nodeType":1276,"data":2527,"content":2528},{},[2529,2534],{"nodeType":1280,"value":2530,"marks":2531,"data":2533},"The victim enters their email address and password",[2532],{"type":1345},{},{"nodeType":1280,"value":2535,"marks":2536,"data":2537},", which is forwarded to the operator's Telegram channel. The victim sees a processing spinner on the branded login form.",[],{},{"nodeType":2354,"data":2539,"content":2540},{},[2541],{"nodeType":1276,"data":2542,"content":2543},{},[2544,2549],{"nodeType":1280,"value":2545,"marks":2546,"data":2548},"The operator relays the credentials",[2547],{"type":1345},{},{"nodeType":1280,"value":2550,"marks":2551,"data":2552}," to the real identity provider. 
If they're valid, the attack proceeds. If they're invalid, the operator can redirect the victim back to the credential entry pages. Assuming MFA is required, the operator issues a redirect to an appropriate MFA capture page — \"Submit SMS OTP,\" \"Submit Gauth OTP,\" or \"Approve [XX] Prompt,\" depending on what the legitimate IdP is presenting.",[],{},{"nodeType":2354,"data":2554,"content":2555},{},[2556],{"nodeType":1276,"data":2557,"content":2558},{},[2559,2564,2568,2573],{"nodeType":1280,"value":2560,"marks":2561,"data":2563},"The victim submits their OTP or approves the push notification ",[2562],{"type":1345},{},{"nodeType":1280,"value":2565,"marks":2566,"data":2567},"and",[],{},{"nodeType":1280,"value":2569,"marks":2570,"data":2572}," the operator relays the OTP",[2571],{"type":1345},{},{"nodeType":1280,"value":2574,"marks":2575,"data":2576}," in their own login session, completes authentication, and captures the session. ",[],{},{"nodeType":2354,"data":2578,"content":2579},{},[2580],{"nodeType":1276,"data":2581,"content":2582},{},[2583,2588],{"nodeType":1280,"value":2584,"marks":2585,"data":2587},"The victim is redirected to a benign page",[2586],{"type":1345},{},{"nodeType":1280,"value":2589,"marks":2590,"data":2591}," (e.g., Google Drive) or to a support ticket closure screen displaying a fabricated ticket 
number.",[],{},{"nodeType":1310,"data":2593,"content":2597},{"target":2594},{"sys":2595},{"id":2596,"type":1315,"linkType":1316},"1o0wm3EOd7zSl5MddsNxgL",[],{"nodeType":1310,"data":2599,"content":2603},{"target":2600},{"sys":2601},{"id":2602,"type":1315,"linkType":1316},"7w7SQEn3aITpcgXLMThhbS",[],{"nodeType":1276,"data":2605,"content":2606},{},[2607],{"nodeType":1280,"value":29,"marks":2608,"data":2609},[],{},{"nodeType":1310,"data":2611,"content":2615},{"target":2612},{"sys":2613},{"id":2614,"type":1315,"linkType":1316},"PJJabY1ZfoCfl8XQ6PMj2",[],{"nodeType":1698,"data":2617,"content":2618},{},[2619],{"nodeType":1280,"value":2620,"marks":2621,"data":2623},"Doko’s Panel",[2622],{"type":1345},{},{"nodeType":1276,"data":2625,"content":2626},{},[2627],{"nodeType":1280,"value":2628,"marks":2629,"data":2630},"Let’s take a closer look at the panels themselves. We'll start with the default version of Doko's Panel since it’s the most established. It provides a multi-functional framework targeting users of Google, Microsoft Entra, Okta, and popular cryptocurrency exchanges including Abra, Coinbase, Gemini, and Kraken. 
Its core functionality resides in a client-side JavaScript file (client.js) that establishes the real-time feedback loop between the victim's browser and the operator's C2.",[],{},{"nodeType":1276,"data":2632,"content":2633},{},[2634],{"nodeType":1280,"value":2635,"marks":2636,"data":2637},"The technical indicators that characterize Doko's Panel in its standard form include:",[],{},{"nodeType":2350,"data":2639,"content":2640},{},[2641,2656,2671,2686],{"nodeType":2354,"data":2642,"content":2643},{},[2644],{"nodeType":1276,"data":2645,"content":2646},{},[2647,2652],{"nodeType":1280,"value":2648,"marks":2649,"data":2651},"client.js",[2650],{"type":1345},{},{"nodeType":1280,"value":2653,"marks":2654,"data":2655}," containing a pingServer() function that sends a JSON POST request to /backend.php every second with the structure { action: 'ping', token, window_id, page, os, browser }. If the response contains a redirect key, the victim's browser navigates to that path. ",[],{},{"nodeType":2354,"data":2657,"content":2658},{},[2659],{"nodeType":1276,"data":2660,"content":2661},{},[2662,2667],{"nodeType":1280,"value":2663,"marks":2664,"data":2666},"sendTelegramMessage()",[2665],{"type":1345},{},{"nodeType":1280,"value":2668,"marks":2669,"data":2670}," (aliased to sendtg()), a function for relaying real-time credential submissions and session updates to the operator's Telegram channel.",[],{},{"nodeType":2354,"data":2672,"content":2673},{},[2674],{"nodeType":1276,"data":2675,"content":2676},{},[2677,2682],{"nodeType":1280,"value":2678,"marks":2679,"data":2681},"backend.php",[2680],{"type":1345},{},{"nodeType":1280,"value":2683,"marks":2684,"data":2685}," as the primary server-side handler for both victim ping actions and admin panel operations (retrieving connected victim information, sending redirect 
instructions).",[],{},{"nodeType":2354,"data":2687,"content":2688},{},[2689],{"nodeType":1276,"data":2690,"content":2691},{},[2692,2697],{"nodeType":1280,"value":2693,"marks":2694,"data":2696},"j.php",[2695],{"type":1345},{},{"nodeType":1280,"value":2698,"marks":2699,"data":2700}," as the endpoint for sending Telegram messages, relaying captured credentials and session logs.",[],{},{"nodeType":1276,"data":2702,"content":2703},{},[2704],{"nodeType":1280,"value":2705,"marks":2706,"data":2707},"Push found that deployments of Doko's Panel had minimal security by default — anyone was able to view the admin panel and manage visitors' connections without authentication.",[],{},{"nodeType":1310,"data":2709,"content":2713},{"target":2710},{"sys":2711},{"id":2712,"type":1315,"linkType":1316},"3glwGSGHdCpf3DLqNmQqN8",[],{"nodeType":1310,"data":2715,"content":2719},{"target":2716},{"sys":2717},{"id":2718,"type":1315,"linkType":1316},"20ymWIXMkmJlw7XYb93c9o",[],{"nodeType":1698,"data":2721,"content":2722},{},[2723],{"nodeType":1280,"value":2724,"marks":2725,"data":2727},"Panel proliferation and remixes",[2726],{"type":1345},{},{"nodeType":1276,"data":2729,"content":2730},{},[2731],{"nodeType":1280,"value":2732,"marks":2733,"data":2734},"Access to Doko's Panel has clearly proliferated beyond its original developers, resulting in remixes and variants being distributed across the ecosystem. Push identified a variant titled \"Lord Mensius's Panel\" targeting Koinly (a cryptocurrency tax platform), and another titled \"$$$\" using a template impersonating the Australian Tax Office, also targeting cryptocurrency tax filing. ",[],{},{"nodeType":1276,"data":2736,"content":2737},{},[2738],{"nodeType":1280,"value":2739,"marks":2740,"data":2741},"The existence of these independently branded forks indicates that the tooling has entered a phase of wider distribution — operators who obtained the original panel source are now customizing and reshipping it for their own purposes. 
As a result, the tooling is now accessible to a broad population of financially motivated threat actors. ",[],{},{"nodeType":1698,"data":2743,"content":2744},{},[2745],{"nodeType":1280,"value":2746,"marks":2747,"data":2749},"heartbeat/check_redirect variant",[2748],{"type":1345},{},{"nodeType":1276,"data":2751,"content":2752},{},[2753],{"nodeType":1280,"value":2754,"marks":2755,"data":2756},"In addition to Doko’s Panel and its forks, the site initially detected by Push used a modified variant of Doko's Panel with a different C2 protocol. Rather than the standard ping action, this variant sent two types of regular requests from client.js to the backend:",[],{},{"nodeType":2350,"data":2758,"content":2759},{},[2760,2775],{"nodeType":2354,"data":2761,"content":2762},{},[2763],{"nodeType":1276,"data":2764,"content":2765},{},[2766,2771],{"nodeType":1280,"value":2767,"marks":2768,"data":2770},"Heartbeat",[2769],{"type":1345},{},{"nodeType":1280,"value":2772,"marks":2773,"data":2774}," — POST to backend.php with action=heartbeat along with page, token, and window_id.",[],{},{"nodeType":2354,"data":2776,"content":2777},{},[2778],{"nodeType":1276,"data":2779,"content":2780},{},[2781,2786],{"nodeType":1280,"value":2782,"marks":2783,"data":2785},"Check Redirect",[2784],{"type":1345},{},{"nodeType":1280,"value":2787,"marks":2788,"data":2789}," — GET to backend.php with parameters action=check_redirect along with token and window_id.",[],{},{"nodeType":1276,"data":2791,"content":2792},{},[2793],{"nodeType":1280,"value":2794,"marks":2795,"data":2796},"A redirect instruction in response to either request causes the victim's browser to navigate to the specified page. The variant compounds this with a separate inline script embedded in the landing gate HTML — in addition to client.js — that schedules its own sendHeartbeat() and checkRedirect() functions on regular intervals. 
",[],{},{"nodeType":1310,"data":2798,"content":2802},{"target":2799},{"sys":2800},{"id":2801,"type":1315,"linkType":1316},"6zRc9ublZvEQCxcWtMBSnF",[],{"nodeType":1276,"data":2804,"content":2805},{},[2806],{"nodeType":1280,"value":2807,"marks":2808,"data":2809},"Additional technical differentiators for this variant include:",[],{},{"nodeType":2350,"data":2811,"content":2812},{},[2813,2828,2843],{"nodeType":2354,"data":2814,"content":2815},{},[2816],{"nodeType":1276,"data":2817,"content":2818},{},[2819,2824],{"nodeType":1280,"value":2820,"marks":2821,"data":2823},"UUID generation",[2822],{"type":1345},{},{"nodeType":1280,"value":2825,"marks":2826,"data":2827}," using Math.random() to replace x in the template xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx, rather than the original Doko's Panel method of constructing a template from [1e7]+-1e3+-4e3+-8e3+-1e11 and replacing [018].",[],{},{"nodeType":2354,"data":2829,"content":2830},{},[2831],{"nodeType":1276,"data":2832,"content":2833},{},[2834,2839],{"nodeType":1280,"value":2835,"marks":2836,"data":2838},"No central Telegram sending function",[2837],{"type":1345},{},{"nodeType":1280,"value":2840,"marks":2841,"data":2842},", though j.php still exists and is called from inline scripts on individual phishing pages.",[],{},{"nodeType":2354,"data":2844,"content":2845},{},[2846],{"nodeType":1276,"data":2847,"content":2848},{},[2849,2854],{"nodeType":1280,"value":2850,"marks":2851,"data":2853},"No use of FNV-1a",[2852],{"type":1345},{},{"nodeType":1280,"value":2855,"marks":2856,"data":2857}," to hash-generate the window ID.",[],{},{"nodeType":1276,"data":2859,"content":2860},{},[2861],{"nodeType":1280,"value":2862,"marks":2863,"data":2864},"Push also found sub-variants hosting Okta phishing pages with additional modifications: a minified client.js script, and a renamed backend endpoint (api_FyekIDWY.php replacing 
backend.php).",[],{},{"nodeType":1698,"data":2866,"content":2867},{},[2868],{"nodeType":1280,"value":2869,"marks":2870,"data":2872},"Revamped admin panel",[2871],{"type":1345},{},{"nodeType":1276,"data":2874,"content":2875},{},[2876],{"nodeType":1280,"value":2877,"marks":2878,"data":2879},"Push also found examples of a significantly revamped admin panel, including a version from April 2026 specifically targeting Microsoft as an enterprise identity provider. ",[],{},{"nodeType":1310,"data":2881,"content":2885},{"target":2882},{"sys":2883},{"id":2884,"type":1315,"linkType":1316},"3ufb4cotpg0f7yoIQJnND0",[],{"nodeType":1276,"data":2887,"content":2888},{},[2889],{"nodeType":1280,"value":2890,"marks":2891,"data":2892},"This panel featured a more sophisticated operator interface with an updated look, quick action buttons, and sound notifications.",[],{},{"nodeType":1276,"data":2894,"content":2895},{},[2896],{"nodeType":1280,"value":2897,"marks":2898,"data":2899},"In addition to the standard compromise flow for acquiring email, password, and OTP, this panel provided operator actions for sending Microsoft Teams call instructions to the victim — a Meeting ID and Passcode rendered on a branded page. This capability likely enables further interaction through a channel that supports screensharing, extending the attacker's reach beyond credential theft into live session manipulation. 
It also has the potential to make the scenario more believable for the victim.",[],{},{"nodeType":1310,"data":2901,"content":2905},{"target":2902},{"sys":2903},{"id":2904,"type":1315,"linkType":1316},"4pg65d1SvTJA3xm6AsxZBp",[],{"nodeType":1276,"data":2907,"content":2908},{},[2909],{"nodeType":1280,"value":2910,"marks":2911,"data":2912},"Other capabilities were referenced in the panel's source code but did not appear active in the observed deployment:",[],{},{"nodeType":2350,"data":2914,"content":2915},{},[2916,2931],{"nodeType":2354,"data":2917,"content":2918},{},[2919],{"nodeType":1276,"data":2920,"content":2921},{},[2922,2927],{"nodeType":1280,"value":2923,"marks":2924,"data":2926},"Additional MFA approval pages",[2925],{"type":1345},{},{"nodeType":1280,"value":2928,"marks":2929,"data":2930}," for Duo and Okta, with the operator providing a code to display to the victim.",[],{},{"nodeType":2354,"data":2932,"content":2933},{},[2934],{"nodeType":1276,"data":2935,"content":2936},{},[2937,2942],{"nodeType":1280,"value":2938,"marks":2939,"data":2941},"A code execution prompt",[2940],{"type":1345},{},{"nodeType":1280,"value":2943,"marks":2944,"data":2945}," to instruct the victim to run a command — the placeholder example being mshta to execute a remote HTA file, suggesting a potential bridge from identity compromise into malware delivery.",[],{},{"nodeType":1276,"data":2947,"content":2948},{},[2949],{"nodeType":1280,"value":2950,"marks":2951,"data":2952},"The admin panel also included settings for restricting access to specific geographic locations and device types, allowing operators to refine their campaign targeting and also avoid detection from unusual devices (often an indicator that the visitor is not a real human and is actually a security tool or 
bot).",[],{},{"nodeType":1310,"data":2954,"content":2958},{"target":2955},{"sys":2956},{"id":2957,"type":1315,"linkType":1316},"1hebGtxbkyuejWXczwx5n6",[],{"nodeType":1355,"data":2960,"content":2961},{},[],{"nodeType":1359,"data":2963,"content":2964},{},[2965],{"nodeType":1280,"value":2966,"marks":2967,"data":2969},"LLM-generated tells: vibe-coded phishing infrastructure",[2968],{"type":1345},{},{"nodeType":1276,"data":2971,"content":2972},{},[2973],{"nodeType":1280,"value":2974,"marks":2975,"data":2976},"Evidence of extensive LLM use is extremely prevalent in attacks detected by Push, from LLM-generated phishing kits and tools to vibe-coded cloned pages. Attackers have also been observed leveraging AI–assisted capabilities in SaaS platforms to automate and scale-up their campaigns from an infrastructure and operations perspective. ",[],{},{"nodeType":1276,"data":2978,"content":2979},{},[2980],{"nodeType":1280,"value":2981,"marks":2982,"data":2983},"The ‘heartbeat’ variant in particular has significant tells of heavy use of LLMs to modify the phishing panel for the operator’s needs. 
The fact that these are so blatant increases the belief that these tools are being vibe-coded by relatively inexperienced developers with limited regard for operational security.",[],{},{"nodeType":1276,"data":2985,"content":2986},{},[2987],{"nodeType":1280,"value":2988,"marks":2989,"data":2990},"Some versions of client.js begin with verbose header comments that no human developer would write:",[],{},{"nodeType":1310,"data":2992,"content":2996},{"target":2993},{"sys":2994},{"id":2995,"type":1315,"linkType":1316},"01mOiserRBXraawXwQyJNm",[],{"nodeType":1276,"data":2998,"content":2999},{},[3000],{"nodeType":1280,"value":3001,"marks":3002,"data":3003},"The \"NOTES FOR NEXT SESSION\" header is particularly telling — it's a pattern generated by LLMs that maintain context between chat sessions, not a convention any human developer would adopt in production code, let alone in a phishing kit where operational security should discourage self-documenting infrastructure.",[],{},{"nodeType":1276,"data":3005,"content":3006},{},[3007],{"nodeType":1280,"value":3008,"marks":3009,"data":3010},"The admin panel HTML contains similarly over-documented opening comments:",[],{},{"nodeType":1310,"data":3012,"content":3016},{"target":3013},{"sys":3014},{"id":3015,"type":1315,"linkType":1316},"60snRhz0RIsvLI6OU9RDOk",[],{"nodeType":1276,"data":3018,"content":3019},{},[3020],{"nodeType":1280,"value":3021,"marks":3022,"data":3023},"One of the Okta cloned login pages observed by Push contained the following comments suggesting the use of an LLM to create the clone:",[],{},{"nodeType":1310,"data":3025,"content":3029},{"target":3026},{"sys":3027},{"id":3028,"type":1315,"linkType":1316},"1WCd5LQ6cfPf1IsNAhPSIT",[],{"nodeType":1276,"data":3031,"content":3032},{},[3033],{"nodeType":1280,"value":3034,"marks":3035,"data":3036},"The cloned Microsoft login pages displayed previously contain terser comments, but still typical of useless comments that are included by an LLM rather than a human author, 
especially a malware/phishing author:",[],{},{"nodeType":1310,"data":3038,"content":3042},{"target":3039},{"sys":3040},{"id":3041,"type":1315,"linkType":1316},"6WN59mkiscNmAt8dmOR81c",[],{"nodeType":1276,"data":3044,"content":3045},{},[3046],{"nodeType":1280,"value":3047,"marks":3048,"data":3049},"The broken duplication in the heartbeat variant — where an inline script and client.js independently schedule the same backend requests using slightly different data formats — is consistent with an operator pasting requirements into an LLM and accepting the output without understanding the existing codebase well enough to recognize the redundancy.",[],{},{"nodeType":1276,"data":3051,"content":3052},{},[3053],{"nodeType":1280,"value":3054,"marks":3055,"data":3056},"Clearly, the barrier to entry for building (or forking) and operating a real-time vishing phishing panel is lower than the effectiveness of the tooling might suggest.",[],{},{"nodeType":1355,"data":3058,"content":3059},{},[],{"nodeType":1359,"data":3061,"content":3062},{},[3063],{"nodeType":1280,"value":3064,"marks":3065,"data":3067},"Infrastructure clustering and attribution",[3066],{"type":1345},{},{"nodeType":1276,"data":3069,"content":3070},{},[3071,3075,3080],{"nodeType":1280,"value":3072,"marks":3073,"data":3074},"Through analysis of phishing domains, hosting infrastructure, and technical indicators in the panel source code, ",[],{},{"nodeType":1280,"value":3076,"marks":3077,"data":3079},"we’re highlighting four distinct infrastructure clusters associated with this tooling. 
",[3078],{"type":1345},{},{"nodeType":1280,"value":3081,"marks":3082,"data":3083},"While the panels share common heritage, the operators deploying them appear to be separate groups with different infrastructure preferences and operational patterns.",[],{},{"nodeType":1698,"data":3085,"content":3086},{},[3087],{"nodeType":1280,"value":3088,"marks":3089,"data":3090},"Cluster A",[],{},{"nodeType":1276,"data":3092,"content":3093},{},[3094,3098,3106],{"nodeType":1280,"value":3095,"marks":3096,"data":3097},"The indicators for Cluster A overlap with ",[],{},{"nodeType":1285,"data":3099,"content":3100},{"uri":1430},[3101],{"nodeType":1280,"value":3102,"marks":3103,"data":3105},"Mandiant’s reporting on UNC6661",[3104],{"type":2159},{},{"nodeType":1280,"value":3107,"marks":3108,"data":3109},". Mandiant also attributes the extortion activity following UNC6661 intrusions to UNC6240, aka ShinyHunters.",[],{},{"nodeType":1854,"data":3111,"content":3112},{},[3113,3137,3166,3189,3240,3284,3307,3330],{"nodeType":1858,"data":3114,"content":3115},{},[3116,3127],{"nodeType":1862,"data":3117,"content":3118},{},[3119],{"nodeType":1276,"data":3120,"content":3121},{},[3122],{"nodeType":1280,"value":3123,"marks":3124,"data":3126},"Tool",[3125],{"type":1345},{},{"nodeType":1862,"data":3128,"content":3129},{},[3130],{"nodeType":1276,"data":3131,"content":3132},{},[3133],{"nodeType":1280,"value":2620,"marks":3134,"data":3136},[3135],{"type":1345},{},{"nodeType":1858,"data":3138,"content":3139},{},[3140,3149],{"nodeType":1862,"data":3141,"content":3142},{},[3143],{"nodeType":1276,"data":3144,"content":3145},{},[3146],{"nodeType":1280,"value":2648,"marks":3147,"data":3148},[],{},{"nodeType":1862,"data":3150,"content":3151},{},[3152,3159],{"nodeType":1276,"data":3153,"content":3154},{},[3155],{"nodeType":1280,"value":3156,"marks":3157,"data":3158},"8a01bcb70ec1c101a163c9cb8e074781c1322096f7ae01789f02252854def44c",[],{},{"nodeType":1276,"data":3160,"content":3161},{},[3162],{"nodeType":1280,"value
":3163,"marks":3164,"data":3165},"f574b6e6b3a968cda5f51bec2c090d8eb095fbcfc383314f94bc15676a0d6692",[],{},{"nodeType":1858,"data":3167,"content":3168},{},[3169,3179],{"nodeType":1862,"data":3170,"content":3171},{},[3172],{"nodeType":1276,"data":3173,"content":3174},{},[3175],{"nodeType":1280,"value":3176,"marks":3177,"data":3178},"Timeframe",[],{},{"nodeType":1862,"data":3180,"content":3181},{},[3182],{"nodeType":1276,"data":3183,"content":3184},{},[3185],{"nodeType":1280,"value":3186,"marks":3187,"data":3188},"November 2025 - present (April 2026)",[],{},{"nodeType":1858,"data":3190,"content":3191},{},[3192,3202],{"nodeType":1862,"data":3193,"content":3194},{},[3195],{"nodeType":1276,"data":3196,"content":3197},{},[3198],{"nodeType":1280,"value":3199,"marks":3200,"data":3201},"Domain Patterns",[],{},{"nodeType":1862,"data":3203,"content":3204},{},[3205,3212,3219,3226,3233],{"nodeType":1276,"data":3206,"content":3207},{},[3208],{"nodeType":1280,"value":3209,"marks":3210,"data":3211},"\u003Ctarget>internal.com\n\u003Ctarget>sso.com",[],{},{"nodeType":1276,"data":3213,"content":3214},{},[3215],{"nodeType":1280,"value":3216,"marks":3217,"data":3218},"my\u003Ctarget>.com",[],{},{"nodeType":1276,"data":3220,"content":3221},{},[3222],{"nodeType":1280,"value":3223,"marks":3224,"data":3225},"my\u003Ctarget>internal.com",[],{},{"nodeType":1276,"data":3227,"content":3228},{},[3229],{"nodeType":1280,"value":3230,"marks":3231,"data":3232},"my\u003Ctarget>manager.com",[],{},{"nodeType":1276,"data":3234,"content":3235},{},[3236],{"nodeType":1280,"value":3237,"marks":3238,"data":3239},"my\u003Ctarget>sso.com",[],{},{"nodeType":1858,"data":3241,"content":3242},{},[3243,3253],{"nodeType":1862,"data":3244,"content":3245},{},[3246],{"nodeType":1276,"data":3247,"content":3248},{},[3249],{"nodeType":1280,"value":3250,"marks":3251,"data":3252},"Examples",[],{},{"nodeType":1862,"data":3254,"content":3255},{},[3256,3263,3270,3277],{"nodeType":1276,"data":3257,"content":3258},{},[3259],{"nod
eType":1280,"value":3260,"marks":3261,"data":3262},"mydropboxinternal.com (November 2025)",[],{},{"nodeType":1276,"data":3264,"content":3265},{},[3266],{"nodeType":1280,"value":3267,"marks":3268,"data":3269},"myxerointernal.com (December 2025)",[],{},{"nodeType":1276,"data":3271,"content":3272},{},[3273],{"nodeType":1280,"value":3274,"marks":3275,"data":3276},"amazoninternal.com (March 2026)",[],{},{"nodeType":1276,"data":3278,"content":3279},{},[3280],{"nodeType":1280,"value":3281,"marks":3282,"data":3283},"mydisneysso.com (March 2026)",[],{},{"nodeType":1858,"data":3285,"content":3286},{},[3287,3297],{"nodeType":1862,"data":3288,"content":3289},{},[3290],{"nodeType":1276,"data":3291,"content":3292},{},[3293],{"nodeType":1280,"value":3294,"marks":3295,"data":3296},"Registrar",[],{},{"nodeType":1862,"data":3298,"content":3299},{},[3300],{"nodeType":1276,"data":3301,"content":3302},{},[3303],{"nodeType":1280,"value":3304,"marks":3305,"data":3306},"NiceNIC",[],{},{"nodeType":1858,"data":3308,"content":3309},{},[3310,3320],{"nodeType":1862,"data":3311,"content":3312},{},[3313],{"nodeType":1276,"data":3314,"content":3315},{},[3316],{"nodeType":1280,"value":3317,"marks":3318,"data":3319},"Name Servers",[],{},{"nodeType":1862,"data":3321,"content":3322},{},[3323],{"nodeType":1276,"data":3324,"content":3325},{},[3326],{"nodeType":1280,"value":3327,"marks":3328,"data":3329},"1984.is FreeDNS",[],{},{"nodeType":1858,"data":3331,"content":3332},{},[3333,3343],{"nodeType":1862,"data":3334,"content":3335},{},[3336],{"nodeType":1276,"data":3337,"content":3338},{},[3339],{"nodeType":1280,"value":3340,"marks":3341,"data":3342},"Hosting Provider",[],{},{"nodeType":1862,"data":3344,"content":3345},{},[3346],{"nodeType":1276,"data":3347,"content":3348},{},[3349],{"nodeType":1280,"value":3350,"marks":3351,"data":3352},"Mevspace (AS201814)",[],{},{"nodeType":1698,"data":3354,"content":3355},{},[3356],{"nodeType":1280,"value":3357,"marks":3358,"data":3359},"Cluster 
B",[],{},{"nodeType":1276,"data":3361,"content":3362},{},[3363,3367,3375,3378,3387],{"nodeType":1280,"value":3364,"marks":3365,"data":3366},"The indicators for Cluster B overlap with ",[],{},{"nodeType":1285,"data":3368,"content":3369},{"uri":1430},[3370],{"nodeType":1280,"value":3371,"marks":3372,"data":3374},"Mandiant’s reporting on UNC6671",[3373],{"type":2159},{},{"nodeType":1280,"value":2233,"marks":3376,"data":3377},[],{},{"nodeType":1285,"data":3379,"content":3381},{"uri":3380},"https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/",[3382],{"nodeType":1280,"value":3383,"marks":3384,"data":3386},"Other external reporting",[3385],{"type":2159},{},{"nodeType":1280,"value":3388,"marks":3389,"data":3390}," has linked this group to BlackFile-branded extortion and leaks.",[],{},{"nodeType":1854,"data":3392,"content":3393},{},[3394,3417,3460,3482,3517,3560,3582,3604],{"nodeType":1858,"data":3395,"content":3396},{},[3397,3407],{"nodeType":1862,"data":3398,"content":3399},{},[3400],{"nodeType":1276,"data":3401,"content":3402},{},[3403],{"nodeType":1280,"value":3123,"marks":3404,"data":3406},[3405],{"type":1345},{},{"nodeType":1862,"data":3408,"content":3409},{},[3410],{"nodeType":1276,"data":3411,"content":3412},{},[3413],{"nodeType":1280,"value":2746,"marks":3414,"data":3416},[3415],{"type":1345},{},{"nodeType":1858,"data":3418,"content":3419},{},[3420,3429],{"nodeType":1862,"data":3421,"content":3422},{},[3423],{"nodeType":1276,"data":3424,"content":3425},{},[3426],{"nodeType":1280,"value":2648,"marks":3427,"data":3428},[],{},{"nodeType":1862,"data":3430,"content":3431},{},[3432,3439,3446,3453],{"nodeType":1276,"data":3433,"content":3434},{},[3435],{"nodeType":1280,"value":3436,"marks":3437,"data":3438},"c0df36ccf88d5c8434b13b58f7a55a9715643a126148b9d078a93075d09cad26",[],{},{"nodeType":1276,"data":3440,"content":3441},{},[3442],{"nodeType":1280,"value":3443,"marks":3444,"data":3445},"d178dc7108fa9344dae28e350e810352e
9e874563496dc7876ee628b11b0eabb",[],{},{"nodeType":1276,"data":3447,"content":3448},{},[3449],{"nodeType":1280,"value":3450,"marks":3451,"data":3452},"9c0939960e49122196e44b6779fe55dd7a13ab437ce251c8cf35f8c6daf8be21",[],{},{"nodeType":1276,"data":3454,"content":3455},{},[3456],{"nodeType":1280,"value":3457,"marks":3458,"data":3459},"e8128b33259f7ea4313c942689ba0ba557f17b1474f2e621c62a5b77674fab86",[],{},{"nodeType":1858,"data":3461,"content":3462},{},[3463,3472],{"nodeType":1862,"data":3464,"content":3465},{},[3466],{"nodeType":1276,"data":3467,"content":3468},{},[3469],{"nodeType":1280,"value":3176,"marks":3470,"data":3471},[],{},{"nodeType":1862,"data":3473,"content":3474},{},[3475],{"nodeType":1276,"data":3476,"content":3477},{},[3478],{"nodeType":1280,"value":3479,"marks":3480,"data":3481},"January 2026",[],{},{"nodeType":1858,"data":3483,"content":3484},{},[3485,3494],{"nodeType":1862,"data":3486,"content":3487},{},[3488],{"nodeType":1276,"data":3489,"content":3490},{},[3491],{"nodeType":1280,"value":3199,"marks":3492,"data":3493},[],{},{"nodeType":1862,"data":3495,"content":3496},{},[3497,3504,3511],{"nodeType":1276,"data":3498,"content":3499},{},[3500],{"nodeType":1280,"value":3501,"marks":3502,"data":3503},"\u003Ctarget>internal.com",[],{},{"nodeType":1276,"data":3505,"content":3506},{},[3507],{"nodeType":1280,"value":3508,"marks":3509,"data":3510},"\u003Ctarget>sso.com",[],{},{"nodeType":1276,"data":3512,"content":3513},{},[3514],{"nodeType":1280,"value":3237,"marks":3515,"data":3516},[],{},{"nodeType":1858,"data":3518,"content":3519},{},[3520,3529],{"nodeType":1862,"data":3521,"content":3522},{},[3523],{"nodeType":1276,"data":3524,"content":3525},{},[3526],{"nodeType":1280,"value":3250,"marks":3527,"data":3528},[],{},{"nodeType":1862,"data":3530,"content":3531},{},[3532,3539,3546,3553],{"nodeType":1276,"data":3533,"content":3534},{},[3535],{"nodeType":1280,"value":3536,"marks":3537,"data":3538},"epicgamessso[.]com (December 
2025)",[],{},{"nodeType":1276,"data":3540,"content":3541},{},[3542],{"nodeType":1280,"value":3543,"marks":3544,"data":3545},"myadyeninternal[.]com (January 2026)",[],{},{"nodeType":1276,"data":3547,"content":3548},{},[3549],{"nodeType":1280,"value":3550,"marks":3551,"data":3552},"mysonossso[.]com (January 2026)",[],{},{"nodeType":1276,"data":3554,"content":3555},{},[3556],{"nodeType":1280,"value":3557,"marks":3558,"data":3559},"sonosinternal[.]com (January 2026)",[],{},{"nodeType":1858,"data":3561,"content":3562},{},[3563,3572],{"nodeType":1862,"data":3564,"content":3565},{},[3566],{"nodeType":1276,"data":3567,"content":3568},{},[3569],{"nodeType":1280,"value":3294,"marks":3570,"data":3571},[],{},{"nodeType":1862,"data":3573,"content":3574},{},[3575],{"nodeType":1276,"data":3576,"content":3577},{},[3578],{"nodeType":1280,"value":3579,"marks":3580,"data":3581},"Tucows",[],{},{"nodeType":1858,"data":3583,"content":3584},{},[3585,3594],{"nodeType":1862,"data":3586,"content":3587},{},[3588],{"nodeType":1276,"data":3589,"content":3590},{},[3591],{"nodeType":1280,"value":3317,"marks":3592,"data":3593},[],{},{"nodeType":1862,"data":3595,"content":3596},{},[3597],{"nodeType":1276,"data":3598,"content":3599},{},[3600],{"nodeType":1280,"value":3601,"marks":3602,"data":3603},"Njalla",[],{},{"nodeType":1858,"data":3605,"content":3606},{},[3607,3616],{"nodeType":1862,"data":3608,"content":3609},{},[3610],{"nodeType":1276,"data":3611,"content":3612},{},[3613],{"nodeType":1280,"value":3340,"marks":3614,"data":3615},[],{},{"nodeType":1862,"data":3617,"content":3618},{},[3619],{"nodeType":1276,"data":3620,"content":3621},{},[3622],{"nodeType":1280,"value":3623,"marks":3624,"data":3625},"Njalla (AS39287)",[],{},{"nodeType":1698,"data":3627,"content":3628},{},[3629],{"nodeType":1280,"value":3630,"marks":3631,"data":3632},"Cluster C",[],{},{"nodeType":1276,"data":3634,"content":3635},{},[3636],{"nodeType":1280,"value":3637,"marks":3638,"data":3639},"Cluster C is likely an evolution of 
Cluster B. Some evidence has been observed tying the backend hosting to Njalla behind the Cloudflare CDN further solidifying the link. The shift to Cloudflare Turnstile protection and subdomain-based targeting represents an operational refinement — moving away from the distinctive [target]internal[.]com pattern that had become a well-known campaign indicator.",[],{},{"nodeType":1854,"data":3641,"content":3642},{},[3643,3667,3689,3711,3733,3776,3797,3819],{"nodeType":1858,"data":3644,"content":3645},{},[3646,3656],{"nodeType":1862,"data":3647,"content":3648},{},[3649],{"nodeType":1276,"data":3650,"content":3651},{},[3652],{"nodeType":1280,"value":3123,"marks":3653,"data":3655},[3654],{"type":1345},{},{"nodeType":1862,"data":3657,"content":3658},{},[3659],{"nodeType":1276,"data":3660,"content":3661},{},[3662],{"nodeType":1280,"value":3663,"marks":3664,"data":3666},"heartbeat/check_redirect variant protected with Cloudflare turnstile",[3665],{"type":1345},{},{"nodeType":1858,"data":3668,"content":3669},{},[3670,3679],{"nodeType":1862,"data":3671,"content":3672},{},[3673],{"nodeType":1276,"data":3674,"content":3675},{},[3676],{"nodeType":1280,"value":2648,"marks":3677,"data":3678},[],{},{"nodeType":1862,"data":3680,"content":3681},{},[3682],{"nodeType":1276,"data":3683,"content":3684},{},[3685],{"nodeType":1280,"value":3686,"marks":3687,"data":3688},"cb1d409278b2247af23e7b00ac779b232baaf4ce5f63fdf5ebc3920a38cc6102",[],{},{"nodeType":1858,"data":3690,"content":3691},{},[3692,3701],{"nodeType":1862,"data":3693,"content":3694},{},[3695],{"nodeType":1276,"data":3696,"content":3697},{},[3698],{"nodeType":1280,"value":3176,"marks":3699,"data":3700},[],{},{"nodeType":1862,"data":3702,"content":3703},{},[3704],{"nodeType":1276,"data":3705,"content":3706},{},[3707],{"nodeType":1280,"value":3708,"marks":3709,"data":3710},"March 2026 - present (April 
2026)",[],{},{"nodeType":1858,"data":3712,"content":3713},{},[3714,3723],{"nodeType":1862,"data":3715,"content":3716},{},[3717],{"nodeType":1276,"data":3718,"content":3719},{},[3720],{"nodeType":1280,"value":3199,"marks":3721,"data":3722},[],{},{"nodeType":1862,"data":3724,"content":3725},{},[3726],{"nodeType":1276,"data":3727,"content":3728},{},[3729],{"nodeType":1280,"value":3730,"marks":3731,"data":3732},"\u003Ctarget> subdomain with generic “sso”, “passkey”, “enroll”, “okta” theme root domain",[],{},{"nodeType":1858,"data":3734,"content":3735},{},[3736,3745],{"nodeType":1862,"data":3737,"content":3738},{},[3739],{"nodeType":1276,"data":3740,"content":3741},{},[3742],{"nodeType":1280,"value":3250,"marks":3743,"data":3744},[],{},{"nodeType":1862,"data":3746,"content":3747},{},[3748,3755,3762,3769],{"nodeType":1276,"data":3749,"content":3750},{},[3751],{"nodeType":1280,"value":3752,"marks":3753,"data":3754},"\u003Ctarget>.passkeysetup.com (March 2026)",[],{},{"nodeType":1276,"data":3756,"content":3757},{},[3758],{"nodeType":1280,"value":3759,"marks":3760,"data":3761},"\u003Ctarget>.enrollms.com (March 2026)",[],{},{"nodeType":1276,"data":3763,"content":3764},{},[3765],{"nodeType":1280,"value":3766,"marks":3767,"data":3768},"\u003Ctarget>.keyokta.com (April 2026)",[],{},{"nodeType":1276,"data":3770,"content":3771},{},[3772],{"nodeType":1280,"value":3773,"marks":3774,"data":3775},"\u003Ctarget>.passkeywork.com (April 
2026)",[],{},{"nodeType":1858,"data":3777,"content":3778},{},[3779,3788],{"nodeType":1862,"data":3780,"content":3781},{},[3782],{"nodeType":1276,"data":3783,"content":3784},{},[3785],{"nodeType":1280,"value":3294,"marks":3786,"data":3787},[],{},{"nodeType":1862,"data":3789,"content":3790},{},[3791],{"nodeType":1276,"data":3792,"content":3793},{},[3794],{"nodeType":1280,"value":3579,"marks":3795,"data":3796},[],{},{"nodeType":1858,"data":3798,"content":3799},{},[3800,3809],{"nodeType":1862,"data":3801,"content":3802},{},[3803],{"nodeType":1276,"data":3804,"content":3805},{},[3806],{"nodeType":1280,"value":3317,"marks":3807,"data":3808},[],{},{"nodeType":1862,"data":3810,"content":3811},{},[3812],{"nodeType":1276,"data":3813,"content":3814},{},[3815],{"nodeType":1280,"value":3816,"marks":3817,"data":3818},"Cloudflare",[],{},{"nodeType":1858,"data":3820,"content":3821},{},[3822,3831],{"nodeType":1862,"data":3823,"content":3824},{},[3825],{"nodeType":1276,"data":3826,"content":3827},{},[3828],{"nodeType":1280,"value":3340,"marks":3829,"data":3830},[],{},{"nodeType":1862,"data":3832,"content":3833},{},[3834],{"nodeType":1276,"data":3835,"content":3836},{},[3837],{"nodeType":1280,"value":3838,"marks":3839,"data":3840},"Cloudflare (AS13335)",[],{},{"nodeType":1698,"data":3842,"content":3843},{},[3844],{"nodeType":1280,"value":3845,"marks":3846,"data":3847},"Cluster D",[],{},{"nodeType":1854,"data":3849,"content":3850},{},[3851,3875,3897,3919,3941,3970,3991,4012],{"nodeType":1858,"data":3852,"content":3853},{},[3854,3864],{"nodeType":1862,"data":3855,"content":3856},{},[3857],{"nodeType":1276,"data":3858,"content":3859},{},[3860],{"nodeType":1280,"value":3123,"marks":3861,"data":3863},[3862],{"type":1345},{},{"nodeType":1862,"data":3865,"content":3866},{},[3867],{"nodeType":1276,"data":3868,"content":3869},{},[3870],{"nodeType":1280,"value":3871,"marks":3872,"data":3874},"heartbeat/check_redirect variant 
(minified)",[3873],{"type":1345},{},{"nodeType":1858,"data":3876,"content":3877},{},[3878,3887],{"nodeType":1862,"data":3879,"content":3880},{},[3881],{"nodeType":1276,"data":3882,"content":3883},{},[3884],{"nodeType":1280,"value":2648,"marks":3885,"data":3886},[],{},{"nodeType":1862,"data":3888,"content":3889},{},[3890],{"nodeType":1276,"data":3891,"content":3892},{},[3893],{"nodeType":1280,"value":3894,"marks":3895,"data":3896},"9d65dd34384b441505e6b67647153c02d5c367bb53da36ce36a392e70b37940a",[],{},{"nodeType":1858,"data":3898,"content":3899},{},[3900,3909],{"nodeType":1862,"data":3901,"content":3902},{},[3903],{"nodeType":1276,"data":3904,"content":3905},{},[3906],{"nodeType":1280,"value":3176,"marks":3907,"data":3908},[],{},{"nodeType":1862,"data":3910,"content":3911},{},[3912],{"nodeType":1276,"data":3913,"content":3914},{},[3915],{"nodeType":1280,"value":3916,"marks":3917,"data":3918},"April 2026 (low volume)",[],{},{"nodeType":1858,"data":3920,"content":3921},{},[3922,3931],{"nodeType":1862,"data":3923,"content":3924},{},[3925],{"nodeType":1276,"data":3926,"content":3927},{},[3928],{"nodeType":1280,"value":3199,"marks":3929,"data":3930},[],{},{"nodeType":1862,"data":3932,"content":3933},{},[3934],{"nodeType":1276,"data":3935,"content":3936},{},[3937],{"nodeType":1280,"value":3938,"marks":3939,"data":3940},"\u003Ctarget> subdomain with generic “passkey”, “portal”, “okta” theme root 
domain",[],{},{"nodeType":1858,"data":3942,"content":3943},{},[3944,3953],{"nodeType":1862,"data":3945,"content":3946},{},[3947],{"nodeType":1276,"data":3948,"content":3949},{},[3950],{"nodeType":1280,"value":3250,"marks":3951,"data":3952},[],{},{"nodeType":1862,"data":3954,"content":3955},{},[3956,3963],{"nodeType":1276,"data":3957,"content":3958},{},[3959],{"nodeType":1280,"value":3960,"marks":3961,"data":3962},"\u003Ctarget>.passkeyportalsetup.com",[],{},{"nodeType":1276,"data":3964,"content":3965},{},[3966],{"nodeType":1280,"value":3967,"marks":3968,"data":3969},"\u003Ctarget>.addoktapasskey.com",[],{},{"nodeType":1858,"data":3971,"content":3972},{},[3973,3982],{"nodeType":1862,"data":3974,"content":3975},{},[3976],{"nodeType":1276,"data":3977,"content":3978},{},[3979],{"nodeType":1280,"value":3294,"marks":3980,"data":3981},[],{},{"nodeType":1862,"data":3983,"content":3984},{},[3985],{"nodeType":1276,"data":3986,"content":3987},{},[3988],{"nodeType":1280,"value":3304,"marks":3989,"data":3990},[],{},{"nodeType":1858,"data":3992,"content":3993},{},[3994,4003],{"nodeType":1862,"data":3995,"content":3996},{},[3997],{"nodeType":1276,"data":3998,"content":3999},{},[4000],{"nodeType":1280,"value":3317,"marks":4001,"data":4002},[],{},{"nodeType":1862,"data":4004,"content":4005},{},[4006],{"nodeType":1276,"data":4007,"content":4008},{},[4009],{"nodeType":1280,"value":3816,"marks":4010,"data":4011},[],{},{"nodeType":1858,"data":4013,"content":4014},{},[4015,4024],{"nodeType":1862,"data":4016,"content":4017},{},[4018],{"nodeType":1276,"data":4019,"content":4020},{},[4021],{"nodeType":1280,"value":3340,"marks":4022,"data":4023},[],{},{"nodeType":1862,"data":4025,"content":4026},{},[4027],{"nodeType":1276,"data":4028,"content":4029},{},[4030],{"nodeType":1280,"value":3838,"marks":4031,"data":4032},[],{},{"nodeType":1355,"data":4034,"content":4035},{},[],{"nodeType":1359,"data":4037,"content":4038},{},[4039],{"nodeType":1280,"value":4040,"marks":4041,"data":4043},"Detection 
considerations",[4042],{"type":1345},{},{"nodeType":1276,"data":4045,"content":4046},{},[4047],{"nodeType":1280,"value":4048,"marks":4049,"data":4050},"For Push, the detection approach to these panels is fundamentally the same as for any other phishing kit — behavioral analysis of the rendered page in the browser, regardless of the C2 protocol running underneath. ",[],{},{"nodeType":1276,"data":4052,"content":4053},{},[4054],{"nodeType":1280,"value":4055,"marks":4056,"data":4057},"The main operational difference is on the operator end, where the human-in-the-loop interaction replaces fully automated credential harvesting. This has implications for defenders relying on proactive infrastructure scanning: the gated landing pages, anti-bot checks, and operator-approval requirements mean the malicious content is only served to active targets, making it significantly harder for automated scanners to discover and flag these domains before they're used against a victim.",[],{},{"nodeType":1276,"data":4059,"content":4060},{},[4061,4066],{"nodeType":1280,"value":4062,"marks":4063,"data":4065},"The phone call as delivery vector eliminates the email-based detection surface that most organizations rely on as their primary phishing defense. ",[4064],{"type":1345},{},{"nodeType":1280,"value":4067,"marks":4068,"data":4069},"Operator-gated payload delivery further reduces the likelihood that these sites will be flagged as malicious and added to known-bad detection lists (and in any case, it’s trivial for attackers to spin up new ones). This reinforces the need for browser-based detection at the point the user interacts with the page, analyzing it in real time for malicious content without relying on static IoCs. 
",[],{},{"nodeType":1355,"data":4071,"content":4072},{},[],{"nodeType":1359,"data":4074,"content":4075},{},[4076],{"nodeType":1280,"value":4077,"marks":4078,"data":4080},"Indicators of compromise",[4079],{"type":1345},{},{"nodeType":1276,"data":4082,"content":4083},{},[4084,4088,4096],{"nodeType":1280,"value":4085,"marks":4086,"data":4087},"Short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":1285,"data":4089,"content":4091},{"uri":4090},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[4092],{"nodeType":1280,"value":4093,"marks":4094,"data":4095},"quickly spin up and rotate the sites used",[],{},{"nodeType":1280,"value":4097,"marks":4098,"data":4099}," in the attack chain, often dynamically serving different URLs to site visitors. ",[],{},{"nodeType":1276,"data":4101,"content":4102},{},[4103,4106,4114],{"nodeType":1280,"value":29,"marks":4104,"data":4105},[],{},{"nodeType":1285,"data":4107,"content":4109},{"uri":4108},"https://www.virustotal.com/gui/collection/0f745e9da6ef7664444594a7ee930cfe5a9d8bd6c2f039dcde818599b8926610",[4110],{"nodeType":1280,"value":4111,"marks":4112,"data":4113},"The full list of IoCs is on VirusTotal here. ",[],{},{"nodeType":1280,"value":29,"marks":4115,"data":4116},[],{},{"nodeType":1276,"data":4118,"content":4119},{},[4120],{"nodeType":1280,"value":4121,"marks":4122,"data":4124},"Push customers do not need to take any further action.",[4123],{"type":1345},{},{"nodeType":1355,"data":4126,"content":4127},{},[],{"nodeType":1359,"data":4129,"content":4130},{},[4131],{"nodeType":1280,"value":4132,"marks":4133,"data":4135},"Learn more about Push",[4134],{"type":1345},{},{"nodeType":1276,"data":4137,"content":4138},{},[4139,4143,4151],{"nodeType":1280,"value":4140,"marks":4141,"data":4142},"Push Security is the most powerful AI-native security tool in the browser. 
Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.\n\nSecurity teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.\n\nBook a ",[],{},{"nodeType":1285,"data":4144,"content":4146},{"uri":4145},"https://pushsecurity.com/demo",[4147],{"nodeType":1280,"value":4148,"marks":4149,"data":4150},"live demo",[],{},{"nodeType":1280,"value":4152,"marks":4153,"data":4154}," to learn more.",[],{},"We infiltrated a criminal phishing panel: here’s what we found","We got an inside look at a phishing panel used in criminal campaigns linked to operators like ShinyHunters and BlackFile. Here’s what we found.","2026-05-07T00:00:00.000Z","inside-criminal-phishing-panel",{"items":4160},[4161,4165],{"sys":4162,"name":4164},{"id":4163},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":4166,"name":4168},{"id":4167},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":4170},[4171],{"fullName":4172,"firstName":4173,"jobTitle":1267,"profilePicture":4174},"Push Security Research 
Team","Research",{"url":4175},"https://images.ctfassets.net/y1cdw1ablpvd/7LpkwyXbOZ8WCVTAXzULmC/bfa3634c78ee9dfbee6606ba5519918b/push-round.png",{"__typename":2244,"sys":4177,"content":4179,"title":4940,"synopsis":4941,"hashTags":61,"publishedDate":4942,"slug":4943,"tagsCollection":4944,"authorsCollection":4950},{"id":4178},"Lq2AFQ8VG2rMEe4h2CYuH",{"json":4180},{"nodeType":1272,"data":4181,"content":4182},{},[4183,4211,4244,4251,4257,4260,4268,4275,4281,4300,4307,4315,4335,4351,4358,4365,4368,4376,4383,4390,4453,4460,4466,4474,4486,4493,4500,4506,4514,4521,4528,4535,4542,4548,4556,4563,4649,4655,4658,4666,4673,4689,4696,4703,4709,4729,4732,4740,4747,4753,4772,4779,4786,4792,4795,4802,4809,4816,4822,4829,4835,4841,4866,4872,4884,4891,4898],{"nodeType":1276,"data":4184,"content":4185},{},[4186,4190,4198,4202,4207],{"nodeType":1280,"value":4187,"marks":4188,"data":4189},"This week, a user going by the name of “ShinyHunters” (though allegedly not ",[],{},{"nodeType":1285,"data":4191,"content":4192},{"uri":1843},[4193],{"nodeType":1280,"value":4194,"marks":4195,"data":4197},"actual ShinyHunters",[4196],{"type":2159},{},{"nodeType":1280,"value":4199,"marks":4200,"data":4201},", but someone imitating them in an attempt to trade off their credibility) posted on a breach forum claiming access keys, source code, and database data stolen from cloud development platform provider ",[],{},{"nodeType":1280,"value":4203,"marks":4204,"data":4206},"Vercel",[4205],{"type":1345},{},{"nodeType":1280,"value":4208,"marks":4209,"data":4210},". ",[],{},{"nodeType":1276,"data":4212,"content":4213},{},[4214,4218,4227,4231,4240],{"nodeType":1280,"value":4215,"marks":4216,"data":4217},"This happened because a Vercel employee had connected an AI app, Context.ai, into their Google Workspace tenant. 
When Context.ai was compromised — ",[],{},{"nodeType":1285,"data":4219,"content":4221},{"uri":4220},"https://www.infostealers.com/article/breaking-vercel-breach-linked-to-infostealer-infection-at-context-ai/",[4222],{"nodeType":1280,"value":4223,"marks":4224,"data":4226},"allegedly the result of an infostealer infection from an employee searching for Roblox cheats",[4225],{"type":2159},{},{"nodeType":1280,"value":4228,"marks":4229,"data":4230}," — the attacker was able to leverage OAuth tokens stored in Context.ai’s Supabase platform to access downstream customer accounts (pointing to a heavily permissioned victim, probably a developer, possibly even a ",[],{},{"nodeType":1285,"data":4232,"content":4234},{"uri":4233},"https://pushsecurity.com/blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches/",[4235],{"nodeType":1280,"value":4236,"marks":4237,"data":4239},"personal device with access to corp credentials",[4238],{"type":2159},{},{"nodeType":1280,"value":4241,"marks":4242,"data":4243},"). ",[],{},{"nodeType":1276,"data":4245,"content":4246},{},[4247],{"nodeType":1280,"value":4248,"marks":4249,"data":4250},"This access included a Vercel employee’s Google Workspace account. This particular user had significant access to data and secrets in Vercel’s systems, including internal dashboards, employee records, API keys, NPM tokens, and GitHub tokens, which the attacker was able to exfiltrate, holding Vercel to ransom for $2 million. 
",[],{},{"nodeType":1310,"data":4252,"content":4256},{"target":4253},{"sys":4254},{"id":4255,"type":1315,"linkType":1316},"6Ft8aSnzfYVZ7j57mYeXgQ",[],{"nodeType":1355,"data":4258,"content":4259},{},[],{"nodeType":1359,"data":4261,"content":4262},{},[4263],{"nodeType":1280,"value":4264,"marks":4265,"data":4267},"How did this happen, and what could have stopped it?",[4266],{"type":1345},{},{"nodeType":1276,"data":4269,"content":4270},{},[4271],{"nodeType":1280,"value":4272,"marks":4273,"data":4274},"From Vercel’s perspective, this attack could have been avoided had their employees been blocked from adding new OAuth integrations without admin approval (a toggle in their Google admin panel, and an essential control in a well-configured environment). Or, if the integration had been flagged in a routine audit and removed. ",[],{},{"nodeType":1310,"data":4276,"content":4280},{"target":4277},{"sys":4278},{"id":4279,"type":1315,"linkType":1316},"b5HFvY1m6RnuXL3a95jVt",[],{"nodeType":1276,"data":4282,"content":4283},{},[4284,4288,4296],{"nodeType":1280,"value":4285,"marks":4286,"data":4287},"It probably should have been removed, too. The particular OAuth app that was connected into the environment was a deprecated “AI Office Suite” product intended for consumer use. ",[],{},{"nodeType":1285,"data":4289,"content":4291},{"uri":4290},"https://context.ai/security-update",[4292],{"nodeType":1280,"value":4293,"marks":4294,"data":4295},"According to Context.ai",[],{},{"nodeType":1280,"value":4297,"marks":4298,"data":4299},", Vercel aren’t even a registered customer — adding more evidence that this was probably the result of a self-service trial that was subsequently forgotten about. That consumer product has also since been replaced by an enterprise product. But for whatever reason, the access hadn’t been revoked (from either side). 
",[],{},{"nodeType":1276,"data":4301,"content":4302},{},[4303],{"nodeType":1280,"value":4304,"marks":4305,"data":4306},"The elephant in the room is that Context.ai is an AI app. Most organizations are rightly nervous about employees adding unapproved AI SaaS into their environment. Having employees use shadow AI in the form of LLMs is one thing — users uploading sensitive data to unapproved apps or external tenants being the key concern. But OAuth grants are even more dangerous. Because if that app or vendor is compromised, the apps and accounts you’ve integrated it with are also at risk — which is what was exploited here. ",[],{},{"nodeType":1698,"data":4308,"content":4309},{},[4310],{"nodeType":1280,"value":4311,"marks":4312,"data":4314},"Where’s the fault?",[4313],{"type":1345},{},{"nodeType":1276,"data":4316,"content":4317},{},[4318,4322,4331],{"nodeType":1280,"value":4319,"marks":4320,"data":4321},"It’s easy to point fingers here. There are multiple control gaps and failures for both parties. Vercel should have disabled OAuth grants without admin approval, and regularly audited the connections in their environment. From a vendor's perspective, they could also have applied by default a control that ",[],{},{"nodeType":1285,"data":4323,"content":4325},{"uri":4324},"https://vercel.com/kb/bulletin/vercel-april-2026-security-incident",[4326],{"nodeType":1280,"value":4327,"marks":4328,"data":4330},"prevents secret environment variables from being read",[4329],{"type":2159},{},{"nodeType":1280,"value":4332,"marks":4333,"data":4334}," — which would have significantly reduced the impact to Vercel customers from the data breach. ",[],{},{"nodeType":1276,"data":4336,"content":4337},{},[4338,4342,4347],{"nodeType":1280,"value":4339,"marks":4340,"data":4341},"Context.ai comes off worse. They could and should have had better separation of accounts and privileges — and if true, their users really shouldn’t be downloading Roblox scripts on devices they use for work access. 
It’s important to say ",[],{},{"nodeType":1280,"value":4343,"marks":4344,"data":4346},"if true",[4345],{"type":275},{},{"nodeType":1280,"value":4348,"marks":4349,"data":4350}," here, but the prospect of third parties accessing your environment from insecure devices that they use for gaming is the stuff of nightmares for enterprise security and compliance teams.",[],{},{"nodeType":1276,"data":4352,"content":4353},{},[4354],{"nodeType":1280,"value":4355,"marks":4356,"data":4357},"You definitely don’t want to be Context.ai in this scenario. The reputational harm could be pretty significant, and is a wake-up call for other SaaS vendors to check that their house is in order. But although Vercel have responded quickly and transparently to the incident, this could only really have happened as a result of technical and procedural control gaps on their end.",[],{},{"nodeType":1276,"data":4359,"content":4360},{},[4361],{"nodeType":1280,"value":4362,"marks":4363,"data":4364},"It’s worth taking a step back and looking at the bigger picture here — and how these issues might impact your organization too. ",[],{},{"nodeType":1355,"data":4366,"content":4367},{},[],{"nodeType":1359,"data":4369,"content":4370},{},[4371],{"nodeType":1280,"value":4372,"marks":4373,"data":4375},"Shadow AI is still just shadow SaaS – but the AI scramble is a force multiplier",[4374],{"type":1345},{},{"nodeType":1276,"data":4377,"content":4378},{},[4379],{"nodeType":1280,"value":4380,"marks":4381,"data":4382},"Shadow IT, and in particular shadow SaaS, is not a new problem. Most organizations run heavily (or exclusively) on SaaS, accessed in the browser, with hundreds of apps per enterprise. Unmanaged, self-adopted apps have been a thorn in the side of security teams for some time. 
",[],{},{"nodeType":1276,"data":4384,"content":4385},{},[4386],{"nodeType":1280,"value":4387,"marks":4388,"data":4389},"There are essentially four kinds of shadow IT to be wary of in the context of AI apps:",[],{},{"nodeType":2350,"data":4391,"content":4392},{},[4393,4408,4423,4438],{"nodeType":2354,"data":4394,"content":4395},{},[4396],{"nodeType":1276,"data":4397,"content":4398},{},[4399,4404],{"nodeType":1280,"value":4400,"marks":4401,"data":4403},"Shadow apps:",[4402],{"type":1345},{},{"nodeType":1280,"value":4405,"marks":4406,"data":4407}," Apps that employees have signed up to and are using for business purposes without business approval. This includes apps signed up to with a corporate account or personal account. ",[],{},{"nodeType":2354,"data":4409,"content":4410},{},[4411],{"nodeType":1276,"data":4412,"content":4413},{},[4414,4419],{"nodeType":1280,"value":4415,"marks":4416,"data":4418},"Shadow tenants:",[4417],{"type":1345},{},{"nodeType":1280,"value":4420,"marks":4421,"data":4422}," Apps that employees are accessing with personal accounts, essentially creating shadow tenants outside of your organization’s control — even if you’ve approved the app itself.",[],{},{"nodeType":2354,"data":4424,"content":4425},{},[4426],{"nodeType":1276,"data":4427,"content":4428},{},[4429,4434],{"nodeType":1280,"value":4430,"marks":4431,"data":4433},"Shadow extensions:",[4432],{"type":1345},{},{"nodeType":1280,"value":4435,"marks":4436,"data":4437}," Many AI apps come with an extension counterpart, along with countless third-party extensions that are either untrustworthy or downright malicious. Browser extensions add another angle to the equation by presenting visibility beyond the application into browser activity. 
",[],{},{"nodeType":2354,"data":4439,"content":4440},{},[4441],{"nodeType":1276,"data":4442,"content":4443},{},[4444,4449],{"nodeType":1280,"value":4445,"marks":4446,"data":4448},"Shadow integrations:",[4447],{"type":1345},{},{"nodeType":1280,"value":4450,"marks":4451,"data":4452}," OAuth connections across apps that aren’t known or approved. Even if an app itself is approved, plugging that app directly into your primary enterprise apps — with all the sensitive data and functionality therein — isn't necessarily also approved.  ",[],{},{"nodeType":1276,"data":4454,"content":4455},{},[4456],{"nodeType":1280,"value":4457,"marks":4458,"data":4459},"In the Vercel case, we’re talking specifically about shadow integrations. But all of these present a key risk to your organization. ",[],{},{"nodeType":1310,"data":4461,"content":4465},{"target":4462},{"sys":4463},{"id":4464,"type":1315,"linkType":1316},"2hsKQ9DEspflhmtR0bE7QY",[],{"nodeType":1698,"data":4467,"content":4468},{},[4469],{"nodeType":1280,"value":4470,"marks":4471,"data":4473},"The web of OAuth sprawl spans way beyond Google and Microsoft ",[4472],{"type":1345},{},{"nodeType":1276,"data":4475,"content":4476},{},[4477,4482],{"nodeType":1280,"value":4478,"marks":4479,"data":4481},"On average we see 17 unique AI app integrations per organization in Microsoft and Google alone",[4480],{"type":1345},{},{"nodeType":1280,"value":4483,"marks":4484,"data":4485},". If you consider that most organizations have probably approved 1 or 2 max for business use, and may have approved none at all for app-to-app OAuth connectivity, that’s quite a significant difference. ",[],{},{"nodeType":1276,"data":4487,"content":4488},{},[4489],{"nodeType":1280,"value":4490,"marks":4491,"data":4492},"The number of connections outside of these core platforms is significantly higher. Just think how the typical AI app operates. 
If you want it to be able to effectively automate workflows — pull data from one app, aggregate and analyze it in another, present that information in a report, dashboard, or presentation, and then distribute it — that’s a fair few integrations in just one workflow. MCP connections use OAuth to achieve this interconnectivity in the same way as any other SaaS app.",[],{},{"nodeType":1276,"data":4494,"content":4495},{},[4496],{"nodeType":1280,"value":4497,"marks":4498,"data":4499},"We used to talk about automation apps like Zapier as being a goldmine for attackers. Well, AI apps are on their way to being even more interconnected, more frequently used, and more flexible in terms of how attackers can abuse them. ",[],{},{"nodeType":1310,"data":4501,"content":4505},{"target":4502},{"sys":4503},{"id":4504,"type":1315,"linkType":1316},"4FiWyVw7mpVBA5uBVJoOKL",[],{"nodeType":1698,"data":4507,"content":4508},{},[4509],{"nodeType":1280,"value":4510,"marks":4511,"data":4513},"A note on OAuth configuration complexity",[4512],{"type":1345},{},{"nodeType":1276,"data":4515,"content":4516},{},[4517],{"nodeType":1280,"value":4518,"marks":4519,"data":4520},"A common misconception is that when a regular user consents to an OAuth app (let's use Google Workspace as the example) the app only gets access to the things they can directly access. Technically that's true — the access is scoped to that user's permissions. But in practice, the blast radius is almost always bigger than people think.",[],{},{"nodeType":1276,"data":4522,"content":4523},{},[4524],{"nodeType":1280,"value":4525,"marks":4526,"data":4527},"The scope includes shared drives, shared calendars, documents shared with them, and any other collaborative resources. A single well-permissioned user (think: developer with access to secrets, dashboards, and internal tooling) is more than enough to cause serious damage through a single OAuth grant. 
",[],{},{"nodeType":1276,"data":4529,"content":4530},{},[4531],{"nodeType":1280,"value":4532,"marks":4533,"data":4534},"The scopes themselves are often deceptively broad. An app requesting https://www.googleapis.com/auth/drive gets full read/write access to everything the user can see in Drive — not just their personal files. And the blast radius is further contingent on the data and user permission hygiene in these broader environments. ",[],{},{"nodeType":1276,"data":4536,"content":4537},{},[4538],{"nodeType":1280,"value":4539,"marks":4540,"data":4541},"So if your environment hasn't got cleanly separated access and permissions for different users and groups, an attacker compromising a \"normal\" user account can end up with extensive access. You don't need tenant-wide admin access when a normal user's access already spans the crown jewels.",[],{},{"nodeType":1310,"data":4543,"content":4547},{"target":4544},{"sys":4545},{"id":4546,"type":1315,"linkType":1316},"2t81AnAHx2On3fBynM4vVe",[],{"nodeType":1698,"data":4549,"content":4550},{},[4551],{"nodeType":1280,"value":4552,"marks":4553,"data":4555},"Unsurprisingly, OAuth breaches are stacking up",[4554],{"type":1345},{},{"nodeType":1276,"data":4557,"content":4558},{},[4559],{"nodeType":1280,"value":4560,"marks":4561,"data":4562},"Widespread OAuth interconnectedness isn’t just an AI app problem. 
Attackers have been exploiting this for some time:",[],{},{"nodeType":2350,"data":4564,"content":4565},{},[4566,4613],{"nodeType":2354,"data":4567,"content":4568},{},[4569],{"nodeType":1276,"data":4570,"content":4571},{},[4572,4576,4584,4588,4596,4600,4609],{"nodeType":1280,"value":4573,"marks":4574,"data":4575},"In 2025, ",[],{},{"nodeType":1285,"data":4577,"content":4578},{"uri":1843},[4579],{"nodeType":1280,"value":4580,"marks":4581,"data":4583},"Scattered Lapsus$ Hunters",[4582],{"type":2159},{},{"nodeType":1280,"value":4585,"marks":4586,"data":4587}," launched OAuth-driven supply chain attacks against Salesforce and Google Workspace tenants after breaching Salesloft (specifically the ",[],{},{"nodeType":1285,"data":4589,"content":4590},{"uri":1543},[4591],{"nodeType":1280,"value":4592,"marks":4593,"data":4595},"Salesloft Drift",[4594],{"type":2159},{},{"nodeType":1280,"value":4597,"marks":4598,"data":4599}," platform) and ",[],{},{"nodeType":1285,"data":4601,"content":4603},{"uri":4602},"https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/",[4604],{"nodeType":1280,"value":4605,"marks":4606,"data":4608},"Gainsight",[4607],{"type":2159},{},{"nodeType":1280,"value":4610,"marks":4611,"data":4612},". In total, over 1000 organizations were impacted, including Google, Cloudflare, Rubrik, Elastic, Proofpoint, JFrog, Zscaler, Tenable, Palo Alto Networks, CyberArk, BeyondTrust, Qualys, and many more, with over 1.5B records stolen. 
",[],{},{"nodeType":2354,"data":4614,"content":4615},{},[4616],{"nodeType":1276,"data":4617,"content":4618},{},[4619,4623,4632,4636,4645],{"nodeType":1280,"value":4620,"marks":4621,"data":4622},"More recently, Snowflake customers were impacted after a ",[],{},{"nodeType":1285,"data":4624,"content":4626},{"uri":4625},"https://www.bleepingcomputer.com/news/security/snowflake-customers-hit-in-data-theft-attacks-after-saas-integrator-breach/",[4627],{"nodeType":1280,"value":4628,"marks":4629,"data":4631},"breach at data anomaly detection company Anodot",[4630],{"type":2159},{},{"nodeType":1280,"value":4633,"marks":4634,"data":4635}," where the attacker attempted to leverage the stolen authentication tokens to access Salesforce data, with ",[],{},{"nodeType":1285,"data":4637,"content":4639},{"uri":4638},"https://www.bleepingcomputer.com/news/security/stolen-rockstar-games-analytics-data-leaked-by-extortion-gang/",[4640],{"nodeType":1280,"value":4641,"marks":4642,"data":4644},"Rockstar",[4643],{"type":2159},{},{"nodeType":1280,"value":4646,"marks":4647,"data":4648}," a high-profile victim of the breach (again linked to Scattered Lapsus$ Hunters). ",[],{},{"nodeType":1310,"data":4650,"content":4654},{"target":4651},{"sys":4652},{"id":4653,"type":1315,"linkType":1316},"3oqoL9L3fxetFcIhnfQhMQ",[],{"nodeType":1355,"data":4656,"content":4657},{},[],{"nodeType":1359,"data":4659,"content":4660},{},[4661],{"nodeType":1280,"value":4662,"marks":4663,"data":4665},"Infostealers continue to drive corporate breaches",[4664],{"type":1345},{},{"nodeType":1276,"data":4667,"content":4668},{},[4669],{"nodeType":1280,"value":4670,"marks":4671,"data":4672},"While unverified, Hudson Rock’s case for an infostealer breach being the root cause of the Context.ai breach seems believable. 
Infostealer infections have been one of the leading security threats for some time, fuelling breaches powered by stolen credentials and session tokens.",[],{},{"nodeType":1276,"data":4674,"content":4675},{},[4676,4680,4685],{"nodeType":1280,"value":4677,"marks":4678,"data":4679},"With the assumed rise in MFA coverage, it’s often surprising to security teams that stolen credentials are still a problem. ",[],{},{"nodeType":1280,"value":4681,"marks":4682,"data":4684},"But of the last million logins we saw, 1 in 4 were password logins (not SSO), 2 in 5 were not protected by MFA, and 1 in 5 used a weak, breached, or reused password. ",[4683],{"type":1345},{},{"nodeType":1280,"value":4686,"marks":4687,"data":4688},"Plenty of scope for abuse. ",[],{},{"nodeType":1276,"data":4690,"content":4691},{},[4692],{"nodeType":1280,"value":4693,"marks":4694,"data":4695},"Stolen session tokens are even more valuable to attackers, enabling them to bypass authentication controls — including MFA, which has already been satisfied by the time the token is issued — by replaying the token in their own browser. In theory, they should only be valid for a limited timeframe, but in practice this can be as long as 90 days, and sometimes indefinite. ",[],{},{"nodeType":1276,"data":4697,"content":4698},{},[4699],{"nodeType":1280,"value":4700,"marks":4701,"data":4702},"In this case, it seems likely that the compromised device was a developer machine (given the access to Supabase), or potentially even a personal device (given they were installing Roblox cheats…). 
This is relevant because these personal, developer, and BYOD machines are often less secure — developer machines are often exempt from EDR monitoring, or have it significantly tuned down because it's too noisy, while personal devices naturally lack enterprise security software.",[],{},{"nodeType":1310,"data":4704,"content":4708},{"target":4705},{"sys":4706},{"id":4707,"type":1315,"linkType":1316},"139oaGgwRKZbwJzyex9LA5",[],{"nodeType":1276,"data":4710,"content":4711},{},[4712,4716,4725],{"nodeType":1280,"value":4713,"marks":4714,"data":4715},"We’ve also seen an uptick in developer-oriented phishing and malvertising campaigns. The ",[],{},{"nodeType":1285,"data":4717,"content":4719},{"uri":4718},"https://pushsecurity.com/blog/installfix/",[4720],{"nodeType":1280,"value":4721,"marks":4722,"data":4724},"InstallFix campaign",[4723],{"type":2159},{},{"nodeType":1280,"value":4726,"marks":4727,"data":4728}," we identified, intercepting users as they attempt to install AI tools like Claude Code and NotebookLM, is an example of this — and also another way that attackers are capitalizing on AI hype. ",[],{},{"nodeType":1355,"data":4730,"content":4731},{},[],{"nodeType":1359,"data":4733,"content":4734},{},[4735],{"nodeType":1280,"value":4736,"marks":4737,"data":4739},"Advice for security teams",[4738],{"type":1345},{},{"nodeType":1276,"data":4741,"content":4742},{},[4743],{"nodeType":1280,"value":4744,"marks":4745,"data":4746},"There are some immediate next steps that we’ll quickly summarize here, as they've already been covered in wider reporting. If you’re a Vercel customer, you should urgently rotate every credential stored as a non-sensitive variable that could have been exposed (treating the old values as compromised), enable the sensitive variable feature toggle, and monitor your account — and the downstream services those credentials grant access to — for anomalous activity. 
And if you’re using the specific Context.ai integration, you need to revoke it ASAP and begin a full audit of the connected accounts, both inside Workspace and broader connected apps (this isn’t that easy, as we’ll highlight in a moment). ",[],{},{"nodeType":1310,"data":4748,"content":4752},{"target":4749},{"sys":4750},{"id":4751,"type":1315,"linkType":1316},"76HViirkH2R4QAzWg605sv",[],{"nodeType":1276,"data":4754,"content":4755},{},[4756,4760,4769],{"nodeType":1280,"value":4757,"marks":4758,"data":4759},"Taking a step back, organizations really need to get their arms around OAuth integrations in their environment. A default-deny approach to allowing users to consent to new integrations, and routinely auditing the ones already in your environment to ensure they’re still definitely required, is essential. Each integration expands your attack surface and could potentially grant an attacker extensive access to your environment. This default-deny approach isn't exactly a new concept for security teams and is the same in principle as what we recently advised for ",[],{},{"nodeType":1285,"data":4761,"content":4763},{"uri":4762},"https://pushsecurity.com/blog/browser-extension-management-guide/",[4764],{"nodeType":1280,"value":4765,"marks":4766,"data":4768},"browser extension management",[4767],{"type":2159},{},{"nodeType":1280,"value":4208,"marks":4770,"data":4771},[],{},{"nodeType":1276,"data":4773,"content":4774},{},[4775],{"nodeType":1280,"value":4776,"marks":4777,"data":4778},"This is fairly straightforward in your main enterprise cloud environment (think M365 or Google Workspace). But doing it across every SaaS app that allows some level of OAuth integration with another (i.e. every SaaS app) is somewhat harder. 
Not only do you need to have a comprehensive and up-to-date inventory, you need to be an app admin for every app (not always the case for self-adopted apps) and the particular app needs to give you the control to restrict and remove OAuth grants on behalf of users in your tenant. ",[],{},{"nodeType":1276,"data":4780,"content":4781},{},[4782],{"nodeType":1280,"value":4783,"marks":4784,"data":4785},"Again, this is not exclusively a Shadow AI problem, even if AI adoption is contributing significantly to the sprawl. ",[],{},{"nodeType":1310,"data":4787,"content":4791},{"target":4788},{"sys":4789},{"id":4790,"type":1315,"linkType":1316},"XKKHUiz56G82uwYhbv2Qv",[],{"nodeType":1355,"data":4793,"content":4794},{},[],{"nodeType":1359,"data":4796,"content":4797},{},[4798],{"nodeType":1280,"value":1702,"marks":4799,"data":4801},[4800],{"type":1345},{},{"nodeType":1276,"data":4803,"content":4804},{},[4805],{"nodeType":1280,"value":4806,"marks":4807,"data":4808},"As we’ve established, there are quite a few pieces to this puzzle. Push can help with all of them. ",[],{},{"nodeType":1276,"data":4810,"content":4811},{},[4812],{"nodeType":1280,"value":4813,"marks":4814,"data":4815},"Push observes every app login your employees make in their browser, building a comprehensive picture of SaaS and AI use across your organization. This includes how they’re logging in and how secure the login is: did it have MFA, what kind of MFA, was it using a weak or compromised password, did they use SSO, and so on. 
",[],{},{"nodeType":1310,"data":4817,"content":4821},{"target":4818},{"sys":4819},{"id":4820,"type":1315,"linkType":1316},"2B205bUaLm6vG8mIQ0rJvA",[],{"nodeType":1276,"data":4823,"content":4824},{},[4825],{"nodeType":1280,"value":4826,"marks":4827,"data":4828},"Push also tracks OAuth integrations in your environment and gives you the ability to manage and remove them in core environments like M365 and Google Workspace, providing a single platform for you to view, manage, and secure app use across your organization. ",[],{},{"nodeType":1310,"data":4830,"content":4834},{"target":4831},{"sys":4832},{"id":4833,"type":1315,"linkType":1316},"eEbdBUfyzZsdIOjFOXHpM",[],{"nodeType":1310,"data":4836,"content":4840},{"target":4837},{"sys":4838},{"id":4839,"type":1315,"linkType":1316},"1MTFxfROuGKxnkHQwWHe8K",[],{"nodeType":1276,"data":4842,"content":4843},{},[4844,4848,4853,4857,4862],{"nodeType":1280,"value":4845,"marks":4846,"data":4847},"This makes it easy to surface both vulnerabilities and possible control gaps, and do something about them. But where Push really excels is in the ability to observe and block OAuth connection requests ",[],{},{"nodeType":1280,"value":4849,"marks":4850,"data":4852},"even outside of your primary enterprise apps.",[4851],{"type":1345},{},{"nodeType":1280,"value":4854,"marks":4855,"data":4856}," Using Push, you can detect and block OAuth integration requests as they traverse the browser. This ",[],{},{"nodeType":1280,"value":4858,"marks":4859,"data":4861},"app-agnostic",[4860],{"type":1345},{},{"nodeType":1280,"value":4863,"marks":4864,"data":4865}," level of control is absolutely critical to halting OAuth integration sprawl. 
",[],{},{"nodeType":1310,"data":4867,"content":4871},{"target":4868},{"sys":4869},{"id":4870,"type":1315,"linkType":1316},"2VZ4uw6MXslXME2ueydGuT",[],{"nodeType":1698,"data":4873,"content":4874},{},[4875,4879],{"nodeType":1280,"value":4876,"marks":4877,"data":4878},"And t",[],{},{"nodeType":1280,"value":4880,"marks":4881,"data":4883},"hat’s not all …",[4882],{"type":1345},{},{"nodeType":1276,"data":4885,"content":4886},{},[4887],{"nodeType":1280,"value":4888,"marks":4889,"data":4890},"Push’s browser-based security platform also detects and blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, device code phishing, ClickFix, and session hijacking in real time. This includes the most prominent infostealer delivery vectors in terms of malvertising and *Fix-style attacks. Push analyzes every web page in every browser session and tab for threats, in real time, with no latency. ",[],{},{"nodeType":1276,"data":4892,"content":4893},{},[4894],{"nodeType":1280,"value":4895,"marks":4896,"data":4897},"But as we've established, you don't need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your attack surface.",[],{},{"nodeType":1276,"data":4899,"content":4900},{},[4901,4905,4913,4917,4926,4930,4937],{"nodeType":1280,"value":4902,"marks":4903,"data":4904},"To learn more about Push, ",[],{},{"nodeType":1285,"data":4906,"content":4908},{"uri":4907},"https://pushsecurity.com/resources/product-brochure",[4909],{"nodeType":1280,"value":4910,"marks":4911,"data":4912},"check out our latest product overview",[],{},{"nodeType":1280,"value":4914,"marks":4915,"data":4916},", 
",[],{},{"nodeType":1285,"data":4918,"content":4920},{"uri":4919},"https://pushsecurity.com/product-demo/",[4921],{"nodeType":1280,"value":4922,"marks":4923,"data":4925},"view our demo library",[4924],{"type":2159},{},{"nodeType":1280,"value":4927,"marks":4928,"data":4929},", or ",[],{},{"nodeType":1285,"data":4931,"content":4932},{"uri":4145},[4933],{"nodeType":1280,"value":4934,"marks":4935,"data":4936},"book some time with one of our team for a live demo",[],{},{"nodeType":1280,"value":1472,"marks":4938,"data":4939},[],{},"Unpacking the Vercel breach: A cautionary tale for Shadow AI and OAuth sprawl","In April 2026, Vercel was compromised via an OAuth app integrated into their Google Workspace tenant stemming from a compromised third-party AI SaaS provider.","2026-04-23T00:00:00.000Z","unpacking-the-vercel-breach",{"items":4945},[4946,4948],{"sys":4947,"name":4164},{"id":4163},{"sys":4949,"name":4168},{"id":4167},{"items":4951},[4952],{"fullName":1265,"firstName":1266,"jobTitle":1267,"profilePicture":4953},{"url":1269},{"__typename":2244,"sys":4955,"content":4957,"title":5816,"synopsis":5817,"hashTags":61,"publishedDate":5818,"slug":5819,"tagsCollection":5820,"authorsCollection":5826},{"id":4956},"6X3wP0WhtDk2l1jKH2fPIb",{"json":4958},{"nodeType":1272,"data":4959,"content":4960},{},[4961,4967,5010,5017,5024,5027,5035,5042,5050,5089,5111,5114,5122,5129,5136,5143,5159,5174,5181,5197,5204,5220,5241,5261,5318,5330,5350,5356,5363,5370,5377,5384,5407,5413,5420,5427,5434,5446,5471,5474,5482,5489,5496,5503,5522,5528,5551,5558,5565,5689,5695,5702,5709,5712,5720,5727,5746,5753,5761,5764,5783],{"nodeType":1310,"data":4962,"content":4966},{"target":4963},{"sys":4964},{"id":4965,"type":1315,"linkType":1316},"4Lk4sATAlk2wPcevG0cJCu",[],{"nodeType":1276,"data":4968,"content":4969},{},[4970,4974,4983,4986,4994,4997,5006],{"nodeType":1280,"value":4971,"marks":4972,"data":4973},"Browser extensions have become one of the most talked-about attack surfaces in security over the past 
18 months, and understandably so — a string of high-profile supply chain compromises have collectively impacted tens of millions of users since late 2024 (",[],{},{"nodeType":1285,"data":4975,"content":4977},{"uri":4976},"https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it",[4978],{"nodeType":1280,"value":4979,"marks":4980,"data":4982},"Cyberhaven",[4981],{"type":2159},{},{"nodeType":1280,"value":4914,"marks":4984,"data":4985},[],{},{"nodeType":1285,"data":4987,"content":4989},{"uri":4988},"https://thehackernews.com/2025/12/darkspectre-browser-extension-campaigns.html",[4990],{"nodeType":1280,"value":4991,"marks":4992,"data":4993},"DarkSpectre",[],{},{"nodeType":1280,"value":4914,"marks":4995,"data":4996},[],{},{"nodeType":1285,"data":4998,"content":5000},{"uri":4999},"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html",[5001],{"nodeType":1280,"value":5002,"marks":5003,"data":5005},"Trust Wallet",[5004],{"type":2159},{},{"nodeType":1280,"value":5007,"marks":5008,"data":5009},", among many others). 
",[],{},{"nodeType":1276,"data":5011,"content":5012},{},[5013],{"nodeType":1280,"value":5014,"marks":5015,"data":5016},"But as the industry scrambles to respond, there's a tendency to treat browser extension management as an entirely new paradigm that requires a new approach, particularly risk scoring systems that attempt to rate each extension on a spectrum from safe to dangerous.",[],{},{"nodeType":1276,"data":5018,"content":5019},{},[5020],{"nodeType":1280,"value":5021,"marks":5022,"data":5023},"We think this framing misses the point, and that it's leading security teams toward a strategy that won't protect them from the attacks that actually cause damage.",[],{},{"nodeType":1355,"data":5025,"content":5026},{},[],{"nodeType":1359,"data":5028,"content":5029},{},[5030],{"nodeType":1280,"value":5031,"marks":5032,"data":5034},"The practical problem: \"just remove the high-risk ones\" doesn't work",[5033],{"type":1345},{},{"nodeType":1276,"data":5036,"content":5037},{},[5038],{"nodeType":1280,"value":5039,"marks":5040,"data":5041},"The strategy we see most often is some version of \"identify and remove the highest-risk extensions.\" On the surface this seems reasonable — you can't address everything, so you prioritize. The problem is that it doesn't materially reduce your exposure to the attacks that are actually happening.",[],{},{"nodeType":1276,"data":5043,"content":5044},{},[5045],{"nodeType":1280,"value":5046,"marks":5047,"data":5049},"Browser extension attacks almost always follow one of two patterns: ",[5048],{"type":1345},{},{"nodeType":2350,"data":5051,"content":5052},{},[5053,5063],{"nodeType":2354,"data":5054,"content":5055},{},[5056],{"nodeType":1276,"data":5057,"content":5058},{},[5059],{"nodeType":1280,"value":5060,"marks":5061,"data":5062},"A legitimate developer is compromised through consent phishing, session theft, or AiTM phishing, and a malicious update is pushed to the existing user base. 
Cyberhaven is a good example of this — a developer was consent-phished into authorizing a malicious OAuth app, which gave the attacker publishing access to the extension in the web store.",[],{},{"nodeType":2354,"data":5064,"content":5065},{},[5066],{"nodeType":1276,"data":5067,"content":5068},{},[5069,5073,5085],{"nodeType":1280,"value":5070,"marks":5071,"data":5072},"An attacker builds or acquires a clean extension, operates it legitimately until it accumulates a sufficient user base, then deploys a malicious update. GitLab's threat intelligence team documented a cluster of",[],{},{"nodeType":1285,"data":5074,"content":5076},{"uri":5075},"https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/malicious-browser-extensions-feb-2025/",[5077,5080],{"nodeType":1280,"value":2297,"marks":5078,"data":5079},[],{},{"nodeType":1280,"value":5081,"marks":5082,"data":5084},"16 extensions impacting 3.2 million users",[5083],{"type":2159},{},{"nodeType":1280,"value":5086,"marks":5087,"data":5088}," where access had been acquired from original developers rather than via compromise.",[],{},{"nodeType":1276,"data":5090,"content":5091},{},[5092,5097,5102,5106],{"nodeType":1280,"value":5093,"marks":5094,"data":5096},"This means that r",[5095],{"type":1345},{},{"nodeType":1280,"value":5098,"marks":5099,"data":5101},"eal-world extension breaches aren't coming from extensions that looked risky beforehand.",[5100],{"type":1345},{},{"nodeType":1280,"value":5103,"marks":5104,"data":5105}," If your strategy is \"identify and remove the highest-risk extensions,\" you're optimizing for the wrong thing — because even extensions that score as moderate or low risk by every conventional measure still have the permissions and access needed for a full compromise. ",[],{},{"nodeType":1280,"value":5107,"marks":5108,"data":5110},"If you skim off the top 10% “riskiest” extensions, 90% of the extensions in your environment could still become a breach vector. 
",[5109],{"type":1345},{},{"nodeType":1355,"data":5112,"content":5113},{},[],{"nodeType":1359,"data":5115,"content":5116},{},[5117],{"nodeType":1280,"value":5118,"marks":5119,"data":5121},"What risk scoring is designed to measure — and why it can’t predict future compromise",[5120],{"type":1345},{},{"nodeType":1276,"data":5123,"content":5124},{},[5125],{"nodeType":1280,"value":5126,"marks":5127,"data":5128},"Most extension risk scoring systems evaluate some combination of permissions, install count, user ratings, code analysis, developer reputation, and web store trust signals. Nice-to-have data points, but with a common limitation: they describe the extension as it is today, not what it will become after the next update. That makes them poor predictors of the thing that actually causes breaches — a previously-clean extension being weaponized through a supply chain compromise.",[],{},{"nodeType":1276,"data":5130,"content":5131},{},[5132],{"nodeType":1280,"value":5133,"marks":5134,"data":5135},"It's worth examining why each signal falls short as a predictor specifically of future compromise, because the failure modes are different and well-documented.",[],{},{"nodeType":1698,"data":5137,"content":5138},{},[5139],{"nodeType":1280,"value":5140,"marks":5141,"data":5142},"Permissions",[],{},{"nodeType":1276,"data":5144,"content":5145},{},[5146,5150,5155],{"nodeType":1280,"value":5147,"marks":5148,"data":5149},"Permissions are the most meaningful input to a risk score, because they determine what an extension is ",[],{},{"nodeType":1280,"value":5151,"marks":5152,"data":5154},"capable",[5153],{"type":275},{},{"nodeType":1280,"value":5156,"marks":5157,"data":5158}," of doing if it turns malicious. An extension with access to cookies, scripting, and broad host permissions can steal session tokens, log keystrokes, and exfiltrate data from any site the user visits. 
This is the data that actually answers the question \"what could this extension do to us if it went bad?\"",[],{},{"nodeType":1276,"data":5160,"content":5161},{},[5162,5166,5171],{"nodeType":1280,"value":5163,"marks":5164,"data":5165},"The problem is that these permissions are extraordinarily common. We analyzed a sample of 20,000 unique extensions deployed across Push customers and found that ",[],{},{"nodeType":1280,"value":5167,"marks":5168,"data":5170},"46.76% have the permission combinations needed to perform account takeover with no user interaction",[5169],{"type":1345},{},{"nodeType":1280,"value":4208,"marks":5172,"data":5173},[],{},{"nodeType":1276,"data":5175,"content":5176},{},[5177],{"nodeType":1280,"value":5178,"marks":5179,"data":5180},"These figures also understate the real exposure. One of the most straightforward attack techniques involves injecting content scripts into web pages to hook request functions (capturing bearer tokens and request bodies in transit) and to read any cookies the page's own scripts can access. The user-facing warning Chrome shows for this capability — \"Read and change all your data on the websites you visit\" — is the same generic string shown for ad blockers, password managers, and translation tools. ",[],{},{"nodeType":1276,"data":5182,"content":5183},{},[5184,5188,5193],{"nodeType":1280,"value":5185,"marks":5186,"data":5187},"You can't practically remove everything that ",[],{},{"nodeType":1280,"value":5189,"marks":5190,"data":5192},"could",[5191],{"type":275},{},{"nodeType":1280,"value":5194,"marks":5195,"data":5196}," be dangerous, because that includes most of the extensions people actually use for work. 
And if you tighten the threshold so the list stays manageable, you're leaving in place extensions that have the same permissions and pose the same theoretical risk as the ones you removed.",[],{},{"nodeType":1698,"data":5198,"content":5199},{},[5200],{"nodeType":1280,"value":5201,"marks":5202,"data":5203},"Install counts, ratings, developer reputation, and web store badges",[],{},{"nodeType":1276,"data":5205,"content":5206},{},[5207,5211,5216],{"nodeType":1280,"value":5208,"marks":5209,"data":5210},"These signals share a common failure mode, so it's worth addressing them together: they all describe the extension's ",[],{},{"nodeType":1280,"value":5212,"marks":5213,"data":5215},"reputation",[5214],{"type":275},{},{"nodeType":1280,"value":5217,"marks":5218,"data":5219}," at a point in time, and attackers have both the means and the incentive to ensure that reputation looks clean.",[],{},{"nodeType":1276,"data":5221,"content":5222},{},[5223,5228,5232,5237],{"nodeType":1280,"value":5224,"marks":5225,"data":5227},"Install count ",[5226],{"type":1345},{},{"nodeType":1280,"value":5229,"marks":5230,"data":5231},"is sometimes used as a proxy for trustworthiness, on the assumption that widely-adopted extensions are more likely to be legitimate. In practice, high install count is often a ",[],{},{"nodeType":1280,"value":5233,"marks":5234,"data":5236},"precondition",[5235],{"type":275},{},{"nodeType":1280,"value":5238,"marks":5239,"data":5240}," for the attack rather than a signal against it. 
",[],{},{"nodeType":1276,"data":5242,"content":5243},{},[5244,5248,5257],{"nodeType":1280,"value":5245,"marks":5246,"data":5247},"Attackers who acquire or build extensions are specifically waiting for the install base to grow before weaponizing — what researchers are calling the \"",[],{},{"nodeType":1285,"data":5249,"content":5251},{"uri":5250},"https://www.malwarebytes.com/blog/news/2025/12/sleeper-browser-extensions-woke-up-as-spyware-on-4-million-devices",[5252],{"nodeType":1280,"value":5253,"marks":5254,"data":5256},"sleeper agent",[5255],{"type":2159},{},{"nodeType":1280,"value":5258,"marks":5259,"data":5260},"\" strategy. Install counts can also be easily inflated with bots, meaning that using them as a positive risk signal actively rewards the attackers who are best at gaming the system.",[],{},{"nodeType":2350,"data":5262,"content":5263},{},[5264,5286,5308],{"nodeType":2354,"data":5265,"content":5266},{},[5267],{"nodeType":1276,"data":5268,"content":5269},{},[5270,5274,5282],{"nodeType":1280,"value":5271,"marks":5272,"data":5273},"The ",[],{},{"nodeType":1285,"data":5275,"content":5276},{"uri":4988},[5277],{"nodeType":1280,"value":5278,"marks":5279,"data":5281},"DarkSpectre campaign",[5280],{"type":2159},{},{"nodeType":1280,"value":5283,"marks":5284,"data":5285}," accumulated over 8.8 million compromised browsers across extensions that held \"verified\" status and healthy install counts throughout a seven-year operational period. 
",[],{},{"nodeType":2354,"data":5287,"content":5288},{},[5289],{"nodeType":1276,"data":5290,"content":5291},{},[5292,5295,5304],{"nodeType":1280,"value":5271,"marks":5293,"data":5294},[],{},{"nodeType":1285,"data":5296,"content":5298},{"uri":5297},"https://www.ox.security/blog/malicious-chrome-extensions-steal-chatgpt-deepseek-conversations/",[5299],{"nodeType":1280,"value":5300,"marks":5301,"data":5303},"AITOPIA",[5302],{"type":2159},{},{"nodeType":1280,"value":5305,"marks":5306,"data":5307}," impersonation extensions had over 900,000 combined installs and a Google \"Featured\" badge. ",[],{},{"nodeType":2354,"data":5309,"content":5310},{},[5311],{"nodeType":1276,"data":5312,"content":5313},{},[5314],{"nodeType":1280,"value":5315,"marks":5316,"data":5317},"Cyberhaven had approximately 400,000 users at the time of compromise. ",[],{},{"nodeType":1276,"data":5319,"content":5320},{},[5321,5326],{"nodeType":1280,"value":5322,"marks":5323,"data":5325},"User ratings",[5324],{"type":1345},{},{"nodeType":1280,"value":5327,"marks":5328,"data":5329}," suffer from the same problems. Attackers use bot networks to generate positive reviews, and even genuinely clean extensions will carry good ratings right up until they're compromised. By the time users start leaving negative reviews the attack has already run its course.",[],{},{"nodeType":1276,"data":5331,"content":5332},{},[5333,5338,5341,5346],{"nodeType":1280,"value":5334,"marks":5335,"data":5337},"Developer reputation and \"Featured\" and \"Verified\"",[5336],{"type":1345},{},{"nodeType":1280,"value":2297,"marks":5339,"data":5340},[],{},{"nodeType":1280,"value":5342,"marks":5343,"data":5345},"badges",[5344],{"type":1345},{},{"nodeType":1280,"value":5347,"marks":5348,"data":5349}," fail for a related but slightly different reason: the attack typically doesn't come from a known-bad developer. It comes from a reputable developer whose account has been compromised, or from an extension that has changed hands. 
",[],{},{"nodeType":1310,"data":5351,"content":5355},{"target":5352},{"sys":5353},{"id":5354,"type":1315,"linkType":1316},"d1C5wKxUnKFwfhf4OBQAq",[],{"nodeType":1276,"data":5357,"content":5358},{},[5359],{"nodeType":1280,"value":5360,"marks":5361,"data":5362},"The net result across all of these signals is that the extensions most likely to appear in breach headlines — established tools with large user bases, good ratings, verified badges, and reputable developers — are precisely the ones that risk scoring would rate as low-risk.",[],{},{"nodeType":1698,"data":5364,"content":5365},{},[5366],{"nodeType":1280,"value":5367,"marks":5368,"data":5369},"Code analysis",[],{},{"nodeType":1276,"data":5371,"content":5372},{},[5373],{"nodeType":1280,"value":5374,"marks":5375,"data":5376},"Static analysis of extension code is the approach that sounds most rigorous, and it's the basis for Chrome Web Store's own review process. Google operates a hybrid system combining automated analysis and manual review, with manual review typically reserved for submissions that trigger specific signals such as sensitive permissions or large code volumes.",[],{},{"nodeType":1276,"data":5378,"content":5379},{},[5380],{"nodeType":1280,"value":5381,"marks":5382,"data":5383},"But attackers have developed reliable techniques to pass these checks, and the specific evasion methods used in major campaigns illustrate why static analysis consistently falls short. 
",[],{},{"nodeType":2350,"data":5385,"content":5386},{},[5387,5397],{"nodeType":2354,"data":5388,"content":5389},{},[5390],{"nodeType":1276,"data":5391,"content":5392},{},[5393],{"nodeType":1280,"value":5394,"marks":5395,"data":5396},"The Cyberhaven compromise used dynamically loaded content fetched from a remote server via service workers, with the C2 infrastructure delivering different malicious configurations to different end-users — meaning that even if a scanner fetched the remote payload, it might receive a benign configuration depending on the target profile.",[],{},{"nodeType":2354,"data":5398,"content":5399},{},[5400],{"nodeType":1276,"data":5401,"content":5402},{},[5403],{"nodeType":1280,"value":5404,"marks":5405,"data":5406},"The GhostPoster campaign (part of the broader DarkSpectre operation) took evasion further still: the extension waited 48 hours between configuration check-ins and only loaded a malicious payload 10% of the time. No sandbox is running for 48 hours, and a 10% activation rate means that nine out of ten analysis runs would see nothing at all.",[],{},{"nodeType":1310,"data":5408,"content":5412},{"target":5409},{"sys":5410},{"id":5411,"type":1315,"linkType":1316},"6jy6jvYcHTXO2uMd7kx647",[],{"nodeType":1276,"data":5414,"content":5415},{},[5416],{"nodeType":1280,"value":5417,"marks":5418,"data":5419},"It's also worth noting that Chrome Web Store policy explicitly disallows code obfuscation, precisely because it makes review impossible. 
The fact that attackers have found ways to hide malicious behavior without technically obfuscating their code speaks to the fundamental asymmetry at play: the attacker controls when and how malicious functionality appears, and static analysis can only evaluate what's present at the time of review.",[],{},{"nodeType":1698,"data":5421,"content":5422},{},[5423],{"nodeType":1280,"value":5424,"marks":5425,"data":5426},"But extension scores combine all of these things …",[],{},{"nodeType":1276,"data":5428,"content":5429},{},[5430],{"nodeType":1280,"value":5431,"marks":5432,"data":5433},"The obvious counterargument is that no serious risk scoring system relies on any single signal in isolation — the value is supposed to come from combining permissions, install count, ratings, code analysis, and developer reputation into a composite score that's more predictive than any individual input. In theory, this sounds like the right approach: weak signals aggregated together should produce a stronger signal.",[],{},{"nodeType":1276,"data":5435,"content":5436},{},[5437,5442],{"nodeType":1280,"value":5438,"marks":5439,"data":5441},"In practice, combining signals that are individually unable to predict supply chain compromise doesn't produce a signal that can. ",[5440],{"type":1345},{},{"nodeType":1280,"value":5443,"marks":5444,"data":5445},"Aggregating a set of backward-looking indicators doesn't make the aggregate forward-looking; it just gives you a more detailed description of the present state, which is the state before the attack has happened. 
No weighting or combination of install count, code behavior, and developer reputation would have flagged Cyberhaven, or DarkSpectre, or Trust Wallet before the malicious update shipped, because at that point every input to the composite score was returning a legitimate value.",[],{},{"nodeType":1276,"data":5447,"content":5448},{},[5449,5453,5458,5462,5467],{"nodeType":1280,"value":5450,"marks":5451,"data":5452},"Meanwhile, the indicators that ",[],{},{"nodeType":1280,"value":5454,"marks":5455,"data":5457},"do",[5456],{"type":275},{},{"nodeType":1280,"value":5459,"marks":5460,"data":5461}," predict real-world compromise — an extension changing ownership, a developer account being phished, an update introducing behavior that wasn't present in prior versions, or an extension being explicitly confirmed as malicious through threat intelligence — aren't predictive risk score inputs. ",[],{},{"nodeType":1280,"value":5463,"marks":5464,"data":5466},"They're discrete events that require monitoring and an immediate response, not a recalculated number on a dashboard. 
",[5465],{"type":1345},{},{"nodeType":1280,"value":5468,"marks":5469,"data":5470},"This is an important distinction: the signals that matter are changes over time, not static attributes at a point in time, and they call for a detection-and-response workflow rather than a periodic risk review.",[],{},{"nodeType":1355,"data":5472,"content":5473},{},[],{"nodeType":1359,"data":5475,"content":5476},{},[5477],{"nodeType":1280,"value":5478,"marks":5479,"data":5481},"What works instead",[5480],{"type":1345},{},{"nodeType":1276,"data":5483,"content":5484},{},[5485],{"nodeType":1280,"value":5486,"marks":5487,"data":5488},"If the goal is to reduce your exposure to extension-based supply chain compromise rather than to generate a ranked list of risk, the approach is operationally straightforward — even if it requires more discipline than deploying a scoring dashboard.",[],{},{"nodeType":1698,"data":5490,"content":5491},{},[5492],{"nodeType":1280,"value":5493,"marks":5494,"data":5495},"Reduce your attack surface through allowlisting",[],{},{"nodeType":1276,"data":5497,"content":5498},{},[5499],{"nodeType":1280,"value":5500,"marks":5501,"data":5502},"Build a complete inventory of every extension running across your environment — what's installed, how it got there (managed deployment, manual install, sideloaded, developer mode), what permissions it has, who's using it, and whether it serves a legitimate work purpose. Then create a strict allowlist of vetted and approved extensions — keyed on extension ID rather than display name, since names and icons are trivially impersonated — and block everything else.",[],{},{"nodeType":1276,"data":5504,"content":5505},{},[5506,5510,5518],{"nodeType":1280,"value":5507,"marks":5508,"data":5509},"This is the same default-deny approach that's been best practice for firewall policy and endpoint allowlisting for decades. 
",[],{},{"nodeType":1285,"data":5511,"content":5512},{"uri":4762},[5513],{"nodeType":1280,"value":5514,"marks":5515,"data":5517},"In Push, it works like building a firewall rule",[5516],{"type":2159},{},{"nodeType":1280,"value":5519,"marks":5520,"data":5521},": a global block rule at the bottom that disables all browser extensions, with explicit exceptions above it for approved tools. Users who attempt to install unapproved extensions see a block screen.",[],{},{"nodeType":1310,"data":5523,"content":5527},{"target":5524},{"sys":5525},{"id":5526,"type":1315,"linkType":1316},"97dDukjKsRsAptpHV1kpn",[],{"nodeType":1276,"data":5529,"content":5530},{},[5531,5536,5542,5547],{"nodeType":1280,"value":5532,"marks":5533,"data":5535},"The key insight is that every extension you don't ",[5534],{"type":1345},{},{"nodeType":1280,"value":5537,"marks":5538,"data":5541},"really ",[5539,5540],{"type":1345},{"type":275},{},{"nodeType":1280,"value":5543,"marks":5544,"data":5546},"need, but haven't blocked, is attack surface that exists for no business reason. ",[5545],{"type":1345},{},{"nodeType":1280,"value":5548,"marks":5549,"data":5550},"Most organizations are surprised by how many of the extensions in their environment are unused, forgotten, or have readily available alternatives. Reducing the population of installed extensions to only the ones that serve a genuine work purpose is the single most effective thing you can do — and it doesn't require a risk score to accomplish.",[],{},{"nodeType":1698,"data":5552,"content":5553},{},[5554],{"nodeType":1280,"value":5555,"marks":5556,"data":5557},"Monitor for changes that indicate weaponization",[],{},{"nodeType":1276,"data":5559,"content":5560},{},[5561],{"nodeType":1280,"value":5562,"marks":5563,"data":5564},"Once you have a controlled baseline, the risk shifts from unmanaged installations (those are blocked) to changes in the extensions you've already approved. 
These are the signals that map to real-world attack patterns and serve as leading indicators of weaponization:",[],{},{"nodeType":2350,"data":5566,"content":5567},{},[5568,5612,5627,5642,5657],{"nodeType":2354,"data":5569,"content":5570},{},[5571],{"nodeType":1276,"data":5572,"content":5573},{},[5574,5579,5583,5592,5597,5601,5609],{"nodeType":1280,"value":5575,"marks":5576,"data":5578},"Ownership changes",[5577],{"type":1345},{},{"nodeType":1280,"value":5580,"marks":5581,"data":5582}," — an extension changing hands is one of the most reliable precursors to supply chain compromise, as demonstrated by the ",[],{},{"nodeType":1285,"data":5584,"content":5586},{"uri":5585},"https://thehackernews.com/2026/03/chrome-extension-turns-malicious-after.html",[5587],{"nodeType":1280,"value":5588,"marks":5589,"data":5591},"QuickLens and ShotBird attack",[5590],{"type":2159},{},{"nodeType":1280,"value":5593,"marks":5594,"data":5596},"s",[5595],{"type":2159},{},{"nodeType":1280,"value":5598,"marks":5599,"data":5600}," and the acquired-extension clusters documented by ",[],{},{"nodeType":1285,"data":5602,"content":5603},{"uri":5075},[5604],{"nodeType":1280,"value":5605,"marks":5606,"data":5608},"GitLab",[5607],{"type":2159},{},{"nodeType":1280,"value":1472,"marks":5610,"data":5611},[],{},{"nodeType":2354,"data":5613,"content":5614},{},[5615],{"nodeType":1276,"data":5616,"content":5617},{},[5618,5623],{"nodeType":1280,"value":5619,"marks":5620,"data":5622},"Developer contact information changes",[5621],{"type":1345},{},{"nodeType":1280,"value":5624,"marks":5625,"data":5626}," — often an early indicator that an extension has been sold or that a developer account has been taken over.",[],{},{"nodeType":2354,"data":5628,"content":5629},{},[5630],{"nodeType":1276,"data":5631,"content":5632},{},[5633,5638],{"nodeType":1280,"value":5634,"marks":5635,"data":5637},"Permission escalations in updates",[5636],{"type":1345},{},{"nodeType":1280,"value":5639,"marks":5640,"data":5641}," — a 
previously narrowly-scoped extension suddenly requesting broad host permissions or cookie access.",[],{},{"nodeType":2354,"data":5643,"content":5644},{},[5645],{"nodeType":1276,"data":5646,"content":5647},{},[5648,5653],{"nodeType":1280,"value":5649,"marks":5650,"data":5652},"Delisting from the web store",[5651],{"type":1345},{},{"nodeType":1280,"value":5654,"marks":5655,"data":5656}," — can indicate that the store's review process has caught something, or that the developer has abandoned the extension. Either way, delisting does not necessarily remove or disable copies already installed across your fleet, so treat it as a trigger to review (and, if warranted, block) the extension rather than as a resolution.",[],{},{"nodeType":2354,"data":5658,"content":5659},{},[5660],{"nodeType":1276,"data":5661,"content":5662},{},[5663,5668,5672,5680,5685],{"nodeType":1280,"value":5664,"marks":5665,"data":5667},"Known malicious classification",[5666],{"type":1345},{},{"nodeType":1280,"value":5669,"marks":5670,"data":5671}," — when an extension is confirmed as weaponized or linked to an active campaign through threat intelligence. (",[],{},{"nodeType":1285,"data":5673,"content":5674},{"uri":4762},[5675],{"nodeType":1280,"value":5676,"marks":5677,"data":5679},"Push blocks known-bad extensions automaticall",[5678],{"type":2159},{},{"nodeType":1280,"value":5681,"marks":5682,"data":5684},"y",[5683],{"type":2159},{},{"nodeType":1280,"value":5686,"marks":5687,"data":5688},").",[],{},{"nodeType":1310,"data":5690,"content":5694},{"target":5691},{"sys":5692},{"id":5693,"type":1315,"linkType":1316},"4PWyOD92E549plkeNH1DxO",[],{"nodeType":1276,"data":5696,"content":5697},{},[5698],{"nodeType":1280,"value":5699,"marks":5700,"data":5701},"To make this concrete: Push emits structured webhook events whenever extension metadata changes, capturing all of the variables above. These can be fed directly into your SIEM or SOAR workflows, making it easy for security teams to detect when a meaningful change occurs. 
An ownership change on its own warrants investigation; an ownership change paired with a new version and added permissions warrants an immediate block pending review.",[],{},{"nodeType":1276,"data":5703,"content":5704},{},[5705],{"nodeType":1280,"value":5706,"marks":5707,"data":5708},"Push detects these changes in real time and can automatically block an extension when a meaningful risk indicator fires, before the damage propagates. This is fundamentally different from a periodic risk score: rather than attempting to predict which extensions might go bad based on static attributes, Push monitors for the specific events that precede or accompany weaponization in the attacks we've actually observed.",[],{},{"nodeType":1355,"data":5710,"content":5711},{},[],{"nodeType":1359,"data":5713,"content":5714},{},[5715],{"nodeType":1280,"value":5716,"marks":5717,"data":5719},"The bottom line",[5718],{"type":1345},{},{"nodeType":1276,"data":5721,"content":5722},{},[5723],{"nodeType":1280,"value":5724,"marks":5725,"data":5726},"Traditional extension risk scores — based on permissions, store metadata, code analysis, and developer reputation — are poor predictors of which extensions will actually compromise you. The extensions involved in the major breaches of the past 18 months consistently scored as normal or low-risk right up until the moment they were weaponized. If your extension management strategy is built around \"identify the riskiest extensions and remove them,\" the extension that gets you is the one that wasn't on the list.",[],{},{"nodeType":1276,"data":5728,"content":5729},{},[5730,5734,5742],{"nodeType":1280,"value":5731,"marks":5732,"data":5733},"Browser extensions are software. They're third-party code running with significant privilege inside the browser, capable of reading and modifying page content, accessing cookies and session tokens, and interacting with virtually every web application your employees use. 
Like any other software dependency — ",[],{},{"nodeType":1285,"data":5735,"content":5736},{"uri":1650},[5737],{"nodeType":1280,"value":5738,"marks":5739,"data":5741},"OAuth integrations",[5740],{"type":2159},{},{"nodeType":1280,"value":5743,"marks":5744,"data":5745}," being another relevant example from recent public breaches — each one expands your attack surface. ",[],{},{"nodeType":1276,"data":5747,"content":5748},{},[5749],{"nodeType":1280,"value":5750,"marks":5751,"data":5752},"The principles behind managing browser extensions need to be the same as for any other software — default-deny, build an allowlist, then monitor and maintain that allowlist. This might trigger some PTSD for security teams, but it shouldn’t. On the endpoint, application allowlisting has always been operationally painful — diverse workflows, unpredictable application needs, and the overhead of vetting every binary made it impractical for most organizations outside of high-security environments. In the browser, the cost of a false positive is far lower: you’re not going to brick an endpoint by blocking a third-party browser extension, and a wrongly blocked tool can be restored by adding it to the allowlist. ",[],{},{"nodeType":1276,"data":5754,"content":5755},{},[5756],{"nodeType":1280,"value":5757,"marks":5758,"data":5760},"The browser is one of the few environments where an allowlisting approach is both technically feasible and operationally lightweight: use it to your advantage. ",[5759],{"type":1345},{},{"nodeType":1355,"data":5762,"content":5763},{},[],{"nodeType":1276,"data":5765,"content":5766},{},[5767,5771,5779],{"nodeType":1280,"value":5768,"marks":5769,"data":5770},"Push detects and blocks malicious browser extensions, and gives security teams the controls to ",[],{},{"nodeType":1285,"data":5772,"content":5773},{"uri":4762},[5774],{"nodeType":1280,"value":5775,"marks":5776,"data":5778},"enforce an extension allowlist and monitor for risky changes",[5777],{"type":2159},{},{"nodeType":1280,"value":5780,"marks":5781,"data":5782}," across every browser in the environment. 
Combined with protection against AiTM phishing, ClickFix attacks, session hijacking, and stolen credentials — plus proactive hardening for ghost logins, SSO coverage gaps, MFA gaps, and vulnerable passwords — Push provides browser-native visibility and control where it matters most.",[],{},{"nodeType":1276,"data":5784,"content":5785},{},[5786,5789,5795,5798,5804,5807,5813],{"nodeType":1280,"value":4902,"marks":5787,"data":5788},[],{},{"nodeType":1285,"data":5790,"content":5791},{"uri":4907},[5792],{"nodeType":1280,"value":4910,"marks":5793,"data":5794},[],{},{"nodeType":1280,"value":4914,"marks":5796,"data":5797},[],{},{"nodeType":1285,"data":5799,"content":5800},{"uri":4919},[5801],{"nodeType":1280,"value":4922,"marks":5802,"data":5803},[],{},{"nodeType":1280,"value":4927,"marks":5805,"data":5806},[],{},{"nodeType":1285,"data":5808,"content":5809},{"uri":4145},[5810],{"nodeType":1280,"value":4934,"marks":5811,"data":5812},[],{},{"nodeType":1280,"value":1472,"marks":5814,"data":5815},[],{},"Why relying on browser extension risk scoring is an antipattern that won’t predict your next breach","Why typical browser extension risk scores are poor predictors of which extensions will actually lead to a compromise.","2026-04-29T00:00:00.000Z","why-browser-extension-risk-scoring-wont-predict-your-next-breach",{"items":5821},[5822,5824],{"sys":5823,"name":4168},{"id":4167},{"sys":5825,"name":4164},{"id":4163},{"items":5827},[5828],{"fullName":1265,"firstName":1266,"jobTitle":1267,"profilePicture":5829},{"url":1269},"analyzing-the-instructure-breach","blog/analyzing-the-instructure-breach",{"json":5833},{"data":5834,"content":5835,"nodeType":1272},{},[5836],{"data":5837,"content":5838,"nodeType":1276},{},[5839],{"data":5840,"marks":5841,"value":5842,"nodeType":1280},{},[],"ShinyHunters' breach of Instructure is the latest in a sustained series of campaigns leveraging three main browser-based attack vectors. Here's our view of the big picture. 
","ShinyHunters' breach of Instructure is the latest in a long series of attacks. Here's our view of the big picture. ",{"id":5845,"publishedAt":5846},"3jF1fypt08TNlSoWuoMWhj","2026-05-08T14:51:55.700Z",{"items":5848},[5849,5851],{"sys":5850,"name":4164},{"id":4163},{"sys":5852,"name":4168},{"id":4167},"gI6jkaWIjw4maS44QMJRp8FlMoCj_Waz1QF8K5_pPik",1778253525100]