[{"data":1,"prerenderedAt":5657},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":99,"navbar-resource-highlight":173,"use-case-page":219,"fa-icon-regular-faFishingRod":1241,"fa-icon-regular-faPuzzlePiece":1245,"fa-icon-regular-faUserSecret":1247,"fa-icon-regular-faRadar":1249,"fa-icon-regular-faLaptopCode":1251,"fa-icon-regular-faSatelliteDish":1253,"fa-icon-regular-faShieldCheck":1255,"fa-icon-regular-faBrainCircuit":1257,"blog/inside-criminal-phishing-panel":1259},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"kjekiykgjc",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"query":41,"data":42,"variations":88,"lastUpdated":89,"firstPublished":90,"testRatio":23,"createdBy":91,"lastUpdatedBy":92,"folders":93,"meta":94,"rev":98},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible 
banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":84},"ewrererw","testrfesssssssssss",[46,72],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":62},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":61},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":60,"fontSize":58,"url":55},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":63},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"marginTop":69,"marginBottom":69,"fontSize":70,"fontWeight":71},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":73,"@type":47,"tagName":74,"properties":75,"responsiveStyles":79},"builder-pixel-bae3d2hy57","img",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":80},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},"block","hidden","none",{"deviceSize":85,"location":86},"large",{"path":29,"query":87},{},{},1775137295127,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":95,"hasLinks":6,"kind":96,"lastPreviewUrl":97,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFold
ers%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","2tlp3iakz33",[100,136],{"createdDate":101,"id":102,"name":103,"modelId":104,"published":13,"stageModifiedSincePublish":6,"query":105,"data":106,"variations":129,"lastUpdated":130,"firstPublished":131,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":132,"meta":133,"rev":135},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":107,"type":108,"testimonialLink":109,"testimonial":110},{},"testimonial","/customer-stories/inductive-automation",{"@type":111,"id":112,"model":108,"value":113},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":114,"folders":115,"createdDate":116,"id":112,"name":117,"modelId":118,"published":13,"data":119,"variations":123,"lastUpdated":124,"firstPublished":125,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"meta":126,"rev":128},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":120,"jobTitle":121,"quote":117,"image":122},"Jason Waits","\u003Cp>CISO at Inductive 
Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":127,"hasAutosaves":34},{"small":32,"medium":33},"kq6o2ffbr6q",{},1776247404986,1776247404973,[],{"breakpoints":134,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"205no08lfe",{"createdDate":137,"id":138,"name":139,"modelId":104,"published":13,"meta":140,"stageModifiedSincePublish":6,"query":142,"data":143,"variations":169,"lastUpdated":170,"firstPublished":171,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":172,"rev":135},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":141,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":144,"link":163,"type":166,"title":139,"description":167,"image":168},{"@type":111,"id":145,"model":108,"value":146},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":147,"folders":148,"createdDate":149,"id":145,"name":150,"modelId":118,"published":13,"data":151,"variations":157,"lastUpdated":158,"firstPublished":159,"testRatio":23,"createdBy":91,"lastUpdatedBy":24,"meta":160,"rev":162},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":152,"jobTitle":153,"author":154,"qoute":29,"quote":155,"image":156},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the 
endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":161,"hasAutosaves":34},{"small":32,"medium":33},"rxs2i6wz2h7",{"text":164,"url":165},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[174,197],{"createdDate":175,"id":176,"name":139,"modelId":177,"published":13,"meta":178,"stageModifiedSincePublish":6,"query":180,"data":181,"variations":192,"lastUpdated":193,"firstPublished":194,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":195,"rev":196},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":179,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":182,"link":191,"type":166,"title":139,"description":167,"image":168},{"@type":111,"id":145,"model":108,"value":183},{"query":184,"folders":185,"createdDate":149,"id":145,"name":150,"modelId":118,"published":13,"data":186,"variations":187,"lastUpdated":158,"firstPublished":159,"testRatio":23,"createdBy":91,"lastUpdatedBy":24,"meta":188,"rev":190},[],[],{"video":152,"jobTitle":153,"author":154,"qoute":29,"quote":155,"image":156},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":189,"hasAutosaves":34},{"small":32,"medium":33},"1xdsjghwnhl",{"text":164,"url":165},{},1776256937553,1776256937540,[],"7mvz9ff6k3",{"createdDate":198,"id":199,"name":200,"modelId":177,"published":13,"stageModifiedSincePublish":6,"query":201,"data":202,"variations":213,"lastUpdated":214,"firstPublished":215,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":216,"meta":217,"rev":196},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":203,"typ
e":108,"testimonial":204,"testimonialLink":109},{},{"@type":111,"id":112,"model":108,"value":205},{"query":206,"folders":207,"createdDate":116,"id":112,"name":117,"modelId":118,"published":13,"data":208,"variations":209,"lastUpdated":124,"firstPublished":125,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"meta":210,"rev":212},[],[],{"author":120,"jobTitle":121,"quote":117,"image":122},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":211,"hasAutosaves":34},{"small":32,"medium":33},"gl8u2d803le",{},1776256974140,1776256974130,[],{"breakpoints":218,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[220,404,523,642,760,880,1000,1120],{"createdDate":221,"id":222,"name":223,"modelId":224,"published":13,"stageModifiedSincePublish":6,"query":225,"data":231,"variations":392,"lastUpdated":393,"firstPublished":394,"testRatio":23,"screenshot":395,"createdBy":91,"lastUpdatedBy":396,"folders":397,"meta":398,"rev":403},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[226],{"@type":227,"property":228,"operator":229,"value":230},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":232,"customFonts":233,"seoTitle":281,"title":281,"tsCode":29,"seoDescription":282,"fontAwesomeIcon":283,"jsCode":29,"blocks":284,"url":230,"state":389},[],[234],{"family":235,"kind":236,"version":237,"lastModified":238,"files":239,"category":258,"menu":259,"subsets":260,"variants":263},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"800italic":248,"900italic":249,"700italic":250,"100italic":251,"italic":252,"regular":253,"200italic":254,"500italic":255,"300italic":256,"600italic":257},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[261,262],"latin","latin-ext",[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[285,384],{"@type":47,"@version":48,"tagName":286,"id":287,"children":288},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[289,306,314,321,333,348,359,370,376],{"@type":47,"@version":48,"layerName":290,"id":291,"component":292,"responsiveStyles":303},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":290,"options":293,"isRSC":61},{"title":281,"description":294,"points":295,"video":302},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[296,298,300],{"item":297},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":299},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":301},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":304},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},"transparent",{"@type":47,"@version":48,"id":307,"component":308,"responsiveStyles":311},"builder-96634044407e491299e291ed64669e39",{"name":309,"options":310,"isRSC":61},"TrustedBy",{"AllPartners":34,"backgroundTransparent":6},{"large":312},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},"#000",{"@type":47,"@version":48,"id":315,"component":316,"responsiveStyles":319},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":317,"options":318,"isRSC":61},"Diagonal",{"darkMode":34},{"large":320},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"layerName":322,"id":323,"component":324,"responsiveStyles":331},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":322,"tag":322,"options":325,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":328,"description":329,"animatedTitle":29,"image":330,"reverse":6,"descriptionPaddingHorizontal":61},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":332},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":334,"component":335,"responsiveStyles":343},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":336,"options":337,"isRSC":61},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":340,"description":341,"reverse":34,"image":342},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":344},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},"DM Sans, sans-serif","20px","0px",{"@type":47,"@version":48,"id":349,"component":350,"responsiveStyles":356},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":336,"options":351,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":353,"description":354,"reverse":6,"image":355},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook — script behavior, session hijacks, DOM changes, and user inputs — then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":357},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},"36px",{"@type":47,"@version":48,"layerName":336,"id":360,"component":361,"responsiveStyles":367},"builder-42c32198083f4880acb37c5cb76934da",{"name":336,"options":362,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":364,"description":365,"reverse":34,"image":366},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts, like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":368},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},"47px",{"@type":47,"@version":48,"id":371,"component":372,"responsiveStyles":374},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":317,"options":373,"isRSC":61},{"darkMode":6},{"large":375},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":377,"component":378,"responsiveStyles":382},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":379,"tag":379,"options":380,"isRSC":61},"LatestResources",{"sectionHeading":29,"customClass":381},"bg-black",{"large":383},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":385,"@type":47,"tagName":74,"properties":386,"responsiveStyles":387},"builder-pixel-07ojnm65m2hg",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":388},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":390},{"path":29,"query":391},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":399,"winningTest":61,"breakpoints":400,"kind":401,"hasLinks":6,"originalContentId":402,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387
451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"page","2daa5670b8504fc7ba4700633e8bd921","cnhmzlsbr5o",{"createdDate":405,"id":406,"name":407,"modelId":224,"published":13,"stageModifiedSincePublish":6,"query":408,"data":411,"variations":515,"lastUpdated":516,"firstPublished":517,"testRatio":23,"screenshot":518,"createdBy":91,"lastUpdatedBy":396,"folders":519,"meta":520,"rev":403},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[409],{"@type":227,"property":228,"operator":229,"value":410},"/uc/browser-extension-security",{"seoDescription":412,"jsCode":29,"fontAwesomeIcon":413,"tsCode":29,"title":407,"seoTitle":407,"customFonts":414,"inputs":419,"blocks":420,"url":410,"state":512},"Shine a light on risky browser extensions.","faPuzzlePiece",[415],{"kind":236,"family":235,"version":237,"files":416,"category":258,"lastModified":238,"subsets":417,"variants":418,"menu":259},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"100italic":251,"italic":252,"regular":253,"900italic":249,"800italic":248,"700italic":250,"200italic":254,"300italic":256,"500italic":255,"600italic":257},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],[],[421,507],{"@type":47,"@version":48,"tagName":286,"id":422,"meta":423,"children":424},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":287},[425,441,448,455,464,474,484,494,501],{"@type":47,"@version":48,"id":426,"meta":427,"component":428,"responsiveStyles":439},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":291},{"name":290,"options":429,"isRSC":61},{"title":407,"description":430,"points":431,"video":438},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. 
Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[432,434,436],{"item":433},"Discover every browser extension in use",{"item":435},"Spot risky or unsanctioned behavior",{"item":437},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":440},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":442,"meta":443,"component":444,"responsiveStyles":446},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":307},{"name":309,"options":445,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":447},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":449,"meta":450,"component":451,"responsiveStyles":453},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":315},{"name":317,"options":452,"isRSC":61},{"darkMode":34},{"large":454},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"layerName":322,"id":456,"component":457,"responsiveStyles":462},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":322,"tag":322,"options":458,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":459,"description":460,"image":461,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. 
Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":463},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":465,"meta":466,"component":467,"responsiveStyles":472},"builder-93738f98109a4009affb349afd7bb182",{"previousId":334},{"name":336,"options":468,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":469,"description":470,"reverse":34,"image":471},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":473},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},{"@type":47,"@version":48,"id":475,"meta":476,"component":477,"responsiveStyles":482},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":349},{"name":336,"options":478,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":479,"description":480,"reverse":6,"image":481},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. 
This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":483},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":485,"meta":486,"component":487,"responsiveStyles":492},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":360},{"name":336,"options":488,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":489,"description":490,"reverse":34,"image":491},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. 
You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":493},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":495,"meta":496,"component":497,"responsiveStyles":499},"builder-1a689287d1a1418997d57db578a71105",{"previousId":371},{"name":317,"options":498,"isRSC":61},{"darkMode":6},{"large":500},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":502,"component":503,"responsiveStyles":505},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":379,"tag":379,"options":504,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":506},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":508,"@type":47,"tagName":74,"properties":509,"responsiveStyles":510},"builder-pixel-dkw3r2h0ndw",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":511},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":513},{"path":29,"query":514},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":401,"winningTest":61,"breakpoints":521,"lastPreviewUrl":522,"hasLinks":6,"originalContentId":222,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true
&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":524,"id":525,"name":526,"modelId":224,"published":13,"query":527,"data":530,"variations":633,"lastUpdated":634,"firstPublished":635,"testRatio":23,"screenshot":636,"createdBy":91,"lastUpdatedBy":637,"folders":638,"meta":639,"rev":403},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[528],{"@type":227,"property":228,"operator":229,"value":529},"/uc/account-takeover-detection",{"title":526,"customFonts":531,"jsCode":29,"seoTitle":526,"seoDescription":536,"fontAwesomeIcon":537,"tsCode":29,"blocks":538,"url":529,"state":630},[532],{"kind":236,"category":258,"variants":533,"menu":259,"files":534,"family":235,"subsets":535,"version":237,"lastModified":238},[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"300italic":256,"500italic":255,"800italic":248,"700italic":250,"italic":252,"900italic":249,"600italic":257,"200italic":254,"regular":253,"100italic":251},[261,262],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[539,625],{"@type":47,"@version":48,"tagName":286,"id":540,"meta":541,"children":542},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":287},[543,559,566,573,582,592,602,612,619],{"@type":47,"@version":48,"id":544,"meta":545,"component":546,"responsiveStyles":557},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":291},{"name":290,"options":547,"isRSC":61},{"title":526,"description":548,"points":549,"video":556},"\u003Cp>Attackers don’t need to phish, they just need a password that works. 
Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[550,552,554],{"item":551},"Identify credential-based ATO as it unfolds",{"item":553},"Surface hijacked sessions and token misuse",{"item":555},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":558},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":560,"meta":561,"component":562,"responsiveStyles":564},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":307},{"name":309,"options":563,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":565},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":567,"meta":568,"component":569,"responsiveStyles":571},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":315},{"name":317,"options":570,"isRSC":61},{"darkMode":34},{"large":572},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":574,"component":575,"responsiveStyles":580},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":322,"tag":322,"options":576,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":577,"description":578,"image":579,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. 
Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":581},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":583,"meta":584,"component":585,"responsiveStyles":590},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":334},{"name":336,"options":586,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":587,"description":588,"reverse":34,"image":589},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. 
By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":591},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":593,"meta":594,"component":595,"responsiveStyles":600},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":349},{"name":336,"options":596,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":597,"description":598,"reverse":6,"image":599},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":601},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":603,"meta":604,"component":605,"responsiveStyles":610},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":360},{"name":336,"options":606,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":607,"description":608,"reverse":34,"image":609},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":611},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":613,"meta":614,"component":615,"responsiveStyles":617},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":371},{"name":317,"options":616,"isRSC":61},{"darkMode":6},{"large":618},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":620,"component":621,"responsiveStyles":623},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":379,"tag":379,"options":622,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":624},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":626,"@type":47,"tagName":74,"properties":627,"responsiveStyles":628},"builder-pixel-hkql45bxjvu",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":629},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":631},{"path":29,"query":632},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":640,"hasLinks":6,"originalContentId":222,"breakpoints":641,"winningTest":61,"kind":401,"hasAutosaves":34},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesig
nSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":643,"id":644,"name":645,"modelId":224,"published":13,"query":646,"data":649,"variations":752,"lastUpdated":753,"firstPublished":754,"testRatio":23,"screenshot":755,"createdBy":91,"lastUpdatedBy":637,"folders":756,"meta":757,"rev":403},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[647],{"@type":227,"property":228,"operator":229,"value":648},"/uc/attack-path-hardening",{"tsCode":29,"seoDescription":650,"jsCode":29,"customFonts":651,"fontAwesomeIcon":656,"seoTitle":645,"title":645,"blocks":657,"url":648,"state":749},"Harden access paths with visibility, detection, and 
guardrails.",[652],{"kind":236,"files":653,"version":237,"lastModified":238,"subsets":654,"menu":259,"category":258,"variants":655,"family":235},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"regular":253,"italic":252,"800italic":248,"500italic":255,"600italic":257,"200italic":254,"900italic":249,"700italic":250,"100italic":251,"300italic":256},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],"faRadar",[658,744],{"@type":47,"@version":48,"tagName":286,"id":659,"meta":660,"children":661},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":540},[662,678,685,692,701,711,721,731,738],{"@type":47,"@version":48,"id":663,"meta":664,"component":665,"responsiveStyles":676},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":544},{"name":290,"options":666,"isRSC":61},{"title":645,"description":667,"points":668,"video":675},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[669,671,673],{"item":670},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":672},"Monitor how users actually log in across apps, flows, and tools",{"item":674},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":677},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":679,"meta":680,"component":681,"responsiveStyles":683},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":560},{"name":309,"options":682,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":684},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":686,"meta":687,"component":688,"responsiveStyles":690},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":567},{"name":317,"options":689,"isRSC":61},{"darkMode":34},{"large":691},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":693,"component":694,"responsiveStyles":699},"builder-dec0246085e1485c803f7152b1922a81",{"name":322,"tag":322,"options":695,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":696,"description":697,"image":698,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":700},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":702,"meta":703,"component":704,"responsiveStyles":709},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":583},{"name":336,"options":705,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":706,"description":707,"reverse":34,"image":708},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":710},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},{"@type":47,"@version":48,"id":712,"meta":713,"component":714,"responsiveStyles":719},"builder-431d175c59004669b0b2776b07d71737",{"previousId":593},{"name":336,"options":715,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":716,"description":717,"reverse":6,"image":718},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":720},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":722,"meta":723,"component":724,"responsiveStyles":729},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":603},{"name":336,"options":725,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":726,"description":727,"reverse":34,"image":728},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":730},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":732,"meta":733,"component":734,"responsiveStyles":736},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":613},{"name":317,"options":735,"isRSC":61},{"darkMode":6},{"large":737},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":739,"component":740,"responsiveStyles":742},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":379,"tag":379,"options":741,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":743},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":745,"@type":47,"tagName":74,"properties":746,"responsiveStyles":747},"builder-pixel-m7yumysc5pg",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":748},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":750},{"path":29,"query":751},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":401,"lastPreviewUrl":758,"breakpoints":759,"hasLinks":6,"originalContentId":525,"winningTest":61,"hasAutosaves":34},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextE
dit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":761,"id":762,"name":763,"modelId":224,"published":13,"query":764,"data":767,"variations":872,"lastUpdated":873,"firstPublished":874,"testRatio":23,"screenshot":875,"createdBy":91,"lastUpdatedBy":637,"folders":876,"meta":877,"rev":403},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[765],{"@type":227,"property":228,"operator":229,"value":766},"/uc/clickfix-protection",{"seoDescription":768,"fontAwesomeIcon":769,"customFonts":770,"seoTitle":775,"jsCode":29,"tsCode":29,"title":775,"blocks":776,"url":766,"state":869},"Block attacks that trick users into running malicious code.","faLaptopCode",[771],{"files":772,"subsets":773,"menu":259,"version":237,"kind":236,"family":235,"lastModified":238,"variants":774,"category":258},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"200italic":254,"800italic":248,"700italic":250,"600italic":257,"100italic":251,"italic":252,"regular":253,"300italic":256,"500italic":255,"900italic":249},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],"ClickFix protection",[777,864],{"@type":47,"@version":48,"tagName":286,"id":778,"meta":779,"children":780},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":659},[781,797,804,811,821,831,841,851,858],{"@type":47,"@version":48,"id":782,"meta":783,"component":784,"responsiveStyles":795},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":663},{"name":290,"options":785,"isRSC":61},{"title":775,"description":786,"points":787,"image":794},"\u003Cp>ClickFix attacks are one of the fastest-growing 
threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[788,790,792],{"item":789},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":791},"Block malicious copy-and-paste actions before code is executed",{"item":793},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":796},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":798,"meta":799,"component":800,"responsiveStyles":802},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":679},{"name":309,"options":801,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":803},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":805,"meta":806,"component":807,"responsiveStyles":809},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":686},{"name":317,"options":808,"isRSC":61},{"darkMode":34},{"large":810},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":812,"meta":813,"component":814,"responsiveStyles":819},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":693},{"name":322,"tag":322,"options":815,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":816,"description":817,"reverse":6,"image":818},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack 
exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":820},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":822,"meta":823,"component":824,"responsiveStyles":829},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":702},{"name":336,"options":825,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":826,"description":827,"reverse":34,"image":828},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":830},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},{"@type":47,"@version":48,"id":832,"meta":833,"component":834,"responsiveStyles":839},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":712},{"name":336,"options":835,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":836,"description":837,"reverse":6,"image":838},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":840},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":842,"meta":843,"component":844,"responsiveStyles":849},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":722},{"name":336,"options":845,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":846,"description":847,"reverse":34,"image":848},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":850},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":852,"meta":853,"component":854,"responsiveStyles":856},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":732},{"name":317,"options":855,"isRSC":61},{"darkMode":6},{"large":857},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":859,"component":860,"responsiveStyles":862},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":379,"tag":379,"options":861,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":863},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":865,"@type":47,"tagName":74,"properties":866,"responsiveStyles":867},"builder-pixel-wa8eobjh148",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":868},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":870},{"path":29,"query":871},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":878,"originalContentId":644,"winningTest":61,"hasLinks":6,"kind":401,"breakpoints":879,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user
.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":881,"id":882,"name":883,"modelId":224,"published":13,"query":884,"data":887,"variations":992,"lastUpdated":993,"firstPublished":994,"testRatio":23,"screenshot":995,"createdBy":91,"lastUpdatedBy":637,"folders":996,"meta":997,"rev":403},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[885],{"@type":227,"property":228,"operator":229,"value":886},"/uc/incident-response",{"seoDescription":888,"customFonts":889,"title":883,"jsCode":29,"fontAwesomeIcon":894,"seoTitle":895,"tsCode":29,"blocks":896,"url":886,"state":989},"Investigate and respond faster with unique browser telemetry.",[890],{"kind":236,"subsets":891,"menu":259,"variants":892,"category":258,"family":235,"version":237,"lastModified":238,"files":893},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"900italic":249,"600italic":257,"200italic":254,"300italic":256,"100italic":251,"700italic":250,"800italic":248,"regular":253,"italic":252,"500italic":255},"faSatelliteDish","Browser-based incident 
response",[897,984],{"@type":47,"@version":48,"tagName":286,"id":898,"meta":899,"children":900},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":659},[901,918,925,932,941,951,961,971,978],{"@type":47,"@version":48,"id":902,"meta":903,"component":904,"responsiveStyles":916},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":663},{"name":290,"options":905,"isRSC":61},{"title":906,"description":907,"points":908,"video":915},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[909,911,913],{"item":910},"Reconstruct what happened with real browser session context",{"item":912},"Investigate faster with real-world session context",{"item":914},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":917},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":919,"meta":920,"component":921,"responsiveStyles":923},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":679},{"name":309,"options":922,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":924},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":926,"meta":927,"component":928,"responsiveStyles":930},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":686},{"name":317,"options":929,"isRSC":61},{"darkMode":34},{"large":931},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":933,"component":934,"responsiveStyles":939},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":322,"tag":322,"options":935,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":936,"description":937,"image":938,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":940},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":942,"meta":943,"component":944,"responsiveStyles":949},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":702},{"name":336,"options":945,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":946,"description":947,"reverse":34,"image":948},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":950},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":952,"meta":953,"component":954,"responsiveStyles":959},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":712},{"name":336,"options":955,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":956,"description":957,"reverse":6,"image":958},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":960},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":962,"meta":963,"component":964,"responsiveStyles":969},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":722},{"name":336,"options":965,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":966,"description":967,"reverse":34,"image":968},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":970},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":972,"meta":973,"component":974,"responsiveStyles":976},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":732},{"name":317,"options":975,"isRSC":61},{"darkMode":6},{"large":977},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":979,"component":980,"responsiveStyles":982},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":379,"tag":379,"options":981,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":983},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":985,"@type":47,"tagName":74,"properties":986,"responsiveStyles":987},"builder-pixel-ckgs7k70eee",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":988},{"height":67,"width":67,"display":81,"opacity":6
7,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":990},{"path":29,"query":991},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":401,"breakpoints":998,"originalContentId":644,"winningTest":61,"lastPreviewUrl":999,"hasLinks":6,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1001,"id":1002,"name":1003,"modelId":224,"published":13,"query":1004,"data":1007,"variations":1112,"lastUpdated":1113,"firstPublished":1114,"testRatio":23,"screenshot":1115,"createdBy":91,"lastUpdatedBy":637,"folders":1116,"meta":1117,"rev":403},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1005],{"@type":227,"property":228,"operator":229,"value":1006},"/uc/shadow-saas",{"seoTitle":1008,"seoDescription":1009,"customFonts":1010,"fontAwesomeIcon":1015,"title":1016,"jsCode":29,"tsCode":29,"blocks":1017,"url":1006,"state":1109},"Find and secure shadow SaaS","See and control shadow SaaS in the 
browser.",[1011],{"kind":236,"variants":1012,"files":1013,"family":235,"version":237,"subsets":1014,"lastModified":238,"category":258,"menu":259},[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"300italic":256,"500italic":255,"regular":253,"900italic":249,"italic":252,"100italic":251,"200italic":254,"600italic":257,"700italic":250,"800italic":248},[261,262],"faShieldCheck","Secure shadow SaaS",[1018,1104],{"@type":47,"@version":48,"tagName":286,"id":1019,"meta":1020,"children":1021},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":898},[1022,1038,1045,1052,1061,1071,1081,1091,1098],{"@type":47,"@version":48,"id":1023,"meta":1024,"component":1025,"responsiveStyles":1036},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":902},{"name":290,"options":1026,"isRSC":61},{"title":1008,"description":1027,"points":1028,"video":1035},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1029,1031,1033],{"item":1030},"Discover every SaaS app users access, managed or not",{"item":1032},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1034},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1037},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":1039,"meta":1040,"component":1041,"responsiveStyles":1043},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":919},{"name":309,"options":1042,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":1044},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":1046,"meta":1047,"component":1048,"responsiveStyles":1050},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":926},{"name":317,"options":1049,"isRSC":61},{"darkMode":34},{"large":1051},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1053,"component":1054,"responsiveStyles":1059},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":322,"tag":322,"options":1055,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":1056,"description":1057,"image":1058,"reverse":6},"\u003Ch2>Use your browser to curb SaaS sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1060},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1062,"meta":1063,"component":1064,"responsiveStyles":1069},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":942},{"name":336,"options":1065,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":1066,"description":1067,"reverse":34,"image":1068},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1070},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":1072,"meta":1073,"component":1074,"responsiveStyles":1079},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":952},{"name":336,"options":1075,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":1076,"description":1077,"reverse":6,"image":1078},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1080},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":1082,"meta":1083,"component":1084,"responsiveStyles":1089},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":962},{"name":336,"options":1085,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":1086,"description":1087,"reverse":34,"image":1088},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1090},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":1092,"meta":1093,"component":1094,"responsiveStyles":1096},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":972},{"name":317,"options":1095,"isRSC":61},{"darkMode":6},{"large":1097},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1099,"component":1100,"responsiveStyles":1102},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":379,"tag":379,"options":1101,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":1103},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":1105,"@type":47,"tagName":74,"properties":1106,"responsiveStyles":1107},"builder-pixel-3bpi4545uus",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":1108
},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":1110},{"path":29,"query":1111},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":882,"winningTest":61,"lastPreviewUrl":1118,"breakpoints":1119,"kind":401,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":1121,"id":1122,"name":1123,"modelId":224,"published":13,"stageModifiedSincePublish":6,"query":1124,"data":1127,"variations":1233,"lastUpdated":1234,"firstPublished":1235,"testRatio":23,"screenshot":1236,"createdBy":91,"lastUpdatedBy":396,"folders":1237,"meta":1238,"rev":403},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1125],{"@type":227,"property":228,"operator":229,"value":1126},"/uc/shadow-ai",{"seoTitle":1128,"fontAwesomeIcon":1129,"title":1130,"seoDescription":1131,"customFonts":1132,"tsCode":29,"jsCode":29,"blocks":1137,"url":1126,"state":1230},"Secure AI native and AI enhanced apps. 
","faBrainCircuit","Secure AI","See and control AI apps in the browser.",[1133],{"version":237,"files":1134,"kind":236,"family":235,"lastModified":238,"category":258,"variants":1135,"subsets":1136,"menu":259},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"700italic":250,"100italic":251,"600italic":257,"italic":252,"300italic":256,"200italic":254,"500italic":255,"800italic":248,"900italic":249,"regular":253},[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],[261,262],[1138,1225],{"@type":47,"@version":48,"tagName":286,"id":1139,"meta":1140,"children":1141},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1019},[1142,1158,1165,1172,1182,1192,1202,1212,1219],{"@type":47,"@version":48,"id":1143,"meta":1144,"component":1145,"responsiveStyles":1156},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1023},{"name":290,"options":1146,"isRSC":61},{"title":1130,"description":1147,"points":1148,"image":1155},"\u003Cp>Every AI interaction traverses the browser. Employees use GenAI tools, connect AI apps to corporate accounts, and run agentic workflows, often outside security oversight. 
Push gives security teams the visibility to see what AI is doing across their environment and the controls to intervene before sensitive data leaves or access gets abused.\u003C/p>",[1149,1151,1153],{"item":1150},"Discover every AI tool and agent active across your workforce",{"item":1152},"Detect sensitive data being submitted to AI apps",{"item":1154},"Enforce AI policy directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1157},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":1159,"meta":1160,"component":1161,"responsiveStyles":1163},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1039},{"name":309,"options":1162,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":1164},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":1166,"meta":1167,"component":1168,"responsiveStyles":1170},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1046},{"name":317,"options":1169,"isRSC":61},{"darkMode":34},{"large":1171},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1173,"meta":1174,"component":1175,"responsiveStyles":1180},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1053},{"name":322,"tag":322,"options":1176,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":1177,"description":1178,"image":1179,"reverse":6},"\u003Ch2>The browser is where AI lives\u003C/h2>","\u003Cp>AI activity doesn't happen at the network layer or the endpoint. It happens in the browser, where employees interact with AI tools, where agents execute tasks, and where sensitive data gets submitted to external services. 
Push captures live telemetry from inside the browser session, identifying every AI-native and AI-enhanced application in use. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1181},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1183,"meta":1184,"component":1185,"responsiveStyles":1190},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1062},{"name":336,"options":1186,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":1187,"description":1188,"reverse":34,"image":1189},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Most organisations are using far more AI than they've approved. Push identifies every AI-native and AI-enhanced application accessed across the workforce, which corporate identities are connected, and what new tools appear in the environment. Applications are categorized by risk and policy status so security teams can prioritize exposure before it becomes an incident.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F636e65ad0c4c43faa3e626c41e90d8a3",{"large":1191},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":1193,"meta":1194,"component":1195,"responsiveStyles":1200},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1072},{"name":336,"options":1196,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":1197,"description":1198,"reverse":6,"image":1199},"\u003Ch2>Prevent sensitive data from reaching the wrong AI tools\u003C/h2>","\u003Cp>Employees paste credentials, customer data, and internal documents into AI tools without realizing the risk. 
Push detects sensitive data interactions in the browser in real time, including file uploads, clipboard activity, and form submissions to unsanctioned or high-risk AI applications. Controls can be applied to warn users, require policy acknowledgment, or block the interaction entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F011332d42dab4a299f25ab3847741ed9",{"large":1201},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1210},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1082},{"name":336,"options":1206,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":1207,"description":1208,"reverse":34,"image":1209},"\u003Ch2>Govern agentic AI permissions and activity\u003C/h2>","\u003Cp>AI agents operating in the browser can access applications, execute actions, and handle data on behalf of users, often with permissions that were never explicitly reviewed. 
Push surfaces agentic permissions and data flows so security teams can see what agents are doing, where they have access, and apply controls before that access is exploited or abused.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F71549a73d0b84f1c8cb151c05e493e8d",{"large":1211},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":1213,"meta":1214,"component":1215,"responsiveStyles":1217},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1092},{"name":317,"options":1216,"isRSC":61},{"darkMode":6},{"large":1218},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1220,"component":1221,"responsiveStyles":1223},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":379,"tag":379,"options":1222,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":1224},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":1226,"@type":47,"tagName":74,"properties":1227,"responsiveStyles":1228},"builder-pixel-dye6sse6bmm",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":1229},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":1231},{"path":29,"query":1232},{},{},1778073860450,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9b4d5666fc9e495a9a8de4258975cd9f",[],{"lastPreviewUrl":1239,"hasLinks":6,"originalContentId":1002,"winningTest":61,"breakpoints":1240,"kind":401,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&b
uilder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"w":1242,"h":1243,"d":1244},448,512,"M280.4 48c-3.2 0-6.3 .5-9.3 1.4L206.6 69.2C136.1 90.9 88 156.1 88 229.8l0 42.9c22.7 3.8 40 23.6 40 47.3l0 144c0 26.5-21.5 48-48 48l-32 0c-26.5 0-48-21.5-48-48L0 320c0-23.8 17.3-43.5 40-47.3l0-42.9C40 135 101.8 51.2 192.5 23.4L256.9 3.5c7.6-2.3 15.5-3.5 23.4-3.5 44 0 79.6 35.7 79.6 79.6l0 56.4c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-56.4C312 62.2 297.8 48 280.4 48zM48 320l0 144 32 0 0-144-32 0zm208 24c0-71.6 55.6-127.8 89-148.1 4.3-2.6 9.6-2.6 14 0 33.5 20.3 89 76.6 89 148.1 0 32-16 80-64 112l27.3 27.3c3 3 4.7 7.1 4.7 11.3l0 1.4c0 8.8-7.2 16-16 16l-96 0c-8.8 0-16-7.2-16-16l0-1.4c0-4.2 1.7-8.3 4.7-11.3L320 456c-48-32-64-80-64-112zm128-32a24 24 0 1 0 -48 0 24 24 0 1 0 48 0z",{"w":1243,"h":1243,"d":1246},"M201.1 57.3c-7 5.3-9.1 10.7-9.1 14.7 0 4.2 2.4 10.1 10.4 15.6 7.8 5.3 13.6 14.6 13.6 25.6 0 17-13.8 30.7-30.7 30.7L56 144c-4.4 0-8 3.6-8 8l0 52.5c7.4-2.9 15.5-4.5 24-4.5 43.1 0 72 39.4 72 80s-28.9 80-72 80c-8.5 0-16.6-1.6-24-4.5L48 456c0 4.4 3.6 8 8 8l100.5 0c-2.9-7.4-4.5-15.5-4.5-24 0-43.1 39.4-72 80-72s80 28.9 80 72c0 8.5-1.6 16.6-4.5 24l52.5 0c4.4 0 8-3.6 8-8l0-129.3c0-17 13.8-30.7 30.7-30.7 11.1 0 20.3 5.8 25.6 13.6 5.5 8 11.4 10.4 15.6 10.4 4 0 9.5-2.1 14.7-9.1s9.3-17.9 9.3-30.9-4-23.8-9.3-30.9-10.7-9.1-14.7-9.1c-4.2 0-10.1 2.4-15.6 10.4-5.3 7.8-14.6 13.6-25.6 13.6-17 0-30.7-13.8-30.7-30.7l0-81.3c0-4.4-3.6-8-8-8l-81.3 0c-17 0-30.7-13.8-30.7-30.7 0-11.1 5.8-20.3 13.6-25.6 8-5.5 10.4-11.4 10.4-15.6 0-4-2.1-9.5-9.1-14.7S245 48 232 48 208.2 52 201.1 57.3zM172.3 18.9C188.5 6.8 209.6 0 232 0S275.5 6.8 291.7 18.9 320 49.5 320 72c0 8.6-1.8 16.7-4.9 24L360 96c30.9 0 56 25.1 
56 56l0 44.9c7.3-3.1 15.4-4.9 24-4.9 22.5 0 41 12.2 53.1 28.3s18.9 37.3 18.9 59.7-6.8 43.5-18.9 59.7-30.6 28.3-53.1 28.3c-8.6 0-16.7-1.8-24-4.9l0 92.9c0 30.9-25.1 56-56 56l-78.1 0c-18.7 0-33.9-15.2-33.9-33.9 0-10.1 4.5-18.5 9.9-24.2 4.2-4.3 6.1-9.2 6.1-13.9 0-9.9-10.7-24-32-24s-32 14.1-32 24c0 4.7 1.9 9.5 6.1 13.9 5.5 5.7 9.9 14.1 9.9 24.2 0 18.7-15.2 33.9-33.9 33.9L56 512c-30.9 0-56-25.1-56-56L0 329.9c0-18.7 15.2-33.9 33.9-33.9 10.1 0 18.5 4.5 24.2 9.9 4.3 4.2 9.2 6.1 13.9 6.1 9.9 0 24-10.7 24-32s-14.1-32-24-32c-4.7 0-9.5 1.9-13.9 6.1-5.7 5.5-14.1 9.9-24.2 9.9-18.7 0-33.9-15.2-33.9-33.9L0 152c0-30.9 25.1-56 56-56l92.9 0c-3.1-7.3-4.9-15.4-4.9-24 0-22.5 12.2-41 28.3-53.1z",{"w":1242,"h":1243,"d":1248},"M102.7 96c10.4-53.7 31.9-112 68.3-112 9.6 0 19 3.9 27.5 8.2 8.2 4.1 18.4 7.8 25.5 7.8s17.3-3.7 25.5-7.8c8.5-4.3 17.9-8.2 27.5-8.2 36.4 0 57.8 58.3 68.3 112L376 96c13.3 0 24 10.7 24 24s-10.7 24-24 24l-24 0 0 32c0 17-3.3 33.2-9.3 48l33.3 0c8.1 0 15.6 4 20 10.8s5.2 15.2 2.1 22.6l-31.5 74.2c48.9 31.2 81.4 86 81.4 148.5l0 8c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-8c0-51.4-30.3-95.8-74.1-116.1-11.7-5.5-17-19.2-12-31.2l25.8-60.7-27.7 0c-1.1 0-2.1-.1-3.1-.2-22.6 20-52.3 32.2-84.9 32.2s-62.3-12.2-84.9-32.2c-1 .1-2.1 .2-3.1 .2l-27.7 0 25.8 60.7c5.1 11.9-.2 25.7-12 31.2-43.8 20.4-74.1 64.7-74.1 116.1l0 8c0 13.3-10.7 24-24 24S0 501.3 0 488l0-8c0-62.4 32.5-117.2 81.4-148.5L49.9 257.4c-3.2-7.4-2.4-15.9 2.1-22.6S63.9 224 72 224l33.3 0c-6-14.8-9.3-31-9.3-48l0-32-24 0c-13.3 0-24-10.7-24-24S58.7 96 72 96l30.7 0zm45.9 107c11.1 30.9 40.6 53 75.3 53s64.2-22.1 75.3-53c-5.7 3.2-12.3 5-19.3 5l-12.4 0c-16.5 0-31.1-10.6-36.3-26.2-2.3-7-12.2-7-14.5 0-5.2 15.6-19.9 26.2-36.3 26.2L168 208c-7 0-13.6-1.8-19.3-5zm44.8 133l61 0c9.7 0 17.5 7.8 17.5 17.5 0 4.2-1.5 8.2-4.2 11.4l-27.9 32.5 28.9 82.6c5.5 15.6-6.1 31.9-22.7 31.9l-44.3 0c-16.5 0-28.1-16.3-22.7-31.9l28.9-82.6-27.9-32.5c-2.7-3.2-4.2-7.2-4.2-11.4 0-9.7 7.8-17.5 17.5-17.5z",{"w":1243,"h":1243,"d":1250},"M304.8 173.3c-14.3-8.4-31-13.3-48.8-13.3-53 
0-96 43-96 96s43 96 96 96 96-43 96-96l48 0c0 79.5-64.5 144-144 144s-144-64.5-144-144 64.5-144 144-144c31.1 0 59.9 9.9 83.4 26.6l45.7-45.7C349.7 64.8 304.8 48 256 48 141.1 48 48 141.1 48 256s93.1 208 208 208 208-93.1 208-208l48 0c0 141.4-114.6 256-256 256S0 397.4 0 256 114.6 0 256 0c62.1 0 118.9 22.1 163.3 58.8L463 15c9.4-9.4 24.6-9.4 33.9 0s9.4 24.6 0 33.9L273 273c-9.4 9.4-24.6 9.4-33.9 0s-9.4-24.6 0-33.9l65.7-65.7z",{"w":32,"h":1243,"d":1252},"M128 80l384 0c8.8 0 16 7.2 16 16l0 208 48 0 0-208c0-35.3-28.7-64-64-64L128 32C92.7 32 64 60.7 64 96l0 208 48 0 0-208c0-8.8 7.2-16 16-16zM52.8 400l534.4 0c-8.5 18.9-27.5 32-49.6 32l-435.2 0c-22.1 0-41.1-13.1-49.6-32zM25.6 352C11.5 352 0 363.5 0 377.6 0 434.2 45.8 480 102.4 480l435.2 0c56.6 0 102.4-45.8 102.4-102.4 0-14.1-11.5-25.6-25.6-25.6L25.6 352zM281 169c9.4-9.4 9.4-24.6 0-33.9s-24.6-9.4-33.9 0l-48 48c-9.4 9.4-9.4 24.6 0 33.9l48 48c9.4 9.4 24.6 9.4 33.9 0s9.4-24.6 0-33.9l-31-31 31-31zM393 135c-9.4-9.4-24.6-9.4-33.9 0s-9.4 24.6 0 33.9l31 31-31 31c-9.4 9.4-9.4 24.6 0 33.9s24.6 9.4 33.9 0l48-48c9.4-9.4 9.4-24.6 0-33.9l-48-48z",{"w":1243,"h":1243,"d":1254},"M232 0c-13.3 0-24 10.7-24 24s10.7 24 24 24c128.1 0 232 103.9 232 232 0 13.3 10.7 24 24 24s24-10.7 24-24C512 125.4 386.6 0 232 0zM48 256c0-23 3.7-45 10.5-65.6l263 263C301 460.3 279 464 256 464 141.1 464 48 370.9 48 256zM72.8 136.8c-14.1-14.1-37.6-12-46.5 5.8-16.9 34.2-26.4 72.6-26.4 113.3 0 141.4 114.6 256 256 256 40.7 0 79.2-9.5 113.3-26.4 17.9-8.8 19.9-32.4 5.8-46.5L241 305 281 265c9.4-9.4 9.4-24.6 0-33.9s-24.6-9.4-33.9 0L207 271 72.8 136.8zM208 120c0 13.3 10.7 24 24 24 75.1 0 136 60.9 136 136 0 13.3 10.7 24 24 24s24-10.7 24-24c0-101.6-82.4-184-184-184-13.3 0-24 10.7-24 24z",{"w":1243,"h":1243,"d":1256},"M256.1 0c4.6 0 9.2 1 13.3 2.9L457.8 82.8c22 9.3 38.4 31 38.3 57.2-.5 99.2-41.3 280.7-213.6 363.2-16.7 8-36.1 8-52.8 0-172.4-82.5-213.2-263.9-213.7-363.2-.1-26.2 16.3-47.9 38.3-57.2L242.7 2.9C246.8 1 251.4 0 256.1 0zM73.1 127c-5.9 2.5-9.1 7.7-9 12.7 .5 91.4 38.4 249.3 
186.4 320.1 3.6 1.7 7.8 1.7 11.3 0 148-70.8 185.9-228.7 186.3-320.1 0-5-3.1-10.2-9-12.7l-183-77.6-183 77.6zm240.3 34.9c7.8-10.7 22.8-13.1 33.5-5.3 10.7 7.8 13.1 22.8 5.3 33.5L249.8 330.9c-4.2 5.7-10.7 9.3-17.8 9.8s-14-2.2-18.9-7.3l-46.4-48c-9.2-9.5-9-24.7 .6-33.9 9.5-9.2 24.7-8.9 33.9 .6l26.5 27.4 85.6-117.7z",{"w":1243,"h":1243,"d":1258},"M123 58.1c9.5-33.5 40.4-58.1 77-58.1 21.8 0 41.6 8.7 56 22.9 14.4-14.1 34.2-22.9 56-22.9 36.6 0 67.4 24.6 77 58.1 47.4 9.7 83 51.6 83 101.9 0 11.3-1.8 22.2-5.1 32.3 22.7 19.1 37.1 47.7 37.1 79.7 0 23.7-8 45.6-21.3 63.1 3.5 10.4 5.3 21.4 5.3 32.9 0 54-41.2 98.5-93.9 103.5-15.6 24.3-42.9 40.5-74.1 40.5-25.2 0-48-10.6-64-27.6-16 17-38.8 27.6-64 27.6-31.1 0-58.4-16.2-74.1-40.5-52.7-5.1-93.9-49.5-93.9-103.5 0-11.5 1.9-22.5 5.3-32.9-13.4-17.5-21.3-39.4-21.3-63.1 0-32 14.5-60.6 37.1-79.7-3.3-10.2-5.1-21.1-5.1-32.3 0-50.3 35.6-92.2 83-101.9zM200 48c-17.7 0-32 14.3-32 32 0 13.3-10.7 24-24 24-30.9 0-56 25.1-56 56 0 10.5 2.9 20.3 7.9 28.6 3.4 5.7 4.3 12.5 2.5 18.9s-6.2 11.7-12 14.7c-18 9.3-30.3 28.1-30.3 49.8 0 16.1 6.8 30.7 17.8 40.9 7.9 7.4 9.9 19.2 4.8 28.8-4.2 7.8-6.5 16.7-6.5 26.3 0 30.9 25.1 56 56 56 1.1 0 2.2 0 3.2-.1 10.3-.6 19.8 5.5 23.6 15 5.9 14.7 20.4 25.1 37.1 25.1 20.4 0 37.2-15.3 39.7-35 .1-.6 .2-1.3 .3-1.9l0-135.1-40 0c-6.6 0-12 5.4-12 12l0 4.4c16.5 7.6 28 24.3 28 43.6 0 26.5-21.5 48-48 48s-48-21.5-48-48c0-19.4 11.5-36.1 28-43.6l0-4.4c0-28.7 23.3-52 52-52l40 0 0-56-12.4 0c-7.6 16.5-24.3 28-43.6 28-26.5 0-48-21.5-48-48s21.5-48 48-48c19.4 0 36.1 11.5 43.6 28l12.4 0 0-76c0-17.7-14.3-32-32-32zm80 148l0 152 40 0c6.6 0 12-5.4 12-12l0-4.4c-16.5-7.6-28-24.3-28-43.6 0-26.5 21.5-48 48-48s48 21.5 48 48c0 19.4-11.5 36.1-28 43.6l0 4.4c0 28.7-23.3 52-52 52l-40 0 0 39.1c.1 .6 .2 1.2 .3 1.9 2.5 19.7 19.3 35 39.7 35 16.8 0 31.2-10.3 37.1-25.1 3.8-9.6 13.3-15.6 23.6-15 1.1 .1 2.2 .1 3.2 .1 30.9 0 56-25.1 56-56 0-9.5-2.4-18.5-6.5-26.3-5.1-9.6-3.1-21.4 4.8-28.8 11-10.2 17.8-24.8 17.8-40.9 
0-21.6-12.2-40.4-30.3-49.8-5.9-3-10.2-8.4-12-14.7s-.9-13.2 2.5-18.9c5-8.4 7.9-18.1 7.9-28.6 0-30.9-25.1-56-56-56-13.3 0-24-10.7-24-24 0-17.7-14.3-32-32-32s-32 14.3-32 32l0 76 12.4 0c7.6-16.5 24.3-28 43.6-28 26.5 0 48 21.5 48 48s-21.5 48-48 48c-19.4 0-36.1-11.5-43.6-28L280 196zm56-36a16 16 0 1 0 0 32 16 16 0 1 0 0-32zm0 128a16 16 0 1 0 32 0 16 16 0 1 0 -32 0zM144 352a16 16 0 1 0 32 0 16 16 0 1 0 -32 0zm16-176a16 16 0 1 0 32 0 16 16 0 1 0 -32 0z",{"id":1260,"title":1261,"authorsCollection":1262,"content":1270,"extension":3410,"hashTags":61,"meta":3411,"metaTitle":3412,"ogImage":61,"publishedDate":3413,"relatedBlogPostsCollection":3414,"slug":5634,"stem":5635,"subtitle":61,"summary":5636,"synopsis":5646,"sys":5647,"tagsCollection":5650,"__hash__":5656},"blog/blog/inside-criminal-phishing-panel.json","We infiltrated a criminal phishing panel: here’s what we found",{"items":1263},[1264],{"fullName":1265,"firstName":1266,"jobTitle":1267,"profilePicture":1268},"Push Security Research Team","Research","Threat Research",{"url":1269},"https://images.ctfassets.net/y1cdw1ablpvd/7LpkwyXbOZ8WCVTAXzULmC/bfa3634c78ee9dfbee6606ba5519918b/push-round.png",{"json":1271,"links":3196},{"nodeType":1272,"data":1273,"content":1274},"document",{},[1275,1284,1316,1329,1336,1345,1357,1363,1367,1376,1383,1448,1455,1461,1464,1472,1479,1485,1494,1501,1627,1633,1639,1645,1651,1659,1666,1673,1736,1743,1749,1755,1763,1770,1777,1785,1792,1825,1832,1838,1845,1893,1900,1908,1915,1921,1928,1935,1941,1948,1981,1988,1994,1997,2005,2012,2019,2026,2032,2039,2046,2052,2059,2065,2072,2078,2085,2092,2095,2103,2119,2126,2147,2393,2400,2432,2667,2674,2681,2882,2889,3074,3077,3085,3092,3099,3111,3114,3122,3141,3158,3166,3169,3177],{"nodeType":1276,"data":1277,"content":1278},"paragraph",{},[1279],{"nodeType":1280,"value":1281,"marks":1282,"data":1283},"text","When Push blocks an attack in the browser, we take the opportunity to do some more digging to see what else we can find. 
One recent detection led us down the rabbit hole — and right into a criminal phishing panel. ",[],{},{"nodeType":1276,"data":1285,"content":1286},{},[1287,1291,1300,1304,1312],{"nodeType":1280,"value":1288,"marks":1289,"data":1290},"Real-time operated phishing panels have been used extensively in recent months, in vishing + phishing attacks attributed to first ",[],{},{"nodeType":1292,"data":1293,"content":1295},"hyperlink",{"uri":1294},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[1296],{"nodeType":1280,"value":1297,"marks":1298,"data":1299},"ShinyHunters",[],{},{"nodeType":1280,"value":1301,"marks":1302,"data":1303},", and more recently the ",[],{},{"nodeType":1292,"data":1305,"content":1307},{"uri":1306},"https://www.bleepingcomputer.com/news/security/new-blackfile-extortion-gang-targets-retail-and-hospitality-orgs/",[1308],{"nodeType":1280,"value":1309,"marks":1310,"data":1311},"BlackFile",[],{},{"nodeType":1280,"value":1313,"marks":1314,"data":1315}," hacking group, with a significant overlap in techniques and tooling. ",[],{},{"nodeType":1276,"data":1317,"content":1318},{},[1319,1325],{"nodeType":1280,"value":1320,"marks":1321,"data":1324},"We’ve directly accessed active deployments of the operator panels driving these campaigns, observed what happens in real-time when a victim is targeted, and analyzed multiple variants and forks of the tooling. ",[1322],{"type":1323},"bold",{},{"nodeType":1280,"value":1326,"marks":1327,"data":1328}," ",[],{},{"nodeType":1276,"data":1330,"content":1331},{},[1332],{"nodeType":1280,"value":1333,"marks":1334,"data":1335},"We identified four primary infrastructure clusters, with each deployment having its own panel implementation. 
While the panels share common heritage, the operators deploying them appear to be separate groups with different infrastructure preferences and operational patterns.",[],{},{"nodeType":1337,"data":1338,"content":1344},"embedded-entry-block",{"target":1339},{"sys":1340},{"id":1341,"type":1342,"linkType":1343},"5BQOpzjSbobLx8OkvXl6os","Link","Entry",[],{"nodeType":1276,"data":1346,"content":1347},{},[1348,1352],{"nodeType":1280,"value":1349,"marks":1350,"data":1351},"The existence of these independently branded forks indicates that the tooling has entered a phase of wider distribution — operators who obtained the original panel source are now customizing and reshipping it for their own purposes. As a result, the tooling is now most likely accessible to a broad population of financially motivated threat actors. ",[],{},{"nodeType":1280,"value":1353,"marks":1354,"data":1356},"In total, we’ve identified over 400 domains linked to the attacks, giving an indication of the scale. ",[1355],{"type":1323},{},{"nodeType":1337,"data":1358,"content":1362},{"target":1359},{"sys":1360},{"id":1361,"type":1342,"linkType":1343},"2Z1LUdYXVONWO9nnJTkWsJ",[],{"nodeType":1364,"data":1365,"content":1366},"hr",{},[],{"nodeType":1368,"data":1369,"content":1370},"heading-1",{},[1371],{"nodeType":1280,"value":1372,"marks":1373,"data":1375},"Background",[1374],{"type":1323},{},{"nodeType":1276,"data":1377,"content":1378},{},[1379],{"nodeType":1280,"value":1380,"marks":1381,"data":1382},"Since at least August 2025, attackers have been running hybrid social engineering campaigns targeting hundreds of organizations across financial services, technology, cryptocurrency, healthcare, hospitality, and private aviation. 
",[],{},{"nodeType":1384,"data":1385,"content":1386},"unordered-list",{},[1387,1403,1418,1433],{"nodeType":1388,"data":1389,"content":1390},"list-item",{},[1391],{"nodeType":1276,"data":1392,"content":1393},{},[1394,1399],{"nodeType":1280,"value":1395,"marks":1396,"data":1398},"August 2025: ",[1397],{"type":1323},{},{"nodeType":1280,"value":1400,"marks":1401,"data":1402},"Tooling made available, used in crypto-focused attacks",[],{},{"nodeType":1388,"data":1404,"content":1405},{},[1406],{"nodeType":1276,"data":1407,"content":1408},{},[1409,1414],{"nodeType":1280,"value":1410,"marks":1411,"data":1413},"November 2025:",[1412],{"type":1323},{},{"nodeType":1280,"value":1415,"marks":1416,"data":1417}," Major attacks on enterprise identity platforms begin",[],{},{"nodeType":1388,"data":1419,"content":1420},{},[1421],{"nodeType":1276,"data":1422,"content":1423},{},[1424,1429],{"nodeType":1280,"value":1425,"marks":1426,"data":1428},"January 2026: ",[1427],{"type":1323},{},{"nodeType":1280,"value":1430,"marks":1431,"data":1432},"Public breaches reported",[],{},{"nodeType":1388,"data":1434,"content":1435},{},[1436],{"nodeType":1276,"data":1437,"content":1438},{},[1439,1444],{"nodeType":1280,"value":1440,"marks":1441,"data":1443},"March 2026: ",[1442],{"type":1323},{},{"nodeType":1280,"value":1445,"marks":1446,"data":1447},"Activity spikes again",[],{},{"nodeType":1276,"data":1449,"content":1450},{},[1451],{"nodeType":1280,"value":1452,"marks":1453,"data":1454},"The attacks combine voice phishing with MFA-bypassing adversary-in-the-middle (AiTM) phishing mechanisms that allow the attacker to steal authenticated sessions for target applications — typically enterprise identity providers and cryptocurrency exchanges. Once an identity provider account is compromised, the attackers pivot across connected SaaS platforms — SharePoint, Salesforce, DocuSign, Slack — exfiltrate data, and attempt to extort the victim organization. 
",[],{},{"nodeType":1337,"data":1456,"content":1460},{"target":1457},{"sys":1458},{"id":1459,"type":1342,"linkType":1343},"2X2YXMpozrbRQhegk7yF1k",[],{"nodeType":1364,"data":1462,"content":1463},{},[],{"nodeType":1368,"data":1465,"content":1466},{},[1467],{"nodeType":1280,"value":1468,"marks":1469,"data":1471},"Inside the panels: what Push found",[1470],{"type":1323},{},{"nodeType":1276,"data":1473,"content":1474},{},[1475],{"nodeType":1280,"value":1476,"marks":1477,"data":1478},"Push detected an active Okta phishing site with TTPs aligned to the tooling used by SLH and affiliated groups. Through analysis of the phishing infrastructure, we gained direct access to Doko’s Panel and variants, and were able to observe how these attacks unfold from the operator's perspective — including real victim submission logs from the current week confirming ongoing active operations.",[],{},{"nodeType":1337,"data":1480,"content":1484},{"target":1481},{"sys":1482},{"id":1483,"type":1342,"linkType":1343},"5ND0etPs5xN7ejz24l71jy",[],{"nodeType":1486,"data":1487,"content":1488},"heading-2",{},[1489],{"nodeType":1280,"value":1490,"marks":1491,"data":1493},"How the attack works",[1492],{"type":1323},{},{"nodeType":1276,"data":1495,"content":1496},{},[1497],{"nodeType":1280,"value":1498,"marks":1499,"data":1500},"The general sequence of steps is the same across the panels:",[],{},{"nodeType":1384,"data":1502,"content":1503},{},[1504,1519,1534,1558,1573,1588,1612],{"nodeType":1388,"data":1505,"content":1506},{},[1507],{"nodeType":1276,"data":1508,"content":1509},{},[1510,1515],{"nodeType":1280,"value":1511,"marks":1512,"data":1514},"The operator calls the target",[1513],{"type":1323},{},{"nodeType":1280,"value":1516,"marks":1517,"data":1518}," spoofing the organization's IT helpdesk number, often referencing real employee names or internal ticket numbers to establish trust. 
The target is directed to a phishing domain — usually following a combosquatting pattern like my\u003Ctarget>internal[.]com or \u003Ctarget>sso[.]com — under the pretext of a mandatory security update, passkey enrollment, or support ticket resolution. ",[],{},{"nodeType":1388,"data":1520,"content":1521},{},[1522],{"nodeType":1276,"data":1523,"content":1524},{},[1525,1530],{"nodeType":1280,"value":1526,"marks":1527,"data":1529},"The victim lands on the phishing domain",[1528],{"type":1323},{},{"nodeType":1280,"value":1531,"marks":1532,"data":1533}," and is presented with a loading spinner — the anti-bot gate that prevents unauthorized access to the phishing pages.",[],{},{"nodeType":1388,"data":1535,"content":1536},{},[1537],{"nodeType":1276,"data":1538,"content":1539},{},[1540,1545,1549,1554],{"nodeType":1280,"value":1541,"marks":1542,"data":1544},"The operator accepts the visitor",[1543],{"type":1323},{},{"nodeType":1280,"value":1546,"marks":1547,"data":1548}," from the admin panel and ",[],{},{"nodeType":1280,"value":1550,"marks":1551,"data":1553},"the victim is redirected",[1552],{"type":1323},{},{"nodeType":1280,"value":1555,"marks":1556,"data":1557}," to the cloned login page (e.g. Google, Microsoft, Okta).",[],{},{"nodeType":1388,"data":1559,"content":1560},{},[1561],{"nodeType":1276,"data":1562,"content":1563},{},[1564,1569],{"nodeType":1280,"value":1565,"marks":1566,"data":1568},"The victim enters their email address and password",[1567],{"type":1323},{},{"nodeType":1280,"value":1570,"marks":1571,"data":1572},", which is forwarded to the operator's Telegram channel. The victim sees a processing spinner on the branded login form.",[],{},{"nodeType":1388,"data":1574,"content":1575},{},[1576],{"nodeType":1276,"data":1577,"content":1578},{},[1579,1584],{"nodeType":1280,"value":1580,"marks":1581,"data":1583},"The operator relays the credentials",[1582],{"type":1323},{},{"nodeType":1280,"value":1585,"marks":1586,"data":1587}," to the real identity provider. 
If they're valid, the attack proceeds. If they're invalid, the operator can redirect the victim back to the credential entry pages. Assuming MFA is required, the operator issues a redirect to an appropriate MFA capture page — \"Submit SMS OTP,\" \"Submit Gauth OTP,\" or \"Approve [XX] Prompt,\" depending on what the legitimate IdP is presenting.",[],{},{"nodeType":1388,"data":1589,"content":1590},{},[1591],{"nodeType":1276,"data":1592,"content":1593},{},[1594,1599,1603,1608],{"nodeType":1280,"value":1595,"marks":1596,"data":1598},"The victim submits their OTP or approves the push notification ",[1597],{"type":1323},{},{"nodeType":1280,"value":1600,"marks":1601,"data":1602},"and",[],{},{"nodeType":1280,"value":1604,"marks":1605,"data":1607}," the operator relays the OTP",[1606],{"type":1323},{},{"nodeType":1280,"value":1609,"marks":1610,"data":1611}," in their own login session, completes authentication, and captures the session. ",[],{},{"nodeType":1388,"data":1613,"content":1614},{},[1615],{"nodeType":1276,"data":1616,"content":1617},{},[1618,1623],{"nodeType":1280,"value":1619,"marks":1620,"data":1622},"The victim is redirected to a benign page",[1621],{"type":1323},{},{"nodeType":1280,"value":1624,"marks":1625,"data":1626}," (e.g., Google Drive) or to a support ticket closure screen displaying a fabricated ticket 
number.",[],{},{"nodeType":1337,"data":1628,"content":1632},{"target":1629},{"sys":1630},{"id":1631,"type":1342,"linkType":1343},"1o0wm3EOd7zSl5MddsNxgL",[],{"nodeType":1337,"data":1634,"content":1638},{"target":1635},{"sys":1636},{"id":1637,"type":1342,"linkType":1343},"7w7SQEn3aITpcgXLMThhbS",[],{"nodeType":1276,"data":1640,"content":1641},{},[1642],{"nodeType":1280,"value":29,"marks":1643,"data":1644},[],{},{"nodeType":1337,"data":1646,"content":1650},{"target":1647},{"sys":1648},{"id":1649,"type":1342,"linkType":1343},"PJJabY1ZfoCfl8XQ6PMj2",[],{"nodeType":1486,"data":1652,"content":1653},{},[1654],{"nodeType":1280,"value":1655,"marks":1656,"data":1658},"Doko’s Panel",[1657],{"type":1323},{},{"nodeType":1276,"data":1660,"content":1661},{},[1662],{"nodeType":1280,"value":1663,"marks":1664,"data":1665},"Let’s take a closer look at the panels themselves. We'll start with the default version of Doko's Panel since it’s the most established. It provides a multi-functional framework targeting users of Google, Microsoft Entra, Okta, and popular cryptocurrency exchanges including Abra, Coinbase, Gemini, and Kraken. 
Its core functionality resides in a client-side JavaScript file (client.js) that establishes the real-time feedback loop between the victim's browser and the operator's C2.",[],{},{"nodeType":1276,"data":1667,"content":1668},{},[1669],{"nodeType":1280,"value":1670,"marks":1671,"data":1672},"The technical indicators that characterize Doko's Panel in its standard form include:",[],{},{"nodeType":1384,"data":1674,"content":1675},{},[1676,1691,1706,1721],{"nodeType":1388,"data":1677,"content":1678},{},[1679],{"nodeType":1276,"data":1680,"content":1681},{},[1682,1687],{"nodeType":1280,"value":1683,"marks":1684,"data":1686},"client.js",[1685],{"type":1323},{},{"nodeType":1280,"value":1688,"marks":1689,"data":1690}," containing a pingServer() function that sends a JSON POST request to /backend.php every second with the structure { action: 'ping', token, window_id, page, os, browser }. If the response contains a redirect key, the victim's browser navigates to that path. ",[],{},{"nodeType":1388,"data":1692,"content":1693},{},[1694],{"nodeType":1276,"data":1695,"content":1696},{},[1697,1702],{"nodeType":1280,"value":1698,"marks":1699,"data":1701},"sendTelegramMessage()",[1700],{"type":1323},{},{"nodeType":1280,"value":1703,"marks":1704,"data":1705}," (aliased to sendtg()), a function for relaying real-time credential submissions and session updates to the operator's Telegram channel.",[],{},{"nodeType":1388,"data":1707,"content":1708},{},[1709],{"nodeType":1276,"data":1710,"content":1711},{},[1712,1717],{"nodeType":1280,"value":1713,"marks":1714,"data":1716},"backend.php",[1715],{"type":1323},{},{"nodeType":1280,"value":1718,"marks":1719,"data":1720}," as the primary server-side handler for both victim ping actions and admin panel operations (retrieving connected victim information, sending redirect 
instructions).",[],{},{"nodeType":1388,"data":1722,"content":1723},{},[1724],{"nodeType":1276,"data":1725,"content":1726},{},[1727,1732],{"nodeType":1280,"value":1728,"marks":1729,"data":1731},"j.php",[1730],{"type":1323},{},{"nodeType":1280,"value":1733,"marks":1734,"data":1735}," as the endpoint for sending Telegram messages, relaying captured credentials and session logs.",[],{},{"nodeType":1276,"data":1737,"content":1738},{},[1739],{"nodeType":1280,"value":1740,"marks":1741,"data":1742},"Push found that deployments of Doko's Panel had minimal security by default — anyone was able to view the admin panel and manage visitors' connections without authentication.",[],{},{"nodeType":1337,"data":1744,"content":1748},{"target":1745},{"sys":1746},{"id":1747,"type":1342,"linkType":1343},"3glwGSGHdCpf3DLqNmQqN8",[],{"nodeType":1337,"data":1750,"content":1754},{"target":1751},{"sys":1752},{"id":1753,"type":1342,"linkType":1343},"20ymWIXMkmJlw7XYb93c9o",[],{"nodeType":1486,"data":1756,"content":1757},{},[1758],{"nodeType":1280,"value":1759,"marks":1760,"data":1762},"Panel proliferation and remixes",[1761],{"type":1323},{},{"nodeType":1276,"data":1764,"content":1765},{},[1766],{"nodeType":1280,"value":1767,"marks":1768,"data":1769},"Access to Doko's Panel has clearly proliferated beyond its original developers, resulting in remixes and variants being distributed across the ecosystem. Push identified a variant titled \"Lord Mensius's Panel\" targeting Koinly (a cryptocurrency tax platform), and another titled \"$$$\" using a template impersonating the Australian Tax Office, also targeting cryptocurrency tax filing. ",[],{},{"nodeType":1276,"data":1771,"content":1772},{},[1773],{"nodeType":1280,"value":1774,"marks":1775,"data":1776},"The existence of these independently branded forks indicates that the tooling has entered a phase of wider distribution — operators who obtained the original panel source are now customizing and reshipping it for their own purposes. 
As a result, the tooling is now accessible to a broad population of financially motivated threat actors. ",[],{},{"nodeType":1486,"data":1778,"content":1779},{},[1780],{"nodeType":1280,"value":1781,"marks":1782,"data":1784},"heartbeat/check_redirect variant",[1783],{"type":1323},{},{"nodeType":1276,"data":1786,"content":1787},{},[1788],{"nodeType":1280,"value":1789,"marks":1790,"data":1791},"In addition to Doko’s Panel and its forks, the site initially detected by Push used a modified variant of Doko's Panel with a different C2 protocol. Rather than the standard ping action, this variant sent two types of regular requests from client.js to the backend:",[],{},{"nodeType":1384,"data":1793,"content":1794},{},[1795,1810],{"nodeType":1388,"data":1796,"content":1797},{},[1798],{"nodeType":1276,"data":1799,"content":1800},{},[1801,1806],{"nodeType":1280,"value":1802,"marks":1803,"data":1805},"Heartbeat",[1804],{"type":1323},{},{"nodeType":1280,"value":1807,"marks":1808,"data":1809}," — POST to backend.php with action=heartbeat along with page, token, and window_id.",[],{},{"nodeType":1388,"data":1811,"content":1812},{},[1813],{"nodeType":1276,"data":1814,"content":1815},{},[1816,1821],{"nodeType":1280,"value":1817,"marks":1818,"data":1820},"Check Redirect",[1819],{"type":1323},{},{"nodeType":1280,"value":1822,"marks":1823,"data":1824}," — GET to backend.php with parameters action=check_redirect along with token and window_id.",[],{},{"nodeType":1276,"data":1826,"content":1827},{},[1828],{"nodeType":1280,"value":1829,"marks":1830,"data":1831},"A redirect instruction in response to either request causes the victim's browser to navigate to the specified page. The variant compounds this with a separate inline script embedded in the landing gate HTML — in addition to client.js — that schedules its own sendHeartbeat() and checkRedirect() functions on regular intervals. 
",[],{},{"nodeType":1337,"data":1833,"content":1837},{"target":1834},{"sys":1835},{"id":1836,"type":1342,"linkType":1343},"6zRc9ublZvEQCxcWtMBSnF",[],{"nodeType":1276,"data":1839,"content":1840},{},[1841],{"nodeType":1280,"value":1842,"marks":1843,"data":1844},"Additional technical differentiators for this variant include:",[],{},{"nodeType":1384,"data":1846,"content":1847},{},[1848,1863,1878],{"nodeType":1388,"data":1849,"content":1850},{},[1851],{"nodeType":1276,"data":1852,"content":1853},{},[1854,1859],{"nodeType":1280,"value":1855,"marks":1856,"data":1858},"UUID generation",[1857],{"type":1323},{},{"nodeType":1280,"value":1860,"marks":1861,"data":1862}," using Math.random() to replace x in the template xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx, rather than the original Doko's Panel method of constructing a template from [1e7]+-1e3+-4e3+-8e3+-1e11 and replacing [018].",[],{},{"nodeType":1388,"data":1864,"content":1865},{},[1866],{"nodeType":1276,"data":1867,"content":1868},{},[1869,1874],{"nodeType":1280,"value":1870,"marks":1871,"data":1873},"No central Telegram sending function",[1872],{"type":1323},{},{"nodeType":1280,"value":1875,"marks":1876,"data":1877},", though j.php still exists and is called from inline scripts on individual phishing pages.",[],{},{"nodeType":1388,"data":1879,"content":1880},{},[1881],{"nodeType":1276,"data":1882,"content":1883},{},[1884,1889],{"nodeType":1280,"value":1885,"marks":1886,"data":1888},"No use of FNV-1a",[1887],{"type":1323},{},{"nodeType":1280,"value":1890,"marks":1891,"data":1892}," to hash-generate the window ID.",[],{},{"nodeType":1276,"data":1894,"content":1895},{},[1896],{"nodeType":1280,"value":1897,"marks":1898,"data":1899},"Push also found sub-variants hosting Okta phishing pages with additional modifications: a minified client.js script, and a renamed backend endpoint (api_FyekIDWY.php replacing 
backend.php).",[],{},{"nodeType":1486,"data":1901,"content":1902},{},[1903],{"nodeType":1280,"value":1904,"marks":1905,"data":1907},"Revamped admin panel",[1906],{"type":1323},{},{"nodeType":1276,"data":1909,"content":1910},{},[1911],{"nodeType":1280,"value":1912,"marks":1913,"data":1914},"Push also found examples of a significantly revamped admin panel, including a version from April 2026 specifically targeting Microsoft as an enterprise identity provider. ",[],{},{"nodeType":1337,"data":1916,"content":1920},{"target":1917},{"sys":1918},{"id":1919,"type":1342,"linkType":1343},"3ufb4cotpg0f7yoIQJnND0",[],{"nodeType":1276,"data":1922,"content":1923},{},[1924],{"nodeType":1280,"value":1925,"marks":1926,"data":1927},"This panel featured a more sophisticated operator interface with an updated look, quick action buttons, and sound notifications.",[],{},{"nodeType":1276,"data":1929,"content":1930},{},[1931],{"nodeType":1280,"value":1932,"marks":1933,"data":1934},"In addition to the standard compromise flow for acquiring email, password, and OTP, this panel provided operator actions for sending Microsoft Teams call instructions to the victim — a Meeting ID and Passcode rendered on a branded page. This capability likely enables further interaction through a channel that supports screensharing, extending the attacker's reach beyond credential theft into live session manipulation. 
It also has the potential to make the scenario more believable for the victim.",[],{},{"nodeType":1337,"data":1936,"content":1940},{"target":1937},{"sys":1938},{"id":1939,"type":1342,"linkType":1343},"4pg65d1SvTJA3xm6AsxZBp",[],{"nodeType":1276,"data":1942,"content":1943},{},[1944],{"nodeType":1280,"value":1945,"marks":1946,"data":1947},"Other capabilities were referenced in the panel's source code but did not appear active in the observed deployment:",[],{},{"nodeType":1384,"data":1949,"content":1950},{},[1951,1966],{"nodeType":1388,"data":1952,"content":1953},{},[1954],{"nodeType":1276,"data":1955,"content":1956},{},[1957,1962],{"nodeType":1280,"value":1958,"marks":1959,"data":1961},"Additional MFA approval pages",[1960],{"type":1323},{},{"nodeType":1280,"value":1963,"marks":1964,"data":1965}," for Duo and Okta, with the operator providing a code to display to the victim.",[],{},{"nodeType":1388,"data":1967,"content":1968},{},[1969],{"nodeType":1276,"data":1970,"content":1971},{},[1972,1977],{"nodeType":1280,"value":1973,"marks":1974,"data":1976},"A code execution prompt",[1975],{"type":1323},{},{"nodeType":1280,"value":1978,"marks":1979,"data":1980}," to instruct the victim to run a command — the placeholder example being mshta to execute a remote HTA file, suggesting a potential bridge from identity compromise into malware delivery.",[],{},{"nodeType":1276,"data":1982,"content":1983},{},[1984],{"nodeType":1280,"value":1985,"marks":1986,"data":1987},"The admin panel also included settings for restricting access to specific geographic locations and device types, allowing operators to refine their campaign targeting and also avoid detection from unusual devices (often an indicator that the visitor is not a real human and is actually a security tool or 
bot).",[],{},{"nodeType":1337,"data":1989,"content":1993},{"target":1990},{"sys":1991},{"id":1992,"type":1342,"linkType":1343},"1hebGtxbkyuejWXczwx5n6",[],{"nodeType":1364,"data":1995,"content":1996},{},[],{"nodeType":1368,"data":1998,"content":1999},{},[2000],{"nodeType":1280,"value":2001,"marks":2002,"data":2004},"LLM-generated tells: vibe-coded phishing infrastructure",[2003],{"type":1323},{},{"nodeType":1276,"data":2006,"content":2007},{},[2008],{"nodeType":1280,"value":2009,"marks":2010,"data":2011},"Evidence of extensive LLM use is extremely prevalent in attacks detected by Push, from LLM-generated phishing kits and tools to vibe-coded cloned pages. Attackers have also been observed leveraging AI–assisted capabilities in SaaS platforms to automate and scale-up their campaigns from an infrastructure and operations perspective. ",[],{},{"nodeType":1276,"data":2013,"content":2014},{},[2015],{"nodeType":1280,"value":2016,"marks":2017,"data":2018},"The ‘heartbeat’ variant in particular has significant tells of heavy use of LLMs to modify the phishing panel for the operator’s needs. 
The fact that these tells are so blatant reinforces the belief that these tools are being vibe-coded by relatively inexperienced developers with limited regard for operational security.",[],{},{"nodeType":1276,"data":2020,"content":2021},{},[2022],{"nodeType":1280,"value":2023,"marks":2024,"data":2025},"Some versions of client.js begin with verbose header comments that no human developer would write:",[],{},{"nodeType":1337,"data":2027,"content":2031},{"target":2028},{"sys":2029},{"id":2030,"type":1342,"linkType":1343},"01mOiserRBXraawXwQyJNm",[],{"nodeType":1276,"data":2033,"content":2034},{},[2035],{"nodeType":1280,"value":2036,"marks":2037,"data":2038},"The \"NOTES FOR NEXT SESSION\" header is particularly telling — it's a pattern generated by LLMs that maintain context between chat sessions, not a convention any human developer would adopt in production code, let alone in a phishing kit where operational security should discourage self-documenting infrastructure.",[],{},{"nodeType":1276,"data":2040,"content":2041},{},[2042],{"nodeType":1280,"value":2043,"marks":2044,"data":2045},"The admin panel HTML contains similarly over-documented opening comments:",[],{},{"nodeType":1337,"data":2047,"content":2051},{"target":2048},{"sys":2049},{"id":2050,"type":1342,"linkType":1343},"60snRhz0RIsvLI6OU9RDOk",[],{"nodeType":1276,"data":2053,"content":2054},{},[2055],{"nodeType":1280,"value":2056,"marks":2057,"data":2058},"One of the Okta cloned login pages observed by Push contained the following comments suggesting the use of an LLM to create the clone:",[],{},{"nodeType":1337,"data":2060,"content":2064},{"target":2061},{"sys":2062},{"id":2063,"type":1342,"linkType":1343},"1WCd5LQ6cfPf1IsNAhPSIT",[],{"nodeType":1276,"data":2066,"content":2067},{},[2068],{"nodeType":1280,"value":2069,"marks":2070,"data":2071},"The cloned Microsoft login pages displayed previously contain terser comments, but they are still typical of the useless comments included by an LLM rather than a human author, 
especially a malware/phishing author:",[],{},{"nodeType":1337,"data":2073,"content":2077},{"target":2074},{"sys":2075},{"id":2076,"type":1342,"linkType":1343},"6WN59mkiscNmAt8dmOR81c",[],{"nodeType":1276,"data":2079,"content":2080},{},[2081],{"nodeType":1280,"value":2082,"marks":2083,"data":2084},"The broken duplication in the heartbeat variant — where an inline script and client.js independently schedule the same backend requests using slightly different data formats — is consistent with an operator pasting requirements into an LLM and accepting the output without understanding the existing codebase well enough to recognize the redundancy.",[],{},{"nodeType":1276,"data":2086,"content":2087},{},[2088],{"nodeType":1280,"value":2089,"marks":2090,"data":2091},"Clearly, the barrier to entry for building (or forking) and operating a real-time vishing phishing panel is lower than the effectiveness of the tooling might suggest.",[],{},{"nodeType":1364,"data":2093,"content":2094},{},[],{"nodeType":1368,"data":2096,"content":2097},{},[2098],{"nodeType":1280,"value":2099,"marks":2100,"data":2102},"Infrastructure clustering and attribution",[2101],{"type":1323},{},{"nodeType":1276,"data":2104,"content":2105},{},[2106,2110,2115],{"nodeType":1280,"value":2107,"marks":2108,"data":2109},"Through analysis of phishing domains, hosting infrastructure, and technical indicators in the panel source code, ",[],{},{"nodeType":1280,"value":2111,"marks":2112,"data":2114},"we’re highlighting four distinct infrastructure clusters associated with this tooling. 
",[2113],{"type":1323},{},{"nodeType":1280,"value":2116,"marks":2117,"data":2118},"While the panels share common heritage, the operators deploying them appear to be separate groups with different infrastructure preferences and operational patterns.",[],{},{"nodeType":1486,"data":2120,"content":2121},{},[2122],{"nodeType":1280,"value":2123,"marks":2124,"data":2125},"Cluster A",[],{},{"nodeType":1276,"data":2127,"content":2128},{},[2129,2133,2143],{"nodeType":1280,"value":2130,"marks":2131,"data":2132},"The indicators for Cluster A overlap with ",[],{},{"nodeType":1292,"data":2134,"content":2136},{"uri":2135},"https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft",[2137],{"nodeType":1280,"value":2138,"marks":2139,"data":2142},"Mandiant’s reporting on UNC6661",[2140],{"type":2141},"underline",{},{"nodeType":1280,"value":2144,"marks":2145,"data":2146},". Mandiant also attributes the extortion activity following UNC6661 intrusions to UNC6240, aka ShinyHunters.",[],{},{"nodeType":2148,"data":2149,"content":2150},"table",{},[2151,2177,2206,2229,2280,2324,2347,2370],{"nodeType":2152,"data":2153,"content":2154},"table-row",{},[2155,2167],{"nodeType":2156,"data":2157,"content":2158},"table-cell",{},[2159],{"nodeType":1276,"data":2160,"content":2161},{},[2162],{"nodeType":1280,"value":2163,"marks":2164,"data":2166},"Tool",[2165],{"type":1323},{},{"nodeType":2156,"data":2168,"content":2169},{},[2170],{"nodeType":1276,"data":2171,"content":2172},{},[2173],{"nodeType":1280,"value":1655,"marks":2174,"data":2176},[2175],{"type":1323},{},{"nodeType":2152,"data":2178,"content":2179},{},[2180,2189],{"nodeType":2156,"data":2181,"content":2182},{},[2183],{"nodeType":1276,"data":2184,"content":2185},{},[2186],{"nodeType":1280,"value":1683,"marks":2187,"data":2188},[],{},{"nodeType":2156,"data":2190,"content":2191},{},[2192,2199],{"nodeType":1276,"data":2193,"content":2194},{},[2195],{"nodeType":1280,"value":2196,"marks":2197,"data":2198},"8a01bcb
70ec1c101a163c9cb8e074781c1322096f7ae01789f02252854def44c",[],{},{"nodeType":1276,"data":2200,"content":2201},{},[2202],{"nodeType":1280,"value":2203,"marks":2204,"data":2205},"f574b6e6b3a968cda5f51bec2c090d8eb095fbcfc383314f94bc15676a0d6692",[],{},{"nodeType":2152,"data":2207,"content":2208},{},[2209,2219],{"nodeType":2156,"data":2210,"content":2211},{},[2212],{"nodeType":1276,"data":2213,"content":2214},{},[2215],{"nodeType":1280,"value":2216,"marks":2217,"data":2218},"Timeframe",[],{},{"nodeType":2156,"data":2220,"content":2221},{},[2222],{"nodeType":1276,"data":2223,"content":2224},{},[2225],{"nodeType":1280,"value":2226,"marks":2227,"data":2228},"November 2025 - present (April 2026)",[],{},{"nodeType":2152,"data":2230,"content":2231},{},[2232,2242],{"nodeType":2156,"data":2233,"content":2234},{},[2235],{"nodeType":1276,"data":2236,"content":2237},{},[2238],{"nodeType":1280,"value":2239,"marks":2240,"data":2241},"Domain Patterns",[],{},{"nodeType":2156,"data":2243,"content":2244},{},[2245,2252,2259,2266,2273],{"nodeType":1276,"data":2246,"content":2247},{},[2248],{"nodeType":1280,"value":2249,"marks":2250,"data":2251},"\u003Ctarget>internal.com\n\u003Ctarget>sso.com",[],{},{"nodeType":1276,"data":2253,"content":2254},{},[2255],{"nodeType":1280,"value":2256,"marks":2257,"data":2258},"my\u003Ctarget>.com",[],{},{"nodeType":1276,"data":2260,"content":2261},{},[2262],{"nodeType":1280,"value":2263,"marks":2264,"data":2265},"my\u003Ctarget>internal.com",[],{},{"nodeType":1276,"data":2267,"content":2268},{},[2269],{"nodeType":1280,"value":2270,"marks":2271,"data":2272},"my\u003Ctarget>manager.com",[],{},{"nodeType":1276,"data":2274,"content":2275},{},[2276],{"nodeType":1280,"value":2277,"marks":2278,"data":2279},"my\u003Ctarget>sso.com",[],{},{"nodeType":2152,"data":2281,"content":2282},{},[2283,2293],{"nodeType":2156,"data":2284,"content":2285},{},[2286],{"nodeType":1276,"data":2287,"content":2288},{},[2289],{"nodeType":1280,"value":2290,"marks":2291,"data":2292},"Exa
mples",[],{},{"nodeType":2156,"data":2294,"content":2295},{},[2296,2303,2310,2317],{"nodeType":1276,"data":2297,"content":2298},{},[2299],{"nodeType":1280,"value":2300,"marks":2301,"data":2302},"mydropboxinternal[.]com (November 2025)",[],{},{"nodeType":1276,"data":2304,"content":2305},{},[2306],{"nodeType":1280,"value":2307,"marks":2308,"data":2309},"myxerointernal[.]com (December 2025)",[],{},{"nodeType":1276,"data":2311,"content":2312},{},[2313],{"nodeType":1280,"value":2314,"marks":2315,"data":2316},"amazoninternal[.]com (March 2026)",[],{},{"nodeType":1276,"data":2318,"content":2319},{},[2320],{"nodeType":1280,"value":2321,"marks":2322,"data":2323},"mydisneysso[.]com (March 2026)",[],{},{"nodeType":2152,"data":2325,"content":2326},{},[2327,2337],{"nodeType":2156,"data":2328,"content":2329},{},[2330],{"nodeType":1276,"data":2331,"content":2332},{},[2333],{"nodeType":1280,"value":2334,"marks":2335,"data":2336},"Registrar",[],{},{"nodeType":2156,"data":2338,"content":2339},{},[2340],{"nodeType":1276,"data":2341,"content":2342},{},[2343],{"nodeType":1280,"value":2344,"marks":2345,"data":2346},"NiceNIC",[],{},{"nodeType":2152,"data":2348,"content":2349},{},[2350,2360],{"nodeType":2156,"data":2351,"content":2352},{},[2353],{"nodeType":1276,"data":2354,"content":2355},{},[2356],{"nodeType":1280,"value":2357,"marks":2358,"data":2359},"Name Servers",[],{},{"nodeType":2156,"data":2361,"content":2362},{},[2363],{"nodeType":1276,"data":2364,"content":2365},{},[2366],{"nodeType":1280,"value":2367,"marks":2368,"data":2369},"1984.is FreeDNS",[],{},{"nodeType":2152,"data":2371,"content":2372},{},[2373,2383],{"nodeType":2156,"data":2374,"content":2375},{},[2376],{"nodeType":1276,"data":2377,"content":2378},{},[2379],{"nodeType":1280,"value":2380,"marks":2381,"data":2382},"Hosting Provider",[],{},{"nodeType":2156,"data":2384,"content":2385},{},[2386],{"nodeType":1276,"data":2387,"content":2388},{},[2389],{"nodeType":1280,"value":2390,"marks":2391,"data":2392},"Mevspace 
(AS201814)",[],{},{"nodeType":1486,"data":2394,"content":2395},{},[2396],{"nodeType":1280,"value":2397,"marks":2398,"data":2399},"Cluster B",[],{},{"nodeType":1276,"data":2401,"content":2402},{},[2403,2407,2415,2419,2428],{"nodeType":1280,"value":2404,"marks":2405,"data":2406},"The indicators for Cluster B overlap with ",[],{},{"nodeType":1292,"data":2408,"content":2409},{"uri":2135},[2410],{"nodeType":1280,"value":2411,"marks":2412,"data":2414},"Mandiant’s reporting on UNC6671",[2413],{"type":2141},{},{"nodeType":1280,"value":2416,"marks":2417,"data":2418},". ",[],{},{"nodeType":1292,"data":2420,"content":2422},{"uri":2421},"https://rhisac.org/threat-intelligence/extortion-in-the-enterprise-defending-against-blackfile-attacks/",[2423],{"nodeType":1280,"value":2424,"marks":2425,"data":2427},"Other external reporting",[2426],{"type":2141},{},{"nodeType":1280,"value":2429,"marks":2430,"data":2431}," has linked this group to BlackFile-branded extortion and leaks.",[],{},{"nodeType":2148,"data":2433,"content":2434},{},[2435,2458,2501,2523,2558,2601,2623,2645],{"nodeType":2152,"data":2436,"content":2437},{},[2438,2448],{"nodeType":2156,"data":2439,"content":2440},{},[2441],{"nodeType":1276,"data":2442,"content":2443},{},[2444],{"nodeType":1280,"value":2163,"marks":2445,"data":2447},[2446],{"type":1323},{},{"nodeType":2156,"data":2449,"content":2450},{},[2451],{"nodeType":1276,"data":2452,"content":2453},{},[2454],{"nodeType":1280,"value":1781,"marks":2455,"data":2457},[2456],{"type":1323},{},{"nodeType":2152,"data":2459,"content":2460},{},[2461,2470],{"nodeType":2156,"data":2462,"content":2463},{},[2464],{"nodeType":1276,"data":2465,"content":2466},{},[2467],{"nodeType":1280,"value":1683,"marks":2468,"data":2469},[],{},{"nodeType":2156,"data":2471,"content":2472},{},[2473,2480,2487,2494],{"nodeType":1276,"data":2474,"content":2475},{},[2476],{"nodeType":1280,"value":2477,"marks":2478,"data":2479},"c0df36ccf88d5c8434b13b58f7a55a9715643a126148b9d078a93075d09cad26",[],{},{"
nodeType":1276,"data":2481,"content":2482},{},[2483],{"nodeType":1280,"value":2484,"marks":2485,"data":2486},"d178dc7108fa9344dae28e350e810352e9e874563496dc7876ee628b11b0eabb",[],{},{"nodeType":1276,"data":2488,"content":2489},{},[2490],{"nodeType":1280,"value":2491,"marks":2492,"data":2493},"9c0939960e49122196e44b6779fe55dd7a13ab437ce251c8cf35f8c6daf8be21",[],{},{"nodeType":1276,"data":2495,"content":2496},{},[2497],{"nodeType":1280,"value":2498,"marks":2499,"data":2500},"e8128b33259f7ea4313c942689ba0ba557f17b1474f2e621c62a5b77674fab86",[],{},{"nodeType":2152,"data":2502,"content":2503},{},[2504,2513],{"nodeType":2156,"data":2505,"content":2506},{},[2507],{"nodeType":1276,"data":2508,"content":2509},{},[2510],{"nodeType":1280,"value":2216,"marks":2511,"data":2512},[],{},{"nodeType":2156,"data":2514,"content":2515},{},[2516],{"nodeType":1276,"data":2517,"content":2518},{},[2519],{"nodeType":1280,"value":2520,"marks":2521,"data":2522},"January 2026",[],{},{"nodeType":2152,"data":2524,"content":2525},{},[2526,2535],{"nodeType":2156,"data":2527,"content":2528},{},[2529],{"nodeType":1276,"data":2530,"content":2531},{},[2532],{"nodeType":1280,"value":2239,"marks":2533,"data":2534},[],{},{"nodeType":2156,"data":2536,"content":2537},{},[2538,2545,2552],{"nodeType":1276,"data":2539,"content":2540},{},[2541],{"nodeType":1280,"value":2542,"marks":2543,"data":2544},"\u003Ctarget>internal.com",[],{},{"nodeType":1276,"data":2546,"content":2547},{},[2548],{"nodeType":1280,"value":2549,"marks":2550,"data":2551},"\u003Ctarget>sso.com",[],{},{"nodeType":1276,"data":2553,"content":2554},{},[2555],{"nodeType":1280,"value":2277,"marks":2556,"data":2557},[],{},{"nodeType":2152,"data":2559,"content":2560},{},[2561,2570],{"nodeType":2156,"data":2562,"content":2563},{},[2564],{"nodeType":1276,"data":2565,"content":2566},{},[2567],{"nodeType":1280,"value":2290,"marks":2568,"data":2569},[],{},{"nodeType":2156,"data":2571,"content":2572},{},[2573,2580,2587,2594],{"nodeType":1276,"data":2574,"
content":2575},{},[2576],{"nodeType":1280,"value":2577,"marks":2578,"data":2579},"epicgamessso[.]com (December 2025)",[],{},{"nodeType":1276,"data":2581,"content":2582},{},[2583],{"nodeType":1280,"value":2584,"marks":2585,"data":2586},"myadyeninternal[.]com (January 2026)",[],{},{"nodeType":1276,"data":2588,"content":2589},{},[2590],{"nodeType":1280,"value":2591,"marks":2592,"data":2593},"mysonossso[.]com (January 2026)",[],{},{"nodeType":1276,"data":2595,"content":2596},{},[2597],{"nodeType":1280,"value":2598,"marks":2599,"data":2600},"sonosinternal[.]com (January 2026)",[],{},{"nodeType":2152,"data":2602,"content":2603},{},[2604,2613],{"nodeType":2156,"data":2605,"content":2606},{},[2607],{"nodeType":1276,"data":2608,"content":2609},{},[2610],{"nodeType":1280,"value":2334,"marks":2611,"data":2612},[],{},{"nodeType":2156,"data":2614,"content":2615},{},[2616],{"nodeType":1276,"data":2617,"content":2618},{},[2619],{"nodeType":1280,"value":2620,"marks":2621,"data":2622},"Tucows",[],{},{"nodeType":2152,"data":2624,"content":2625},{},[2626,2635],{"nodeType":2156,"data":2627,"content":2628},{},[2629],{"nodeType":1276,"data":2630,"content":2631},{},[2632],{"nodeType":1280,"value":2357,"marks":2633,"data":2634},[],{},{"nodeType":2156,"data":2636,"content":2637},{},[2638],{"nodeType":1276,"data":2639,"content":2640},{},[2641],{"nodeType":1280,"value":2642,"marks":2643,"data":2644},"Njalla",[],{},{"nodeType":2152,"data":2646,"content":2647},{},[2648,2657],{"nodeType":2156,"data":2649,"content":2650},{},[2651],{"nodeType":1276,"data":2652,"content":2653},{},[2654],{"nodeType":1280,"value":2380,"marks":2655,"data":2656},[],{},{"nodeType":2156,"data":2658,"content":2659},{},[2660],{"nodeType":1276,"data":2661,"content":2662},{},[2663],{"nodeType":1280,"value":2664,"marks":2665,"data":2666},"Njalla (AS39287)",[],{},{"nodeType":1486,"data":2668,"content":2669},{},[2670],{"nodeType":1280,"value":2671,"marks":2672,"data":2673},"Cluster 
C",[],{},{"nodeType":1276,"data":2675,"content":2676},{},[2677],{"nodeType":1280,"value":2678,"marks":2679,"data":2680},"Cluster C is likely an evolution of Cluster B. Some evidence has been observed tying the backend hosting to Njalla behind the Cloudflare CDN, further solidifying the link. The shift to Cloudflare Turnstile protection and subdomain-based targeting represents an operational refinement — moving away from the distinctive [target]internal[.]com pattern that had become a well-known campaign indicator.",[],{},{"nodeType":2148,"data":2682,"content":2683},{},[2684,2708,2730,2752,2774,2817,2838,2860],{"nodeType":2152,"data":2685,"content":2686},{},[2687,2697],{"nodeType":2156,"data":2688,"content":2689},{},[2690],{"nodeType":1276,"data":2691,"content":2692},{},[2693],{"nodeType":1280,"value":2163,"marks":2694,"data":2696},[2695],{"type":1323},{},{"nodeType":2156,"data":2698,"content":2699},{},[2700],{"nodeType":1276,"data":2701,"content":2702},{},[2703],{"nodeType":1280,"value":2704,"marks":2705,"data":2707},"heartbeat/check_redirect variant protected with Cloudflare 
Turnstile",[2706],{"type":1323},{},{"nodeType":2152,"data":2709,"content":2710},{},[2711,2720],{"nodeType":2156,"data":2712,"content":2713},{},[2714],{"nodeType":1276,"data":2715,"content":2716},{},[2717],{"nodeType":1280,"value":1683,"marks":2718,"data":2719},[],{},{"nodeType":2156,"data":2721,"content":2722},{},[2723],{"nodeType":1276,"data":2724,"content":2725},{},[2726],{"nodeType":1280,"value":2727,"marks":2728,"data":2729},"cb1d409278b2247af23e7b00ac779b232baaf4ce5f63fdf5ebc3920a38cc6102",[],{},{"nodeType":2152,"data":2731,"content":2732},{},[2733,2742],{"nodeType":2156,"data":2734,"content":2735},{},[2736],{"nodeType":1276,"data":2737,"content":2738},{},[2739],{"nodeType":1280,"value":2216,"marks":2740,"data":2741},[],{},{"nodeType":2156,"data":2743,"content":2744},{},[2745],{"nodeType":1276,"data":2746,"content":2747},{},[2748],{"nodeType":1280,"value":2749,"marks":2750,"data":2751},"March 2026 - present (April 2026)",[],{},{"nodeType":2152,"data":2753,"content":2754},{},[2755,2764],{"nodeType":2156,"data":2756,"content":2757},{},[2758],{"nodeType":1276,"data":2759,"content":2760},{},[2761],{"nodeType":1280,"value":2239,"marks":2762,"data":2763},[],{},{"nodeType":2156,"data":2765,"content":2766},{},[2767],{"nodeType":1276,"data":2768,"content":2769},{},[2770],{"nodeType":1280,"value":2771,"marks":2772,"data":2773},"\u003Ctarget> subdomain with generic “sso”, “passkey”, “enroll”, “okta” theme root domain",[],{},{"nodeType":2152,"data":2775,"content":2776},{},[2777,2786],{"nodeType":2156,"data":2778,"content":2779},{},[2780],{"nodeType":1276,"data":2781,"content":2782},{},[2783],{"nodeType":1280,"value":2290,"marks":2784,"data":2785},[],{},{"nodeType":2156,"data":2787,"content":2788},{},[2789,2796,2803,2810],{"nodeType":1276,"data":2790,"content":2791},{},[2792],{"nodeType":1280,"value":2793,"marks":2794,"data":2795},"\u003Ctarget>.passkeysetup[.]com (March 
2026)",[],{},{"nodeType":1276,"data":2797,"content":2798},{},[2799],{"nodeType":1280,"value":2800,"marks":2801,"data":2802},"\u003Ctarget>.enrollms[.]com (March 2026)",[],{},{"nodeType":1276,"data":2804,"content":2805},{},[2806],{"nodeType":1280,"value":2807,"marks":2808,"data":2809},"\u003Ctarget>.keyokta[.]com (April 2026)",[],{},{"nodeType":1276,"data":2811,"content":2812},{},[2813],{"nodeType":1280,"value":2814,"marks":2815,"data":2816},"\u003Ctarget>.passkeywork[.]com (April 2026)",[],{},{"nodeType":2152,"data":2818,"content":2819},{},[2820,2829],{"nodeType":2156,"data":2821,"content":2822},{},[2823],{"nodeType":1276,"data":2824,"content":2825},{},[2826],{"nodeType":1280,"value":2334,"marks":2827,"data":2828},[],{},{"nodeType":2156,"data":2830,"content":2831},{},[2832],{"nodeType":1276,"data":2833,"content":2834},{},[2835],{"nodeType":1280,"value":2620,"marks":2836,"data":2837},[],{},{"nodeType":2152,"data":2839,"content":2840},{},[2841,2850],{"nodeType":2156,"data":2842,"content":2843},{},[2844],{"nodeType":1276,"data":2845,"content":2846},{},[2847],{"nodeType":1280,"value":2357,"marks":2848,"data":2849},[],{},{"nodeType":2156,"data":2851,"content":2852},{},[2853],{"nodeType":1276,"data":2854,"content":2855},{},[2856],{"nodeType":1280,"value":2857,"marks":2858,"data":2859},"Cloudflare",[],{},{"nodeType":2152,"data":2861,"content":2862},{},[2863,2872],{"nodeType":2156,"data":2864,"content":2865},{},[2866],{"nodeType":1276,"data":2867,"content":2868},{},[2869],{"nodeType":1280,"value":2380,"marks":2870,"data":2871},[],{},{"nodeType":2156,"data":2873,"content":2874},{},[2875],{"nodeType":1276,"data":2876,"content":2877},{},[2878],{"nodeType":1280,"value":2879,"marks":2880,"data":2881},"Cloudflare (AS13335)",[],{},{"nodeType":1486,"data":2883,"content":2884},{},[2885],{"nodeType":1280,"value":2886,"marks":2887,"data":2888},"Cluster 
D",[],{},{"nodeType":2148,"data":2890,"content":2891},{},[2892,2916,2938,2960,2982,3011,3032,3053],{"nodeType":2152,"data":2893,"content":2894},{},[2895,2905],{"nodeType":2156,"data":2896,"content":2897},{},[2898],{"nodeType":1276,"data":2899,"content":2900},{},[2901],{"nodeType":1280,"value":2163,"marks":2902,"data":2904},[2903],{"type":1323},{},{"nodeType":2156,"data":2906,"content":2907},{},[2908],{"nodeType":1276,"data":2909,"content":2910},{},[2911],{"nodeType":1280,"value":2912,"marks":2913,"data":2915},"heartbeat/check_redirect variant (minified)",[2914],{"type":1323},{},{"nodeType":2152,"data":2917,"content":2918},{},[2919,2928],{"nodeType":2156,"data":2920,"content":2921},{},[2922],{"nodeType":1276,"data":2923,"content":2924},{},[2925],{"nodeType":1280,"value":1683,"marks":2926,"data":2927},[],{},{"nodeType":2156,"data":2929,"content":2930},{},[2931],{"nodeType":1276,"data":2932,"content":2933},{},[2934],{"nodeType":1280,"value":2935,"marks":2936,"data":2937},"9d65dd34384b441505e6b67647153c02d5c367bb53da36ce36a392e70b37940a",[],{},{"nodeType":2152,"data":2939,"content":2940},{},[2941,2950],{"nodeType":2156,"data":2942,"content":2943},{},[2944],{"nodeType":1276,"data":2945,"content":2946},{},[2947],{"nodeType":1280,"value":2216,"marks":2948,"data":2949},[],{},{"nodeType":2156,"data":2951,"content":2952},{},[2953],{"nodeType":1276,"data":2954,"content":2955},{},[2956],{"nodeType":1280,"value":2957,"marks":2958,"data":2959},"April 2026 (low volume)",[],{},{"nodeType":2152,"data":2961,"content":2962},{},[2963,2972],{"nodeType":2156,"data":2964,"content":2965},{},[2966],{"nodeType":1276,"data":2967,"content":2968},{},[2969],{"nodeType":1280,"value":2239,"marks":2970,"data":2971},[],{},{"nodeType":2156,"data":2973,"content":2974},{},[2975],{"nodeType":1276,"data":2976,"content":2977},{},[2978],{"nodeType":1280,"value":2979,"marks":2980,"data":2981},"\u003Ctarget> subdomain with generic “passkey”, “portal”, “okta” theme root 
domain",[],{},{"nodeType":2152,"data":2983,"content":2984},{},[2985,2994],{"nodeType":2156,"data":2986,"content":2987},{},[2988],{"nodeType":1276,"data":2989,"content":2990},{},[2991],{"nodeType":1280,"value":2290,"marks":2992,"data":2993},[],{},{"nodeType":2156,"data":2995,"content":2996},{},[2997,3004],{"nodeType":1276,"data":2998,"content":2999},{},[3000],{"nodeType":1280,"value":3001,"marks":3002,"data":3003},"\u003Ctarget>.passkeyportalsetup[.]com",[],{},{"nodeType":1276,"data":3005,"content":3006},{},[3007],{"nodeType":1280,"value":3008,"marks":3009,"data":3010},"\u003Ctarget>.addoktapasskey[.]com",[],{},{"nodeType":2152,"data":3012,"content":3013},{},[3014,3023],{"nodeType":2156,"data":3015,"content":3016},{},[3017],{"nodeType":1276,"data":3018,"content":3019},{},[3020],{"nodeType":1280,"value":2334,"marks":3021,"data":3022},[],{},{"nodeType":2156,"data":3024,"content":3025},{},[3026],{"nodeType":1276,"data":3027,"content":3028},{},[3029],{"nodeType":1280,"value":2344,"marks":3030,"data":3031},[],{},{"nodeType":2152,"data":3033,"content":3034},{},[3035,3044],{"nodeType":2156,"data":3036,"content":3037},{},[3038],{"nodeType":1276,"data":3039,"content":3040},{},[3041],{"nodeType":1280,"value":2357,"marks":3042,"data":3043},[],{},{"nodeType":2156,"data":3045,"content":3046},{},[3047],{"nodeType":1276,"data":3048,"content":3049},{},[3050],{"nodeType":1280,"value":2857,"marks":3051,"data":3052},[],{},{"nodeType":2152,"data":3054,"content":3055},{},[3056,3065],{"nodeType":2156,"data":3057,"content":3058},{},[3059],{"nodeType":1276,"data":3060,"content":3061},{},[3062],{"nodeType":1280,"value":2380,"marks":3063,"data":3064},[],{},{"nodeType":2156,"data":3066,"content":3067},{},[3068],{"nodeType":1276,"data":3069,"content":3070},{},[3071],{"nodeType":1280,"value":2879,"marks":3072,"data":3073},[],{},{"nodeType":1364,"data":3075,"content":3076},{},[],{"nodeType":1368,"data":3078,"content":3079},{},[3080],{"nodeType":1280,"value":3081,"marks":3082,"data":3084},"Detection 
considerations",[3083],{"type":1323},{},{"nodeType":1276,"data":3086,"content":3087},{},[3088],{"nodeType":1280,"value":3089,"marks":3090,"data":3091},"For Push, the detection approach to these panels is fundamentally the same as for any other phishing kit — behavioral analysis of the rendered page in the browser, regardless of the C2 protocol running underneath. ",[],{},{"nodeType":1276,"data":3093,"content":3094},{},[3095],{"nodeType":1280,"value":3096,"marks":3097,"data":3098},"The main operational difference is on the operator end, where the human-in-the-loop interaction replaces fully automated credential harvesting. This has implications for defenders relying on proactive infrastructure scanning: the gated landing pages, anti-bot checks, and operator-approval requirements mean the malicious content is only served to active targets, making it significantly harder for automated scanners to discover and flag these domains before they're used against a victim.",[],{},{"nodeType":1276,"data":3100,"content":3101},{},[3102,3107],{"nodeType":1280,"value":3103,"marks":3104,"data":3106},"The phone call as delivery vector eliminates the email-based detection surface that most organizations rely on as their primary phishing defense. ",[3105],{"type":1323},{},{"nodeType":1280,"value":3108,"marks":3109,"data":3110},"Operator-gated payload delivery further reduces the likelihood that these sites will be flagged as malicious and added to known-bad detection lists (and in any case, it’s trivial for attackers to spin up new ones). This reinforces the need for browser-based detection at the point the user interacts with the page, analyzing it in real time for malicious content without relying on static IoCs. 
",[],{},{"nodeType":1364,"data":3112,"content":3113},{},[],{"nodeType":1368,"data":3115,"content":3116},{},[3117],{"nodeType":1280,"value":3118,"marks":3119,"data":3121},"Indicators of compromise",[3120],{"type":1323},{},{"nodeType":1276,"data":3123,"content":3124},{},[3125,3129,3137],{"nodeType":1280,"value":3126,"marks":3127,"data":3128},"Short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":1292,"data":3130,"content":3132},{"uri":3131},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[3133],{"nodeType":1280,"value":3134,"marks":3135,"data":3136},"quickly spin up and rotate the sites used",[],{},{"nodeType":1280,"value":3138,"marks":3139,"data":3140}," in the attack chain, often dynamically serving different URLs to site visitors. ",[],{},{"nodeType":1276,"data":3142,"content":3143},{},[3144,3147,3155],{"nodeType":1280,"value":29,"marks":3145,"data":3146},[],{},{"nodeType":1292,"data":3148,"content":3150},{"uri":3149},"https://www.virustotal.com/gui/collection/0f745e9da6ef7664444594a7ee930cfe5a9d8bd6c2f039dcde818599b8926610",[3151],{"nodeType":1280,"value":3152,"marks":3153,"data":3154},"The full list of IoCs is on VirusTotal here. ",[],{},{"nodeType":1280,"value":29,"marks":3156,"data":3157},[],{},{"nodeType":1276,"data":3159,"content":3160},{},[3161],{"nodeType":1280,"value":3162,"marks":3163,"data":3165},"Push customers do not need to take any further action.",[3164],{"type":1323},{},{"nodeType":1364,"data":3167,"content":3168},{},[],{"nodeType":1368,"data":3170,"content":3171},{},[3172],{"nodeType":1280,"value":3173,"marks":3174,"data":3176},"Learn more about Push",[3175],{"type":1323},{},{"nodeType":1276,"data":3178,"content":3179},{},[3180,3184,3192],{"nodeType":1280,"value":3181,"marks":3182,"data":3183},"Push Security is the most powerful AI-native security tool in the browser. 
Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.\n\nSecurity teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.\n\nBook a ",[],{},{"nodeType":1292,"data":3185,"content":3187},{"uri":3186},"https://pushsecurity.com/demo",[3188],{"nodeType":1280,"value":3189,"marks":3190,"data":3191},"live demo",[],{},{"nodeType":1280,"value":3193,"marks":3194,"data":3195}," to learn more.",[],{},{"entries":3197},{"hyperlink":3198,"inline":3199,"block":3200},[],[],[3201,3210,3237,3264,3278,3285,3291,3336,3342,3348,3362,3368,3375,3382,3389,3396,3403],{"sys":3202,"__typename":3203,"title":3204,"caption":3205,"layoutMode":61,"file":3206},{"id":1341},"Image","One example of a deployment portal identified by Push that is currently in active use (redacted).","One example of a deployment portal identified by Push that is currently in active use (redacted).",{"url":3207,"width":3208,"height":3209},"https://images.ctfassets.net/y1cdw1ablpvd/68nyea8Rava8TWxoodHhM7/ca0a81e683c541b969703c22a3f2b992/image4.png",1999,1124,{"sys":3211,"__typename":3212,"content":3213,"name":3236,"title":61},{"id":1361},"InsightTextBlockComponent",{"json":3214},{"nodeType":1272,"data":3215,"content":3216},{},[3217,3224],{"nodeType":1276,"data":3218,"content":3219},{},[3220],{"nodeType":1280,"value":3221,"marks":3222,"data":3223},"It’s easier than ever for attackers to spin up and tear down their phishing infrastructure by abusing a range of legitimate services. 
This is why we’re focused on detecting the actual malicious page at the end of the chain, regardless of the hosting, infrastructure, or delivery vector.",[],{},{"nodeType":1276,"data":3225,"content":3226},{},[3227,3232],{"nodeType":1280,"value":3228,"marks":3229,"data":3231},"This is extra useful in this case when we consider that a phone call is the delivery vector — not something that email-based phishing controls would typically be able to intercept",[3230],{"type":1323},{},{"nodeType":1280,"value":3233,"marks":3234,"data":3235},".",[],{},"Phishing Panel Blog IB1",{"sys":3238,"__typename":3212,"content":3239,"name":3263,"title":61},{"id":1459},{"json":3240},{"data":3241,"content":3242,"nodeType":1272},{},[3243],{"data":3244,"content":3245,"nodeType":1276},{},[3246,3250,3259],{"data":3247,"marks":3248,"value":3249,"nodeType":1280},{},[],"Resulting breaches have already been publicly confirmed at SoundCloud (30 million records), Match Group (Hinge, OkCupid, and Match.com — over 10 million records), Betterment (20 million records), and Crunchbase, among others — all linked to ",{"data":3251,"content":3253,"nodeType":1292},{"uri":3252},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[3254],{"data":3255,"marks":3256,"value":3258,"nodeType":1280},{},[3257],{"type":2141},"ShinyHunters-branded",{"data":3260,"marks":3261,"value":3262,"nodeType":1280},{},[]," extortion demands. 
The group also claimed breaches at Bumble, CarMax, Panera Bread, Harvard, the University of Pennsylvania and others in the same period, using data stolen in the Salesforce breaches in 2025 to identify victims and make the social engineering more convincing.","Phishing Panel Blog IB5",{"sys":3265,"__typename":3212,"content":3266,"name":3277,"title":61},{"id":1483},{"json":3267},{"nodeType":1272,"data":3268,"content":3269},{},[3270],{"nodeType":1276,"data":3271,"content":3272},{},[3273],{"nodeType":1280,"value":3274,"marks":3275,"data":3276},"Doko’s Panel, which takes its name from the Telegram alias of its developer, was linked to ShinyHunters attacks earlier this year. The same persona behind Doko's Panel has been observed actively recruiting \"experienced callers\" via Telegram, specifying requirements including fluent English with no accent, and advertising six-to-seven-figure weekly returns — evidence of the professionalized vishing-as-a-service model that complements the phishing kit ecosystem. 
",[],{},"Phishing Panel Blog IB2",{"sys":3279,"__typename":3203,"title":3280,"caption":3280,"layoutMode":61,"file":3281},{"id":1631},"How the panel is operated during a phishing attack",{"url":3282,"width":3283,"height":3284},"https://images.ctfassets.net/y1cdw1ablpvd/37tinpxZjSb3LUOCdnVKge/b92c9911e992de27f6411f07b0c1e796/Screenshot_2026-05-07_at_12.33.21.png",3290,1902,{"sys":3286,"__typename":3287,"title":3288,"arcadeDemoUrl":3289,"playText":3290},{"id":1637},"ArcadeDemo","Phishing Panel Annotated Demo","https://demo.arcade.software/dDjAyFfOHyGepDwLWJKw?embed","1 mins",{"sys":3292,"__typename":3212,"content":3293,"name":3335,"title":61},{"id":1649},{"json":3294},{"nodeType":1272,"data":3295,"content":3296},{},[3297,3304],{"nodeType":1276,"data":3298,"content":3299},{},[3300],{"nodeType":1280,"value":3301,"marks":3302,"data":3303},"Functionally, this is the same as a typical AITM attack — except that the stages are performed manually by the attacker instead of automatically proxying the victim’s inputs to the real site. ",[],{},{"nodeType":1276,"data":3305,"content":3306},{},[3307,3311,3318,3322,3331],{"nodeType":1280,"value":3308,"marks":3309,"data":3310},"This seems like an odd choice. On one hand, this is a very sophisticated version of a voice phishing attack. But on the other, it’s not taking advantage of some of the standard capabilities that common AITM kits have. This more manual approach is something that ",[],{},{"nodeType":1292,"data":3312,"content":3313},{"uri":3252},[3314],{"nodeType":1280,"value":3315,"marks":3316,"data":3317},"Scattered Spider",[],{},{"nodeType":1280,"value":3319,"marks":3320,"data":3321}," were known for during the ",[],{},{"nodeType":1292,"data":3323,"content":3325},{"uri":3324},"https://www.group-ib.com/blog/0ktapus/",[3326],{"nodeType":1280,"value":3327,"marks":3328,"data":3330},"0ktapus",[3329],{"type":2141},{},{"nodeType":1280,"value":3332,"marks":3333,"data":3334}," days. 
But it doesn’t make much difference to the outcome, or what we can observe to detect the attack in the browser.",[],{},"Phishing Panel Blog IB3",{"sys":3337,"__typename":3203,"title":3338,"caption":3338,"layoutMode":61,"file":3339},{"id":1747},"Anyone can access Doko’s Panel without authentication.",{"url":3340,"width":3208,"height":3341},"https://images.ctfassets.net/y1cdw1ablpvd/1E2c3tIITtYeiD5GtSecxt/91c95bb593188975b1a4a96effb5bea8/image5.png",307,{"sys":3343,"__typename":3203,"title":3344,"caption":3344,"layoutMode":61,"file":3345},{"id":1753},"Admin panel controls.",{"url":3346,"width":3208,"height":3347},"https://images.ctfassets.net/y1cdw1ablpvd/2A56uZUHEDmm8RbeW9IpjE/491e686b77dd60a676d0eebb3ca101c6/image2.png",1059,{"sys":3349,"__typename":3212,"content":3350,"name":3361,"title":61},{"id":1836},{"json":3351},{"data":3352,"content":3353,"nodeType":1272},{},[3354],{"data":3355,"content":3356,"nodeType":1276},{},[3357],{"data":3358,"marks":3359,"value":3360,"nodeType":1280},{},[],"The result is that the victim's browser sends two pairs of duplicate requests every few seconds (with the inline script transmitting heartbeats in JSON format rather than HTML form-encoded data). This level of broken duplication indicates an inexperienced developer making modifications to unfamiliar code — a pattern reinforced by the LLM-generated artifacts discussed later. 
","Phishing Panel Blog IB4",{"sys":3363,"__typename":3203,"title":3364,"caption":3364,"layoutMode":61,"file":3365},{"id":1919},"Revamped admin panel specifically targeting M365.",{"url":3366,"width":3208,"height":3367},"https://images.ctfassets.net/y1cdw1ablpvd/6ltgUv6FOGaMkdYNW06uBC/6449e82609fda96af123dfbd09c2f8c0/image8.png",940,{"sys":3369,"__typename":3203,"title":3370,"caption":3370,"layoutMode":61,"file":3371},{"id":1939},"Instructions for joining the attacker’s Teams meeting.",{"url":3372,"width":3373,"height":3374},"https://images.ctfassets.net/y1cdw1ablpvd/7G6GLi6twkTrDOGFHU9RNt/a1aa2a7a324ba3eda2f38d21af0e4a85/image3.png",1390,1316,{"sys":3376,"__typename":3203,"title":3377,"caption":3377,"layoutMode":61,"file":3378},{"id":1992},"Device and country restriction options.",{"url":3379,"width":3380,"height":3381},"https://images.ctfassets.net/y1cdw1ablpvd/2nxMJQlSeyBwuFgZIsjeRF/78df4d0e8c75a8171937294c1684b3df/image6.png",1064,1192,{"sys":3383,"__typename":3203,"title":3384,"caption":3384,"layoutMode":61,"file":3385},{"id":2030},"Verbose phishing kit comments (a clear sign of AI involvement).",{"url":3386,"width":3387,"height":3388},"https://images.ctfassets.net/y1cdw1ablpvd/2XOX0xzOxsmBKUuQbup47x/a624c2141879f9238704167a35fdeb39/Screenshot_2026-05-07_at_12.53.27.png",1100,1332,{"sys":3390,"__typename":3203,"title":3391,"caption":3391,"layoutMode":61,"file":3392},{"id":2050},"More verbose phishing kit comments.",{"url":3393,"width":3394,"height":3395},"https://images.ctfassets.net/y1cdw1ablpvd/2VIaWB9ExM6nmURNtoP7f4/bc72afef6d151c7e9d5be71f0c74a651/Screenshot_2026-05-07_at_12.53.08.png",1184,1036,{"sys":3397,"__typename":3203,"title":3398,"caption":3398,"layoutMode":61,"file":3399},{"id":2063},"Evidence of LLM use in cloning the Okta login 
pages.",{"url":3400,"width":3401,"height":3402},"https://images.ctfassets.net/y1cdw1ablpvd/5UL0neYANY9ECegc0JsDzL/45a4576d016d9fa806598cabaf493a0f/Screenshot_2026-05-07_at_12.53.49.png",1164,586,{"sys":3404,"__typename":3203,"title":3405,"caption":3405,"layoutMode":61,"file":3406},{"id":2076},"LLM comments not typically included by a human author.",{"url":3407,"width":3408,"height":3409},"https://images.ctfassets.net/y1cdw1ablpvd/6yXfx49paHKklV1iLfGiBP/6eb461b66533a9ef25eb671370c8f316/Screenshot_2026-05-07_at_12.54.09.png",942,430,"json",{},"Inside a phishing panel used by ShinyHunters and BlackFile","2026-05-07T00:00:00.000Z",{"items":3415},[3416,4021,4990],{"__typename":3417,"sys":3418,"content":3420,"title":4000,"synopsis":4001,"hashTags":61,"publishedDate":4002,"slug":4003,"tagsCollection":4004,"authorsCollection":4014},"BlogPosts",{"id":3419},"27Z1JlNtpGTPyarh393sHK",{"json":3421},{"nodeType":1272,"data":3422,"content":3423},{},[3424,3444,3451,3457,3464,3470,3490,3496,3502,3505,3513,3533,3539,3545,3551,3570,3577,3585,3592,3599,3606,3609,3617,3635,3658,3663,3669,3676,3683,3690,3693,3701,3720,3753,3760,3766,3769,3777,3784,3787,3795,3802,3810,3830,3850,3857,3863,3871,3878,3885,3888,3896,3903,3909,3929,3935,3942,3949,3956],{"nodeType":1276,"data":3425,"content":3426},{},[3427,3431,3440],{"nodeType":1280,"value":3428,"marks":3429,"data":3430},"In December 2025, we uncovered a state-sponsored campaign linked to Russian state-affiliated APT29 that used a new technique we called ",[],{},{"nodeType":1292,"data":3432,"content":3434},{"uri":3433},"https://pushsecurity.com/blog/consentfix/",[3435],{"nodeType":1280,"value":3436,"marks":3437,"data":3439},"ConsentFix",[3438],{"type":2141},{},{"nodeType":1280,"value":3441,"marks":3442,"data":3443},". This technique merged ClickFix-style social engineering with OAuth consent phishing to hijack Microsoft accounts. 
Effectively, ConsentFix is a browser-native attack that results in account takeover, without the downside of needing to touch the endpoint like typical ClickFix (really, the point that it's most likely to be detected and blocked). ",[],{},{"nodeType":1276,"data":3445,"content":3446},{},[3447],{"nodeType":1280,"value":3448,"marks":3449,"data":3450},"The quick 101 is that victims are tricked into copy-and-pasting a legitimate Microsoft URL into the phishing page. This URL contains an OAuth authorization code that the attacker uses to sign in to a first-party Microsoft application like Azure CLI — specifically targeting apps with known Conditional Access exclusions. ",[],{},{"nodeType":1337,"data":3452,"content":3456},{"target":3453},{"sys":3454},{"id":3455,"type":1342,"linkType":1343},"7s4kF5CUFUmdkhpzuwNalX",[],{"nodeType":1276,"data":3458,"content":3459},{},[3460],{"nodeType":1280,"value":3461,"marks":3462,"data":3463},"At the end of the attack chain, the attacker is effectively granted API access to the victim's Entra account, while sidestepping MFA (even passkeys), device compliance checks, and in some cases conditional access controls (depending on the application ID targeted by the attacker). ",[],{},{"nodeType":1337,"data":3465,"content":3469},{"target":3466},{"sys":3467},{"id":3468,"type":1342,"linkType":1343},"IMtJXMWeaIbRsWxuQ1CaS",[],{"nodeType":1276,"data":3471,"content":3472},{},[3473,3477,3486],{"nodeType":1280,"value":3474,"marks":3475,"data":3476},"It didn’t take long for security researchers to jump on this new technique. 
Lots of contributors rallied round the security recommendations (which we covered in a ",[],{},{"nodeType":1292,"data":3478,"content":3480},{"uri":3479},"https://pushsecurity.com/blog/consentfix-debrief/",[3481],{"nodeType":1280,"value":3482,"marks":3483,"data":3485},"follow-up blog post",[3484],{"type":2141},{},{"nodeType":1280,"value":3487,"marks":3488,"data":3489},") but the most notable contribution came from John Hammond, who took the attacker’s implementation and said “I can do better”. His v2 replaced a somewhat clunky implementation with a slick drag-and-drop function. But now, attackers have taken it one step further.",[],{},{"nodeType":1337,"data":3491,"content":3495},{"target":3492},{"sys":3493},{"id":3494,"type":1342,"linkType":1343},"59tfJDRhGThKD48Wjg7uY2",[],{"nodeType":1337,"data":3497,"content":3501},{"target":3498},{"sys":3499},{"id":3500,"type":1342,"linkType":1343},"6mEpyVD6f13ZttFmaBcxNm",[],{"nodeType":1364,"data":3503,"content":3504},{},[],{"nodeType":1368,"data":3506,"content":3507},{},[3508],{"nodeType":1280,"value":3509,"marks":3510,"data":3512},"Introducing: ConsentFix v3",[3511],{"type":1323},{},{"nodeType":1276,"data":3514,"content":3515},{},[3516,3520,3529],{"nodeType":1280,"value":3517,"marks":3518,"data":3519},"The latest development is that a member of the XSS criminal forum, a site strongly suspected to have ",[],{},{"nodeType":1292,"data":3521,"content":3523},{"uri":3522},"https://flare.io/learn/resources/blog/state-of-the-dark-web-2026",[3524],{"nodeType":1280,"value":3525,"marks":3526,"data":3528},"Russian state involvement",[3527],{"type":2141},{},{"nodeType":1280,"value":3530,"marks":3531,"data":3532},", has released a new tool “ConsentFix v3”, building on the v1 we saw in the wild, and John’s v2. 
",[],{},{"nodeType":1337,"data":3534,"content":3538},{"target":3535},{"sys":3536},{"id":3537,"type":1342,"linkType":1343},"4AW0UnBlIaXbIFZjy8ObY1",[],{"nodeType":1337,"data":3540,"content":3544},{"target":3541},{"sys":3542},{"id":3543,"type":1342,"linkType":1343},"1b36XjqBpPx7wteBu6OA6h",[],{"nodeType":1337,"data":3546,"content":3550},{"target":3547},{"sys":3548},{"id":3549,"type":1342,"linkType":1343},"4kbiWA3b096BAFGQuozPaK",[],{"nodeType":1276,"data":3552,"content":3553},{},[3554,3558,3566],{"nodeType":1280,"value":3555,"marks":3556,"data":3557},"It looks like broader cybercriminals are starting to take note of ConsentFix, and with the release of public tools like this one, it could be about to go mainstream — like ",[],{},{"nodeType":1292,"data":3559,"content":3561},{"uri":3560},"https://pushsecurity.com/blog/device-code-phishing/",[3562],{"nodeType":1280,"value":3563,"marks":3564,"data":3565},"device code phishing",[],{},{"nodeType":1280,"value":3567,"marks":3568,"data":3569}," has this year. ",[],{},{"nodeType":1276,"data":3571,"content":3572},{},[3573],{"nodeType":1280,"value":3574,"marks":3575,"data":3576},"Let’s take a closer look at some of the more interesting details of the ConsentFix v3 implementation before considering the bigger picture.  ",[],{},{"nodeType":1486,"data":3578,"content":3579},{},[3580],{"nodeType":1280,"value":3581,"marks":3582,"data":3584},"ConsentFix v3 under the hood",[3583],{"type":1323},{},{"nodeType":1276,"data":3586,"content":3587},{},[3588],{"nodeType":1280,"value":3589,"marks":3590,"data":3591},"The first thing that jumps out is just how detailed this forum post is. It reads like a security vendor blog post. 
It walks through the key technical concepts that the reader needs to know, breaking down OAuth grants, consent phishing, refresh tokens, and FOCI (or 'Family of Client IDs' — basically, the feature that allows attackers to exchange a refresh token obtained for one Microsoft app for access tokens to other FOCI apps without re-authentication). It then walks through the history of ClickFix and ConsentFix before providing step-by-step guidance for users. ",[],{},{"nodeType":1276,"data":3593,"content":3594},{},[3595],{"nodeType":1280,"value":3596,"marks":3597,"data":3598},"ConsentFix v3 allows users to instrument the entire attack chain, enabling users to spin up ConsentFix infrastructure, create believable personas with which to interact with victims, craft and manage email campaigns, and automate the process of exchanging the captured OAuth token for session and refresh tokens to establish access to the compromised account. ",[],{},{"nodeType":1276,"data":3600,"content":3601},{},[3602],{"nodeType":1280,"value":3603,"marks":3604,"data":3605},"A combination of SaaS and open-source tools are used to perform the attack, including Cloudflare Workers for hosting, ZoomInfo for target identification, Dropbox for PDF hosting, and Pipedream as an exfiltration channel (effectively creating a webhook to automatically exchange the OAuth material in the URL for a refresh token). They also use hacker tools like SpecterPortal for post exploitation activity.",[],{},{"nodeType":1364,"data":3607,"content":3608},{},[],{"nodeType":1368,"data":3610,"content":3611},{},[3612],{"nodeType":1280,"value":3613,"marks":3614,"data":3616},"Why attackers are turning to OAuth-based attacks",[3615],{"type":1323},{},{"nodeType":1276,"data":3618,"content":3619},{},[3620,3624,3631],{"nodeType":1280,"value":3621,"marks":3622,"data":3623},"Attackers are increasingly turning to OAuth-based techniques in 2026. 
Not only are “legit” OAuth connections being abused in supply chain attacks, but attacks targeting OAuth mechanisms have significantly increased with the rise of ",[],{},{"nodeType":1292,"data":3625,"content":3626},{"uri":3560},[3627],{"nodeType":1280,"value":3563,"marks":3628,"data":3630},[3629],{"type":2141},{},{"nodeType":1280,"value":3632,"marks":3633,"data":3634},". This is because:",[],{},{"nodeType":1384,"data":3636,"content":3637},{},[3638,3648],{"nodeType":1388,"data":3639,"content":3640},{},[3641],{"nodeType":1276,"data":3642,"content":3643},{},[3644],{"nodeType":1280,"value":3645,"marks":3646,"data":3647},"OAuth attacks defeat standard access controls (including passkeys)",[],{},{"nodeType":1388,"data":3649,"content":3650},{},[3651],{"nodeType":1276,"data":3652,"content":3653},{},[3654],{"nodeType":1280,"value":3655,"marks":3656,"data":3657},"It’s very low friction, and less likely that users will identify it as phishing (see examples below)",[],{},{"nodeType":1337,"data":3659,"content":3662},{"target":3660},{"sys":3661},{"id":3494,"type":1342,"linkType":1343},[],{"nodeType":1337,"data":3664,"content":3668},{"target":3665},{"sys":3666},{"id":3667,"type":1342,"linkType":1343},"2WPb41lNRajdpt5pogQg8M",[],{"nodeType":1276,"data":3670,"content":3671},{},[3672],{"nodeType":1280,"value":3673,"marks":3674,"data":3675},"From the user’s perspective, these aren’t situations that users are trained to treat as suspicious. In one case, the victim copies a URL (or simply drag-and-drops a box on the page). In another, they enter a short passcode that’s visible on the page. ",[],{},{"nodeType":1276,"data":3677,"content":3678},{},[3679],{"nodeType":1280,"value":3680,"marks":3681,"data":3682},"Both are using pop-up windows that look very convincing — and point to legitimate Microsoft pages/URLs. Even users scrutinizing the domain won’t see anything out of place. 
And as you can see, if the user is already signed into their Microsoft account in the browser, there’s no credential entry or MFA checks to pass through. Simply select your account from the drop down menu and … that’s it.",[],{},{"nodeType":1276,"data":3684,"content":3685},{},[3686],{"nodeType":1280,"value":3687,"marks":3688,"data":3689},"This unfamiliarity is the same reason that attacks like ClickFix have been so successful. In general, convincing social engineering — well crafted comms, legit-looking pages hosted on trusted sites — combined with unfamiliar payloads makes for a clever attack. And when these attacks play out entirely in the browser (circumventing endpoint controls) and sidestep identity controls, the impact is dialled up even further. ",[],{},{"nodeType":1364,"data":3691,"content":3692},{},[],{"nodeType":1368,"data":3694,"content":3695},{},[3696],{"nodeType":1280,"value":3697,"marks":3698,"data":3700},"How ConsentFix and device code phishing overlap",[3699],{"type":1323},{},{"nodeType":1276,"data":3702,"content":3703},{},[3704,3708,3716],{"nodeType":1280,"value":3705,"marks":3706,"data":3707},"It was only ever going to be a matter of time before ConsentFix was adopted by the mass market. But these things don’t always happen particularly fast. ",[],{},{"nodeType":1292,"data":3709,"content":3710},{"uri":3560},[3711],{"nodeType":1280,"value":3712,"marks":3713,"data":3715},"Device code phishing",[3714],{"type":2141},{},{"nodeType":1280,"value":3717,"marks":3718,"data":3719}," is probably the best example of this — it’s been a known technique since 2021, but it took until this year to enter mainstream adoption. A big part of that has been the availability of criminal toolkits, and also the rise in AI-assisted capabilities for tool creation (clearly at play here too). The similarity with device code phishing doesn’t end there. 
",[],{},{"nodeType":1276,"data":3721,"content":3722},{},[3723,3727,3736,3740,3749],{"nodeType":1280,"value":3724,"marks":3725,"data":3726},"Both ConsentFix and device code phishing are OAuth attacks. They both find ways of bypassing the standard login procedure (and controls) by targeting different authorization flows, but with a similar outcome and the same advantages to an attacker. Device code phishing exploits the device authorization grant (",[],{},{"nodeType":1292,"data":3728,"content":3730},{"uri":3729},"https://datatracker.ietf.org/doc/html/rfc8628",[3731],{"nodeType":1280,"value":3732,"marks":3733,"data":3735},"RFC 8628",[3734],{"type":2141},{},{"nodeType":1280,"value":3737,"marks":3738,"data":3739},"). ConsentFix exploits the authorization code grant (",[],{},{"nodeType":1292,"data":3741,"content":3743},{"uri":3742},"https://datatracker.ietf.org/doc/html/rfc6749#section-4.1",[3744],{"nodeType":1280,"value":3745,"marks":3746,"data":3748},"RFC 6749",[3747],{"type":2141},{},{"nodeType":1280,"value":3750,"marks":3751,"data":3752},") as implemented for native/desktop apps with localhost redirects. ",[],{},{"nodeType":1276,"data":3754,"content":3755},{},[3756],{"nodeType":1280,"value":3757,"marks":3758,"data":3759},"The post-compromise paths are essentially identical because the tokens you get are determined by which app you target, what scopes it has, and the victim user’s permissions, not by which OAuth flow you used to obtain them. 
The authorization code flow and the device code flow are just different front doors into the same token issuance system.",[],{},{"nodeType":1337,"data":3761,"content":3765},{"target":3762},{"sys":3763},{"id":3764,"type":1342,"linkType":1343},"7np3j139dWMP7sLlUQwEFC",[],{"nodeType":1364,"data":3767,"content":3768},{},[],{"nodeType":1368,"data":3770,"content":3771},{},[3772],{"nodeType":1280,"value":3773,"marks":3774,"data":3776},"The verdict: An interesting sign of what’s coming, but maybe not the final form",[3775],{"type":1323},{},{"nodeType":1276,"data":3778,"content":3779},{},[3780],{"nodeType":1280,"value":3781,"marks":3782,"data":3783},"It’s clear that ConsentFix v3 isn’t exactly an industrialized PhaaS-scale offering. It’s probably closer to a red team-esque proof of concept. But it is a good example of how attackers could operationalize ConsentFix campaigns using largely off-the-shelf tooling and legit SaaS tools. And an indicator of what might be coming soon. ",[],{},{"nodeType":1364,"data":3785,"content":3786},{},[],{"nodeType":1368,"data":3788,"content":3789},{},[3790],{"nodeType":1280,"value":3791,"marks":3792,"data":3794},"Security recommendations",[3793],{"type":1323},{},{"nodeType":1276,"data":3796,"content":3797},{},[3798],{"nodeType":1280,"value":3799,"marks":3800,"data":3801},"To be able to tackle modern attacks like ConsentFix that occur entirely within the browser context, it is vital that organizations look to monitor the browser as a detection surface, hunt for signs of malicious activity, and block attacks in real-time — in the same way that you would expect EDR to work for endpoint attacks. We’ll talk about how we do this below, but first here’s some general recommendations. 
",[],{},{"nodeType":1486,"data":3803,"content":3804},{},[3805],{"nodeType":1280,"value":3806,"marks":3807,"data":3809},"Microsoft ecosystem",[3808],{"type":1323},{},{"nodeType":1276,"data":3811,"content":3812},{},[3813,3817,3826],{"nodeType":1280,"value":3814,"marks":3815,"data":3816},"Despite the similarity with device code phishing, the ",[],{},{"nodeType":1292,"data":3818,"content":3820},{"uri":3819},"https://techcommunity.microsoft.com/blog/microsoft-entra-blog/new-microsoft-managed-policies-to-raise-your-identity-security-posture/4286758",[3821],{"nodeType":1280,"value":3822,"marks":3823,"data":3825},"primary recommendation from Microsoft for device code attacks",[3824],{"type":2141},{},{"nodeType":1280,"value":3827,"marks":3828,"data":3829}," — disable the device code flow via conditional access — doesn’t apply to ConsentFix (because, as mentioned, it uses a different login flow).",[],{},{"nodeType":1276,"data":3831,"content":3832},{},[3833,3837,3846],{"nodeType":1280,"value":3834,"marks":3835,"data":3836},"For both ConsentFix and device code phishing, the ",[],{},{"nodeType":1292,"data":3838,"content":3840},{"uri":3839},"https://msendpointmgr.com/2026/01/08/consentfix-quickfix/",[3841],{"nodeType":1280,"value":3842,"marks":3843,"data":3845},"strongest recommendation",[3844],{"type":2141},{},{"nodeType":1280,"value":3847,"marks":3848,"data":3849}," is to create Service Principals for each of the vulnerable apps and restrict the users that are authorized to access them to reduce the attack surface of users that can be phished with this method.",[],{},{"nodeType":1276,"data":3851,"content":3852},{},[3853],{"nodeType":1280,"value":3854,"marks":3855,"data":3856},"You should also hunt in logs for relevant application IDs and resource IDs, and look for mismatches in terms of the initial access IP and subsequent activity, because while the initial login is performed by the user, subsequent actions will be performed by the attacker.  
",[],{},{"nodeType":1337,"data":3858,"content":3862},{"target":3859},{"sys":3860},{"id":3861,"type":1342,"linkType":1343},"49Y7NXpnAeAYe9fCp1oyKn",[],{"nodeType":1486,"data":3864,"content":3865},{},[3866],{"nodeType":1280,"value":3867,"marks":3868,"data":3870},"Beyond Microsoft — Google, GitHub, Salesforce, AWS",[3869],{"type":1323},{},{"nodeType":1276,"data":3872,"content":3873},{},[3874],{"nodeType":1280,"value":3875,"marks":3876,"data":3877},"It’s worth calling out that these recommendations are Microsoft-specific. While in-the-wild exploitation has focused on Microsoft, other providers — GitHub, Salesforce, AWS and others — are also impacted by device code phishing, as they support the device code flow either as a primary or fallback mechanism (Google less so due to inherent restrictions on scopes authorized in the context of device code logins). ",[],{},{"nodeType":1276,"data":3879,"content":3880},{},[3881],{"nodeType":1280,"value":3882,"marks":3883,"data":3884},"Similarly, ConsentFix principles can be applied beyond Microsoft too. The core requirement is that an OAuth code ends up in a location the victim can manually see and share, e.g. a localhost redirect where no listener is present to complete the handshake. Google Cloud CLI, GitHub CLI, and others support the auth code grant and allow localhost as a redirect URI. ",[],{},{"nodeType":1364,"data":3886,"content":3887},{},[],{"nodeType":1368,"data":3889,"content":3890},{},[3891],{"nodeType":1280,"value":3892,"marks":3893,"data":3895},"How Push can help",[3894],{"type":1323},{},{"nodeType":1276,"data":3897,"content":3898},{},[3899],{"nodeType":1280,"value":3900,"marks":3901,"data":3902},"We’re already detecting and blocking both ConsentFix and device code phishing attacks as they target users in their web browser. When a page matches our detections for a device code or ConsentFix phishing kit (not limited to things like known-bad IPs and domains, but DOM-level analysis of the web page) Push detects and blocks it. 
Unlike an SWG or RBI type solution, Push analyzes every web page in every browser session and tab, in real time, with no latency. ",[],{},{"nodeType":1337,"data":3904,"content":3908},{"target":3905},{"sys":3906},{"id":3907,"type":1342,"linkType":1343},"63EwHbmFZVAlhoXl17Xjfi",[],{"nodeType":1276,"data":3910,"content":3911},{},[3912,3916,3925],{"nodeType":1280,"value":3913,"marks":3914,"data":3915},"Using Push you can also ",[],{},{"nodeType":1292,"data":3917,"content":3919},{"uri":3918},"https://pushsecurity.com/help/can-i-use-push-to-help-protect-against-device-code-phishing-scenarios/",[3920],{"nodeType":1280,"value":3921,"marks":3922,"data":3924},"configure in-browser warnings",[3923],{"type":2141},{},{"nodeType":1280,"value":3926,"marks":3927,"data":3928}," whenever a user accesses a URL used for device code logins, across any app that supports them. This provides universal, last-mile protection against even ‘zero-day’ device code phishing attacks using previously unidentified toolkits.  ",[],{},{"nodeType":1337,"data":3930,"content":3934},{"target":3931},{"sys":3932},{"id":3933,"type":1342,"linkType":1343},"3baS2yqvJd2e4aczw73PTF",[],{"nodeType":1276,"data":3936,"content":3937},{},[3938],{"nodeType":1280,"value":3939,"marks":3940,"data":3941},"When a user visits those URLs, Push will also emit a webhook event that the banner was shown and acknowledged. If a user opts to proceed, you can treat this as a high-fidelity alert for your security team to investigate, providing app-agnostic telemetry that may not already be provided in your logs from that particular vendor. You can also simply use Push to block users from accessing these pages if you’re confident that disruption won’t be caused. 
",[],{},{"nodeType":1486,"data":3943,"content":3944},{},[3945],{"nodeType":1280,"value":3173,"marks":3946,"data":3948},[3947],{"type":1323},{},{"nodeType":1276,"data":3950,"content":3951},{},[3952],{"nodeType":1280,"value":3953,"marks":3954,"data":3955},"Push Security's browser-based security platform detects and blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, device code phishing, ClickFix, and session hijacking. You don't need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your attack surface.",[],{},{"nodeType":1276,"data":3957,"content":3958},{},[3959,3963,3972,3976,3985,3989,3997],{"nodeType":1280,"value":3960,"marks":3961,"data":3962},"To learn more about Push, ",[],{},{"nodeType":1292,"data":3964,"content":3966},{"uri":3965},"https://pushsecurity.com/resources/product-brochure",[3967],{"nodeType":1280,"value":3968,"marks":3969,"data":3971},"check out our latest product overview",[3970],{"type":2141},{},{"nodeType":1280,"value":3973,"marks":3974,"data":3975},", ",[],{},{"nodeType":1292,"data":3977,"content":3979},{"uri":3978},"https://pushsecurity.com/product-demo/",[3980],{"nodeType":1280,"value":3981,"marks":3982,"data":3984},"view our demo library",[3983],{"type":2141},{},{"nodeType":1280,"value":3986,"marks":3987,"data":3988},", or ",[],{},{"nodeType":1292,"data":3990,"content":3991},{"uri":3186},[3992],{"nodeType":1280,"value":3993,"marks":3994,"data":3996},"book some time with one of our team for a live demo",[3995],{"type":2141},{},{"nodeType":1280,"value":3233,"marks":3998,"data":3999},[],{},"ConsentFix v3: Analyzing a new criminal toolkit","Investigating a new criminal toolkit for ConsentFix being promoted on criminal forums. 
","2026-04-23T00:00:00.000Z","consentfix-v3-analyzing-a-new-toolkit",{"items":4005},[4006,4010],{"sys":4007,"name":4009},{"id":4008},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":4011,"name":4013},{"id":4012},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":4015},[4016],{"fullName":4017,"firstName":4018,"jobTitle":1267,"profilePicture":4019},"Dan Green","Dan",{"url":4020},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":3417,"sys":4022,"content":4024,"title":4976,"synopsis":4977,"hashTags":61,"publishedDate":4978,"slug":4979,"tagsCollection":4980,"authorsCollection":4986},{"id":4023},"2sFCww9xnI8okIxhtOaiY1",{"json":4025},{"nodeType":1272,"data":4026,"content":4027},{},[4028,4035,4042,4049,4052,4060,4067,4074,4080,4087,4093,4113,4120,4132,4135,4143,4150,4166,4173,4185,4191,4194,4202,4210,4216,4225,4245,4254,4261,4270,4289,4298,4305,4314,4347,4356,4363,4372,4390,4396,4405,4412,4421,4463,4466,4474,4483,4503,4512,4519,4528,4561,4567,4576,4583,4589,4592,4600,4609,4616,4676,4682,4685,4693,4702,4709,4715,4718,4726,4733,4740,4810,4817,4880,4887,4890,4898,4905,4912,4918,4921,4928,4935,4942,4949],{"nodeType":1276,"data":4029,"content":4030},{},[4031],{"nodeType":1280,"value":4032,"marks":4033,"data":4034},"The biggest cybersecurity story this year (so far) has been the emergence of “Scattered Lapsus$ Hunters” and their record-breaking worldwide hacking spree. ",[],{},{"nodeType":1276,"data":4036,"content":4037},{},[4038],{"nodeType":1280,"value":4039,"marks":4040,"data":4041},"Scattered Lapsus$ Hunters is part of “The Com”, the name for the broad community of English-speaking cybercriminals with international criminal connections — including with nation-state sponsored groups. They are also known to collaborate with a range of cybercrime “as-a-Service” organizations for phishing, initial access, ransomware, and more. 
",[],{},{"nodeType":1276,"data":4043,"content":4044},{},[4045],{"nodeType":1280,"value":4046,"marks":4047,"data":4048},"It’s difficult to pin down exactly who the individuals are that make up this criminal collective. But what is known is their MO — making money through extortion by means of account takeover, mass data theft, and ransomware deployment. ",[],{},{"nodeType":1364,"data":4050,"content":4051},{},[],{"nodeType":1368,"data":4053,"content":4054},{},[4055],{"nodeType":1280,"value":4056,"marks":4057,"data":4059},"How did we get here? ",[4058],{"type":1323},{},{"nodeType":1276,"data":4061,"content":4062},{},[4063],{"nodeType":1280,"value":4064,"marks":4065,"data":4066},"Earlier this year, the threat group known to most analysts as Scattered Spider (also tracked as 0ktapus, Octo Tempest, Scatter Swine, Muddled Libra, and UNC3944) re-emerged after a series of arrests in late 2024. ",[],{},{"nodeType":1276,"data":4068,"content":4069},{},[4070],{"nodeType":1280,"value":4071,"marks":4072,"data":4073},"This group has been active in peaks and troughs over the years, but are mainly known for high-profile ransomware attacks on Caesars and MGM Resorts in 2024. ",[],{},{"nodeType":1337,"data":4075,"content":4079},{"target":4076},{"sys":4077},{"id":4078,"type":1342,"linkType":1343},"1Vt269d7n6IGMzOrJs1FDx",[],{"nodeType":1276,"data":4081,"content":4082},{},[4083],{"nodeType":1280,"value":4084,"marks":4085,"data":4086},"Scattered Spider hit the headlines again in April 2025 with attacks on UK retailers Marks & Spencer and Co-op, which resulted in significant, prolonged disruption, and a serious downstream impact on the retail supply chain. ",[],{},{"nodeType":1337,"data":4088,"content":4092},{"target":4089},{"sys":4090},{"id":4091,"type":1342,"linkType":1343},"3kvcGV2zZZUPnM8IK04Y1O",[],{"nodeType":1276,"data":4094,"content":4095},{},[4096,4100,4109],{"nodeType":1280,"value":4097,"marks":4098,"data":4099},"It didn’t stop there, though. 
What followed was a wide-scale campaign targeting Salesforce customers, with the attackers claiming to have stolen ",[],{},{"nodeType":1292,"data":4101,"content":4103},{"uri":4102},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[4104],{"nodeType":1280,"value":4105,"marks":4106,"data":4108},"over 1.5 billion records from 1000+ companies",[4107],{"type":2141},{},{"nodeType":1280,"value":4110,"marks":4111,"data":4112}," across multiple verticals, including heavyweights like Google, Cloudflare, Workday, Adidas, FedEx, Disney, LVMH, and many more.",[],{},{"nodeType":1276,"data":4114,"content":4115},{},[4116],{"nodeType":1280,"value":4117,"marks":4118,"data":4119},"Around this time, the attackers began to refer to themselves as part of a wider collective, assuming the moniker “Scattered Lapsus$ Hunters” (a mash-up of names given by analysts and self-adopted by attackers — Scattered Spider, ShinyHunters, and Lapsus$).",[],{},{"nodeType":1276,"data":4121,"content":4122},{},[4123,4127],{"nodeType":1280,"value":4124,"marks":4125,"data":4126},"The most significant breach this year to-date impacted Jaguar Land Rover. A ransomware attack resulted in months of disruption that directly impacted the UK’s GDP, with the government underwriting a $1.5B loan to alleviate the supply chain impact. ",[],{},{"nodeType":1280,"value":4128,"marks":4129,"data":4131},"In fact, this was the most economically consequential cyber attack yet recorded in a G7 economy. 
",[4130],{"type":1323},{},{"nodeType":1364,"data":4133,"content":4134},{},[],{"nodeType":1368,"data":4136,"content":4137},{},[4138],{"nodeType":1280,"value":4139,"marks":4140,"data":4142},"2025 wasn’t a one-off",[4141],{"type":1323},{},{"nodeType":1276,"data":4144,"content":4145},{},[4146],{"nodeType":1280,"value":4147,"marks":4148,"data":4149},"The developments through 2025 have presented a stronger picture than ever before that cybercriminal operations are heavily interlinked. Groups overlap considerably, and individuals freely move between different cells. ",[],{},{"nodeType":1276,"data":4151,"content":4152},{},[4153,4157,4162],{"nodeType":1280,"value":4154,"marks":4155,"data":4156},"When we scratch beneath the surface, this is evident in the tactics, techniques and procedures (TTPs) used by these attackers — even stretching as far back as 2021 with the initial rise of Lapsus$. This is not an accident. ",[],{},{"nodeType":1280,"value":4158,"marks":4159,"data":4161},"The TTPs used show a conscious move by attackers to move away from environments that are well-protected by traditional security tools. ",[4160],{"type":1323},{},{"nodeType":1280,"value":4163,"marks":4164,"data":4165},"This means avoiding targeting endpoints with malware, and not relying on software-based exploits. Instead, these attackers look to take over apps and services directly over the internet. ",[],{},{"nodeType":1276,"data":4167,"content":4168},{},[4169],{"nodeType":1280,"value":4170,"marks":4171,"data":4172},"Most of the time, this is as simple as logging in to a SaaS app, or an enterprise SSO account (e.g. Microsoft, Okta, or Google) and dumping the data. For attackers that want to take it further, they can abuse the sprawl of interconnected apps that make up modern business IT, seeking out specific data or exploitable functionality. 
Or, they can leverage internet-accessible management portals to chart a path back to your on-premise assets, giving them everything they need to pivot toward more conventional methods such as ransomware deployment. ",[],{},{"nodeType":1276,"data":4174,"content":4175},{},[4176,4180],{"nodeType":1280,"value":4177,"marks":4178,"data":4179},"When we look at historical breaches, the pattern is clear. ",[],{},{"nodeType":1280,"value":4181,"marks":4182,"data":4184},"Not one of the attacks attributed to Scattered Lapsus$ Hunters, or its predecessors, started with an endpoint or network attack — they all began with account takeover. ",[4183],{"type":1323},{},{"nodeType":1337,"data":4186,"content":4190},{"target":4187},{"sys":4188},{"id":4189,"type":1342,"linkType":1343},"6poP5VM2ARrEvwKEG42HgK",[],{"nodeType":1364,"data":4192,"content":4193},{},[],{"nodeType":1368,"data":4195,"content":4196},{},[4197],{"nodeType":1280,"value":4198,"marks":4199,"data":4201},"TTP breakdown: Analyzing the top “Scattered Lapsus$ Hunters” breaches since 2021",[4200],{"type":1323},{},{"nodeType":1486,"data":4203,"content":4204},{},[4205],{"nodeType":1280,"value":4206,"marks":4207,"data":4209},"Phishing and stolen credentials",[4208],{"type":1323},{},{"nodeType":1337,"data":4211,"content":4215},{"target":4212},{"sys":4213},{"id":4214,"type":1342,"linkType":1343},"4SNOanDIdGZsvRRnMYQVSo",[],{"nodeType":1276,"data":4217,"content":4218},{},[4219],{"nodeType":1280,"value":4220,"marks":4221,"data":4224},"EA Games (2021)",[4222,4223],{"type":1323},{"type":2141},{},{"nodeType":1276,"data":4226,"content":4227},{},[4228,4232,4241],{"nodeType":1280,"value":4229,"marks":4230,"data":4231},"Attackers used stolen session cookies to log into EA’s Slack instance, purchased on a criminal forum. 
Combined with ",[],{},{"nodeType":1292,"data":4233,"content":4235},{"uri":4234},"https://pushsecurity.com/blog/phishing-slack-persistence/",[4236],{"nodeType":1280,"value":4237,"marks":4238,"data":4240},"social engineering via Slack",[4239],{"type":2141},{},{"nodeType":1280,"value":4242,"marks":4243,"data":4244},", this was used to steal 750GB of data, including video game source code. ",[],{},{"nodeType":1276,"data":4246,"content":4247},{},[4248],{"nodeType":1280,"value":4249,"marks":4250,"data":4253},"Nvidia (2022)",[4251,4252],{"type":1323},{"type":2141},{},{"nodeType":1276,"data":4255,"content":4256},{},[4257],{"nodeType":1280,"value":4258,"marks":4259,"data":4260},"Attackers used stolen credentials to steal 1TB of data from Nvidia’s internal shares, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code, and the usernames and passwords of more than 71,000 Nvidia employees.",[],{},{"nodeType":1276,"data":4262,"content":4263},{},[4264],{"nodeType":1280,"value":4265,"marks":4266,"data":4269},"Microsoft (2022)",[4267,4268],{"type":1323},{"type":2141},{},{"nodeType":1276,"data":4271,"content":4272},{},[4273,4277,4285],{"nodeType":1280,"value":4274,"marks":4275,"data":4276},"Attackers used stolen credentials combined with SIM swapping and ",[],{},{"nodeType":1292,"data":4278,"content":4280},{"uri":4279},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_fatigue/description.md",[4281],{"nodeType":1280,"value":4282,"marks":4283,"data":4284},"MFA fatigue",[],{},{"nodeType":1280,"value":4286,"marks":4287,"data":4288}," attacks to steal Azure DevOps source code, and leaked a 9GB archive of Microsoft source code — including ~90% of Bing and 45% of Cortana code. 
",[],{},{"nodeType":1276,"data":4290,"content":4291},{},[4292],{"nodeType":1280,"value":4293,"marks":4294,"data":4297},"T-Mobile (2022)",[4295,4296],{"type":1323},{"type":2141},{},{"nodeType":1276,"data":4299,"content":4300},{},[4301],{"nodeType":1280,"value":4302,"marks":4303,"data":4304},"Attackers used stolen credentials to establish initial access, coupled with social engineering T-Mobile staff into approving the attacker’s device for VPN access. This resulted in source code being stolen from over 30,000 repositories. ",[],{},{"nodeType":1276,"data":4306,"content":4307},{},[4308],{"nodeType":1280,"value":4309,"marks":4310,"data":4313},"Snowflake (165 customers) (2024)",[4311,4312],{"type":1323},{"type":2141},{},{"nodeType":1276,"data":4315,"content":4316},{},[4317,4321,4330,4334,4343],{"nodeType":1280,"value":4318,"marks":4319,"data":4320},"Attackers targeted ",[],{},{"nodeType":1292,"data":4322,"content":4324},{"uri":4323},"https://pushsecurity.com/blog/snowflake-retro/",[4325],{"nodeType":1280,"value":4326,"marks":4327,"data":4329},"165 Snowflake customers",[4328],{"type":2141},{},{"nodeType":1280,"value":4331,"marks":4332,"data":4333}," using stolen credentials from credential breaches dating back as far as 2020. Due to widespread MFA gaps and the presence of ",[],{},{"nodeType":1292,"data":4335,"content":4337},{"uri":4336},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[4338],{"nodeType":1280,"value":4339,"marks":4340,"data":4342},"ghost logins",[4341],{"type":2141},{},{"nodeType":1280,"value":4344,"marks":4345,"data":4346},", attackers were able to simply log in to individual customer tenants, dump the data, and use it to extort the companies. In total, 9 public victims were named following the breach, with over 1B breached customer records. 
",[],{},{"nodeType":1276,"data":4348,"content":4349},{},[4350],{"nodeType":1280,"value":4351,"marks":4352,"data":4355},"PowerSchool (2024)",[4353,4354],{"type":1323},{"type":2141},{},{"nodeType":1276,"data":4357,"content":4358},{},[4359],{"nodeType":1280,"value":4360,"marks":4361,"data":4362},"Attackers gained access to a community-focused customer support portal, PowerSource, using compromised credentials and stole data using an \"export data manager\" customer support tool, stealing the data of 62.4 million students and 9.5 million teachers. PowerSchool paid an undisclosed ransom fee, but hackers returned later to extort schools and individuals separately anyway.",[],{},{"nodeType":1276,"data":4364,"content":4365},{},[4366],{"nodeType":1280,"value":4367,"marks":4368,"data":4371},"Red Hat (2025)",[4369,4370],{"type":1323},{"type":2141},{},{"nodeType":1276,"data":4373,"content":4374},{},[4375,4379,4386],{"nodeType":1280,"value":4376,"marks":4377,"data":4378},"Attackers breached Red Hat’s GitLab instance via a compromised account — the result of ",[],{},{"nodeType":1292,"data":4380,"content":4381},{"uri":4336},[4382],{"nodeType":1280,"value":4339,"marks":4383,"data":4385},[4384],{"type":2141},{},{"nodeType":1280,"value":4387,"marks":4388,"data":4389}," providing a backdoor to access an otherwise secure, SSO-connected account. Stolen data included approximately 800 Customer Engagement Reports (CERs), authentication tokens, full database URIs, and other private information in Red Hat code and CERs, which they claimed to use to gain access to downstream customer infrastructure. 
",[],{},{"nodeType":1337,"data":4391,"content":4395},{"target":4392},{"sys":4393},{"id":4394,"type":1342,"linkType":1343},"G1V7d5Dvevmr9p0YXElPX",[],{"nodeType":1276,"data":4397,"content":4398},{},[4399],{"nodeType":1280,"value":4400,"marks":4401,"data":4404},"Discord (2025)",[4402,4403],{"type":1323},{"type":2141},{},{"nodeType":1276,"data":4406,"content":4407},{},[4408],{"nodeType":1280,"value":4409,"marks":4410,"data":4411},"Attackers compromised a Zendesk customer support account, stealing 1.6TB of data. The hackers say this consisted of roughly 8.4 million tickets affecting 5.5 million unique users, and that about 580,000 users contained payment information.",[],{},{"nodeType":1276,"data":4413,"content":4414},{},[4415],{"nodeType":1280,"value":4416,"marks":4417,"data":4420},"SoundCloud, MatchGroup, Crunchbase, Betterment... (2026)",[4418,4419],{"type":1323},{"type":2141},{},{"nodeType":1276,"data":4422,"content":4423},{},[4424,4428,4436,4440,4448,4452,4459],{"nodeType":1280,"value":4425,"marks":4426,"data":4427},"Scattered Lapsus$ Hunters have already claimed several public victims in 2026, with over 60 million breached records. 
",[],{},{"nodeType":1292,"data":4429,"content":4431},{"uri":4430},"https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/",[4432],{"nodeType":1280,"value":4433,"marks":4434,"data":4435},"SoundCloud, Betterment, Crunchbase",[],{},{"nodeType":1280,"value":4437,"marks":4438,"data":4439}," and ",[],{},{"nodeType":1292,"data":4441,"content":4443},{"uri":4442},"https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/",[4444],{"nodeType":1280,"value":4445,"marks":4446,"data":4447},"MatchGroup",[],{},{"nodeType":1280,"value":4449,"marks":4450,"data":4451}," have all reported breaches this month, powered by a brand ",[],{},{"nodeType":1292,"data":4453,"content":4454},{"uri":1294},[4455],{"nodeType":1280,"value":4456,"marks":4457,"data":4458},"new real-time-operated AiTM phishing kit",[],{},{"nodeType":1280,"value":4460,"marks":4461,"data":4462}," targeting Okta, Entra, and Google SSO accounts. This is a developing situation, with more victims expected to be announced publicly soon.",[],{},{"nodeType":1364,"data":4464,"content":4465},{},[],{"nodeType":1486,"data":4467,"content":4468},{},[4469],{"nodeType":1280,"value":4470,"marks":4471,"data":4473},"Vishing and help desk scams",[4472],{"type":1323},{},{"nodeType":1276,"data":4475,"content":4476},{},[4477],{"nodeType":1280,"value":4478,"marks":4479,"data":4482},"MGM Resorts & Caesars (2023)",[4480,4481],{"type":1323},{"type":2141},{},{"nodeType":1276,"data":4484,"content":4485},{},[4486,4490,4499],{"nodeType":1280,"value":4487,"marks":4488,"data":4489},"MGM Resorts and Caesars were hit with twin breaches in 2023. 
Attackers socially engineered help desk personnel to take over accounts with Super Administrator privileges within MGM Resorts’ Okta tenant, which they then used to register a second, attacker-controlled IdP via ",[],{},{"nodeType":1292,"data":4491,"content":4493},{"uri":4492},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/inbound_federation/description.md",[4494],{"nodeType":1280,"value":4495,"marks":4496,"data":4498},"inbound federation",[4497],{"type":2141},{},{"nodeType":1280,"value":4500,"marks":4501,"data":4502}," — granting comprehensive access that was used to deploy ransomware. ",[],{},{"nodeType":1276,"data":4504,"content":4505},{},[4506],{"nodeType":1280,"value":4507,"marks":4508,"data":4511},"Transport for London (2024)",[4509,4510],{"type":1323},{"type":2141},{},{"nodeType":1276,"data":4513,"content":4514},{},[4515],{"nodeType":1280,"value":4516,"marks":4517,"data":4518},"Attackers socially engineered the Transport for London help desk to gain privileged access to the IT environment, resulting in prolonged disruption to key online services underpinning London’s public transport network, theft of 5,000 users’ bank details, and all 30,000 staff members having to reset their online credentials in person.",[],{},{"nodeType":1276,"data":4520,"content":4521},{},[4522],{"nodeType":1280,"value":4523,"marks":4524,"data":4527},"Marks & Spencer (2025)",[4525,4526],{"type":1323},{"type":2141},{},{"nodeType":1276,"data":4529,"content":4530},{},[4531,4535,4544,4548,4557],{"nodeType":1280,"value":4532,"marks":4533,"data":4534},"Attackers compromised a Microsoft Entra account belonging to a privileged user via a ",[],{},{"nodeType":1292,"data":4536,"content":4538},{"uri":4537},"https://pushsecurity.com/blog/scattered-spider-defending-against-help-desk-scams/",[4539],{"nodeType":1280,"value":4540,"marks":4541,"data":4543},"help desk scam",[4542],{"type":2141},{},{"nodeType":1280,"value":4545,"marks":4546,"data":4547},", which enabled them to steal 
sensitive data from cloud environments, as well as pivot to deploy ransomware via the ",[],{},{"nodeType":1292,"data":4549,"content":4551},{"uri":4550},"https://cloud.google.com/blog/topics/threat-intelligence/vsphere-active-directory-integration-risks",[4552],{"nodeType":1280,"value":4553,"marks":4554,"data":4556},"VMware admin console",[4555],{"type":2141},{},{"nodeType":1280,"value":4558,"marks":4559,"data":4560},". This enabled ransomware to be deployed at the hypervisor layer, evading host-based protections like EDR. ",[],{},{"nodeType":1337,"data":4562,"content":4566},{"target":4563},{"sys":4564},{"id":4565,"type":1342,"linkType":1343},"7hBdHG74NaA3bQfOMpYA9o",[],{"nodeType":1276,"data":4568,"content":4569},{},[4570],{"nodeType":1280,"value":4571,"marks":4572,"data":4575},"Jaguar Land Rover (2025)",[4573,4574],{"type":1323},{"type":2141},{},{"nodeType":1276,"data":4577,"content":4578},{},[4579],{"nodeType":1280,"value":4580,"marks":4581,"data":4582},"Attackers compromised highly privileged admin accounts via a help desk scam, which they leveraged to access and deploy ransomware to all aspects of Jaguar’s business, from CAD and engineering software, to payments tracking, to customer car delivery, using similar techniques to the Marks & Spencer breach. 
",[],{},{"nodeType":1337,"data":4584,"content":4588},{"target":4585},{"sys":4586},{"id":4587,"type":1342,"linkType":1343},"6s1X2fo4K9EeVLBmHm4YXb",[],{"nodeType":1364,"data":4590,"content":4591},{},[],{"nodeType":1486,"data":4593,"content":4594},{},[4595],{"nodeType":1280,"value":4596,"marks":4597,"data":4599},"Malicious OAuth integrations",[4598],{"type":1323},{},{"nodeType":1276,"data":4601,"content":4602},{},[4603],{"nodeType":1280,"value":4604,"marks":4605,"data":4608},"Salesforce & Salesloft (1000+ customers) (2025)",[4606,4607],{"type":1323},{"type":2141},{},{"nodeType":1276,"data":4610,"content":4611},{},[4612],{"nodeType":1280,"value":4613,"marks":4614,"data":4615},"A vast campaign against Salesforce customers resulted in the compromise of 1000+ Salesforce tenants (according to the attacker) with more than 1.5 billion records stolen. This campaign consisted of three phases:",[],{},{"nodeType":1384,"data":4617,"content":4618},{},[4619,4634,4649],{"nodeType":1388,"data":4620,"content":4621},{},[4622],{"nodeType":1276,"data":4623,"content":4624},{},[4625,4630],{"nodeType":1280,"value":4626,"marks":4627,"data":4629},"Phase 1:",[4628],{"type":1323},{},{"nodeType":1280,"value":4631,"marks":4632,"data":4633}," The attacker conducted a large-scale vishing campaign against Salesforce customers, calling up users and socially engineering them into connecting a malicious version of the “Data Loader” app into their tenant. This was in fact an attacker-controlled app that enabled data to be mass-exfiltrated via API. ",[],{},{"nodeType":1388,"data":4635,"content":4636},{},[4637],{"nodeType":1276,"data":4638,"content":4639},{},[4640,4645],{"nodeType":1280,"value":4641,"marks":4642,"data":4644},"Phase 2: ",[4643],{"type":1323},{},{"nodeType":1280,"value":4646,"marks":4647,"data":4648},"The attacker conducted a supply-chain compromise against customers of Salesloft. 
Users of Salesloft’s “Drift” integration were impacted by attackers stealing access tokens from Salesloft’s AWS environment. This integration allowed the attacker to steal data from customers that had deployed Drift to connected environments — namely, Salesforce, and Google Workspace. ",[],{},{"nodeType":1388,"data":4650,"content":4651},{},[4652],{"nodeType":1276,"data":4653,"content":4654},{},[4655,4660,4664,4672],{"nodeType":1280,"value":4656,"marks":4657,"data":4659},"Phase 3:",[4658],{"type":1323},{},{"nodeType":1280,"value":4661,"marks":4662,"data":4663}," The attacker then conducted a separate supply-chain compromise involving Gainsight (allegedly using OAuth tokens stolen in the Salesloft attack) which enabled them to ",[],{},{"nodeType":1292,"data":4665,"content":4667},{"uri":4666},"https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/",[4668],{"nodeType":1280,"value":4669,"marks":4670,"data":4671},"breach a further 285 Salesforce instances",[],{},{"nodeType":1280,"value":4673,"marks":4674,"data":4675}," using stolen OAuth tokens from Gainsight's integrations. 
",[],{},{"nodeType":1337,"data":4677,"content":4681},{"target":4678},{"sys":4679},{"id":4680,"type":1342,"linkType":1343},"3TwjpVKQ42SwQRhvGFbZdn",[],{"nodeType":1364,"data":4683,"content":4684},{},[],{"nodeType":1486,"data":4686,"content":4687},{},[4688],{"nodeType":1280,"value":4689,"marks":4690,"data":4692},"Malicious browser extensions",[4691],{"type":1323},{},{"nodeType":1276,"data":4694,"content":4695},{},[4696],{"nodeType":1280,"value":4697,"marks":4698,"data":4701},"CyberHaven (2024)",[4699,4700],{"type":1323},{"type":2141},{},{"nodeType":1276,"data":4703,"content":4704},{},[4705],{"nodeType":1280,"value":4706,"marks":4707,"data":4708},"Hackers phished a CyberHaven extension developer and uploaded a malicious version of the CyberHaven extension to the Chrome Web Store, leading to customer data breaches where installed in user browsers, impacting CyberHaven’s estimated ~400 business customers. This was part of a broader campaign that targeted 35 Chrome extensions, collectively impacting over 2.5 million users.",[],{},{"nodeType":1337,"data":4710,"content":4714},{"target":4711},{"sys":4712},{"id":4713,"type":1342,"linkType":1343},"4ErDI0xi0Vj2Zrk8Qsb2NB",[],{"nodeType":1364,"data":4716,"content":4717},{},[],{"nodeType":1368,"data":4719,"content":4720},{},[4721],{"nodeType":1280,"value":4722,"marks":4723,"data":4725},"The bigger picture",[4724],{"type":1323},{},{"nodeType":1276,"data":4727,"content":4728},{},[4729],{"nodeType":1280,"value":4730,"marks":4731,"data":4732},"Scattered Lapsus$ Hunters are dominating the headlines right now, but they aren’t the only attackers using these modern techniques and consciously evading established security controls. 
",[],{},{"nodeType":1276,"data":4734,"content":4735},{},[4736],{"nodeType":1280,"value":4737,"marks":4738,"data":4739},"Threat reports agree that attackers are steering away from traditional exploit and malware-driven breaches towards identities:",[],{},{"nodeType":1384,"data":4741,"content":4742},{},[4743,4766,4788],{"nodeType":1388,"data":4744,"content":4745},{},[4746],{"nodeType":1276,"data":4747,"content":4748},{},[4749,4753,4762],{"nodeType":1280,"value":4750,"marks":4751,"data":4752},"Identity-based attacks surged 32% in the last year, while 97% of identity attacks are password-based, driven by credential leaks and infostealer malware. (",[],{},{"nodeType":1292,"data":4754,"content":4756},{"uri":4755},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[4757],{"nodeType":1280,"value":4758,"marks":4759,"data":4761},"Microsoft",[4760],{"type":2141},{},{"nodeType":1280,"value":4763,"marks":4764,"data":4765},")",[],{},{"nodeType":1388,"data":4767,"content":4768},{},[4769],{"nodeType":1276,"data":4770,"content":4771},{},[4772,4776,4785],{"nodeType":1280,"value":4773,"marks":4774,"data":4775},"79% of detections were malware-free in the last year, up from 40% in 2019. (",[],{},{"nodeType":1292,"data":4777,"content":4779},{"uri":4778},"https://www.crowdstrike.com/en-gb/global-threat-report/",[4780],{"nodeType":1280,"value":4781,"marks":4782,"data":4784},"CrowdStrike",[4783],{"type":2141},{},{"nodeType":1280,"value":4763,"marks":4786,"data":4787},[],{},{"nodeType":1388,"data":4789,"content":4790},{},[4791],{"nodeType":1276,"data":4792,"content":4793},{},[4794,4798,4807],{"nodeType":1280,"value":4795,"marks":4796,"data":4797},"Credential abuse and phishing combined accounted for 38% of breaches, making identity the primary breach vector observed. 
(",[],{},{"nodeType":1292,"data":4799,"content":4801},{"uri":4800},"https://www.verizon.com/business/resources/reports/dbir/",[4802],{"nodeType":1280,"value":4803,"marks":4804,"data":4806},"Verizon",[4805],{"type":2141},{},{"nodeType":1280,"value":4763,"marks":4808,"data":4809},[],{},{"nodeType":1276,"data":4811,"content":4812},{},[4813],{"nodeType":1280,"value":4814,"marks":4815,"data":4816},"And other public breaches from this year alone demonstrate similar TTPs from outside of the Scattered Lapsus$ Hunters orbit:",[],{},{"nodeType":1384,"data":4818,"content":4819},{},[4820,4835,4850,4865],{"nodeType":1388,"data":4821,"content":4822},{},[4823],{"nodeType":1276,"data":4824,"content":4825},{},[4826,4831],{"nodeType":1280,"value":4827,"marks":4828,"data":4830},"Nikkei",[4829],{"type":1323},{},{"nodeType":1280,"value":4832,"marks":4833,"data":4834},": Japanese publishing giant Nikkei’s Slack messaging platform was compromised using stolen credentials, leaking the names, email addresses, and chat histories for 17,368 individuals registered on Slack.",[],{},{"nodeType":1388,"data":4836,"content":4837},{},[4838],{"nodeType":1276,"data":4839,"content":4840},{},[4841,4846],{"nodeType":1280,"value":4842,"marks":4843,"data":4845},"Evertec",[4844],{"type":1323},{},{"nodeType":1280,"value":4847,"marks":4848,"data":4849},": Hackers tried to steal $130 million from Evertec’s Brazilian subsidiary Sinqia S.A. after gaining unauthorized access to its environment on the central bank’s real-time payment system (Pix) using stolen credentials.",[],{},{"nodeType":1388,"data":4851,"content":4852},{},[4853],{"nodeType":1276,"data":4854,"content":4855},{},[4856,4861],{"nodeType":1280,"value":4857,"marks":4858,"data":4860},"Hy-Vee:",[4859],{"type":1323},{},{"nodeType":1280,"value":4862,"marks":4863,"data":4864}," Was hit with a data breach after hackers logged in with stolen credentials, exposing 53GB of sensitive 
data.",[],{},{"nodeType":1388,"data":4866,"content":4867},{},[4868],{"nodeType":1276,"data":4869,"content":4870},{},[4871,4876],{"nodeType":1280,"value":4872,"marks":4873,"data":4875},"Scania: ",[4874],{"type":1323},{},{"nodeType":1280,"value":4877,"marks":4878,"data":4879},"Automotive giant Scania confirmed it suffered a cybersecurity incident where threat actors used compromised credentials to breach its Financial Services systems and steal insurance claim documents.",[],{},{"nodeType":1276,"data":4881,"content":4882},{},[4883],{"nodeType":1280,"value":4884,"marks":4885,"data":4886},"Scattered Lapsus$ Hunters may be grabbing the headlines — but this is a huge movement in a vast and flexible community of attackers. And criminals around the world are learning from their success. ",[],{},{"nodeType":1364,"data":4888,"content":4889},{},[],{"nodeType":1368,"data":4891,"content":4892},{},[4893],{"nodeType":1280,"value":4894,"marks":4895,"data":4897},"Lessons learned",[4896],{"type":1323},{},{"nodeType":1276,"data":4899,"content":4900},{},[4901],{"nodeType":1280,"value":4902,"marks":4903,"data":4904},"The common thread with all of these attacks is that they are evading established security controls by targeting applications directly, over the internet, via account takeover.",[],{},{"nodeType":1276,"data":4906,"content":4907},{},[4908],{"nodeType":1280,"value":4909,"marks":4910,"data":4911},"Clearly, the success of these attacks shows the limitations of multiple control layers. Endpoint and network layer controls have no visibility of this attack surface. Identity-focused controls are being undermined by ghost logins and shadow IT. And cloud security controls are limited in their ability to encompass all apps, and to detect and stop malicious actions in real time (which often blend in seamlessly with normal user activity). 
",[],{},{"nodeType":1337,"data":4913,"content":4917},{"target":4914},{"sys":4915},{"id":4916,"type":1342,"linkType":1343},"4Dg3fZEGf7ShyQJ8jlNDME",[],{"nodeType":1364,"data":4919,"content":4920},{},[],{"nodeType":1368,"data":4922,"content":4923},{},[4924],{"nodeType":1280,"value":3892,"marks":4925,"data":4927},[4926],{"type":1323},{},{"nodeType":1276,"data":4929,"content":4930},{},[4931],{"nodeType":1280,"value":4932,"marks":4933,"data":4934},"Stopping attacks that are designed to evade established controls is in our DNA — it’s the reason Push was founded. ",[],{},{"nodeType":1276,"data":4936,"content":4937},{},[4938],{"nodeType":1280,"value":4939,"marks":4940,"data":4941},"The browser is the gateway to the apps and identities that attackers are now targeting, with many attacks taking place inside the user’s browser — whether that’s entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA. ",[],{},{"nodeType":1276,"data":4943,"content":4944},{},[4945],{"nodeType":1280,"value":4946,"marks":4947,"data":4948},"Push’s browser-based security platform provides comprehensive detection and response capabilities against attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. 
You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":1276,"data":4950,"content":4951},{},[4952,4955,4962,4966,4973],{"nodeType":1280,"value":3960,"marks":4953,"data":4954},[],{},{"nodeType":1292,"data":4956,"content":4957},{"uri":3965},[4958],{"nodeType":1280,"value":3968,"marks":4959,"data":4961},[4960],{"type":2141},{},{"nodeType":1280,"value":4963,"marks":4964,"data":4965}," or ",[],{},{"nodeType":1292,"data":4967,"content":4968},{"uri":3186},[4969],{"nodeType":1280,"value":3993,"marks":4970,"data":4972},[4971],{"type":2141},{},{"nodeType":1280,"value":3233,"marks":4974,"data":4975},[],{},"\"Scattered Lapsus$ Hunters\" — how modern attackers exploit the gaps in your security stack ","How Scattered Lapsus$ Hunters breaches demonstrate the evolution of attacker TTPs, shaping the future of cyber 
attacks.","2025-11-13T00:00:00.000Z","scattered-lapsus-hunters",{"items":4981},[4982,4984],{"sys":4983,"name":4009},{"id":4008},{"sys":4985,"name":4013},{"id":4012},{"items":4987},[4988],{"fullName":4017,"firstName":4018,"jobTitle":1267,"profilePicture":4989},{"url":4020},{"__typename":3417,"sys":4991,"content":4993,"title":5620,"synopsis":5621,"hashTags":61,"publishedDate":5622,"slug":5623,"tagsCollection":5624,"authorsCollection":5630},{"id":4992},"3ExexM6DB2QBOQrtbMrXnN",{"json":4994},{"nodeType":1272,"data":4995,"content":4996},{},[4997,5003,5035,5128,5205,5212,5215,5222,5229,5236,5252,5259,5266,5269,5276,5283,5290,5323,5330,5353,5360,5363,5370,5377,5396,5483,5490,5496,5499,5506,5513,5520,5526,5547,5553,5560,5563,5570,5590,5608,5614],{"nodeType":1337,"data":4998,"content":5002},{"target":4999},{"sys":5000},{"id":5001,"type":1342,"linkType":1343},"6BjaSruVecmhn1NoHreRni",[],{"nodeType":1276,"data":5004,"content":5005},{},[5006,5010,5019,5022,5031],{"nodeType":1280,"value":5007,"marks":5008,"data":5009},"Scattered Spider have been busy. 
Major breaches of UK retailers ",[],{},{"nodeType":1292,"data":5011,"content":5013},{"uri":5012},"https://www.bleepingcomputer.com/news/security/mands-says-customer-data-stolen-in-cyberattack-forces-password-resets/",[5014],{"nodeType":1280,"value":5015,"marks":5016,"data":5018},"Marks and Spencer",[5017],{"type":2141},{},{"nodeType":1280,"value":4437,"marks":5020,"data":5021},[],{},{"nodeType":1292,"data":5023,"content":5025},{"uri":5024},"https://www.bleepingcomputer.com/news/security/co-op-confirms-data-theft-after-dragonforce-ransomware-claims-attack/",[5026],{"nodeType":1280,"value":5027,"marks":5028,"data":5030},"Co-op",[5029],{"type":2141},{},{"nodeType":1280,"value":5032,"marks":5033,"data":5034}," resulted in the loss of sensitive data and prolonged disruption to in-store and digital services, with M&S feeling the pain of £300m in lost profits and a share value hit approaching £1b, and a multimillion-pound class action lawsuit and possible ICO fines looming.",[],{},{"nodeType":1276,"data":5036,"content":5037},{},[5038,5042,5051,5054,5063,5066,5075,5078,5087,5090,5099,5102,5111,5115,5124],{"nodeType":1280,"value":5039,"marks":5040,"data":5041},"A series of attacks against retailers worldwide soon followed, at an unprecedented rate. 
",[],{},{"nodeType":1292,"data":5043,"content":5045},{"uri":5044},"https://www.bleepingcomputer.com/news/security/fashion-giant-dior-discloses-cyberattack-warns-of-data-breach/",[5046],{"nodeType":1280,"value":5047,"marks":5048,"data":5050},"Dior",[5049],{"type":2141},{},{"nodeType":1280,"value":3973,"marks":5052,"data":5053},[],{},{"nodeType":1292,"data":5055,"content":5057},{"uri":5056},"https://www.bleepingcomputer.com/news/security/the-north-face-warns-customers-of-april-credential-stuffing-attack/",[5058],{"nodeType":1280,"value":5059,"marks":5060,"data":5062},"The North Face",[5061],{"type":2141},{},{"nodeType":1280,"value":3973,"marks":5064,"data":5065},[],{},{"nodeType":1292,"data":5067,"content":5069},{"uri":5068},"https://www.bleepingcomputer.com/news/security/cartier-discloses-data-breach-amid-fashion-brand-cyberattacks/",[5070],{"nodeType":1280,"value":5071,"marks":5072,"data":5074},"Cartier",[5073],{"type":2141},{},{"nodeType":1280,"value":3973,"marks":5076,"data":5077},[],{},{"nodeType":1292,"data":5079,"content":5081},{"uri":5080},"https://www.bleepingcomputer.com/news/security/victorias-secret-delays-earnings-release-after-security-incident/",[5082],{"nodeType":1280,"value":5083,"marks":5084,"data":5086},"Victoria’s Secret",[5085],{"type":2141},{},{"nodeType":1280,"value":3973,"marks":5088,"data":5089},[],{},{"nodeType":1292,"data":5091,"content":5093},{"uri":5092},"https://www.bleepingcomputer.com/news/security/adidas-warns-of-data-breach-after-customer-service-provider-hack/",[5094],{"nodeType":1280,"value":5095,"marks":5096,"data":5098},"Adidas",[5097],{"type":2141},{},{"nodeType":1280,"value":3973,"marks":5100,"data":5101},[],{},{"nodeType":1292,"data":5103,"content":5105},{"uri":5104},"https://www.scworld.com/brief/separate-ransomware-attacks-purportedly-hit-coca-cola-bottling-partner",[5106],{"nodeType":1280,"value":5107,"marks":5108,"data":5110},"Coca-Cola",[5109],{"type":2141},{},{"nodeType":1280,"value":5112,"marks":5113,"data":5114},", and 
",[],{},{"nodeType":1292,"data":5116,"content":5118},{"uri":5117},"https://www.bleepingcomputer.com/news/security/grocery-wholesale-giant-united-natural-foods-hit-by-cyberattack/",[5119],{"nodeType":1280,"value":5120,"marks":5121,"data":5123},"United Natural Foods",[5122],{"type":2141},{},{"nodeType":1280,"value":5125,"marks":5126,"data":5127}," were among the retailers to suffer a breach between May-June 2025. ",[],{},{"nodeType":1276,"data":5129,"content":5130},{},[5131,5135,5144,5147,5156,5160,5169,5173,5181,5184,5192,5195,5202],{"nodeType":1280,"value":5132,"marks":5133,"data":5134},"The latest news links the hackers to attacks on ",[],{},{"nodeType":1292,"data":5136,"content":5138},{"uri":5137},"https://www.bleepingcomputer.com/news/security/aflac-discloses-breach-amidst-scattered-spider-insurance-attacks/",[5139],{"nodeType":1280,"value":5140,"marks":5141,"data":5143},"Aflac",[5142],{"type":2141},{},{"nodeType":1280,"value":3973,"marks":5145,"data":5146},[],{},{"nodeType":1292,"data":5148,"content":5150},{"uri":5149},"https://www.bleepingcomputer.com/news/security/google-warns-scattered-spider-hackers-now-target-us-insurance-companies/",[5151],{"nodeType":1280,"value":5152,"marks":5153,"data":5155},"Philadelphia Insurance Companies",[5154],{"type":2141},{},{"nodeType":1280,"value":5157,"marks":5158,"data":5159},",  ",[],{},{"nodeType":1292,"data":5161,"content":5163},{"uri":5162},"https://www.bleepingcomputer.com/news/security/erie-insurance-confirms-cyberattack-behind-business-disruptions/amp/",[5164],{"nodeType":1280,"value":5165,"marks":5166,"data":5168},"Erie Insurance",[5167],{"type":2141},{},{"nodeType":1280,"value":5170,"marks":5171,"data":5172},", and most recently 
",[],{},{"nodeType":1292,"data":5174,"content":5176},{"uri":5175},"https://www.bleepingcomputer.com/news/security/qantas-is-being-extorted-in-recent-data-theft-cyberattack/",[5177],{"nodeType":1280,"value":5178,"marks":5179,"data":5180},"Qantas",[],{},{"nodeType":1280,"value":3973,"marks":5182,"data":5183},[],{},{"nodeType":1292,"data":5185,"content":5187},{"uri":5186},"https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-shift-focus-to-aviation-transportation-firms/",[5188],{"nodeType":1280,"value":5189,"marks":5190,"data":5191},"Hawaiian Airlines",[],{},{"nodeType":1280,"value":4437,"marks":5193,"data":5194},[],{},{"nodeType":1292,"data":5196,"content":5197},{"uri":5186},[5198],{"nodeType":1280,"value":5199,"marks":5200,"data":5201},"WestJet",[],{},{"nodeType":1280,"value":2416,"marks":5203,"data":5204},[],{},{"nodeType":1276,"data":5206,"content":5207},{},[5208],{"nodeType":1280,"value":5209,"marks":5210,"data":5211},"The top story from recent campaigns is the use of help desk scams. This typically involves the attacker calling up a company’s help desk with some level of information — at minimum, PII that allows them to impersonate their victim, and sometimes a password, leaning heavily on their native English-speaking abilities to trick the help desk operator into giving them access to a user account. ",[],{},{"nodeType":1364,"data":5213,"content":5214},{},[],{"nodeType":1368,"data":5216,"content":5217},{},[5218],{"nodeType":1280,"value":5219,"marks":5220,"data":5221},"Help desk scams 101",[],{},{"nodeType":1276,"data":5223,"content":5224},{},[5225],{"nodeType":1280,"value":5226,"marks":5227,"data":5228},"The goal of a help desk scam is to get the help desk operator to reset the credentials and/or MFA used to access an account so the attacker can take control of it. 
They’ll use a variety of backstories and tactics to get that done, but most of the time it’s as simple as saying “I’ve got a new phone, can you remove my existing MFA and allow me to enroll a new one?”",[],{},{"nodeType":1276,"data":5230,"content":5231},{},[5232],{"nodeType":1280,"value":5233,"marks":5234,"data":5235},"From there, the attacker is then sent an MFA reset link via email or SMS. Usually, this would be sent to, for example, a number on file — but at this point, the attacker has already established trust and bypassed the help desk process to a degree. So asking “can you send it to this email address” or “I’ve actually got a new number too, can you send it to…” gets this sent directly to the attacker. ",[],{},{"nodeType":1276,"data":5237,"content":5238},{},[5239,5243,5248],{"nodeType":1280,"value":5240,"marks":5241,"data":5242},"At this point, it’s simply a case of using the self service password reset functionality for Okta or Entra (which you can get around because you now have the MFA factor to verify yourself) and ",[],{},{"nodeType":1280,"value":5244,"marks":5245,"data":5247},"voila",[5246],{"type":275},{},{"nodeType":1280,"value":5249,"marks":5250,"data":5251},", the attacker has taken control of the account. ",[],{},{"nodeType":1276,"data":5253,"content":5254},{},[5255],{"nodeType":1280,"value":5256,"marks":5257,"data":5258},"And the best part? Most help desks have the same process for every account — it doesn’t matter who you’re impersonating or which account you’re trying to reset. So, attackers are specifically targeting accounts likely to have top tier admin privileges — meaning once they get in, progressing the attack is trivial and much of the typical privilege escalation and lateral movement is removed from the attack path. 
",[],{},{"nodeType":1276,"data":5260,"content":5261},{},[5262],{"nodeType":1280,"value":5263,"marks":5264,"data":5265},"So, help desk scams have proved to be a reliable way of bypassing MFA and achieving account takeover — the foothold from which to launch the rest of an attack, such as stealing data, deploying ransomware, etc. ",[],{},{"nodeType":1364,"data":5267,"content":5268},{},[],{"nodeType":1368,"data":5270,"content":5271},{},[5272],{"nodeType":1280,"value":5273,"marks":5274,"data":5275},"Avoiding help desk gotchas",[],{},{"nodeType":1276,"data":5277,"content":5278},{},[5279],{"nodeType":1280,"value":5280,"marks":5281,"data":5282},"There’s lots of advice for securing help desks being circulated, but much of the advice still results in a process that is either phishable or difficult to implement. ",[],{},{"nodeType":1276,"data":5284,"content":5285},{},[5286],{"nodeType":1280,"value":5287,"marks":5288,"data":5289},"Ultimately, organizations need to be prepared to introduce friction to their help desk process and either delay or deny requests in situations where there’s significant risk. 
So, for example, having a process for MFA reset that recognizes the risk associated with resetting a high-privileged account:",[],{},{"nodeType":1384,"data":5291,"content":5292},{},[5293,5303,5313],{"nodeType":1388,"data":5294,"content":5295},{},[5296],{"nodeType":1276,"data":5297,"content":5298},{},[5299],{"nodeType":1280,"value":5300,"marks":5301,"data":5302},"Require multi-party approval / escalation for admin-level account resets",[],{},{"nodeType":1388,"data":5304,"content":5305},{},[5306],{"nodeType":1276,"data":5307,"content":5308},{},[5309],{"nodeType":1280,"value":5310,"marks":5311,"data":5312},"Require in-person verification if the process can’t be followed remotely",[],{},{"nodeType":1388,"data":5314,"content":5315},{},[5316],{"nodeType":1276,"data":5317,"content":5318},{},[5319],{"nodeType":1280,"value":5320,"marks":5321,"data":5322},"Freeze self-service resets when suspicious behavior is encountered (this would require some kind of internal process and awareness training to raise the alarm if an attack is suspected)",[],{},{"nodeType":1276,"data":5324,"content":5325},{},[5326],{"nodeType":1280,"value":5327,"marks":5328,"data":5329},"And watch out for these gotchas: ",[],{},{"nodeType":1384,"data":5331,"content":5332},{},[5333,5343],{"nodeType":1388,"data":5334,"content":5335},{},[5336],{"nodeType":1276,"data":5337,"content":5338},{},[5339],{"nodeType":1280,"value":5340,"marks":5341,"data":5342},"If you receive a call, good practice is to terminate the call and dial the number on file for the employee. But, in a world of SIM swapping, this isn’t a foolproof solution — you could just be re-dialing the attacker. ",[],{},{"nodeType":1388,"data":5344,"content":5345},{},[5346],{"nodeType":1276,"data":5347,"content":5348},{},[5349],{"nodeType":1280,"value":5350,"marks":5351,"data":5352},"If your solution is to get the employee on camera, increasingly sophisticated deepfakes can thwart this approach.  
",[],{},{"nodeType":1276,"data":5354,"content":5355},{},[5356],{"nodeType":1280,"value":5357,"marks":5358,"data":5359},"But, help desks are a target for a reason. They’re “helpful” by nature. This is usually reflected in how they’re operated and performance measured — delays won’t help you to hit those SLAs! Ultimately, a process only works if employees are willing to adhere to it — and can’t be socially engineered to break it. Help desks that are removed from day-to-day operations (especially when outsourced or offshored) are also inherently susceptible to attacks where employees are impersonated. ",[],{},{"nodeType":1364,"data":5361,"content":5362},{},[],{"nodeType":1368,"data":5364,"content":5365},{},[5366],{"nodeType":1280,"value":5367,"marks":5368,"data":5369},"Comparing help desk scams with other approaches",[],{},{"nodeType":1276,"data":5371,"content":5372},{},[5373],{"nodeType":1280,"value":5374,"marks":5375,"data":5376},"Taking a step back, it’s worth thinking about how help desk scams fit into the wider toolkit of tactics, techniques and procedures (TTPs) used by threat actors like Scattered Spider. ",[],{},{"nodeType":1276,"data":5378,"content":5379},{},[5380,5383,5392],{"nodeType":1280,"value":29,"marks":5381,"data":5382},[],{},{"nodeType":1292,"data":5384,"content":5386},{"uri":5385},"https://pushsecurity.com/blog/scattered-spider-ttp-evolution-in-2025/",[5387],{"nodeType":1280,"value":5388,"marks":5389,"data":5391},"Scattered Spider has heavily relied on identity-based TTPs since they first emerged in 2022",[5390],{"type":2141},{},{"nodeType":1280,"value":5393,"marks":5394,"data":5395},", following a repeatable path of bypassing MFA, achieving account takeover on privileged accounts, stealing data from cloud services, and deploying ransomware (principally to VMware environments). 
",[],{},{"nodeType":1384,"data":5397,"content":5398},{},[5399,5409,5419,5440,5450,5460],{"nodeType":1388,"data":5400,"content":5401},{},[5402],{"nodeType":1276,"data":5403,"content":5404},{},[5405],{"nodeType":1280,"value":5406,"marks":5407,"data":5408},"Credential phishing via email and SMS (smishing) to harvest passwords en masse",[],{},{"nodeType":1388,"data":5410,"content":5411},{},[5412],{"nodeType":1276,"data":5413,"content":5414},{},[5415],{"nodeType":1280,"value":5416,"marks":5417,"data":5418},"Using SIM swapping (where you get the carrier to transfer a number to your attacker-controlled SIM card) to bypass SMS-based MFA",[],{},{"nodeType":1388,"data":5420,"content":5421},{},[5422],{"nodeType":1276,"data":5423,"content":5424},{},[5425,5429,5436],{"nodeType":1280,"value":5426,"marks":5427,"data":5428},"Using ",[],{},{"nodeType":1292,"data":5430,"content":5431},{"uri":4279},[5432],{"nodeType":1280,"value":4282,"marks":5433,"data":5435},[5434],{"type":2141},{},{"nodeType":1280,"value":5437,"marks":5438,"data":5439}," (aka. push bombing) to bypass app-based push authentication",[],{},{"nodeType":1388,"data":5441,"content":5442},{},[5443],{"nodeType":1276,"data":5444,"content":5445},{},[5446],{"nodeType":1280,"value":5447,"marks":5448,"data":5449},"Using vishing (i.e. 
directly calling a victim to social engineer their MFA code, as opposed to a help desk attack)",[],{},{"nodeType":1388,"data":5451,"content":5452},{},[5453],{"nodeType":1276,"data":5454,"content":5455},{},[5456],{"nodeType":1280,"value":5457,"marks":5458,"data":5459},"Social engineering domain registrars to take control of the target organization’s DNS, hijacking their MX records and inbound mail, and using this to take over the company’s business app environments ",[],{},{"nodeType":1388,"data":5461,"content":5462},{},[5463],{"nodeType":1276,"data":5464,"content":5465},{},[5466,5470,5479],{"nodeType":1280,"value":5467,"marks":5468,"data":5469},"And latterly, using ",[],{},{"nodeType":1292,"data":5471,"content":5473},{"uri":5472},"https://pushsecurity.com/blog/phishing-2-0-how-phishing-toolkits-are-evolving-with-aitm/",[5474],{"nodeType":1280,"value":5475,"marks":5476,"data":5478},"MFA-bypass AiTM phishing kits like Evilginx",[5477],{"type":2141},{},{"nodeType":1280,"value":5480,"marks":5481,"data":5482}," to steal live user sessions, bypassing all common forms of MFA (with the exception of WebAuthn/FIDO2) ",[],{},{"nodeType":1276,"data":5484,"content":5485},{},[5486],{"nodeType":1280,"value":5487,"marks":5488,"data":5489},"So, help desk scams are an important part of their toolkit, but it’s not the whole picture. Methods like AiTM in particular have spiked in popularity this year as a reliable and scalable way of bypassing MFA and achieving account takeover, with attackers using these toolkits as the de facto standard, getting creative in their detection evasion methods and in some cases, evading standard delivery vectors like email altogether to ensure the success of their phishing campaigns. 
",[],{},{"nodeType":1337,"data":5491,"content":5495},{"target":5492},{"sys":5493},{"id":5494,"type":1342,"linkType":1343},"2F2dpOkyXWnrKgFC3dSl67",[],{"nodeType":1364,"data":5497,"content":5498},{},[],{"nodeType":1368,"data":5500,"content":5501},{},[5502],{"nodeType":1280,"value":5503,"marks":5504,"data":5505},"Stop identity attacks with Push Security",[],{},{"nodeType":1276,"data":5507,"content":5508},{},[5509],{"nodeType":1280,"value":5510,"marks":5511,"data":5512},"Modern attacks no longer take place on the endpoint or network — they target identities created and used via the web browser. This means that attacks increasingly take place in the browser (or rather, on resources your employees access through the browser). ",[],{},{"nodeType":1276,"data":5514,"content":5515},{},[5516],{"nodeType":1280,"value":5517,"marks":5518,"data":5519},"Push Security’s browser-based security platform provides comprehensive identity attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across every app that your employees use, like: ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more. 
",[],{},{"nodeType":1337,"data":5521,"content":5525},{"target":5522},{"sys":5523},{"id":5524,"type":1342,"linkType":1343},"4atESpAAPAC0zP8CO4m8oa",[],{"nodeType":1276,"data":5527,"content":5528},{},[5529,5533,5543],{"nodeType":1280,"value":5530,"marks":5531,"data":5532},"To help combat help desk scams, we recently released ",[],{},{"nodeType":1292,"data":5534,"content":5536},{"uri":5535},"https://pushsecurity.com/blog/employee-identity-verification-codes-release/",[5537],{"nodeType":1280,"value":5538,"marks":5539,"data":5542},"Employee Identity Verification Codes",[5540,5541],{"type":2141},{"type":1323},{},{"nodeType":1280,"value":5544,"marks":5545,"data":5546}," — a simple, browser-based identity check that gives your help desk a reliable way to confirm they’re talking to someone from your organization.",[],{},{"nodeType":1337,"data":5548,"content":5552},{"target":5549},{"sys":5550},{"id":5551,"type":1342,"linkType":1343},"1TEpCjh8UGwmejgYSGC1by",[],{"nodeType":1276,"data":5554,"content":5555},{},[5556],{"nodeType":1280,"value":5557,"marks":5558,"data":5559},"It enables legitimate help desk callers to quickly verify that they’re in possession of their primary device (i.e. laptop) by relaying a rotating 6-digit verification code in their browser via the Push extension. This is a great way to securely confirm caller identity and sniff out fraudulent callers, and can be used as part of a phishing-resistant help desk process. ",[],{},{"nodeType":1364,"data":5561,"content":5562},{},[],{"nodeType":1368,"data":5564,"content":5565},{},[5566],{"nodeType":1280,"value":5567,"marks":5568,"data":5569},"Get started today!",[],{},{"nodeType":1276,"data":5571,"content":5572},{},[5573,5577,5586],{"nodeType":1280,"value":5574,"marks":5575,"data":5576},"You can use Employee Verification Codes as a free tool by installing the Push browser extension. 
Simply ",[],{},{"nodeType":1292,"data":5578,"content":5580},{"uri":5579},"https://pushsecurity.com/free-tool/employee-verification-codes",[5581],{"nodeType":1280,"value":5582,"marks":5583,"data":5585},"sign up for a trial account and you can deploy the extension organization-wide to make use of this feature",[5584],{"type":2141},{},{"nodeType":1280,"value":5587,"marks":5588,"data":5589},". While you’re at it, you can trial Push’s full features for up to 10 users for free. ",[],{},{"nodeType":1276,"data":5591,"content":5592},{},[5593,5597,5605],{"nodeType":1280,"value":5594,"marks":5595,"data":5596},"Or if you want to learn more about how Push helps you to detect and defeat common identity attack techniques, ",[],{},{"nodeType":1292,"data":5598,"content":5600},{"uri":5599},"https://pushsecurity.com/demo/",[5601],{"nodeType":1280,"value":3993,"marks":5602,"data":5604},[5603],{"type":2141},{},{"nodeType":1280,"value":3233,"marks":5606,"data":5607},[],{},{"nodeType":1337,"data":5609,"content":5613},{"target":5610},{"sys":5611},{"id":5612,"type":1342,"linkType":1343},"6Td0hDBYdeT8tlnnfwipmD",[],{"nodeType":1276,"data":5615,"content":5616},{},[5617],{"nodeType":1280,"value":29,"marks":5618,"data":5619},[],{},"Scattered Spider: Understanding help desk scams and how to defend your organization","Scattered Spider has dominated the headlines in recent months with a consistent focus on help desk scams. 
Here's what you need to know to protect your business.","2025-06-27T00:00:00.000Z","scattered-spider-defending-against-help-desk-scams",{"items":5625},[5626,5628],{"sys":5627,"name":4009},{"id":4008},{"sys":5629,"name":4013},{"id":4012},{"items":5631},[5632],{"fullName":4017,"firstName":4018,"jobTitle":1267,"profilePicture":5633},{"url":4020},"inside-criminal-phishing-panel","blog/inside-criminal-phishing-panel",{"json":5637},{"data":5638,"content":5639,"nodeType":1272},{},[5640],{"data":5641,"content":5642,"nodeType":1276},{},[5643],{"data":5644,"marks":5645,"value":5646,"nodeType":1280},{},[],"We got an inside look at a phishing panel used in criminal campaigns linked to operators like ShinyHunters and BlackFile. Here’s what we found.",{"id":5648,"publishedAt":5649},"2tz0zEJCarJBkceOYk4zVg","2026-05-07T15:21:23.171Z",{"items":5651},[5652,5654],{"sys":5653,"name":4009},{"id":4008},{"sys":5655,"name":4013},{"id":4012},"G7ZyJZ9w1ljs5V89MsY6UmHlIkOZus3uQnSy6bcDuR8",1778167669706]