[{"data":1,"prerenderedAt":3527},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":100,"navbar-resource-highlight":174,"blog/openai-poisoned-tenant-attack":218},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"96hsu565w8a",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":23,"createdBy":92,"lastUpdatedBy":93,"folders":94,"meta":95,"rev":99},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"url":29,"ctaText":43,"text":44,"blocks":45,"state":85},"ewrererw","testrfesssssssssss",[46,73],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Is your stack covered? 51 browser & identity attacks, mapped.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">See the matrix →\u003C/strong>\u003C/p>\n","https://pushsecurity.com/resources/browser-identity-attacks-matrix/",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":74,"@type":47,"tagName":75,"properties":76,"responsiveStyles":80},"builder-pixel-eqhiwgy15j5","img",{"src":77,"aria-hidden":78,"alt":29,"role":79,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":81},{"height":68,"width":68,"display":82,"opacity":68,"overflow":83,"pointerEvents":84},"block","hidden","none",{"deviceSize":86,"location":87},"large",{"path":29,"query":88},{},{},1778612252607,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"kind":96,"hasLinks":6,"breakpoints":97,"lastPreviewUrl":98,"hasAutosaves":34,"hasErrors":6},"component",{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","aomrxnuxkf",[101,137],{"createdDate":102,"id":103,"name":104,"modelId":105,"published":13,"stageModifiedSincePublish":6,"query":106,"data":107,"variations":130,"lastUpdated":131,"firstPublished":132,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":133,"meta":134,"rev":136},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":108,"type":109,"testimonialLink":110,"testimonial":111},{},"testimonial","/customer-stories/inductive-automation",{"@type":112,"id":113,"model":109,"value":114},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":115,"folders":116,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":120,"variations":124,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":92,"lastUpdatedBy":92,"meta":127,"rev":129},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":121,"jobTitle":122,"quote":118,"image":123},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":128,"hasAutosaves":34},{"small":32,"medium":33},"pt6xxmjnc6",{},1776247404986,1776247404973,[],{"breakpoints":135,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"i0s4fsp1ma",{"createdDate":138,"id":139,"name":140,"modelId":105,"published":13,"meta":141,"stageModifiedSincePublish":6,"query":143,"data":144,"variations":170,"lastUpdated":171,"firstPublished":172,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":173,"rev":136},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":142,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":145,"link":164,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":147},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":148,"folders":149,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":152,"variations":158,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":92,"lastUpdatedBy":24,"meta":161,"rev":163},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":162,"hasAutosaves":34},{"small":32,"medium":33},"2c7wgy7j93v",{"text":165,"url":166},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[175,197],{"createdDate":176,"id":177,"name":140,"modelId":178,"published":13,"meta":179,"stageModifiedSincePublish":6,"query":181,"data":182,"variations":192,"lastUpdated":193,"firstPublished":194,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":195,"rev":196},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":180,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":183,"link":191,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":184},{"query":185,"folders":186,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":187,"variations":188,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":92,"lastUpdatedBy":24,"meta":189,"rev":163},[],[],{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":190,"hasAutosaves":34},{"small":32,"medium":33},{"text":165,"url":166},{},1776256937553,1776256937540,[],"1evjoxejjzt",{"createdDate":198,"id":199,"name":200,"modelId":178,"published":13,"stageModifiedSincePublish":6,"query":201,"data":202,"variations":212,"lastUpdated":213,"firstPublished":214,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":215,"meta":216,"rev":196},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":203,"type":109,"testimonial":204,"testimonialLink":110},{},{"@type":112,"id":113,"model":109,"value":205},{"query":206,"folders":207,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":208,"variations":209,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":92,"lastUpdatedBy":92,"meta":210,"rev":129},[],[],{"author":121,"jobTitle":122,"quote":118,"image":123},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":211,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":217,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":219,"title":220,"authorsCollection":221,"content":229,"extension":1033,"faqItemsCollection":1034,"faqTitle":62,"featured":6,"hashTags":62,"meta":1036,"metaTitle":1037,"ogImage":62,"publishedDate":1038,"relatedBlogPostsCollection":1039,"slug":3504,"stem":3505,"subtitle":62,"summary":3506,"synopsis":3516,"sys":3517,"tagsCollection":3520,"__hash__":3526},"blog/blog/openai-poisoned-tenant-attack.json","We coined the poisoned tenant attack in 2023; in 2026, someone used it on us",{"items":222},[223],{"fullName":224,"firstName":225,"jobTitle":226,"profilePicture":227},"Luke Jennings","Luke","Vice President, R&D",{"url":228},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"json":230,"links":942},{"nodeType":231,"data":232,"content":233},"document",{},[234,258,267,273,277,287,296,303,310,316,323,330,338,345,352,358,366,373,380,387,393,399,405,413,420,426,433,440,443,451,463,471,478,485,492,499,507,561,568,587,594,602,622,628,635,641,649,656,684,703,710,713,721,728,736,743,751,758,766,773,781,788,795,798,806,813,833,840,847,850,858,865,900,907,910,917,924],{"nodeType":235,"data":236,"content":237},"paragraph",{},[238,243,254],{"nodeType":239,"value":240,"marks":241,"data":242},"text","Three years ago, we published the poisoned tenant attack as part of the ",[],{},{"nodeType":244,"data":245,"content":247},"hyperlink",{"uri":246},"https://pushsecurity.com/resources/browser-identity-attacks-matrix",[248],{"nodeType":239,"value":249,"marks":250,"data":253},"Browser and Identity Attacks matrix",[251],{"type":252},"underline",{},{"nodeType":239,"value":255,"marks":256,"data":257},". Last week, someone used it to target Push Security employees and customers through OpenAI's organization invitation feature. This post breaks down what happened, explores what the payoff is for an attacker, and connects the incident to a broader pattern of SaaS platform abuse that is accelerating across the industry.",[],{},{"nodeType":259,"data":260,"content":266},"embedded-entry-block",{"target":261},{"sys":262},{"id":263,"type":264,"linkType":265},"7upGHPt7eVNji6v22h124t","Link","Entry",[],{"nodeType":259,"data":268,"content":272},{"target":269},{"sys":270},{"id":271,"type":264,"linkType":265},"53U3LHhhHFYnEpShdLmDqs",[],{"nodeType":274,"data":275,"content":276},"hr",{},[],{"nodeType":278,"data":279,"content":280},"heading-1",{},[281],{"nodeType":239,"value":282,"marks":283,"data":286},"What happened",[284],{"type":285},"bold",{},{"nodeType":288,"data":289,"content":290},"heading-2",{},[291],{"nodeType":239,"value":292,"marks":293,"data":295},"The invitation",[294],{"type":285},{},{"nodeType":235,"data":297,"content":298},{},[299],{"nodeType":239,"value":300,"marks":301,"data":302},"In recent weeks, several Push Security team members have received multiple waves of emails from OpenAI inviting them to join an organization called \"Push Security Inc\". ",[],{},{"nodeType":235,"data":304,"content":305},{},[306],{"nodeType":239,"value":307,"marks":308,"data":309},"The emails came from OpenAI's legitimate notification address (noreply@tm.openai.com), passed all standard email authentication checks, and referenced our company by name. They looked exactly like a routine organizational invitation because, technically, they were one.",[],{},{"nodeType":259,"data":311,"content":315},{"target":312},{"sys":313},{"id":314,"type":264,"linkType":265},"6JmXCVjUckklFrO7leDqOA",[],{"nodeType":235,"data":317,"content":318},{},[319],{"nodeType":239,"value":320,"marks":321,"data":322},"The invitations were sent by various accounts registered under email addresses that had no affiliation with Push. ",[],{},{"nodeType":235,"data":324,"content":325},{},[326],{"nodeType":239,"value":327,"marks":328,"data":329},"OpenAI's invitation email did include a warning — \"The inviter's email domain, gmail.com, does not match your domain, pushsecurity.com\" — but that's a single line in an otherwise completely legitimate-looking email from a trusted platform. The invitation targeted specific employees by their work email addresses, suggesting the attacker had done some reconnaissance on our team. ",[],{},{"nodeType":288,"data":331,"content":332},{},[333],{"nodeType":239,"value":334,"marks":335,"data":337},"One click, no credentials",[336],{"type":285},{},{"nodeType":235,"data":339,"content":340},{},[341],{"nodeType":239,"value":342,"marks":343,"data":344},"After discussing internally we decided to investigate further by accepting the invite. The acceptance was instant (one click, no credentials or additional authentication). This was particularly notable because it was done from an entirely separate browser to my typical work profile. I wasn’t already logged into ChatGPT from the browser, but clicking the email link was all it took to join my account to the attacker's organization. ",[],{},{"nodeType":235,"data":346,"content":347},{},[348],{"nodeType":239,"value":349,"marks":350,"data":351},"I landed on a confirmation page telling me I'd been added to \"Push Security Inc.\"",[],{},{"nodeType":259,"data":353,"content":357},{"target":354},{"sys":355},{"id":356,"type":264,"linkType":265},"1YPMilWhyTSV860PCFXxmx",[],{"nodeType":288,"data":359,"content":360},{},[361],{"nodeType":239,"value":362,"marks":363,"data":365},"What the attacker had set up",[364],{"type":285},{},{"nodeType":235,"data":367,"content":368},{},[369],{"nodeType":239,"value":370,"marks":371,"data":372},"Within the organization, the attacker's account appeared under the name of Push's CEO. ",[],{},{"nodeType":235,"data":374,"content":375},{},[376],{"nodeType":239,"value":377,"marks":378,"data":379},"It's something of a rite of passage for new Push employees to receive scam texts from someone impersonating Adam, usually with an urgent request that inevitably leads to gift cards. But creating a fully configured SaaS tenant under a CEO's name and inviting specific employees into it is a different level of effort entirely.",[],{},{"nodeType":235,"data":381,"content":382},{},[383],{"nodeType":239,"value":384,"marks":385,"data":386},"All invited team members had been assigned the \"Owner\" role, giving them full administrative access to the organization. A Visa credit card was attached to the billing account.",[],{},{"nodeType":259,"data":388,"content":392},{"target":389},{"sys":390},{"id":391,"type":264,"linkType":265},"272ejb1WCqvL58rYN3wfSQ",[],{"nodeType":259,"data":394,"content":398},{"target":395},{"sys":396},{"id":397,"type":264,"linkType":265},"9U5oPibmLSuloIIwMdpuG",[],{"nodeType":259,"data":400,"content":404},{"target":401},{"sys":402},{"id":403,"type":264,"linkType":265},"6S0boiGqIRqkxsNJWlXMZ0",[],{"nodeType":288,"data":406,"content":407},{},[408],{"nodeType":239,"value":409,"marks":410,"data":412},"The response",[411],{"type":285},{},{"nodeType":235,"data":414,"content":415},{},[416],{"nodeType":239,"value":417,"marks":418,"data":419},"We spotted the attack straight away and raised the alarm internally before deciding to investigate. Several Push employees had been invited to the tenant but either hadn’t seen the emails, or the wrong email address had been added for the employee. ",[],{},{"nodeType":259,"data":421,"content":425},{"target":422},{"sys":423},{"id":424,"type":264,"linkType":265},"1CQqUTdcJtZWozY7azSuOI",[],{"nodeType":235,"data":427,"content":428},{},[429],{"nodeType":239,"value":430,"marks":431,"data":432},"By joining the tenant, I was able to see the other employees that had been added, enabling us to speak to each employee to confirm. We could also see that they hadn’t joined the tenant since they were all “invite pending” status. Confirming that nobody had joined (and thus used) the platform was the extent of investigation required. ",[],{},{"nodeType":235,"data":434,"content":435},{},[436],{"nodeType":239,"value":437,"marks":438,"data":439},"We also implemented mail rules to block similar invites from reaching Push employees in future. ",[],{},{"nodeType":274,"data":441,"content":442},{},[],{"nodeType":278,"data":444,"content":445},{},[446],{"nodeType":239,"value":447,"marks":448,"data":450},"What's the payoff for an attacker?",[449],{"type":285},{},{"nodeType":235,"data":452,"content":453},{},[454,458],{"nodeType":239,"value":455,"marks":456,"data":457},"The attacker created an OpenAI organization, named it after our company, attached a credit card (which we believe was likely stolen — it's hard to see why a legitimate card would be used for this purpose), researched specific employees, and sent targeted invitations. That represents a non-trivial investment of effort. ",[],{},{"nodeType":239,"value":459,"marks":460,"data":462},"So what was the endgame?",[461],{"type":285},{},{"nodeType":288,"data":464,"content":465},{},[466],{"nodeType":239,"value":467,"marks":468,"data":470},"Get employees using the platform — then harvest what they put into it?",[469],{"type":285},{},{"nodeType":235,"data":472,"content":473},{},[474],{"nodeType":239,"value":475,"marks":476,"data":477},"An attacker who just wants to spray scam content through a trusted email channel doesn't name the organization after their target, research individual employees, or attach a credit card. ",[],{},{"nodeType":235,"data":479,"content":480},{},[481],{"nodeType":239,"value":482,"marks":483,"data":484},"That investment only pays off if employees actually join the organization and start using it. And on an AI platform, the data people put into prompts can be extraordinarily sensitive — source code, internal documents, customer data, security research, strategic plans.",[],{},{"nodeType":235,"data":486,"content":487},{},[488],{"nodeType":239,"value":489,"marks":490,"data":491},"If someone on the team had assumed \"oh, we've got a company OpenAI org now\" and started running work through it, the attacker would be sitting on a live feed of that activity as an org administrator with access to usage logs and API interactions.",[],{},{"nodeType":235,"data":493,"content":494},{},[495],{"nodeType":239,"value":496,"marks":497,"data":498},"The stolen credit card removes a friction point that might otherwise tip someone off: if there were no billing set up and employees hit a paywall when trying to use the API, they'd start asking questions internally about who created the org. A pre-funded account removes friction and the chance to discover that something is up.",[],{},{"nodeType":288,"data":500,"content":501},{},[502],{"nodeType":239,"value":503,"marks":504,"data":506},"SAMLjacking a poisoned tenant?",[505],{"type":285},{},{"nodeType":235,"data":508,"content":509},{},[510,514,522,526,533,537,545,549,557],{"nodeType":239,"value":511,"marks":512,"data":513},"In August 2023, we published ",[],{},{"nodeType":244,"data":515,"content":517},{"uri":516},"https://pushsecurity.com/blog/samljacking-a-poisoned-tenant/",[518],{"nodeType":239,"value":519,"marks":520,"data":521},"SAMLjacking a poisoned tenant",[],{},{"nodeType":239,"value":523,"marks":524,"data":525},", which demonstrated how an attacker could register a tenant on a SaaS platform using a target organization's name, invite employees to join it, and then leverage that foothold for further attacks — in that case, by configuring a malicious SAML identity provider to harvest credentials. The technique is cataloged in the ",[],{},{"nodeType":244,"data":527,"content":528},{"uri":61},[529],{"nodeType":239,"value":530,"marks":531,"data":532},"Browser & Identity Attacks Matrix",[],{},{"nodeType":239,"value":534,"marks":535,"data":536}," (originally the SaaS attack matrix) as an ",[],{},{"nodeType":244,"data":538,"content":540},{"uri":539},"https://pushsecurity.com/resources/browser-identity-attacks-matrix/poisoned-tenants",[541],{"nodeType":239,"value":542,"marks":543,"data":544},"initial access technique",[],{},{"nodeType":239,"value":546,"marks":547,"data":548}," — and when combined with ",[],{},{"nodeType":244,"data":550,"content":552},{"uri":551},"https://pushsecurity.com/resources/browser-identity-attacks-matrix/samljacking",[553],{"nodeType":239,"value":554,"marks":555,"data":556},"SAMLjacking",[],{},{"nodeType":239,"value":558,"marks":559,"data":560},", it becomes a lateral movement vector too.",[],{},{"nodeType":235,"data":562,"content":563},{},[564],{"nodeType":239,"value":565,"marks":566,"data":567},"The gist is that once an employee has joined an attacker-controlled organization and is treating it as a legitimate company resource, the attacker has a trusted channel for further social engineering — a follow-up message asking team members to connect their SSO, or to authorize a third-party integration that requires OAuth consent.",[],{},{"nodeType":235,"data":569,"content":570},{},[571,575,583],{"nodeType":239,"value":572,"marks":573,"data":574},"This is exactly the attack chain we described in the ",[],{},{"nodeType":244,"data":576,"content":577},{"uri":516},[578],{"nodeType":239,"value":579,"marks":580,"data":582},"original SAMLjacking post",[581],{"type":252},{},{"nodeType":239,"value":584,"marks":585,"data":586},", where a poisoned tenant on a seemingly low-risk platform becomes the entry point for credential harvesting via a malicious SAML configuration.",[],{},{"nodeType":235,"data":588,"content":589},{},[590],{"nodeType":239,"value":591,"marks":592,"data":593},"Based on my research I don’t think this exact scenario is easily possible in the specific context of OpenAI / ChatGPT since domain verification is required in order to enable SAML. However, there are other options to consider. ",[],{},{"nodeType":288,"data":595,"content":596},{},[597],{"nodeType":239,"value":598,"marks":599,"data":601},"Substituting SAMLjacking for project-jacking?",[600],{"type":285},{},{"nodeType":235,"data":603,"content":604},{},[605,609,618],{"nodeType":239,"value":606,"marks":607,"data":608},"We’ve recently reported on attacks like ",[],{},{"nodeType":244,"data":610,"content":612},{"uri":611},"https://pushsecurity.com/blog/llmshare-malvertising-campaign/",[613],{"nodeType":239,"value":614,"marks":615,"data":617},"LLMShare",[616],{"type":252},{},{"nodeType":239,"value":619,"marks":620,"data":621}," that interestingly also abused ChatGPT — in this case, abusing chat sharing functionality to distribute both malicious instructions and convincing-looking designs that trick the user into navigating to an attacker-controlled site hosting a malicious payload. ",[],{},{"nodeType":259,"data":623,"content":627},{"target":624},{"sys":625},{"id":626,"type":264,"linkType":265},"5U6imJMpFs8CAohztgHG3x",[],{"nodeType":235,"data":629,"content":630},{},[631],{"nodeType":239,"value":632,"marks":633,"data":634},"In the cases we observed in the wild, links were distributed via malvertising. But you could see a scenario in which shared projects or conversations are seeded with chats containing malicious links. Or even perhaps malicious instructions in shared projects (effectively a form of prompt injection). In this way, attackers could trick the user into running malicious commands that interact with other connected apps such as their email, calendar, and a long list of cloud services with access to sensitive company data. ",[],{},{"nodeType":259,"data":636,"content":640},{"target":637},{"sys":638},{"id":639,"type":264,"linkType":265},"4g0jXhfJ5OMBhDXjfCX8S2",[],{"nodeType":278,"data":642,"content":643},{},[644],{"nodeType":239,"value":645,"marks":646,"data":648},"This isn't an isolated technique",[647],{"type":285},{},{"nodeType":235,"data":650,"content":651},{},[652],{"nodeType":239,"value":653,"marks":654,"data":655},"Our experience is a specific instance of a broader trend: attackers weaponizing the invitation and notification features built into SaaS platforms to deliver social engineering through trusted channels. ",[],{},{"nodeType":235,"data":657,"content":658},{},[659,663,671,675,680],{"nodeType":239,"value":660,"marks":661,"data":662},"In January 2026, ",[],{},{"nodeType":244,"data":664,"content":666},{"uri":665},"https://me-en.kaspersky.com/about/press-releases/kaspersky-detected-a-scam-exploiting-openais-teamwork-features",[667],{"nodeType":239,"value":668,"marks":669,"data":670},"Kaspersky reported",[],{},{"nodeType":239,"value":672,"marks":673,"data":674}," a cruder abuse of the same OpenAI invitation feature. When you create an OpenAI organization, the platform lets you set the organization name to any arbitrary string. Attackers exploited this by stuffing scam content directly into the org name field: fake subscription renewal notices, fraudulent phone numbers for vishing callbacks, and links to adult services. In that case, the ",[],{},{"nodeType":239,"value":676,"marks":677,"data":679},"org name was the payload",[678],{"type":285},{},{"nodeType":239,"value":681,"marks":682,"data":683},", while in our case, the email was the delivery mechanism for a legitimate-looking poisoned tenant. ",[],{},{"nodeType":235,"data":685,"content":686},{},[687,691,699],{"nodeType":239,"value":688,"marks":689,"data":690},"In April 2026, ",[],{},{"nodeType":244,"data":692,"content":694},{"uri":693},"https://blog.talosintelligence.com/weaponizing-saas-notification-pipelines/",[695],{"nodeType":239,"value":696,"marks":697,"data":698},"Cisco Talos published research",[],{},{"nodeType":239,"value":700,"marks":701,"data":702}," on what they termed \"Platform-as-a-Proxy\" (PaaP), documenting the same technique across GitHub and Jira — phishing lures embedded in commit messages, welcome messages, and other user-controlled fields that feed into platform-generated notification emails. At its peak, Talos estimated approximately 2.89% of emails sent from GitHub on a single day were associated with this activity.",[],{},{"nodeType":235,"data":704,"content":705},{},[706],{"nodeType":239,"value":707,"marks":708,"data":709},"What’s clear is that attackers are abusing SaaS platforms that let anyone create organizations, name them whatever they want, and send invitation emails through the platform's own mail infrastructure. ",[],{},{"nodeType":274,"data":711,"content":712},{},[],{"nodeType":278,"data":714,"content":715},{},[716],{"nodeType":239,"value":717,"marks":718,"data":720},"What you can actually do about it",[719],{"type":285},{},{"nodeType":235,"data":722,"content":723},{},[724],{"nodeType":239,"value":725,"marks":726,"data":727},"The defensive challenge with poisoned tenant attacks is that they exploit legitimate platform functionality delivered through legitimate sites. There's no malicious URL to block, no spoofed domain to detect, and no attachment to scan. The invitation email is, by every technical measure, genuine. That said, there are practical steps that reduce the risk. ",[],{},{"nodeType":288,"data":729,"content":730},{},[731],{"nodeType":239,"value":732,"marks":733,"data":735},"Get visibility into SaaS organization membership",[734],{"type":285},{},{"nodeType":235,"data":737,"content":738},{},[739],{"nodeType":239,"value":740,"marks":741,"data":742},"Most organizations have no visibility into which SaaS platform invitations their employees are receiving or accepting. If an employee joins an attacker-controlled Slack workspace, OpenAI organization, or Jira project, the security team typically has no way to know. Any tool that provides visibility into SaaS account creation and organization membership — whether through browser telemetry, IdP monitoring, or platform API integration — closes a significant blind spot. ",[],{},{"nodeType":288,"data":744,"content":745},{},[746],{"nodeType":239,"value":747,"marks":748,"data":750},"Train for invitations, not just phishing",[749],{"type":285},{},{"nodeType":235,"data":752,"content":753},{},[754],{"nodeType":239,"value":755,"marks":756,"data":757},"Generic phishing awareness training doesn't cover this scenario well, because the emails genuinely aren't phishing in the traditional sense. They're legitimate platform notifications carrying an illegitimate invitation. Employees need to understand that an email from OpenAI, Microsoft, GitHub, or Atlassian can be both technically authentic and part of an attack — and that joining an organization on any platform is a security-relevant action that should be verified through an internal channel before accepting.",[],{},{"nodeType":288,"data":759,"content":760},{},[761],{"nodeType":239,"value":762,"marks":763,"data":765},"Can you protect against domain squatting?",[764],{"type":285},{},{"nodeType":235,"data":767,"content":768},{},[769],{"nodeType":239,"value":770,"marks":771,"data":772},"In some cases, you can register your organization name on a platform to prevent others from claiming it, even if you don't plan to use the platform's organizational features immediately. That said, in others you can have lots of tenants with the same name, and there are no protections around companies claiming a tenant ID impersonating your own — as in this case, where an attacker with a random email address was able to create a realistic-looking Push Security tenant. ",[],{},{"nodeType":288,"data":774,"content":775},{},[776],{"nodeType":239,"value":777,"marks":778,"data":780},"Lobby vendors to do better",[779],{"type":285},{},{"nodeType":235,"data":782,"content":783},{},[784],{"nodeType":239,"value":785,"marks":786,"data":787},"Platform vendors need to improve invitation controls. OpenAI does include a warning when the inviter's domain doesn't match the recipient's domain, which is better than nothing — but a single line of text in an otherwise polished invitation email is easy to miss.",[],{},{"nodeType":235,"data":789,"content":790},{},[791],{"nodeType":239,"value":792,"marks":793,"data":794},"Platforms should consider requiring domain verification before allowing an organization to use a company's name, adding more prominent warnings for cross-domain invitations, or allowing enterprise customers to restrict which organizations their employees can join.",[],{},{"nodeType":274,"data":796,"content":797},{},[],{"nodeType":278,"data":799,"content":800},{},[801],{"nodeType":239,"value":802,"marks":803,"data":805},"The bigger picture",[804],{"type":285},{},{"nodeType":235,"data":807,"content":808},{},[809],{"nodeType":239,"value":810,"marks":811,"data":812},"When we published the poisoned tenant technique in 2023, it was a theoretical attack that we hadn't seen used in the wild. Three years later, we've experienced it firsthand, and the technique has moved from our attack matrix to our incident log.",[],{},{"nodeType":235,"data":814,"content":815},{},[816,820,829],{"nodeType":239,"value":817,"marks":818,"data":819},"The explosion of SaaS platforms in enterprise environments (",[],{},{"nodeType":244,"data":821,"content":823},{"uri":822},"https://pushsecurity.com/blog/what-push-data-reveals-about-the-state-of-shadow-ai/",[824],{"nodeType":239,"value":825,"marks":826,"data":828},"particularly with the force multiplier that is AI",[827],{"type":252},{},{"nodeType":239,"value":830,"marks":831,"data":832},"), each with their own organization and invitation features, has created a sprawling attack surface that most security teams aren't monitoring. Every platform that lets anyone create an organization with any name and invite anyone to join it is offering attackers a trusted delivery channel.",[],{},{"nodeType":235,"data":834,"content":835},{},[836],{"nodeType":239,"value":837,"marks":838,"data":839},"And as AI platforms like OpenAI become standard tools in the enterprise, the value of a poisoned tenant on those platforms — with access to prompts, API usage, and potentially sensitive data — grows significantly.",[],{},{"nodeType":235,"data":841,"content":842},{},[843],{"nodeType":239,"value":844,"marks":845,"data":846},"It's good that we spend our days thinking about this stuff — the attack was caught quickly because the team is wary of exactly these kinds of techniques, and no data was exposed. The next organization targeted with this technique may not have that advantage, especially if the attacker's tenant sits in the background while employees unknowingly feed it data through their normal work.",[],{},{"nodeType":274,"data":848,"content":849},{},[],{"nodeType":278,"data":851,"content":852},{},[853],{"nodeType":239,"value":854,"marks":855,"data":857},"IoCs",[856],{"type":285},{},{"nodeType":235,"data":859,"content":860},{},[861],{"nodeType":239,"value":862,"marks":863,"data":864},"We’ve identified the following emails associated with the campaign so far (at least, in terms of the attacks directly targeting Push):",[],{},{"nodeType":866,"data":867,"content":868},"unordered-list",{},[869,880,890],{"nodeType":870,"data":871,"content":872},"list-item",{},[873],{"nodeType":235,"data":874,"content":875},{},[876],{"nodeType":239,"value":877,"marks":878,"data":879},"phamvankim2133@gmail[.]com",[],{},{"nodeType":870,"data":881,"content":882},{},[883],{"nodeType":235,"data":884,"content":885},{},[886],{"nodeType":239,"value":887,"marks":888,"data":889},"adam.bateman_928@faeththeraputics[.]email",[],{},{"nodeType":870,"data":891,"content":892},{},[893],{"nodeType":235,"data":894,"content":895},{},[896],{"nodeType":239,"value":897,"marks":898,"data":899},"amelindashaffer99495@gmail[.]com",[],{},{"nodeType":235,"data":901,"content":902},{},[903],{"nodeType":239,"value":904,"marks":905,"data":906},"However, the real list is likely to be much larger. We’ve confirmed that similar messages have also been received by Push customers. But it's not like you can easily block access to the tenants themselves — they are \"legit\" OpenAI tenants, using the normal OpenAI domain. And since a new one is being spun up each time, no two attacks will look the same.",[],{},{"nodeType":274,"data":908,"content":909},{},[],{"nodeType":235,"data":911,"content":912},{},[913],{"nodeType":239,"value":914,"marks":915,"data":916},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.",[],{},{"nodeType":235,"data":918,"content":919},{},[920],{"nodeType":239,"value":921,"marks":922,"data":923},"Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",[],{},{"nodeType":235,"data":925,"content":926},{},[927,930,939],{"nodeType":239,"value":29,"marks":928,"data":929},[],{},{"nodeType":244,"data":931,"content":933},{"uri":932},"https://pushsecurity.com/demo/",[934],{"nodeType":239,"value":935,"marks":936,"data":938},"Book a live demo to learn more.",[937],{"type":252},{},{"nodeType":239,"value":29,"marks":940,"data":941},[],{},{"entries":943},{"hyperlink":944,"inline":945,"block":946},[],[],[947,954,962,969,976,982,988,993,1000,1006],{"sys":948,"__typename":949,"type":950,"ctaText":951,"buttonLabel":952,"buttonColour":953,"buttonUrl":61},{"id":263},"CtaWidget","Custom","Check out our browser and identity attacks matrix for a comprehensive overview of attack techniques using a MITRE-inspired mapping.","Check it out","sunny orange",{"sys":955,"__typename":956,"title":530,"caption":957,"layoutMode":62,"file":958},{"id":271},"Image","Browser and identity-based techniques have exploded since we first launched our attack matrix",{"url":959,"width":960,"height":961},"https://images.ctfassets.net/y1cdw1ablpvd/L0Yc77y9vzrKVD72BQGX2/4ffe0bf61bd62f025262b8efd74394b7/Browser___Identity_Attacks_Matrix__1_.png",6160,4432,{"sys":963,"__typename":956,"title":964,"caption":964,"layoutMode":62,"file":965},{"id":314},"Invitation email showing OpenAI branding, \"Push Security Inc\" org name, and the Gmail sender address",{"url":966,"width":967,"height":968},"https://images.ctfassets.net/y1cdw1ablpvd/3eUI8n1hcCbP6nV2dZ2lLK/1f34b9057cafed9ef1472ea0902d84ac/image4.png",1833,775,{"sys":970,"__typename":956,"title":971,"caption":971,"layoutMode":62,"file":972},{"id":356},"\"Invite accepted\" confirmation page.",{"url":973,"width":974,"height":975},"https://images.ctfassets.net/y1cdw1ablpvd/38N7FnCMSQz519ZXQfpXo4/f848d30b238b943a47efa29d12b68b87/image5.png",1999,1031,{"sys":977,"__typename":956,"title":978,"caption":978,"layoutMode":62,"file":979},{"id":391},"Settings screen showing the organization name “Push Security Inc”.",{"url":980,"width":974,"height":981},"https://images.ctfassets.net/y1cdw1ablpvd/3bRsNJecXnZPE2VNzS2gRy/5b715bb1b01af459885be77757c94953/image6.png",1129,{"sys":983,"__typename":956,"title":984,"caption":62,"layoutMode":62,"file":985},{"id":397},"Members page showing the attacker's account and Luke's account.",{"url":986,"width":974,"height":987},"https://images.ctfassets.net/y1cdw1ablpvd/6SXC65KKIl6Kh7jWj24fG7/930d892e37218a1e7f0bbed06edaea6e/image7.png",602,{"sys":989,"__typename":956,"title":990,"caption":62,"layoutMode":62,"file":991},{"id":403},"Billing page showing attached Visa card.",{"url":992,"width":974,"height":981},"https://images.ctfassets.net/y1cdw1ablpvd/6lXKx1sPEpoPSLP0vWkWmX/042ea3d7a259234bb0ac53f93e79ff99/image2.png",{"sys":994,"__typename":956,"title":995,"caption":995,"layoutMode":62,"file":996},{"id":424},"Several Push employees had been invited to the tenant. Because I was an admin, I could also choose to resend the invites or remove them.",{"url":997,"width":998,"height":999},"https://images.ctfassets.net/y1cdw1ablpvd/4XMXNGxkUOZc8OJIEvAR5X/e51c2460775d712732f6a59bef28d018/image3.png",1936,1428,{"sys":1001,"__typename":956,"title":1002,"caption":1002,"layoutMode":62,"file":1003},{"id":626},"The LLMShare attack we recently disclosed also leveraged ChatGPT as a platform to distribute malware.",{"url":1004,"width":974,"height":1005},"https://images.ctfassets.net/y1cdw1ablpvd/5grmZOTXQcb1uDHhMw8e20/239aece66c5f29745dd2a77fd288de49/image1.png",875,{"sys":1007,"__typename":1008,"content":1009,"name":1032,"title":62},{"id":639},"InsightTextBlockComponent",{"json":1010},{"data":1011,"content":1012,"nodeType":231},{},[1013],{"data":1014,"content":1015,"nodeType":235},{},[1016,1020,1028],{"data":1017,"marks":1018,"value":1019,"nodeType":239},{},[],"AI apps are increasingly the ",{"data":1021,"content":1022,"nodeType":244},{"uri":822},[1023],{"data":1024,"marks":1025,"value":1027,"nodeType":239},{},[1026],{"type":252},"work hub for modern enterprise users",{"data":1029,"marks":1030,"value":1031,"nodeType":239},{},[],", even more so than something like M365 or Google Workspace once was. AI apps acting as the control plane for automation and orchestration across business apps are a security nightmare if compromised — if a user could be tricked into using the attacker’s tenant, connecting it to business apps and accounts, and then inadvertently running malicious instructions, the possible attack scenarios are extensive. ","OpenAI poisoned tenant IB1","json",{"items":1035},[],{},"Investigating a novel OpenAI poisoned tenant attack","2026-06-26T00:00:00.000Z",{"items":1040},[1041,1915,2727],{"__typename":1042,"sys":1043,"content":1045,"title":1893,"synopsis":1894,"hashTags":62,"publishedDate":1895,"slug":1896,"tagsCollection":1897,"authorsCollection":1907},"BlogPosts",{"id":1044},"211Dd0EIrXPOFpvRgs0fEE",{"json":1046},{"nodeType":231,"data":1047,"content":1048},{},[1049,1068,1087,1104,1110,1113,1121,1128,1135,1142,1149,1157,1160,1168,1175,1182,1189,1195,1203,1222,1229,1236,1252,1260,1291,1307,1314,1345,1353,1384,1391,1399,1418,1425,1432,1438,1445,1453,1472,1479,1498,1505,1508,1516,1523,1612,1619,1635,1638,1669,1688,1695,1702,1705,1713,1732,1739,1746,1764,1767,1775,1782,1815,1822,1839,1858,1864,1867,1874],{"nodeType":235,"data":1050,"content":1051},{},[1052,1056,1064],{"nodeType":239,"value":1053,"marks":1054,"data":1055},"When we released the ",[],{},{"nodeType":244,"data":1057,"content":1059},{"uri":1058},"https://pushsecurity.com/blog/saas-attack-techniques/",[1060],{"nodeType":239,"value":1061,"marks":1062,"data":1063},"SaaS attack matrix",[],{},{"nodeType":239,"value":1065,"marks":1066,"data":1067}," in 2023, we were anticipating a shift that was just beginning to take shape. The techniques that attackers were using to compromise cloud applications and identities weren't well represented in existing frameworks, and many of the ones we documented hadn't yet been widely observed in the wild.",[],{},{"nodeType":235,"data":1069,"content":1070},{},[1071,1075,1083],{"nodeType":239,"value":1072,"marks":1073,"data":1074},"A year later, we ",[],{},{"nodeType":244,"data":1076,"content":1078},{"uri":1077},"https://pushsecurity.com/blog/the-saas-attack-matrix-one-year-on/",[1079],{"nodeType":239,"value":1080,"marks":1081,"data":1082},"reviewed what had changed",[],{},{"nodeType":239,"value":1084,"marks":1085,"data":1086}," and found that the initial access phase — the techniques designed to compromise an identity in the first place — was where almost all of the attacker innovation was concentrated. And two years on, that trend has become the story of the modern threat landscape. ",[],{},{"nodeType":235,"data":1088,"content":1089},{},[1090,1094,1100],{"nodeType":239,"value":1091,"marks":1092,"data":1093},"Today, we're re-releasing the matrix as the ",[],{},{"nodeType":244,"data":1095,"content":1096},{"uri":61},[1097],{"nodeType":239,"value":530,"marks":1098,"data":1099},[],{},{"nodeType":239,"value":1101,"marks":1102,"data":1103},". The name change isn't cosmetic. It reflects that the attacks driving the most consequential breaches are browser-based and identity-first.",[],{},{"nodeType":259,"data":1105,"content":1109},{"target":1106},{"sys":1107},{"id":1108,"type":264,"linkType":265},"MSnrBRJtiQxpv2qxFLCVE",[],{"nodeType":274,"data":1111,"content":1112},{},[],{"nodeType":278,"data":1114,"content":1115},{},[1116],{"nodeType":239,"value":1117,"marks":1118,"data":1120},"Why the scope needed to change",[1119],{"type":285},{},{"nodeType":235,"data":1122,"content":1123},{},[1124],{"nodeType":239,"value":1125,"marks":1126,"data":1127},"The original SaaS attack matrix was built around a specific insight: that attacks targeting modern business applications played out entirely over the internet, without touching endpoints or internal networks in any way that EDR or network detection tools would recognize.",[],{},{"nodeType":235,"data":1129,"content":1130},{},[1131],{"nodeType":239,"value":1132,"marks":1133,"data":1134},"That framing was useful, and it remains true. But it anchored the matrix to the post-access phase — what attackers do once they're inside a SaaS application — and didn't give enough weight to the initial access techniques that determine whether attackers get there in the first place.",[],{},{"nodeType":235,"data":1136,"content":1137},{},[1138],{"nodeType":239,"value":1139,"marks":1140,"data":1141},"The problem is that initial access is where the overwhelming majority of attacker innovation and investment is concentrated, and the techniques being used to achieve it are best understood as browser and identity attacks rather than SaaS-specific ones. AiTM phishing, ClickFix and its growing family of clipboard-injection variants, device code phishing, OAuth consent abuse, credential stuffing powered by infostealer supply chains, malicious browser extensions all happen in or via the browser.",[],{},{"nodeType":235,"data":1143,"content":1144},{},[1145],{"nodeType":239,"value":1146,"marks":1147,"data":1148},"Another issue is that \"SaaS\" has arguably ceased to be a meaningful category. When we consider that most organizations run the majority of their business on cloud applications, the difference between what constitutes \"SaaS\" versus cloud versus just \"business IT\" is pretty blurry (and feels like an academic rather than practical difference).",[],{},{"nodeType":235,"data":1150,"content":1151},{},[1152],{"nodeType":239,"value":1153,"marks":1154,"data":1156},"So it's less about whether an attack is a \"SaaS attack\" and more about how these attacks actually play out. ",[1155],{"type":285},{},{"nodeType":274,"data":1158,"content":1159},{},[],{"nodeType":278,"data":1161,"content":1162},{},[1163],{"nodeType":239,"value":1164,"marks":1165,"data":1167},"The technique landscape has transformed",[1166],{"type":285},{},{"nodeType":235,"data":1169,"content":1170},{},[1171],{"nodeType":239,"value":1172,"marks":1173,"data":1174},"The second part to the change is the fact that scale and speed of attacker innovation in the space justifies it.",[],{},{"nodeType":235,"data":1176,"content":1177},{},[1178],{"nodeType":239,"value":1179,"marks":1180,"data":1181},"When we launched the matrix in mid-2023, AiTM phishing was emerging as a serious concern but was far from ubiquitous. ClickFix didn't exist as a named technique. Device code phishing was a curiosity documented by a handful of researchers. ConsentFix was years away from being discovered. Browser extension supply chain attacks were rare enough to be individually notable.",[],{},{"nodeType":235,"data":1183,"content":1184},{},[1185],{"nodeType":239,"value":1186,"marks":1187,"data":1188},"In the two and a half years since, every one of these has become a mainstream, industrialized attack technique — and several have converged in ways that would have been hard to predict.",[],{},{"nodeType":259,"data":1190,"content":1194},{"target":1191},{"sys":1192},{"id":1193,"type":264,"linkType":265},"5Kw2kSrL8u4VyslxK8HCtR",[],{"nodeType":288,"data":1196,"content":1197},{},[1198],{"nodeType":239,"value":1199,"marks":1200,"data":1202},"AiTM phishing has become the default phishing method",[1201],{"type":285},{},{"nodeType":235,"data":1204,"content":1205},{},[1206,1210,1218],{"nodeType":239,"value":1207,"marks":1208,"data":1209},"AiTM phishing is now the standard, powered by Phishing-as-a-Service kits that operate with the release cycles and customer support of legitimate SaaS products. Tycoon 2FA alone accounted for ",[],{},{"nodeType":244,"data":1211,"content":1213},{"uri":1212},"https://pushsecurity.com/blog/2025-top-phishing-trends/",[1214],{"nodeType":239,"value":1215,"marks":1216,"data":1217},"62% of phishing detected by Microsoft",[],{},{"nodeType":239,"value":1219,"marks":1220,"data":1221}," and over 64,000 confirmed incidents, with Sneaky2FA, FlowerStorm, Evilginx, and a growing roster of competitors filling out the marketplace.",[],{},{"nodeType":235,"data":1223,"content":1224},{},[1225],{"nodeType":239,"value":1226,"marks":1227,"data":1228},"AiTM is constantly evolving, with vendors adding new features, capabilities, detection evasion techniques, and so on. Abuse of legitimate platforms, and increasingly AI-assisted development means that it’s trivial for attackers to spin up and tear down infrastructure, scale their campaigns, target specific organizations with crafted pages and lures, and generally means that attackers can operate highly sophisticated attacks with minimal effort and complexity. This makes AiTM and other PhaaS-powered techniques extremely accessible to all kinds of criminals.  ",[],{},{"nodeType":235,"data":1230,"content":1231},{},[1232],{"nodeType":239,"value":1233,"marks":1234,"data":1235},"These kits are delivered across several browser-based channels — not just email. Push data consistently shows that roughly 1 in 3 phishing payloads we intercept arrive via social media, search ads, messaging apps, or other non-email vectors.",[],{},{"nodeType":235,"data":1237,"content":1238},{},[1239,1243,1248],{"nodeType":239,"value":1240,"marks":1241,"data":1242},"Vishing has also surged as a delivery channel — CrowdStrike documented a ",[],{},{"nodeType":239,"value":1244,"marks":1245,"data":1247},"442% year-over-year increase",[1246],{"type":285},{},{"nodeType":239,"value":1249,"marks":1250,"data":1251},", and Mandiant found it was the single most common initial vector in cloud compromises at 23%. But the trend that matters isn't voice calls in isolation; it's voice calls combined with browser-based payloads, where a live operator guides the victim into an AiTM page or device code flow that the call alone could not execute.",[],{},{"nodeType":288,"data":1253,"content":1254},{},[1255],{"nodeType":239,"value":1256,"marks":1257,"data":1259},"ClickFix is the top reported initial access vector",[1258],{"type":285},{},{"nodeType":235,"data":1261,"content":1262},{},[1263,1267,1275,1279,1287],{"nodeType":239,"value":1264,"marks":1265,"data":1266},"ClickFix has gone from nonexistent to one of the most prevalent initial access techniques in under 18 months. Microsoft reported it as the ",[],{},{"nodeType":244,"data":1268,"content":1270},{"uri":1269},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf",[1271],{"nodeType":239,"value":1272,"marks":1273,"data":1274},"most common initial access vector in 2025",[],{},{"nodeType":239,"value":1276,"marks":1277,"data":1278},", accounting for 47% of observed attacks, while CrowdStrike documented a ",[],{},{"nodeType":244,"data":1280,"content":1282},{"uri":1281},"https://www.crowdstrike.com/explore/2026-global-threat-report",[1283],{"nodeType":239,"value":1284,"marks":1285,"data":1286},"563% increase",[],{},{"nodeType":239,"value":1288,"marks":1289,"data":1290}," in fake CAPTCHA lures (a top ClickFix style).",[],{},{"nodeType":235,"data":1292,"content":1293},{},[1294,1298,1303],{"nodeType":239,"value":1295,"marks":1296,"data":1297},"ClickFix is admittedly an outlier in a browser attacks matrix — the payload ultimately executes on the endpoint, not in the browser — but the delivery is overwhelmingly browser-based: ",[],{},{"nodeType":239,"value":1299,"marks":1300,"data":1302},"4 in 5 ClickFix payloads",[1301],{"type":285},{},{"nodeType":239,"value":1304,"marks":1305,"data":1306}," intercepted by Push arrive via search engines as a result of malvertising or compromised web pages, not email, which means the browser is the only control point that actually sees the attack before the user pastes the malicious command.",[],{},{"nodeType":235,"data":1308,"content":1309},{},[1310],{"nodeType":239,"value":1311,"marks":1312,"data":1313},"ClickFix is now the primary delivery mechanism for infostealer malware, which is in turn the primary source of the stolen credentials and session tokens that power credential stuffing and session hijacking — which means the technique sits at the start of a cycle where one class of browser-delivered attack generates the raw material for the next.",[],{},{"nodeType":235,"data":1315,"content":1316},{},[1317,1321,1329,1333,1341],{"nodeType":239,"value":1318,"marks":1319,"data":1320},"The success of ClickFix has predictably spawned a growing family of derivatives — FileFix, CrashFix, ",[],{},{"nodeType":244,"data":1322,"content":1324},{"uri":1323},"https://pushsecurity.com/blog/installfix/",[1325],{"nodeType":239,"value":1326,"marks":1327,"data":1328},"InstallFix",[],{},{"nodeType":239,"value":1330,"marks":1331,"data":1332}," — and much of the naming is marketing hype around variations on the same clipboard-injection mechanic. But ",[],{},{"nodeType":244,"data":1334,"content":1336},{"uri":1335},"https://pushsecurity.com/blog/consentfix/",[1337],{"nodeType":239,"value":1338,"marks":1339,"data":1340},"ConsentFix",[],{},{"nodeType":239,"value":1342,"marks":1343,"data":1344}," was a genuinely novel development.",[],{},{"nodeType":288,"data":1346,"content":1347},{},[1348],{"nodeType":239,"value":1349,"marks":1350,"data":1352},"Browser-native ClickFix: ConsentFix",[1351],{"type":285},{},{"nodeType":235,"data":1354,"content":1355},{},[1356,1360,1368,1372,1380],{"nodeType":239,"value":1357,"marks":1358,"data":1359},"ConsentFix is a fully browser-native attack that merged ClickFix-style social engineering with OAuth consent abuse, compromising accounts through a legitimate Microsoft authorization flow with no endpoint component at all. ConsentFix was ",[],{},{"nodeType":244,"data":1361,"content":1363},{"uri":1362},"https://pushsecurity.com/blog/consentfix-debrief/",[1364],{"nodeType":239,"value":1365,"marks":1366,"data":1367},"traced to APT29",[],{},{"nodeType":239,"value":1369,"marks":1370,"data":1371}," and has since been ",[],{},{"nodeType":244,"data":1373,"content":1375},{"uri":1374},"https://pushsecurity.com/blog/consentfix-v3-analyzing-a-new-toolkit/",[1376],{"nodeType":239,"value":1377,"marks":1378,"data":1379},"commercialized on criminal forums",[],{},{"nodeType":239,"value":1381,"marks":1382,"data":1383},", following the same path from state-sponsored technique to commodity criminal tooling that we've seen repeatedly in this space.",[],{},{"nodeType":235,"data":1385,"content":1386},{},[1387],{"nodeType":239,"value":1388,"marks":1389,"data":1390},"ConsentFix demonstrates that the clipboard-injection mechanic can evolve into something that operates entirely within the browser, eliminating the endpoint detection surface that traditional ClickFix still exposed.",[],{},{"nodeType":288,"data":1392,"content":1393},{},[1394],{"nodeType":239,"value":1395,"marks":1396,"data":1398},"Attackers have pivoted to authorization attacks to get around login controls",[1397],{"type":285},{},{"nodeType":235,"data":1400,"content":1401},{},[1402,1406,1414],{"nodeType":239,"value":1403,"marks":1404,"data":1405},"Authorization attacks like device code phishing have seen a ",[],{},{"nodeType":244,"data":1407,"content":1409},{"uri":1408},"https://pushsecurity.com/blog/device-code-phishing/",[1410],{"nodeType":239,"value":1411,"marks":1412,"data":1413},"37.5x increase",[],{},{"nodeType":239,"value":1415,"marks":1416,"data":1417}," since the start of 2026, with at least 12 distinct kits now offering the technique. It bypasses standard authentication controls — including passkeys — because the attack occurs through the OAuth device authorization flow rather than the standard login flow. ",[],{},{"nodeType":235,"data":1419,"content":1420},{},[1421],{"nodeType":239,"value":1422,"marks":1423,"data":1424},"The technique was first associated with nation-state actors like Storm-2372, but went from espionage-grade to commodity PhaaS tooling in roughly eighteen months, with kits like EvilTokens and Venom now offering turnkey device code phishing as a service.",[],{},{"nodeType":235,"data":1426,"content":1427},{},[1428],{"nodeType":239,"value":1429,"marks":1430,"data":1431},"The device code authorization is effectively performed post-authentication. If you already have an active session in your browser, entering the device code and selecting your account from a drop-down menu is all that's needed. No password or MFA required. You can see an example in the video below.",[],{},{"nodeType":259,"data":1433,"content":1437},{"target":1434},{"sys":1435},{"id":1436,"type":264,"linkType":265},"2WPb41lNRajdpt5pogQg8M",[],{"nodeType":235,"data":1439,"content":1440},{},[1441],{"nodeType":239,"value":1442,"marks":1443,"data":1444},"And the ecosystem is adapting to this opportunity: established AiTM vendors like Tycoon are adding authorization-focused options alongside their existing credential-harvesting capabilities, which points toward multi-technique platforms where operators pick the right tool for whatever defenses the target has in place.",[],{},{"nodeType":288,"data":1446,"content":1447},{},[1448],{"nodeType":239,"value":1449,"marks":1450,"data":1452},"Malicious and hacked browser extensions are one of the fastest growing threats",[1451],{"type":285},{},{"nodeType":235,"data":1454,"content":1455},{},[1456,1460,1468],{"nodeType":239,"value":1457,"marks":1458,"data":1459},"Malicious browser extensions have matured from an occasional nuisance into a scalable supply chain attack vector. The ",[],{},{"nodeType":244,"data":1461,"content":1463},{"uri":1462},"https://pushsecurity.com/blog/why-browser-extension-risk-scoring-wont-predict-your-next-breach/",[1464],{"nodeType":239,"value":1465,"marks":1466,"data":1467},"Cyberhaven compromise",[],{},{"nodeType":239,"value":1469,"marks":1470,"data":1471}," in December 2024 — where approximately 35 extensions were weaponized through a single OAuth phishing campaign targeting developers — impacted 2.6 million users and demonstrated that extension supply chain attacks can achieve the kind of reach that used to require a compromised software update server.",[],{},{"nodeType":235,"data":1473,"content":1474},{},[1475],{"nodeType":239,"value":1476,"marks":1477,"data":1478},"Since Cyberhaven, the pace has only accelerated. In 2026 alone, researchers have publicly disclosed at least 250 confirmed malicious browser extensions affecting roughly 1.75 million users, alongside a further 370+ extensions engaged in undisclosed or policy-disclosed data harvesting affecting an additional 44 million users. That doesn't count the extensions from late-2025 campaigns (DarkSpectre, AITOPIA, Trust Wallet) whose impacts carried into 2026.",[],{},{"nodeType":235,"data":1480,"content":1481},{},[1482,1486,1494],{"nodeType":239,"value":1483,"marks":1484,"data":1485},"The attack paths have also expanded. Beyond phishing developers for take over Web Store accounts (the Cyberhaven playbook), attackers are buying existing extensions from developers, waiting for ownership transfers or abandonments to take over, and increasingly vibe-coding their own functional extensions from scratch to build an audience that can later be weaponized. The common thread is that ",[],{},{"nodeType":244,"data":1487,"content":1488},{"uri":1462},[1489],{"nodeType":239,"value":1490,"marks":1491,"data":1493},"most malicious extensions didn't start out malicious",[1492],{"type":252},{},{"nodeType":239,"value":1495,"marks":1496,"data":1497}," — they started as legitimate tools and were turned into weapons after the fact.",[],{},{"nodeType":235,"data":1499,"content":1500},{},[1501],{"nodeType":239,"value":1502,"marks":1503,"data":1504},"None of this is happening in isolation. The threat landscape has reoriented around browser-based initial access and identity compromise — and the matrix needed to catch up.",[],{},{"nodeType":274,"data":1506,"content":1507},{},[],{"nodeType":278,"data":1509,"content":1510},{},[1511],{"nodeType":239,"value":1512,"marks":1513,"data":1515},"The evolution is playing out in public breaches",[1514],{"type":285},{},{"nodeType":235,"data":1517,"content":1518},{},[1519],{"nodeType":239,"value":1520,"marks":1521,"data":1522},"It’s worth reinforcing that when the SaaS matrix was first released, many of these attacks hadn’t been seen in the wild. The change today is staggering:",[],{},{"nodeType":866,"data":1524,"content":1525},{},[1526,1548,1570,1590],{"nodeType":870,"data":1527,"content":1528},{},[1529],{"nodeType":235,"data":1530,"content":1531},{},[1532,1536,1544],{"nodeType":239,"value":1533,"marks":1534,"data":1535},"When ",[],{},{"nodeType":244,"data":1537,"content":1539},{"uri":1538},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[1540],{"nodeType":239,"value":1541,"marks":1542,"data":1543},"Scattered Lapsus$ Hunters",[],{},{"nodeType":239,"value":1545,"marks":1546,"data":1547}," compromised over a thousand organizations' Salesforce tenants through device code phishing, the attack started with a phone call, moved through a browser-based authorization flow for the attacker’s app, and ended with mass data exfiltration via API.",[],{},{"nodeType":870,"data":1549,"content":1550},{},[1551],{"nodeType":235,"data":1552,"content":1553},{},[1554,1558,1566],{"nodeType":239,"value":1555,"marks":1556,"data":1557},"When the same collective launched ",[],{},{"nodeType":244,"data":1559,"content":1561},{"uri":1560},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[1562],{"nodeType":239,"value":1563,"marks":1564,"data":1565},"AiTM phishing campaigns",[],{},{"nodeType":239,"value":1567,"marks":1568,"data":1569}," targeting Okta and Entra SSO, the phishing page was operated by a human in real time and delivered over a voice call — not email.",[],{},{"nodeType":870,"data":1571,"content":1572},{},[1573],{"nodeType":235,"data":1574,"content":1575},{},[1576,1579,1586],{"nodeType":239,"value":1533,"marks":1577,"data":1578},[],{},{"nodeType":244,"data":1580,"content":1581},{"uri":1335},[1582],{"nodeType":239,"value":1583,"marks":1584,"data":1585},"APT29 deployed ConsentFix",[],{},{"nodeType":239,"value":1587,"marks":1588,"data":1589}," across dozens of compromised websites, the entire attack chain was browser-native, abusing a legitimate Microsoft OAuth flow to bypass MFA without proxying a single credential.",[],{},{"nodeType":870,"data":1591,"content":1592},{},[1593],{"nodeType":235,"data":1594,"content":1595},{},[1596,1600,1608],{"nodeType":239,"value":1597,"marks":1598,"data":1599},"The ",[],{},{"nodeType":244,"data":1601,"content":1603},{"uri":1602},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-snowflake-june-2024",[1604],{"nodeType":239,"value":1605,"marks":1606,"data":1607},"Snowflake breach",[],{},{"nodeType":239,"value":1609,"marks":1610,"data":1611}," — arguably the most consequential credential-based campaign of the past several years — saw 165 organizations breached using credentials that had been sitting in infostealer dumps for years, replayed against Snowflake tenants that lacked mandatory MFA. The attack surface wasn't Snowflake's application logic; it was the identity hygiene gap that every organization carries across hundreds of apps.",[],{},{"nodeType":235,"data":1613,"content":1614},{},[1615],{"nodeType":239,"value":1616,"marks":1617,"data":1618},"And that’s just the big picture. Every month we’re tracking new public breaches involving browser and identity TTPs — which again, are just the tip of the iceberg when you consider that many breaches are settled quietly without hitting the headlines. ",[],{},{"nodeType":235,"data":1620,"content":1621},{},[1622,1626,1631],{"nodeType":239,"value":1623,"marks":1624,"data":1625},"One of the key drivers here is the shrinking time-to-exploit. CrowdStrike's average e-crime breakout time is down to ",[],{},{"nodeType":239,"value":1627,"marks":1628,"data":1630},"29 minutes",[1629],{"type":285},{},{"nodeType":239,"value":1632,"marks":1633,"data":1634},", with the fastest recorded at 27 seconds. When attackers can move from initial access to data exfiltration within minutes, the window for post-compromise detection collapses to near zero. The best chance of stopping the attack is at the point of initial access before the identity is compromised.",[],{},{"nodeType":274,"data":1636,"content":1637},{},[],{"nodeType":278,"data":1639,"content":1640},{},[1641,1646,1653,1658,1664],{"nodeType":239,"value":1642,"marks":1643,"data":1645},"Sidenote: why we're looking at attacks ",[1644],{"type":285},{},{"nodeType":239,"value":1647,"marks":1648,"data":1652},"in",[1649,1651],{"type":1650},"italic",{"type":285},{},{"nodeType":239,"value":1654,"marks":1655,"data":1657}," the browser, not ",[1656],{"type":285},{},{"nodeType":239,"value":1659,"marks":1660,"data":1663},"on",[1661,1662],{"type":1650},{"type":285},{},{"nodeType":239,"value":1665,"marks":1666,"data":1668}," the browser",[1667],{"type":285},{},{"nodeType":235,"data":1670,"content":1671},{},[1672,1676,1684],{"nodeType":239,"value":1673,"marks":1674,"data":1675},"Calling this a \"browser attacks\" matrix needs clarification. We're not talking about browser exploits — RCE vulnerabilities, sandbox escapes, memory corruption bugs. Those attacks target the browser itself, they're extraordinarily expensive to develop, and they're increasingly rare. Browser zero-days hit a ",[],{},{"nodeType":244,"data":1677,"content":1679},{"uri":1678},"https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review",[1680],{"nodeType":239,"value":1681,"marks":1682,"data":1683},"historic low of 9%",[],{},{"nodeType":239,"value":1685,"marks":1686,"data":1687}," of all zero-days reported to Google, and a Chrome RCE commands a $250,000 bug bounty.",[],{},{"nodeType":235,"data":1689,"content":1690},{},[1691],{"nodeType":239,"value":1692,"marks":1693,"data":1694},"In comparison, a one-year phishing kit rental costs $1,000. A bulk stolen credential list costs $15. An initial-access-broker-provided IdP admin account costs $3,000. When it costs orders of magnitude less to exploit the person using the browser than to exploit the browser itself, attackers will take the cheaper option every time.",[],{},{"nodeType":235,"data":1696,"content":1697},{},[1698],{"nodeType":239,"value":1699,"marks":1700,"data":1701},"It's worth heading off the obvious counterargument: won't AI-assisted vulnerability discovery eventually make browser exploits cheaper? Perhaps — but it will simultaneously make them easier for browser vendors to find and patch, and vendors like Google and Microsoft have the engineering capacity and financial incentive to scale AI-driven remediation far faster than attackers can scale exploit development.",[],{},{"nodeType":274,"data":1703,"content":1704},{},[],{"nodeType":278,"data":1706,"content":1707},{},[1708],{"nodeType":239,"value":1709,"marks":1710,"data":1712},"What hasn't changed",[1711],{"type":285},{},{"nodeType":235,"data":1714,"content":1715},{},[1716,1720,1728],{"nodeType":239,"value":1717,"marks":1718,"data":1719},"The matrix remains open-source, community-maintained, and available on ",[],{},{"nodeType":244,"data":1721,"content":1723},{"uri":1722},"https://github.com/pushsecurity/saas-attacks",[1724],{"nodeType":239,"value":1725,"marks":1726,"data":1727},"GitHub",[],{},{"nodeType":239,"value":1729,"marks":1730,"data":1731},". The goal is the same as it was in 2023: to give offensive and defensive security teams a shared reference point for the techniques that matter most.",[],{},{"nodeType":235,"data":1733,"content":1734},{},[1735],{"nodeType":239,"value":1736,"marks":1737,"data":1738},"We built it because there was a gap in how the industry talked about these techniques, and that gap still exists — MITRE ATT&CK remains essential for endpoint and network TTPs, but the browser-based, identity-first techniques behind most modern breaches are still underrepresented in traditional frameworks.",[],{},{"nodeType":235,"data":1740,"content":1741},{},[1742],{"nodeType":239,"value":1743,"marks":1744,"data":1745},"We continue to maintain the matrix with input from red teams, detection engineers, and threat researchers across the community. Some of the most valuable additions over the past two years have come from practitioners who encountered a technique on an engagement or in an investigation and contributed it back to the repository.",[],{},{"nodeType":235,"data":1747,"content":1748},{},[1749,1753,1760],{"nodeType":239,"value":1750,"marks":1751,"data":1752},"If you're an offensive security professional using these techniques on engagements, or a defender building detections against them, we want to hear from you. Submit a PR, open a discussion, or flag a technique we've missed on ",[],{},{"nodeType":244,"data":1754,"content":1756},{"uri":1755},"https://github.com/pushsecurity/browser-identity-attacks-matrix",[1757],{"nodeType":239,"value":1725,"marks":1758,"data":1759},[],{},{"nodeType":239,"value":1761,"marks":1762,"data":1763},".",[],{},{"nodeType":274,"data":1765,"content":1766},{},[],{"nodeType":278,"data":1768,"content":1769},{},[1770],{"nodeType":239,"value":1771,"marks":1772,"data":1774},"Looking ahead",[1773],{"type":285},{},{"nodeType":235,"data":1776,"content":1777},{},[1778],{"nodeType":239,"value":1779,"marks":1780,"data":1781},"The pace of attacker innovation in browser-based initial access techniques over the past 18 months has been unlike anything we've tracked before — technique after technique moving from research curiosity to industrialized criminal tooling within months, not years.",[],{},{"nodeType":866,"data":1783,"content":1784},{},[1785,1795,1805],{"nodeType":870,"data":1786,"content":1787},{},[1788],{"nodeType":235,"data":1789,"content":1790},{},[1791],{"nodeType":239,"value":1792,"marks":1793,"data":1794},"AiTM platforms are adding authorization-based attack options alongside their credential-harvesting capabilities.",[],{},{"nodeType":870,"data":1796,"content":1797},{},[1798],{"nodeType":235,"data":1799,"content":1800},{},[1801],{"nodeType":239,"value":1802,"marks":1803,"data":1804},"ClickFix has spawned fully browser-native variants.",[],{},{"nodeType":870,"data":1806,"content":1807},{},[1808],{"nodeType":235,"data":1809,"content":1810},{},[1811],{"nodeType":239,"value":1812,"marks":1813,"data":1814},"AI is lowering the cost of producing convincing social engineering and phishing infrastructure at scale.",[],{},{"nodeType":235,"data":1816,"content":1817},{},[1818],{"nodeType":239,"value":1819,"marks":1820,"data":1821},"We don't see any of this slowing down, and that's exactly why thinking about these attacks as a browser problem instead of siloing them across email, endpoint, network, and cloud categories, each with a partial view of the picture (and still missing the whole when combined).",[],{},{"nodeType":235,"data":1823,"content":1824},{},[1825,1829,1836],{"nodeType":239,"value":1826,"marks":1827,"data":1828},"The Browser & Identity Attacks Matrix is our contribution to keeping that shared understanding current. You can ",[],{},{"nodeType":244,"data":1830,"content":1831},{"uri":61},[1832],{"nodeType":239,"value":1833,"marks":1834,"data":1835},"explore the matrix here",[],{},{"nodeType":239,"value":1761,"marks":1837,"data":1838},[],{},{"nodeType":235,"data":1840,"content":1841},{},[1842,1846,1854],{"nodeType":239,"value":1843,"marks":1844,"data":1845},"You can also read our recent ",[],{},{"nodeType":244,"data":1847,"content":1849},{"uri":1848},"https://pushsecurity.com/thank-you/browser-attacks-report",[1850],{"nodeType":239,"value":1851,"marks":1852,"data":1853},"browser attack techniques report",[],{},{"nodeType":239,"value":1855,"marks":1856,"data":1857}," for more information.",[],{},{"nodeType":259,"data":1859,"content":1863},{"target":1860},{"sys":1861},{"id":1862,"type":264,"linkType":265},"1hx6sxpyEzxn4F4jc1RGQi",[],{"nodeType":274,"data":1865,"content":1866},{},[],{"nodeType":235,"data":1868,"content":1869},{},[1870],{"nodeType":239,"value":1871,"marks":1872,"data":1873},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required. Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",[],{},{"nodeType":235,"data":1875,"content":1876},{},[1877,1881,1889],{"nodeType":239,"value":1878,"marks":1879,"data":1880},"Book a ",[],{},{"nodeType":244,"data":1882,"content":1884},{"uri":1883},"https://pushsecurity.com/demo",[1885],{"nodeType":239,"value":1886,"marks":1887,"data":1888},"live demo",[],{},{"nodeType":239,"value":1890,"marks":1891,"data":1892}," to learn more.",[],{},"Introducing the Browser & Identity Attacks Matrix","We're re-releasing the SaaS attack matrix as the Browser & Identity Attacks Matrix. Here's why we've decided to make the change and what it means.","2026-05-08T00:00:00.000Z","introducing-the-browser-and-identity-attacks-matrix",{"items":1898},[1899,1903],{"sys":1900,"name":1902},{"id":1901},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1904,"name":1906},{"id":1905},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1908},[1909],{"fullName":1910,"firstName":1911,"jobTitle":1912,"profilePicture":1913},"Dan Green","Dan","Threat Research",{"url":1914},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1042,"sys":1916,"content":1918,"title":2709,"synopsis":2710,"hashTags":62,"publishedDate":2711,"slug":2712,"tagsCollection":2713,"authorsCollection":2719},{"id":1917},"Gcg7PGuICrlRcqq1QFXxH",{"json":1919},{"nodeType":231,"data":1920,"content":1921},{},[1922,1929,1936,1967,1974,1980,1986,1998,2001,2009,2025,2032,2038,2045,2052,2058,2061,2069,2076,2082,2088,2095,2102,2120,2126,2129,2137,2155,2161,2168,2171,2179,2186,2193,2199,2205,2249,2256,2259,2267,2274,2281,2324,2331,2362,2369,2412,2419,2422,2430,2449,2456,2464,2479,2486,2505,2512,2515,2521,2527,2543,2546,2554,2573,2580,2703],{"nodeType":235,"data":1923,"content":1924},{},[1925],{"nodeType":239,"value":1926,"marks":1927,"data":1928},"Shared conversations on AI chatbot platforms have become the latest delivery mechanism for malware campaigns targeting macOS and Windows users. Attackers create content on platforms like ChatGPT and Claude that appears to offer installation guidance or service updates, then drive traffic to it via search engine results in the form of malvertising and SEO poisoning.  ",[],{},{"nodeType":235,"data":1930,"content":1931},{},[1932],{"nodeType":239,"value":1933,"marks":1934,"data":1935},"The content lives on chatgpt.com or claude.ai — domains that users and security tools trust implicitly — so the attack bypasses URL reputation checks before the victim even reaches the malicious payload.",[],{},{"nodeType":235,"data":1937,"content":1938},{},[1939,1943,1951,1955,1963],{"nodeType":239,"value":1940,"marks":1941,"data":1942},"Several variants of this technique have been ",[],{},{"nodeType":244,"data":1944,"content":1946},{"uri":1945},"https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-claudeai-chats-to-push-mac-malware/",[1947],{"nodeType":239,"value":1948,"marks":1949,"data":1950},"reported over the past few months",[],{},{"nodeType":239,"value":1952,"marks":1953,"data":1954},". The earliest examples used shared Claude.ai conversations disguised as installation guides — complete with fake \"Apple Support\" attribution — that walked users through opening a terminal and pasting a curl command that downloaded and executed an infostealer. ",[],{},{"nodeType":244,"data":1956,"content":1958},{"uri":1957},"https://www.kaspersky.com/blog/share-chatgpt-chat-clickfix-macos-amos-infostealer/54928/",[1959],{"nodeType":239,"value":1960,"marks":1961,"data":1962},"Kaspersky documented a parallel campaign",[],{},{"nodeType":239,"value":1964,"marks":1965,"data":1966}," using shared ChatGPT conversations to deliver the AMOS (Atomic macOS Stealer) via the same paste-this-command social engineering pattern. ",[],{},{"nodeType":235,"data":1968,"content":1969},{},[1970],{"nodeType":239,"value":1971,"marks":1972,"data":1973},"Push has detected a new variant that goes beyond the previously reported technique of embedding terminal commands in shared conversations: the attacker has used ChatGPT's code rendering feature to build a fully designed fake page that mimics a ChatGPT service disruption, redirecting victims to a convincing clone of ChatGPT's download page that delivers a malicious executable. ",[],{},{"nodeType":259,"data":1975,"content":1979},{"target":1976},{"sys":1977},{"id":1978,"type":264,"linkType":265},"5lz9zt223pecGvdaqdvSTQ",[],{"nodeType":259,"data":1981,"content":1985},{"target":1982},{"sys":1983},{"id":1984,"type":264,"linkType":265},"51GomAj3VOjnbmgd1DWYu0",[],{"nodeType":235,"data":1987,"content":1988},{},[1989,1994],{"nodeType":239,"value":1990,"marks":1991,"data":1993},"This is a live campaign which is still generating detections across our customer base at the time of writing. ",[1992],{"type":285},{},{"nodeType":239,"value":1995,"marks":1996,"data":1997},"Push customers are already protected and do not need to take further action. The malicious page URLs can be found at the end of this report but are not exhaustive and are liable to change. ",[],{},{"nodeType":274,"data":1999,"content":2000},{},[],{"nodeType":278,"data":2002,"content":2003},{},[2004],{"nodeType":239,"value":2005,"marks":2006,"data":2008},"A fake page, not a fake conversation",[2007],{"type":285},{},{"nodeType":235,"data":2010,"content":2011},{},[2012,2016,2021],{"nodeType":239,"value":2013,"marks":2014,"data":2015},"Previously reported variants relied on shared ",[],{},{"nodeType":239,"value":2017,"marks":2018,"data":2020},"conversations",[2019],{"type":1650},{},{"nodeType":239,"value":2022,"marks":2023,"data":2024}," — the attacker created a chat that contained step-by-step instructions for the victim to follow, typically involving pasting a command into their terminal. The social engineering was conversational: the \"AI assistant\" appeared to be helpfully guiding the user through an installation process.",[],{},{"nodeType":235,"data":2026,"content":2027},{},[2028],{"nodeType":239,"value":2029,"marks":2030,"data":2031},"But now, rather than a shared conversation, the attacker has used ChatGPT's code rendering feature to create a fully designed, self-contained web page hosted at a chatgpt.com/s/ URL. It renders as what appears to be a ChatGPT service disruption notice:",[],{},{"nodeType":259,"data":2033,"content":2037},{"target":2034},{"sys":2035},{"id":2036,"type":264,"linkType":265},"1O9gyQab81SnbxhQp2aa5Z",[],{"nodeType":235,"data":2039,"content":2040},{},[2041],{"nodeType":239,"value":2042,"marks":2043,"data":2044},"A professional-looking error message reads: \"We're experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue.\" A prominent download button sits below.",[],{},{"nodeType":235,"data":2046,"content":2047},{},[2048],{"nodeType":239,"value":2049,"marks":2050,"data":2051},"The \"Show code\" toggle at the top of the page reveals what's actually happening — the entire thing is custom HTML and CSS, authored to mimic a ChatGPT system notice, rendered using ChatGPT's code output feature. A web page inside a web page, hosted on a domain that every URL reputation system in the world considers safe.",[],{},{"nodeType":259,"data":2053,"content":2057},{"target":2054},{"sys":2055},{"id":2056,"type":264,"linkType":265},"4kQTfxB3aVH9W9BeYOuljP",[],{"nodeType":274,"data":2059,"content":2060},{},[],{"nodeType":278,"data":2062,"content":2063},{},[2064],{"nodeType":239,"value":2065,"marks":2066,"data":2068},"The download page",[2067],{"type":285},{},{"nodeType":235,"data":2070,"content":2071},{},[2072],{"nodeType":239,"value":2073,"marks":2074,"data":2075},"Clicking the download button redirects the user to openew[.]app, which presents a convincing clone of ChatGPT's official desktop application download page — complete with OpenAI branding, macOS and Windows download buttons, a Chrome extension link, and a mobile download section.",[],{},{"nodeType":259,"data":2077,"content":2081},{"target":2078},{"sys":2079},{"id":2080,"type":264,"linkType":265},"4MdFc4OB37ZihTGx506QJ6",[],{"nodeType":259,"data":2083,"content":2087},{"target":2084},{"sys":2085},{"id":2086,"type":264,"linkType":265},"LaPUy0zpIeY8s4PF2wkat",[],{"nodeType":235,"data":2089,"content":2090},{},[2091],{"nodeType":239,"value":2092,"marks":2093,"data":2094},"The site also displays differently depending on who visits it. When Push researchers examined the URL via URLScan, the scanner was redirected to a different page entirely — a generic AR/VR company website with no obvious connection to ChatGPT. ",[],{},{"nodeType":235,"data":2096,"content":2097},{},[2098],{"nodeType":239,"value":2099,"marks":2100,"data":2101},"Real users in a browser see the fake download page; automated scanners and bots see something benign. This kind of conditional rendering is a well-established evasion technique in the malvertising ecosystem, and it makes the malicious infrastructure harder for security teams and threat intelligence services to identify and analyze.",[],{},{"nodeType":235,"data":2103,"content":2104},{},[2105,2109,2117],{"nodeType":239,"value":2106,"marks":2107,"data":2108},"The downloaded executable poses as \"ChatGPT for Desktop\" and is ",[],{},{"nodeType":244,"data":2110,"content":2112},{"uri":2111},"https://www.virustotal.com/gui/file/de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78",[2113],{"nodeType":239,"value":2114,"marks":2115,"data":2116},"flagged on VirusTotal",[],{},{"nodeType":239,"value":1761,"marks":2118,"data":2119},[],{},{"nodeType":259,"data":2121,"content":2125},{"target":2122},{"sys":2123},{"id":2124,"type":264,"linkType":265},"3FSbwoFJYQrcyo9uMsQIWI",[],{"nodeType":274,"data":2127,"content":2128},{},[],{"nodeType":278,"data":2130,"content":2131},{},[2132],{"nodeType":239,"value":2133,"marks":2134,"data":2136},"The Claude variant: same campaign, different platform",[2135],{"type":285},{},{"nodeType":235,"data":2138,"content":2139},{},[2140,2144,2151],{"nodeType":239,"value":2141,"marks":2142,"data":2143},"Alongside the ChatGPT rendered-page variant, Push has also detected the previously reported style of attack using shared Claude.ai conversations. These follow the pattern documented by ",[],{},{"nodeType":244,"data":2145,"content":2146},{"uri":1945},[2147],{"nodeType":239,"value":2148,"marks":2149,"data":2150},"BleepingComputer",[],{},{"nodeType":239,"value":2152,"marks":2153,"data":2154},": a shared chat disguised as a \"Claude Code on Mac\" installation guide, attributed to \"Apple Support,\" containing a curl command that downloads and executes malware.",[],{},{"nodeType":259,"data":2156,"content":2160},{"target":2157},{"sys":2158},{"id":2159,"type":264,"linkType":265},"5sWayuTsVdiLSLoS4sv2Vc",[],{"nodeType":235,"data":2162,"content":2163},{},[2164],{"nodeType":239,"value":2165,"marks":2166,"data":2167},"The fact that both the ChatGPT and Claude variants are appearing in Push customer environments suggests a campaign — or at least a shared playbook — that is actively experimenting with different platforms and different social engineering approaches to find what converts best.",[],{},{"nodeType":274,"data":2169,"content":2170},{},[],{"nodeType":278,"data":2172,"content":2173},{},[2174],{"nodeType":239,"value":2175,"marks":2176,"data":2178},"Malvertising remains one of the top phishing delivery channels",[2177],{"type":285},{},{"nodeType":235,"data":2180,"content":2181},{},[2182],{"nodeType":239,"value":2183,"marks":2184,"data":2185},"Push has detected this variant across multiple customer environments, with users arriving at these shared chat URLs after searching for terms including \"chatgpt,\" \"chatgpt free,\" \"chat gpt,\" and common typos like \"chatgo,\" \"chatgot,\" and \"cvhatgpt.\" ",[],{},{"nodeType":235,"data":2187,"content":2188},{},[2189],{"nodeType":239,"value":2190,"marks":2191,"data":2192},"You can see an example of this below: it's incredibly convincing, and uses the real ChatGPT domain — so even users that are paying attention are liable to fall for it. ",[],{},{"nodeType":259,"data":2194,"content":2198},{"target":2195},{"sys":2196},{"id":2197,"type":264,"linkType":265},"1GYWOyHpZT1rdTm6IGOKu8",[],{"nodeType":259,"data":2200,"content":2204},{"target":2201},{"sys":2202},{"id":2203,"type":264,"linkType":265},"4HpFJRAZH2lbygaEk2xOnN",[],{"nodeType":235,"data":2206,"content":2207},{},[2208,2212,2220,2224,2232,2236,2245],{"nodeType":239,"value":2209,"marks":2210,"data":2211},"This fits a pattern Push has tracked extensively. ",[],{},{"nodeType":244,"data":2213,"content":2215},{"uri":2214},"https://pushsecurity.com/blog/verizon-dbir-2026-review/",[2216],{"nodeType":239,"value":2217,"marks":2218,"data":2219},"Search-based delivery is now the dominant channel for malware distribution",[],{},{"nodeType":239,"value":2221,"marks":2222,"data":2223}," — our own data shows that ClickFix attacks are reached via search results rather than email in 4 of 5 cases, and Push's own research into ",[],{},{"nodeType":244,"data":2225,"content":2227},{"uri":2226},"https://pushsecurity.com/blog/analysing-a-sophisticated-google-malvertising-attack/",[2228],{"nodeType":239,"value":2229,"marks":2230,"data":2231},"malvertising campaigns impersonating brands like TradingView",[],{},{"nodeType":239,"value":2233,"marks":2234,"data":2235}," and ",[],{},{"nodeType":244,"data":2237,"content":2239},{"uri":2238},"https://pushsecurity.com/blog/google-search-malvertising-campaign-continues-now-impersonating-ahrefs/",[2240],{"nodeType":239,"value":2241,"marks":2242,"data":2244},"Ahrefs",[2243],{"type":252},{},{"nodeType":239,"value":2246,"marks":2247,"data":2248}," has demonstrated how effectively search ads can funnel victims to malicious pages. ",[],{},{"nodeType":235,"data":2250,"content":2251},{},[2252],{"nodeType":239,"value":2253,"marks":2254,"data":2255},"The shared-chat technique adds a new dimension: the destination URL itself is genuine (chatgpt.com, claude.ai), which means even a cautious user who checks the URL before clicking will see nothing suspicious.",[],{},{"nodeType":274,"data":2257,"content":2258},{},[],{"nodeType":278,"data":2260,"content":2261},{},[2262],{"nodeType":239,"value":2263,"marks":2264,"data":2266},"Legitimate platform abuse is everywhere",[2265],{"type":285},{},{"nodeType":235,"data":2268,"content":2269},{},[2270],{"nodeType":239,"value":2271,"marks":2272,"data":2273},"This is one example of a much broader pattern that has become one of the defining characteristics of the 2026 threat landscape: attackers systematically abusing legitimate platforms as attack infrastructure. The scale and variety of this abuse in recent months alone is striking, and it spans every stage of the phishing chain.",[],{},{"nodeType":288,"data":2275,"content":2276},{},[2277],{"nodeType":239,"value":2278,"marks":2279,"data":2280},"Legit platform abuse for delivery",[],{},{"nodeType":235,"data":2282,"content":2283},{},[2284,2288,2296,2300,2308,2312,2320],{"nodeType":239,"value":2285,"marks":2286,"data":2287},"On the delivery side, attackers have been ",[],{},{"nodeType":244,"data":2289,"content":2291},{"uri":2290},"https://www.bleepingcomputer.com/news/security/amazon-ses-increasingly-abused-in-phishing-to-evade-detection/",[2292],{"nodeType":239,"value":2293,"marks":2294,"data":2295},"weaponizing stolen AWS credentials to send phishing through Amazon SES",[],{},{"nodeType":239,"value":2297,"marks":2298,"data":2299}," that passes SPF, DKIM, and DMARC validation because SES is a legitimate Amazon service. A Vietnamese operation dubbed ",[],{},{"nodeType":244,"data":2301,"content":2303},{"uri":2302},"https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html",[2304],{"nodeType":239,"value":2305,"marks":2306,"data":2307},"AccountDumpling used Google AppSheet's built-in email capability",[],{},{"nodeType":239,"value":2309,"marks":2310,"data":2311}," as a phishing relay to harvest 30,000 Facebook credentials. ",[],{},{"nodeType":244,"data":2313,"content":2315},{"uri":2314},"https://techcrunch.com/2026/05/21/scammers-are-abusing-an-internal-microsoft-account-to-send-spam/",[2316],{"nodeType":239,"value":2317,"marks":2318,"data":2319},"Scammers exploited Microsoft's own internal notification pipeline",[],{},{"nodeType":239,"value":2321,"marks":2322,"data":2323}," — sending phishing from the same msonlineservicesteam@microsoftonline.com address that delivers legitimate 2FA codes — with Spamhaus confirming months of ongoing abuse.",[],{},{"nodeType":288,"data":2325,"content":2326},{},[2327],{"nodeType":239,"value":2328,"marks":2329,"data":2330},"Legit platform abuse for hosting",[],{},{"nodeType":235,"data":2332,"content":2333},{},[2334,2338,2346,2350,2358],{"nodeType":239,"value":2335,"marks":2336,"data":2337},"For hosting, the platforms being abused read like a who's who of modern web infrastructure. ",[],{},{"nodeType":244,"data":2339,"content":2341},{"uri":2340},"https://www.securityweek.com/over-500-organizations-hit-in-years-long-phishing-campaign/",[2342],{"nodeType":239,"value":2343,"marks":2344,"data":2345},"Operation HookedWing ran for four years",[],{},{"nodeType":239,"value":2347,"marks":2348,"data":2349}," on GitHub Pages and Vercel, compromising 500+ organizations across more than 100 GitHub Pages domains before anyone documented it publicly. Cofense has separately ",[],{},{"nodeType":244,"data":2351,"content":2353},{"uri":2352},"https://cofense.com/blog/steal-smarter-not-harder-malicious-use-of-vercel-for-credential-phishing/",[2354],{"nodeType":239,"value":2355,"marks":2356,"data":2357},"documented the growing abuse of Vercel",[],{},{"nodeType":239,"value":2359,"marks":2360,"data":2361}," for credential phishing hosting. Pixm's Q1 2026 phishing report tracked over 100 unique Azure Blob Storage subdomain variants hosting phishing content that carried Microsoft's own domain reputation, alongside abuse of Cloudflare CDN, Cloudflare Workers, Cloudflare R2, Backblaze B2, and Supabase. ",[],{},{"nodeType":288,"data":2363,"content":2364},{},[2365],{"nodeType":239,"value":2366,"marks":2367,"data":2368},"Abuse of compromised websites that are otherwise legit",[],{},{"nodeType":235,"data":2370,"content":2371},{},[2372,2376,2384,2388,2396,2400,2408],{"nodeType":239,"value":2373,"marks":2374,"data":2375},"Compromised legitimate sites are also being repurposed at scale. A mass exploitation of a ",[],{},{"nodeType":244,"data":2377,"content":2379},{"uri":2378},"https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/",[2380],{"nodeType":239,"value":2381,"marks":2382,"data":2383},"Ghost CMS vulnerability planted ClickFix pages across 700+ websites",[],{},{"nodeType":239,"value":2385,"marks":2386,"data":2387}," including Harvard, Oxford, and DuckDuckGo subdomains. Microsoft recently documented a campaign where ",[],{},{"nodeType":244,"data":2389,"content":2391},{"uri":2390},"https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",[2392],{"nodeType":239,"value":2393,"marks":2394,"data":2395},"SEO poisoning was combined with AI chatbot recommendation manipulation",[],{},{"nodeType":239,"value":2397,"marks":2398,"data":2399}," to deliver GPU mining malware — extending the poisoning from traditional search results into AI-generated software recommendations. And ",[],{},{"nodeType":244,"data":2401,"content":2403},{"uri":2402},"https://www.helpnetsecurity.com/2026/05/27/deno-rat-malware-fake-chatgpt-claude-installers/",[2404],{"nodeType":239,"value":2405,"marks":2406,"data":2407},"fake ChatGPT and Claude installers on GitHub and SourceForge",[],{},{"nodeType":239,"value":2409,"marks":2410,"data":2411}," have been delivering the DinDoor backdoor and a Deno-based RAT via repositories that mimic legitimate developer tool distributions.",[],{},{"nodeType":235,"data":2413,"content":2414},{},[2415],{"nodeType":239,"value":2416,"marks":2417,"data":2418},"The structural problem is that every one of these platforms is genuinely legitimate, and the security controls that evaluate them — domain reputation, email authentication, URL categorization — confirm them as trusted because they are trusted. This attack extends this pattern into new territory by weaponizing the content-sharing features of AI chatbot platforms specifically, but the underlying principles are the same. ",[],{},{"nodeType":274,"data":2420,"content":2421},{},[],{"nodeType":278,"data":2423,"content":2424},{},[2425],{"nodeType":239,"value":2426,"marks":2427,"data":2429},"Impact analysis",[2428],{"type":285},{},{"nodeType":235,"data":2431,"content":2432},{},[2433,2437,2445],{"nodeType":239,"value":2434,"marks":2435,"data":2436},"Shared-chat malware delivery exploits a structural property of AI platforms that traditional security controls aren't designed to handle. Domain reputation, URL categorization, and safe browsing databases all treat chatgpt.com and claude.ai as trusted — because they are. Using these trusted pages to link off to further convincing-looking pages hosting malware allows the attacker to run campaigns that blend in, as well as rotate the phishing delivery pages later in the chain should they ever be flagged, allowing the campaign to continue without interruption (a well known ",[],{},{"nodeType":244,"data":2438,"content":2440},{"uri":2439},"https://phishing-techniques.pushsecurity.com/",[2441],{"nodeType":239,"value":2442,"marks":2443,"data":2444},"detection evasion technique",[],{},{"nodeType":239,"value":2446,"marks":2447,"data":2448},"). ",[],{},{"nodeType":235,"data":2450,"content":2451},{},[2452],{"nodeType":239,"value":2453,"marks":2454,"data":2455},"What makes the rendered-page variant particularly concerning is that it eliminates the most obvious red flag in the earlier attacks. The Claude.ai conversation variants required the victim to recognize that a shared chat instructing them to paste terminal commands might be suspicious — a tall order for many users, but at least the attack surface was visible. The rendered-page variant shows nothing that looks like an attack. It presents what appears to be a routine service disruption with a reasonable call to action: download the desktop app to continue using ChatGPT. ",[],{},{"nodeType":288,"data":2457,"content":2458},{},[2459],{"nodeType":239,"value":2460,"marks":2461,"data":2463},"How Push detected the attack",[2462],{"type":285},{},{"nodeType":235,"data":2465,"content":2466},{},[2467,2471,2475],{"nodeType":239,"value":2468,"marks":2469,"data":2470},"We've aligned our detection logic for this technique under the name ",[],{},{"nodeType":239,"value":614,"marks":2472,"data":2474},[2473],{"type":285},{},{"nodeType":239,"value":2476,"marks":2477,"data":2478}," — a technique-level detection that covers shared content abuse across LLM platforms, not tied to any single campaign or set of IOCs. ",[],{},{"nodeType":235,"data":2480,"content":2481},{},[2482],{"nodeType":239,"value":2483,"marks":2484,"data":2485},"Because Push sees the full context of how a user arrived at a page and what that page does once it renders, we can identify LLMShare attacks regardless of which AI platform is being abused or what social engineering wrapper the attacker has chosen. ",[],{},{"nodeType":235,"data":2487,"content":2488},{},[2489,2493,2501],{"nodeType":239,"value":2490,"marks":2491,"data":2492},"When we identified the initial instances of this campaign, we used our ",[],{},{"nodeType":244,"data":2494,"content":2496},{"uri":2495},"https://pushsecurity.com/blog/can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline/",[2497],{"nodeType":239,"value":2498,"marks":2499,"data":2500},"agentic threat hunting pipeline",[],{},{"nodeType":239,"value":2502,"marks":2503,"data":2504}," to hunt for additional examples across our customer telemetry, develop the LLMShare detection, and rapidly deploy it to customers. Push blocks users from interacting with the page before any malicious activity can occur. ",[],{},{"nodeType":235,"data":2506,"content":2507},{},[2508],{"nodeType":239,"value":2509,"marks":2510,"data":2511},"Push customers do not need to take any further action.",[],{},{"nodeType":274,"data":2513,"content":2514},{},[],{"nodeType":235,"data":2516,"content":2517},{},[2518],{"nodeType":239,"value":914,"marks":2519,"data":2520},[],{},{"nodeType":235,"data":2522,"content":2523},{},[2524],{"nodeType":239,"value":921,"marks":2525,"data":2526},[],{},{"nodeType":235,"data":2528,"content":2529},{},[2530,2533,2540],{"nodeType":239,"value":29,"marks":2531,"data":2532},[],{},{"nodeType":244,"data":2534,"content":2535},{"uri":932},[2536],{"nodeType":239,"value":935,"marks":2537,"data":2539},[2538],{"type":252},{},{"nodeType":239,"value":29,"marks":2541,"data":2542},[],{},{"nodeType":274,"data":2544,"content":2545},{},[],{"nodeType":278,"data":2547,"content":2548},{},[2549],{"nodeType":239,"value":2550,"marks":2551,"data":2553},"Indicators of compromise",[2552],{"type":285},{},{"nodeType":235,"data":2555,"content":2556},{},[2557,2561,2569],{"nodeType":239,"value":2558,"marks":2559,"data":2560},"As we always say, short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":244,"data":2562,"content":2564},{"uri":2563},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[2565],{"nodeType":239,"value":2566,"marks":2567,"data":2568},"quickly spin up and rotate the sites used",[],{},{"nodeType":239,"value":2570,"marks":2571,"data":2572}," in the attack chain. IoC-based detections for campaigns like this are of limited value.",[],{},{"nodeType":235,"data":2574,"content":2575},{},[2576],{"nodeType":239,"value":2577,"marks":2578,"data":2579},"At the time of writing, the indicators observed were:",[],{},{"nodeType":2581,"data":2582,"content":2583},"table",{},[2584,2611,2635,2657,2680],{"nodeType":2585,"data":2586,"content":2587},"table-row",{},[2588,2600],{"nodeType":2589,"data":2590,"content":2591},"table-header-cell",{},[2592],{"nodeType":235,"data":2593,"content":2594},{},[2595],{"nodeType":239,"value":2596,"marks":2597,"data":2599},"Indicator",[2598],{"type":285},{},{"nodeType":2589,"data":2601,"content":2602},{},[2603],{"nodeType":235,"data":2604,"content":2605},{},[2606],{"nodeType":239,"value":2607,"marks":2608,"data":2610},"Type",[2609],{"type":285},{},{"nodeType":2585,"data":2612,"content":2613},{},[2614,2625],{"nodeType":2615,"data":2616,"content":2617},"table-cell",{},[2618],{"nodeType":235,"data":2619,"content":2620},{},[2621],{"nodeType":239,"value":2622,"marks":2623,"data":2624},"hxxps://claude[.]ai/share/8e6401b5-4849-46c4-a3cb-29e1c3c49131",[],{},{"nodeType":2615,"data":2626,"content":2627},{},[2628],{"nodeType":235,"data":2629,"content":2630},{},[2631],{"nodeType":239,"value":2632,"marks":2633,"data":2634},"URL",[],{},{"nodeType":2585,"data":2636,"content":2637},{},[2638,2648],{"nodeType":2615,"data":2639,"content":2640},{},[2641],{"nodeType":235,"data":2642,"content":2643},{},[2644],{"nodeType":239,"value":2645,"marks":2646,"data":2647},"hxxps://chatgpt[.]com/s/cb_6a0f1e6bbec88191aa7fede27163f08d",[],{},{"nodeType":2615,"data":2649,"content":2650},{},[2651],{"nodeType":235,"data":2652,"content":2653},{},[2654],{"nodeType":239,"value":2632,"marks":2655,"data":2656},[],{},{"nodeType":2585,"data":2658,"content":2659},{},[2660,2670],{"nodeType":2615,"data":2661,"content":2662},{},[2663],{"nodeType":235,"data":2664,"content":2665},{},[2666],{"nodeType":239,"value":2667,"marks":2668,"data":2669},"openew[.]app",[],{},{"nodeType":2615,"data":2671,"content":2672},{},[2673],{"nodeType":235,"data":2674,"content":2675},{},[2676],{"nodeType":239,"value":2677,"marks":2678,"data":2679},"Domain",[],{},{"nodeType":2585,"data":2681,"content":2682},{},[2683,2693],{"nodeType":2615,"data":2684,"content":2685},{},[2686],{"nodeType":235,"data":2687,"content":2688},{},[2689],{"nodeType":239,"value":2690,"marks":2691,"data":2692},"de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78",[],{},{"nodeType":2615,"data":2694,"content":2695},{},[2696],{"nodeType":235,"data":2697,"content":2698},{},[2699],{"nodeType":239,"value":2700,"marks":2701,"data":2702},"SHA256",[],{},{"nodeType":235,"data":2704,"content":2705},{},[2706],{"nodeType":239,"value":29,"marks":2707,"data":2708},[],{},"LLMShare: how attackers are turning AI chatbot pages into malware delivery platforms","How attackers are using shared content features on AI chatbot platforms to deliver malware via pages hosted on legitimate domains, sent via malvertising.","2026-05-29T00:00:00.000Z","llmshare-malvertising-campaign",{"items":2714},[2715,2717],{"sys":2716,"name":1902},{"id":1901},{"sys":2718,"name":1906},{"id":1905},{"items":2720},[2721],{"fullName":2722,"firstName":2723,"jobTitle":2724,"profilePicture":2725},"Keanu Maharaj","Keanu","Senior Security Researcher",{"url":2726},"https://images.ctfassets.net/y1cdw1ablpvd/VCGOm62jiocjwngWTh32U/e9a30637b1c76bf988d2fec90f5b6c36/1689361049351_1.png",{"__typename":1042,"sys":2728,"content":2730,"title":3490,"synopsis":3491,"hashTags":62,"publishedDate":3492,"slug":3493,"tagsCollection":3494,"authorsCollection":3500},{"id":2729},"5RDOpmzJolwT1hk0fNIxzf",{"json":2731},{"nodeType":231,"data":2732,"content":2733},{},[2734,2753,2759,2766,2773,2776,2784,2803,2822,2829,2835,2842,2848,2855,2863,2870,2888,2919,2925,2931,2939,2946,2964,2994,3026,3033,3039,3047,3054,3066,3073,3114,3120,3161,3198,3204,3207,3215,3222,3228,3235,3242,3248,3255,3262,3290,3293,3301,3308,3316,3323,3330,3349,3356,3362,3369,3377,3384,3401,3408,3426,3429,3437,3444,3451,3458,3461,3467,3473],{"nodeType":235,"data":2735,"content":2736},{},[2737,2741,2749],{"nodeType":239,"value":2738,"marks":2739,"data":2740},"Back in 2024, we wrote about ",[],{},{"nodeType":244,"data":2742,"content":2744},{"uri":2743},"https://pushsecurity.com/blog/our-design-philosophy-detecting-what-matters/",[2745],{"nodeType":239,"value":2746,"marks":2747,"data":2748},"how the Pyramid of Pain shapes Push's detection philosophy",[],{},{"nodeType":239,"value":2750,"marks":2751,"data":2752}," — detections targeting indicators that are easy for attackers to change deliver diminishing returns, while detections targeting attacker techniques impose a cost that's hard to absorb. Two years on, every force that made IoC-based detection fragile has intensified.",[],{},{"nodeType":259,"data":2754,"content":2758},{"target":2755},{"sys":2756},{"id":2757,"type":264,"linkType":265},"1iuLYxwI8T1wDUIFSom0G0",[],{"nodeType":235,"data":2760,"content":2761},{},[2762],{"nodeType":239,"value":2763,"marks":2764,"data":2765},"AI hasn't introduced a new problem so much as it's compressed the timelines on an existing one — attackers can generate infrastructure, iterate on tooling, and industrialize newly discovered techniques faster than before. The bottom layers of the Pyramid are collapsing under the weight of machine-speed operations, and the middle layers are starting to buckle too.",[],{},{"nodeType":235,"data":2767,"content":2768},{},[2769],{"nodeType":239,"value":2770,"marks":2771,"data":2772},"These changes mean that technique-level detection is more important than ever. In this article, we’ll dig into how the Pyramid is changing, and what this means for our detection philosophy at Push (TL;DR — it reinforces the path we’re already on: building detections at the top of the Pyramid by harnessing browser visibility). ",[],{},{"nodeType":274,"data":2774,"content":2775},{},[],{"nodeType":278,"data":2777,"content":2778},{},[2779],{"nodeType":239,"value":2780,"marks":2781,"data":2783},"The bottom of the Pyramid was already crumbling",[2782],{"type":285},{},{"nodeType":235,"data":2785,"content":2786},{},[2787,2791,2799],{"nodeType":239,"value":2788,"marks":2789,"data":2790},"The case against indicator-based detection didn't need AI to be compelling. ",[],{},{"nodeType":244,"data":2792,"content":2794},{"uri":2793},"https://www.spamhaus.org/",[2795],{"nodeType":239,"value":2796,"marks":2797,"data":2798},"89% of phishing domains are active for fewer than two days",[],{},{"nodeType":239,"value":2800,"marks":2801,"data":2802},", with just 6.5% surviving past 15 days — by the time a domain makes it onto a blocklist, the campaign has moved on.",[],{},{"nodeType":235,"data":2804,"content":2805},{},[2806,2810,2818],{"nodeType":239,"value":2807,"marks":2808,"data":2809},"We've ",[],{},{"nodeType":244,"data":2811,"content":2813},{"uri":2812},"https://pushsecurity.com/blog/why-most-phishing-attacks-feel-like-a-zero-day/",[2814],{"nodeType":239,"value":2815,"marks":2816,"data":2817},"written before",[],{},{"nodeType":239,"value":2819,"marks":2820,"data":2821}," about how this makes every phishing attack effectively a zero-day for organizations relying on known-bad detection. The phishing kit's behavior — its page structure, script signatures, malicious payload mechanics — is the only detection target that outlasts a single campaign.",[],{},{"nodeType":235,"data":2823,"content":2824},{},[2825],{"nodeType":239,"value":2826,"marks":2827,"data":2828},"When we blogged about the Pyramid of Pain for modern attacks that happen predominantly over the internet, with minimal (or zero) endpoint contact, it first looked like this: ",[],{},{"nodeType":259,"data":2830,"content":2834},{"target":2831},{"sys":2832},{"id":2833,"type":264,"linkType":265},"2N04ycJ6RKGfHdX5X1TwU3",[],{"nodeType":235,"data":2836,"content":2837},{},[2838],{"nodeType":239,"value":2839,"marks":2840,"data":2841},"Now, it looks more like this:",[],{},{"nodeType":259,"data":2843,"content":2847},{"target":2844},{"sys":2845},{"id":2846,"type":264,"linkType":265},"mfhP4WToOQkrHnVkXU0tX",[],{"nodeType":235,"data":2849,"content":2850},{},[2851],{"nodeType":239,"value":2852,"marks":2853,"data":2854},"Let’s explore why. ",[],{},{"nodeType":288,"data":2856,"content":2857},{},[2858],{"nodeType":239,"value":2859,"marks":2860,"data":2862},"AI is accelerating phishing rotation and delivery",[2861],{"type":285},{},{"nodeType":235,"data":2864,"content":2865},{},[2866],{"nodeType":239,"value":2867,"marks":2868,"data":2869},"Attackers are harnessing AI at every stage, speeding up the process of creating, rotating, and replacing phishing infrastructure at every level, as well as capitalizing on AI adoption itself to enhance their lures. The operational signature is more domains, shorter lifespans, more variation, and fewer of the reuse patterns that blocklists depend on.",[],{},{"nodeType":235,"data":2871,"content":2872},{},[2873,2877,2884],{"nodeType":239,"value":2874,"marks":2875,"data":2876},"Attackers can ",[],{},{"nodeType":244,"data":2878,"content":2879},{"uri":2495},[2880],{"nodeType":239,"value":2881,"marks":2882,"data":2883},"vibe-code entire phishing pages in minutes",[],{},{"nodeType":239,"value":2885,"marks":2886,"data":2887}," — not just cloning legitimate login pages but vibe-cloning them, feeding an AI a screenshot and having it rebuild a convincing frontend with a completely unique backend. ",[],{},{"nodeType":235,"data":2889,"content":2890},{},[2891,2895,2903,2907,2915],{"nodeType":239,"value":2892,"marks":2893,"data":2894},"We've seen attackers clone free SaaS tools like background removers and PDF converters, then inject phishing components or ClickFix payloads into what looks like a functional utility. We’ve even seen attackers distributing malware using AI-generated pages shared using ",[],{},{"nodeType":244,"data":2896,"content":2897},{"uri":611},[2898],{"nodeType":239,"value":2899,"marks":2900,"data":2902},"LLM tool sharing functionality",[2901],{"type":252},{},{"nodeType":239,"value":2904,"marks":2905,"data":2906},", resulting in phishing delivery pages hosted on real claude.ai and chatgpt.com. And legitimate cloud platforms like ",[],{},{"nodeType":244,"data":2908,"content":2910},{"uri":2909},"https://www.huntress.com/blog/railway-paas-m365-token-replay-campaign",[2911],{"nodeType":239,"value":2912,"marks":2913,"data":2914},"Railway",[],{},{"nodeType":239,"value":2916,"marks":2917,"data":2918},", Cloudflare Workers, and Vercel host and dynamically rotate attack infrastructure, so the domains feeding into blocklists often belong to reputable services that can't simply be blocked. ",[],{},{"nodeType":259,"data":2920,"content":2924},{"target":2921},{"sys":2922},{"id":2923,"type":264,"linkType":265},"5yoLmqysyQazfzLITCUTfc",[],{"nodeType":259,"data":2926,"content":2930},{"target":2927},{"sys":2928},{"id":2929,"type":264,"linkType":265},"5XK5qZMQU19xlA8L2T5y0Z",[],{"nodeType":288,"data":2932,"content":2933},{},[2934],{"nodeType":239,"value":2935,"marks":2936,"data":2938},"The kit ecosystem is fragmenting faster than anyone can track",[2937],{"type":285},{},{"nodeType":235,"data":2940,"content":2941},{},[2942],{"nodeType":239,"value":2943,"marks":2944,"data":2945},"What we see across our install base is a huge and growing variation in phishing kits — new kits, derivative kits of known platforms, derivatives of those derivatives — appearing on a weekly basis.",[],{},{"nodeType":235,"data":2947,"content":2948},{},[2949,2953,2960],{"nodeType":239,"value":2950,"marks":2951,"data":2952},"As we reported in our ",[],{},{"nodeType":244,"data":2954,"content":2955},{"uri":1848},[2956],{"nodeType":239,"value":2957,"marks":2958,"data":2959},"Browser Attacks Report",[],{},{"nodeType":239,"value":2961,"marks":2962,"data":2963},", the most common AiTM kits we detected over the last year were Tycoon 2FA (59% of detections), followed by Sneaky 2FA, FlowerStorm, Evilginx (nominally a red team tool, but widely abused by attackers), NakedPages, Gabagool, and dozens more — but those established names are just the visible layer.",[],{},{"nodeType":235,"data":2965,"content":2966},{},[2967,2971,2979,2983,2990],{"nodeType":239,"value":2968,"marks":2969,"data":2970},"Code is forked, modified, and redeployed across kits in a pattern that ",[],{},{"nodeType":244,"data":2972,"content":2974},{"uri":2973},"https://blog.barracuda.com/2026/04/16/threat-spotlight-tycoon-2fa-scattered-everywhere",[2975],{"nodeType":239,"value":2976,"marks":2977,"data":2978},"resembles open-source development",[],{},{"nodeType":239,"value":2980,"marks":2981,"data":2982}," more than traditional criminal enterprise, and the rate at which new variants appear is accelerating. The ",[],{},{"nodeType":244,"data":2984,"content":2985},{"uri":1408},[2986],{"nodeType":239,"value":2987,"marks":2988,"data":2989},"Venom kit",[],{},{"nodeType":239,"value":2991,"marks":2992,"data":2993}," reuses Sneaky 2FA's AiTM infrastructure but carries different branding and adds device code phishing — whether it's the same developers, stolen code, or a deliberate fork is unclear.",[],{},{"nodeType":235,"data":2995,"content":2996},{},[2997,3001,3009,3013,3022],{"nodeType":239,"value":2998,"marks":2999,"data":3000},"Tycoon 2FA illustrates the scale of the evolution. The kit evolves continuously, addingnew capabilities, new evasion techniques, and hybridizing with other platforms. Even when Sekoia and Microsoft seized 330+ Tycoon domains in March 2026, the techniques it popularized were already embedded across competitors, and the slack was taken up by rival platforms within days. And in any case, Tycoon was back to ",[],{},{"nodeType":244,"data":3002,"content":3004},{"uri":3003},"https://www.crowdstrike.com/en-us/blog/tycoon2fa-phishing-as-a-service-platform-persists-following-takedown/",[3005],{"nodeType":239,"value":3006,"marks":3007,"data":3008},"normal levels of operation",[],{},{"nodeType":239,"value":3010,"marks":3011,"data":3012}," shortly after. It has also been observed ",[],{},{"nodeType":244,"data":3014,"content":3016},{"uri":3015},"https://www.okta.com/en-nl/blog/threat-intelligence/tycoon_2fa_phishing_actors_scatter/",[3017],{"nodeType":239,"value":3018,"marks":3019,"data":3021},"pivoting to add new device code phishing capabilities",[3020],{"type":252},{},{"nodeType":239,"value":3023,"marks":3024,"data":3025}," (more on that below). ",[],{},{"nodeType":235,"data":3027,"content":3028},{},[3029],{"nodeType":239,"value":3030,"marks":3031,"data":3032},"Tear one down and there are many more to take its place — and meanwhile the original is already evolving into something new.",[],{},{"nodeType":259,"data":3034,"content":3038},{"target":3035},{"sys":3036},{"id":3037,"type":264,"linkType":265},"3UDzUCCizPJhXp3SsoZuSK",[],{"nodeType":288,"data":3040,"content":3041},{},[3042],{"nodeType":239,"value":3043,"marks":3044,"data":3046},"New techniques are being industrialized faster than ever",[3045],{"type":285},{},{"nodeType":235,"data":3048,"content":3049},{},[3050],{"nodeType":239,"value":3051,"marks":3052,"data":3053},"As well as the fragmentation of existing kits, we’re seeing new techniques added at an accelerating rate. ",[],{},{"nodeType":235,"data":3055,"content":3056},{},[3057,3062],{"nodeType":239,"value":3058,"marks":3059,"data":3061},"Device code phishing",[3060],{"type":285},{},{"nodeType":239,"value":3063,"marks":3064,"data":3065}," is the clearest case study. From early nation state adoption in 2024, it took until 2026 for criminal adoption to really take off, but the take-up this year is unprecedented. The EvilTokens kit packaged device code phishing into a PhaaS offering with GPT-powered spear-phishing and adaptive landing pages, hitting 340+ organizations across five countries in March 2026. ",[],{},{"nodeType":235,"data":3067,"content":3068},{},[3069],{"nodeType":239,"value":3070,"marks":3071,"data":3072},"Now, device code functionality is now a core phish kit component. We’re tracking 18+ kits with device code phishing capabilities and a 37.5x increase in device code phishing detections this year alone, with the technique moving from state-sponsored exclusivity to something any PhaaS customer can rent.",[],{},{"nodeType":235,"data":3074,"content":3075},{},[3076,3080,3088,3092,3097,3101,3110],{"nodeType":239,"value":3077,"marks":3078,"data":3079},"Similarly, when we ",[],{},{"nodeType":244,"data":3081,"content":3083},{"uri":3082},"https://pushsecurity.com/blog/we-infiltrated-a-criminal-phishing-panel/",[3084],{"nodeType":239,"value":3085,"marks":3086,"data":3087},"infiltrated Doko's Panel",[],{},{"nodeType":239,"value":3089,"marks":3090,"data":3091}," — a ",[],{},{"nodeType":239,"value":3093,"marks":3094,"data":3096},"real-time vishing and AiTM platform",[3095],{"type":285},{},{"nodeType":239,"value":3098,"marks":3099,"data":3100}," used by ShinyHunters and affiliated groups — the codebase was full of LLM-generated artifacts. Multiple groups were using the templated vishing panel and spinning up their own variants, but the AI-generated indicators persisted throughout. This approach to real-time vishing + browser payload has been a ",[],{},{"nodeType":244,"data":3102,"content":3104},{"uri":3103},"https://pushsecurity.com/blog/analyzing-the-instructure-breach/",[3105],{"nodeType":239,"value":3106,"marks":3107,"data":3109},"mainstay of the Com affiliates like ShinyHunters this year",[3108],{"type":252},{},{"nodeType":239,"value":3111,"marks":3112,"data":3113},". ",[],{},{"nodeType":259,"data":3115,"content":3119},{"target":3116},{"sys":3117},{"id":3118,"type":264,"linkType":265},"01mOiserRBXraawXwQyJNm",[],{"nodeType":235,"data":3121,"content":3122},{},[3123,3127,3132,3136,3145,3149,3157],{"nodeType":239,"value":3124,"marks":3125,"data":3126},"The broader ",[],{},{"nodeType":239,"value":3128,"marks":3129,"data":3131},"ClickFix",[3130],{"type":285},{},{"nodeType":239,"value":3133,"marks":3134,"data":3135}," family shows the same acceleration: First reported in early 2024 and adopted by four nation-state groups within a single quarter. Fast forward and ",[],{},{"nodeType":244,"data":3137,"content":3139},{"uri":3138},"https://www.crowdstrike.com/en-us/global-threat-report/",[3140],{"nodeType":239,"value":3141,"marks":3142,"data":3144},"CrowdStrike's data",[3143],{"type":252},{},{"nodeType":239,"value":3146,"marks":3147,"data":3148}," shows a 563% increase in fake CAPTCHA incidents (one of the more common ClickFix lure types), while ",[],{},{"nodeType":244,"data":3150,"content":3151},{"uri":1269},[3152],{"nodeType":239,"value":3153,"marks":3154,"data":3156},"Microsoft reported",[3155],{"type":252},{},{"nodeType":239,"value":3158,"marks":3159,"data":3160}," it as making up 47% of observed attacks according to their Digital Defense Report.",[],{},{"nodeType":235,"data":3162,"content":3163},{},[3164,3168,3172,3176,3183,3187,3194],{"nodeType":239,"value":3165,"marks":3166,"data":3167},"And ",[],{},{"nodeType":239,"value":1338,"marks":3169,"data":3171},[3170],{"type":285},{},{"nodeType":239,"value":3173,"marks":3174,"data":3175}," — a combination of ClickFix and OAuth consent phishing techniques — suggests the next compression is already underway. Push researchers ",[],{},{"nodeType":244,"data":3177,"content":3178},{"uri":1335},[3179],{"nodeType":239,"value":3180,"marks":3181,"data":3182},"discovered the technique",[],{},{"nodeType":239,"value":3184,"marks":3185,"data":3186}," in December 2025 — a browser-native ClickFix variant hijacking OAuth consent grants via Azure CLI's localhost redirect. It was later confirmed to be tied to APT29. By January 2026, a ",[],{},{"nodeType":244,"data":3188,"content":3189},{"uri":1374},[3190],{"nodeType":239,"value":3191,"marks":3192,"data":3193},"criminal ConsentFix v3 toolkit",[],{},{"nodeType":239,"value":3195,"marks":3196,"data":3197}," had appeared on the XSS forum with Cloudflare Workers, ZoomInfo targeting, and automated exfiltration via Pipedream.",[],{},{"nodeType":259,"data":3199,"content":3203},{"target":3200},{"sys":3201},{"id":3202,"type":264,"linkType":265},"41FMif4T0y1maflzonWgL8",[],{"nodeType":274,"data":3205,"content":3206},{},[],{"nodeType":278,"data":3208,"content":3209},{},[3210],{"nodeType":239,"value":3211,"marks":3212,"data":3214},"Why technique-level detection is the only layer that holds",[3213],{"type":285},{},{"nodeType":235,"data":3216,"content":3217},{},[3218],{"nodeType":239,"value":3219,"marks":3220,"data":3221},"The middle of the Pyramid — tool signatures and artifacts — used to offer much more durable detection than infrastructure indicators. Fingerprinting a specific phishing kit by its JavaScript structure or HTML patterns provided a detection target that survived across dozens or hundreds of campaigns, even as the underlying domains rotated. Tool level detections are still better, but not by quite the same margin.",[],{},{"nodeType":259,"data":3223,"content":3227},{"target":3224},{"sys":3225},{"id":3226,"type":264,"linkType":265},"5pxaYdCIFiFKLPhRaPoldX",[],{"nodeType":235,"data":3229,"content":3230},{},[3231],{"nodeType":239,"value":3232,"marks":3233,"data":3234},"When the kit landscape was dominated by a handful of platforms, you could write signatures for Tycoon, Sneaky2FA, EvilProxy, and so on, and cover the lion's share of attacks. With the ecosystem now producing new variants and entirely new kits on a weekly basis, detecting by kit fingerprint starts to look uncomfortably similar to detecting by domain.",[],{},{"nodeType":235,"data":3236,"content":3237},{},[3238],{"nodeType":239,"value":3239,"marks":3240,"data":3241},"But many of these proliferating kits do share behavioral patterns at a deeper level than their code signatures. For example, every device code phishing kit implements fundamentally the same flow: present a lure, generate a device code via the OAuth Device Authorization endpoint, get the user to enter it on the legitimate authorization page, and poll for the resulting tokens. The frontends vary, the infrastructure varies, but the behavioral pattern doesn't.",[],{},{"nodeType":259,"data":3243,"content":3247},{"target":3244},{"sys":3245},{"id":3246,"type":264,"linkType":265},"FyyHayQtsJTwoB1kluMOl",[],{"nodeType":235,"data":3249,"content":3250},{},[3251],{"nodeType":239,"value":3252,"marks":3253,"data":3254},"Genuinely new attack techniques still require human creativity — an attacker has to identify a gap in how a legitimate protocol or feature can be subverted. That kind of innovation hasn't been automated. But the window to discover a technique, build a detection, and then deploy it before it is adopted by criminals at scale is compressing with each generation.",[],{},{"nodeType":235,"data":3256,"content":3257},{},[3258],{"nodeType":239,"value":3259,"marks":3260,"data":3261},"Organizations that detect at the technique level and deploy before commoditization have a structural advantage that increases over time. Waiting for indicators — even tool-level indicators — means chasing a curve that's accelerating away from you. This is the challenge we grapple with every day as we strive for the most resilient detections possible. ",[],{},{"nodeType":3263,"data":3264,"content":3265},"blockquote",{},[3266],{"nodeType":235,"data":3267,"content":3268},{},[3269,3273,3281,3285],{"nodeType":239,"value":3270,"marks":3271,"data":3272},"As our CPO Jacques Louw put it on ",[],{},{"nodeType":244,"data":3274,"content":3276},{"uri":3275},"https://risky.biz/RBNEWSSI128/",[3277],{"nodeType":239,"value":3278,"marks":3279,"data":3280},"Risky Business",[],{},{"nodeType":239,"value":3282,"marks":3283,"data":3284},": ",[],{},{"nodeType":239,"value":3286,"marks":3287,"data":3289},"\"There's no list of bad domains anywhere in the product. It's a crutch — a false cheat code that stops you from doing the detection in the way that actually is resilient, because the next time you see it, it will be on a different domain.\"",[3288],{"type":1650},{},{"nodeType":274,"data":3291,"content":3292},{},[],{"nodeType":278,"data":3294,"content":3295},{},[3296],{"nodeType":239,"value":3297,"marks":3298,"data":3300},"What it takes to detect at the top of the Pyramid",[3299],{"type":285},{},{"nodeType":235,"data":3302,"content":3303},{},[3304],{"nodeType":239,"value":3305,"marks":3306,"data":3307},"If technique-level detection is the only layer that holds, two things have to be true about your detection capability: You need the right vantage point, and you need the research velocity to stay ahead.",[],{},{"nodeType":288,"data":3309,"content":3310},{},[3311],{"nodeType":239,"value":3312,"marks":3313,"data":3315},"You need the right vantage point",[3314],{"type":285},{},{"nodeType":235,"data":3317,"content":3318},{},[3319],{"nodeType":239,"value":3320,"marks":3321,"data":3322},"Technique-level behaviors in browser-based identity attacks — how a phishing page orchestrates credential entry, how a device code flow presents its authorization prompt, how a ClickFix variant manipulates the clipboard — are visible in the browser session and nowhere else.",[],{},{"nodeType":235,"data":3324,"content":3325},{},[3326],{"nodeType":239,"value":3327,"marks":3328,"data":3329},"Network proxies see encrypted traffic and can attempt to reconstruct page behavior from metadata, but DOM manipulation, user interaction sequences, and script execution aren't visible from that vantage point. Email gateways see the delivery mechanism (or nothing at all in the increasing number of social media and search engine based attacks) but not the payload.",[],{},{"nodeType":235,"data":3331,"content":3332},{},[3333,3337,3345],{"nodeType":239,"value":3334,"marks":3335,"data":3336},"As we disclosed in our ",[],{},{"nodeType":244,"data":3338,"content":3339},{"uri":1848},[3340],{"nodeType":239,"value":3341,"marks":3342,"data":3344},"browser attacks report",[3343],{"type":252},{},{"nodeType":239,"value":3346,"marks":3347,"data":3348},", 95% of in-browser attacks we detect use some form of bot protection, often combined with conditional loading techniques like referrer and browser checks, reliably defeating automated analysis techniques. ",[],{},{"nodeType":235,"data":3350,"content":3351},{},[3352],{"nodeType":239,"value":3353,"marks":3354,"data":3355},"Behavioral detection at the technique level requires observing what happens on the page at the moment the user interacts with it — analyzing pages, not links. When you see the entire browsing flow — ad click, redirect chain, page render, credential prompt — an attack stands out immediately. Without that context, any detection system is forced to fill in gaps, and the gaps are where attacks hide.",[],{},{"nodeType":259,"data":3357,"content":3361},{"target":3358},{"sys":3359},{"id":3360,"type":264,"linkType":265},"4804g6u4POUDpL42bzP0EY",[],{"nodeType":235,"data":3363,"content":3364},{},[3365],{"nodeType":239,"value":3366,"marks":3367,"data":3368},"Push sits inside the browser session, observing this in real time. Its detections target the behavioral mechanics of techniques rather than the surface characteristics of individual kits or infrastructure.",[],{},{"nodeType":288,"data":3370,"content":3371},{},[3372],{"nodeType":239,"value":3373,"marks":3374,"data":3376},"You need the research expertise",[3375],{"type":285},{},{"nodeType":235,"data":3378,"content":3379},{},[3380],{"nodeType":239,"value":3381,"marks":3382,"data":3383},"When the window between technique discovery and industrialized exploitation is measured in weeks rather than years, the detection pipeline needs to operate on that same compressed timescale.",[],{},{"nodeType":235,"data":3385,"content":3386},{},[3387,3391,3397],{"nodeType":239,"value":3388,"marks":3389,"data":3390},"This is where our ",[],{},{"nodeType":244,"data":3392,"content":3393},{"uri":2495},[3394],{"nodeType":239,"value":2498,"marks":3395,"data":3396},[],{},{"nodeType":239,"value":3398,"marks":3399,"data":3400}," fits. It's tripled our monthly detection output — not by generating bigger blocklists, but by scaling the process of discovering behavioral patterns across the telemetry generated by 3+ million browser deployments.",[],{},{"nodeType":235,"data":3402,"content":3403},{},[3404],{"nodeType":239,"value":3405,"marks":3406,"data":3407},"The detections it produces are technique-class by design, targeting how attacks work rather than the infrastructure or specific tool that implements them. The goal is curation, not accumulation — hundreds of high-fidelity behavioral detections rather than the billions of signatures and domain entries that traditional approaches require.",[],{},{"nodeType":235,"data":3409,"content":3410},{},[3411,3415,3422],{"nodeType":239,"value":3412,"marks":3413,"data":3414},"When we detected the first in-the-wild ",[],{},{"nodeType":244,"data":3416,"content":3417},{"uri":1323},[3418],{"nodeType":239,"value":3419,"marks":3420,"data":3421},"InstallFix attack",[],{},{"nodeType":239,"value":3423,"marks":3424,"data":3425}," through the pipeline — a user had searched for NotebookLM, clicked a paid Google ad, and was redirected to a fake page with a WebAssembly C2 connector — the detection shipped to all customers within minutes. It didn't depend on knowing the domain, the ad creative, or the specific kit. It depended on recognizing the technique itself.",[],{},{"nodeType":274,"data":3427,"content":3428},{},[],{"nodeType":278,"data":3430,"content":3431},{},[3432],{"nodeType":239,"value":3433,"marks":3434,"data":3436},"Technique-level detection is now the only option",[3435],{"type":285},{},{"nodeType":235,"data":3438,"content":3439},{},[3440],{"nodeType":239,"value":3441,"marks":3442,"data":3443},"As a framework for detection durability, the Pyramid of Pain is more relevant than ever. ",[],{},{"nodeType":235,"data":3445,"content":3446},{},[3447],{"nodeType":239,"value":3448,"marks":3449,"data":3450},"AI has made infrastructure indicators essentially disposable. The tools tier is compressing as criminal vendors vibe-code, fork, and clone tooling at machine speed. Technique-level detection is the layer that holds long-term to be able to proactively detect and block net-new attacks and the kits that power them. ",[],{},{"nodeType":235,"data":3452,"content":3453},{},[3454],{"nodeType":239,"value":3455,"marks":3456,"data":3457},"Novel attack techniques still require human creativity to discover, and detections built around how those techniques work can survive infrastructure rotation, tool proliferation, and kit fragmentation. Defending that layer requires a vantage point inside the browser session and a research pipeline fast enough to stay ahead of the accelerating path from discovery to industrialization.",[],{},{"nodeType":274,"data":3459,"content":3460},{},[],{"nodeType":235,"data":3462,"content":3463},{},[3464],{"nodeType":239,"value":914,"marks":3465,"data":3466},[],{},{"nodeType":235,"data":3468,"content":3469},{},[3470],{"nodeType":239,"value":921,"marks":3471,"data":3472},[],{},{"nodeType":235,"data":3474,"content":3475},{},[3476,3479,3487],{"nodeType":239,"value":29,"marks":3477,"data":3478},[],{},{"nodeType":244,"data":3480,"content":3481},{"uri":1883},[3482],{"nodeType":239,"value":3483,"marks":3484,"data":3486},"Book a live demo",[3485],{"type":252},{},{"nodeType":239,"value":1890,"marks":3488,"data":3489},[],{},"The Pyramid of Pain in the AI era: Why technique-level detection matters more than ever","AI is accelerating the collapse of indicator-based threat detection. Here's why you need technique-level detection to stay ahead.","2026-06-01T00:00:00.000Z","the-pyramid-of-pain-in-the-ai-era",{"items":3495},[3496,3498],{"sys":3497,"name":1906},{"id":1905},{"sys":3499,"name":1902},{"id":1901},{"items":3501},[3502],{"fullName":1910,"firstName":1911,"jobTitle":1912,"profilePicture":3503},{"url":1914},"openai-poisoned-tenant-attack","blog/openai-poisoned-tenant-attack",{"json":3507},{"data":3508,"content":3509,"nodeType":231},{},[3510],{"data":3511,"content":3512,"nodeType":235},{},[3513],{"data":3514,"marks":3515,"value":3516,"nodeType":239},{},[],"Someone created a fake OpenAI organization using our company's name and invited specific Push employees to join it. Here's what we learned. ",{"id":3518,"publishedAt":3519},"gZ98u7GsQBtQWUZAbb9ct","2026-06-26T08:44:27.953Z",{"items":3521},[3522,3524],{"sys":3523,"name":1902},{"id":1901},{"sys":3525,"name":1906},{"id":1905},"r3ovH3WQIfyCL844aJ2ud9uvV6d7QJFBkTfcY48FiSs",1782485293909]