New Feature: Verified Stolen Credential Detection

Blog
/
Release notes

Product release: May 2024

Our latest development sprint focused on extending the power of the Push browser agent to detect and prevent identity attacks that evade traditional security controls. We’ve also enhanced our popular app banners feature, and added more API and webhooks options for managing Push programmatically.

What’s new this month:

  • SSO password protection

  • Phishing tool detection

  • Session token theft detection

  • URL blocking

  • Require a reason for app usage

  • Expanded API and webhooks options

Prevent SSO password reuse

Instead of trying to detect phishing websites and domains that constantly change, Push can now detect (and block!) SSO password reuse based on directly observing user behavior in the browser.

Our SSO password protection feature detects and blocks when a user enters their identity provider password on a webpage that does not belong to the IdP (e.g. Okta, Google Workspace, Microsoft 365, etc.)

You can choose to warn or block SSO password reuse and customize the message that end-users see.

Phishing block screen for end-users - KB 10109

See how it works

Detect Adversary-in-the-Middle phishing toolkits

The Push browser agent can now detect when employees visit websites that are using phishing toolkits such as EvilNoVNC and Evilginx. These tools can mimic legitimate login screens in order to steal credentials and bypass MFA.

Send detections to your SIEM or similar monitoring tool and add malicious sites to a blocklist in Push.

Phishing tool detection - config page - KB 10113

Learn more

Identify session token theft

You can now use the Push browser agent to inject a unique marker to the user agent string of sessions that occur in browsers enrolled in Push. By analyzing logs from your identity provider (e.g. Okta, Microsoft 365, etc.) or other app, you can use the marker to help you find suspicious activity that indicates a stolen session cookie in use.

Detecting session hijacking is extremely difficult when relying on device-based monitoring using EDR and network traffic. But by giving legitimate sessions a stamp of approval using the Push browser agent, you can easily identify access to apps from untrusted devices.

See how it works

Configure a custom blocklist of URLs

Prevent employees from visiting malicious sites you detect by configuring a custom blocklist of URLs in Push using the URL blocking feature. You can customize the message shown to end-users by adding your own links and instructions. Use Push’s REST API to programmatically manage URL blocking as part of responding to a phishing incident.

You can use this alongside other Push features like phishing tool detection to block access to known-bad sites you find.

Sample block page for URL blocking - KB 10112

Learn more

Require end-users to submit a reason when using an app

We’ve expanded our popular app banners feature to include a Reason mode that allows you to configure a custom message and require employees to submit a reason why they need to use a specific app before they can proceed to log in.

App banner - Reason mode - KB 10106
App banner in Reason mode

Learn more

Monitor ‘other apps’ list via Push API and webhooks

You can now keep a closer eye on all new observed cloud apps by using the Push API and webhooks to notify you of new entries on the “other apps” list or to retrieve specific details about accounts on these apps. The “other apps” list consists of apps accessed by employees that Push doesn’t recognize as work apps but that may still be relevant to your operations.

Learn more

Subscribe to get updates from Push
The latest news, articles, and resources, sent to your inbox