[{"data":1,"prerenderedAt":4504},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":99,"navbar-resource-highlight":173,"use-case-page":219,"fa-icon-regular-faFishingRod":1241,"fa-icon-regular-faPuzzlePiece":1245,"fa-icon-regular-faUserSecret":1247,"fa-icon-regular-faRadar":1249,"fa-icon-regular-faLaptopCode":1251,"fa-icon-regular-faSatelliteDish":1253,"fa-icon-regular-faShieldCheck":1255,"fa-icon-regular-faBrainCircuit":1257,"blog/the-cisos-data-problem-and-how-browser-telemetry-can-help":1259},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"4b1iz02jy77",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"query":41,"data":42,"variations":88,"lastUpdated":89,"firstPublished":90,"testRatio":23,"createdBy":91,"lastUpdatedBy":92,"folders":93,"meta":94,"rev":98},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible 
banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":84},"ewrererw","testrfesssssssssss",[46,72],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":62},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":61},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":60,"fontSize":58,"url":55},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":63},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"marginTop":69,"marginBottom":69,"fontSize":70,"fontWeight":71},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":73,"@type":47,"tagName":74,"properties":75,"responsiveStyles":79},"builder-pixel-86wtm10y06o","img",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":80},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},"block","hidden","none",{"deviceSize":85,"location":86},"large",{"path":29,"query":87},{},{},1775137295127,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":95,"hasLinks":6,"kind":96,"lastPreviewUrl":97,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFol
ders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","dy7e9yeefh5",[100,136],{"createdDate":101,"id":102,"name":103,"modelId":104,"published":13,"stageModifiedSincePublish":6,"query":105,"data":106,"variations":129,"lastUpdated":130,"firstPublished":131,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":132,"meta":133,"rev":135},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":107,"type":108,"testimonialLink":109,"testimonial":110},{},"testimonial","/customer-stories/inductive-automation",{"@type":111,"id":112,"model":108,"value":113},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":114,"folders":115,"createdDate":116,"id":112,"name":117,"modelId":118,"published":13,"data":119,"variations":123,"lastUpdated":124,"firstPublished":125,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"meta":126,"rev":128},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":120,"jobTitle":121,"quote":117,"image":122},"Jason Waits","\u003Cp>CISO at Inductive 
Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":127,"hasAutosaves":34},{"small":32,"medium":33},"rzbog5v8txl",{},1776247404986,1776247404973,[],{"breakpoints":134,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"4qa8r8xhoxg",{"createdDate":137,"id":138,"name":139,"modelId":104,"published":13,"meta":140,"stageModifiedSincePublish":6,"query":142,"data":143,"variations":169,"lastUpdated":170,"firstPublished":171,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":172,"rev":135},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":141,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":144,"link":163,"type":166,"title":139,"description":167,"image":168},{"@type":111,"id":145,"model":108,"value":146},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":147,"folders":148,"createdDate":149,"id":145,"name":150,"modelId":118,"published":13,"data":151,"variations":157,"lastUpdated":158,"firstPublished":159,"testRatio":23,"createdBy":91,"lastUpdatedBy":24,"meta":160,"rev":162},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":152,"jobTitle":153,"author":154,"qoute":29,"quote":155,"image":156},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the 
endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":161,"hasAutosaves":34},{"small":32,"medium":33},"es2cvrfe4e",{"text":164,"url":165},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[174,197],{"createdDate":175,"id":176,"name":139,"modelId":177,"published":13,"meta":178,"stageModifiedSincePublish":6,"query":180,"data":181,"variations":192,"lastUpdated":193,"firstPublished":194,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":195,"rev":196},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":179,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":182,"link":191,"type":166,"title":139,"description":167,"image":168},{"@type":111,"id":145,"model":108,"value":183},{"query":184,"folders":185,"createdDate":149,"id":145,"name":150,"modelId":118,"published":13,"data":186,"variations":187,"lastUpdated":158,"firstPublished":159,"testRatio":23,"createdBy":91,"lastUpdatedBy":24,"meta":188,"rev":190},[],[],{"video":152,"jobTitle":153,"author":154,"qoute":29,"quote":155,"image":156},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":189,"hasAutosaves":34},{"small":32,"medium":33},"6elkcwmc4na",{"text":164,"url":165},{},1776256937553,1776256937540,[],"ijqktvezzt",{"createdDate":198,"id":199,"name":200,"modelId":177,"published":13,"stageModifiedSincePublish":6,"query":201,"data":202,"variations":213,"lastUpdated":214,"firstPublished":215,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":216,"meta":217,"rev":196},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":203,"type
":108,"testimonial":204,"testimonialLink":109},{},{"@type":111,"id":112,"model":108,"value":205},{"query":206,"folders":207,"createdDate":116,"id":112,"name":117,"modelId":118,"published":13,"data":208,"variations":209,"lastUpdated":124,"firstPublished":125,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"meta":210,"rev":212},[],[],{"author":120,"jobTitle":121,"quote":117,"image":122},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":211,"hasAutosaves":34},{"small":32,"medium":33},"m175g5t1ds",{},1776256974140,1776256974130,[],{"breakpoints":218,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[220,404,523,642,760,880,1000,1120],{"createdDate":221,"id":222,"name":223,"modelId":224,"published":13,"stageModifiedSincePublish":6,"query":225,"data":231,"variations":392,"lastUpdated":393,"firstPublished":394,"testRatio":23,"screenshot":395,"createdBy":91,"lastUpdatedBy":396,"folders":397,"meta":398,"rev":403},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[226],{"@type":227,"property":228,"operator":229,"value":230},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":232,"customFonts":233,"seoTitle":281,"title":281,"tsCode":29,"seoDescription":282,"fontAwesomeIcon":283,"jsCode":29,"blocks":284,"url":230,"state":389},[],[234],{"family":235,"kind":236,"version":237,"lastModified":238,"files":239,"category":258,"menu":259,"subsets":260,"variants":263},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"800italic":248,"900italic":249,"700italic":250,"100italic":251,"italic":252,"regular":253,"200italic":254,"500italic":255,"300italic":256,"600italic":257},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19Dks
Vat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[261,262],"latin","latin-ext",[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[285,384],{"@type":47,"@version":48,"tagName":286,"id":287,"children":288},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[289,306,314,321,333,348,359,370,376],{"@type":47,"@version":48,"layerName":290,"id":291,"component":292,"responsiveStyles":303},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":290,"options":293,"isRSC":61},{"title":281,"description":294,"points":295,"video":302},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[296,298,300],{"item":297},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":299},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":301},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":304},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},"transparent",{"@type":47,"@version":48,"id":307,"component":308,"responsiveStyles":311},"builder-96634044407e491299e291ed64669e39",{"name":309,"options":310,"isRSC":61},"TrustedBy",{"AllPartners":34,"backgroundTransparent":6},{"large":312},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},"#000",{"@type":47,"@version":48,"id":315,"component":316,"responsiveStyles":319},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":317,"options":318,"isRSC":61},"Diagonal",{"darkMode":34},{"large":320},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"layerName":322,"id":323,"component":324,"responsiveStyles":331},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":322,"tag":322,"options":325,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":328,"description":329,"animatedTitle":29,"image":330,"reverse":6,"descriptionPaddingHorizontal":61},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":332},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":334,"component":335,"responsiveStyles":343},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":336,"options":337,"isRSC":61},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":340,"description":341,"reverse":34,"image":342},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":344},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},"DM Sans, sans-serif","20px","0px",{"@type":47,"@version":48,"id":349,"component":350,"responsiveStyles":356},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":336,"options":351,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":353,"description":354,"reverse":6,"image":355},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook — script behavior, session hijacks, DOM changes, and user inputs — then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":357},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},"36px",{"@type":47,"@version":48,"layerName":336,"id":360,"component":361,"responsiveStyles":367},"builder-42c32198083f4880acb37c5cb76934da",{"name":336,"options":362,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":364,"description":365,"reverse":34,"image":366},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts, such as session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":368},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},"47px",{"@type":47,"@version":48,"id":371,"component":372,"responsiveStyles":374},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":317,"options":373,"isRSC":61},{"darkMode":6},{"large":375},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":377,"component":378,"responsiveStyles":382},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":379,"tag":379,"options":380,"isRSC":61},"LatestResources",{"sectionHeading":29,"customClass":381},"bg-black",{"large":383},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":385,"@type":47,"tagName":74,"properties":386,"responsiveStyles":387},"builder-pixel-hr3txb30ku",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":388},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":390},{"path":29,"query":391},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":399,"winningTest":61,"breakpoints":400,"kind":401,"hasLinks":6,"originalContentId":402,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=38745
1215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"page","2daa5670b8504fc7ba4700633e8bd921","4b7w9k2ak0u",{"createdDate":405,"id":406,"name":407,"modelId":224,"published":13,"stageModifiedSincePublish":6,"query":408,"data":411,"variations":515,"lastUpdated":516,"firstPublished":517,"testRatio":23,"screenshot":518,"createdBy":91,"lastUpdatedBy":396,"folders":519,"meta":520,"rev":403},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[409],{"@type":227,"property":228,"operator":229,"value":410},"/uc/browser-extension-security",{"seoDescription":412,"jsCode":29,"fontAwesomeIcon":413,"tsCode":29,"title":407,"seoTitle":407,"customFonts":414,"inputs":419,"blocks":420,"url":410,"state":512},"Shine a light on risky browser extensions.","faPuzzlePiece",[415],{"kind":236,"family":235,"version":237,"files":416,"category":258,"lastModified":238,"subsets":417,"variants":418,"menu":259},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"100italic":251,"italic":252,"regular":253,"900italic":249,"800italic":248,"700italic":250,"200italic":254,"300italic":256,"500italic":255,"600italic":257},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],[],[421,507],{"@type":47,"@version":48,"tagName":286,"id":422,"meta":423,"children":424},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":287},[425,441,448,455,464,474,484,494,501],{"@type":47,"@version":48,"id":426,"meta":427,"component":428,"responsiveStyles":439},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":291},{"name":290,"options":429,"isRSC":61},{"title":407,"description":430,"points":431,"video":438},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. 
Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[432,434,436],{"item":433},"Discover every browser extension in use",{"item":435},"Spot risky or unsanctioned behavior",{"item":437},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":440},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":442,"meta":443,"component":444,"responsiveStyles":446},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":307},{"name":309,"options":445,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":447},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":449,"meta":450,"component":451,"responsiveStyles":453},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":315},{"name":317,"options":452,"isRSC":61},{"darkMode":34},{"large":454},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"layerName":322,"id":456,"component":457,"responsiveStyles":462},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":322,"tag":322,"options":458,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":459,"description":460,"image":461,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. 
Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":463},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":465,"meta":466,"component":467,"responsiveStyles":472},"builder-93738f98109a4009affb349afd7bb182",{"previousId":334},{"name":336,"options":468,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":469,"description":470,"reverse":34,"image":471},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":473},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},{"@type":47,"@version":48,"id":475,"meta":476,"component":477,"responsiveStyles":482},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":349},{"name":336,"options":478,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":479,"description":480,"reverse":6,"image":481},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. 
This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":483},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":485,"meta":486,"component":487,"responsiveStyles":492},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":360},{"name":336,"options":488,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":489,"description":490,"reverse":34,"image":491},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. 
You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":493},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":495,"meta":496,"component":497,"responsiveStyles":499},"builder-1a689287d1a1418997d57db578a71105",{"previousId":371},{"name":317,"options":498,"isRSC":61},{"darkMode":6},{"large":500},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":502,"component":503,"responsiveStyles":505},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":379,"tag":379,"options":504,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":506},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":508,"@type":47,"tagName":74,"properties":509,"responsiveStyles":510},"builder-pixel-36eccogsjzc",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":511},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":513},{"path":29,"query":514},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":401,"winningTest":61,"breakpoints":521,"lastPreviewUrl":522,"hasLinks":6,"originalContentId":222,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true
&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":524,"id":525,"name":526,"modelId":224,"published":13,"query":527,"data":530,"variations":633,"lastUpdated":634,"firstPublished":635,"testRatio":23,"screenshot":636,"createdBy":91,"lastUpdatedBy":637,"folders":638,"meta":639,"rev":403},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[528],{"@type":227,"property":228,"operator":229,"value":529},"/uc/account-takeover-detection",{"title":526,"customFonts":531,"jsCode":29,"seoTitle":526,"seoDescription":536,"fontAwesomeIcon":537,"tsCode":29,"blocks":538,"url":529,"state":630},[532],{"kind":236,"category":258,"variants":533,"menu":259,"files":534,"family":235,"subsets":535,"version":237,"lastModified":238},[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"300italic":256,"500italic":255,"800italic":248,"700italic":250,"italic":252,"900italic":249,"600italic":257,"200italic":254,"regular":253,"100italic":251},[261,262],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[539,625],{"@type":47,"@version":48,"tagName":286,"id":540,"meta":541,"children":542},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":287},[543,559,566,573,582,592,602,612,619],{"@type":47,"@version":48,"id":544,"meta":545,"component":546,"responsiveStyles":557},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":291},{"name":290,"options":547,"isRSC":61},{"title":526,"description":548,"points":549,"video":556},"\u003Cp>Attackers don’t need to phish, they just need a password that works. 
Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[550,552,554],{"item":551},"Identify credential-based ATO as it unfolds",{"item":553},"Surface hijacked sessions and token misuse",{"item":555},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":558},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":560,"meta":561,"component":562,"responsiveStyles":564},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":307},{"name":309,"options":563,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":565},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":567,"meta":568,"component":569,"responsiveStyles":571},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":315},{"name":317,"options":570,"isRSC":61},{"darkMode":34},{"large":572},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":574,"component":575,"responsiveStyles":580},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":322,"tag":322,"options":576,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":577,"description":578,"image":579,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. 
Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":581},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":583,"meta":584,"component":585,"responsiveStyles":590},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":334},{"name":336,"options":586,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":587,"description":588,"reverse":34,"image":589},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. 
By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":591},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":593,"meta":594,"component":595,"responsiveStyles":600},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":349},{"name":336,"options":596,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":597,"description":598,"reverse":6,"image":599},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":601},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":603,"meta":604,"component":605,"responsiveStyles":610},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":360},{"name":336,"options":606,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":607,"description":608,"reverse":34,"image":609},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":611},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":613,"meta":614,"component":615,"responsiveStyles":617},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":371},{"name":317,"options":616,"isRSC":61},{"darkMode":6},{"large":618},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":620,"component":621,"responsiveStyles":623},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":379,"tag":379,"options":622,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":624},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":626,"@type":47,"tagName":74,"properties":627,"responsiveStyles":628},"builder-pixel-to6zctet07n",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":629},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":631},{"path":29,"query":632},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":640,"hasLinks":6,"originalContentId":222,"breakpoints":641,"winningTest":61,"kind":401,"hasAutosaves":34},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesig
nSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":643,"id":644,"name":645,"modelId":224,"published":13,"query":646,"data":649,"variations":752,"lastUpdated":753,"firstPublished":754,"testRatio":23,"screenshot":755,"createdBy":91,"lastUpdatedBy":637,"folders":756,"meta":757,"rev":403},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[647],{"@type":227,"property":228,"operator":229,"value":648},"/uc/attack-path-hardening",{"tsCode":29,"seoDescription":650,"jsCode":29,"customFonts":651,"fontAwesomeIcon":656,"seoTitle":645,"title":645,"blocks":657,"url":648,"state":749},"Harden access paths with visibility,  detection, and 
guardrails.",[652],{"kind":236,"files":653,"version":237,"lastModified":238,"subsets":654,"menu":259,"category":258,"variants":655,"family":235},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"regular":253,"italic":252,"800italic":248,"500italic":255,"600italic":257,"200italic":254,"900italic":249,"700italic":250,"100italic":251,"300italic":256},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],"faRadar",[658,744],{"@type":47,"@version":48,"tagName":286,"id":659,"meta":660,"children":661},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":540},[662,678,685,692,701,711,721,731,738],{"@type":47,"@version":48,"id":663,"meta":664,"component":665,"responsiveStyles":676},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":544},{"name":290,"options":666,"isRSC":61},{"title":645,"description":667,"points":668,"video":675},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[669,671,673],{"item":670},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":672},"Monitor how users actually log in across apps, flows, and tools",{"item":674},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":677},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":679,"meta":680,"component":681,"responsiveStyles":683},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":560},{"name":309,"options":682,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":684},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":686,"meta":687,"component":688,"responsiveStyles":690},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":567},{"name":317,"options":689,"isRSC":61},{"darkMode":34},{"large":691},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":693,"component":694,"responsiveStyles":699},"builder-dec0246085e1485c803f7152b1922a81",{"name":322,"tag":322,"options":695,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":696,"description":697,"image":698,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":700},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":702,"meta":703,"component":704,"responsiveStyles":709},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":583},{"name":336,"options":705,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":706,"description":707,"reverse":34,"image":708},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":710},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},{"@type":47,"@version":48,"id":712,"meta":713,"component":714,"responsiveStyles":719},"builder-431d175c59004669b0b2776b07d71737",{"previousId":593},{"name":336,"options":715,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":716,"description":717,"reverse":6,"image":718},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":720},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":722,"meta":723,"component":724,"responsiveStyles":729},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":603},{"name":336,"options":725,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":726,"description":727,"reverse":34,"image":728},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":730},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":732,"meta":733,"component":734,"responsiveStyles":736},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":613},{"name":317,"options":735,"isRSC":61},{"darkMode":6},{"large":737},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":739,"component":740,"responsiveStyles":742},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":379,"tag":379,"options":741,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":743},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":745,"@type":47,"tagName":74,"properties":746,"responsiveStyles":747},"builder-pixel-jd24dbxvxv",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":748},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":750},{"path":29,"query":751},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":401,"lastPreviewUrl":758,"breakpoints":759,"hasLinks":6,"originalContentId":525,"winningTest":61,"hasAutosaves":34},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEd
it=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":761,"id":762,"name":763,"modelId":224,"published":13,"query":764,"data":767,"variations":872,"lastUpdated":873,"firstPublished":874,"testRatio":23,"screenshot":875,"createdBy":91,"lastUpdatedBy":637,"folders":876,"meta":877,"rev":403},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[765],{"@type":227,"property":228,"operator":229,"value":766},"/uc/clickfix-protection",{"seoDescription":768,"fontAwesomeIcon":769,"customFonts":770,"seoTitle":775,"jsCode":29,"tsCode":29,"title":775,"blocks":776,"url":766,"state":869},"Block attacks that trick users into running malicious code.","faLaptopCode",[771],{"files":772,"subsets":773,"menu":259,"version":237,"kind":236,"family":235,"lastModified":238,"variants":774,"category":258},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"200italic":254,"800italic":248,"700italic":250,"600italic":257,"100italic":251,"italic":252,"regular":253,"300italic":256,"500italic":255,"900italic":249},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],"ClickFix protection",[777,864],{"@type":47,"@version":48,"tagName":286,"id":778,"meta":779,"children":780},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":659},[781,797,804,811,821,831,841,851,858],{"@type":47,"@version":48,"id":782,"meta":783,"component":784,"responsiveStyles":795},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":663},{"name":290,"options":785,"isRSC":61},{"title":775,"description":786,"points":787,"image":794},"\u003Cp>ClickFix attacks are one of the fastest-growing 
threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[788,790,792],{"item":789},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":791},"Block malicious copy-and-paste actions before code is executed",{"item":793},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":796},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":798,"meta":799,"component":800,"responsiveStyles":802},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":679},{"name":309,"options":801,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":803},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":805,"meta":806,"component":807,"responsiveStyles":809},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":686},{"name":317,"options":808,"isRSC":61},{"darkMode":34},{"large":810},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":812,"meta":813,"component":814,"responsiveStyles":819},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":693},{"name":322,"tag":322,"options":815,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":816,"description":817,"reverse":6,"image":818},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack 
exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":820},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":822,"meta":823,"component":824,"responsiveStyles":829},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":702},{"name":336,"options":825,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":826,"description":827,"reverse":34,"image":828},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":830},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":346,"marginTop":347},{"@type":47,"@version":48,"id":832,"meta":833,"component":834,"responsiveStyles":839},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":712},{"name":336,"options":835,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":836,"description":837,"reverse":6,"image":838},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":840},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":842,"meta":843,"component":844,"responsiveStyles":849},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":722},{"name":336,"options":845,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":846,"description":847,"reverse":34,"image":848},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":850},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":852,"meta":853,"component":854,"responsiveStyles":856},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":732},{"name":317,"options":855,"isRSC":61},{"darkMode":6},{"large":857},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":859,"component":860,"responsiveStyles":862},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":379,"tag":379,"options":861,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":863},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":865,"@type":47,"tagName":74,"properties":866,"responsiveStyles":867},"builder-pixel-wlp1de4u88",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":868},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":870},{"path":29,"query":871},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":878,"originalContentId":644,"winningTest":61,"hasLinks":6,"kind":401,"breakpoints":879,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.
role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":881,"id":882,"name":883,"modelId":224,"published":13,"query":884,"data":887,"variations":992,"lastUpdated":993,"firstPublished":994,"testRatio":23,"screenshot":995,"createdBy":91,"lastUpdatedBy":637,"folders":996,"meta":997,"rev":403},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[885],{"@type":227,"property":228,"operator":229,"value":886},"/uc/incident-response",{"seoDescription":888,"customFonts":889,"title":883,"jsCode":29,"fontAwesomeIcon":894,"seoTitle":895,"tsCode":29,"blocks":896,"url":886,"state":989},"Investigate and respond faster with unique browser telemetry.",[890],{"kind":236,"subsets":891,"menu":259,"variants":892,"category":258,"family":235,"version":237,"lastModified":238,"files":893},[261,262],[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"900italic":249,"600italic":257,"200italic":254,"300italic":256,"100italic":251,"700italic":250,"800italic":248,"regular":253,"italic":252,"500italic":255},"faSatelliteDish","Browser based incident 
response",[897,984],{"@type":47,"@version":48,"tagName":286,"id":898,"meta":899,"children":900},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":659},[901,918,925,932,941,951,961,971,978],{"@type":47,"@version":48,"id":902,"meta":903,"component":904,"responsiveStyles":916},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":663},{"name":290,"options":905,"isRSC":61},{"title":906,"description":907,"points":908,"video":915},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[909,911,913],{"item":910},"Reconstruct what happened with real browser session context",{"item":912},"Investigate faster with real-world session context",{"item":914},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":917},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":919,"meta":920,"component":921,"responsiveStyles":923},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":679},{"name":309,"options":922,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":924},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":926,"meta":927,"component":928,"responsiveStyles":930},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":686},{"name":317,"options":929,"isRSC":61},{"darkMode":34},{"large":931},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":933,"component":934,"responsiveStyles":939},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":322,"tag":322,"options":935,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":936,"description":937,"image":938,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":940},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":942,"meta":943,"component":944,"responsiveStyles":949},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":702},{"name":336,"options":945,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":946,"description":947,"reverse":34,"image":948},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":950},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":952,"meta":953,"component":954,"responsiveStyles":959},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":712},{"name":336,"options":955,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":956,"description":957,"reverse":6,"image":958},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":960},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":962,"meta":963,"component":964,"responsiveStyles":969},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":722},{"name":336,"options":965,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":966,"description":967,"reverse":34,"image":968},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":970},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":972,"meta":973,"component":974,"responsiveStyles":976},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":732},{"name":317,"options":975,"isRSC":61},{"darkMode":6},{"large":977},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":979,"component":980,"responsiveStyles":982},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":379,"tag":379,"options":981,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":983},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":985,"@type":47,"tagName":74,"properties":986,"responsiveStyles":987},"builder-pixel-t6s3okc48is",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":988},{"height":67,"width":67,"display":81,"opacity":6
7,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":990},{"path":29,"query":991},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":401,"breakpoints":998,"originalContentId":644,"winningTest":61,"lastPreviewUrl":999,"hasLinks":6,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1001,"id":1002,"name":1003,"modelId":224,"published":13,"query":1004,"data":1007,"variations":1112,"lastUpdated":1113,"firstPublished":1114,"testRatio":23,"screenshot":1115,"createdBy":91,"lastUpdatedBy":637,"folders":1116,"meta":1117,"rev":403},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1005],{"@type":227,"property":228,"operator":229,"value":1006},"/uc/shadow-saas",{"seoTitle":1008,"seoDescription":1009,"customFonts":1010,"fontAwesomeIcon":1015,"title":1016,"jsCode":29,"tsCode":29,"blocks":1017,"url":1006,"state":1109},"Find and secure shadow SaaS","See and control shadow SaaS in the 
browser.",[1011],{"kind":236,"variants":1012,"files":1013,"family":235,"version":237,"subsets":1014,"lastModified":238,"category":258,"menu":259},[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"300italic":256,"500italic":255,"regular":253,"900italic":249,"italic":252,"100italic":251,"200italic":254,"600italic":257,"700italic":250,"800italic":248},[261,262],"faShieldCheck","Secure shadow SaaS",[1018,1104],{"@type":47,"@version":48,"tagName":286,"id":1019,"meta":1020,"children":1021},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":898},[1022,1038,1045,1052,1061,1071,1081,1091,1098],{"@type":47,"@version":48,"id":1023,"meta":1024,"component":1025,"responsiveStyles":1036},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":902},{"name":290,"options":1026,"isRSC":61},{"title":1008,"description":1027,"points":1028,"video":1035},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[1029,1031,1033],{"item":1030},"Discover every SaaS app users access, managed or not",{"item":1032},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1034},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1037},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":1039,"meta":1040,"component":1041,"responsiveStyles":1043},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":919},{"name":309,"options":1042,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":1044},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":1046,"meta":1047,"component":1048,"responsiveStyles":1050},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":926},{"name":317,"options":1049,"isRSC":61},{"darkMode":34},{"large":1051},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1053,"component":1054,"responsiveStyles":1059},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":322,"tag":322,"options":1055,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":1056,"description":1057,"image":1058,"reverse":6},"\u003Ch2>Use your browser to curb SaaS Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1060},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1062,"meta":1063,"component":1064,"responsiveStyles":1069},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":942},{"name":336,"options":1065,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":1066,"description":1067,"reverse":34,"image":1068},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1070},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":1072,"meta":1073,"component":1074,"responsiveStyles":1079},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":952},{"name":336,"options":1075,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":1076,"description":1077,"reverse":6,"image":1078},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1080},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":1082,"meta":1083,"component":1084,"responsiveStyles":1089},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":962},{"name":336,"options":1085,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":1086,"description":1087,"reverse":34,"image":1088},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1090},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":1092,"meta":1093,"component":1094,"responsiveStyles":1096},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":972},{"name":317,"options":1095,"isRSC":61},{"darkMode":6},{"large":1097},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1099,"component":1100,"responsiveStyles":1102},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":379,"tag":379,"options":1101,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":1103},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":1105,"@type":47,"tagName":74,"properties":1106,"responsiveStyles":1107},"builder-pixel-ls2o8r8i1he",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":1108
},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":1110},{"path":29,"query":1111},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":882,"winningTest":61,"lastPreviewUrl":1118,"breakpoints":1119,"kind":401,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":1121,"id":1122,"name":1123,"modelId":224,"published":13,"stageModifiedSincePublish":6,"query":1124,"data":1127,"variations":1233,"lastUpdated":1234,"firstPublished":1235,"testRatio":23,"screenshot":1236,"createdBy":91,"lastUpdatedBy":396,"folders":1237,"meta":1238,"rev":403},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1125],{"@type":227,"property":228,"operator":229,"value":1126},"/uc/shadow-ai",{"seoTitle":1128,"fontAwesomeIcon":1129,"title":1130,"seoDescription":1131,"customFonts":1132,"tsCode":29,"jsCode":29,"blocks":1137,"url":1126,"state":1230},"Secure AI native and AI enhanced apps. 
","faBrainCircuit","Secure AI","See and control AI apps in the browser.",[1133],{"version":237,"files":1134,"kind":236,"family":235,"lastModified":238,"category":258,"variants":1135,"subsets":1136,"menu":259},{"100":240,"200":241,"300":242,"500":243,"600":244,"700":245,"800":246,"900":247,"700italic":250,"100italic":251,"600italic":257,"italic":252,"300italic":256,"200italic":254,"500italic":255,"800italic":248,"900italic":249,"regular":253},[264,265,266,267,268,269,71,270,271,272,273,274,275,276,277,278,279,280],[261,262],[1138,1225],{"@type":47,"@version":48,"tagName":286,"id":1139,"meta":1140,"children":1141},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1019},[1142,1158,1165,1172,1182,1192,1202,1212,1219],{"@type":47,"@version":48,"id":1143,"meta":1144,"component":1145,"responsiveStyles":1156},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1023},{"name":290,"options":1146,"isRSC":61},{"title":1130,"description":1147,"points":1148,"image":1155},"\u003Cp>Every AI interaction traverses the browser. Employees use GenAI tools, connect AI apps to corporate accounts, and run agentic workflows, often outside security oversight. 
Push gives security teams the visibility to see what AI is doing across their environment and the controls to intervene before sensitive data leaves or access gets abused.\u003C/p>",[1149,1151,1153],{"item":1150},"Discover every AI tool and agent active across your workforce",{"item":1152},"Detect sensitive data being submitted to AI apps",{"item":1154},"Enforce AI policy directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1157},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":305},{"@type":47,"@version":48,"id":1159,"meta":1160,"component":1161,"responsiveStyles":1163},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1039},{"name":309,"options":1162,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":1164},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":313},{"@type":47,"@version":48,"id":1166,"meta":1167,"component":1168,"responsiveStyles":1170},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1046},{"name":317,"options":1169,"isRSC":61},{"darkMode":34},{"large":1171},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1173,"meta":1174,"component":1175,"responsiveStyles":1180},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1053},{"name":322,"tag":322,"options":1176,"isRSC":61},{"darkMode":6,"maxWidth":326,"maxTextWidth":327,"title":1177,"description":1178,"image":1179,"reverse":6},"\u003Ch2>The browser is where AI lives\u003C/h2>","\u003Cp>AI activity doesn't happen at the network layer or the endpoint. It happens in the browser, where employees interact with AI tools, where agents execute tasks, and where sensitive data gets submitted to external services. 
Push captures live telemetry from inside the browser session, identifying every AI-native and AI-enhanced application in use. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1181},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1183,"meta":1184,"component":1185,"responsiveStyles":1190},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1062},{"name":336,"options":1186,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":339,"title":1187,"description":1188,"reverse":34,"image":1189},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Most organisations are using far more AI than they've approved. Push identifies every AI-native and AI-enhanced application accessed across the workforce, which corporate identities are connected, and what new tools appear in the environment. Applications are categorized by risk and policy status so security teams can prioritize exposure before it becomes an incident.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F636e65ad0c4c43faa3e626c41e90d8a3",{"large":1191},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":345,"paddingTop":347,"marginTop":347},{"@type":47,"@version":48,"id":1193,"meta":1194,"component":1195,"responsiveStyles":1200},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1072},{"name":336,"options":1196,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":352,"title":1197,"description":1198,"reverse":6,"image":1199},"\u003Ch2>Prevent sensitive data from reaching the wrong AI tools\u003C/h2>","\u003Cp>Employees paste credentials, customer data, and internal documents into AI tools without realizing the risk. 
Push detects sensitive data interactions in the browser in real time, including file uploads, clipboard activity, and form submissions to unsanctioned or high-risk AI applications. Controls can be applied to warn users, require policy acknowledgment, or block the interaction entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F011332d42dab4a299f25ab3847741ed9",{"large":1201},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":358},{"@type":47,"@version":48,"layerName":336,"id":1203,"meta":1204,"component":1205,"responsiveStyles":1210},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1082},{"name":336,"options":1206,"isRSC":61},{"darkMode":6,"maxWidth":326,"imageMaxWidth":338,"textPaddingTop":363,"title":1207,"description":1208,"reverse":34,"image":1209},"\u003Ch2>Govern agentic AI permissions and activity\u003C/h2>","\u003Cp>AI agents operating in the browser can access applications, execute actions, and handle data on behalf of users, often with permissions that were never explicitly reviewed. 
Push surfaces agentic permissions and data flows so security teams can see what agents are doing, where they have access, and apply controls before that access is exploited or abused.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F71549a73d0b84f1c8cb151c05e493e8d",{"large":1211},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":369},{"@type":47,"@version":48,"id":1213,"meta":1214,"component":1215,"responsiveStyles":1217},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1092},{"name":317,"options":1216,"isRSC":61},{"darkMode":6},{"large":1218},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1220,"component":1221,"responsiveStyles":1223},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":379,"tag":379,"options":1222,"isRSC":61},{"sectionHeading":29,"customClass":381},{"large":1224},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":1226,"@type":47,"tagName":74,"properties":1227,"responsiveStyles":1228},"builder-pixel-rbdhslfte4",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":1229},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":1231},{"path":29,"query":1232},{},{},1778073860450,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9b4d5666fc9e495a9a8de4258975cd9f",[],{"lastPreviewUrl":1239,"hasLinks":6,"originalContentId":1002,"winningTest":61,"breakpoints":1240,"kind":401,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&bu
ilder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"w":1242,"h":1243,"d":1244},448,512,"M280.4 48c-3.2 0-6.3 .5-9.3 1.4L206.6 69.2C136.1 90.9 88 156.1 88 229.8l0 42.9c22.7 3.8 40 23.6 40 47.3l0 144c0 26.5-21.5 48-48 48l-32 0c-26.5 0-48-21.5-48-48L0 320c0-23.8 17.3-43.5 40-47.3l0-42.9C40 135 101.8 51.2 192.5 23.4L256.9 3.5c7.6-2.3 15.5-3.5 23.4-3.5 44 0 79.6 35.7 79.6 79.6l0 56.4c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-56.4C312 62.2 297.8 48 280.4 48zM48 320l0 144 32 0 0-144-32 0zm208 24c0-71.6 55.6-127.8 89-148.1 4.3-2.6 9.6-2.6 14 0 33.5 20.3 89 76.6 89 148.1 0 32-16 80-64 112l27.3 27.3c3 3 4.7 7.1 4.7 11.3l0 1.4c0 8.8-7.2 16-16 16l-96 0c-8.8 0-16-7.2-16-16l0-1.4c0-4.2 1.7-8.3 4.7-11.3L320 456c-48-32-64-80-64-112zm128-32a24 24 0 1 0 -48 0 24 24 0 1 0 48 0z",{"w":1243,"h":1243,"d":1246},"M201.1 57.3c-7 5.3-9.1 10.7-9.1 14.7 0 4.2 2.4 10.1 10.4 15.6 7.8 5.3 13.6 14.6 13.6 25.6 0 17-13.8 30.7-30.7 30.7L56 144c-4.4 0-8 3.6-8 8l0 52.5c7.4-2.9 15.5-4.5 24-4.5 43.1 0 72 39.4 72 80s-28.9 80-72 80c-8.5 0-16.6-1.6-24-4.5L48 456c0 4.4 3.6 8 8 8l100.5 0c-2.9-7.4-4.5-15.5-4.5-24 0-43.1 39.4-72 80-72s80 28.9 80 72c0 8.5-1.6 16.6-4.5 24l52.5 0c4.4 0 8-3.6 8-8l0-129.3c0-17 13.8-30.7 30.7-30.7 11.1 0 20.3 5.8 25.6 13.6 5.5 8 11.4 10.4 15.6 10.4 4 0 9.5-2.1 14.7-9.1s9.3-17.9 9.3-30.9-4-23.8-9.3-30.9-10.7-9.1-14.7-9.1c-4.2 0-10.1 2.4-15.6 10.4-5.3 7.8-14.6 13.6-25.6 13.6-17 0-30.7-13.8-30.7-30.7l0-81.3c0-4.4-3.6-8-8-8l-81.3 0c-17 0-30.7-13.8-30.7-30.7 0-11.1 5.8-20.3 13.6-25.6 8-5.5 10.4-11.4 10.4-15.6 0-4-2.1-9.5-9.1-14.7S245 48 232 48 208.2 52 201.1 57.3zM172.3 18.9C188.5 6.8 209.6 0 232 0S275.5 6.8 291.7 18.9 320 49.5 320 72c0 8.6-1.8 16.7-4.9 24L360 96c30.9 0 56 25.1 
56 56l0 44.9c7.3-3.1 15.4-4.9 24-4.9 22.5 0 41 12.2 53.1 28.3s18.9 37.3 18.9 59.7-6.8 43.5-18.9 59.7-30.6 28.3-53.1 28.3c-8.6 0-16.7-1.8-24-4.9l0 92.9c0 30.9-25.1 56-56 56l-78.1 0c-18.7 0-33.9-15.2-33.9-33.9 0-10.1 4.5-18.5 9.9-24.2 4.2-4.3 6.1-9.2 6.1-13.9 0-9.9-10.7-24-32-24s-32 14.1-32 24c0 4.7 1.9 9.5 6.1 13.9 5.5 5.7 9.9 14.1 9.9 24.2 0 18.7-15.2 33.9-33.9 33.9L56 512c-30.9 0-56-25.1-56-56L0 329.9c0-18.7 15.2-33.9 33.9-33.9 10.1 0 18.5 4.5 24.2 9.9 4.3 4.2 9.2 6.1 13.9 6.1 9.9 0 24-10.7 24-32s-14.1-32-24-32c-4.7 0-9.5 1.9-13.9 6.1-5.7 5.5-14.1 9.9-24.2 9.9-18.7 0-33.9-15.2-33.9-33.9L0 152c0-30.9 25.1-56 56-56l92.9 0c-3.1-7.3-4.9-15.4-4.9-24 0-22.5 12.2-41 28.3-53.1z",{"w":1242,"h":1243,"d":1248},"M102.7 96c10.4-53.7 31.9-112 68.3-112 9.6 0 19 3.9 27.5 8.2 8.2 4.1 18.4 7.8 25.5 7.8s17.3-3.7 25.5-7.8c8.5-4.3 17.9-8.2 27.5-8.2 36.4 0 57.8 58.3 68.3 112L376 96c13.3 0 24 10.7 24 24s-10.7 24-24 24l-24 0 0 32c0 17-3.3 33.2-9.3 48l33.3 0c8.1 0 15.6 4 20 10.8s5.2 15.2 2.1 22.6l-31.5 74.2c48.9 31.2 81.4 86 81.4 148.5l0 8c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-8c0-51.4-30.3-95.8-74.1-116.1-11.7-5.5-17-19.2-12-31.2l25.8-60.7-27.7 0c-1.1 0-2.1-.1-3.1-.2-22.6 20-52.3 32.2-84.9 32.2s-62.3-12.2-84.9-32.2c-1 .1-2.1 .2-3.1 .2l-27.7 0 25.8 60.7c5.1 11.9-.2 25.7-12 31.2-43.8 20.4-74.1 64.7-74.1 116.1l0 8c0 13.3-10.7 24-24 24S0 501.3 0 488l0-8c0-62.4 32.5-117.2 81.4-148.5L49.9 257.4c-3.2-7.4-2.4-15.9 2.1-22.6S63.9 224 72 224l33.3 0c-6-14.8-9.3-31-9.3-48l0-32-24 0c-13.3 0-24-10.7-24-24S58.7 96 72 96l30.7 0zm45.9 107c11.1 30.9 40.6 53 75.3 53s64.2-22.1 75.3-53c-5.7 3.2-12.3 5-19.3 5l-12.4 0c-16.5 0-31.1-10.6-36.3-26.2-2.3-7-12.2-7-14.5 0-5.2 15.6-19.9 26.2-36.3 26.2L168 208c-7 0-13.6-1.8-19.3-5zm44.8 133l61 0c9.7 0 17.5 7.8 17.5 17.5 0 4.2-1.5 8.2-4.2 11.4l-27.9 32.5 28.9 82.6c5.5 15.6-6.1 31.9-22.7 31.9l-44.3 0c-16.5 0-28.1-16.3-22.7-31.9l28.9-82.6-27.9-32.5c-2.7-3.2-4.2-7.2-4.2-11.4 0-9.7 7.8-17.5 17.5-17.5z",{"w":1243,"h":1243,"d":1250},"M304.8 173.3c-14.3-8.4-31-13.3-48.8-13.3-53 
0-96 43-96 96s43 96 96 96 96-43 96-96l48 0c0 79.5-64.5 144-144 144s-144-64.5-144-144 64.5-144 144-144c31.1 0 59.9 9.9 83.4 26.6l45.7-45.7C349.7 64.8 304.8 48 256 48 141.1 48 48 141.1 48 256s93.1 208 208 208 208-93.1 208-208l48 0c0 141.4-114.6 256-256 256S0 397.4 0 256 114.6 0 256 0c62.1 0 118.9 22.1 163.3 58.8L463 15c9.4-9.4 24.6-9.4 33.9 0s9.4 24.6 0 33.9L273 273c-9.4 9.4-24.6 9.4-33.9 0s-9.4-24.6 0-33.9l65.7-65.7z",{"w":32,"h":1243,"d":1252},"M128 80l384 0c8.8 0 16 7.2 16 16l0 208 48 0 0-208c0-35.3-28.7-64-64-64L128 32C92.7 32 64 60.7 64 96l0 208 48 0 0-208c0-8.8 7.2-16 16-16zM52.8 400l534.4 0c-8.5 18.9-27.5 32-49.6 32l-435.2 0c-22.1 0-41.1-13.1-49.6-32zM25.6 352C11.5 352 0 363.5 0 377.6 0 434.2 45.8 480 102.4 480l435.2 0c56.6 0 102.4-45.8 102.4-102.4 0-14.1-11.5-25.6-25.6-25.6L25.6 352zM281 169c9.4-9.4 9.4-24.6 0-33.9s-24.6-9.4-33.9 0l-48 48c-9.4 9.4-9.4 24.6 0 33.9l48 48c9.4 9.4 24.6 9.4 33.9 0s9.4-24.6 0-33.9l-31-31 31-31zM393 135c-9.4-9.4-24.6-9.4-33.9 0s-9.4 24.6 0 33.9l31 31-31 31c-9.4 9.4-9.4 24.6 0 33.9s24.6 9.4 33.9 0l48-48c9.4-9.4 9.4-24.6 0-33.9l-48-48z",{"w":1243,"h":1243,"d":1254},"M232 0c-13.3 0-24 10.7-24 24s10.7 24 24 24c128.1 0 232 103.9 232 232 0 13.3 10.7 24 24 24s24-10.7 24-24C512 125.4 386.6 0 232 0zM48 256c0-23 3.7-45 10.5-65.6l263 263C301 460.3 279 464 256 464 141.1 464 48 370.9 48 256zM72.8 136.8c-14.1-14.1-37.6-12-46.5 5.8-16.9 34.2-26.4 72.6-26.4 113.3 0 141.4 114.6 256 256 256 40.7 0 79.2-9.5 113.3-26.4 17.9-8.8 19.9-32.4 5.8-46.5L241 305 281 265c9.4-9.4 9.4-24.6 0-33.9s-24.6-9.4-33.9 0L207 271 72.8 136.8zM208 120c0 13.3 10.7 24 24 24 75.1 0 136 60.9 136 136 0 13.3 10.7 24 24 24s24-10.7 24-24c0-101.6-82.4-184-184-184-13.3 0-24 10.7-24 24z",{"w":1243,"h":1243,"d":1256},"M256.1 0c4.6 0 9.2 1 13.3 2.9L457.8 82.8c22 9.3 38.4 31 38.3 57.2-.5 99.2-41.3 280.7-213.6 363.2-16.7 8-36.1 8-52.8 0-172.4-82.5-213.2-263.9-213.7-363.2-.1-26.2 16.3-47.9 38.3-57.2L242.7 2.9C246.8 1 251.4 0 256.1 0zM73.1 127c-5.9 2.5-9.1 7.7-9 12.7 .5 91.4 38.4 249.3 
186.4 320.1 3.6 1.7 7.8 1.7 11.3 0 148-70.8 185.9-228.7 186.3-320.1 0-5-3.1-10.2-9-12.7l-183-77.6-183 77.6zm240.3 34.9c7.8-10.7 22.8-13.1 33.5-5.3 10.7 7.8 13.1 22.8 5.3 33.5L249.8 330.9c-4.2 5.7-10.7 9.3-17.8 9.8s-14-2.2-18.9-7.3l-46.4-48c-9.2-9.5-9-24.7 .6-33.9 9.5-9.2 24.7-8.9 33.9 .6l26.5 27.4 85.6-117.7z",{"w":1243,"h":1243,"d":1258},"M123 58.1c9.5-33.5 40.4-58.1 77-58.1 21.8 0 41.6 8.7 56 22.9 14.4-14.1 34.2-22.9 56-22.9 36.6 0 67.4 24.6 77 58.1 47.4 9.7 83 51.6 83 101.9 0 11.3-1.8 22.2-5.1 32.3 22.7 19.1 37.1 47.7 37.1 79.7 0 23.7-8 45.6-21.3 63.1 3.5 10.4 5.3 21.4 5.3 32.9 0 54-41.2 98.5-93.9 103.5-15.6 24.3-42.9 40.5-74.1 40.5-25.2 0-48-10.6-64-27.6-16 17-38.8 27.6-64 27.6-31.1 0-58.4-16.2-74.1-40.5-52.7-5.1-93.9-49.5-93.9-103.5 0-11.5 1.9-22.5 5.3-32.9-13.4-17.5-21.3-39.4-21.3-63.1 0-32 14.5-60.6 37.1-79.7-3.3-10.2-5.1-21.1-5.1-32.3 0-50.3 35.6-92.2 83-101.9zM200 48c-17.7 0-32 14.3-32 32 0 13.3-10.7 24-24 24-30.9 0-56 25.1-56 56 0 10.5 2.9 20.3 7.9 28.6 3.4 5.7 4.3 12.5 2.5 18.9s-6.2 11.7-12 14.7c-18 9.3-30.3 28.1-30.3 49.8 0 16.1 6.8 30.7 17.8 40.9 7.9 7.4 9.9 19.2 4.8 28.8-4.2 7.8-6.5 16.7-6.5 26.3 0 30.9 25.1 56 56 56 1.1 0 2.2 0 3.2-.1 10.3-.6 19.8 5.5 23.6 15 5.9 14.7 20.4 25.1 37.1 25.1 20.4 0 37.2-15.3 39.7-35 .1-.6 .2-1.3 .3-1.9l0-135.1-40 0c-6.6 0-12 5.4-12 12l0 4.4c16.5 7.6 28 24.3 28 43.6 0 26.5-21.5 48-48 48s-48-21.5-48-48c0-19.4 11.5-36.1 28-43.6l0-4.4c0-28.7 23.3-52 52-52l40 0 0-56-12.4 0c-7.6 16.5-24.3 28-43.6 28-26.5 0-48-21.5-48-48s21.5-48 48-48c19.4 0 36.1 11.5 43.6 28l12.4 0 0-76c0-17.7-14.3-32-32-32zm80 148l0 152 40 0c6.6 0 12-5.4 12-12l0-4.4c-16.5-7.6-28-24.3-28-43.6 0-26.5 21.5-48 48-48s48 21.5 48 48c0 19.4-11.5 36.1-28 43.6l0 4.4c0 28.7-23.3 52-52 52l-40 0 0 39.1c.1 .6 .2 1.2 .3 1.9 2.5 19.7 19.3 35 39.7 35 16.8 0 31.2-10.3 37.1-25.1 3.8-9.6 13.3-15.6 23.6-15 1.1 .1 2.2 .1 3.2 .1 30.9 0 56-25.1 56-56 0-9.5-2.4-18.5-6.5-26.3-5.1-9.6-3.1-21.4 4.8-28.8 11-10.2 17.8-24.8 17.8-40.9 
0-21.6-12.2-40.4-30.3-49.8-5.9-3-10.2-8.4-12-14.7s-.9-13.2 2.5-18.9c5-8.4 7.9-18.1 7.9-28.6 0-30.9-25.1-56-56-56-13.3 0-24-10.7-24-24 0-17.7-14.3-32-32-32s-32 14.3-32 32l0 76 12.4 0c7.6-16.5 24.3-28 43.6-28 26.5 0 48 21.5 48 48s-21.5 48-48 48c-19.4 0-36.1-11.5-43.6-28L280 196zm56-36a16 16 0 1 0 0 32 16 16 0 1 0 0-32zm0 128a16 16 0 1 0 32 0 16 16 0 1 0 -32 0zM144 352a16 16 0 1 0 32 0 16 16 0 1 0 -32 0zm16-176a16 16 0 1 0 32 0 16 16 0 1 0 -32 0z",{"id":1260,"title":1261,"authorsCollection":1262,"content":1270,"extension":1916,"hashTags":61,"meta":1917,"metaTitle":1918,"ogImage":61,"publishedDate":1919,"relatedBlogPostsCollection":1920,"slug":4478,"stem":4479,"subtitle":61,"summary":4480,"synopsis":4491,"sys":4492,"tagsCollection":4495,"__hash__":4503},"blog/blog/the-cisos-data-problem-and-how-browser-telemetry-can-help.json","The CISO's data problem (and how browser telemetry can help)",{"items":1263},[1264],{"fullName":1265,"firstName":1266,"jobTitle":1267,"profilePicture":1268},"Mark Orlando","Mark","Field CTO",{"url":1269},"https://images.ctfassets.net/y1cdw1ablpvd/592PMwIQQFaa24k5SKBEKF/a33090d0ad95d1e3081f5d16a46ba826/image__68_.png",{"json":1271,"links":1799},{"nodeType":1272,"data":1273,"content":1274},"document",{},[1275,1286,1319,1328,1335,1354,1370,1374,1382,1397,1418,1443,1449,1465,1496,1502,1508,1524,1527,1535,1542,1551,1570,1586,1594,1620,1627,1635,1666,1673,1681,1688,1694,1697,1705,1712,1720,1726,1729,1737,1744,1751,1758,1770,1773,1780],{"nodeType":1276,"data":1277,"content":1278},"heading-1",{},[1279],{"nodeType":1280,"value":1281,"marks":1282,"data":1285},"text","The quantification problem nobody talks about",[1283],{"type":1284},"bold",{},{"nodeType":1287,"data":1288,"content":1289},"paragraph",{},[1290,1294,1303,1307,1315],{"nodeType":1280,"value":1291,"marks":1292,"data":1293},"I was recently 
teaching",[],{},{"nodeType":1295,"data":1296,"content":1298},"hyperlink",{"uri":1297},"https://www.sans.org/cyber-security-courses/cybersecurity-leaders/",[1299],{"nodeType":1280,"value":1300,"marks":1301,"data":1302}," SANS LDR551",[],{},{"nodeType":1280,"value":1304,"marks":1305,"data":1306},", where we cover some of the flawed approaches used in risk measurement and prioritization — for example, presenting ordinal data in a risk matrix as ratio data, implying that the matrix represents quantitative analysis when it’s more of a best guess. We then look at modeling using",[],{},{"nodeType":1295,"data":1308,"content":1310},{"uri":1309},"https://en.wikipedia.org/wiki/Loss_exceedance_curve",[1311],{"nodeType":1280,"value":1312,"marks":1313,"data":1314}," Loss Exceedance Curves",[],{},{"nodeType":1280,"value":1316,"marks":1317,"data":1318}," as a more accurate, if much more difficult, approach to quantitative risk assessment.",[],{},{"nodeType":1320,"data":1321,"content":1327},"embedded-entry-block",{"target":1322},{"sys":1323},{"id":1324,"type":1325,"linkType":1326},"4S1wJUm6E1qvyZzwrl2DL","Link","Entry",[],{"nodeType":1287,"data":1329,"content":1330},{},[1331],{"nodeType":1280,"value":1332,"marks":1333,"data":1334},"The only problem is, we rarely have the time or the data to construct such models. Ask a CISO how they measure risk for credential compromise and other account takeover attacks, and the answer will probably include one or more of the following: a risk assessment, a whiteboard, and a room full of smart people making educated guesses about attack frequency and control strength. ",[],{},{"nodeType":1287,"data":1336,"content":1337},{},[1338,1342,1350],{"nodeType":1280,"value":1339,"marks":1340,"data":1341},"That isn't a criticism — for most risk scenarios, expert elicitation is the best (and most convenient) available method. Breach cost data is sparse, threat actor behavior is unpredictable, and internal incident history is (ideally!) a limited sample. 
Quantitative risk frameworks like",[],{},{"nodeType":1295,"data":1343,"content":1345},{"uri":1344},"https://www.fairinstitute.org/",[1346],{"nodeType":1280,"value":1347,"marks":1348,"data":1349}," FAIR",[],{},{"nodeType":1280,"value":1351,"marks":1352,"data":1353}," give structure to that uncertainty, but they can't conjure data that just doesn't exist.",[],{},{"nodeType":1287,"data":1355,"content":1356},{},[1357,1361,1366],{"nodeType":1280,"value":1358,"marks":1359,"data":1360},"The results are usually estimates with wide confidence intervals and loss distributions that appear precise, but are hard to defend to a CFO or a board. Finance leaders have seen Monte Carlo simulations before; the capable ones will challenge the quality of the outputs if they doubt the quality of the inputs. ",[],{},{"nodeType":1280,"value":1362,"marks":1363,"data":1365},"But with the right telemetry, we can get both",[1364],{"type":1284},{},{"nodeType":1280,"value":1367,"marks":1368,"data":1369},".",[],{},{"nodeType":1371,"data":1372,"content":1373},"hr",{},[],{"nodeType":1276,"data":1375,"content":1376},{},[1377],{"nodeType":1280,"value":1378,"marks":1379,"data":1381},"Why the identity attack surface is uniquely measurable",[1380],{"type":1284},{},{"nodeType":1287,"data":1383,"content":1384},{},[1385,1389,1394],{"nodeType":1280,"value":1386,"marks":1387,"data":1388},"We've written extensively about the shift to identity as a primary attack vector — and the evidence continues to stack up. Credential phishing, device code phishing, ClickFix, adversary-in-the-middle attacks, session hijacking, and SaaS account compromise now account for the majority of breach entry points in most enterprise environments. 
But the silver lining here is that this shift has created something valuable for risk quantification: ",[],{},{"nodeType":1280,"value":1390,"marks":1391,"data":1393},"a highly observable threat surface",[1392],{"type":275},{},{"nodeType":1280,"value":1367,"marks":1395,"data":1396},[],{},{"nodeType":1287,"data":1398,"content":1399},{},[1400,1404,1414],{"nodeType":1280,"value":1401,"marks":1402,"data":1403},"Identity attacks execute ",[],{},{"nodeType":1295,"data":1405,"content":1407},{"uri":1406},"https://pushsecurity.com/blog/introducing-the-browser-and-identity-attacks-matrix/",[1408],{"nodeType":1280,"value":1409,"marks":1410,"data":1413},"in the browser",[1411],{"type":1412},"underline",{},{"nodeType":1280,"value":1415,"marks":1416,"data":1417},". They leave traces in authentication flows, login behaviors, OAuth integrations, extension activity, and SaaS access patterns — all of which are captured in real time by the Push extension. Unlike network or endpoint attacks, where the signal is often binary and retroactive, browser-based identity threats generate continuous, high-frequency telemetry that maps directly onto the inputs that drive quantitative risk models.",[],{},{"nodeType":1287,"data":1419,"content":1420},{},[1421,1425,1430,1434,1439],{"nodeType":1280,"value":1422,"marks":1423,"data":1424},"This telemetry directly informs the hardest inputs in any quantitative risk model. One is ",[],{},{"nodeType":1280,"value":1426,"marks":1427,"data":1429},"Threat Event Frequency (TEF)",[1428],{"type":1284},{},{"nodeType":1280,"value":1431,"marks":1432,"data":1433},": how often a threat agent acts against an asset in a given period. For identity risks, this can be answered in how many credential phishing attempts reached your users across all delivery channels (social media, email, malvertising, etc.), or how frequently your users authorize malicious or compromised SaaS apps. 
Browser-level telemetry can answer these questions with ",[],{},{"nodeType":1280,"value":1435,"marks":1436,"data":1438},"observed",[1437],{"type":275},{},{"nodeType":1280,"value":1440,"marks":1441,"data":1442}," data rather than industry lookups and general benchmarks. ",[],{},{"nodeType":1320,"data":1444,"content":1448},{"target":1445},{"sys":1446},{"id":1447,"type":1325,"linkType":1326},"EvjT68MCWW7nz5q86xe8S",[],{"nodeType":1287,"data":1450,"content":1451},{},[1452,1456,1461],{"nodeType":1280,"value":1453,"marks":1454,"data":1455},"The other input to risk modeling that's difficult to express in concrete terms is ",[],{},{"nodeType":1280,"value":1457,"marks":1458,"data":1460},"vulnerability",[1459],{"type":1284},{},{"nodeType":1280,"value":1462,"marks":1463,"data":1464},": the probability a threat becomes a loss event or, more specifically, how likely it is that your controls will fail. ",[],{},{"nodeType":1287,"data":1466,"content":1467},{},[1468,1472,1480,1484,1492],{"nodeType":1280,"value":1469,"marks":1470,"data":1471},"This is where browser telemetry gets especially concrete.",[],{},{"nodeType":1295,"data":1473,"content":1475},{"uri":1474},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[1476],{"nodeType":1280,"value":1477,"marks":1478,"data":1479}," Analysis of login telemetry across Push-monitored environments",[],{},{"nodeType":1280,"value":1481,"marks":1482,"data":1483}," shows that 1 in 4 logins are still password-only (not SSO), 2 in 5 are not protected by MFA, and 1 in 5 use a weak, breached, or reused password. 
Many of these logins occur outside the visibility of a central IdP platform like Microsoft, Google or Okta — the result of downstream ",[],{},{"nodeType":1295,"data":1485,"content":1487},{"uri":1486},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[1488],{"nodeType":1280,"value":1489,"marks":1490,"data":1491},"ghost logins",[],{},{"nodeType":1280,"value":1493,"marks":1494,"data":1495},". ",[],{},{"nodeType":1320,"data":1497,"content":1501},{"target":1498},{"sys":1499},{"id":1500,"type":1325,"linkType":1326},"5GctExdVGjHRwKifiP00Fp",[],{"nodeType":1320,"data":1503,"content":1507},{"target":1504},{"sys":1505},{"id":1506,"type":1325,"linkType":1326},"2mWToHCJcuB9FMwxxzd67F",[],{"nodeType":1287,"data":1509,"content":1510},{},[1511,1515,1520],{"nodeType":1280,"value":1512,"marks":1513,"data":1514},"In a FAIR-based model, TEF and vulnerability together determine ",[],{},{"nodeType":1280,"value":1516,"marks":1517,"data":1519},"loss event frequency",[1518],{"type":1284},{},{"nodeType":1280,"value":1521,"marks":1522,"data":1523},": the foundational driver of the entire risk calculation. Using telemetry from your own environment as the basis for these calculations makes them far more accurate, and more likely to stand up to scrutiny.",[],{},{"nodeType":1371,"data":1525,"content":1526},{},[],{"nodeType":1276,"data":1528,"content":1529},{},[1530],{"nodeType":1280,"value":1531,"marks":1532,"data":1534},"The attack surface is bigger than most models assume",[1533],{"type":1284},{},{"nodeType":1287,"data":1536,"content":1537},{},[1538],{"nodeType":1280,"value":1539,"marks":1540,"data":1541},"One of the consistent failures in identity risk modeling is the tendency to model risks defenders can see, and leave the rest off the balance sheet. 
These omissions create a systematic understatement of exposure that browser-based telemetry can offset.",[],{},{"nodeType":1543,"data":1544,"content":1545},"heading-2",{},[1546],{"nodeType":1280,"value":1547,"marks":1548,"data":1550},"Shadow AI and OAuth sprawl",[1549],{"type":1284},{},{"nodeType":1287,"data":1552,"content":1553},{},[1554,1557,1566],{"nodeType":1280,"value":29,"marks":1555,"data":1556},[],{},{"nodeType":1295,"data":1558,"content":1560},{"uri":1559},"https://pushsecurity.com/blog/unpacking-the-vercel-breach/",[1561],{"nodeType":1280,"value":1562,"marks":1563,"data":1565},"The Vercel breach in April 2026",[1564],{"type":1412},{},{"nodeType":1280,"value":1567,"marks":1568,"data":1569}," was the result of an OAuth connection to a third-party AI SaaS tool a developer connected into the organization's Google Workspace tenant (without admin approval). When the AI vendor was compromised, the attacker leveraged stored OAuth tokens to access downstream accounts, ultimately reaching internal dashboards, API keys, and source code. ",[],{},{"nodeType":1287,"data":1571,"content":1572},{},[1573,1577,1582],{"nodeType":1280,"value":1574,"marks":1575,"data":1576},"Push telemetry across customer environments shows an average of ",[],{},{"nodeType":1280,"value":1578,"marks":1579,"data":1581},"17 unique AI app integrations per organization in Microsoft and Google alone",[1580],{"type":1284},{},{"nodeType":1280,"value":1583,"marks":1584,"data":1585},", most of which security teams would describe as unapproved. 
These generally don't appear in a conventional risk model that isn't looking for them.",[],{},{"nodeType":1543,"data":1587,"content":1588},{},[1589],{"nodeType":1280,"value":1590,"marks":1591,"data":1593},"Browser extensions",[1592],{"type":1284},{},{"nodeType":1287,"data":1595,"content":1596},{},[1597,1601,1611,1616],{"nodeType":1280,"value":29,"marks":1598,"data":1600},[1599],{"type":1284},{},{"nodeType":1295,"data":1602,"content":1604},{"uri":1603},"https://pushsecurity.com/blog/why-browser-extension-risk-scoring-wont-predict-your-next-breach/",[1605],{"nodeType":1280,"value":1606,"marks":1607,"data":1610},"Analysis of 20,000 unique extensions deployed across Push customer environments",[1608,1609],{"type":1412},{"type":1284},{},{"nodeType":1280,"value":1612,"marks":1613,"data":1615}," found that 46.76% have the permission combinations required for account takeover without user interaction. ",[1614],{"type":1284},{},{"nodeType":1280,"value":1617,"marks":1618,"data":1619},"The extensions carrying these permissions aren't flagged by risk scoring systems because the same permissions are used by ad blockers, password managers, and translation tools (the downside of relying on tools that rely on dubious scoring to assess extensions, but I digress). ",[],{},{"nodeType":1287,"data":1621,"content":1622},{},[1623],{"nodeType":1280,"value":1624,"marks":1625,"data":1626},"What matters for risk quantification isn't the permission set or an arbitrary score assigned by a vendor; it's whether the monitoring exists to detect when a previously-clean extension changes ownership, escalates permissions, or behaves anomalously. 
Without that monitoring, the exposure is real but unquantified.",[],{},{"nodeType":1543,"data":1628,"content":1629},{},[1630],{"nodeType":1280,"value":1631,"marks":1632,"data":1634},"ClickFix and non-email delivery channels",[1633],{"type":1284},{},{"nodeType":1287,"data":1636,"content":1637},{},[1638,1642,1650,1654,1662],{"nodeType":1280,"value":1639,"marks":1640,"data":1641},"ClickFix — where a malicious page silently writes a PowerShell or mshta command into the victim's clipboard and instructs them to paste it — was",[],{},{"nodeType":1295,"data":1643,"content":1645},{"uri":1644},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf",[1646],{"nodeType":1280,"value":1647,"marks":1648,"data":1649}," the most common initial access vector observed by Microsoft in 2025",[],{},{"nodeType":1280,"value":1651,"marks":1652,"data":1653},", and CrowdStrike reported a",[],{},{"nodeType":1295,"data":1655,"content":1657},{"uri":1656},"https://www.crowdstrike.com/explore/2026-global-threat-report",[1658],{"nodeType":1280,"value":1659,"marks":1660,"data":1661}," 563% increase in fake CAPTCHA lures",[],{},{"nodeType":1280,"value":1663,"marks":1664,"data":1665}," (one of the most common ClickFix styles in which the user has to \"verify they're human\" by running a command on their machine). ",[],{},{"nodeType":1287,"data":1667,"content":1668},{},[1669],{"nodeType":1280,"value":1670,"marks":1671,"data":1672},"What makes this particularly relevant for risk quantification is the delivery channel: 4 in 5 ClickFix payloads intercepted by Push arrive via search engines, not email. 
A risk model that estimates threat event frequency from email-based phishing telemetry alone is structurally blind to an entire category of attack that has become one of the most prevalent initial access methods in the landscape.",[],{},{"nodeType":1543,"data":1674,"content":1675},{},[1676],{"nodeType":1280,"value":1677,"marks":1678,"data":1680},"Authorization attacks",[1679],{"type":1284},{},{"nodeType":1287,"data":1682,"content":1683},{},[1684],{"nodeType":1280,"value":1685,"marks":1686,"data":1687},"Device code phishing and OAuth consent abuse represent a slightly separate category of identity attack that most risk models don't account for because they operate after the authentication flow has already completed — meaning password strength, MFA coverage, and SSO adoption are irrelevant to whether the attack succeeds. ",[],{},{"nodeType":1320,"data":1689,"content":1693},{"target":1690},{"sys":1691},{"id":1692,"type":1325,"linkType":1326},"7qtHmxCzBm5664jD6HsCwN",[],{"nodeType":1371,"data":1695,"content":1696},{},[],{"nodeType":1276,"data":1698,"content":1699},{},[1700],{"nodeType":1280,"value":1701,"marks":1702,"data":1704},"The key lesson for CISOs",[1703],{"type":1284},{},{"nodeType":1287,"data":1706,"content":1707},{},[1708],{"nodeType":1280,"value":1709,"marks":1710,"data":1711},"A risk model that measures identity vulnerability purely in terms of authentication hygiene at the IdP layer — how many accounts have MFA, how many use SSO — will correctly quantify one dimension of exposure while completely missing another that is growing faster and is structurally immune to the controls being measured.",[],{},{"nodeType":1287,"data":1713,"content":1714},{},[1715],{"nodeType":1280,"value":1716,"marks":1717,"data":1719},"For a CISO building a risk model, these aren't edge cases. They represent a real attack surface that doesn't show up in models built on conventional network, endpoint, and cloud telemetry. 
We aren't just talking about better inputs to risk modeling — we're talking about entirely new risk scenarios that aren't being modeled at all, supported by live data.",[1718],{"type":1284},{},{"nodeType":1320,"data":1721,"content":1725},{"target":1722},{"sys":1723},{"id":1724,"type":1325,"linkType":1326},"2ObEcO1gqz8lrOLCZzfpNw",[],{"nodeType":1371,"data":1727,"content":1728},{},[],{"nodeType":1543,"data":1730,"content":1731},{},[1732],{"nodeType":1280,"value":1733,"marks":1734,"data":1736},"Browser telemetry makes a CISO's life easier",[1735],{"type":1284},{},{"nodeType":1287,"data":1738,"content":1739},{},[1740],{"nodeType":1280,"value":1741,"marks":1742,"data":1743},"Browser-based telemetry changes the conversation a CISO can have with a CFO or board. Instead of \"industry benchmarks suggest our expected annual loss from account compromise is somewhere in this range,\" the answer is, \"We can see how often these attacks are attempted against our users, and we can measure what percentage of our accounts have the controls in place to stop them,\" or \"We know how many shadow AI apps our users self-provision and share data with each month.\" ",[],{},{"nodeType":1287,"data":1745,"content":1746},{},[1747],{"nodeType":1280,"value":1748,"marks":1749,"data":1750},"Identity risk is only a piece of the quantification problem. Loss magnitude, regulatory exposure, and reputational impact are still extremely hard to estimate regardless of how good your frequency inputs are. ",[],{},{"nodeType":1287,"data":1752,"content":1753},{},[1754],{"nodeType":1280,"value":1755,"marks":1756,"data":1757},"But the identity attack surface is one of the few areas in security where measurement is genuinely achievable right now, and the gap between what most organizations are modeling and what's actually observable is significant. 
Shadow SaaS integrations, unapproved AI connections, browser extensions with excessive privileges — these are enumerable risks that don't appear in models built on network, endpoint, and cloud access telemetry alone. ",[],{},{"nodeType":1287,"data":1759,"content":1760},{},[1761,1766],{"nodeType":1280,"value":1762,"marks":1763,"data":1765},"The lesson for CISOs serious about quantitative risk management is this: the frameworks exist, the talent is available, and the bottleneck is almost always data quality. ",[1764],{"type":1284},{},{"nodeType":1280,"value":1767,"marks":1768,"data":1769},"Browser telemetry is a good example of the kind of high-fidelity, environment-specific measurement that closes that gap.",[],{},{"nodeType":1371,"data":1771,"content":1772},{},[],{"nodeType":1287,"data":1774,"content":1775},{},[1776],{"nodeType":1280,"value":1777,"marks":1778,"data":1779},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required. 
",[],{},{"nodeType":1287,"data":1781,"content":1782},{},[1783,1787,1795],{"nodeType":1280,"value":1784,"marks":1785,"data":1786},"Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",[],{},{"nodeType":1295,"data":1788,"content":1790},{"uri":1789},"https://pushsecurity.com/book-demo/",[1791],{"nodeType":1280,"value":1792,"marks":1793,"data":1794}," Book a live demo",[],{},{"nodeType":1280,"value":1796,"marks":1797,"data":1798}," to learn more.",[],{},{"entries":1800},{"hyperlink":1801,"inline":1802,"block":1803},[],[],[1804,1812,1827,1856,1863,1908],{"sys":1805,"__typename":1806,"title":1807,"caption":1807,"layoutMode":61,"file":1808},{"id":1324},"Image","Risk Matrix-style risk modeling versus Loss Exceedance Curve.",{"url":1809,"width":1810,"height":1811},"https://images.ctfassets.net/y1cdw1ablpvd/2bkhvxg1zeLZnrTyzQXQjd/58cfb711a8825b5861a47ef18db8b661/image1.png",1999,1033,{"sys":1813,"__typename":1814,"content":1815,"name":1826,"title":61},{"id":1447},"InsightTextBlockComponent",{"json":1816},{"nodeType":1272,"data":1817,"content":1818},{},[1819],{"nodeType":1287,"data":1820,"content":1821},{},[1822],{"nodeType":1280,"value":1823,"marks":1824,"data":1825},"Models that estimate TEF without factoring in browser-borne attacks are systemically undercounting. One key example of this is email-delivered phishing data. 
Roughly 1 in 3 phishing payloads intercepted by Push are delivered outside of email, meaning an email-only risk assessment is missing the attacks happening over channels like social media, search ads, and messaging apps that most risk models ignore entirely — places where the success chance is far higher because of the lack of control (and because users don't expect it). ",[],{},"CISO data problem IB1",{"sys":1828,"__typename":1814,"content":1829,"name":1855,"title":61},{"id":1500},{"json":1830},{"nodeType":1272,"data":1831,"content":1832},{},[1833],{"nodeType":1287,"data":1834,"content":1835},{},[1836,1841,1850],{"nodeType":1280,"value":1837,"marks":1838,"data":1840},"There are many examples of ghost logins being exploited by attackers in the wild, but the landmark case remains 2024's ",[1839],{"type":1284},{},{"nodeType":1295,"data":1842,"content":1844},{"uri":1843},"https://pushsecurity.com/blog/snowflake-retro/",[1845],{"nodeType":1280,"value":1846,"marks":1847,"data":1849},"Snowflake breach",[1848],{"type":1284},{},{"nodeType":1280,"value":1851,"marks":1852,"data":1854},", in which 165 organizations were breached using compromised credentials that had been sitting online since 2020. MFA was missing in every case. 
",[1853],{"type":1284},{},"CISO data problem IB3",{"sys":1857,"__typename":1806,"title":1858,"caption":1858,"layoutMode":61,"file":1859},{"id":1506},"Data from Push login telemetry across customer environments.",{"url":1860,"width":1861,"height":1862},"https://images.ctfassets.net/y1cdw1ablpvd/67iyvaMRSinyWAPqNFRity/5650febed866df4656160006d7415588/Frame_1__2_.png",2160,496,{"sys":1864,"__typename":1814,"content":1865,"name":1907,"title":61},{"id":1692},{"json":1866},{"nodeType":1272,"data":1867,"content":1868},{},[1869,1888],{"nodeType":1287,"data":1870,"content":1871},{},[1872,1876,1884],{"nodeType":1280,"value":1873,"marks":1874,"data":1875},"Push has tracked a",[],{},{"nodeType":1295,"data":1877,"content":1879},{"uri":1878},"https://pushsecurity.com/blog/device-code-phishing/",[1880],{"nodeType":1280,"value":1881,"marks":1882,"data":1883}," 37x increase in device code phishing attacks since the start of 2026",[],{},{"nodeType":1280,"value":1885,"marks":1886,"data":1887},", with at least 12 distinct kits now offering the technique, while established AiTM vendors like Tycoon are now adding authorization-focused options alongside their existing session token and credential harvesting capabilities. ",[],{},{"nodeType":1287,"data":1889,"content":1890},{},[1891,1895,1903],{"nodeType":1280,"value":1892,"marks":1893,"data":1894},"Device code phishing has featured heavily in ",[],{},{"nodeType":1295,"data":1896,"content":1898},{"uri":1897},"https://pushsecurity.com/blog/analyzing-the-instructure-breach/",[1899],{"nodeType":1280,"value":1900,"marks":1901,"data":1902},"ShinyHunters campaigns",[],{},{"nodeType":1280,"value":1904,"marks":1905,"data":1906}," in 2025 and 2026 along with AiTM phishing and OAuth token abuse, often paired with voice-based lure delivery that misses traditional endpoint controls (but inevitably leads the victim to a webpage in the browser where the payload is delivered). 
",[],{},"CISO data problem IB2",{"sys":1909,"__typename":1806,"title":1910,"caption":1911,"layoutMode":61,"file":1912},{"id":1724},"Precision improvements with browser telemetry.","Precision risk assessment improvements with browser telemetry.",{"url":1913,"width":1914,"height":1915},"https://images.ctfassets.net/y1cdw1ablpvd/1hpJGD6oVLcvalCTuFBia3/547b689a199b5b4ac3b2e7ddb9f3079d/blog-inline-fair-model-v4_1.png",2200,1520,"json",{},"Why modern attack data is missing in your threat analysis","2026-05-11T00:00:00.000Z",{"items":1921},[1922,2776,3557],{"__typename":1923,"sys":1924,"content":1926,"title":2754,"synopsis":2755,"hashTags":61,"publishedDate":2756,"slug":2757,"tagsCollection":2758,"authorsCollection":2768},"BlogPosts",{"id":1925},"3jF1fypt08TNlSoWuoMWhj",{"json":1927},{"nodeType":1272,"data":1928,"content":1929},{},[1930,1961,1967,1974,1980,1987,1995,2002,2005,2013,2044,2056,2059,2067,2120,2127,2150,2156,2159,2167,2198,2205,2213,2219,2222,2230,2237,2255,2262,2304,2311,2314,2322,2340,2348,2375,2398,2422,2430,2437,2444,2447,2465,2468,2476,2495,2748],{"nodeType":1287,"data":1931,"content":1932},{},[1933,1937,1945,1949,1957],{"nodeType":1280,"value":1934,"marks":1935,"data":1936},"ShinyHunters' ",[],{},{"nodeType":1295,"data":1938,"content":1940},{"uri":1939},"https://www.bleepingcomputer.com/news/security/canvas-login-portals-hacked-in-mass-shinyhunters-extortion-campaign/",[1941],{"nodeType":1280,"value":1942,"marks":1943,"data":1944},"breach of Instructure",[],{},{"nodeType":1280,"value":1946,"marks":1947,"data":1948},", the company behind Canvas (one of the most widely used learning management systems in education) has escalated rapidly over the past week, with 275 million individuals impacted across 9000 schools worldwide, ",[],{},{"nodeType":1295,"data":1950,"content":1952},{"uri":1951},"https://krebsonsecurity.com/2026/05/canvas-breach-disrupts-schools-colleges-nationwide/",[1953],{"nodeType":1280,"value":1954,"marks":1955,"data":1956},"defaced login 
portals at roughly 330 schools",[],{},{"nodeType":1280,"value":1958,"marks":1959,"data":1960},", and a public ransom deadline.",[],{},{"nodeType":1320,"data":1962,"content":1966},{"target":1963},{"sys":1964},{"id":1965,"type":1325,"linkType":1326},"2yE4PCMYADajfnhIg1IRah",[],{"nodeType":1287,"data":1968,"content":1969},{},[1970],{"nodeType":1280,"value":1971,"marks":1972,"data":1973},"The human impact is immediate and tangible: students at schools and universities have been unable to access coursework, submit assignments, or sit final exams during one of the busiest testing periods of the academic year, with some institutions sending students home with no clear timeline for when normal operations will resume — the kind of disruption usually associated with ransomware attacks. ",[],{},{"nodeType":1320,"data":1975,"content":1979},{"target":1976},{"sys":1977},{"id":1978,"type":1325,"linkType":1326},"6xVJCfjfnZCyGAe02copZ8",[],{"nodeType":1287,"data":1981,"content":1982},{},[1983],{"nodeType":1280,"value":1984,"marks":1985,"data":1986},"But the Instructure breach isn't an isolated incident. It’s the latest datapoint in a sustained series of campaigns by ShinyHunters and affiliates of the Com that has, over the past twelve months, compromised thousands of organizations across retail, technology, aviation, financial services, media, gaming, and now education. DataBreaches.net reports that the initial access at Instructure involved social engineering targeting the company's Salesforce instance, which places it squarely within the playbook that Push has been tracking across multiple blog posts since late 2025. 
",[],{},{"nodeType":1287,"data":1988,"content":1989},{},[1990],{"nodeType":1280,"value":1991,"marks":1992,"data":1994},"The specific attack vector at Instructure remains unconfirmed, but the documented arsenal of these groups narrows it down to one of three browser-based attacks behind current SLH-related campaigns.",[1993],{"type":1284},{},{"nodeType":1287,"data":1996,"content":1997},{},[1998],{"nodeType":1280,"value":1999,"marks":2000,"data":2001},"This post examines those three vectors, maps them to the confirmed campaigns and victims that illustrate each one, and explains how browser-layer detection operates at the critical point to detect and intercept these attacks before a breach occurs.",[],{},{"nodeType":1371,"data":2003,"content":2004},{},[],{"nodeType":1276,"data":2006,"content":2007},{},[2008],{"nodeType":1280,"value":2009,"marks":2010,"data":2012},"The Com in 2026: a distributed criminal collective",[2011],{"type":1284},{},{"nodeType":1287,"data":2014,"content":2015},{},[2016,2020,2028,2032,2040],{"nodeType":1280,"value":2017,"marks":2018,"data":2019},"To understand the context behind the Instructure breach, it helps to understand the threat ecosystem behind it. ShinyHunters operates within the SLH (Scattered Lapsus$ Hunters) collective — itself part of the Com, a broader community of English-speaking cybercriminals with international criminal affiliations who collaborate across phishing, initial access, data theft, and extortion operations. 
The SLH connection traces through a merger of Scattered Spider, Lapsus$, and ShinyHunters, but the Com extends further: groups like",[],{},{"nodeType":1295,"data":2021,"content":2023},{"uri":2022},"https://www.crowdstrike.com/en-us/blog/defending-against-cordial-spider-and-snarky-spider-with-falcon-shield/",[2024],{"nodeType":1280,"value":2025,"marks":2026,"data":2027}," Cordial Spider and Snarky Spider",[],{},{"nodeType":1280,"value":2029,"marks":2030,"data":2031},", which CrowdStrike",[],{},{"nodeType":1295,"data":2033,"content":2035},{"uri":2034},"https://cyberscoop.com/crowdstrike-cordial-spider-snarky-spider-extortion-attacks/",[2036],{"nodeType":1280,"value":2037,"marks":2038,"data":2039}," characterizes as the new generation of Scattered Spider",[],{},{"nodeType":1280,"value":2041,"marks":2042,"data":2043},", are Com members running their own parallel campaigns, even if they are not confirmed as part of the SLH collective itself.",[],{},{"nodeType":1287,"data":2045,"content":2046},{},[2047,2051],{"nodeType":1280,"value":2048,"marks":2049,"data":2050},"The result is something closer to a distributed collective than a single coordinated group, with several independently operating clusters running parallel campaigns against different target sectors within a compressed timeframe. 
",[],{},{"nodeType":1280,"value":2052,"marks":2053,"data":2055},"What connects them isn't infrastructure or coordination, but a shared understanding of where the structural weakness lies in modern business IT, and a common playbook of browser-based attack techniques that exploit it.",[2054],{"type":1284},{},{"nodeType":1371,"data":2057,"content":2058},{},[],{"nodeType":1276,"data":2060,"content":2061},{},[2062],{"nodeType":1280,"value":2063,"marks":2064,"data":2066},"Vector 1: Vishing combined with AiTM phishing",[2065],{"type":1284},{},{"nodeType":1287,"data":2068,"content":2069},{},[2070,2074,2082,2086,2093,2097,2105,2109,2117],{"nodeType":1280,"value":2071,"marks":2072,"data":2073},"The most visible campaign right now pairs targeted voice calls with adversary-in-the-middle phishing pages — an approach that",[],{},{"nodeType":1295,"data":2075,"content":2077},{"uri":2076},"https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft",[2078],{"nodeType":1280,"value":2079,"marks":2080,"data":2081}," Mandiant",[],{},{"nodeType":1280,"value":2083,"marks":2084,"data":2085},",",[],{},{"nodeType":1295,"data":2087,"content":2088},{"uri":2022},[2089],{"nodeType":1280,"value":2090,"marks":2091,"data":2092}," CrowdStrike",[],{},{"nodeType":1280,"value":2094,"marks":2095,"data":2096},", and",[],{},{"nodeType":1295,"data":2098,"content":2100},{"uri":2099},"https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-03-12-Vishing-Campaigns-Lead-to-Data-Theft-and-Extortion.txt",[2101],{"nodeType":1280,"value":2102,"marks":2103,"data":2104}," Unit 42",[],{},{"nodeType":1280,"value":2106,"marks":2107,"data":2108}," have all documented from the incident response side, and which Push has",[],{},{"nodeType":1295,"data":2110,"content":2112},{"uri":2111},"https://pushsecurity.com/blog/inside-criminal-phishing-panel/",[2113],{"nodeType":1280,"value":2114,"marks":2115,"data":2116}," documented from inside the attacker's own operator 
panels",[],{},{"nodeType":1280,"value":1367,"marks":2118,"data":2119},[],{},{"nodeType":1287,"data":2121,"content":2122},{},[2123],{"nodeType":1280,"value":2124,"marks":2125,"data":2126},"An attacker impersonating IT support calls the target employee, establishes urgency — often citing a \"mandatory passkey rollout\" or a \"security compliance update\" — and directs them to a victim-branded AiTM phishing page (typically at a domain like \u003Ccompany>sso.com or \u003Ccompany>internal.com). The attack is processed by a live human in real time, relaying credentials and MFA codes to the legitimate identity provider as they are entered, capturing the resulting session token, and granting the attacker an authenticated session. ",[],{},{"nodeType":1287,"data":2128,"content":2129},{},[2130,2134,2141,2145],{"nodeType":1280,"value":2131,"marks":2132,"data":2133},"One of the reasons that this method is becoming so widespread is the commoditization of effective tools. Push's ",[],{},{"nodeType":1295,"data":2135,"content":2136},{"uri":2111},[2137],{"nodeType":1280,"value":2138,"marks":2139,"data":2140},"infiltration of the criminal phishing panels",[],{},{"nodeType":1280,"value":2142,"marks":2143,"data":2144}," identified over 400 linked domains across four distinct infrastructure clusters. 
",[],{},{"nodeType":1280,"value":2146,"marks":2147,"data":2149},"This mirrors the pattern that turned AiTM phishing from a specialist capability into an industrialized market with competing PhaaS platforms, but with the added complication that voice phishing as the delivery vector makes the attack invisible to traditional anti-phishing controls at the email layer.",[2148],{"type":1284},{},{"nodeType":1320,"data":2151,"content":2155},{"target":2152},{"sys":2153},{"id":2154,"type":1325,"linkType":1326},"1Yhthl0PILGW7EmCcZUrNv",[],{"nodeType":1371,"data":2157,"content":2158},{},[],{"nodeType":1276,"data":2160,"content":2161},{},[2162],{"nodeType":1280,"value":2163,"marks":2164,"data":2166},"Vector 2: Vishing combined with device code phishing",[2165],{"type":1284},{},{"nodeType":1287,"data":2168,"content":2169},{},[2170,2174,2182,2186,2194],{"nodeType":1280,"value":2171,"marks":2172,"data":2173},"The",[],{},{"nodeType":1295,"data":2175,"content":2177},{"uri":2176},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[2178],{"nodeType":1280,"value":2179,"marks":2180,"data":2181}," ShinyHunters Salesforce campaign",[],{},{"nodeType":1280,"value":2183,"marks":2184,"data":2185}," that ran through 2025 and into 2026 used device code phishing as one of its core methods,",[],{},{"nodeType":1295,"data":2187,"content":2189},{"uri":2188},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[2190],{"nodeType":1280,"value":2191,"marks":2192,"data":2193}," compromising over 1,000 organizations and claiming 1.5 billion stolen records",[],{},{"nodeType":1280,"value":2195,"marks":2196,"data":2197}," — including an attempted extortion of Salesforce itself. 
The attack involved registering an attacker-controlled \"DataLoader\" application mimicking a legitimate Salesforce tool, configuring it to request broad OAuth scopes including full API access and refresh token generation, and guiding victims through the device authorization flow via vishing calls.",[],{},{"nodeType":1287,"data":2199,"content":2200},{},[2201],{"nodeType":1280,"value":2202,"marks":2203,"data":2204},"Device code phishing exploits the OAuth 2.0 device authorization grant — a flow designed for devices without browsers, like smart TVs, but used in a wide range of scenarios including CLI logins — by tricking users into entering a code on Microsoft's (or another identity provider's) legitimate verification page. Since the victim is usually signed into the app in their browser, there’s no login at all. They simply navigate to the app’s device code login page and enter an attacker-provided code to grant the attacker an access token. ",[],{},{"nodeType":1287,"data":2206,"content":2207},{},[2208],{"nodeType":1280,"value":2209,"marks":2210,"data":2212},"This is what makes device code phishing structurally different from AiTM: it defeats all MFA (including passkeys) because the attack doesn’t target the login, but the authorization layer instead.",[2211],{"type":1284},{},{"nodeType":1320,"data":2214,"content":2218},{"target":2215},{"sys":2216},{"id":2217,"type":1325,"linkType":1326},"3ElQz8sLATnR8RY5nVlBGM",[],{"nodeType":1371,"data":2220,"content":2221},{},[],{"nodeType":1276,"data":2223,"content":2224},{},[2225],{"nodeType":1280,"value":2226,"marks":2227,"data":2229},"Vector 3: OAuth supply chain attacks through compromised integrators",[2228],{"type":1284},{},{"nodeType":1287,"data":2231,"content":2232},{},[2233],{"nodeType":1280,"value":2234,"marks":2235,"data":2236},"The third vector does not require the attacker to phish the victim organization's employees at all. 
Instead, it exploits the OAuth trust relationships that organizations create when they connect third-party SaaS vendors into their environments — and the consequence is that every organization that authorized one of these integrations effectively extended its security boundary to include the vendor's own security posture.",[],{},{"nodeType":1287,"data":2238,"content":2239},{},[2240,2243,2251],{"nodeType":1280,"value":2171,"marks":2241,"data":2242},[],{},{"nodeType":1295,"data":2244,"content":2246},{"uri":2245},"https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift",[2247],{"nodeType":1280,"value":2248,"marks":2249,"data":2250}," Salesloft/Drift supply chain attack",[],{},{"nodeType":1280,"value":2252,"marks":2253,"data":2254}," demonstrated this at scale in 2025: in an extension of the previously mentioned device code phishing campaign, the attacker compromised Salesloft's GitHub environment, used TruffleHog to find secrets, stole Drift OAuth tokens, and used them to access downstream Salesforce environments. The same pattern was later repeated at Gainsight. ",[],{},{"nodeType":1287,"data":2256,"content":2257},{},[2258],{"nodeType":1280,"value":2259,"marks":2260,"data":2261},"Taken together with the previously mentioned device code phishing attacks, more than 1000 organizations were breached. 
The attackers then harvested AWS keys, Snowflake credentials, and stored passwords from breached Salesforce instances, compounding the access into progressively wider reach.",[],{},{"nodeType":1287,"data":2263,"content":2264},{},[2265,2269,2277,2281,2289,2293,2300],{"nodeType":1280,"value":2266,"marks":2267,"data":2268},"The same structural pattern has continued into 2026 with the Anodot supply chain compromise, which has produced confirmed breaches at",[],{},{"nodeType":1295,"data":2270,"content":2272},{"uri":2271},"https://www.bleepingcomputer.com/news/security/vimeo-data-breach-exposes-personal-information-of-119-000-people/",[2273],{"nodeType":1280,"value":2274,"marks":2275,"data":2276}," Vimeo",[],{},{"nodeType":1280,"value":2278,"marks":2279,"data":2280}," (119,000 users), Rockstar Games (78.6 million records), and",[],{},{"nodeType":1295,"data":2282,"content":2284},{"uri":2283},"https://www.bleepingcomputer.com/news/security/zara-data-breach-exposed-personal-information-of-197-000-people/",[2285],{"nodeType":1280,"value":2286,"marks":2287,"data":2288}," Zara/Inditex",[],{},{"nodeType":1280,"value":2290,"marks":2291,"data":2292}," (197,000 people), with further downstream victims likely still emerging. The",[],{},{"nodeType":1295,"data":2294,"content":2295},{"uri":1559},[2296],{"nodeType":1280,"value":2297,"marks":2298,"data":2299}," Vercel breach",[],{},{"nodeType":1280,"value":2301,"marks":2302,"data":2303},", which involved compromised OAuth tokens from Context.ai cascading into Google Workspace, reinforces the same attack pattern (though it was likely not a ShinyHunters operation despite being claimed by someone pretending to be them).",[],{},{"nodeType":1287,"data":2305,"content":2306},{},[2307],{"nodeType":1280,"value":2308,"marks":2309,"data":2310},"A forgotten SaaS integration can easily become the pivot point for downstream compromise. 
The moment you authorize a third-party integration, your security boundary extends to include that vendor. If the third party is compromised, every downstream customer organization with an active integration is exposed.",[],{},{"nodeType":1371,"data":2312,"content":2313},{},[],{"nodeType":1276,"data":2315,"content":2316},{},[2317],{"nodeType":1280,"value":2318,"marks":2319,"data":2321},"These attacks all happen in the browser",[2320],{"type":1284},{},{"nodeType":1287,"data":2323,"content":2324},{},[2325,2329,2336],{"nodeType":1280,"value":2326,"marks":2327,"data":2328},"Every one of these attack chains is a browser-based attack that either occurs in the browser (AiTM phishing, device code phishing) or could have been prevented at the browser layer (OAuth consent governance). The techniques are interchangeable — the",[],{},{"nodeType":1295,"data":2330,"content":2331},{"uri":1878},[2332],{"nodeType":1280,"value":2333,"marks":2334,"data":2335}," same criminal kits now offer AiTM and device code phishing side by side",[],{},{"nodeType":1280,"value":2337,"marks":2338,"data":2339},", and the same threat actor (ShinyHunters) has used all three vectors across different campaigns within the same twelve-month period.",[],{},{"nodeType":1543,"data":2341,"content":2342},{},[2343],{"nodeType":1280,"value":2344,"marks":2345,"data":2347},"How Push can help",[2346],{"type":1284},{},{"nodeType":1287,"data":2349,"content":2350},{},[2351,2355,2360,2364,2371],{"nodeType":1280,"value":2352,"marks":2353,"data":2354},"Push operates at the exact point in each of these attack chains where automated intervention can still prevent the compromise. 
",[],{},{"nodeType":1280,"value":2356,"marks":2357,"data":2359},"For vishing + AiTM attacks, ",[2358],{"type":1284},{},{"nodeType":1280,"value":2361,"marks":2362,"data":2363},"Push's",[],{},{"nodeType":1295,"data":2365,"content":2366},{"uri":2111},[2367],{"nodeType":1280,"value":2368,"marks":2369,"data":2370}," behavioral phishing detection",[],{},{"nodeType":1280,"value":2372,"marks":2373,"data":2374}," analyzes and blocks the phishing page in real time by detecting it from the user's browser — regardless of the domains used, hosting infrastructure, or where the URL was delivered.  ",[],{},{"nodeType":1287,"data":2376,"content":2377},{},[2378,2383,2387,2394],{"nodeType":1280,"value":2379,"marks":2380,"data":2382},"For device code phishing,",[2381],{"type":1284},{},{"nodeType":1280,"value":2384,"marks":2385,"data":2386}," Push first detects the phishing pages associated with ",[],{},{"nodeType":1295,"data":2388,"content":2389},{"uri":1878},[2390],{"nodeType":1280,"value":2391,"marks":2392,"data":2393},"device code phishing kits",[],{},{"nodeType":1280,"value":2395,"marks":2396,"data":2397}," — including generic, technique-class detections that catch new kits without requiring kit-specific signatures. Second, Push provides an additional layer of protection on the legitimate device code authentication pages themselves, preventing users from entering attacker-supplied codes into them. 
Together, these detections cover both the kit-operated phishing infrastructure and the legitimate auth pages that the attack flow depends on.",[],{},{"nodeType":1287,"data":2399,"content":2400},{},[2401,2406,2410,2418],{"nodeType":1280,"value":2402,"marks":2403,"data":2405},"For OAuth supply chain attacks,",[2404],{"type":1284},{},{"nodeType":1280,"value":2407,"marks":2408,"data":2409}," Push ",[],{},{"nodeType":1295,"data":2411,"content":2413},{"uri":2412},"https://site.dev.pushsecurity.com/contentful-preview/?blogSlug=analyzing-the-instructure-breach",[2414],{"nodeType":1280,"value":2415,"marks":2416,"data":2417},"detects and controls OAuth consent flows",[],{},{"nodeType":1280,"value":2419,"marks":2420,"data":2421}," at the browser layer — capturing which application is requesting access, what scopes it's requesting, and whether the grant should be permitted under organizational policy. Push customers can also block OAuth connection requests as they transit the browser, enabling security teams to stop unwanted integrations being added in the first place. ",[],{},{"nodeType":1543,"data":2423,"content":2424},{},[2425],{"nodeType":1280,"value":2426,"marks":2427,"data":2429},"Closing thoughts",[2428],{"type":1284},{},{"nodeType":1287,"data":2431,"content":2432},{},[2433],{"nodeType":1280,"value":2434,"marks":2435,"data":2436},"The Instructure breach — and its real-world impact on students, teachers, and families — will produce more details as the investigation progresses, and those details will almost certainly map to one of these three vectors. But the defensive strategy doesn't need to wait for confirmation, because all three converge on the same control point: the browser, where the attack begins or the integration decision is made. 
",[],{},{"nodeType":1287,"data":2438,"content":2439},{},[2440],{"nodeType":1280,"value":2441,"marks":2442,"data":2443},"Organizations with browser-layer detection and OAuth controls in place have defense-in-depth against the full range of techniques that modern threat groups like ShinyHunters employ, regardless of the specific vector any given campaign uses.",[],{},{"nodeType":1371,"data":2445,"content":2446},{},[],{"nodeType":1287,"data":2448,"content":2449},{},[2450,2454,2462],{"nodeType":1280,"value":2451,"marks":2452,"data":2453},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required. Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",[],{},{"nodeType":1295,"data":2455,"content":2457},{"uri":2456},"https://pushsecurity.com/demo/",[2458],{"nodeType":1280,"value":2459,"marks":2460,"data":2461}," Book a live demo to learn more.",[],{},{"nodeType":1280,"value":29,"marks":2463,"data":2464},[],{},{"nodeType":1371,"data":2466,"content":2467},{},[],{"nodeType":1276,"data":2469,"content":2470},{},[2471],{"nodeType":1280,"value":2472,"marks":2473,"data":2475},"Appendix: named ShinyHunters victims since May 2025",[2474],{"type":1284},{},{"nodeType":1287,"data":2477,"content":2478},{},[2479,2483,2491],{"nodeType":1280,"value":2480,"marks":2481,"data":2482},"To give an indication of the scale, the following table documents all publicly named victims attributed to ShinyHunters specifically since the Salesforce campaign began in May 2025. 
It is not exhaustive: ShinyHunters has claimed over 1,000 organizations in aggregate across its Salesforce campaigns alone, and many victims have not been publicly named. This list also doesn’t include the billion-plus records compromised in the 2024 Snowflake breaches. The major ransomware attacks executed against M&S, Co-op, and Jaguar Land Rover claimed by the ",[],{},{"nodeType":1295,"data":2484,"content":2486},{"uri":2485},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[2487],{"nodeType":1280,"value":2488,"marks":2489,"data":2490},"Scattered Lapsus$ Hunters \"brand\"",[],{},{"nodeType":1280,"value":2492,"marks":2493,"data":2494}," also aren't listed below. ",[],{},{"nodeType":2496,"data":2497,"content":2498},"table",{},[2499,2548,2605,2653,2701],{"nodeType":2500,"data":2501,"content":2502},"table-row",{},[2503,2515,2526,2537],{"nodeType":2504,"data":2505,"content":2506},"table-cell",{},[2507],{"nodeType":1287,"data":2508,"content":2509},{},[2510],{"nodeType":1280,"value":2511,"marks":2512,"data":2514},"Campaign",[2513],{"type":1284},{},{"nodeType":2504,"data":2516,"content":2517},{},[2518],{"nodeType":1287,"data":2519,"content":2520},{},[2521],{"nodeType":1280,"value":2522,"marks":2523,"data":2525},"Began",[2524],{"type":1284},{},{"nodeType":2504,"data":2527,"content":2528},{},[2529],{"nodeType":1287,"data":2530,"content":2531},{},[2532],{"nodeType":1280,"value":2533,"marks":2534,"data":2536},"Named victims",[2535],{"type":1284},{},{"nodeType":2504,"data":2538,"content":2539},{},[2540],{"nodeType":1287,"data":2541,"content":2542},{},[2543],{"nodeType":1280,"value":2544,"marks":2545,"data":2547},"Confirmed impact",[2546],{"type":1284},{},{"nodeType":2500,"data":2549,"content":2550},{},[2551,2575,2585,2595],{"nodeType":2504,"data":2552,"content":2553},{},[2554],{"nodeType":1287,"data":2555,"content":2556},{},[2557,2562,2566,2571],{"nodeType":1280,"value":2558,"marks":2559,"data":2561},"ShinyHunters Salesforce 
Vishing",[2560],{"type":1284},{},{"nodeType":1280,"value":2563,"marks":2564,"data":2565}," (vishing + device code phishing → Salesforce connected app authorization) \n\n& ",[],{},{"nodeType":1280,"value":2567,"marks":2568,"data":2570},"Salesloft/Drift Supply Chain",[2569],{"type":1284},{},{"nodeType":1280,"value":2572,"marks":2573,"data":2574}," (stolen OAuth tokens → downstream Salesforce access)",[],{},{"nodeType":2504,"data":2576,"content":2577},{},[2578],{"nodeType":1287,"data":2579,"content":2580},{},[2581],{"nodeType":1280,"value":2582,"marks":2583,"data":2584},"May 2025",[],{},{"nodeType":2504,"data":2586,"content":2587},{},[2588],{"nodeType":1287,"data":2589,"content":2590},{},[2591],{"nodeType":1280,"value":2592,"marks":2593,"data":2594},"Coca-Cola Europacific Partners, Cisco, Qantas, LVMH, Adidas, Google, Chanel, Pandora, Allianz Life, Air France-KLM, Farmers Insurance, Workday, TransUnion, Stellantis, Kering, Odido, Hallmark, Salesloft (origin), Toast, Avalara, Fastly, Cato Networks, Cloudflare, Palo Alto Networks, Zscaler, Tenable, Elastic, JFrog, CyberArk, Rubrik, BeyondTrust, Proofpoint, Workiva, Mercer Advisors, Beacon Pointe, Ameriprise, Kemper, Udemy, 7-Eleven, Mytheresa, Marcus & Millichap, Carnival, Pitney Bowes, Alert 360, Amtrak, McGraw-Hill, Canada Life",[],{},{"nodeType":2504,"data":2596,"content":2597},{},[2598],{"nodeType":1287,"data":2599,"content":2600},{},[2601],{"nodeType":1280,"value":2602,"marks":2603,"data":2604},"48 named victims. Confirmed individual impact includes 23M+ records (Coca-Cola), 5.7M records (Qantas), 6.2M customers (Odido), 4.4M consumers (TransUnion), up to 18M records (Stellantis), 13.5M emails (McGraw-Hill), 8.2M emails (Pitney Bowes), 7.5M emails (Carnival). 
ShinyHunters claims 1.5B+ Salesforce records across 1,000+ organizations total.",[],{},{"nodeType":2500,"data":2606,"content":2607},{},[2608,2623,2633,2643],{"nodeType":2504,"data":2609,"content":2610},{},[2611],{"nodeType":1287,"data":2612,"content":2613},{},[2614,2619],{"nodeType":1280,"value":2615,"marks":2616,"data":2618},"Vishing + AiTM SSO",[2617],{"type":1284},{},{"nodeType":1280,"value":2620,"marks":2621,"data":2622}," (vishing → AiTM phishing page → SSO session capture → SaaS data exfiltration)",[],{},{"nodeType":2504,"data":2624,"content":2625},{},[2626],{"nodeType":1287,"data":2627,"content":2628},{},[2629],{"nodeType":1280,"value":2630,"marks":2631,"data":2632},"Aug 2025",[],{},{"nodeType":2504,"data":2634,"content":2635},{},[2636],{"nodeType":1287,"data":2637,"content":2638},{},[2639],{"nodeType":1280,"value":2640,"marks":2641,"data":2642},"SoundCloud, GrubHub, Panera Bread, Match Group, Crunchbase, Betterment, CarMax, Edmunds, CarGurus, Hims & Hers, University of Pennsylvania, Harvard University, Optimizely, TELUS Digital, Crunchyroll, ADT",[],{},{"nodeType":2504,"data":2644,"content":2645},{},[2646],{"nodeType":1287,"data":2647,"content":2648},{},[2649],{"nodeType":1280,"value":2650,"marks":2651,"data":2652},"16 named victims. 
Confirmed individual impact includes ~30M records (SoundCloud), ~14M records (Panera), 10M+ records (Match Group), ~20M records (Betterment), 5.5M people (ADT), 1M+ records (UPenn), ~1PB stolen from TELUS Digital ($65M ransom refused).",[],{},{"nodeType":2500,"data":2654,"content":2655},{},[2656,2671,2681,2691],{"nodeType":2504,"data":2657,"content":2658},{},[2659],{"nodeType":1287,"data":2660,"content":2661},{},[2662,2667],{"nodeType":1280,"value":2663,"marks":2664,"data":2666},"Anodot Supply Chain",[2665],{"type":1284},{},{"nodeType":1280,"value":2668,"marks":2669,"data":2670}," (stolen OAuth tokens → downstream Snowflake/BigQuery access)",[],{},{"nodeType":2504,"data":2672,"content":2673},{},[2674],{"nodeType":1287,"data":2675,"content":2676},{},[2677],{"nodeType":1280,"value":2678,"marks":2679,"data":2680},"Apr 2026",[],{},{"nodeType":2504,"data":2682,"content":2683},{},[2684],{"nodeType":1287,"data":2685,"content":2686},{},[2687],{"nodeType":1280,"value":2688,"marks":2689,"data":2690},"Anodot/Glassbox (origin), Rockstar Games, Vimeo, Zara/Inditex",[],{},{"nodeType":2504,"data":2692,"content":2693},{},[2694],{"nodeType":1287,"data":2695,"content":2696},{},[2697],{"nodeType":1280,"value":2698,"marks":2699,"data":2700},"4 named victims (12+ total claimed). 78.6M records (Rockstar Games), 197K individuals (Zara), 119K individuals (Vimeo).",[],{},{"nodeType":2500,"data":2702,"content":2703},{},[2704,2719,2728,2738],{"nodeType":2504,"data":2705,"content":2706},{},[2707],{"nodeType":1287,"data":2708,"content":2709},{},[2710,2715],{"nodeType":1280,"value":2711,"marks":2712,"data":2714},"Other SLH-attributed",[2713],{"type":1284},{},{"nodeType":1280,"value":2716,"marks":2717,"data":2718}," (misc. 
vectors including infostealer chains, CI/CD supply chain, SaaS platform compromise)",[],{},{"nodeType":2504,"data":2720,"content":2721},{},[2722],{"nodeType":1287,"data":2723,"content":2724},{},[2725],{"nodeType":1280,"value":2582,"marks":2726,"data":2727},[],{},{"nodeType":2504,"data":2729,"content":2730},{},[2731],{"nodeType":1287,"data":2732,"content":2733},{},[2734],{"nodeType":1280,"value":2735,"marks":2736,"data":2737},"UK Legal Aid Agency, Mixpanel, Wynn Resorts, Woflow, Vercel, European Commission, Mercor, Medtronic, Instructure",[],{},{"nodeType":2504,"data":2739,"content":2740},{},[2741],{"nodeType":1287,"data":2742,"content":2743},{},[2744],{"nodeType":1280,"value":2745,"marks":2746,"data":2747},"10 named victims across varied vectors. Notable: Vercel (Lumma Stealer → Context.ai OAuth app → Google Workspace), European Commission (poisoned Trivy GitHub Action → 340GB across 71 EU entities)",[],{},{"nodeType":1287,"data":2749,"content":2750},{},[2751],{"nodeType":1280,"value":29,"marks":2752,"data":2753},[],{},"Analyzing the Instructure breach: The three attack techniques behind ShinyHunters' 2026 campaigns ","ShinyHunters' breach of Instructure is the latest in a long series of attacks. Here's our view of the big picture. 
","2026-05-08T00:00:00.000Z","analyzing-the-instructure-breach",{"items":2759},[2760,2764],{"sys":2761,"name":2763},{"id":2762},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":2765,"name":2767},{"id":2766},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":2769},[2770],{"fullName":2771,"firstName":2772,"jobTitle":2773,"profilePicture":2774},"Dan Green","Dan","Threat Research",{"url":2775},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1923,"sys":2777,"content":2779,"title":3543,"synopsis":3544,"hashTags":61,"publishedDate":3545,"slug":3546,"tagsCollection":3547,"authorsCollection":3553},{"id":2778},"Lq2AFQ8VG2rMEe4h2CYuH",{"json":2780},{"nodeType":1272,"data":2781,"content":2782},{},[2783,2811,2844,2851,2857,2860,2868,2875,2881,2900,2907,2915,2935,2951,2958,2965,2968,2976,2983,2990,3055,3062,3068,3076,3088,3095,3102,3108,3116,3123,3130,3137,3144,3150,3158,3165,3251,3257,3260,3268,3275,3291,3298,3305,3311,3331,3334,3342,3349,3355,3374,3381,3388,3394,3397,3404,3411,3418,3424,3431,3437,3443,3468,3474,3486,3493,3500],{"nodeType":1287,"data":2784,"content":2785},{},[2786,2790,2798,2802,2807],{"nodeType":1280,"value":2787,"marks":2788,"data":2789},"This week, a user going by the name of “ShinyHunters” (though allegedly not ",[],{},{"nodeType":1295,"data":2791,"content":2792},{"uri":2485},[2793],{"nodeType":1280,"value":2794,"marks":2795,"data":2797},"actual ShinyHunters",[2796],{"type":1412},{},{"nodeType":1280,"value":2799,"marks":2800,"data":2801},", but someone imitating them in an attempt to trade off their credibility) posted on a breach forum claiming access keys, source code, and database data stolen from cloud development platform provider ",[],{},{"nodeType":1280,"value":2803,"marks":2804,"data":2806},"Vercel",[2805],{"type":1284},{},{"nodeType":1280,"value":2808,"marks":2809,"data":2810},". 
",[],{},{"nodeType":1287,"data":2812,"content":2813},{},[2814,2818,2827,2831,2840],{"nodeType":1280,"value":2815,"marks":2816,"data":2817},"This happened because a Vercel employee had connected an AI app, Context.ai, into their Google Workspace tenant. When Context.ai was compromised — ",[],{},{"nodeType":1295,"data":2819,"content":2821},{"uri":2820},"https://www.infostealers.com/article/breaking-vercel-breach-linked-to-infostealer-infection-at-context-ai/",[2822],{"nodeType":1280,"value":2823,"marks":2824,"data":2826},"allegedly the result of an infostealer infection from an employee searching for Roblox cheats",[2825],{"type":1412},{},{"nodeType":1280,"value":2828,"marks":2829,"data":2830}," — the attacker was able to leverage OAuth tokens stored in Context.ai’s Supabase platform to access downstream customer accounts (pointing to a heavily permissioned victim, probably a developer, possibly even a ",[],{},{"nodeType":1295,"data":2832,"content":2834},{"uri":2833},"https://pushsecurity.com/blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches/",[2835],{"nodeType":1280,"value":2836,"marks":2837,"data":2839},"personal device with access to corp credentials",[2838],{"type":1412},{},{"nodeType":1280,"value":2841,"marks":2842,"data":2843},"). ",[],{},{"nodeType":1287,"data":2845,"content":2846},{},[2847],{"nodeType":1280,"value":2848,"marks":2849,"data":2850},"This access included a Vercel employee’s Google Workspace account. This particular user had significant access to data and secrets in Vercel’s systems, including internal dashboards, employee records, API keys, NPM tokens, and GitHub tokens, which the attacker was able to exfiltrate, holding Vercel to ransom for $2 million. 
",[],{},{"nodeType":1320,"data":2852,"content":2856},{"target":2853},{"sys":2854},{"id":2855,"type":1325,"linkType":1326},"6Ft8aSnzfYVZ7j57mYeXgQ",[],{"nodeType":1371,"data":2858,"content":2859},{},[],{"nodeType":1276,"data":2861,"content":2862},{},[2863],{"nodeType":1280,"value":2864,"marks":2865,"data":2867},"How did this happen, and what could have stopped it?",[2866],{"type":1284},{},{"nodeType":1287,"data":2869,"content":2870},{},[2871],{"nodeType":1280,"value":2872,"marks":2873,"data":2874},"From Vercel’s perspective, this attack could have been avoided had their employees been blocked from adding new OAuth integrations without admin approval (a toggle in their Google admin panel, and an essential control in a well-configured environment). Or, if the integration had been flagged in a routine audit and removed. ",[],{},{"nodeType":1320,"data":2876,"content":2880},{"target":2877},{"sys":2878},{"id":2879,"type":1325,"linkType":1326},"b5HFvY1m6RnuXL3a95jVt",[],{"nodeType":1287,"data":2882,"content":2883},{},[2884,2888,2896],{"nodeType":1280,"value":2885,"marks":2886,"data":2887},"It probably should have been removed, too. The particular OAuth app that was connected into the environment was a deprecated “AI Office Suite” product intended for consumer use. ",[],{},{"nodeType":1295,"data":2889,"content":2891},{"uri":2890},"https://context.ai/security-update",[2892],{"nodeType":1280,"value":2893,"marks":2894,"data":2895},"According to Context.ai",[],{},{"nodeType":1280,"value":2897,"marks":2898,"data":2899},", Vercel aren’t even a registered customer — adding more evidence that this was probably the result of a self-service trial that was subsequently forgotten about. That consumer product has also since been replaced by an enterprise product. But for whatever reason, the access hadn’t been revoked (from either side). 
",[],{},{"nodeType":1287,"data":2901,"content":2902},{},[2903],{"nodeType":1280,"value":2904,"marks":2905,"data":2906},"The elephant in the room is that Context.ai is an AI app. Most organizations are rightly nervous about employees adding unapproved AI SaaS into their environment. Having employees use shadow AI in the form of LLMs is one thing — users uploading sensitive data to unapproved apps or external tenants being the key concern. But OAuth grants are even more dangerous. Because if that app or vendor is compromised, the apps and accounts you’ve integrated it with are also at risk — which is what was exploited here. ",[],{},{"nodeType":1543,"data":2908,"content":2909},{},[2910],{"nodeType":1280,"value":2911,"marks":2912,"data":2914},"Where’s the fault?",[2913],{"type":1284},{},{"nodeType":1287,"data":2916,"content":2917},{},[2918,2922,2931],{"nodeType":1280,"value":2919,"marks":2920,"data":2921},"It’s easy to point fingers here. There are multiple control gaps and failures for both parties. Vercel should have disabled OAuth grants without admin approval, and regularly audited the connections in their environment. From a vendor's perspective, they could have also default applied a control that ",[],{},{"nodeType":1295,"data":2923,"content":2925},{"uri":2924},"https://vercel.com/kb/bulletin/vercel-april-2026-security-incident",[2926],{"nodeType":1280,"value":2927,"marks":2928,"data":2930},"prevents secret environment variables from being read",[2929],{"type":1412},{},{"nodeType":1280,"value":2932,"marks":2933,"data":2934}," — which would have significantly reduced the impact to Vercel customers from the data breach. ",[],{},{"nodeType":1287,"data":2936,"content":2937},{},[2938,2942,2947],{"nodeType":1280,"value":2939,"marks":2940,"data":2941},"Context.ai comes off worse. They could and should have had better separation of accounts and privileges — and if true, their users really shouldn’t be downloading Roblox scripts on devices they use for work access. 
It’s important to say ",[],{},{"nodeType":1280,"value":2943,"marks":2944,"data":2946},"if true",[2945],{"type":275},{},{"nodeType":1280,"value":2948,"marks":2949,"data":2950}," here, but the prospect of third parties accessing your environment from insecure devices that they use for gaming is the stuff of nightmares for enterprise security and compliance teams.",[],{},{"nodeType":1287,"data":2952,"content":2953},{},[2954],{"nodeType":1280,"value":2955,"marks":2956,"data":2957},"You definitely don’t want to be Context.ai in this scenario. The reputational harm could be pretty significant, and is a wake-up call for other SaaS vendors to check that their house is in order. But although Vercel have responded quickly and transparently to the incident, this could only really have happened as a result of technical and procedural control gaps on their end.",[],{},{"nodeType":1287,"data":2959,"content":2960},{},[2961],{"nodeType":1280,"value":2962,"marks":2963,"data":2964},"It’s worth taking a step back and looking at the bigger picture here — and how these issues might impact your organization too. ",[],{},{"nodeType":1371,"data":2966,"content":2967},{},[],{"nodeType":1276,"data":2969,"content":2970},{},[2971],{"nodeType":1280,"value":2972,"marks":2973,"data":2975},"Shadow AI is still just shadow SaaS – but the AI scramble is a force multiplier",[2974],{"type":1284},{},{"nodeType":1287,"data":2977,"content":2978},{},[2979],{"nodeType":1280,"value":2980,"marks":2981,"data":2982},"Shadow IT, and in particular shadow SaaS, is not a new problem. Most organizations run heavily (or exclusively) on SaaS, accessed in the browser, with hundreds of apps per enterprise. Unmanaged, self-adopted apps have been a thorn in the side of security teams for some time. 
",[],{},{"nodeType":1287,"data":2984,"content":2985},{},[2986],{"nodeType":1280,"value":2987,"marks":2988,"data":2989},"There are essentially four kinds of shadow IT to be wary of in the context of AI apps:",[],{},{"nodeType":2991,"data":2992,"content":2993},"unordered-list",{},[2994,3010,3025,3040],{"nodeType":2995,"data":2996,"content":2997},"list-item",{},[2998],{"nodeType":1287,"data":2999,"content":3000},{},[3001,3006],{"nodeType":1280,"value":3002,"marks":3003,"data":3005},"Shadow apps:",[3004],{"type":1284},{},{"nodeType":1280,"value":3007,"marks":3008,"data":3009}," Apps that employees have signed up to and are using for business purposes without business approval. This includes apps signed up to with a corporate account or personal account. ",[],{},{"nodeType":2995,"data":3011,"content":3012},{},[3013],{"nodeType":1287,"data":3014,"content":3015},{},[3016,3021],{"nodeType":1280,"value":3017,"marks":3018,"data":3020},"Shadow tenants:",[3019],{"type":1284},{},{"nodeType":1280,"value":3022,"marks":3023,"data":3024}," Apps that employees are accessing with personal accounts, essentially creating shadow tenants outside of your organization’s control — even if you’ve approved the app itself.",[],{},{"nodeType":2995,"data":3026,"content":3027},{},[3028],{"nodeType":1287,"data":3029,"content":3030},{},[3031,3036],{"nodeType":1280,"value":3032,"marks":3033,"data":3035},"Shadow extensions:",[3034],{"type":1284},{},{"nodeType":1280,"value":3037,"marks":3038,"data":3039}," Many AI apps come with an extension counterpart, along with countless third-party extensions that are either untrustworthy or downright malicious. Browser extensions add another angle to the equation by presenting visibility beyond the application into browser activity. 
",[],{},{"nodeType":2995,"data":3041,"content":3042},{},[3043],{"nodeType":1287,"data":3044,"content":3045},{},[3046,3051],{"nodeType":1280,"value":3047,"marks":3048,"data":3050},"Shadow integrations:",[3049],{"type":1284},{},{"nodeType":1280,"value":3052,"marks":3053,"data":3054}," OAuth connections across apps that aren’t known or approved. Even if an app itself is approved, plugging that app directly into your primary enterprise apps — with all the sensitive data and functionality therein — isn't necessarily also approved.  ",[],{},{"nodeType":1287,"data":3056,"content":3057},{},[3058],{"nodeType":1280,"value":3059,"marks":3060,"data":3061},"In the Vercel case, we’re talking specifically about shadow integrations. But all of these present a key risk to your organization. ",[],{},{"nodeType":1320,"data":3063,"content":3067},{"target":3064},{"sys":3065},{"id":3066,"type":1325,"linkType":1326},"2hsKQ9DEspflhmtR0bE7QY",[],{"nodeType":1543,"data":3069,"content":3070},{},[3071],{"nodeType":1280,"value":3072,"marks":3073,"data":3075},"The web of OAuth sprawl spans way beyond Google and Microsoft ",[3074],{"type":1284},{},{"nodeType":1287,"data":3077,"content":3078},{},[3079,3084],{"nodeType":1280,"value":3080,"marks":3081,"data":3083},"On average we see 17 unique AI app integrations per organization in Microsoft and Google alone",[3082],{"type":1284},{},{"nodeType":1280,"value":3085,"marks":3086,"data":3087},". If you consider that most organizations have probably approved 1 or 2 max for business use, and may have approved none at all for app-to-app OAuth connectivity, that’s quite a significant difference. ",[],{},{"nodeType":1287,"data":3089,"content":3090},{},[3091],{"nodeType":1280,"value":3092,"marks":3093,"data":3094},"The number of connections outside of these core platforms is significantly higher. Just think how the typical AI app operates. 
If you want it to be able to effectively automate workflows — pull data from one app, aggregate and analyze it in another, present that information in a report, dashboard, or presentation, and then distribute it — that’s a fair few integrations in just one workflow. MCP connections use OAuth to achieve this interconnectivity in the same way as any other SaaS app.",[],{},{"nodeType":1287,"data":3096,"content":3097},{},[3098],{"nodeType":1280,"value":3099,"marks":3100,"data":3101},"We used to talk about automation apps like Zapier as being a goldmine for attackers. Well, AI apps are on their way to being even more interconnected, more frequently used, and more flexible in terms of how attackers can abuse them. ",[],{},{"nodeType":1320,"data":3103,"content":3107},{"target":3104},{"sys":3105},{"id":3106,"type":1325,"linkType":1326},"4FiWyVw7mpVBA5uBVJoOKL",[],{"nodeType":1543,"data":3109,"content":3110},{},[3111],{"nodeType":1280,"value":3112,"marks":3113,"data":3115},"A note on OAuth configuration complexity",[3114],{"type":1284},{},{"nodeType":1287,"data":3117,"content":3118},{},[3119],{"nodeType":1280,"value":3120,"marks":3121,"data":3122},"A common misconception is that when a regular user consents to an OAuth app (let's use Google Workspace as the example) the app only gets access to the things they can directly access. Technically that's true — the access is scoped to that user's permissions. But in practice, the blast radius is almost always bigger than people think.",[],{},{"nodeType":1287,"data":3124,"content":3125},{},[3126],{"nodeType":1280,"value":3127,"marks":3128,"data":3129},"The scope includes shared drives, shared calendars, documents shared with them, and any other collaborative resources. A single well-permissioned user (think: developer with access to secrets, dashboards, and internal tooling) is more than enough to cause serious damage through a single OAuth grant. 
",[],{},{"nodeType":1287,"data":3131,"content":3132},{},[3133],{"nodeType":1280,"value":3134,"marks":3135,"data":3136},"The scopes themselves are often deceptively broad. An app requesting https://www.googleapis.com/auth/drive gets full read/write access to everything the user can see in Drive — not just their personal files. And the blast radius is further contingent on the data and user permission hygiene in these broader environments. ",[],{},{"nodeType":1287,"data":3138,"content":3139},{},[3140],{"nodeType":1280,"value":3141,"marks":3142,"data":3143},"So if your environment hasn't got cleanly separated access and permissions for different users and groups, an attacker compromising a \"normal\" user account can end up with extensive access. You don't need tenant-wide admin access when a normal user's access already spans the crown jewels.",[],{},{"nodeType":1320,"data":3145,"content":3149},{"target":3146},{"sys":3147},{"id":3148,"type":1325,"linkType":1326},"2t81AnAHx2On3fBynM4vVe",[],{"nodeType":1543,"data":3151,"content":3152},{},[3153],{"nodeType":1280,"value":3154,"marks":3155,"data":3157},"Unsurprisingly, OAuth breaches are stacking up",[3156],{"type":1284},{},{"nodeType":1287,"data":3159,"content":3160},{},[3161],{"nodeType":1280,"value":3162,"marks":3163,"data":3164},"Widespread OAuth interconnectedness isn’t just an AI app problem. 
Attackers have been exploiting this for some time:",[],{},{"nodeType":2991,"data":3166,"content":3167},{},[3168,3215],{"nodeType":2995,"data":3169,"content":3170},{},[3171],{"nodeType":1287,"data":3172,"content":3173},{},[3174,3178,3186,3190,3198,3202,3211],{"nodeType":1280,"value":3175,"marks":3176,"data":3177},"In 2025, ",[],{},{"nodeType":1295,"data":3179,"content":3180},{"uri":2485},[3181],{"nodeType":1280,"value":3182,"marks":3183,"data":3185},"Scattered Lapsus$ Hunters",[3184],{"type":1412},{},{"nodeType":1280,"value":3187,"marks":3188,"data":3189}," launched OAuth-driven supply chain attacks against Salesforce and Google Workspace tenants after breaching Salesloft (specifically the ",[],{},{"nodeType":1295,"data":3191,"content":3192},{"uri":2188},[3193],{"nodeType":1280,"value":3194,"marks":3195,"data":3197},"Salesloft Drift",[3196],{"type":1412},{},{"nodeType":1280,"value":3199,"marks":3200,"data":3201}," platform) and ",[],{},{"nodeType":1295,"data":3203,"content":3205},{"uri":3204},"https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/",[3206],{"nodeType":1280,"value":3207,"marks":3208,"data":3210},"Gainsight",[3209],{"type":1412},{},{"nodeType":1280,"value":3212,"marks":3213,"data":3214},". In total, over 1000 organizations were impacted, including Google, Cloudflare, Rubrik, Elastic, Proofpoint, JFrog, Zscaler, Tenable, Palo Alto Networks, CyberArk, BeyondTrust, Qualys, and many more, with over 1.5B records stolen. 
",[],{},{"nodeType":2995,"data":3216,"content":3217},{},[3218],{"nodeType":1287,"data":3219,"content":3220},{},[3221,3225,3234,3238,3247],{"nodeType":1280,"value":3222,"marks":3223,"data":3224},"More recently, Snowflake customers were impacted after a ",[],{},{"nodeType":1295,"data":3226,"content":3228},{"uri":3227},"https://www.bleepingcomputer.com/news/security/snowflake-customers-hit-in-data-theft-attacks-after-saas-integrator-breach/",[3229],{"nodeType":1280,"value":3230,"marks":3231,"data":3233},"breach at data anomaly detection company Anodot",[3232],{"type":1412},{},{"nodeType":1280,"value":3235,"marks":3236,"data":3237}," where the attacker attempted to leverage the stolen authentication tokens to access Salesforce data, with ",[],{},{"nodeType":1295,"data":3239,"content":3241},{"uri":3240},"https://www.bleepingcomputer.com/news/security/stolen-rockstar-games-analytics-data-leaked-by-extortion-gang/",[3242],{"nodeType":1280,"value":3243,"marks":3244,"data":3246},"Rockstar",[3245],{"type":1412},{},{"nodeType":1280,"value":3248,"marks":3249,"data":3250}," a high-profile victim of the breach (again linked to Scattered Lapsus$ Hunters). ",[],{},{"nodeType":1320,"data":3252,"content":3256},{"target":3253},{"sys":3254},{"id":3255,"type":1325,"linkType":1326},"3oqoL9L3fxetFcIhnfQhMQ",[],{"nodeType":1371,"data":3258,"content":3259},{},[],{"nodeType":1276,"data":3261,"content":3262},{},[3263],{"nodeType":1280,"value":3264,"marks":3265,"data":3267},"Infostealers continue to drive corporate breaches",[3266],{"type":1284},{},{"nodeType":1287,"data":3269,"content":3270},{},[3271],{"nodeType":1280,"value":3272,"marks":3273,"data":3274},"While unverified, Hudson Rock’s case for an infostealer breach being the root cause of the Context.ai breach seems believable. 
Infostealer infections have been one of the leading security threats for some time, fuelling breaches powered by stolen credentials and session tokens.",[],{},{"nodeType":1287,"data":3276,"content":3277},{},[3278,3282,3287],{"nodeType":1280,"value":3279,"marks":3280,"data":3281},"With the assumed rise in MFA coverage, it’s often surprising to security teams that stolen credentials are still a problem. ",[],{},{"nodeType":1280,"value":3283,"marks":3284,"data":3286},"But of the last million logins we saw, 1 in 4 were password logins (not SSO), 2 in 5 were not protected by MFA, and 1 in 5 used a weak, breached, or reused password. ",[3285],{"type":1284},{},{"nodeType":1280,"value":3288,"marks":3289,"data":3290},"Plenty of scope for abuse. ",[],{},{"nodeType":1287,"data":3292,"content":3293},{},[3294],{"nodeType":1280,"value":3295,"marks":3296,"data":3297},"Stolen session tokens are even more valuable to attackers, enabling them to bypass authentication controls by replaying the token in their own browser. In theory, tokens should only be valid for a limited timeframe, but in practice that lifetime can be as long as 90 days, and is sometimes indefinite. ",[],{},{"nodeType":1287,"data":3299,"content":3300},{},[3301],{"nodeType":1280,"value":3302,"marks":3303,"data":3304},"In this case, it seems likely that the compromised device was a developer machine (given the access to Supabase), or potentially even a personal device (given they were installing Roblox cheats…). 
This is relevant because these personal, developer, and BYOD machines are often less secure — developer machines are often exempt from EDR monitoring or significantly tuned-down (too noisy), while personal devices naturally lack enterprise security software.",[],{},{"nodeType":1320,"data":3306,"content":3310},{"target":3307},{"sys":3308},{"id":3309,"type":1325,"linkType":1326},"139oaGgwRKZbwJzyex9LA5",[],{"nodeType":1287,"data":3312,"content":3313},{},[3314,3318,3327],{"nodeType":1280,"value":3315,"marks":3316,"data":3317},"We’ve also seen an uptick in developer-oriented phishing and malvertising campaigns. The ",[],{},{"nodeType":1295,"data":3319,"content":3321},{"uri":3320},"https://pushsecurity.com/blog/installfix/",[3322],{"nodeType":1280,"value":3323,"marks":3324,"data":3326},"InstallFix campaign",[3325],{"type":1412},{},{"nodeType":1280,"value":3328,"marks":3329,"data":3330}," we identified, intercepting users as they attempt to install AI tools like Claude Code and NotebookLM, is an example of this — and also another way that attackers are capitalizing on AI hype. ",[],{},{"nodeType":1371,"data":3332,"content":3333},{},[],{"nodeType":1276,"data":3335,"content":3336},{},[3337],{"nodeType":1280,"value":3338,"marks":3339,"data":3341},"Advice for security teams",[3340],{"type":1284},{},{"nodeType":1287,"data":3343,"content":3344},{},[3345],{"nodeType":1280,"value":3346,"marks":3347,"data":3348},"There are some immediate next steps that we’ll quickly summarize here, as they've already been covered in wider reporting. If you’re a Vercel customer, you should urgently rotate every credential stored as a non-sensitive variable that could have been exposed, enable the sensitive variable feature toggle, and monitor your account for anomalous activity. 
And if you’re using the specific Context.ai integration, you need to revoke it ASAP and begin a full audit of the connected accounts, both inside Workspace and broader connected apps (this isn’t that easy, as we’ll highlight in a moment). ",[],{},{"nodeType":1320,"data":3350,"content":3354},{"target":3351},{"sys":3352},{"id":3353,"type":1325,"linkType":1326},"76HViirkH2R4QAzWg605sv",[],{"nodeType":1287,"data":3356,"content":3357},{},[3358,3362,3371],{"nodeType":1280,"value":3359,"marks":3360,"data":3361},"Taking a step back, organizations really need to get their arms around OAuth integrations in their environment. A default-deny approach to allowing users to consent to new integrations, and routinely auditing the ones already in your environment to ensure they’re still definitely required, is essential. Each integration expands your attack surface and could potentially grant an attacker extensive access to your environment. This default-deny approach isn't exactly a new concept for security teams and is the same in principle as what we recently advised for ",[],{},{"nodeType":1295,"data":3363,"content":3365},{"uri":3364},"https://pushsecurity.com/blog/browser-extension-management-guide/",[3366],{"nodeType":1280,"value":3367,"marks":3368,"data":3370},"browser extension management",[3369],{"type":1412},{},{"nodeType":1280,"value":2808,"marks":3372,"data":3373},[],{},{"nodeType":1287,"data":3375,"content":3376},{},[3377],{"nodeType":1280,"value":3378,"marks":3379,"data":3380},"This is fairly straightforward in your main enterprise cloud environment (think M365 or Google Workspace). But doing it across every SaaS app that allows some level of OAuth integration with another (i.e. every SaaS app) is somewhat harder. 
Not only do you need to have a comprehensive and up-to-date inventory, you need to be an app admin for every app (not always the case for self-adopted apps) and the particular app needs to give you the control to restrict and remove OAuth grants on behalf of users in your tenant. ",[],{},{"nodeType":1287,"data":3382,"content":3383},{},[3384],{"nodeType":1280,"value":3385,"marks":3386,"data":3387},"Again, this is not exclusively a Shadow AI problem, even if AI adoption is contributing significantly to the sprawl. ",[],{},{"nodeType":1320,"data":3389,"content":3393},{"target":3390},{"sys":3391},{"id":3392,"type":1325,"linkType":1326},"XKKHUiz56G82uwYhbv2Qv",[],{"nodeType":1371,"data":3395,"content":3396},{},[],{"nodeType":1276,"data":3398,"content":3399},{},[3400],{"nodeType":1280,"value":2344,"marks":3401,"data":3403},[3402],{"type":1284},{},{"nodeType":1287,"data":3405,"content":3406},{},[3407],{"nodeType":1280,"value":3408,"marks":3409,"data":3410},"As we’ve established, there are quite a few pieces to this puzzle. Push can help with all of them. ",[],{},{"nodeType":1287,"data":3412,"content":3413},{},[3414],{"nodeType":1280,"value":3415,"marks":3416,"data":3417},"Push observes every app login your employees make in their browser, building a comprehensive picture of SaaS and AI use across your organization. This includes how they’re logging in and how secure the login is: did it have MFA, what kind of MFA, was it using a weak or compromised password, did they use SSO, and so on. 
",[],{},{"nodeType":1320,"data":3419,"content":3423},{"target":3420},{"sys":3421},{"id":3422,"type":1325,"linkType":1326},"2B205bUaLm6vG8mIQ0rJvA",[],{"nodeType":1287,"data":3425,"content":3426},{},[3427],{"nodeType":1280,"value":3428,"marks":3429,"data":3430},"Push also tracks OAuth integrations in your environment and gives you the ability to manage and remove them in core environments like M365 and Google Workspace, providing a single platform for you to view, manage, and secure app use across your organization. ",[],{},{"nodeType":1320,"data":3432,"content":3436},{"target":3433},{"sys":3434},{"id":3435,"type":1325,"linkType":1326},"eEbdBUfyzZsdIOjFOXHpM",[],{"nodeType":1320,"data":3438,"content":3442},{"target":3439},{"sys":3440},{"id":3441,"type":1325,"linkType":1326},"1MTFxfROuGKxnkHQwWHe8K",[],{"nodeType":1287,"data":3444,"content":3445},{},[3446,3450,3455,3459,3464],{"nodeType":1280,"value":3447,"marks":3448,"data":3449},"This makes it easy to surface both vulnerabilities and possible control gaps, and do something about them. But where Push really excels is in the ability to observe and block OAuth connection requests ",[],{},{"nodeType":1280,"value":3451,"marks":3452,"data":3454},"even outside of your primary enterprise apps.",[3453],{"type":1284},{},{"nodeType":1280,"value":3456,"marks":3457,"data":3458}," Using Push, you can detect and block OAuth integration requests as they traverse the browser. This ",[],{},{"nodeType":1280,"value":3460,"marks":3461,"data":3463},"app-agnostic",[3462],{"type":1284},{},{"nodeType":1280,"value":3465,"marks":3466,"data":3467}," level of control is absolutely critical to halting OAuth integration sprawl. 
",[],{},{"nodeType":1320,"data":3469,"content":3473},{"target":3470},{"sys":3471},{"id":3472,"type":1325,"linkType":1326},"2VZ4uw6MXslXME2ueydGuT",[],{"nodeType":1543,"data":3475,"content":3476},{},[3477,3481],{"nodeType":1280,"value":3478,"marks":3479,"data":3480},"And t",[],{},{"nodeType":1280,"value":3482,"marks":3483,"data":3485},"hat’s not all …",[3484],{"type":1284},{},{"nodeType":1287,"data":3487,"content":3488},{},[3489],{"nodeType":1280,"value":3490,"marks":3491,"data":3492},"Push’s browser-based security platform also detects and blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, device code phishing, ClickFix, and session hijacking in real time. This includes the most prominent infostealer delivery vectors in terms of malvertising and *Fix-style attacks. Push analyzes every web page in every browser session and tab for threats, in real time, with no latency. ",[],{},{"nodeType":1287,"data":3494,"content":3495},{},[3496],{"nodeType":1280,"value":3497,"marks":3498,"data":3499},"But as we've established, you don't need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your attack surface.",[],{},{"nodeType":1287,"data":3501,"content":3502},{},[3503,3507,3515,3519,3528,3532,3540],{"nodeType":1280,"value":3504,"marks":3505,"data":3506},"To learn more about Push, ",[],{},{"nodeType":1295,"data":3508,"content":3510},{"uri":3509},"https://pushsecurity.com/resources/product-brochure",[3511],{"nodeType":1280,"value":3512,"marks":3513,"data":3514},"check out our latest product overview",[],{},{"nodeType":1280,"value":3516,"marks":3517,"data":3518},", 
",[],{},{"nodeType":1295,"data":3520,"content":3522},{"uri":3521},"https://pushsecurity.com/product-demo/",[3523],{"nodeType":1280,"value":3524,"marks":3525,"data":3527},"view our demo library",[3526],{"type":1412},{},{"nodeType":1280,"value":3529,"marks":3530,"data":3531},", or ",[],{},{"nodeType":1295,"data":3533,"content":3535},{"uri":3534},"https://pushsecurity.com/demo",[3536],{"nodeType":1280,"value":3537,"marks":3538,"data":3539},"book some time with one of our team for a live demo",[],{},{"nodeType":1280,"value":1367,"marks":3541,"data":3542},[],{},"Unpacking the Vercel breach: A cautionary tale for Shadow AI and OAuth sprawl","In April 2026, Vercel was compromised via an OAuth app integrated into their Google Workspace tenant stemming from a compromised third-party AI SaaS provider.","2026-04-23T00:00:00.000Z","unpacking-the-vercel-breach",{"items":3548},[3549,3551],{"sys":3550,"name":2763},{"id":2762},{"sys":3552,"name":2767},{"id":2766},{"items":3554},[3555],{"fullName":2771,"firstName":2772,"jobTitle":2773,"profilePicture":3556},{"url":2775},{"__typename":1923,"sys":3558,"content":3560,"title":4464,"synopsis":4465,"hashTags":61,"publishedDate":4466,"slug":4467,"tagsCollection":4468,"authorsCollection":4474},{"id":3559},"10hUzI9iiY8fFtmlA0M9Ne",{"json":3561},{"nodeType":1272,"data":3562,"content":3563},{},[3564,3571,3577,3596,3599,3607,3614,3621,3624,3632,3639,3811,3818,3825,3828,3836,3843,3850,3857,3864,3867,3875,3894,3901,3909,3916,4061,4080,4088,4095,4230,4249,4255,4258,4266,4273,4280,4287,4290,4298,4338,4369,4376,4382,4385,4392,4399,4406,4413,4416,4424,4431],{"nodeType":1287,"data":3565,"content":3566},{},[3567],{"nodeType":1280,"value":3568,"marks":3569,"data":3570},"On the morning of March 11, employees at Stryker Corporation offices across 79 countries turned on their laptops and found them wiped and unusable. 
Personal phones enrolled in the company's BYOD program had been factory reset overnight, taking photos, banking apps, and authenticator tokens with them. Login pages had also been defaced with the logo of Handala, a persona operated by Iran's Ministry of Intelligence and Security (MOIS).",[],{},{"nodeType":1320,"data":3572,"content":3576},{"target":3573},{"sys":3574},{"id":3575,"type":1325,"linkType":1326},"6JtlGFq0RDoW9g6zyAcPvn",[],{"nodeType":1287,"data":3578,"content":3579},{},[3580,3584,3592],{"nodeType":1280,"value":3581,"marks":3582,"data":3583},"In a break from the standard Handala playbook, there was no ransomware, no malware, and no exploit chain. The attacker ",[],{},{"nodeType":1295,"data":3585,"content":3587},{"uri":3586},"https://www.bleepingcomputer.com/news/security/stryker-attack-wiped-tens-of-thousands-of-devices-no-malware-needed/",[3588],{"nodeType":1280,"value":3589,"marks":3590,"data":3591},"simply logged into Microsoft Intune",[],{},{"nodeType":1280,"value":3593,"marks":3594,"data":3595}," with compromised Global Administrator credentials, abused a legitimate feature, and wiped over 80,000 systems, servers, and mobile devices.",[],{},{"nodeType":1371,"data":3597,"content":3598},{},[],{"nodeType":1276,"data":3600,"content":3601},{},[3602],{"nodeType":1280,"value":3603,"marks":3604,"data":3606},"What a Handala attack was supposed to look like",[3605],{"type":1284},{},{"nodeType":1287,"data":3608,"content":3609},{},[3610],{"nodeType":1280,"value":3611,"marks":3612,"data":3613},"Handala has a reputation for being a manual, hands-on intrusion team whose TTPs have typically included VPN credential brute-force for initial access (hundreds of logon attempts from commercial VPN nodes), supply chain compromise via managed service providers, RDP as the primary lateral movement method, ADRecon for Active Directory enumeration, LSASS credential dumping via comsvcs.dll, and GPO logon scripts for wiper 
distribution.",[],{},{"nodeType":1287,"data":3615,"content":3616},{},[3617],{"nodeType":1280,"value":3618,"marks":3619,"data":3620},"If you had invested in detection logic around Handala's documented toolkit (BiBi Wiper file extensions, Cl Wiper's EldoS RawDisk driver calls, No-Justice partition table manipulation, Karma Shell's Base64-with-XOR web shell patterns) none of it would have fired. Wiper malware signatures, web shell indicators, RawDisk driver loading, MBR/GPT manipulation, SharePoint exploitation patterns, anomalous RDP/SMB lateral movement: all reasonable detection priorities given the group's threat intelligence profile, but all irrelevant when it mattered most.",[],{},{"nodeType":1371,"data":3622,"content":3623},{},[],{"nodeType":1276,"data":3625,"content":3626},{},[3627],{"nodeType":1280,"value":3628,"marks":3629,"data":3631},"What Handala actually did",[3630],{"type":1284},{},{"nodeType":1287,"data":3633,"content":3634},{},[3635],{"nodeType":1280,"value":3636,"marks":3637,"data":3638},"The Stryker attack departs from the documented baseline across the kill chain.",[],{},{"nodeType":2496,"data":3640,"content":3641},{},[3642,3679,3712,3745,3778],{"nodeType":2500,"data":3643,"content":3644},{},[3645,3657,3668],{"nodeType":3646,"data":3647,"content":3648},"table-header-cell",{},[3649],{"nodeType":1287,"data":3650,"content":3651},{},[3652],{"nodeType":1280,"value":3653,"marks":3654,"data":3656},"Kill chain phase",[3655],{"type":1284},{},{"nodeType":3646,"data":3658,"content":3659},{},[3660],{"nodeType":1287,"data":3661,"content":3662},{},[3663],{"nodeType":1280,"value":3664,"marks":3665,"data":3667},"Historical TTP",[3666],{"type":1284},{},{"nodeType":3646,"data":3669,"content":3670},{},[3671],{"nodeType":1287,"data":3672,"content":3673},{},[3674],{"nodeType":1280,"value":3675,"marks":3676,"data":3678},"Stryker 
TTP",[3677],{"type":1284},{},{"nodeType":2500,"data":3680,"content":3681},{},[3682,3692,3702],{"nodeType":2504,"data":3683,"content":3684},{},[3685],{"nodeType":1287,"data":3686,"content":3687},{},[3688],{"nodeType":1280,"value":3689,"marks":3690,"data":3691},"Initial access",[],{},{"nodeType":2504,"data":3693,"content":3694},{},[3695],{"nodeType":1287,"data":3696,"content":3697},{},[3698],{"nodeType":1280,"value":3699,"marks":3700,"data":3701},"VPN credential brute-force, supply chain compromise of managed service providers and IT vendors, spearphishing with wiper delivery, exploitation of SharePoint and Windows server vulnerabilities",[],{},{"nodeType":2504,"data":3703,"content":3704},{},[3705],{"nodeType":1287,"data":3706,"content":3707},{},[3708],{"nodeType":1280,"value":3709,"marks":3710,"data":3711},"Identity compromise targeting Microsoft Entra ID",[],{},{"nodeType":2500,"data":3713,"content":3714},{},[3715,3725,3735],{"nodeType":2504,"data":3716,"content":3717},{},[3718],{"nodeType":1287,"data":3719,"content":3720},{},[3721],{"nodeType":1280,"value":3722,"marks":3723,"data":3724},"Persistence",[],{},{"nodeType":2504,"data":3726,"content":3727},{},[3728],{"nodeType":1287,"data":3729,"content":3730},{},[3731],{"nodeType":1280,"value":3732,"marks":3733,"data":3734},"Web shells (Karma Shell, reGeorg)",[],{},{"nodeType":2504,"data":3736,"content":3737},{},[3738],{"nodeType":1287,"data":3739,"content":3740},{},[3741],{"nodeType":1280,"value":3742,"marks":3743,"data":3744},"Global Administrator access to cloud tenant, no persistence mechanism needed",[],{},{"nodeType":2500,"data":3746,"content":3747},{},[3748,3758,3768],{"nodeType":2504,"data":3749,"content":3750},{},[3751],{"nodeType":1287,"data":3752,"content":3753},{},[3754],{"nodeType":1280,"value":3755,"marks":3756,"data":3757},"Lateral 
movement",[],{},{"nodeType":2504,"data":3759,"content":3760},{},[3761],{"nodeType":1287,"data":3762,"content":3763},{},[3764],{"nodeType":1280,"value":3765,"marks":3766,"data":3767},"RDP, SMB, FTP, Mimikatz",[],{},{"nodeType":2504,"data":3769,"content":3770},{},[3771],{"nodeType":1287,"data":3772,"content":3773},{},[3774],{"nodeType":1280,"value":3775,"marks":3776,"data":3777},"None required, Intune console provides global reach from a single session",[],{},{"nodeType":2500,"data":3779,"content":3780},{},[3781,3791,3801],{"nodeType":2504,"data":3782,"content":3783},{},[3784],{"nodeType":1287,"data":3785,"content":3786},{},[3787],{"nodeType":1280,"value":3788,"marks":3789,"data":3790},"Impact",[],{},{"nodeType":2504,"data":3792,"content":3793},{},[3794],{"nodeType":1287,"data":3795,"content":3796},{},[3797],{"nodeType":1280,"value":3798,"marks":3799,"data":3800},"Custom wiper malware (BiBi, Cl Wiper, No-Justice, Hatef)",[],{},{"nodeType":2504,"data":3802,"content":3803},{},[3804],{"nodeType":1287,"data":3805,"content":3806},{},[3807],{"nodeType":1280,"value":3808,"marks":3809,"data":3810},"Microsoft Intune Remote Wipe, a legitimate built-in administrative feature",[],{},{"nodeType":1287,"data":3812,"content":3813},{},[3814],{"nodeType":1280,"value":3815,"marks":3816,"data":3817},"An organization with detections built around malware signatures, file system manipulation, and anomalous process execution would be unprepared for an attack with zero malware artifacts, where every action was a legitimate administrative command.",[],{},{"nodeType":1287,"data":3819,"content":3820},{},[3821],{"nodeType":1280,"value":3822,"marks":3823,"data":3824},"But while the methods were different, the core objective — mass destruction of data — is entirely consistent with previous campaigns, just through a legitimate management plane rather than custom 
malware.",[],{},{"nodeType":1371,"data":3826,"content":3827},{},[],{"nodeType":1276,"data":3829,"content":3830},{},[3831],{"nodeType":1280,"value":3832,"marks":3833,"data":3835},"The kill chain looks different now",[3834],{"type":1284},{},{"nodeType":1287,"data":3837,"content":3838},{},[3839],{"nodeType":1280,"value":3840,"marks":3841,"data":3842},"The attack path was devastatingly simple. It didn't require lateral movement because there was nothing to move laterally through. It didn't require privilege escalation because they directly compromised a global administrator account. Every device managed by Intune was already within reach.",[],{},{"nodeType":1287,"data":3844,"content":3845},{},[3846],{"nodeType":1280,"value":3847,"marks":3848,"data":3849},"The traditional network-centric kill chain collapses into: compromise identity, access management plane, execute objective.",[],{},{"nodeType":1287,"data":3851,"content":3852},{},[3853],{"nodeType":1280,"value":3854,"marks":3855,"data":3856},"This is not specific to Iran-aligned actors. Russian groups are leveraging AITM phishing kits and abusing Microsoft 365 OAuth tokens via consent attacks. Scattered Spider built an operational model around social engineering and SSO account takeover. And now Handala has demonstrated that a nation-state destructive operation can be executed entirely by abusing legitimate enterprise tooling.",[],{},{"nodeType":1287,"data":3858,"content":3859},{},[3860],{"nodeType":1280,"value":3861,"marks":3862,"data":3863},"This kind of attack is more direct, faster to execute, and carries a significantly lower barrier to entry. 
You don't need custom malware and exploit development when you can log in using as-a-Service kits or partner with an access brokering specialist.",[],{},{"nodeType":1371,"data":3865,"content":3866},{},[],{"nodeType":1276,"data":3868,"content":3869},{},[3870],{"nodeType":1280,"value":3871,"marks":3872,"data":3874},"The big picture of Iranian cyber TTPs",[3873],{"type":1284},{},{"nodeType":1287,"data":3876,"content":3877},{},[3878,3882,3890],{"nodeType":1280,"value":3879,"marks":3880,"data":3881},"Iran's offensive cyber capability is split between two rival intelligence bureaucracies. The Ministry of Intelligence and Security (MOIS) runs groups like APT34, MuddyWater, Scarred Manticore, and Void Manticore (Handala), which tend toward long-dwell espionage and coordinated destructive operations, often using a ",[],{},{"nodeType":1295,"data":3883,"content":3885},{"uri":3884},"https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/",[3886],{"nodeType":1280,"value":3887,"marks":3888,"data":3889},"documented dual-actor handoff model",[],{},{"nodeType":1280,"value":3891,"marks":3892,"data":3893}," where Scarred Manticore conducts stealthy espionage before handing targets to Void Manticore (Handala) for destruction.",[],{},{"nodeType":1287,"data":3895,"content":3896},{},[3897],{"nodeType":1280,"value":3898,"marks":3899,"data":3900},"The Islamic Revolutionary Guard Corps (IRGC) runs a wider set of groups, including APT33/Peach Sandstorm, APT35/Charming Kitten, APT42, Tortoiseshell/Imperial Kitten, Cotton Sandstorm, and CyberAv3ngers. IRGC groups cover espionage, destructive attacks, influence operations, election interference, ICS targeting across U.S. 
water and wastewater facilities, and individual surveillance.",[],{},{"nodeType":1543,"data":3902,"content":3903},{},[3904],{"nodeType":1280,"value":3905,"marks":3906,"data":3908},"IRGC groups have already shifted to identity-first TTPs",[3907],{"type":1284},{},{"nodeType":1287,"data":3910,"content":3911},{},[3912],{"nodeType":1280,"value":3913,"marks":3914,"data":3915},"On the IRGC side, the shift toward identity-centric operations is well-documented:",[],{},{"nodeType":2991,"data":3917,"content":3918},{},[3919,3970,4008,4035],{"nodeType":2995,"data":3920,"content":3921},{},[3922],{"nodeType":1287,"data":3923,"content":3924},{},[3925,3930,3934,3942,3946,3954,3958,3966],{"nodeType":1280,"value":3926,"marks":3927,"data":3929},"APT33/Peach Sandstorm",[3928],{"type":1284},{},{"nodeType":1280,"value":3931,"marks":3932,"data":3933}," shifted decisively toward credential-based initial access starting in early 2023, with Microsoft ",[],{},{"nodeType":1295,"data":3935,"content":3937},{"uri":3936},"https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/",[3938],{"nodeType":1280,"value":3939,"marks":3940,"data":3941},"documenting",[],{},{"nodeType":1280,"value":3943,"marks":3944,"data":3945}," large-scale password spray campaigns targeting thousands of organizations, ",[],{},{"nodeType":1295,"data":3947,"content":3949},{"uri":3948},"https://www.bleepingcomputer.com/news/security/iranian-hackers-breach-defense-orgs-in-password-spray-attacks/",[3950],{"nodeType":1280,"value":3951,"marks":3952,"data":3953},"Golden SAML",[],{},{"nodeType":1280,"value":3955,"marks":3956,"data":3957}," attacks for persistent cloud access, and the use of 
",[],{},{"nodeType":1295,"data":3959,"content":3961},{"uri":3960},"https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/",[3962],{"nodeType":1280,"value":3963,"marks":3964,"data":3965},"fraudulent Azure subscriptions",[],{},{"nodeType":1280,"value":3967,"marks":3968,"data":3969}," for C2 infrastructure.",[],{},{"nodeType":2995,"data":3971,"content":3972},{},[3973],{"nodeType":1287,"data":3974,"content":3975},{},[3976,3981,3984,3992,3996,4004],{"nodeType":1280,"value":3977,"marks":3978,"data":3980},"APT42",[3979],{"type":1284},{},{"nodeType":1280,"value":3516,"marks":3982,"data":3983},[],{},{"nodeType":1295,"data":3985,"content":3987},{"uri":3986},"https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations",[3988],{"nodeType":1280,"value":3989,"marks":3990,"data":3991},"assessed by Mandiant to operate on behalf of the IRGC-IO, ",[],{},{"nodeType":1280,"value":3993,"marks":3994,"data":3995},"has made credential harvesting and MFA bypass its core competency, operating almost entirely within cloud environments post-compromise and ",[],{},{"nodeType":1295,"data":3997,"content":3999},{"uri":3998},"https://cloud.google.com/blog/topics/threat-intelligence/apt42-charms-cons-compromises",[4000],{"nodeType":1280,"value":4001,"marks":4002,"data":4003},"registering its own Microsoft Authenticator",[],{},{"nodeType":1280,"value":4005,"marks":4006,"data":4007}," on compromised accounts for persistent access.",[],{},{"nodeType":2995,"data":4009,"content":4010},{},[4011],{"nodeType":1287,"data":4012,"content":4013},{},[4014,4019,4023,4031],{"nodeType":1280,"value":4015,"marks":4016,"data":4018},"APT35",[4017],{"type":1284},{},{"nodeType":1280,"value":4020,"marks":4021,"data":4022}," (aka Imperial Kitten/Tortoiseshell) was observed 
",[],{},{"nodeType":1295,"data":4024,"content":4026},{"uri":4025},"https://www.crowdstrike.com/explore/2026-global-threat-report?utm_medium=org",[4027],{"nodeType":1280,"value":4028,"marks":4029,"data":4030},"targeting cloud identities in November 2025",[],{},{"nodeType":1280,"value":4032,"marks":4033,"data":4034},", deploying the Evilginx2 AitM toolkit against Microsoft 365 users in Israel.",[],{},{"nodeType":2995,"data":4036,"content":4037},{},[4038],{"nodeType":1287,"data":4039,"content":4040},{},[4041,4046,4050,4057],{"nodeType":1280,"value":4042,"marks":4043,"data":4045},"CrustyKrill",[4044],{"type":1284},{},{"nodeType":1280,"value":4047,"marks":4048,"data":4049}," (TA455/Smoke Sandstorm) ",[],{},{"nodeType":1295,"data":4051,"content":4052},{"uri":4025},[4053],{"nodeType":1280,"value":4054,"marks":4055,"data":4056},"uses fake Google Meet and Microsoft Teams pages",[],{},{"nodeType":1280,"value":4058,"marks":4059,"data":4060}," with a live operator intercepting 2FA codes in real time, alongside Azure Web Apps for C2.",[],{},{"nodeType":1287,"data":4062,"content":4063},{},[4064,4068,4076],{"nodeType":1280,"value":4065,"marks":4066,"data":4067},"A ",[],{},{"nodeType":1295,"data":4069,"content":4071},{"uri":4070},"https://media.defense.gov/2024/Oct/16/2003565317/-1/-1/0/CSA-IRAN-CYBER-BRUTE-FORCE-CRITICAL-INFRASTRUCTURE-ORGS.PDF",[4072],{"nodeType":1280,"value":4073,"marks":4074,"data":4075},"joint advisory from six nations",[],{},{"nodeType":1280,"value":4077,"marks":4078,"data":4079}," (FBI, CISA, NSA, CSE, AFP, ASD, advisory AA24-290A, October 2024) confirmed the pattern at the government level, documenting Iranian actors using brute force, password spraying, and MFA push bombing to compromise critical infrastructure accounts since October 2023, and assessing that the actors sell this access on cybercriminal forums.",[],{},{"nodeType":1543,"data":4081,"content":4082},{},[4083],{"nodeType":1280,"value":4084,"marks":4085,"data":4087},"MOIS groups are changing 
their approach too",[4086],{"type":1284},{},{"nodeType":1287,"data":4089,"content":4090},{},[4091],{"nodeType":1280,"value":4092,"marks":4093,"data":4094},"On the MOIS side, the documented TTP baseline has historically centred on custom malware, network-level persistence, and exploitation of on-premises infrastructure. But identity compromise, particularly credential theft, has been a consistent thread across broader MOIS groups too:",[],{},{"nodeType":2991,"data":4096,"content":4097},{},[4098,4137,4164,4215],{"nodeType":2995,"data":4099,"content":4100},{},[4101],{"nodeType":1287,"data":4102,"content":4103},{},[4104,4109,4113,4121,4125,4133],{"nodeType":1280,"value":4105,"marks":4106,"data":4108},"APT34 (OilRig) ",[4107],{"type":1284},{},{"nodeType":1280,"value":4110,"marks":4111,"data":4112},"built its reputation on DNS tunnelling and custom backdoors, but its initial access methods include spearphishing and fake VPN portals for credential harvesting. Its 2024 campaigns introduced ",[],{},{"nodeType":1295,"data":4114,"content":4116},{"uri":4115},"https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html",[4117],{"nodeType":1280,"value":4118,"marks":4119,"data":4120},"password filter DLLs",[],{},{"nodeType":1280,"value":4122,"marks":4123,"data":4124}," registered at the domain controller level to intercept plaintext credentials during password change events, with the ",[],{},{"nodeType":1295,"data":4126,"content":4128},{"uri":4127},"https://www.bleepingcomputer.com/news/security/oilrig-hackers-now-exploit-windows-flaw-to-elevate-privileges/",[4129],{"nodeType":1280,"value":4130,"marks":4131,"data":4132},"STEALHOOK backdoor",[],{},{"nodeType":1280,"value":4134,"marks":4135,"data":4136}," exfiltrating stolen domain credentials via compromised Exchange servers. 
Cloud-based downloaders leveraging OneDrive and Microsoft Graph API were active against Israeli targets from 2022 to 2024.",[],{},{"nodeType":2995,"data":4138,"content":4139},{},[4140],{"nodeType":1287,"data":4141,"content":4142},{},[4143,4148,4152,4160],{"nodeType":1280,"value":4144,"marks":4145,"data":4147},"APT39 (Chafer) ",[4146],{"type":1284},{},{"nodeType":1280,"value":4149,"marks":4150,"data":4151},"operated through the ",[],{},{"nodeType":1295,"data":4153,"content":4155},{"uri":4154},"https://home.treasury.gov/news/press-releases/sm1127",[4156],{"nodeType":1280,"value":4157,"marks":4158,"data":4159},"sanctioned front company Rana Intelligence Computing",[],{},{"nodeType":1280,"value":4161,"marks":4162,"data":4163}," and focuses on surveillance and tracking of individuals, using credential harvesting through spoofed airline and telecom domains across 30+ countries.",[],{},{"nodeType":2995,"data":4165,"content":4166},{},[4167],{"nodeType":1287,"data":4168,"content":4169},{},[4170,4175,4179,4187,4191,4199,4203,4211],{"nodeType":1280,"value":4171,"marks":4172,"data":4174},"MuddyWater",[4173],{"type":1284},{},{"nodeType":1280,"value":4176,"marks":4177,"data":4178},", confirmed by a ",[],{},{"nodeType":1295,"data":4180,"content":4182},{"uri":4181},"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a",[4183],{"nodeType":1280,"value":4184,"marks":4185,"data":4186},"joint CISA/FBI/NSA/NCSC advisory",[],{},{"nodeType":1280,"value":4188,"marks":4189,"data":4190}," as a subordinate element of MOIS, functions as an initial access broker within the ecosystem. 
Its operations rely on spearphishing and abuse of legitimate RMM tools, but the group has developed ",[],{},{"nodeType":1295,"data":4192,"content":4194},{"uri":4193},"https://thehackernews.com/2025/12/iran-linked-hackers-hits-israeli_2.html",[4195],{"nodeType":1280,"value":4196,"marks":4197,"data":4198},"dedicated credential stealers",[],{},{"nodeType":1280,"value":4200,"marks":4201,"data":4202}," including CE-Notes (which bypasses Chrome's app-bound encryption), Blub (a multi-browser credential extractor), and LP-Notes (fake Windows Security dialogs to capture system credentials). A parallel campaign documented by ",[],{},{"nodeType":1295,"data":4204,"content":4206},{"uri":4205},"https://www.group-ib.com/blog/muddywater-espionage/",[4207],{"nodeType":1280,"value":4208,"marks":4209,"data":4210},"Group-IB",[],{},{"nodeType":1280,"value":4212,"marks":4213,"data":4214}," found the group deploying a custom Chromium credential stealer alongside its Phoenix backdoor.",[],{},{"nodeType":2995,"data":4216,"content":4217},{},[4218],{"nodeType":1287,"data":4219,"content":4220},{},[4221,4226],{"nodeType":1280,"value":4222,"marks":4223,"data":4225},"Lyceum (Hexane)",[4224],{"type":1284},{},{"nodeType":1280,"value":4227,"marks":4228,"data":4229}," overlaps operationally with APT34 and uses password spraying and brute-force attacks for initial access, and notably probed Albanian government infrastructure ahead of Handala destructive attacks in 2022, illustrating the collaborative model across MOIS groups.",[],{},{"nodeType":1287,"data":4231,"content":4232},{},[4233,4237,4245],{"nodeType":1280,"value":4234,"marks":4235,"data":4236},"Check Point has also ",[],{},{"nodeType":1295,"data":4238,"content":4240},{"uri":4239},"https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/",[4241],{"nodeType":1280,"value":4242,"marks":4243,"data":4244},"documented",[],{},{"nodeType":1280,"value":4246,"marks":4247,"data":4248}," a broader pattern of MOIS actors 
engaging directly with the criminal ecosystem, including Handala's adoption of the Rhadamanthys commercial infostealer and Iranian-affiliated operators working through the Qilin ransomware-as-a-service infrastructure.",[],{},{"nodeType":1320,"data":4250,"content":4254},{"target":4251},{"sys":4252},{"id":4253,"type":1325,"linkType":1326},"2SFtROFuPZ4SPTL87Vpjr9",[],{"nodeType":1371,"data":4256,"content":4257},{},[],{"nodeType":1276,"data":4259,"content":4260},{},[4261],{"nodeType":1280,"value":4262,"marks":4263,"data":4265},"The problem with over-indexing on TTPs",[4264],{"type":1284},{},{"nodeType":1287,"data":4267,"content":4268},{},[4269],{"nodeType":1280,"value":4270,"marks":4271,"data":4272},"Threat intelligence has real value. Attributing campaigns to named groups, mapping their techniques to MITRE ATT&CK, and generating detection rules gives defenders a meaningful starting point. The problem is treating a specific actor's historical TTP catalogue as the primary basis for detection logic, rather than combining it with the broader trends in attacker behaviour visible across the entire landscape.",[],{},{"nodeType":1287,"data":4274,"content":4275},{},[4276],{"nodeType":1280,"value":4277,"marks":4278,"data":4279},"Operators are creative and pragmatic. If the path of least resistance is a compromised admin credential and a legitimate MDM feature, no serious attacker is going to deploy custom wiper malware instead because that's what they used last time.",[],{},{"nodeType":1287,"data":4281,"content":4282},{},[4283],{"nodeType":1280,"value":4284,"marks":4285,"data":4286},"If your threat model says you're a plausible target for an Iranian threat group, and the trend data tells you that identity compromise is the most common initial access method across all actors, the rational response is to evaluate your controls aligned to identity-based initial access, not just deploy signatures for BiBi Wiper. 
When the specific actor profile crowds out the general trend data, you end up building defences against the last attack and leaving yourself exposed to the shift that every actor is going through.",[],{},{"nodeType":1371,"data":4288,"content":4289},{},[],{"nodeType":1276,"data":4291,"content":4292},{},[4293],{"nodeType":1280,"value":4294,"marks":4295,"data":4297},"Evaluating the security guidance",[4296],{"type":1284},{},{"nodeType":1287,"data":4299,"content":4300},{},[4301,4305,4313,4317,4325,4329,4334],{"nodeType":1280,"value":4302,"marks":4303,"data":4304},"In the wake of the breach, industry guidance has settled around enforcing phishing-resistant MFA on privileged accounts, implementing just-in-time privilege activation via ",[],{},{"nodeType":1295,"data":4306,"content":4308},{"uri":4307},"https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure",[4309],{"nodeType":1280,"value":4310,"marks":4311,"data":4312},"PIM",[],{},{"nodeType":1280,"value":4314,"marks":4315,"data":4316},", enabling ",[],{},{"nodeType":1295,"data":4318,"content":4320},{"uri":4319},"https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/multi-admin-approval",[4321],{"nodeType":1280,"value":4322,"marks":4323,"data":4324},"Multi Admin Approval ",[],{},{"nodeType":1280,"value":4326,"marks":4327,"data":4328},"for high-risk Intune operations, configuring anomaly alerting on bulk device actions, and segregating administrative identities from everyday user accounts. 
This is all sound advice, but these recommendations are designed to limit what an attacker can do ",[],{},{"nodeType":1280,"value":4330,"marks":4331,"data":4333},"after",[4332],{"type":275},{},{"nodeType":1280,"value":4335,"marks":4336,"data":4337}," an account has already been compromised — introducing friction, but not blocking them entirely.",[],{},{"nodeType":1287,"data":4339,"content":4340},{},[4341,4345,4353,4357,4365],{"nodeType":1280,"value":4342,"marks":4343,"data":4344},"The detection challenges compound this. Entra ID sign-in logs and ",[],{},{"nodeType":1295,"data":4346,"content":4348},{"uri":4347},"https://www.a6n.co.uk/2025/11/tracking-device-wipes-in-microsoft.html",[4349],{"nodeType":1280,"value":4350,"marks":4351,"data":4352},"Intune audit logs exist in separate systems",[],{},{"nodeType":1280,"value":4354,"marks":4355,"data":4356}," with separate correlation IDs. Tracing a sign-in to a subsequent device action requires deliberate log integration that many organizations haven't implemented. The ",[],{},{"nodeType":1295,"data":4358,"content":4360},{"uri":4359},"https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/monitor-audit-logs",[4361],{"nodeType":1280,"value":4362,"marks":4363,"data":4364},"logs do record",[],{},{"nodeType":1280,"value":4366,"marks":4367,"data":4368}," \"wipe ManagedDevice\" events, but may not be linked to real-time alerting. And the underlying action, Intune's Remote Wipe, is a legitimate feature used routinely in enterprise IT. 
Again, the attack could have succeeded even with these in place.",[],{},{"nodeType":1287,"data":4370,"content":4371},{},[4372],{"nodeType":1280,"value":4373,"marks":4374,"data":4375},"In a world where a compromised account can be rapidly exploited, it's vital to focus on improving detection and prevention as early as possible in the kill chain — combating initial access techniques themselves.",[],{},{"nodeType":1320,"data":4377,"content":4381},{"target":4378},{"sys":4379},{"id":4380,"type":1325,"linkType":1326},"4H3AzW7q4QBv7pJawSqQBJ",[],{"nodeType":1371,"data":4383,"content":4384},{},[],{"nodeType":1276,"data":4386,"content":4387},{},[4388],{"nodeType":1280,"value":2426,"marks":4389,"data":4391},[4390],{"type":1284},{},{"nodeType":1287,"data":4393,"content":4394},{},[4395],{"nodeType":1280,"value":4396,"marks":4397,"data":4398},"The Stryker attack reflects what attackers everywhere — from financially motivated criminal groups to more destructive nation-state operators — are already doing. Identity-based initial access, abuse of legitimate tools and services, and living-off-the-land execution are the current standard operating procedure.",[],{},{"nodeType":1287,"data":4400,"content":4401},{},[4402],{"nodeType":1280,"value":4403,"marks":4404,"data":4405},"Even with a perfectly hardened environment, most public breaches today involve attackers hijacking SSO mechanisms to move into connected applications, exfiltrating data for resale or extortion, and in some cases leveraging cloud services and admin platforms to deploy ransomware (the Scattered Spider playbook of dropping ransomware via the VMware management portal being a well-documented example).",[],{},{"nodeType":1287,"data":4407,"content":4408},{},[4409],{"nodeType":1280,"value":4410,"marks":4411,"data":4412},"The majority of attackers will have no interest in destructively wiping an Intune environment — that's difficult to monetize. 
But the techniques that enabled the Stryker wipe are the same as those that enable financially motivated breaches at scale, pointing to a challenge that extends well beyond Iran-nexus threat actors and MDM hardening.",[],{},{"nodeType":1371,"data":4414,"content":4415},{},[],{"nodeType":1276,"data":4417,"content":4418},{},[4419],{"nodeType":1280,"value":4420,"marks":4421,"data":4423},"About Push Security",[4422],{"type":1284},{},{"nodeType":1287,"data":4425,"content":4426},{},[4427],{"nodeType":1280,"value":4428,"marks":4429,"data":4430},"Push Security's browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. You don't need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":1287,"data":4432,"content":4433},{},[4434,4437,4443,4446,4452,4455,4461],{"nodeType":1280,"value":3504,"marks":4435,"data":4436},[],{},{"nodeType":1295,"data":4438,"content":4439},{"uri":3509},[4440],{"nodeType":1280,"value":3512,"marks":4441,"data":4442},[],{},{"nodeType":1280,"value":3516,"marks":4444,"data":4445},[],{},{"nodeType":1295,"data":4447,"content":4448},{"uri":3521},[4449],{"nodeType":1280,"value":3524,"marks":4450,"data":4451},[],{},{"nodeType":1280,"value":3529,"marks":4453,"data":4454},[],{},{"nodeType":1295,"data":4456,"content":4457},{"uri":3534},[4458],{"nodeType":1280,"value":3537,"marks":4459,"data":4460},[],{},{"nodeType":1280,"value":1367,"marks":4462,"data":4463},[],{},"The Stryker breach didn't match the playbook. 
That shouldn't be a surprise.","Analysing the Stryker breach in line with recent changes to the Iran-nexus cyber playbook.","2026-03-19T00:00:00.000Z","stryker-handala-report",{"items":4469},[4470,4472],{"sys":4471,"name":2763},{"id":2762},{"sys":4473,"name":2767},{"id":2766},{"items":4475},[4476],{"fullName":2771,"firstName":2772,"jobTitle":2773,"profilePicture":4477},{"url":2775},"the-cisos-data-problem-and-how-browser-telemetry-can-help","blog/the-cisos-data-problem-and-how-browser-telemetry-can-help",{"json":4481},{"data":4482,"content":4483,"nodeType":1272},{},[4484],{"data":4485,"content":4486,"nodeType":1287},{},[4487],{"data":4488,"marks":4489,"value":4490,"nodeType":1280},{},[],"For most security teams, quantifying cyber risk means borrowing someone else's numbers. For the identity attack surface that now dominates modern attack campaigns, high-fidelity browser telemetry changes that.","How CISOs can use browser telemetry to support cyber risk quantification in areas where traditional data points fall short. ",{"id":4493,"publishedAt":4494},"2MWicW07sNEBp59wxYtAiC","2026-05-11T13:53:03.918Z",{"items":4496},[4497,4501],{"sys":4498,"name":4500},{"id":4499},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"sys":4502,"name":2767},{"id":2766},"L11KqyIhVMRS55mpHxWfgvBrQ0ZUZOgTeVR4UkTx-Po",1778507930733]