[{"data":1,"prerenderedAt":3779},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":100,"navbar-resource-highlight":174,"blog/the-pyramid-of-pain-in-the-ai-era":218},[4],{"enabled":5,"name":6},false,"maintenanceMode",[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"epwllijxqin",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":5,"query":41,"data":42,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":23,"createdBy":92,"lastUpdatedBy":93,"folders":94,"meta":95,"rev":99},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"url":29,"ctaText":43,"text":44,"blocks":45,"state":85},"ewrererw","testrfesssssssssss",[46,73],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Is your stack covered? 
51 browser &amp; identity attacks, mapped.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">See the matrix →\u003C/strong>\u003C/p>\n","https://pushsecurity.com/resources/browser-identity-attacks-matrix/",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":74,"@type":47,"tagName":75,"properties":76,"responsiveStyles":80},"builder-pixel-htmgylwww7l","img",{"src":77,"aria-hidden":78,"alt":29,"role":79,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":81},{"height":68,"width":68,"display":82,"opacity":68,"overflow":83,"pointerEvents":84},"block","hidden","none",{"deviceSize":86,"location":87},"large",{"path":29,"query":88},{},{},1778612252607,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"kind":96,"hasLinks":5,"breakpoints":97,"lastPreviewUrl":98,"hasAutosaves":34,"hasErrors":5},"component",{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","swuc73porzh",[10
1,137],{"createdDate":102,"id":103,"name":104,"modelId":105,"published":13,"stageModifiedSincePublish":5,"query":106,"data":107,"variations":130,"lastUpdated":131,"firstPublished":132,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":133,"meta":134,"rev":136},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":108,"type":109,"testimonialLink":110,"testimonial":111},{},"testimonial","/customer-stories/inductive-automation",{"@type":112,"id":113,"model":109,"value":114},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":115,"folders":116,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":120,"variations":124,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":92,"lastUpdatedBy":92,"meta":127,"rev":129},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":121,"jobTitle":122,"quote":118,"image":123},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":128,"hasAutosaves":34},{"small":32,"medium":33},"qsa1vu6biit",{},1776247404986,1776247404973,[],{"breakpoints":135,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},"qnoboxb7wqm",{"createdDate":138,"id":139,"name":140,"modelId":105,"published":13,"meta":141,"stageModifiedSincePublish":5,"query":143,"data":144,"variations":170,"lastUpdated":171,"firstPublished":172,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":173,"rev":136},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack 
Techniques",{"breakpoints":142,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":145,"link":164,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":147},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":148,"folders":149,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":152,"variations":158,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":92,"lastUpdatedBy":24,"meta":161,"rev":163},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":162,"hasAutosaves":34},{"small":32,"medium":33},"sjaqolsjj2",{"text":165,"url":166},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the 
wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[175,197],{"createdDate":176,"id":177,"name":140,"modelId":178,"published":13,"meta":179,"stageModifiedSincePublish":5,"query":181,"data":182,"variations":192,"lastUpdated":193,"firstPublished":194,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":195,"rev":196},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":180,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":183,"link":191,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":184},{"query":185,"folders":186,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":187,"variations":188,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":92,"lastUpdatedBy":24,"meta":189,"rev":163},[],[],{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":190,"hasAutosaves":34},{"small":32,"medium":33},{"text":165,"url":166},{},1776256937553,1776256937540,[],"cmknjskltik",{"createdDate":198,"id":199,"name":200,"modelId":178,"published":13,"stageModifiedSincePublish":5,"query":201,"data":202,"variations":212,"lastUpdated":213,"firstPublished":214,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":215,"meta":216,"rev":196},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":203,"type":109,"testimonial":204,"testimonialLink":110},{},{"@type":112,"id":113,"model":109,"value":205},{"query":206,"folders":207,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":208,"variations":209,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":92,"lastUpdatedBy":92,"meta":210,"rev":129},[],[],{"author":121,"jobTitle":122,"quote":118,"image":123},{},{"kind":28,"lastPrevie
wUrl":29,"breakpoints":211,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":217,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},{"id":219,"title":220,"authorsCollection":221,"content":229,"extension":1108,"featured":5,"hashTags":62,"meta":1109,"metaTitle":1110,"ogImage":62,"publishedDate":1111,"relatedBlogPostsCollection":1112,"slug":3755,"stem":3756,"subtitle":62,"summary":3757,"synopsis":3768,"sys":3769,"tagsCollection":3772,"__hash__":3778},"blog/blog/the-pyramid-of-pain-in-the-ai-era.json","The Pyramid of Pain in the AI era: Why technique-level detection matters more than ever",{"items":222},[223],{"fullName":224,"firstName":225,"jobTitle":226,"profilePicture":227},"Dan Green","Dan","Threat Research",{"url":228},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":230,"links":1016},{"data":231,"content":232,"nodeType":1015},{},[233,255,264,271,278,282,292,311,330,337,343,350,356,363,372,379,398,431,437,443,451,458,477,508,540,547,553,561,568,580,587,628,634,676,716,722,725,733,740,746,753,760,766,773,780,809,812,820,827,835,842,849,868,875,881,888,896,903,921,928,947,950,958,965,972,979,982,989,996],{"data":234,"content":235,"nodeType":254},{},[236,241,250],{"data":237,"marks":238,"value":239,"nodeType":240},{},[],"Back in 2024, we wrote about","text",{"data":242,"content":244,"nodeType":249},{"uri":243},"https://pushsecurity.com/blog/our-design-philosophy-detecting-what-matters/",[245],{"data":246,"marks":247,"value":248,"nodeType":240},{},[]," how the Pyramid of Pain shapes Push's detection philosophy","hyperlink",{"data":251,"marks":252,"value":253,"nodeType":240},{},[]," — detections targeting indicators that are easy for attackers to change deliver diminishing returns, while detections targeting attacker techniques impose a cost that's hard to absorb. 
Two years on, every force that made IoC-based detection fragile has intensified.","paragraph",{"data":256,"content":262,"nodeType":263},{"target":257},{"sys":258},{"id":259,"type":260,"linkType":261},"1iuLYxwI8T1wDUIFSom0G0","Link","Entry",[],"embedded-entry-block",{"data":265,"content":266,"nodeType":254},{},[267],{"data":268,"marks":269,"value":270,"nodeType":240},{},[],"AI hasn't introduced a new problem so much as it's compressed the timelines on an existing one — attackers can generate infrastructure, iterate on tooling, and industrialize newly discovered techniques faster than before. The bottom layers of the Pyramid are collapsing under the weight of machine-speed operations, and the middle layers are starting to buckle too.",{"data":272,"content":273,"nodeType":254},{},[274],{"data":275,"marks":276,"value":277,"nodeType":240},{},[],"These changes mean that technique-level detection is more important than ever. In this article, we’ll dig into how the Pyramid is changing, and what this means for our detection philosophy at Push (TL;DR — it reinforces the path we’re already on: building detections at the top of the Pyramid by harnessing browser visibility). 
",{"data":279,"content":280,"nodeType":281},{},[],"hr",{"data":283,"content":284,"nodeType":291},{},[285],{"data":286,"marks":287,"value":290,"nodeType":240},{},[288],{"type":289},"bold","The bottom of the Pyramid was already crumbling","heading-1",{"data":293,"content":294,"nodeType":254},{},[295,299,307],{"data":296,"marks":297,"value":298,"nodeType":240},{},[],"The case against indicator-based detection didn't need AI to be compelling.",{"data":300,"content":302,"nodeType":249},{"uri":301},"https://www.spamhaus.org/",[303],{"data":304,"marks":305,"value":306,"nodeType":240},{},[]," 89% of phishing domains are active for fewer than two days",{"data":308,"marks":309,"value":310,"nodeType":240},{},[],", with just 6.5% surviving past 15 days — by the time a domain makes it onto a blocklist, the campaign has moved on.",{"data":312,"content":313,"nodeType":254},{},[314,318,326],{"data":315,"marks":316,"value":317,"nodeType":240},{},[],"We've",{"data":319,"content":321,"nodeType":249},{"uri":320},"https://pushsecurity.com/blog/why-most-phishing-attacks-feel-like-a-zero-day/",[322],{"data":323,"marks":324,"value":325,"nodeType":240},{},[]," written before",{"data":327,"marks":328,"value":329,"nodeType":240},{},[]," about how this makes every phishing attack effectively a zero-day for organizations relying on known-bad detection. 
The phishing kit's behavior — its page structure, script signatures, malicious payload mechanics — is the only detection target that outlasts a single campaign.",{"data":331,"content":332,"nodeType":254},{},[333],{"data":334,"marks":335,"value":336,"nodeType":240},{},[],"When we blogged about the Pyramid of Pain for modern attacks that happen predominantly over the internet, with minimal (or zero) endpoint contact, it first looked like this: ",{"data":338,"content":342,"nodeType":263},{"target":339},{"sys":340},{"id":341,"type":260,"linkType":261},"2N04ycJ6RKGfHdX5X1TwU3",[],{"data":344,"content":345,"nodeType":254},{},[346],{"data":347,"marks":348,"value":349,"nodeType":240},{},[],"Now, it looks more like this:",{"data":351,"content":355,"nodeType":263},{"target":352},{"sys":353},{"id":354,"type":260,"linkType":261},"mfhP4WToOQkrHnVkXU0tX",[],{"data":357,"content":358,"nodeType":254},{},[359],{"data":360,"marks":361,"value":362,"nodeType":240},{},[],"Let’s explore why. ",{"data":364,"content":365,"nodeType":371},{},[366],{"data":367,"marks":368,"value":370,"nodeType":240},{},[369],{"type":289},"AI is accelerating phishing rotation and delivery","heading-2",{"data":373,"content":374,"nodeType":254},{},[375],{"data":376,"marks":377,"value":378,"nodeType":240},{},[],"Attackers are harnessing AI at every stage, speeding up the process of creating, rotating, and replacing phishing infrastructure at every level, as well as capitalizing on AI adoption itself to enhance their lures. 
The operational signature is more domains, shorter lifespans, more variation, and fewer of the reuse patterns that blocklists depend on.",{"data":380,"content":381,"nodeType":254},{},[382,386,394],{"data":383,"marks":384,"value":385,"nodeType":240},{},[],"Attackers can",{"data":387,"content":389,"nodeType":249},{"uri":388},"https://pushsecurity.com/blog/can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline/",[390],{"data":391,"marks":392,"value":393,"nodeType":240},{},[]," vibe-code entire phishing pages in minutes",{"data":395,"marks":396,"value":397,"nodeType":240},{},[]," — not just cloning legitimate login pages but vibe-cloning them, feeding an AI a screenshot and having it rebuild a convincing frontend with a completely unique backend. ",{"data":399,"content":400,"nodeType":254},{},[401,405,415,419,427],{"data":402,"marks":403,"value":404,"nodeType":240},{},[],"We've seen attackers clone free SaaS tools like background removers and PDF converters, then inject phishing components or ClickFix payloads into what looks like a functional utility. We’ve even seen attackers distributing malware using AI-generated pages shared using ",{"data":406,"content":408,"nodeType":249},{"uri":407},"https://pushsecurity.com/blog/llmshare-malvertising-campaign/",[409],{"data":410,"marks":411,"value":414,"nodeType":240},{},[412],{"type":413},"underline","LLM tool sharing functionality",{"data":416,"marks":417,"value":418,"nodeType":240},{},[],", resulting in phishing delivery pages hosted on real claude.ai and chatgpt.com. 
And legitimate cloud platforms like",{"data":420,"content":422,"nodeType":249},{"uri":421},"https://www.huntress.com/blog/railway-paas-m365-token-replay-campaign",[423],{"data":424,"marks":425,"value":426,"nodeType":240},{},[]," Railway",{"data":428,"marks":429,"value":430,"nodeType":240},{},[],", Cloudflare Workers, and Vercel host and dynamically rotate attack infrastructure, so the domains feeding into blocklists often belong to reputable services that can't simply be blocked. ",{"data":432,"content":436,"nodeType":263},{"target":433},{"sys":434},{"id":435,"type":260,"linkType":261},"5yoLmqysyQazfzLITCUTfc",[],{"data":438,"content":442,"nodeType":263},{"target":439},{"sys":440},{"id":441,"type":260,"linkType":261},"5XK5qZMQU19xlA8L2T5y0Z",[],{"data":444,"content":445,"nodeType":371},{},[446],{"data":447,"marks":448,"value":450,"nodeType":240},{},[449],{"type":289},"The kit ecosystem is fragmenting faster than anyone can track",{"data":452,"content":453,"nodeType":254},{},[454],{"data":455,"marks":456,"value":457,"nodeType":240},{},[],"What we see across our install base is a huge and growing variation in phishing kits — new kits, derivative kits of known platforms, derivatives of those derivatives — appearing on a weekly basis.",{"data":459,"content":460,"nodeType":254},{},[461,465,473],{"data":462,"marks":463,"value":464,"nodeType":240},{},[],"As we reported in our",{"data":466,"content":468,"nodeType":249},{"uri":467},"https://pushsecurity.com/thank-you/browser-attacks-report",[469],{"data":470,"marks":471,"value":472,"nodeType":240},{},[]," Browser Attacks Report",{"data":474,"marks":475,"value":476,"nodeType":240},{},[],", the most common AiTM kits we detected over the last year were Tycoon 2FA (59% of detections), followed by Sneaky 2FA, FlowerStorm, Evilginx (nominally a red team tool, but widely abused by attackers), NakedPages, Gabagool, and dozens more — but those established names are just the visible 
layer.",{"data":478,"content":479,"nodeType":254},{},[480,484,492,496,504],{"data":481,"marks":482,"value":483,"nodeType":240},{},[],"Code is forked, modified, and redeployed across kits in a pattern that",{"data":485,"content":487,"nodeType":249},{"uri":486},"https://blog.barracuda.com/2026/04/16/threat-spotlight-tycoon-2fa-scattered-everywhere",[488],{"data":489,"marks":490,"value":491,"nodeType":240},{},[]," resembles open-source development",{"data":493,"marks":494,"value":495,"nodeType":240},{},[]," more than traditional criminal enterprise, and the rate at which new variants appear is accelerating. The",{"data":497,"content":499,"nodeType":249},{"uri":498},"https://pushsecurity.com/blog/device-code-phishing/",[500],{"data":501,"marks":502,"value":503,"nodeType":240},{},[]," Venom kit",{"data":505,"marks":506,"value":507,"nodeType":240},{},[]," reuses Sneaky 2FA's AiTM infrastructure but carries different branding and adds device code phishing — whether it's the same developers, stolen code, or a deliberate fork is unclear.",{"data":509,"content":510,"nodeType":254},{},[511,515,523,527,536],{"data":512,"marks":513,"value":514,"nodeType":240},{},[],"Tycoon 2FA illustrates the scale of the evolution. The kit evolves continuously, adding new capabilities, new evasion techniques, and hybridizing with other platforms. Even when Sekoia and Microsoft seized 330+ Tycoon domains in March 2026, the techniques it popularized were already embedded across competitors, and the slack was taken up by rival platforms within days. And in any case, Tycoon was back to",{"data":516,"content":518,"nodeType":249},{"uri":517},"https://www.crowdstrike.com/en-us/blog/tycoon2fa-phishing-as-a-service-platform-persists-following-takedown/",[519],{"data":520,"marks":521,"value":522,"nodeType":240},{},[]," normal levels of operation",{"data":524,"marks":525,"value":526,"nodeType":240},{},[]," shortly after. 
It has also been observed ",{"data":528,"content":530,"nodeType":249},{"uri":529},"https://www.okta.com/en-nl/blog/threat-intelligence/tycoon_2fa_phishing_actors_scatter/",[531],{"data":532,"marks":533,"value":535,"nodeType":240},{},[534],{"type":413},"pivoting to add new device code phishing capabilities",{"data":537,"marks":538,"value":539,"nodeType":240},{},[]," (more on that below). ",{"data":541,"content":542,"nodeType":254},{},[543],{"data":544,"marks":545,"value":546,"nodeType":240},{},[],"Tear one down and there are many more to take its place — and meanwhile the original is already evolving into something new.",{"data":548,"content":552,"nodeType":263},{"target":549},{"sys":550},{"id":551,"type":260,"linkType":261},"3UDzUCCizPJhXp3SsoZuSK",[],{"data":554,"content":555,"nodeType":371},{},[556],{"data":557,"marks":558,"value":560,"nodeType":240},{},[559],{"type":289},"New techniques are being industrialized faster than ever",{"data":562,"content":563,"nodeType":254},{},[564],{"data":565,"marks":566,"value":567,"nodeType":240},{},[],"As well as the fragmentation of existing kits, we’re seeing new techniques added at an accelerating rate. ",{"data":569,"content":570,"nodeType":254},{},[571,576],{"data":572,"marks":573,"value":575,"nodeType":240},{},[574],{"type":289},"Device code phishing",{"data":577,"marks":578,"value":579,"nodeType":240},{},[]," is the clearest case study. From early nation-state adoption in 2024, it took until 2026 for criminal adoption to really take off, but the take-up this year is unprecedented. The EvilTokens kit packaged device code phishing into a PhaaS offering with GPT-powered spear-phishing and adaptive landing pages, hitting 340+ organizations across five countries in March 2026. ",{"data":581,"content":582,"nodeType":254},{},[583],{"data":584,"marks":585,"value":586,"nodeType":240},{},[],"Now, device code functionality is a core phish kit component. 
We’re tracking 18+ kits with device code phishing capabilities and a 37.5x increase in device code phishing detections this year alone, with the technique moving from state-sponsored exclusivity to something any PhaaS customer can rent.",{"data":588,"content":589,"nodeType":254},{},[590,594,602,606,611,615,624],{"data":591,"marks":592,"value":593,"nodeType":240},{},[],"Similarly, when we",{"data":595,"content":597,"nodeType":249},{"uri":596},"https://pushsecurity.com/blog/we-infiltrated-a-criminal-phishing-panel/",[598],{"data":599,"marks":600,"value":601,"nodeType":240},{},[]," infiltrated Doko's Panel",{"data":603,"marks":604,"value":605,"nodeType":240},{},[]," — a ",{"data":607,"marks":608,"value":610,"nodeType":240},{},[609],{"type":289},"real-time vishing and AiTM platform",{"data":612,"marks":613,"value":614,"nodeType":240},{},[]," used by ShinyHunters and affiliated groups — the codebase was full of LLM-generated artifacts. Multiple groups were using the templated vishing panel and spinning up their own variants, but the AI-generated indicators persisted throughout. This approach to real-time vishing + browser payload has been a ",{"data":616,"content":618,"nodeType":249},{"uri":617},"https://pushsecurity.com/blog/analyzing-the-instructure-breach/",[619],{"data":620,"marks":621,"value":623,"nodeType":240},{},[622],{"type":413},"mainstay of the Com affiliates like ShinyHunters this year",{"data":625,"marks":626,"value":627,"nodeType":240},{},[],". 
",{"data":629,"content":633,"nodeType":263},{"target":630},{"sys":631},{"id":632,"type":260,"linkType":261},"01mOiserRBXraawXwQyJNm",[],{"data":635,"content":636,"nodeType":254},{},[637,641,646,650,659,663,672],{"data":638,"marks":639,"value":640,"nodeType":240},{},[],"The broader ",{"data":642,"marks":643,"value":645,"nodeType":240},{},[644],{"type":289},"ClickFix",{"data":647,"marks":648,"value":649,"nodeType":240},{},[]," family shows the same acceleration: First reported in early 2024 and adopted by four nation-state groups within a single quarter. Fast forward and ",{"data":651,"content":653,"nodeType":249},{"uri":652},"https://www.crowdstrike.com/en-us/global-threat-report/",[654],{"data":655,"marks":656,"value":658,"nodeType":240},{},[657],{"type":413},"CrowdStrike's data",{"data":660,"marks":661,"value":662,"nodeType":240},{},[]," shows a 563% increase in fake CAPTCHA incidents (one of the more common ClickFix lure types), while ",{"data":664,"content":666,"nodeType":249},{"uri":665},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf",[667],{"data":668,"marks":669,"value":671,"nodeType":240},{},[670],{"type":413},"Microsoft reported",{"data":673,"marks":674,"value":675,"nodeType":240},{},[]," it as making up 47% of observed attacks according to their Digital Defense Report.",{"data":677,"content":678,"nodeType":254},{},[679,683,688,692,700,704,712],{"data":680,"marks":681,"value":682,"nodeType":240},{},[],"And ",{"data":684,"marks":685,"value":687,"nodeType":240},{},[686],{"type":289},"ConsentFix",{"data":689,"marks":690,"value":691,"nodeType":240},{},[]," — a combination of ClickFix and OAuth consent phishing techniques — suggests the next compression is already underway. 
Push researchers",{"data":693,"content":695,"nodeType":249},{"uri":694},"https://pushsecurity.com/blog/consentfix/",[696],{"data":697,"marks":698,"value":699,"nodeType":240},{},[]," discovered the technique",{"data":701,"marks":702,"value":703,"nodeType":240},{},[]," in December 2025 — a browser-native ClickFix variant hijacking OAuth consent grants via Azure CLI's localhost redirect. It was later confirmed to be tied to APT29. By January 2026, a",{"data":705,"content":707,"nodeType":249},{"uri":706},"https://pushsecurity.com/blog/consentfix-v3-analyzing-a-new-toolkit/",[708],{"data":709,"marks":710,"value":711,"nodeType":240},{},[]," criminal ConsentFix v3 toolkit",{"data":713,"marks":714,"value":715,"nodeType":240},{},[]," had appeared on the XSS forum with Cloudflare Workers, ZoomInfo targeting, and automated exfiltration via Pipedream.",{"data":717,"content":721,"nodeType":263},{"target":718},{"sys":719},{"id":720,"type":260,"linkType":261},"41FMif4T0y1maflzonWgL8",[],{"data":723,"content":724,"nodeType":281},{},[],{"data":726,"content":727,"nodeType":291},{},[728],{"data":729,"marks":730,"value":732,"nodeType":240},{},[731],{"type":289},"Why technique-level detection is the only layer that holds",{"data":734,"content":735,"nodeType":254},{},[736],{"data":737,"marks":738,"value":739,"nodeType":240},{},[],"The middle of the Pyramid — tool signatures and artifacts — used to offer much more durable detection than infrastructure indicators. Fingerprinting a specific phishing kit by its JavaScript structure or HTML patterns provided a detection target that survived across dozens or hundreds of campaigns, even as the underlying domains rotated. 
Tool level detections are still better, but not by quite the same margin.",{"data":741,"content":745,"nodeType":263},{"target":742},{"sys":743},{"id":744,"type":260,"linkType":261},"5pxaYdCIFiFKLPhRaPoldX",[],{"data":747,"content":748,"nodeType":254},{},[749],{"data":750,"marks":751,"value":752,"nodeType":240},{},[],"When the kit landscape was dominated by a handful of platforms, you could write signatures for Tycoon, Sneaky2FA, EvilProxy, and so on, and cover the lion's share of attacks. With the ecosystem now producing new variants and entirely new kits on a weekly basis, detecting by kit fingerprint starts to look uncomfortably similar to detecting by domain.",{"data":754,"content":755,"nodeType":254},{},[756],{"data":757,"marks":758,"value":759,"nodeType":240},{},[],"But many of these proliferating kits do share behavioral patterns at a deeper level than their code signatures. For example, every device code phishing kit implements fundamentally the same flow: present a lure, generate a device code via the OAuth Device Authorization endpoint, get the user to enter it on the legitimate authorization page, and poll for the resulting tokens. The frontends vary, the infrastructure varies, but the behavioral pattern doesn't.",{"data":761,"content":765,"nodeType":263},{"target":762},{"sys":763},{"id":764,"type":260,"linkType":261},"FyyHayQtsJTwoB1kluMOl",[],{"data":767,"content":768,"nodeType":254},{},[769],{"data":770,"marks":771,"value":772,"nodeType":240},{},[],"Genuinely new attack techniques still require human creativity — an attacker has to identify a gap in how a legitimate protocol or feature can be subverted. That kind of innovation hasn't been automated. 
But the window to discover a technique, build a detection, and then deploy it before it is adopted by criminals at scale is compressing with each generation.",{"data":774,"content":775,"nodeType":254},{},[776],{"data":777,"marks":778,"value":779,"nodeType":240},{},[],"Organizations that detect at the technique level and deploy before commoditization have a structural advantage that increases over time. Waiting for indicators — even tool-level indicators — means chasing a curve that's accelerating away from you. This is the challenge we grapple with every day as we strive for the most resilient detections possible. ",{"data":781,"content":782,"nodeType":808},{},[783],{"data":784,"content":785,"nodeType":254},{},[786,790,798,802],{"data":787,"marks":788,"value":789,"nodeType":240},{},[],"As our CPO Jacques Louw put it on",{"data":791,"content":793,"nodeType":249},{"uri":792},"https://risky.biz/RBNEWSSI128/",[794],{"data":795,"marks":796,"value":797,"nodeType":240},{},[]," Risky Business",{"data":799,"marks":800,"value":801,"nodeType":240},{},[],": ",{"data":803,"marks":804,"value":807,"nodeType":240},{},[805],{"type":806},"italic","\"There's no list of bad domains anywhere in the product. 
It's a crutch — a false cheat code that stops you from doing the detection in the way that actually is resilient, because the next time you see it, it will be on a different domain.\"","blockquote",{"data":810,"content":811,"nodeType":281},{},[],{"data":813,"content":814,"nodeType":291},{},[815],{"data":816,"marks":817,"value":819,"nodeType":240},{},[818],{"type":289},"What it takes to detect at the top of the Pyramid",{"data":821,"content":822,"nodeType":254},{},[823],{"data":824,"marks":825,"value":826,"nodeType":240},{},[],"If technique-level detection is the only layer that holds, two things have to be true about your detection capability: You need the right vantage point, and you need the research velocity to stay ahead.",{"data":828,"content":829,"nodeType":371},{},[830],{"data":831,"marks":832,"value":834,"nodeType":240},{},[833],{"type":289},"You need the right vantage point",{"data":836,"content":837,"nodeType":254},{},[838],{"data":839,"marks":840,"value":841,"nodeType":240},{},[],"Technique-level behaviors in browser-based identity attacks — how a phishing page orchestrates credential entry, how a device code flow presents its authorization prompt, how a ClickFix variant manipulates the clipboard — are visible in the browser session and nowhere else.",{"data":843,"content":844,"nodeType":254},{},[845],{"data":846,"marks":847,"value":848,"nodeType":240},{},[],"Network proxies see encrypted traffic and can attempt to reconstruct page behavior from metadata, but DOM manipulation, user interaction sequences, and script execution aren't visible from that vantage point. 
Email gateways see the delivery mechanism (or nothing at all in the increasing number of social media and search engine based attacks) but not the payload.",{"data":850,"content":851,"nodeType":254},{},[852,856,864],{"data":853,"marks":854,"value":855,"nodeType":240},{},[],"As we disclosed in our ",{"data":857,"content":858,"nodeType":249},{"uri":467},[859],{"data":860,"marks":861,"value":863,"nodeType":240},{},[862],{"type":413},"browser attacks report",{"data":865,"marks":866,"value":867,"nodeType":240},{},[],", 95% of in-browser attacks we detect use some form of bot protection, often combined with conditional loading techniques like referrer and browser checks, reliably defeating automated analysis techniques. ",{"data":869,"content":870,"nodeType":254},{},[871],{"data":872,"marks":873,"value":874,"nodeType":240},{},[],"Behavioral detection at the technique level requires observing what happens on the page at the moment the user interacts with it — analyzing pages, not links. When you see the entire browsing flow — ad click, redirect chain, page render, credential prompt — an attack stands out immediately. Without that context, any detection system is forced to fill in gaps, and the gaps are where attacks hide.",{"data":876,"content":880,"nodeType":263},{"target":877},{"sys":878},{"id":879,"type":260,"linkType":261},"4804g6u4POUDpL42bzP0EY",[],{"data":882,"content":883,"nodeType":254},{},[884],{"data":885,"marks":886,"value":887,"nodeType":240},{},[],"Push sits inside the browser session, observing this in real time. 
Its detections target the behavioral mechanics of techniques rather than the surface characteristics of individual kits or infrastructure.",{"data":889,"content":890,"nodeType":371},{},[891],{"data":892,"marks":893,"value":895,"nodeType":240},{},[894],{"type":289},"You need the research expertise",{"data":897,"content":898,"nodeType":254},{},[899],{"data":900,"marks":901,"value":902,"nodeType":240},{},[],"When the window between technique discovery and industrialized exploitation is measured in weeks rather than years, the detection pipeline needs to operate on that same compressed timescale.",{"data":904,"content":905,"nodeType":254},{},[906,910,917],{"data":907,"marks":908,"value":909,"nodeType":240},{},[],"This is where our",{"data":911,"content":912,"nodeType":249},{"uri":388},[913],{"data":914,"marks":915,"value":916,"nodeType":240},{},[]," agentic threat hunting pipeline",{"data":918,"marks":919,"value":920,"nodeType":240},{},[]," fits. It's tripled our monthly detection output — not by generating bigger blocklists, but by scaling the process of discovering behavioral patterns across the telemetry generated by 3+ million browser deployments.",{"data":922,"content":923,"nodeType":254},{},[924],{"data":925,"marks":926,"value":927,"nodeType":240},{},[],"The detections it produces are technique-class by design, targeting how attacks work rather than the infrastructure or specific tool that implements them. 
The goal is curation, not accumulation — hundreds of high-fidelity behavioral detections rather than the billions of signatures and domain entries that traditional approaches require.",{"data":929,"content":930,"nodeType":254},{},[931,935,943],{"data":932,"marks":933,"value":934,"nodeType":240},{},[],"When we detected the first in-the-wild",{"data":936,"content":938,"nodeType":249},{"uri":937},"https://pushsecurity.com/blog/installfix/",[939],{"data":940,"marks":941,"value":942,"nodeType":240},{},[]," InstallFix attack",{"data":944,"marks":945,"value":946,"nodeType":240},{},[]," through the pipeline — a user had searched for NotebookLM, clicked a paid Google ad, and was redirected to a fake page with a WebAssembly C2 connector — the detection shipped to all customers within minutes. It didn't depend on knowing the domain, the ad creative, or the specific kit. It depended on recognizing the technique itself.",{"data":948,"content":949,"nodeType":281},{},[],{"data":951,"content":952,"nodeType":291},{},[953],{"data":954,"marks":955,"value":957,"nodeType":240},{},[956],{"type":289},"Technique-level detection is now the only option",{"data":959,"content":960,"nodeType":254},{},[961],{"data":962,"marks":963,"value":964,"nodeType":240},{},[],"As a framework for detection durability, the Pyramid of Pain is more relevant than ever. ",{"data":966,"content":967,"nodeType":254},{},[968],{"data":969,"marks":970,"value":971,"nodeType":240},{},[],"AI has made infrastructure indicators essentially disposable. The tools tier is compressing as criminal vendors vibe-code, fork, and clone tooling at machine speed. Technique-level detection is the layer that holds long-term to be able to proactively detect and block net-new attacks and the kits that power them. 
",{"data":973,"content":974,"nodeType":254},{},[975],{"data":976,"marks":977,"value":978,"nodeType":240},{},[],"Novel attack techniques still require human creativity to discover, and detections built around how those techniques work can survive infrastructure rotation, tool proliferation, and kit fragmentation. Defending that layer requires a vantage point inside the browser session and a research pipeline fast enough to stay ahead of the accelerating path from discovery to industrialization.",{"data":980,"content":981,"nodeType":281},{},[],{"data":983,"content":984,"nodeType":254},{},[985],{"data":986,"marks":987,"value":988,"nodeType":240},{},[],"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.",{"data":990,"content":991,"nodeType":254},{},[992],{"data":993,"marks":994,"value":995,"nodeType":240},{},[],"Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",{"data":997,"content":998,"nodeType":254},{},[999,1002,1011],{"data":1000,"marks":1001,"value":29,"nodeType":240},{},[],{"data":1003,"content":1005,"nodeType":249},{"uri":1004},"https://pushsecurity.com/demo",[1006],{"data":1007,"marks":1008,"value":1010,"nodeType":240},{},[1009],{"type":413},"Book a live demo",{"data":1012,"marks":1013,"value":1014,"nodeType":240},{},[]," to learn 
more.","document",{"entries":1017},{"hyperlink":1018,"inline":1019,"block":1020},[],[],[1021,1030,1038,1044,1050,1057,1062,1069,1084,1088,1102],{"sys":1022,"__typename":1023,"title":1024,"caption":1025,"layoutMode":62,"file":1026},{"id":259},"Image","The Pyramid of Pain illustrates how difficult it is for an attacker to get around different categories of detection, from Trivial to Tough","The Pyramid of Pain illustrates how difficult it is for an attacker to get around different categories of detection, from Trivial to Tough!",{"url":1027,"width":1028,"height":1029},"https://images.ctfassets.net/y1cdw1ablpvd/7dPJT7PYKX71FCCi0GeDzg/16fb3b07959612a45c1b7636da33e541/image3.png",720,405,{"sys":1031,"__typename":1023,"title":1032,"caption":1033,"layoutMode":62,"file":1034},{"id":341},"Pyramid of Pain for internet-based attacks","The Pyramid of Pain reworked for internet-based attacks.",{"url":1035,"width":1036,"height":1037},"https://images.ctfassets.net/y1cdw1ablpvd/2KJMvUn55yStIIB5jIcy0n/c64a1d128567ed1189821b8160f81fe7/image6.png",1999,1149,{"sys":1039,"__typename":1023,"title":1040,"caption":1041,"layoutMode":62,"file":1042},{"id":354},"The Pyramid of Pain in the AI era","The Pyramid of Pain in the AI era: The bar for effective detection has been raised even higher.",{"url":1043,"width":1036,"height":1037},"https://images.ctfassets.net/y1cdw1ablpvd/5cUP2dETihxQgWzIN9dsyH/fcb093c7b88b7a48190f528c87dd3935/image2.png",{"sys":1045,"__typename":1046,"title":1047,"arcadeDemoUrl":1048,"playText":1049},{"id":435},"ArcadeDemo","ClickFix featuring cloned background remover PDF converter","https://demo.arcade.software/ueVViTh501mEYchV9aBe?embed","2 mins",{"sys":1051,"__typename":1023,"title":1052,"caption":1053,"layoutMode":62,"file":1054},{"id":441},"LLMShare attack featuring a ChatGPT-designed page shared via malvertised sharing link.","LLMShare attack featuring a ChatGPT-designed page distributed via malvertised sharing 
link.",{"url":1055,"width":1036,"height":1056},"https://images.ctfassets.net/y1cdw1ablpvd/soQtEPyX9aQUfby2Ylm7m/0bb772950b7e3598a343f1609a955ed4/image3.png",1750,{"sys":1058,"__typename":1046,"title":1059,"arcadeDemoUrl":1060,"playText":1061},{"id":551},"Tycoon2FA Device Code Phishing","https://demo.arcade.software/SPNMxNkoyY5vTMPPlqWS?embed","30 secs",{"sys":1063,"__typename":1023,"title":1064,"caption":1064,"layoutMode":62,"file":1065},{"id":632},"Verbose phishing kit comments (a clear sign of AI involvement).",{"url":1066,"width":1067,"height":1068},"https://images.ctfassets.net/y1cdw1ablpvd/2XOX0xzOxsmBKUuQbup47x/a624c2141879f9238704167a35fdeb39/Screenshot_2026-05-07_at_12.53.27.png",1100,1332,{"sys":1070,"__typename":1071,"content":1072,"name":1083,"title":62},{"id":720},"InsightTextBlockComponent",{"json":1073},{"nodeType":1015,"data":1074,"content":1075},{},[1076],{"nodeType":254,"data":1077,"content":1078},{},[1079],{"nodeType":240,"value":1080,"marks":1081,"data":1082},"Six weeks is all it took for ConsentFix to go from nation-state technique to commoditized criminal toolkit — a compression that took device code phishing and ClickFix roughly a year. ",[],{},"Pyramid of Pain IB1",{"sys":1085,"__typename":1023,"title":1086,"caption":1086,"layoutMode":62,"file":1087},{"id":744},"Tool-level detections aren't as resilient as they were, even if they remain a useful component of the overall detection strategy.",{"url":1043,"width":1036,"height":1037},{"sys":1089,"__typename":1071,"content":1090,"name":1101,"title":62},{"id":764},{"json":1091},{"nodeType":1015,"data":1092,"content":1093},{},[1094],{"nodeType":254,"data":1095,"content":1096},{},[1097],{"nodeType":240,"value":1098,"marks":1099,"data":1100},"If you build detections around a specific kit's JavaScript patterns, then you're in an arms race with the kit's developer. 
Build detections around the behavioral mechanics of the technique itself — how the page interacts with the authorization endpoint, the sequence of user actions it orchestrates, the redirect patterns — and you’re tracking something that changes at a much slower rate.",[],{},"Pyramid of Pain IB2",{"sys":1103,"__typename":1023,"title":1104,"caption":1104,"layoutMode":62,"file":1105},{"id":879},"Solving the \"Missing Middle\" with browser visibility and control.",{"url":1106,"width":1036,"height":1107},"https://images.ctfassets.net/y1cdw1ablpvd/2OrpNtm3faEgGJpjUcmJ5q/275e5c84c72f43377131eb9071c9e2b4/image3.png",966,"json",{},"Using the Pyramid of Pain for threat detection in the AI era","2026-06-01T00:00:00.000Z",{"items":1113},[1114,1937,2796],{"__typename":1115,"sys":1116,"publishedDate":1118,"content":1119,"title":1916,"synopsis":1917,"hashTags":62,"slug":1918,"tagsCollection":1919,"authorsCollection":1929},"BlogPosts",{"id":1117},"Gcg7PGuICrlRcqq1QFXxH","2026-05-29T00:00:00.000Z",{"json":1120},{"nodeType":1015,"data":1121,"content":1122},{},[1123,1130,1137,1168,1175,1181,1187,1199,1202,1210,1226,1233,1239,1246,1253,1259,1262,1270,1277,1283,1289,1296,1303,1322,1328,1331,1339,1357,1363,1370,1373,1381,1388,1395,1401,1407,1455,1462,1465,1473,1480,1487,1530,1537,1568,1575,1618,1625,1628,1636,1655,1662,1670,1686,1693,1710,1717,1720,1726,1732,1750,1753,1761,1780,1787,1910],{"nodeType":254,"data":1124,"content":1125},{},[1126],{"nodeType":240,"value":1127,"marks":1128,"data":1129},"Shared conversations on AI chatbot platforms have become the latest delivery mechanism for malware campaigns targeting macOS and Windows users. Attackers create content on platforms like ChatGPT and Claude that appears to offer installation guidance or service updates, then drive traffic to it via search engine results in the form of malvertising and SEO poisoning.  
",[],{},{"nodeType":254,"data":1131,"content":1132},{},[1133],{"nodeType":240,"value":1134,"marks":1135,"data":1136},"The content lives on chatgpt.com or claude.ai — domains that users and security tools trust implicitly — so the attack bypasses URL reputation checks before the victim even reaches the malicious payload.",[],{},{"nodeType":254,"data":1138,"content":1139},{},[1140,1144,1152,1156,1164],{"nodeType":240,"value":1141,"marks":1142,"data":1143},"Several variants of this technique have been",[],{},{"nodeType":249,"data":1145,"content":1147},{"uri":1146},"https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-claudeai-chats-to-push-mac-malware/",[1148],{"nodeType":240,"value":1149,"marks":1150,"data":1151}," reported over the past few months",[],{},{"nodeType":240,"value":1153,"marks":1154,"data":1155},". The earliest examples used shared Claude.ai conversations disguised as installation guides — complete with fake \"Apple Support\" attribution — that walked users through opening a terminal and pasting a curl command that downloaded and executed an infostealer.",[],{},{"nodeType":249,"data":1157,"content":1159},{"uri":1158},"https://www.kaspersky.com/blog/share-chatgpt-chat-clickfix-macos-amos-infostealer/54928/",[1160],{"nodeType":240,"value":1161,"marks":1162,"data":1163}," Kaspersky documented a parallel campaign",[],{},{"nodeType":240,"value":1165,"marks":1166,"data":1167}," using shared ChatGPT conversations to deliver the AMOS (Atomic macOS Stealer) via the same paste-this-command social engineering pattern. 
",[],{},{"nodeType":254,"data":1169,"content":1170},{},[1171],{"nodeType":240,"value":1172,"marks":1173,"data":1174},"Push has detected a new variant that goes beyond the previously reported technique of embedding terminal commands in shared conversations: the attacker has used ChatGPT's code rendering feature to build a fully designed fake page that mimics a ChatGPT service disruption, redirecting victims to a convincing clone of ChatGPT's download page that delivers a malicious executable. ",[],{},{"nodeType":263,"data":1176,"content":1180},{"target":1177},{"sys":1178},{"id":1179,"type":260,"linkType":261},"5lz9zt223pecGvdaqdvSTQ",[],{"nodeType":263,"data":1182,"content":1186},{"target":1183},{"sys":1184},{"id":1185,"type":260,"linkType":261},"51GomAj3VOjnbmgd1DWYu0",[],{"nodeType":254,"data":1188,"content":1189},{},[1190,1195],{"nodeType":240,"value":1191,"marks":1192,"data":1194},"This is a live campaign which is still generating detections across our customer base at the time of writing. ",[1193],{"type":289},{},{"nodeType":240,"value":1196,"marks":1197,"data":1198},"Push customers are already protected and do not need to take further action. The malicious page URLs can be found at the end of this report but are not exhaustive and are liable to change. ",[],{},{"nodeType":281,"data":1200,"content":1201},{},[],{"nodeType":291,"data":1203,"content":1204},{},[1205],{"nodeType":240,"value":1206,"marks":1207,"data":1209},"A fake page, not a fake conversation",[1208],{"type":289},{},{"nodeType":254,"data":1211,"content":1212},{},[1213,1217,1222],{"nodeType":240,"value":1214,"marks":1215,"data":1216},"Previously reported variants relied on shared ",[],{},{"nodeType":240,"value":1218,"marks":1219,"data":1221},"conversations",[1220],{"type":806},{},{"nodeType":240,"value":1223,"marks":1224,"data":1225}," — the attacker created a chat that contained step-by-step instructions for the victim to follow, typically involving pasting a command into their terminal. 
The social engineering was conversational: the \"AI assistant\" appeared to be helpfully guiding the user through an installation process.",[],{},{"nodeType":254,"data":1227,"content":1228},{},[1229],{"nodeType":240,"value":1230,"marks":1231,"data":1232},"But now, rather than a shared conversation, the attacker has used ChatGPT's code rendering feature to create a fully designed, self-contained web page hosted at a chatgpt.com/s/ URL. It renders as what appears to be a ChatGPT service disruption notice:",[],{},{"nodeType":263,"data":1234,"content":1238},{"target":1235},{"sys":1236},{"id":1237,"type":260,"linkType":261},"1O9gyQab81SnbxhQp2aa5Z",[],{"nodeType":254,"data":1240,"content":1241},{},[1242],{"nodeType":240,"value":1243,"marks":1244,"data":1245},"A professional-looking error message reads: \"We're experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue.\" A prominent download button sits below.",[],{},{"nodeType":254,"data":1247,"content":1248},{},[1249],{"nodeType":240,"value":1250,"marks":1251,"data":1252},"The \"Show code\" toggle at the top of the page reveals what's actually happening — the entire thing is custom HTML and CSS, authored to mimic a ChatGPT system notice, rendered using ChatGPT's code output feature. 
A web page inside a web page, hosted on a domain that every URL reputation system in the world considers safe.",[],{},{"nodeType":263,"data":1254,"content":1258},{"target":1255},{"sys":1256},{"id":1257,"type":260,"linkType":261},"4kQTfxB3aVH9W9BeYOuljP",[],{"nodeType":281,"data":1260,"content":1261},{},[],{"nodeType":291,"data":1263,"content":1264},{},[1265],{"nodeType":240,"value":1266,"marks":1267,"data":1269},"The download page",[1268],{"type":289},{},{"nodeType":254,"data":1271,"content":1272},{},[1273],{"nodeType":240,"value":1274,"marks":1275,"data":1276},"Clicking the download button redirects the user to openew[.]app, which presents a convincing clone of ChatGPT's official desktop application download page — complete with OpenAI branding, macOS and Windows download buttons, a Chrome extension link, and a mobile download section.",[],{},{"nodeType":263,"data":1278,"content":1282},{"target":1279},{"sys":1280},{"id":1281,"type":260,"linkType":261},"4MdFc4OB37ZihTGx506QJ6",[],{"nodeType":263,"data":1284,"content":1288},{"target":1285},{"sys":1286},{"id":1287,"type":260,"linkType":261},"LaPUy0zpIeY8s4PF2wkat",[],{"nodeType":254,"data":1290,"content":1291},{},[1292],{"nodeType":240,"value":1293,"marks":1294,"data":1295},"The site also displays differently depending on who visits it. When Push researchers examined the URL via URLScan, the scanner was redirected to a different page entirely — a generic AR/VR company website with no obvious connection to ChatGPT. ",[],{},{"nodeType":254,"data":1297,"content":1298},{},[1299],{"nodeType":240,"value":1300,"marks":1301,"data":1302},"Real users in a browser see the fake download page; automated scanners and bots see something benign. 
This kind of conditional rendering is a well-established evasion technique in the malvertising ecosystem, and it makes the malicious infrastructure harder for security teams and threat intelligence services to identify and analyze.",[],{},{"nodeType":254,"data":1304,"content":1305},{},[1306,1310,1318],{"nodeType":240,"value":1307,"marks":1308,"data":1309},"The downloaded executable poses as \"ChatGPT for Desktop\" and is",[],{},{"nodeType":249,"data":1311,"content":1313},{"uri":1312},"https://www.virustotal.com/gui/file/de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78",[1314],{"nodeType":240,"value":1315,"marks":1316,"data":1317}," flagged on VirusTotal",[],{},{"nodeType":240,"value":1319,"marks":1320,"data":1321},".",[],{},{"nodeType":263,"data":1323,"content":1327},{"target":1324},{"sys":1325},{"id":1326,"type":260,"linkType":261},"3FSbwoFJYQrcyo9uMsQIWI",[],{"nodeType":281,"data":1329,"content":1330},{},[],{"nodeType":291,"data":1332,"content":1333},{},[1334],{"nodeType":240,"value":1335,"marks":1336,"data":1338},"The Claude variant: same campaign, different platform",[1337],{"type":289},{},{"nodeType":254,"data":1340,"content":1341},{},[1342,1346,1353],{"nodeType":240,"value":1343,"marks":1344,"data":1345},"Alongside the ChatGPT rendered-page variant, Push has also detected the previously reported style of attack using shared Claude.ai conversations. 
These follow the pattern documented by",[],{},{"nodeType":249,"data":1347,"content":1348},{"uri":1146},[1349],{"nodeType":240,"value":1350,"marks":1351,"data":1352}," BleepingComputer",[],{},{"nodeType":240,"value":1354,"marks":1355,"data":1356},": a shared chat disguised as a \"Claude Code on Mac\" installation guide, attributed to \"Apple Support,\" containing a curl command that downloads and executes malware.",[],{},{"nodeType":263,"data":1358,"content":1362},{"target":1359},{"sys":1360},{"id":1361,"type":260,"linkType":261},"5sWayuTsVdiLSLoS4sv2Vc",[],{"nodeType":254,"data":1364,"content":1365},{},[1366],{"nodeType":240,"value":1367,"marks":1368,"data":1369},"The fact that both the ChatGPT and Claude variants are appearing in Push customer environments suggests a campaign — or at least a shared playbook — that is actively experimenting with different platforms and different social engineering approaches to find what converts best.",[],{},{"nodeType":281,"data":1371,"content":1372},{},[],{"nodeType":291,"data":1374,"content":1375},{},[1376],{"nodeType":240,"value":1377,"marks":1378,"data":1380},"Malvertising remains one of the top phishing delivery channels",[1379],{"type":289},{},{"nodeType":254,"data":1382,"content":1383},{},[1384],{"nodeType":240,"value":1385,"marks":1386,"data":1387},"Push has detected this variant across multiple customer environments, with users arriving at these shared chat URLs after searching for terms including \"chatgpt,\" \"chatgpt free,\" \"chat gpt,\" and common typos like \"chatgo,\" \"chatgot,\" and \"cvhatgpt.\" ",[],{},{"nodeType":254,"data":1389,"content":1390},{},[1391],{"nodeType":240,"value":1392,"marks":1393,"data":1394},"You can see an example of this below: it's incredibly convincing, and uses the real ChatGPT domain — so even users that are paying attention are liable to fall for it. 
",[],{},{"nodeType":263,"data":1396,"content":1400},{"target":1397},{"sys":1398},{"id":1399,"type":260,"linkType":261},"1GYWOyHpZT1rdTm6IGOKu8",[],{"nodeType":263,"data":1402,"content":1406},{"target":1403},{"sys":1404},{"id":1405,"type":260,"linkType":261},"4HpFJRAZH2lbygaEk2xOnN",[],{"nodeType":254,"data":1408,"content":1409},{},[1410,1414,1422,1426,1434,1438,1451],{"nodeType":240,"value":1411,"marks":1412,"data":1413},"This fits a pattern Push has tracked extensively.",[],{},{"nodeType":249,"data":1415,"content":1417},{"uri":1416},"https://pushsecurity.com/blog/verizon-dbir-2026-review/",[1418],{"nodeType":240,"value":1419,"marks":1420,"data":1421}," Search-based delivery is now the dominant channel for malware distribution",[],{},{"nodeType":240,"value":1423,"marks":1424,"data":1425}," — our own data shows that ClickFix attacks are reached via search results rather than email in 4 of 5 cases, and Push's own research into",[],{},{"nodeType":249,"data":1427,"content":1429},{"uri":1428},"https://pushsecurity.com/blog/analysing-a-sophisticated-google-malvertising-attack/",[1430],{"nodeType":240,"value":1431,"marks":1432,"data":1433}," malvertising campaigns impersonating brands like TradingView",[],{},{"nodeType":240,"value":1435,"marks":1436,"data":1437}," and",[],{},{"nodeType":249,"data":1439,"content":1441},{"uri":1440},"https://pushsecurity.com/blog/google-search-malvertising-campaign-continues-now-impersonating-ahrefs/",[1442,1446],{"nodeType":240,"value":1443,"marks":1444,"data":1445}," ",[],{},{"nodeType":240,"value":1447,"marks":1448,"data":1450},"Ahrefs",[1449],{"type":413},{},{"nodeType":240,"value":1452,"marks":1453,"data":1454}," has demonstrated how effectively search ads can funnel victims to malicious pages. 
",[],{},{"nodeType":254,"data":1456,"content":1457},{},[1458],{"nodeType":240,"value":1459,"marks":1460,"data":1461},"The shared-chat technique adds a new dimension: the destination URL itself is genuine (chatgpt.com, claude.ai), which means even a cautious user who checks the URL before clicking will see nothing suspicious.",[],{},{"nodeType":281,"data":1463,"content":1464},{},[],{"nodeType":291,"data":1466,"content":1467},{},[1468],{"nodeType":240,"value":1469,"marks":1470,"data":1472},"Legitimate platform abuse is everywhere",[1471],{"type":289},{},{"nodeType":254,"data":1474,"content":1475},{},[1476],{"nodeType":240,"value":1477,"marks":1478,"data":1479},"This is one example of a much broader pattern that has become one of the defining characteristics of the 2026 threat landscape: attackers systematically abusing legitimate platforms as attack infrastructure. The scale and variety of this abuse in recent months alone is striking, and it spans every stage of the phishing chain.",[],{},{"nodeType":371,"data":1481,"content":1482},{},[1483],{"nodeType":240,"value":1484,"marks":1485,"data":1486},"Legit platform abuse for delivery",[],{},{"nodeType":254,"data":1488,"content":1489},{},[1490,1494,1502,1506,1514,1518,1526],{"nodeType":240,"value":1491,"marks":1492,"data":1493},"On the delivery side, attackers have been",[],{},{"nodeType":249,"data":1495,"content":1497},{"uri":1496},"https://www.bleepingcomputer.com/news/security/amazon-ses-increasingly-abused-in-phishing-to-evade-detection/",[1498],{"nodeType":240,"value":1499,"marks":1500,"data":1501}," weaponizing stolen AWS credentials to send phishing through Amazon SES",[],{},{"nodeType":240,"value":1503,"marks":1504,"data":1505}," that passes SPF, DKIM, and DMARC validation because SES is a legitimate Amazon service. 
A Vietnamese operation dubbed",[],{},{"nodeType":249,"data":1507,"content":1509},{"uri":1508},"https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html",[1510],{"nodeType":240,"value":1511,"marks":1512,"data":1513}," AccountDumpling used Google AppSheet's built-in email capability",[],{},{"nodeType":240,"value":1515,"marks":1516,"data":1517}," as a phishing relay to harvest 30,000 Facebook credentials.",[],{},{"nodeType":249,"data":1519,"content":1521},{"uri":1520},"https://techcrunch.com/2026/05/21/scammers-are-abusing-an-internal-microsoft-account-to-send-spam/",[1522],{"nodeType":240,"value":1523,"marks":1524,"data":1525}," Scammers exploited Microsoft's own internal notification pipeline",[],{},{"nodeType":240,"value":1527,"marks":1528,"data":1529}," — sending phishing from the same msonlineservicesteam@microsoftonline.com address that delivers legitimate 2FA codes — with Spamhaus confirming months of ongoing abuse.",[],{},{"nodeType":371,"data":1531,"content":1532},{},[1533],{"nodeType":240,"value":1534,"marks":1535,"data":1536},"Legit platform abuse for hosting",[],{},{"nodeType":254,"data":1538,"content":1539},{},[1540,1544,1552,1556,1564],{"nodeType":240,"value":1541,"marks":1542,"data":1543},"For hosting, the platforms being abused read like a who's who of modern web infrastructure.",[],{},{"nodeType":249,"data":1545,"content":1547},{"uri":1546},"https://www.securityweek.com/over-500-organizations-hit-in-years-long-phishing-campaign/",[1548],{"nodeType":240,"value":1549,"marks":1550,"data":1551}," Operation HookedWing ran for four years",[],{},{"nodeType":240,"value":1553,"marks":1554,"data":1555}," on GitHub Pages and Vercel, compromising 500+ organizations across more than 100 GitHub Pages domains before anyone documented it publicly. 
Cofense has separately",[],{},{"nodeType":249,"data":1557,"content":1559},{"uri":1558},"https://cofense.com/blog/steal-smarter-not-harder-malicious-use-of-vercel-for-credential-phishing/",[1560],{"nodeType":240,"value":1561,"marks":1562,"data":1563}," documented the growing abuse of Vercel",[],{},{"nodeType":240,"value":1565,"marks":1566,"data":1567}," for credential phishing hosting. Pixm's Q1 2026 phishing report tracked over 100 unique Azure Blob Storage subdomain variants hosting phishing content that carried Microsoft's own domain reputation, alongside abuse of Cloudflare CDN, Cloudflare Workers, Cloudflare R2, Backblaze B2, and Supabase. ",[],{},{"nodeType":371,"data":1569,"content":1570},{},[1571],{"nodeType":240,"value":1572,"marks":1573,"data":1574},"Abuse of compromised websites that are otherwise legit",[],{},{"nodeType":254,"data":1576,"content":1577},{},[1578,1582,1590,1594,1602,1606,1614],{"nodeType":240,"value":1579,"marks":1580,"data":1581},"Compromised legitimate sites are also being repurposed at scale. A mass exploitation of a",[],{},{"nodeType":249,"data":1583,"content":1585},{"uri":1584},"https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/",[1586],{"nodeType":240,"value":1587,"marks":1588,"data":1589}," Ghost CMS vulnerability planted ClickFix pages across 700+ websites",[],{},{"nodeType":240,"value":1591,"marks":1592,"data":1593}," including Harvard, Oxford, and DuckDuckGo subdomains. 
Microsoft recently documented a campaign where",[],{},{"nodeType":249,"data":1595,"content":1597},{"uri":1596},"https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",[1598],{"nodeType":240,"value":1599,"marks":1600,"data":1601}," SEO poisoning was combined with AI chatbot recommendation manipulation",[],{},{"nodeType":240,"value":1603,"marks":1604,"data":1605}," to deliver GPU mining malware — extending the poisoning from traditional search results into AI-generated software recommendations. And",[],{},{"nodeType":249,"data":1607,"content":1609},{"uri":1608},"https://www.helpnetsecurity.com/2026/05/27/deno-rat-malware-fake-chatgpt-claude-installers/",[1610],{"nodeType":240,"value":1611,"marks":1612,"data":1613}," fake ChatGPT and Claude installers on GitHub and SourceForge",[],{},{"nodeType":240,"value":1615,"marks":1616,"data":1617}," have been delivering the DinDoor backdoor and a Deno-based RAT via repositories that mimic legitimate developer tool distributions.",[],{},{"nodeType":254,"data":1619,"content":1620},{},[1621],{"nodeType":240,"value":1622,"marks":1623,"data":1624},"The structural problem is that every one of these platforms is genuinely legitimate, and the security controls that evaluate them — domain reputation, email authentication, URL categorization — confirm them as trusted because they are trusted. This attack extends this pattern into new territory by weaponizing the content-sharing features of AI chatbot platforms specifically, but the underlying principles are the same. 
",[],{},{"nodeType":281,"data":1626,"content":1627},{},[],{"nodeType":291,"data":1629,"content":1630},{},[1631],{"nodeType":240,"value":1632,"marks":1633,"data":1635},"Impact analysis",[1634],{"type":289},{},{"nodeType":254,"data":1637,"content":1638},{},[1639,1643,1651],{"nodeType":240,"value":1640,"marks":1641,"data":1642},"Shared-chat malware delivery exploits a structural property of AI platforms that traditional security controls aren't designed to handle. Domain reputation, URL categorization, and safe browsing databases all treat chatgpt.com and claude.ai as trusted — because they are. Using these trusted pages to link off to further convincing-looking pages hosting malware allows the attacker to run campaigns that blend in, as well as rotate the phishing delivery pages later in the chain should they ever be flagged, allowing the campaign to continue without interruption (a well known ",[],{},{"nodeType":249,"data":1644,"content":1646},{"uri":1645},"https://phishing-techniques.pushsecurity.com/",[1647],{"nodeType":240,"value":1648,"marks":1649,"data":1650},"detection evasion technique",[],{},{"nodeType":240,"value":1652,"marks":1653,"data":1654},"). ",[],{},{"nodeType":254,"data":1656,"content":1657},{},[1658],{"nodeType":240,"value":1659,"marks":1660,"data":1661},"What makes the rendered-page variant particularly concerning is that it eliminates the most obvious red flag in the earlier attacks. The Claude.ai conversation variants required the victim to recognize that a shared chat instructing them to paste terminal commands might be suspicious — a tall order for many users, but at least the attack surface was visible. The rendered-page variant shows nothing that looks like an attack. It presents what appears to be a routine service disruption with a reasonable call to action: download the desktop app to continue using ChatGPT. 
",[],{},{"nodeType":371,"data":1663,"content":1664},{},[1665],{"nodeType":240,"value":1666,"marks":1667,"data":1669},"How Push detected the attack",[1668],{"type":289},{},{"nodeType":254,"data":1671,"content":1672},{},[1673,1677,1682],{"nodeType":240,"value":1674,"marks":1675,"data":1676},"We've aligned our detection logic for this technique under the name ",[],{},{"nodeType":240,"value":1678,"marks":1679,"data":1681},"LLMShare",[1680],{"type":289},{},{"nodeType":240,"value":1683,"marks":1684,"data":1685}," — a technique-level detection that covers shared content abuse across LLM platforms, not tied to any single campaign or set of IOCs. ",[],{},{"nodeType":254,"data":1687,"content":1688},{},[1689],{"nodeType":240,"value":1690,"marks":1691,"data":1692},"Because Push sees the full context of how a user arrived at a page and what that page does once it renders, we can identify LLMShare attacks regardless of which AI platform is being abused or what social engineering wrapper the attacker has chosen. ",[],{},{"nodeType":254,"data":1694,"content":1695},{},[1696,1700,1706],{"nodeType":240,"value":1697,"marks":1698,"data":1699},"When we identified the initial instances of this campaign, we used our",[],{},{"nodeType":249,"data":1701,"content":1702},{"uri":388},[1703],{"nodeType":240,"value":916,"marks":1704,"data":1705},[],{},{"nodeType":240,"value":1707,"marks":1708,"data":1709}," to hunt for additional examples across our customer telemetry, develop the LLMShare detection, and rapidly deploy it to customers. Push blocks users from interacting with the page before any malicious activity can occur. 
",[],{},{"nodeType":254,"data":1711,"content":1712},{},[1713],{"nodeType":240,"value":1714,"marks":1715,"data":1716},"Push customers do not need to take any further action.",[],{},{"nodeType":281,"data":1718,"content":1719},{},[],{"nodeType":254,"data":1721,"content":1722},{},[1723],{"nodeType":240,"value":988,"marks":1724,"data":1725},[],{},{"nodeType":254,"data":1727,"content":1728},{},[1729],{"nodeType":240,"value":995,"marks":1730,"data":1731},[],{},{"nodeType":254,"data":1733,"content":1734},{},[1735,1738,1747],{"nodeType":240,"value":29,"marks":1736,"data":1737},[],{},{"nodeType":249,"data":1739,"content":1741},{"uri":1740},"https://pushsecurity.com/demo/",[1742],{"nodeType":240,"value":1743,"marks":1744,"data":1746},"Book a live demo to learn more.",[1745],{"type":413},{},{"nodeType":240,"value":29,"marks":1748,"data":1749},[],{},{"nodeType":281,"data":1751,"content":1752},{},[],{"nodeType":291,"data":1754,"content":1755},{},[1756],{"nodeType":240,"value":1757,"marks":1758,"data":1760},"Indicators of compromise",[1759],{"type":289},{},{"nodeType":254,"data":1762,"content":1763},{},[1764,1768,1776],{"nodeType":240,"value":1765,"marks":1766,"data":1767},"As we always say, short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":249,"data":1769,"content":1771},{"uri":1770},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[1772],{"nodeType":240,"value":1773,"marks":1774,"data":1775},"quickly spin up and rotate the sites used",[],{},{"nodeType":240,"value":1777,"marks":1778,"data":1779}," in the attack chain. 
As a result, IoC-based detections for campaigns like this quickly lose their usefulness.",[],{},{"nodeType":254,"data":1781,"content":1782},{},[1783],{"nodeType":240,"value":1784,"marks":1785,"data":1786},"At the time of writing, the indicators observed were:",{"nodeType":1788,"data":1789,"content":1790},"table",{},[1791,1818,1842,1864,1887],{"nodeType":1792,"data":1793,"content":1794},"table-row",{},[1795,1807],{"nodeType":1796,"data":1797,"content":1798},"table-header-cell",{},[1799],{"nodeType":254,"data":1800,"content":1801},{},[1802],{"nodeType":240,"value":1803,"marks":1804,"data":1806},"Indicator",[1805],{"type":289},{},{"nodeType":1796,"data":1808,"content":1809},{},[1810],{"nodeType":254,"data":1811,"content":1812},{},[1813],{"nodeType":240,"value":1814,"marks":1815,"data":1817},"Type",[1816],{"type":289},{},{"nodeType":1792,"data":1819,"content":1820},{},[1821,1832],{"nodeType":1822,"data":1823,"content":1824},"table-cell",{},[1825],{"nodeType":254,"data":1826,"content":1827},{},[1828],{"nodeType":240,"value":1829,"marks":1830,"data":1831},"hxxps://claude[.]ai/share/8e6401b5-4849-46c4-a3cb-29e1c3c49131",[],{},{"nodeType":1822,"data":1833,"content":1834},{},[1835],{"nodeType":254,"data":1836,"content":1837},{},[1838],{"nodeType":240,"value":1839,"marks":1840,"data":1841},"URL",[],{},{"nodeType":1792,"data":1843,"content":1844},{},[1845,1855],{"nodeType":1822,"data":1846,"content":1847},{},[1848],{"nodeType":254,"data":1849,"content":1850},{},[1851],{"nodeType":240,"value":1852,"marks":1853,"data":1854},"hxxps://chatgpt[.]com/s/cb_6a0f1e6bbec88191aa7fede27163f08d",[],{},{"nodeType":1822,"data":1856,"content":1857},{},[1858],{"nodeType":254,"data":1859,"content":1860},{},[1861],{"nodeType":240,"value":1839,"marks":1862,"data":1863},[],{},{"nodeType":1792,"data":1865,"content":1866},{},[1867,1877],{"nodeType":1822,"data":1868,"content":1869},{},[1870],{"nodeType":254,"data":1871,"content":1872},{},[1873],{"nodeType":240,"value":1874,"marks":1875,"data":1876},"openew[.]app",[]
,{},{"nodeType":1822,"data":1878,"content":1879},{},[1880],{"nodeType":254,"data":1881,"content":1882},{},[1883],{"nodeType":240,"value":1884,"marks":1885,"data":1886},"Domain",[],{},{"nodeType":1792,"data":1888,"content":1889},{},[1890,1900],{"nodeType":1822,"data":1891,"content":1892},{},[1893],{"nodeType":254,"data":1894,"content":1895},{},[1896],{"nodeType":240,"value":1897,"marks":1898,"data":1899},"de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78",[],{},{"nodeType":1822,"data":1901,"content":1902},{},[1903],{"nodeType":254,"data":1904,"content":1905},{},[1906],{"nodeType":240,"value":1907,"marks":1908,"data":1909},"SHA256",[],{},{"nodeType":254,"data":1911,"content":1912},{},[1913],{"nodeType":240,"value":29,"marks":1914,"data":1915},[],{},"LLMShare: how attackers are turning AI chatbot pages into malware delivery platforms","How attackers are using shared content features on AI chatbot platforms to deliver malware via pages hosted on legitimate domains, sent via malvertising.","llmshare-malvertising-campaign",{"items":1920},[1921,1925],{"sys":1922,"name":1924},{"id":1923},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1926,"name":1928},{"id":1927},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1930},[1931],{"fullName":1932,"firstName":1933,"jobTitle":1934,"profilePicture":1935},"Keanu Maharaj","Keanu","Senior Security 
Researcher",{"url":1936},"https://images.ctfassets.net/y1cdw1ablpvd/VCGOm62jiocjwngWTh32U/e9a30637b1c76bf988d2fec90f5b6c36/1689361049351_1.png",{"__typename":1115,"sys":1938,"publishedDate":1940,"content":1941,"title":2783,"synopsis":2784,"hashTags":62,"slug":2785,"tagsCollection":2786,"authorsCollection":2792},{"id":1939},"211Dd0EIrXPOFpvRgs0fEE","2026-05-08T00:00:00.000Z",{"json":1942},{"data":1943,"content":1944,"nodeType":1015},{},[1945,1964,1983,2001,2007,2010,2018,2025,2032,2039,2046,2054,2057,2065,2072,2079,2086,2092,2100,2119,2126,2133,2149,2157,2187,2203,2210,2239,2247,2277,2284,2292,2310,2317,2324,2330,2337,2345,2364,2371,2390,2397,2400,2408,2415,2506,2513,2529,2532,2562,2581,2588,2595,2598,2606,2625,2632,2639,2657,2660,2668,2675,2708,2715,2732,2750,2756,2759,2766],{"data":1946,"content":1947,"nodeType":254},{},[1948,1952,1960],{"data":1949,"marks":1950,"value":1951,"nodeType":240},{},[],"When we released the",{"data":1953,"content":1955,"nodeType":249},{"uri":1954},"https://pushsecurity.com/blog/saas-attack-techniques/",[1956],{"data":1957,"marks":1958,"value":1959,"nodeType":240},{},[]," SaaS attack matrix",{"data":1961,"marks":1962,"value":1963,"nodeType":240},{},[]," in 2023, we were anticipating a shift that was just beginning to take shape. 
The techniques that attackers were using to compromise cloud applications and identities weren't well represented in existing frameworks, and many of the ones we documented hadn't yet been widely observed in the wild.",{"data":1965,"content":1966,"nodeType":254},{},[1967,1971,1979],{"data":1968,"marks":1969,"value":1970,"nodeType":240},{},[],"A year later, we",{"data":1972,"content":1974,"nodeType":249},{"uri":1973},"https://pushsecurity.com/blog/the-saas-attack-matrix-one-year-on/",[1975],{"data":1976,"marks":1977,"value":1978,"nodeType":240},{},[]," reviewed what had changed",{"data":1980,"marks":1981,"value":1982,"nodeType":240},{},[]," and found that the initial access phase — the techniques designed to compromise an identity in the first place — was where almost all of the attacker innovation was concentrated. And two years on, that trend has become the story of the modern threat landscape. ",{"data":1984,"content":1985,"nodeType":254},{},[1986,1990,1997],{"data":1987,"marks":1988,"value":1989,"nodeType":240},{},[],"Today, we're re-releasing the matrix as the",{"data":1991,"content":1992,"nodeType":249},{"uri":61},[1993],{"data":1994,"marks":1995,"value":1996,"nodeType":240},{},[]," Browser & Identity Attacks Matrix",{"data":1998,"marks":1999,"value":2000,"nodeType":240},{},[],". The name change isn't cosmetic. 
It reflects that the attacks driving the most consequential breaches are browser-based and identity-first.",{"data":2002,"content":2006,"nodeType":263},{"target":2003},{"sys":2004},{"id":2005,"type":260,"linkType":261},"MSnrBRJtiQxpv2qxFLCVE",[],{"data":2008,"content":2009,"nodeType":281},{},[],{"data":2011,"content":2012,"nodeType":291},{},[2013],{"data":2014,"marks":2015,"value":2017,"nodeType":240},{},[2016],{"type":289},"Why the scope needed to change",{"data":2019,"content":2020,"nodeType":254},{},[2021],{"data":2022,"marks":2023,"value":2024,"nodeType":240},{},[],"The original SaaS attack matrix was built around a specific insight: that attacks targeting modern business applications played out entirely over the internet, without touching endpoints or internal networks in any way that EDR or network detection tools would recognize.",{"data":2026,"content":2027,"nodeType":254},{},[2028],{"data":2029,"marks":2030,"value":2031,"nodeType":240},{},[],"That framing was useful, and it remains true. But it anchored the matrix to the post-access phase — what attackers do once they're inside a SaaS application — and didn't give enough weight to the initial access techniques that determine whether attackers get there in the first place.",{"data":2033,"content":2034,"nodeType":254},{},[2035],{"data":2036,"marks":2037,"value":2038,"nodeType":240},{},[],"The problem is that initial access is where the overwhelming majority of attacker innovation and investment is concentrated, and the techniques being used to achieve it are best understood as browser and identity attacks rather than SaaS-specific ones. 
AiTM phishing, ClickFix and its growing family of clipboard-injection variants, device code phishing, OAuth consent abuse, credential stuffing powered by infostealer supply chains, malicious browser extensions — all of these happen in or via the browser.",{"data":2040,"content":2041,"nodeType":254},{},[2042],{"data":2043,"marks":2044,"value":2045,"nodeType":240},{},[],"Another issue is that \"SaaS\" has arguably ceased to be a meaningful category. When we consider that most organizations run the majority of their business on cloud applications, the difference between what constitutes \"SaaS\" versus cloud versus just \"business IT\" is pretty blurry (and feels like an academic rather than practical difference).",{"data":2047,"content":2048,"nodeType":254},{},[2049],{"data":2050,"marks":2051,"value":2053,"nodeType":240},{},[2052],{"type":289},"So it's less about whether an attack is a \"SaaS attack\" and more about how these attacks actually play out. ",{"data":2055,"content":2056,"nodeType":281},{},[],{"data":2058,"content":2059,"nodeType":291},{},[2060],{"data":2061,"marks":2062,"value":2064,"nodeType":240},{},[2063],{"type":289},"The technique landscape has transformed",{"data":2066,"content":2067,"nodeType":254},{},[2068],{"data":2069,"marks":2070,"value":2071,"nodeType":240},{},[],"The second reason for the change is that the scale and speed of attacker innovation in the space justifies it.",{"data":2073,"content":2074,"nodeType":254},{},[2075],{"data":2076,"marks":2077,"value":2078,"nodeType":240},{},[],"When we launched the matrix in mid-2023, AiTM phishing was emerging as a serious concern but was far from ubiquitous. ClickFix didn't exist as a named technique. Device code phishing was a curiosity documented by a handful of researchers. ConsentFix was years away from being discovered. 
Browser extension supply chain attacks were rare enough to be individually notable.",{"data":2080,"content":2081,"nodeType":254},{},[2082],{"data":2083,"marks":2084,"value":2085,"nodeType":240},{},[],"In the two and a half years since, every one of these has become a mainstream, industrialized attack technique — and several have converged in ways that would have been hard to predict.",{"data":2087,"content":2091,"nodeType":263},{"target":2088},{"sys":2089},{"id":2090,"type":260,"linkType":261},"5Kw2kSrL8u4VyslxK8HCtR",[],{"data":2093,"content":2094,"nodeType":371},{},[2095],{"data":2096,"marks":2097,"value":2099,"nodeType":240},{},[2098],{"type":289},"AiTM phishing has become the default phishing method",{"data":2101,"content":2102,"nodeType":254},{},[2103,2107,2115],{"data":2104,"marks":2105,"value":2106,"nodeType":240},{},[],"AiTM phishing is now the standard, powered by Phishing-as-a-Service kits that operate with the release cycles and customer support of legitimate SaaS products. Tycoon 2FA alone accounted for",{"data":2108,"content":2110,"nodeType":249},{"uri":2109},"https://pushsecurity.com/blog/2025-top-phishing-trends/",[2111],{"data":2112,"marks":2113,"value":2114,"nodeType":240},{},[]," 62% of phishing detected by Microsoft",{"data":2116,"marks":2117,"value":2118,"nodeType":240},{},[]," and over 64,000 confirmed incidents, with Sneaky2FA, FlowerStorm, Evilginx, and a growing roster of competitors filling out the marketplace.",{"data":2120,"content":2121,"nodeType":254},{},[2122],{"data":2123,"marks":2124,"value":2125,"nodeType":240},{},[],"AiTM is constantly evolving, with vendors adding new features, capabilities, detection evasion techniques, and so on. 
Abuse of legitimate platforms and, increasingly, AI-assisted development mean that it’s trivial for attackers to spin up and tear down infrastructure, scale their campaigns, and target specific organizations with crafted pages and lures — in short, attackers can operate highly sophisticated attacks with minimal effort and complexity. This makes AiTM and other PhaaS-powered techniques extremely accessible to all kinds of criminals. ",{"data":2127,"content":2128,"nodeType":254},{},[2129],{"data":2130,"marks":2131,"value":2132,"nodeType":240},{},[],"These kits are delivered across several browser-based channels — not just email. Push data consistently shows that roughly 1 in 3 phishing payloads we intercept arrive via social media, search ads, messaging apps, or other non-email vectors.",{"data":2134,"content":2135,"nodeType":254},{},[2136,2140,2145],{"data":2137,"marks":2138,"value":2139,"nodeType":240},{},[],"Vishing has also surged as a delivery channel — CrowdStrike documented a ",{"data":2141,"marks":2142,"value":2144,"nodeType":240},{},[2143],{"type":289},"442% year-over-year increase",{"data":2146,"marks":2147,"value":2148,"nodeType":240},{},[],", and Mandiant found it was the single most common initial vector in cloud compromises at 23%. But the trend that matters isn't voice calls in isolation; it's voice calls combined with browser-based payloads, where a live operator guides the victim into an AiTM page or device code flow that the call alone could not execute.",{"data":2150,"content":2151,"nodeType":371},{},[2152],{"data":2153,"marks":2154,"value":2156,"nodeType":240},{},[2155],{"type":289},"ClickFix is the top reported initial access vector",{"data":2158,"content":2159,"nodeType":254},{},[2160,2164,2171,2175,2183],{"data":2161,"marks":2162,"value":2163,"nodeType":240},{},[],"ClickFix has gone from nonexistent to one of the most prevalent initial access techniques in under 18 months. 
Microsoft reported it as the",{"data":2165,"content":2166,"nodeType":249},{"uri":665},[2167],{"data":2168,"marks":2169,"value":2170,"nodeType":240},{},[]," most common initial access vector in 2025",{"data":2172,"marks":2173,"value":2174,"nodeType":240},{},[],", accounting for 47% of observed attacks, while CrowdStrike documented a",{"data":2176,"content":2178,"nodeType":249},{"uri":2177},"https://www.crowdstrike.com/explore/2026-global-threat-report",[2179],{"data":2180,"marks":2181,"value":2182,"nodeType":240},{},[]," 563% increase",{"data":2184,"marks":2185,"value":2186,"nodeType":240},{},[]," in fake CAPTCHA lures (a top ClickFix style).",{"data":2188,"content":2189,"nodeType":254},{},[2190,2194,2199],{"data":2191,"marks":2192,"value":2193,"nodeType":240},{},[],"ClickFix is admittedly an outlier in a browser attacks matrix — the payload ultimately executes on the endpoint, not in the browser — but the delivery is overwhelmingly browser-based: ",{"data":2195,"marks":2196,"value":2198,"nodeType":240},{},[2197],{"type":289},"4 in 5 ClickFix payloads",{"data":2200,"marks":2201,"value":2202,"nodeType":240},{},[]," intercepted by Push arrive via search engines as a result of malvertising or compromised web pages, not email, which means the browser is the only control point that actually sees the attack before the user pastes the malicious command.",{"data":2204,"content":2205,"nodeType":254},{},[2206],{"data":2207,"marks":2208,"value":2209,"nodeType":240},{},[],"ClickFix is now the primary delivery mechanism for infostealer malware, which is in turn the primary source of the stolen credentials and session tokens that power credential stuffing and session hijacking — which means the technique sits at the start of a cycle where one class of browser-delivered attack generates the raw material for the next.",{"data":2211,"content":2212,"nodeType":254},{},[2213,2217,2224,2228,2235],{"data":2214,"marks":2215,"value":2216,"nodeType":240},{},[],"The success of ClickFix has 
predictably spawned a growing family of derivatives — FileFix, CrashFix,",{"data":2218,"content":2219,"nodeType":249},{"uri":937},[2220],{"data":2221,"marks":2222,"value":2223,"nodeType":240},{},[]," InstallFix",{"data":2225,"marks":2226,"value":2227,"nodeType":240},{},[]," — and much of the naming is marketing hype around variations on the same clipboard-injection mechanic. But",{"data":2229,"content":2230,"nodeType":249},{"uri":694},[2231],{"data":2232,"marks":2233,"value":2234,"nodeType":240},{},[]," ConsentFix",{"data":2236,"marks":2237,"value":2238,"nodeType":240},{},[]," was a genuinely novel development.",{"data":2240,"content":2241,"nodeType":371},{},[2242],{"data":2243,"marks":2244,"value":2246,"nodeType":240},{},[2245],{"type":289},"Browser-native ClickFix: ConsentFix",{"data":2248,"content":2249,"nodeType":254},{},[2250,2254,2262,2266,2273],{"data":2251,"marks":2252,"value":2253,"nodeType":240},{},[],"ConsentFix is a fully browser-native attack that merged ClickFix-style social engineering with OAuth consent abuse, compromising accounts through a legitimate Microsoft authorization flow with no endpoint component at all. 
ConsentFix was",{"data":2255,"content":2257,"nodeType":249},{"uri":2256},"https://pushsecurity.com/blog/consentfix-debrief/",[2258],{"data":2259,"marks":2260,"value":2261,"nodeType":240},{},[]," traced to APT29",{"data":2263,"marks":2264,"value":2265,"nodeType":240},{},[]," and has since been",{"data":2267,"content":2268,"nodeType":249},{"uri":706},[2269],{"data":2270,"marks":2271,"value":2272,"nodeType":240},{},[]," commercialized on criminal forums",{"data":2274,"marks":2275,"value":2276,"nodeType":240},{},[],", following the same path from state-sponsored technique to commodity criminal tooling that we've seen repeatedly in this space.",{"data":2278,"content":2279,"nodeType":254},{},[2280],{"data":2281,"marks":2282,"value":2283,"nodeType":240},{},[],"ConsentFix demonstrates that the clipboard-injection mechanic can evolve into something that operates entirely within the browser, eliminating the endpoint detection surface that traditional ClickFix still exposed.",{"data":2285,"content":2286,"nodeType":371},{},[2287],{"data":2288,"marks":2289,"value":2291,"nodeType":240},{},[2290],{"type":289},"Attackers have pivoted to authorization attacks to get around login controls",{"data":2293,"content":2294,"nodeType":254},{},[2295,2299,2306],{"data":2296,"marks":2297,"value":2298,"nodeType":240},{},[],"Authorization attacks like device code phishing have seen a",{"data":2300,"content":2301,"nodeType":249},{"uri":498},[2302],{"data":2303,"marks":2304,"value":2305,"nodeType":240},{},[]," 37.5x increase",{"data":2307,"marks":2308,"value":2309,"nodeType":240},{},[]," since the start of 2026, with at least 12 distinct kits now offering the technique. It bypasses standard authentication controls — including passkeys — because the attack occurs through the OAuth device authorization flow rather than the standard login flow. 
",{"data":2311,"content":2312,"nodeType":254},{},[2313],{"data":2314,"marks":2315,"value":2316,"nodeType":240},{},[],"The technique was first associated with nation-state actors like Storm-2372, but went from espionage-grade to commodity PhaaS tooling in roughly eighteen months, with kits like EvilTokens and Venom now offering turnkey device code phishing as a service.",{"data":2318,"content":2319,"nodeType":254},{},[2320],{"data":2321,"marks":2322,"value":2323,"nodeType":240},{},[],"The device code authorization is effectively performed post-authentication. If you already have an active session in your browser, entering the device code and selecting your account from a drop-down menu is all that's needed. No password or MFA required. You can see an example in the video below.",{"data":2325,"content":2329,"nodeType":263},{"target":2326},{"sys":2327},{"id":2328,"type":260,"linkType":261},"2WPb41lNRajdpt5pogQg8M",[],{"data":2331,"content":2332,"nodeType":254},{},[2333],{"data":2334,"marks":2335,"value":2336,"nodeType":240},{},[],"And the ecosystem is adapting to this opportunity: established AiTM vendors like Tycoon are adding authorization-focused options alongside their existing credential-harvesting capabilities, which points toward multi-technique platforms where operators pick the right tool for whatever defenses the target has in place.",{"data":2338,"content":2339,"nodeType":371},{},[2340],{"data":2341,"marks":2342,"value":2344,"nodeType":240},{},[2343],{"type":289},"Malicious and hacked browser extensions are one of the fastest growing threats",{"data":2346,"content":2347,"nodeType":254},{},[2348,2352,2360],{"data":2349,"marks":2350,"value":2351,"nodeType":240},{},[],"Malicious browser extensions have matured from an occasional nuisance into a scalable supply chain attack vector. 
The",{"data":2353,"content":2355,"nodeType":249},{"uri":2354},"https://pushsecurity.com/blog/why-browser-extension-risk-scoring-wont-predict-your-next-breach/",[2356],{"data":2357,"marks":2358,"value":2359,"nodeType":240},{},[]," Cyberhaven compromise",{"data":2361,"marks":2362,"value":2363,"nodeType":240},{},[]," in December 2024 — where approximately 35 extensions were weaponized through a single OAuth phishing campaign targeting developers — impacted 2.6 million users and demonstrated that extension supply chain attacks can achieve the kind of reach that used to require a compromised software update server.",{"data":2365,"content":2366,"nodeType":254},{},[2367],{"data":2368,"marks":2369,"value":2370,"nodeType":240},{},[],"Since Cyberhaven, the pace has only accelerated. In 2026 alone, researchers have publicly disclosed at least 250 confirmed malicious browser extensions affecting roughly 1.75 million users, alongside a further 370+ extensions engaged in undisclosed or policy-disclosed data harvesting affecting an additional 44 million users. That doesn't count the extensions from late-2025 campaigns (DarkSpectre, AITOPIA, Trust Wallet) whose impacts carried into 2026.",{"data":2372,"content":2373,"nodeType":254},{},[2374,2378,2386],{"data":2375,"marks":2376,"value":2377,"nodeType":240},{},[],"The attack paths have also expanded. Beyond phishing developers to take over Web Store accounts (the Cyberhaven playbook), attackers are buying existing extensions from developers, waiting for ownership transfers or abandonments to take over, and increasingly vibe-coding their own functional extensions from scratch to build an audience that can later be weaponized. 
The common thread is that ",{"data":2379,"content":2380,"nodeType":249},{"uri":2354},[2381],{"data":2382,"marks":2383,"value":2385,"nodeType":240},{},[2384],{"type":413},"most malicious extensions didn't start out malicious",{"data":2387,"marks":2388,"value":2389,"nodeType":240},{},[]," — they started as legitimate tools and were turned into weapons after the fact.",{"data":2391,"content":2392,"nodeType":254},{},[2393],{"data":2394,"marks":2395,"value":2396,"nodeType":240},{},[],"None of this is happening in isolation. The threat landscape has reoriented around browser-based initial access and identity compromise — and the matrix needed to catch up.",{"data":2398,"content":2399,"nodeType":281},{},[],{"data":2401,"content":2402,"nodeType":291},{},[2403],{"data":2404,"marks":2405,"value":2407,"nodeType":240},{},[2406],{"type":289},"The evolution is playing out in public breaches",{"data":2409,"content":2410,"nodeType":254},{},[2411],{"data":2412,"marks":2413,"value":2414,"nodeType":240},{},[],"It’s worth reinforcing that when the SaaS matrix was first released, many of these attacks hadn’t been seen in the wild. 
The change today is staggering:",{"data":2416,"content":2417,"nodeType":2505},{},[2418,2441,2463,2483],{"data":2419,"content":2420,"nodeType":2440},{},[2421],{"data":2422,"content":2423,"nodeType":254},{},[2424,2428,2436],{"data":2425,"marks":2426,"value":2427,"nodeType":240},{},[],"When",{"data":2429,"content":2431,"nodeType":249},{"uri":2430},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[2432],{"data":2433,"marks":2434,"value":2435,"nodeType":240},{},[]," Scattered Lapsus$ Hunters",{"data":2437,"marks":2438,"value":2439,"nodeType":240},{},[]," compromised over a thousand organizations' Salesforce tenants through device code phishing, the attack started with a phone call, moved through a browser-based authorization flow for the attacker’s app, and ended with mass data exfiltration via API.","list-item",{"data":2442,"content":2443,"nodeType":2440},{},[2444],{"data":2445,"content":2446,"nodeType":254},{},[2447,2451,2459],{"data":2448,"marks":2449,"value":2450,"nodeType":240},{},[],"When the same collective launched",{"data":2452,"content":2454,"nodeType":249},{"uri":2453},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[2455],{"data":2456,"marks":2457,"value":2458,"nodeType":240},{},[]," AiTM phishing campaigns",{"data":2460,"marks":2461,"value":2462,"nodeType":240},{},[]," targeting Okta and Entra SSO, the phishing page was operated by a human in real time and delivered over a voice call — not email.",{"data":2464,"content":2465,"nodeType":2440},{},[2466],{"data":2467,"content":2468,"nodeType":254},{},[2469,2472,2479],{"data":2470,"marks":2471,"value":2427,"nodeType":240},{},[],{"data":2473,"content":2474,"nodeType":249},{"uri":694},[2475],{"data":2476,"marks":2477,"value":2478,"nodeType":240},{},[]," APT29 deployed ConsentFix",{"data":2480,"marks":2481,"value":2482,"nodeType":240},{},[]," across dozens of compromised websites, the entire attack chain was browser-native, abusing a legitimate Microsoft OAuth flow to bypass MFA without 
proxying a single credential.",{"data":2484,"content":2485,"nodeType":2440},{},[2486],{"data":2487,"content":2488,"nodeType":254},{},[2489,2493,2501],{"data":2490,"marks":2491,"value":2492,"nodeType":240},{},[],"The",{"data":2494,"content":2496,"nodeType":249},{"uri":2495},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-snowflake-june-2024",[2497],{"data":2498,"marks":2499,"value":2500,"nodeType":240},{},[]," Snowflake breach",{"data":2502,"marks":2503,"value":2504,"nodeType":240},{},[]," — arguably the most consequential credential-based campaign of the past several years — saw 165 organizations breached using credentials that had been sitting in infostealer dumps for years, replayed against Snowflake tenants that lacked mandatory MFA. The attack surface wasn't Snowflake's application logic; it was the identity hygiene gap that every organization carries across hundreds of apps.","unordered-list",{"data":2507,"content":2508,"nodeType":254},{},[2509],{"data":2510,"marks":2511,"value":2512,"nodeType":240},{},[],"And that’s just the big picture. Every month we’re tracking new public breaches involving browser and identity TTPs — which again, are just the tip of the iceberg when you consider that many breaches are settled quietly without hitting the headlines. ",{"data":2514,"content":2515,"nodeType":254},{},[2516,2520,2525],{"data":2517,"marks":2518,"value":2519,"nodeType":240},{},[],"One of the key drivers here is the shrinking time-to-exploit. CrowdStrike's average e-crime breakout time is down to ",{"data":2521,"marks":2522,"value":2524,"nodeType":240},{},[2523],{"type":289},"29 minutes",{"data":2526,"marks":2527,"value":2528,"nodeType":240},{},[],", with the fastest recorded at 27 seconds. When attackers can move from initial access to data exfiltration within minutes, the window for post-compromise detection collapses to near zero. 
The best chance of stopping the attack is at the point of initial access before the identity is compromised.",{"data":2530,"content":2531,"nodeType":281},{},[],{"data":2533,"content":2534,"nodeType":291},{},[2535,2540,2546,2551,2557],{"data":2536,"marks":2537,"value":2539,"nodeType":240},{},[2538],{"type":289},"Sidenote: why we're looking at attacks ",{"data":2541,"marks":2542,"value":2545,"nodeType":240},{},[2543,2544],{"type":806},{"type":289},"in",{"data":2547,"marks":2548,"value":2550,"nodeType":240},{},[2549],{"type":289}," the browser, not ",{"data":2552,"marks":2553,"value":2556,"nodeType":240},{},[2554,2555],{"type":806},{"type":289},"on",{"data":2558,"marks":2559,"value":2561,"nodeType":240},{},[2560],{"type":289}," the browser",{"data":2563,"content":2564,"nodeType":254},{},[2565,2569,2577],{"data":2566,"marks":2567,"value":2568,"nodeType":240},{},[],"Calling this a \"browser attacks\" matrix needs clarification. We're not talking about browser exploits — RCE vulnerabilities, sandbox escapes, memory corruption bugs. Those attacks target the browser itself, they're extraordinarily expensive to develop, and they're increasingly rare. Browser zero-days hit a",{"data":2570,"content":2572,"nodeType":249},{"uri":2571},"https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review",[2573],{"data":2574,"marks":2575,"value":2576,"nodeType":240},{},[]," historic low of 9%",{"data":2578,"marks":2579,"value":2580,"nodeType":240},{},[]," of all zero-days reported to Google, and a Chrome RCE commands a $250,000 bug bounty.",{"data":2582,"content":2583,"nodeType":254},{},[2584],{"data":2585,"marks":2586,"value":2587,"nodeType":240},{},[],"In comparison, a one-year phishing kit rental costs $1,000. A bulk stolen credential list costs $15. An initial-access-broker-provided IdP admin account costs $3,000. 
When it costs orders of magnitude less to exploit the person using the browser than to exploit the browser itself, attackers will take the cheaper option every time.",{"data":2589,"content":2590,"nodeType":254},{},[2591],{"data":2592,"marks":2593,"value":2594,"nodeType":240},{},[],"It's worth heading off the obvious counterargument: won't AI-assisted vulnerability discovery eventually make browser exploits cheaper? Perhaps — but it will simultaneously make them easier for browser vendors to find and patch, and vendors like Google and Microsoft have the engineering capacity and financial incentive to scale AI-driven remediation far faster than attackers can scale exploit development.",{"data":2596,"content":2597,"nodeType":281},{},[],{"data":2599,"content":2600,"nodeType":291},{},[2601],{"data":2602,"marks":2603,"value":2605,"nodeType":240},{},[2604],{"type":289},"What hasn't changed",{"data":2607,"content":2608,"nodeType":254},{},[2609,2613,2621],{"data":2610,"marks":2611,"value":2612,"nodeType":240},{},[],"The matrix remains open-source, community-maintained, and available on",{"data":2614,"content":2616,"nodeType":249},{"uri":2615},"https://github.com/pushsecurity/saas-attacks",[2617],{"data":2618,"marks":2619,"value":2620,"nodeType":240},{},[]," GitHub",{"data":2622,"marks":2623,"value":2624,"nodeType":240},{},[],". 
The goal is the same as it was in 2023: to give offensive and defensive security teams a shared reference point for the techniques that matter most.",{"data":2626,"content":2627,"nodeType":254},{},[2628],{"data":2629,"marks":2630,"value":2631,"nodeType":240},{},[],"We built it because there was a gap in how the industry talked about these techniques, and that gap still exists — MITRE ATT&CK remains essential for endpoint and network TTPs, but the browser-based, identity-first techniques behind most modern breaches are still underrepresented in traditional frameworks.",{"data":2633,"content":2634,"nodeType":254},{},[2635],{"data":2636,"marks":2637,"value":2638,"nodeType":240},{},[],"We continue to maintain the matrix with input from red teams, detection engineers, and threat researchers across the community. Some of the most valuable additions over the past two years have come from practitioners who encountered a technique on an engagement or in an investigation and contributed it back to the repository.",{"data":2640,"content":2641,"nodeType":254},{},[2642,2646,2654],{"data":2643,"marks":2644,"value":2645,"nodeType":240},{},[],"If you're an offensive security professional using these techniques on engagements, or a defender building detections against them, we want to hear from you. 
Submit a PR, open a discussion, or flag a technique we've missed on ",{"data":2647,"content":2649,"nodeType":249},{"uri":2648},"https://github.com/pushsecurity/browser-identity-attacks-matrix",[2650],{"data":2651,"marks":2652,"value":2653,"nodeType":240},{},[],"GitHub",{"data":2655,"marks":2656,"value":1319,"nodeType":240},{},[],{"data":2658,"content":2659,"nodeType":281},{},[],{"data":2661,"content":2662,"nodeType":291},{},[2663],{"data":2664,"marks":2665,"value":2667,"nodeType":240},{},[2666],{"type":289},"Looking ahead",{"data":2669,"content":2670,"nodeType":254},{},[2671],{"data":2672,"marks":2673,"value":2674,"nodeType":240},{},[],"The pace of attacker innovation in browser-based initial access techniques over the past 18 months has been unlike anything we've tracked before — technique after technique moving from research curiosity to industrialized criminal tooling within months, not years.",{"data":2676,"content":2677,"nodeType":2505},{},[2678,2688,2698],{"data":2679,"content":2680,"nodeType":2440},{},[2681],{"data":2682,"content":2683,"nodeType":254},{},[2684],{"data":2685,"marks":2686,"value":2687,"nodeType":240},{},[],"AiTM platforms are adding authorization-based attack options alongside their credential-harvesting capabilities.",{"data":2689,"content":2690,"nodeType":2440},{},[2691],{"data":2692,"content":2693,"nodeType":254},{},[2694],{"data":2695,"marks":2696,"value":2697,"nodeType":240},{},[],"ClickFix has spawned fully browser-native variants.",{"data":2699,"content":2700,"nodeType":2440},{},[2701],{"data":2702,"content":2703,"nodeType":254},{},[2704],{"data":2705,"marks":2706,"value":2707,"nodeType":240},{},[],"AI is lowering the cost of producing convincing social engineering and phishing infrastructure at scale.",{"data":2709,"content":2710,"nodeType":254},{},[2711],{"data":2712,"marks":2713,"value":2714,"nodeType":240},{},[],"We don't see any of this slowing down, and that's exactly why thinking about these attacks as a browser problem instead 
of siloing them across email, endpoint, network, and cloud categories (each with a partial view of the picture, and still missing the whole when combined) is so important.",{"data":2716,"content":2717,"nodeType":254},{},[2718,2722,2729],{"data":2719,"marks":2720,"value":2721,"nodeType":240},{},[],"The Browser & Identity Attacks Matrix is our contribution to keeping that shared understanding current. You can",{"data":2723,"content":2724,"nodeType":249},{"uri":61},[2725],{"data":2726,"marks":2727,"value":2728,"nodeType":240},{},[]," explore the matrix here",{"data":2730,"marks":2731,"value":1319,"nodeType":240},{},[],{"data":2733,"content":2734,"nodeType":254},{},[2735,2739,2746],{"data":2736,"marks":2737,"value":2738,"nodeType":240},{},[],"You can also read our recent",{"data":2740,"content":2741,"nodeType":249},{"uri":467},[2742],{"data":2743,"marks":2744,"value":2745,"nodeType":240},{},[]," browser attack techniques report",{"data":2747,"marks":2748,"value":2749,"nodeType":240},{},[]," for more information.",{"data":2751,"content":2755,"nodeType":263},{"target":2752},{"sys":2753},{"id":2754,"type":260,"linkType":261},"1hx6sxpyEzxn4F4jc1RGQi",[],{"data":2757,"content":2758,"nodeType":281},{},[],{"data":2760,"content":2761,"nodeType":254},{},[2762],{"data":2763,"marks":2764,"value":2765,"nodeType":240},{},[],"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required. 
Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",{"data":2767,"content":2768,"nodeType":254},{},[2769,2773,2780],{"data":2770,"marks":2771,"value":2772,"nodeType":240},{},[],"Book a",{"data":2774,"content":2775,"nodeType":249},{"uri":1004},[2776],{"data":2777,"marks":2778,"value":2779,"nodeType":240},{},[]," live demo",{"data":2781,"marks":2782,"value":1014,"nodeType":240},{},[],"Introducing the Browser & Identity Attacks Matrix","We're re-releasing the SaaS attack matrix as the Browser & Identity Attacks Matrix. Here's why we've decided to make the change and what it means.","introducing-the-browser-and-identity-attacks-matrix",{"items":2787},[2788,2790],{"sys":2789,"name":1924},{"id":1923},{"sys":2791,"name":1928},{"id":1927},{"items":2793},[2794],{"fullName":224,"firstName":225,"jobTitle":226,"profilePicture":2795},{"url":228},{"__typename":1115,"sys":2797,"publishedDate":2799,"content":2800,"title":3738,"synopsis":3739,"hashTags":62,"slug":3740,"tagsCollection":3741,"authorsCollection":3747},{"id":2798},"1jfqiWQlL6qkn3i9yjNbFB","2026-05-12T00:00:00.000Z",{"json":2801},{"nodeType":1015,"data":2802,"content":2803},{},[2804,2811,2833,2845,2852,2860,2867,2890,2897,2904,2911,2923,2929,2932,2940,2956,2976,3088,3094,3101,3107,3115,3122,3134,3141,3147,3154,3178,3185,3192,3195,3203,3210,3218,3225,3241,3248,3255,3263,3270,3277,3285,3292,3299,3302,3310,3317,3325,3332,3339,3346,3353,3361,3368,3401,3408,3415,3421,3428,3436,3443,3521,3527,3535,3551,3558,3564,3571,3587,3590,3598,3605,3612,3618,3625,3670,3677,3684,3691,3697,3700,3708,3714,3720],{"nodeType":254,"data":2805,"content":2806},{},[2807],{"nodeType":240,"value":2808,"marks":2809,"data":2810},"I
n March, our threat hunting engine flagged something it hadn’t seen before.",[],{},{"nodeType":254,"data":2812,"content":2813},{},[2814,2818,2829],{"nodeType":240,"value":2815,"marks":2816,"data":2817},"Our research team had already been tracking the growing use of ",[],{},{"nodeType":2819,"data":2820,"content":2824},"entry-hyperlink",{"target":2821},{"sys":2822},{"id":2823,"type":260,"linkType":261},"2U6QpQ9rkY8x5ES48okHZB",[2825],{"nodeType":240,"value":2826,"marks":2827,"data":2828},"malvertising",[],{},{"nodeType":240,"value":2830,"marks":2831,"data":2832}," tied to phishing campaigns. Malvertising frequently targets users via Google Search results, inserting malicious ads or redirects in place of legitimate ads, and using the familiar context of the search results page to trick users into clicking.",[],{},{"nodeType":254,"data":2834,"content":2835},{},[2836,2840],{"nodeType":240,"value":2837,"marks":2838,"data":2839},"To defend Push customers against this threat, we needed a way to spot malicious activity arising from clicking on Google ads. ",[],{},{"nodeType":240,"value":2841,"marks":2842,"data":2844},"But how to separate signal from noise?",[2843],{"type":806},{},{"nodeType":254,"data":2846,"content":2847},{},[2848],{"nodeType":240,"value":2849,"marks":2850,"data":2851},"Our hunt combined the skills of human researchers and AI agents to find 12 meaningful results from trillions of browser events visible to the Push extension across our install base.",[],{},{"nodeType":254,"data":2853,"content":2854},{},[2855],{"nodeType":240,"value":2856,"marks":2857,"data":2859},"Of those, one was novel. ",[2858],{"type":289},{},{"nodeType":254,"data":2861,"content":2862},{},[2863],{"nodeType":240,"value":2864,"marks":2865,"data":2866},"A user had searched for NotebookLM, clicked a paid Google ad, and gotten redirected to a page impersonating NotebookLM. The page itself was just a facade fronting a Cloudflare Pages-hosted phishing kit with a WebAssembly C2 connector. 
To the user, it looked like a completely on-brand NotebookLM page, and if they had run the fake install prompt, they would have installed malware. (Note: NotebookLM doesn’t even require a local install, but the page was convincing enough — and AI platforms are changing so quickly — that the lure was extremely believable.)",[],{},{"nodeType":254,"data":2868,"content":2869},{},[2870,2875,2886],{"nodeType":240,"value":2871,"marks":2872,"data":2874},"We had found our first in-the-wild ",[2873],{"type":289},{},{"nodeType":2819,"data":2876,"content":2880},{"target":2877},{"sys":2878},{"id":2879,"type":260,"linkType":261},"7bG71Eo43crbIHKzczooVS",[2881],{"nodeType":240,"value":2882,"marks":2883,"data":2885},"InstallFix attack",[2884],{"type":289},{},{"nodeType":240,"value":1319,"marks":2887,"data":2889},[2888],{"type":289},{},{"nodeType":254,"data":2891,"content":2892},{},[2893],{"nodeType":240,"value":2894,"marks":2895,"data":2896},"Within minutes, our analysis agents created detections, and researchers shipped a new detection to every Push customer. ",[],{},{"nodeType":254,"data":2898,"content":2899},{},[2900],{"nodeType":240,"value":2901,"marks":2902,"data":2903},"Eighteen months ago, it would have taken a human analyst days or even weeks to unpack the attack, comb through web requests, de-obfuscate web code, trace JavaScript execution, and extract signals of tactics, techniques, and procedures (TTPs) beyond short-lived single-use IOCs like domain name, then get their work coded up as a detection and deployed to customers. ",[],{},{"nodeType":254,"data":2905,"content":2906},{},[2907],{"nodeType":240,"value":2908,"marks":2909,"data":2910},"That was viable when new tools or techniques showed up once or twice a quarter. It doesn’t stand a chance when attack evolutions occur weekly or even daily. 
That’s the reality now with AI-generated adversary tools.",[],{},{"nodeType":254,"data":2912,"content":2913},{},[2914,2919],{"nodeType":240,"value":2915,"marks":2916,"data":2918},"So, can AI agents replace human threat researchers?",[2917],{"type":289},{},{"nodeType":240,"value":2920,"marks":2921,"data":2922}," That’s the wrong question. Can AI agents massively scale the expertise of a seasoned human threat hunter without getting bored of repetitive tasks, missing pertinent but easily overlooked details, or creating operational silos dependent on one person’s knowledge — and do their work continuously across trillions of data points? Yes, absolutely.",[],{},{"nodeType":263,"data":2924,"content":2928},{"target":2925},{"sys":2926},{"id":2927,"type":260,"linkType":261},"3OiZ7BrViCTTMmHUAbloEt",[],{"nodeType":281,"data":2930,"content":2931},{},[],{"nodeType":291,"data":2933,"content":2934},{},[2935],{"nodeType":240,"value":2936,"marks":2937,"data":2939},"Why scaling browser threat detection requires more than more analysts",[2938],{"type":289},{},{"nodeType":254,"data":2941,"content":2942},{},[2943,2947,2952],{"nodeType":240,"value":2944,"marks":2945,"data":2946},"Already this year, we’ve ",[],{},{"nodeType":240,"value":2948,"marks":2949,"data":2951},"tripled",[2950],{"type":289},{},{"nodeType":240,"value":2953,"marks":2954,"data":2955}," the cumulative number of detections shipped to Push customers using this pipeline. That output points to the first problem we set out to solve by employing AI agents: Scaling our research team’s considerable expertise.",[],{},{"nodeType":254,"data":2957,"content":2958},{},[2959,2963,2972],{"nodeType":240,"value":2960,"marks":2961,"data":2962},"Push’s R&D team are experts at understanding and unpacking modern browser-based attacks. This is essential when you consider how quickly attacks themselves are evolving. 
When we created the ",[],{},{"nodeType":2819,"data":2964,"content":2967},{"target":2965},{"sys":2966},{"id":1939,"type":260,"linkType":261},[2968],{"nodeType":240,"value":2969,"marks":2970,"data":2971},"Browser & Identity Attacks Matrix",[],{},{"nodeType":240,"value":2973,"marks":2974,"data":2975}," in 2023 (then called the SaaS Attacks Matrix), many of the ideas in it were theoretical. Not anymore. ",[],{},{"nodeType":2505,"data":2977,"content":2978},{},[2979,2989,3013],{"nodeType":2440,"data":2980,"content":2981},{},[2982],{"nodeType":254,"data":2983,"content":2984},{},[2985],{"nodeType":240,"value":2986,"marks":2987,"data":2988},"We’ve tracked the rise of AiTM phish kits from their status as MFA-bypassing novelties to the emergence of an entire criminal ecosystem built around increasingly sophisticated Phishing-as-a-Service tools. ",[],{},{"nodeType":2440,"data":2990,"content":2991},{},[2992],{"nodeType":254,"data":2993,"content":2994},{},[2995,2999,3009],{"nodeType":240,"value":2996,"marks":2997,"data":2998},"We imagined the simple but effective power of using device code authorization for phishing three years ago; in the last few months, we’ve detected a 37x increase in ",[],{},{"nodeType":2819,"data":3000,"content":3004},{"target":3001},{"sys":3002},{"id":3003,"type":260,"linkType":261},"5DmCqTU2Tg4adYScA5vT2x",[3005],{"nodeType":240,"value":3006,"marks":3007,"data":3008},"device code phishing attacks",[],{},{"nodeType":240,"value":3010,"marks":3011,"data":3012}," across our install base. 
",[],{},{"nodeType":2440,"data":3014,"content":3015},{},[3016],{"nodeType":254,"data":3017,"content":3018},{},[3019,3023,3032,3036,3045,3049,3059,3062,3071,3074,3084],{"nodeType":240,"value":3020,"marks":3021,"data":3022},"We were also the first to detect a novel post-authorization attack we dubbed ",[],{},{"nodeType":2819,"data":3024,"content":3028},{"target":3025},{"sys":3026},{"id":3027,"type":260,"linkType":261},"71EaaK7lfl6bQBbkAU0qjv",[3029],{"nodeType":240,"value":687,"marks":3030,"data":3031},[],{},{"nodeType":240,"value":3033,"marks":3034,"data":3035}," that combines OAuth consent phishing and ClickFix-style user prompts; reported on the rise of the ridiculously simple yet effective ",[],{},{"nodeType":2819,"data":3037,"content":3040},{"target":3038},{"sys":3039},{"id":2879,"type":260,"linkType":261},[3041],{"nodeType":240,"value":3042,"marks":3043,"data":3044},"InstallFix technique",[],{},{"nodeType":240,"value":3046,"marks":3047,"data":3048}," described earlier; and detected an array of other ",[],{},{"nodeType":2819,"data":3050,"content":3054},{"target":3051},{"sys":3052},{"id":3053,"type":260,"linkType":261},"2YmiesBvJHGw4wiKEKzLUq",[3055],{"nodeType":240,"value":3056,"marks":3057,"data":3058},"creative",[],{},{"nodeType":240,"value":1443,"marks":3060,"data":3061},[],{},{"nodeType":2819,"data":3063,"content":3066},{"target":3064},{"sys":3065},{"id":2823,"type":260,"linkType":261},[3067],{"nodeType":240,"value":3068,"marks":3069,"data":3070},"phishing",[],{},{"nodeType":240,"value":1443,"marks":3072,"data":3073},[],{},{"nodeType":2819,"data":3075,"content":3079},{"target":3076},{"sys":3077},{"id":3078,"type":260,"linkType":261},"6Zosy4SU0LpjlaSWX75peb",[3080],{"nodeType":240,"value":3081,"marks":3082,"data":3083},"campaigns",[],{},{"nodeType":240,"value":3085,"marks":3086,"data":3087}," tied to malvertising 
scams.",[],{},{"nodeType":263,"data":3089,"content":3093},{"target":3090},{"sys":3091},{"id":3092,"type":260,"linkType":261},"53U3LHhhHFYnEpShdLmDqs",[],{"nodeType":254,"data":3095,"content":3096},{},[3097],{"nodeType":240,"value":3098,"marks":3099,"data":3100},"With an agentic approach, we could scale this expertise and reduce the time it takes to go from technique discovery to production-ready detection. This speed is critical now because adversaries are also using AI tools to do their work, exploding the number of trivial-to-rotate indicators of compromise and overwhelming existing detection workflows that lack an equivalent machine speed.",[],{},{"nodeType":263,"data":3102,"content":3106},{"target":3103},{"sys":3104},{"id":3105,"type":260,"linkType":261},"1u00uFbC4xsvP9lqahXbgD",[],{"nodeType":371,"data":3108,"content":3109},{},[3110],{"nodeType":240,"value":3111,"marks":3112,"data":3114},"Scaling behavioral detections, not just making bigger blocklists",[3113],{"type":289},{},{"nodeType":254,"data":3116,"content":3117},{},[3118],{"nodeType":240,"value":3119,"marks":3120,"data":3121},"But output numbers alone don’t tell the story of successful detections. That’s the other problem we set out to solve at scale: Most secure browser solutions rely on detection logic based on blocking known-bad indicators like domains, IPs, and URLs.",[],{},{"nodeType":254,"data":3123,"content":3124},{},[3125,3130],{"nodeType":240,"value":3126,"marks":3127,"data":3129},"If your solution offers 1,000 detections, and they’re all based on known-bad indicators that are easily rotated, then you’ve got 1,000 detections that worked once and will likely never fire again. ",[3128],{"type":289},{},{"nodeType":240,"value":3131,"marks":3132,"data":3133},"They certainly won’t catch subtle adaptations in adversary techniques that don’t rely on infrastructure changes, which are easy for attackers to swap anyway. 
",[],{},{"nodeType":254,"data":3135,"content":3136},{},[3137],{"nodeType":240,"value":3138,"marks":3139,"data":3140},"Push does it differently. Our detection engine is focused on hunting for tactics, techniques, and procedures: the behavioral fingerprints of an attack, not just the infrastructure it runs on. ",[],{},{"nodeType":263,"data":3142,"content":3146},{"target":3143},{"sys":3144},{"id":3145,"type":260,"linkType":261},"5jR3YVUiusHGnXDOyrgYpr",[],{"nodeType":254,"data":3148,"content":3149},{},[3150],{"nodeType":240,"value":3151,"marks":3152,"data":3153},"Instead of blocking based on known-bad domains, URLs, and IPs, our detections are built around user-level and page-level behaviors like what scripts load, how redirects behave, what events fire, what actions a user takes and what happens next, etc. (In fact, Push detections don’t even use any infrastructure-based IOCs, though customers can write their own custom detections if they have a specific IOC they’re keeping an eye on.)",[],{},{"nodeType":254,"data":3155,"content":3156},{},[3157,3162,3173],{"nodeType":240,"value":3158,"marks":3159,"data":3161},"All the detections we write would survive infrastructure rotation by adversaries, and many of our existing detections have caught never-before-seen evolutions in TTPs. That’s because we focus on the top of the ",[3160],{"type":289},{},{"nodeType":2819,"data":3163,"content":3167},{"target":3164},{"sys":3165},{"id":3166,"type":260,"linkType":261},"1qegIy4rMdm5XZXnIEoKpE",[3168],{"nodeType":240,"value":3169,"marks":3170,"data":3172},"Pyramid of Pain",[3171],{"type":289},{},{"nodeType":240,"value":3174,"marks":3175,"data":3177},", the indicators that are hardest for attackers to change.",[3176],{"type":289},{},{"nodeType":254,"data":3179,"content":3180},{},[3181],{"nodeType":240,"value":3182,"marks":3183,"data":3184},"This focus on detecting TTPs has always been our approach. 
But with the acceleration in both attack types and the ease with which adversaries rotate infrastructure, we needed to build capabilities that scaled our knowledge. ",[],{},{"nodeType":254,"data":3186,"content":3187},{},[3188],{"nodeType":240,"value":3189,"marks":3190,"data":3191},"We did this not by replacing researchers, but by continuously activating their expertise.",[],{},{"nodeType":281,"data":3193,"content":3194},{},[],{"nodeType":291,"data":3196,"content":3197},{},[3198],{"nodeType":240,"value":3199,"marks":3200,"data":3202},"Core principles for agentic threat hunting",[3201],{"type":289},{},{"nodeType":254,"data":3204,"content":3205},{},[3206],{"nodeType":240,"value":3207,"marks":3208,"data":3209},"Three principles make Push's agentic threat hunting and detection engineering pipeline work:",[],{},{"nodeType":371,"data":3211,"content":3212},{},[3213],{"nodeType":240,"value":3214,"marks":3215,"data":3217},"Context matters more than custom models",[3216],{"type":289},{},{"nodeType":254,"data":3219,"content":3220},{},[3221],{"nodeType":240,"value":3222,"marks":3223,"data":3224},"We’re not AI researchers; we’re security researchers — we aren't trying to compete in building the most intelligent models. And in our view, AI models are quickly becoming commoditized like cloud infrastructure, anyway. Luckily, the commercial models today already excel at understanding web code. We just need to harness their power with our expertise.",[],{},{"nodeType":254,"data":3226,"content":3227},{},[3228,3232,3237],{"nodeType":240,"value":3229,"marks":3230,"data":3231},"So at Push, we use a variety of commercial AI models and tools in complementary ways. 
What matters most is the telemetry they analyze, and that’s where Push’s existing product infrastructure shines: We’re already deployed into over ",[],{},{"nodeType":240,"value":3233,"marks":3234,"data":3236},"3 million browsers worldwide",[3235],{"type":289},{},{"nodeType":240,"value":3238,"marks":3239,"data":3240},", and the Push browser extension includes a component that operates as a flight recorder to locally record everything that matters inside a browser session.",[],{},{"nodeType":254,"data":3242,"content":3243},{},[3244],{"nodeType":240,"value":3245,"marks":3246,"data":3247},"This universe of metadata — DOM elements, tab context, script execution, network traffic, user actions, credential entry, etc. — becomes the searchable corpus for hunts. Metadata is stored locally in users’ browsers and only queried during targeted threat hunts. ",[],{},{"nodeType":254,"data":3249,"content":3250},{},[3251],{"nodeType":240,"value":3252,"marks":3253,"data":3254},"This approach avoids dragnet collection of sensitive data. Instead, we focus on collecting metadata and distilling that into patterns and insights that provide context for agents to perform their analysis. This means that Push also does not train or fine-tune models on customer data.",[],{},{"nodeType":371,"data":3256,"content":3257},{},[3258],{"nodeType":240,"value":3259,"marks":3260,"data":3262},"Agents are only as good as the context you give them. Good context is researcher-led",[3261],{"type":289},{},{"nodeType":254,"data":3264,"content":3265},{},[3266],{"nodeType":240,"value":3267,"marks":3268,"data":3269},"AI agents don’t know how to identify the TTPs of browser-based attacks until you give them the right context, and Push researchers have spent years unpacking these techniques and tools. Agents at Push consume our internal knowledge base of identified TTPs, and both humans and agents perform meta-analyses to check their work. 
The agents have access to large libraries of traces of human interactions with real phishing kits. This is a powerful dataset to build on.",[],{},{"nodeType":254,"data":3271,"content":3272},{},[3273],{"nodeType":240,"value":3274,"marks":3275,"data":3276},"When we don’t get the results we want from AI models, the question is “What context is it missing? What does our human team know that the agents don’t, and how can we give them that context — do they need data, tools, better workflows?” That closes the gap in performance and keeps quality high.",[],{},{"nodeType":371,"data":3278,"content":3279},{},[3280],{"nodeType":240,"value":3281,"marks":3282,"data":3284},"Integrated architecture that makes agentic AI the throughput layer, not a bolt-on",[3283],{"type":289},{},{"nodeType":254,"data":3286,"content":3287},{},[3288],{"nodeType":240,"value":3289,"marks":3290,"data":3291},"The constraint we’re trying to break by using AI isn’t knowledge, it’s throughput. Our researchers deeply understand the techniques and tools. An agentic pipeline can apply that understanding continuously across millions of browsers and trillions of events, ingest new external signals, generate hunt hypotheses, triage results, and return only the findings that warrant escalation.",[],{},{"nodeType":254,"data":3293,"content":3294},{},[3295],{"nodeType":240,"value":3296,"marks":3297,"data":3298},"This approach relies on tight integration of our product and our agentic workflows. We’ll take a closer look at that in the next section.",[],{},{"nodeType":281,"data":3300,"content":3301},{},[],{"nodeType":291,"data":3303,"content":3304},{},[3305],{"nodeType":240,"value":3306,"marks":3307,"data":3309},"How the agentic detection pipeline runs",[3308],{"type":289},{},{"nodeType":254,"data":3311,"content":3312},{},[3313],{"nodeType":240,"value":3314,"marks":3315,"data":3316},"Now let’s look at how agentic threat detection actually works, and some of the emerging best practices we’ve identified. 
We'll cover two example hunts, one initiated autonomously by the agents themselves, and one by our research team. ",[],{},{"nodeType":371,"data":3318,"content":3319},{},[3320],{"nodeType":240,"value":3321,"marks":3322,"data":3324},"Example 1: Autonomous threat hunt",[3323],{"type":289},{},{"nodeType":254,"data":3326,"content":3327},{},[3328],{"nodeType":240,"value":3329,"marks":3330,"data":3331},"Push’s threat hunting pipeline ingested context from research articles describing a new attack technique, and an agent developed hypotheses on what to hunt for across Push’s install base to identify instances of this attack. ",[],{},{"nodeType":254,"data":3333,"content":3334},{},[3335],{"nodeType":240,"value":3336,"marks":3337,"data":3338},"The agent crafted detection queries and then refined them to reduce false positives. The successful query ran across stored metadata and returned results, validating that there were zero false positives. ",[],{},{"nodeType":254,"data":3340,"content":3341},{},[3342],{"nodeType":240,"value":3343,"marks":3344,"data":3345},"The validated query became a scheduled job that runs on a regular cadence to monitor for potentially malicious signals. A triage agent then received any matches, did an initial analysis, and passed anything that looked suspicious to another agent to perform deeper analysis. This deep analysis agent wields the full investigative toolkit that a human researcher would — using Push’s internal knowledge base, domain age and registration analysis, URLScan and whois lookups, DOM image analysis, and contextual analysis of page-level and user-level behaviors, etc.",[],{},{"nodeType":254,"data":3347,"content":3348},{},[3349],{"nodeType":240,"value":3350,"marks":3351,"data":3352},"Within a few minutes, it can filter a thousand or more signals in a hunt trace down to a handful with meaning and provide an actionable assessment. 
Then, once the TTP was well-understood, other agents wrote and refined detections that can raise alerts for customers when an event of this type is seen. The Push platform immediately applies the customer’s configured security controls, such as blocking users from interacting with malicious pages.",[],{},{"nodeType":371,"data":3354,"content":3355},{},[3356],{"nodeType":240,"value":3357,"marks":3358,"data":3360},"Example 2: Human-initiated threat hunt",[3359],{"type":289},{},{"nodeType":254,"data":3362,"content":3363},{},[3364],{"nodeType":240,"value":3365,"marks":3366,"data":3367},"Now, going back to the example from the beginning of the article: InstallFix. This hunt started with a thorny problem our research team needed to solve: How to detect bad things downstream of a user interacting with a Google ad? We needed a way to pinpoint the bad links from the good ones.",[],{},{"nodeType":254,"data":3369,"content":3370},{},[3371,3375,3380,3384,3389,3392,3397],{"nodeType":240,"value":3372,"marks":3373,"data":3374},"Our researchers collaborated with agents to formulate the right parameters for hunt queries, taking into account that good ads are normally bought by companies with marketing budgets, so therefore ads will be expected to redirect to pages hosted on custom domains, not shared domains like ",[],{},{"nodeType":240,"value":3376,"marks":3377,"data":3379},"*pages.dev",[3378],{"type":289},{},{"nodeType":240,"value":3381,"marks":3382,"data":3383},", ",[],{},{"nodeType":240,"value":3385,"marks":3386,"data":3388},"*workers.dev",[3387],{"type":289},{},{"nodeType":240,"value":3381,"marks":3390,"data":3391},[],{},{"nodeType":240,"value":3393,"marks":3394,"data":3396},"*squarespace.com",[3395],{"type":289},{},{"nodeType":240,"value":3398,"marks":3399,"data":3400},", etc.",[],{},{"nodeType":254,"data":3402,"content":3403},{},[3404],{"nodeType":240,"value":3405,"marks":3406,"data":3407},"Our AI agents already understood key TTPs that indicated potential maliciousness on a 
page: password prompts, file downloads, OAuth integrations, clipboard copies, and similar user prompts that are frequently abused.",[],{},{"nodeType":254,"data":3409,"content":3410},{},[3411],{"nodeType":240,"value":3412,"marks":3413,"data":3414},"The agent ran several queries that returned matching browsing traces — the term we use for sequences of events in a session or tab context — where the user clicked a Google ad, was redirected to a page on a shared hosting domain, and then clicked a button to copy content to their clipboard.",[],{},{"nodeType":263,"data":3416,"content":3420},{"target":3417},{"sys":3418},{"id":3419,"type":260,"linkType":261},"4IWOrWuvbwzWRJUkINiwKH",[],{"nodeType":254,"data":3422,"content":3423},{},[3424],{"nodeType":240,"value":3425,"marks":3426,"data":3427},"We got back high-fidelity findings and then tuned the query into a continuous detection that leveraged existing detection logic around related techniques. This process also effectively back-tests new detections, so we know we’re not going to generate a lot of false positives. Result: A new detection against a new technique, plus several improvements to existing detections.",[],{},{"nodeType":371,"data":3429,"content":3430},{},[3431],{"nodeType":240,"value":3432,"marks":3433,"data":3435},"What infrastructure is needed for agentic threat hunting?",[3434],{"type":289},{},{"nodeType":254,"data":3437,"content":3438},{},[3439],{"nodeType":240,"value":3440,"marks":3441,"data":3442},"Both of these examples illustrate the end-to-end workflows supported by this pipeline. 
From an infrastructure perspective, you can think about the pipeline as composed of:",[],{},{"nodeType":2505,"data":3444,"content":3445},{},[3446,3461,3476,3491,3506],{"nodeType":2440,"data":3447,"content":3448},{},[3449],{"nodeType":254,"data":3450,"content":3451},{},[3452,3457],{"nodeType":240,"value":3453,"marks":3454,"data":3456},"A flight recorder: ",[3455],{"type":289},{},{"nodeType":240,"value":3458,"marks":3459,"data":3460},"The Push extension-powered capability that collects and locally stores browser event metadata from users’ browsers.",[],{},{"nodeType":2440,"data":3462,"content":3463},{},[3464],{"nodeType":254,"data":3465,"content":3466},{},[3467,3472],{"nodeType":240,"value":3468,"marks":3469,"data":3471},"A knowledge base:",[3470],{"type":289},{},{"nodeType":240,"value":3473,"marks":3474,"data":3475}," Structured knowledge about what Push knows about TTPs and its existing body of detection logic, as well as externally sourced signals of new attack trends.",[],{},{"nodeType":2440,"data":3477,"content":3478},{},[3479],{"nodeType":254,"data":3480,"content":3481},{},[3482,3487],{"nodeType":240,"value":3483,"marks":3484,"data":3486},"Agents as tools: ",[3485],{"type":289},{},{"nodeType":240,"value":3488,"marks":3489,"data":3490},"Role-segmented agents that work as a team to triage, investigate, develop hunt queries, return analyses, write detections, and review each others’ work for completeness and accuracy.",[],{},{"nodeType":2440,"data":3492,"content":3493},{},[3494],{"nodeType":254,"data":3495,"content":3496},{},[3497,3502],{"nodeType":240,"value":3498,"marks":3499,"data":3501},"Humans in the loop: ",[3500],{"type":289},{},{"nodeType":240,"value":3503,"marks":3504,"data":3505},"Human researchers who collaborate with agents to initiate hunts and tune detections.",[],{},{"nodeType":2440,"data":3507,"content":3508},{},[3509],{"nodeType":254,"data":3510,"content":3511},{},[3512,3517],{"nodeType":240,"value":3513,"marks":3514,"data":3516},"Platform 
controls: ",[3515],{"type":289},{},{"nodeType":240,"value":3518,"marks":3519,"data":3520},"The Push administrator-configured controls that specify how to respond to detected events like AiTM phishing, tuneable by scope, user groups, browser profiles, apps, etc.",[],{},{"nodeType":263,"data":3522,"content":3526},{"target":3523},{"sys":3524},{"id":3525,"type":260,"linkType":261},"7FY0vCBUXOt4vnudFuKALC",[],{"nodeType":371,"data":3528,"content":3529},{},[3530],{"nodeType":240,"value":3531,"marks":3532,"data":3534},"What are the best practices for agentic threat detection?",[3533],{"type":289},{},{"nodeType":254,"data":3536,"content":3537},{},[3538,3542,3547],{"nodeType":240,"value":3539,"marks":3540,"data":3541},"To be effective, agents must specialize and focus. This is the ",[],{},{"nodeType":240,"value":3543,"marks":3544,"data":3546},"agents as tools",[3545],{"type":289},{},{"nodeType":240,"value":3548,"marks":3549,"data":3550}," concept. When we’re asking AI agents to take massive amounts of data and make a high-level decision about a signal in observed browser events, they must work as a team, finding intelligent ways to condense information without losing important context or hallucinating.",[],{},{"nodeType":254,"data":3552,"content":3553},{},[3554],{"nodeType":240,"value":3555,"marks":3556,"data":3557},"Creating a hierarchy of agent jobs — including agents to perform meta-analyses to catch mistakes and verify conclusions — makes the agents effective by giving them a manageable focus that controls the size of context windows.",[],{},{"nodeType":263,"data":3559,"content":3563},{"target":3560},{"sys":3561},{"id":3562,"type":260,"linkType":261},"3fzJCknMUmh4Z7YnhBSbsT",[],{"nodeType":254,"data":3565,"content":3566},{},[3567],{"nodeType":240,"value":3568,"marks":3569,"data":3570},"Creating an agentic workflow requires operationalizing your internal knowledge in a repeatable and trustworthy way. 
Sharing rich context from human discoveries is the key to getting the best results out of agents. ",[],{},{"nodeType":254,"data":3572,"content":3573},{},[3574,3578,3583],{"nodeType":240,"value":3575,"marks":3576,"data":3577},"It’s vital, too, that the agent uses ",[],{},{"nodeType":240,"value":3579,"marks":3580,"data":3582},"privacy-preserving methods and infrastructure.",[3581],{"type":289},{},{"nodeType":240,"value":3584,"marks":3585,"data":3586}," The Push agent is designed to respect customer and user privacy while enabling high-fidelity detections. We do this by collecting broad browser metadata but storing it locally in users’ browsers and only querying that metadata during active threat hunting investigations.",[],{},{"nodeType":281,"data":3588,"content":3589},{},[],{"nodeType":291,"data":3591,"content":3592},{},[3593],{"nodeType":240,"value":3594,"marks":3595,"data":3597},"The compounding effect and how it benefits Push customers",[3596],{"type":289},{},{"nodeType":254,"data":3599,"content":3600},{},[3601],{"nodeType":240,"value":3602,"marks":3603,"data":3604},"At Push, we think about our detection capability as two learning loops with a compounding effect: An inner loop that serves as our real-time detection and response engine for known attacker techniques, and an outer loop that is the continuous learning our agents do as they hunt for new threats, analyze emerging behaviors, and create new detections. 
",[],{},{"nodeType":254,"data":3606,"content":3607},{},[3608],{"nodeType":240,"value":3609,"marks":3610,"data":3611},"The outer loop feeds the inner loop, and vice versa.",[],{},{"nodeType":263,"data":3613,"content":3617},{"target":3614},{"sys":3615},{"id":3616,"type":260,"linkType":261},"1Jjqll7IIX2QRxN37gjFMH",[],{"nodeType":254,"data":3619,"content":3620},{},[3621],{"nodeType":240,"value":3622,"marks":3623,"data":3624},"Customers benefit from this approach because it means they:",[],{},{"nodeType":2505,"data":3626,"content":3627},{},[3628,3650,3660],{"nodeType":2440,"data":3629,"content":3630},{},[3631],{"nodeType":254,"data":3632,"content":3633},{},[3634,3638,3646],{"nodeType":240,"value":3635,"marks":3636,"data":3637},"Regularly receive ready-made detections against both known and emerging browser-based threats, without having to write their own detections. (Push also provides the ability to write your own ",[],{},{"nodeType":249,"data":3639,"content":3641},{"uri":3640},"/help/audience/engineering/resources/custom-detections",[3642],{"nodeType":240,"value":3643,"marks":3644,"data":3645},"custom detections",[],{},{"nodeType":240,"value":3647,"marks":3648,"data":3649},", too, for environment-specific use cases.)",[],{},{"nodeType":2440,"data":3651,"content":3652},{},[3653],{"nodeType":254,"data":3654,"content":3655},{},[3656],{"nodeType":240,"value":3657,"marks":3658,"data":3659},"Can configure Push’s response actions based on their security goals and environment. Agents act as the threat-hunting and detection engineering team; Push customers set the thresholds for how they want to respond. 
For example, customers can use Push controls to block all AiTM phishing attacks (or even carve out exceptions for their own incident responders to be able to visit malicious pages with just a warning), and agents continually feed new indicators into detection logic for that class of attack.",[],{},{"nodeType":2440,"data":3661,"content":3662},{},[3663],{"nodeType":254,"data":3664,"content":3665},{},[3666],{"nodeType":240,"value":3667,"marks":3668,"data":3669},"Get pre-digested and actionable intelligence from every detection, with extremely high fidelity.",[],{},{"nodeType":254,"data":3671,"content":3672},{},[3673],{"nodeType":240,"value":3674,"marks":3675,"data":3676},"This all equates to your own advanced browser threat protection, without requiring the specialized in-house expertise we’ve spent years building.",[],{},{"nodeType":254,"data":3678,"content":3679},{},[3680],{"nodeType":240,"value":3681,"marks":3682,"data":3683},"If you’re a Push customer, you already know that we regularly collaborate with security teams to identify and refine detection use cases, and assist with investigations. In the past few months alone, we’ve worked closely with teams targeted by device code phishing, and InstallFix and ClickFix campaigns, among others. 
",[],{},{"nodeType":254,"data":3685,"content":3686},{},[3687],{"nodeType":240,"value":3688,"marks":3689,"data":3690},"If you’re not a customer and are curious about how Push’s agentic threat hunting and detection engineering capabilities can address your use cases, please get in touch.",[],{},{"nodeType":263,"data":3692,"content":3696},{"target":3693},{"sys":3694},{"id":3695,"type":260,"linkType":261},"607jrBjlD1vtcbkDfD04DE",[],{"nodeType":281,"data":3698,"content":3699},{},[],{"nodeType":291,"data":3701,"content":3702},{},[3703],{"nodeType":240,"value":3704,"marks":3705,"data":3707},"Learn more",[3706],{"type":289},{},{"nodeType":254,"data":3709,"content":3710},{},[3711],{"nodeType":240,"value":988,"marks":3712,"data":3713},[],{},{"nodeType":254,"data":3715,"content":3716},{},[3717],{"nodeType":240,"value":995,"marks":3718,"data":3719},[],{},{"nodeType":254,"data":3721,"content":3722},{},[3723,3727,3735],{"nodeType":240,"value":3724,"marks":3725,"data":3726},"Book a ",[],{},{"nodeType":249,"data":3728,"content":3730},{"uri":3729},"/demo",[3731],{"nodeType":240,"value":3732,"marks":3733,"data":3734},"live demo",[],{},{"nodeType":240,"value":1014,"marks":3736,"data":3737},[],{},"Can AI replace a threat researcher? 
What we learned building an agentic threat hunting pipeline","How we built an end-to-end threat hunting and detection engineering capability at Push that uses AI agents as a force multiplier.","can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline",{"items":3742},[3743,3745],{"sys":3744,"name":1924},{"id":1923},{"sys":3746,"name":1928},{"id":1927},{"items":3748},[3749],{"fullName":3750,"firstName":3751,"jobTitle":3752,"profilePicture":3753},"Kelly Davenport","Kelly","Product Team",{"url":3754},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg","the-pyramid-of-pain-in-the-ai-era","blog/the-pyramid-of-pain-in-the-ai-era",{"json":3758},{"data":3759,"content":3760,"nodeType":1015},{},[3761],{"data":3762,"content":3763,"nodeType":254},{},[3764],{"data":3765,"marks":3766,"value":3767,"nodeType":240},{},[],"AI is accelerating the collapse of indicator-based threat detection. Technique-level detection is the only layer that holds, and requires both the right vantage point and the research capability to stay ahead.","AI is accelerating the collapse of indicator-based threat detection. Here's why you need technique-level detection to stay ahead.",{"id":3770,"publishedAt":3771},"5RDOpmzJolwT1hk0fNIxzf","2026-06-01T07:20:00.956Z",{"items":3773},[3774,3776],{"sys":3775,"name":1928},{"id":1927},{"sys":3777,"name":1924},{"id":1923},"6Iy7zFSkfO9oGWYgAScdCnKG-XfFjC02K-Sz0mBbrIo",1780298733296]