[{"data":1,"prerenderedAt":7125},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":99,"navbar-resource-highlight":173,"blog/unpacking-the-vercel-breach":219,"use-case-page":6104},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"1bait48ugj5",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"query":41,"data":42,"variations":88,"lastUpdated":89,"firstPublished":90,"testRatio":23,"createdBy":91,"lastUpdatedBy":92,"folders":93,"meta":94,"rev":98},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":84},"ewrererw","testrfesssssssssss",[46,72],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":62},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":61},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>New Webinar Series: Join John Hammond, 
Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":60,"fontSize":58,"url":55},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":63},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"marginTop":69,"marginBottom":69,"fontSize":70,"fontWeight":71},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":73,"@type":47,"tagName":74,"properties":75,"responsiveStyles":79},"builder-pixel-9nb7t2zog2i","img",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":80},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},"block","hidden","none",{"deviceSize":85,"location":86},"large",{"path":29,"query":87},{},{},1775137295127,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":95,"hasLinks":6,"kind":96,"lastPreviewUrl":97,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","l9ad9a4zp9",[100,136],{"createdDate":101,"id":102,"name":103,"modelId":104,"publishe
d":13,"stageModifiedSincePublish":6,"query":105,"data":106,"variations":129,"lastUpdated":130,"firstPublished":131,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":132,"meta":133,"rev":135},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":107,"type":108,"testimonialLink":109,"testimonial":110},{},"testimonial","/customer-stories/inductive-automation",{"@type":111,"id":112,"model":108,"value":113},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":114,"folders":115,"createdDate":116,"id":112,"name":117,"modelId":118,"published":13,"data":119,"variations":123,"lastUpdated":124,"firstPublished":125,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"meta":126,"rev":128},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":120,"jobTitle":121,"quote":117,"image":122},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":127,"hasAutosaves":34},{"small":32,"medium":33},"76q19pwbant",{},1776247404986,1776247404973,[],{"breakpoints":134,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"ctmpwqs54t",{"createdDate":137,"id":138,"name":139,"modelId":104,"published":13,"meta":140,"stageModifiedSincePublish":6,"query":142,"data":143,"variations":169,"lastUpdated":170,"firstPublished":171,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":172,"rev":135},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack 
Techniques",{"breakpoints":141,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":144,"link":163,"type":166,"title":139,"description":167,"image":168},{"@type":111,"id":145,"model":108,"value":146},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":147,"folders":148,"createdDate":149,"id":145,"name":150,"modelId":118,"published":13,"data":151,"variations":157,"lastUpdated":158,"firstPublished":159,"testRatio":23,"createdBy":91,"lastUpdatedBy":24,"meta":160,"rev":162},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":152,"jobTitle":153,"author":154,"qoute":29,"quote":155,"image":156},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":161,"hasAutosaves":34},{"small":32,"medium":33},"gprh8st2hna",{"text":164,"url":165},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the 
wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[174,197],{"createdDate":175,"id":176,"name":139,"modelId":177,"published":13,"meta":178,"stageModifiedSincePublish":6,"query":180,"data":181,"variations":192,"lastUpdated":193,"firstPublished":194,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":195,"rev":196},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":179,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":182,"link":191,"type":166,"title":139,"description":167,"image":168},{"@type":111,"id":145,"model":108,"value":183},{"query":184,"folders":185,"createdDate":149,"id":145,"name":150,"modelId":118,"published":13,"data":186,"variations":187,"lastUpdated":158,"firstPublished":159,"testRatio":23,"createdBy":91,"lastUpdatedBy":24,"meta":188,"rev":190},[],[],{"video":152,"jobTitle":153,"author":154,"qoute":29,"quote":155,"image":156},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":189,"hasAutosaves":34},{"small":32,"medium":33},"4zg6tjtxa6",{"text":164,"url":165},{},1776256937553,1776256937540,[],"wi8e6009akr",{"createdDate":198,"id":199,"name":200,"modelId":177,"published":13,"stageModifiedSincePublish":6,"query":201,"data":202,"variations":213,"lastUpdated":214,"firstPublished":215,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":216,"meta":217,"rev":196},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":203,"type":108,"testimonial":204,"testimonialLink":109},{},{"@type":111,"id":112,"model":108,"value":205},{"query":206,"folders":207,"createdDate":116,"id":112,"name":117,"modelId":118,"published":13,"data":208,"variations":209,"lastUpdated":124,"firstPublished":125,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"meta":210,"rev":212},[],[],{"author":120,"jobTitle":121,"quote":117,"image":122},{},{"kind":2
8,"lastPreviewUrl":29,"breakpoints":211,"hasAutosaves":34},{"small":32,"medium":33},"ajjz34zaele",{},1776256974140,1776256974130,[],{"breakpoints":218,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"_path":220,"_dir":221,"_draft":6,"_partial":6,"_locale":29,"sys":222,"ogImage":61,"summary":225,"title":239,"subtitle":61,"metaTitle":240,"synopsis":241,"hashTags":61,"publishedDate":242,"slug":243,"tagsCollection":244,"authorsCollection":254,"content":262,"relatedBlogPostsCollection":1138,"_id":6099,"_type":6100,"_source":6101,"_file":6102,"_stem":6103,"_extension":6100},"/blog/unpacking-the-vercel-breach","blog",{"id":223,"publishedAt":224},"Lq2AFQ8VG2rMEe4h2CYuH","2026-04-23T20:44:38.558Z",{"json":226},{"data":227,"content":228,"nodeType":238},{},[229],{"data":230,"content":231,"nodeType":237},{},[232],{"data":233,"marks":234,"value":235,"nodeType":236},{},[],"In April 2026, Vercel was compromised via an OAuth app integrated into their Google Workspace tenant stemming from a compromised third-party AI SaaS provider. Here’s what you need to know. 
","text","paragraph","document","Unpacking the Vercel breach: A cautionary tale for Shadow AI and OAuth sprawl","Unpacking the Vercel breach: Shadow AI and OAuth sprawl","In April 2026, Vercel was compromised via an OAuth app integrated into their Google Workspace tenant stemming from a compromised third-party AI SaaS provider.","2026-04-23T00:00:00.000Z","unpacking-the-vercel-breach",{"items":245},[246,250],{"sys":247,"name":249},{"id":248},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":251,"name":253},{"id":252},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":255},[256],{"fullName":257,"firstName":258,"jobTitle":259,"profilePicture":260},"Dan Green","Dan","Threat Research",{"url":261},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":263,"links":971},{"nodeType":238,"data":264,"content":265},{},[266,298,331,338,342,351,358,367,386,393,402,422,439,446,453,456,464,471,478,528,535,543,555,562,569,575,583,590,677,683,686,694,701,717,724,731,737,757,760,768,775,781,800,807,814,820,823,831,838,845,851,858,864,870,895,901,913,920,927],{"nodeType":237,"data":267,"content":268},{},[269,273,284,288,294],{"nodeType":236,"value":270,"marks":271,"data":272},"This week, a user going by the name of “ShinyHunters” (though allegedly not ",[],{},{"nodeType":274,"data":275,"content":277},"hyperlink",{"uri":276},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[278],{"nodeType":236,"value":279,"marks":280,"data":283},"actual ShinyHunters",[281],{"type":282},"underline",{},{"nodeType":236,"value":285,"marks":286,"data":287},", but someone imitating them in an attempt to trade off their credibility) posted on a breach forum claiming access keys, source code, and database data allegedly stolen from cloud development platform provider 
",[],{},{"nodeType":236,"value":289,"marks":290,"data":293},"Vercel",[291],{"type":292},"bold",{},{"nodeType":236,"value":295,"marks":296,"data":297},". ",[],{},{"nodeType":237,"data":299,"content":300},{},[301,305,314,318,327],{"nodeType":236,"value":302,"marks":303,"data":304},"This happened because a Vercel employee had connected an AI app, Context.ai, into their Google Workspace tenant. When Context.ai was compromised — ",[],{},{"nodeType":274,"data":306,"content":308},{"uri":307},"https://www.infostealers.com/article/breaking-vercel-breach-linked-to-infostealer-infection-at-context-ai/",[309],{"nodeType":236,"value":310,"marks":311,"data":313},"allegedly the result of an infostealer infection from an employee searching for Roblox cheats",[312],{"type":282},{},{"nodeType":236,"value":315,"marks":316,"data":317}," — the attacker was able to leverage OAuth tokens stored in Context.ai’s Supabase platform to access downstream customer accounts (pointing to a heavily permissioned victim, probably a developer, possibly even a ",[],{},{"nodeType":274,"data":319,"content":321},{"uri":320},"https://pushsecurity.com/blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches/",[322],{"nodeType":236,"value":323,"marks":324,"data":326},"personal device with access to corp credentials",[325],{"type":282},{},{"nodeType":236,"value":328,"marks":329,"data":330},"). ",[],{},{"nodeType":237,"data":332,"content":333},{},[334],{"nodeType":236,"value":335,"marks":336,"data":337},"This access included a Vercel employee’s Google Workspace account. This particular user had significant access to data and secrets in Vercel’s systems, including internal dashboards, employee records, API keys, NPM tokens, and GitHub tokens, which the attacker was able to exfiltrate, holding Vercel to ransom for $2 million. 
",[],{},{"nodeType":339,"data":340,"content":341},"hr",{},[],{"nodeType":343,"data":344,"content":345},"heading-1",{},[346],{"nodeType":236,"value":347,"marks":348,"data":350},"How did this happen, and what could have stopped it?",[349],{"type":292},{},{"nodeType":237,"data":352,"content":353},{},[354],{"nodeType":236,"value":355,"marks":356,"data":357},"From Vercel’s perspective, this attack could have been avoided had their employees been blocked from adding new OAuth integrations without admin approval (a toggle in their Google admin panel, and an essential control in a well-configured environment). Or, if the integration had been flagged in a routine audit and removed. ",[],{},{"nodeType":359,"data":360,"content":366},"embedded-entry-block",{"target":361},{"sys":362},{"id":363,"type":364,"linkType":365},"b5HFvY1m6RnuXL3a95jVt","Link","Entry",[],{"nodeType":237,"data":368,"content":369},{},[370,374,382],{"nodeType":236,"value":371,"marks":372,"data":373},"It probably should have been removed, too. The particular OAuth app that was connected into the environment was a deprecated “AI Office Suite” product intended for consumer use. ",[],{},{"nodeType":274,"data":375,"content":377},{"uri":376},"https://context.ai/security-update",[378],{"nodeType":236,"value":379,"marks":380,"data":381},"According to Context.ai",[],{},{"nodeType":236,"value":383,"marks":384,"data":385},", Vercel aren’t even a registered customer — adding more evidence that this was probably the result of a self-service trial that was subsequently forgotten about. That consumer product has also since been replaced by an enterprise product. But for whatever reason, the access hadn’t been revoked (from either side). ",[],{},{"nodeType":237,"data":387,"content":388},{},[389],{"nodeType":236,"value":390,"marks":391,"data":392},"The elephant in the room is that Context.ai is an AI app. Most organizations are rightly nervous about employees adding unapproved AI SaaS into their environment. 
Having employees use shadow AI in the form of LLMs is one thing — users uploading sensitive data to unapproved apps or external tenants being the key concern. But OAuth grants are even more dangerous, because if that app or vendor is compromised, the apps and accounts you’ve integrated it with are also at risk — which is what was exploited here. ",[],{},{"nodeType":394,"data":395,"content":396},{},[397],{"nodeType":236,"value":398,"marks":399,"data":401},"Where’s the fault?",[400],{"type":292},{},{"nodeType":237,"data":403,"content":404},{},[405,409,418],{"nodeType":236,"value":406,"marks":407,"data":408},"It’s easy to point fingers here. There are multiple control gaps and failures for both parties. Vercel should have blocked OAuth grants made without admin approval, and regularly audited the connections in their environment. From a vendor's perspective, they could also have applied, by default, a control that ",[],{},{"nodeType":274,"data":410,"content":412},{"uri":411},"https://vercel.com/kb/bulletin/vercel-april-2026-security-incident",[413],{"nodeType":236,"value":414,"marks":415,"data":417},"prevents secret environment variables from being read",[416],{"type":282},{},{"nodeType":236,"value":419,"marks":420,"data":421}," — which would have significantly reduced the impact to Vercel customers from the data breach. ",[],{},{"nodeType":237,"data":423,"content":424},{},[425,429,435],{"nodeType":236,"value":426,"marks":427,"data":428},"Context.ai comes off worse. They could and should have had better separation of accounts and privileges — and if true, their users really shouldn’t be downloading Roblox scripts on devices they use for work access. 
It’s important to say ",[],{},{"nodeType":236,"value":430,"marks":431,"data":434},"if true",[432],{"type":433},"italic",{},{"nodeType":236,"value":436,"marks":437,"data":438}," here, but the prospect of third parties accessing your environment from insecure devices that they use for gaming is the stuff of nightmares for enterprise security and compliance teams.",[],{},{"nodeType":237,"data":440,"content":441},{},[442],{"nodeType":236,"value":443,"marks":444,"data":445},"You definitely don’t want to be Context.ai in this scenario. The reputational harm could be pretty significant, and is a wake-up call for other SaaS vendors to check that their house is in order. But although Vercel have responded quickly and transparently to the incident, this could only really have happened as a result of technical and procedural control gaps on their end.",[],{},{"nodeType":237,"data":447,"content":448},{},[449],{"nodeType":236,"value":450,"marks":451,"data":452},"It’s worth taking a step back and looking at the bigger picture here — and how these issues might impact your organization too. ",[],{},{"nodeType":339,"data":454,"content":455},{},[],{"nodeType":343,"data":457,"content":458},{},[459],{"nodeType":236,"value":460,"marks":461,"data":463},"Shadow AI is still just shadow SaaS – but the AI scramble is a force multiplier",[462],{"type":292},{},{"nodeType":237,"data":465,"content":466},{},[467],{"nodeType":236,"value":468,"marks":469,"data":470},"Shadow IT, and in particular shadow SaaS, is not a new problem. Most organizations run heavily (or exclusively) on SaaS, accessed in the browser, with hundreds of apps per enterprise. Unmanaged, self-adopted apps have been a thorn in the side of security teams for some time. 
",[],{},{"nodeType":237,"data":472,"content":473},{},[474],{"nodeType":236,"value":475,"marks":476,"data":477},"There are essentially three kinds of shadow IT to be wary of in this context:",[],{},{"nodeType":479,"data":480,"content":481},"unordered-list",{},[482,498,513],{"nodeType":483,"data":484,"content":485},"list-item",{},[486],{"nodeType":237,"data":487,"content":488},{},[489,494],{"nodeType":236,"value":490,"marks":491,"data":493},"Shadow apps:",[492],{"type":292},{},{"nodeType":236,"value":495,"marks":496,"data":497}," Apps that employees have signed up to and are using for business purposes without business approval. This includes apps signed up to with a corporate account or personal account. ",[],{},{"nodeType":483,"data":499,"content":500},{},[501],{"nodeType":237,"data":502,"content":503},{},[504,509],{"nodeType":236,"value":505,"marks":506,"data":508},"Shadow tenants:",[507],{"type":292},{},{"nodeType":236,"value":510,"marks":511,"data":512}," Apps that employees are accessing with personal accounts, essentially creating shadow tenants outside of your organization’s control — even if you’ve approved the app itself.",[],{},{"nodeType":483,"data":514,"content":515},{},[516],{"nodeType":237,"data":517,"content":518},{},[519,524],{"nodeType":236,"value":520,"marks":521,"data":523},"Shadow integrations:",[522],{"type":292},{},{"nodeType":236,"value":525,"marks":526,"data":527}," OAuth connections across apps that aren’t known or approved. Even if an app itself is approved, plugging that app directly into your primary enterprise apps — with all the sensitive data and functionality therein — isn't necessarily also approved.  ",[],{},{"nodeType":237,"data":529,"content":530},{},[531],{"nodeType":236,"value":532,"marks":533,"data":534},"In the Vercel case, we’re talking about shadow integrations. These are easy to introduce and hard to control across apps. 
While enterprise cloud platforms like Microsoft and Google do give admins the ability to audit and control OAuth connections, the Vercel breach shows how secure settings aren’t always on by default. And SaaS-to-SaaS connections are even less visible, often with fewer controls.",[],{},{"nodeType":394,"data":536,"content":537},{},[538],{"nodeType":236,"value":539,"marks":540,"data":542},"The web of OAuth sprawl spans way beyond Google and Microsoft ",[541],{"type":292},{},{"nodeType":237,"data":544,"content":545},{},[546,551],{"nodeType":236,"value":547,"marks":548,"data":550},"On average we see 14 unique AI app integrations per organization in Microsoft and Google alone",[549],{"type":292},{},{"nodeType":236,"value":552,"marks":553,"data":554},". If you consider that most organizations have probably approved 1 or 2 max for business use, and may have approved none at all for app-to-app OAuth connectivity, that’s quite a significant difference. ",[],{},{"nodeType":237,"data":556,"content":557},{},[558],{"nodeType":236,"value":559,"marks":560,"data":561},"The number of connections outside of these core platforms is significantly higher. Just think how the typical AI app operates. If you want it to be able to effectively automate workflows — pull data from one app, aggregate and analyze it in another, present that information in a report, dashboard, or presentation, and then distribute it — that’s a fair few integrations in just one workflow. MCP connections use OAuth to achieve this interconnectivity in the same way as any other SaaS app.",[],{},{"nodeType":237,"data":563,"content":564},{},[565],{"nodeType":236,"value":566,"marks":567,"data":568},"We used to talk about automation apps like Zapier as being a goldmine for attackers. Well, AI apps are on their way to being even more interconnected, more frequently used, and more flexible in terms of how attackers can abuse them. 
",[],{},{"nodeType":359,"data":570,"content":574},{"target":571},{"sys":572},{"id":573,"type":364,"linkType":365},"4FiWyVw7mpVBA5uBVJoOKL",[],{"nodeType":394,"data":576,"content":577},{},[578],{"nodeType":236,"value":579,"marks":580,"data":582},"OAuth breaches are stacking up",[581],{"type":292},{},{"nodeType":237,"data":584,"content":585},{},[586],{"nodeType":236,"value":587,"marks":588,"data":589},"Widespread OAuth interconnectedness isn’t just an AI app problem. Attackers have been exploiting this for some time:",[],{},{"nodeType":479,"data":591,"content":592},{},[593,641],{"nodeType":483,"data":594,"content":595},{},[596],{"nodeType":237,"data":597,"content":598},{},[599,603,611,615,624,628,637],{"nodeType":236,"value":600,"marks":601,"data":602},"In 2025, ",[],{},{"nodeType":274,"data":604,"content":605},{"uri":276},[606],{"nodeType":236,"value":607,"marks":608,"data":610},"Scattered Lapsus$ Hunters",[609],{"type":282},{},{"nodeType":236,"value":612,"marks":613,"data":614}," launched OAuth-driven supply chain attacks against Salesforce and Google Workspace tenants after breaching Salesloft (specifically the ",[],{},{"nodeType":274,"data":616,"content":618},{"uri":617},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[619],{"nodeType":236,"value":620,"marks":621,"data":623},"Salesloft Drift",[622],{"type":282},{},{"nodeType":236,"value":625,"marks":626,"data":627}," platform) and ",[],{},{"nodeType":274,"data":629,"content":631},{"uri":630},"https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/",[632],{"nodeType":236,"value":633,"marks":634,"data":636},"Gainsight",[635],{"type":282},{},{"nodeType":236,"value":638,"marks":639,"data":640},". 
In total, over 1000 organizations were impacted, including Google, Cloudflare, Rubrik, Elastic, Proofpoint, JFrog, Zscaler, Tenable, Palo Alto Networks, CyberArk, BeyondTrust, Qualys, and many more, with over 1.5B records stolen. ",[],{},{"nodeType":483,"data":642,"content":643},{},[644],{"nodeType":237,"data":645,"content":646},{},[647,651,660,664,673],{"nodeType":236,"value":648,"marks":649,"data":650},"More recently, Snowflake customers were impacted after a ",[],{},{"nodeType":274,"data":652,"content":654},{"uri":653},"https://www.bleepingcomputer.com/news/security/snowflake-customers-hit-in-data-theft-attacks-after-saas-integrator-breach/",[655],{"nodeType":236,"value":656,"marks":657,"data":659},"breach at data anomaly detection company Anodot",[658],{"type":282},{},{"nodeType":236,"value":661,"marks":662,"data":663}," where the attacker attempted to leverage the stolen authentication tokens to access Salesforce data, with ",[],{},{"nodeType":274,"data":665,"content":667},{"uri":666},"https://www.bleepingcomputer.com/news/security/stolen-rockstar-games-analytics-data-leaked-by-extortion-gang/",[668],{"nodeType":236,"value":669,"marks":670,"data":672},"Rockstar",[671],{"type":282},{},{"nodeType":236,"value":674,"marks":675,"data":676}," a high-profile victim of the breach (again linked to Scattered Lapsus$ Hunters). ",[],{},{"nodeType":359,"data":678,"content":682},{"target":679},{"sys":680},{"id":681,"type":364,"linkType":365},"3oqoL9L3fxetFcIhnfQhMQ",[],{"nodeType":339,"data":684,"content":685},{},[],{"nodeType":343,"data":687,"content":688},{},[689],{"nodeType":236,"value":690,"marks":691,"data":693},"Infostealers continue to drive corporate breaches",[692],{"type":292},{},{"nodeType":237,"data":695,"content":696},{},[697],{"nodeType":236,"value":698,"marks":699,"data":700},"While unverified, Hudson Rock’s case for an infostealer breach being the root cause of the Context.ai breach seems believable. 
Infostealer infections have been one of the leading security threats for some time, fuelling breaches powered by stolen credentials and session tokens.",[],{},{"nodeType":237,"data":702,"content":703},{},[704,708,713],{"nodeType":236,"value":705,"marks":706,"data":707},"With the assumed rise in MFA coverage, it’s often surprising to security teams that stolen credentials are still a problem. ",[],{},{"nodeType":236,"value":709,"marks":710,"data":712},"But of the last million logins we saw, 1 in 4 were password logins (not SSO), 2 in 5 were not protected by MFA, and 1 in 5 used a weak, breached, or reused password. ",[711],{"type":292},{},{"nodeType":236,"value":714,"marks":715,"data":716},"Plenty of scope for abuse. ",[],{},{"nodeType":237,"data":718,"content":719},{},[720],{"nodeType":236,"value":721,"marks":722,"data":723},"Stolen session tokens are even more valuable to attackers, enabling them to bypass authentication controls by replaying the token in their own browser. In theory, they should only be valid for a limited timeframe, but in practice this can be as many as 90 days, and sometimes indefinite. ",[],{},{"nodeType":237,"data":725,"content":726},{},[727],{"nodeType":236,"value":728,"marks":729,"data":730},"In this case, it seems likely that the compromised device was a developer machine (given the access to Supabase), or potentially even a personal device (given they were installing Roblox cheats…). 
This is relevant because these personal, developer, and BYOD machines are often less secure — developer machines are often exempt from EDR monitoring or significantly tuned-down (too noisy), while personal devices naturally lack enterprise security software.",[],{},{"nodeType":359,"data":732,"content":736},{"target":733},{"sys":734},{"id":735,"type":364,"linkType":365},"139oaGgwRKZbwJzyex9LA5",[],{"nodeType":237,"data":738,"content":739},{},[740,744,753],{"nodeType":236,"value":741,"marks":742,"data":743},"We’ve also seen an uptick in developer-oriented phishing and malvertising campaigns. The ",[],{},{"nodeType":274,"data":745,"content":747},{"uri":746},"https://pushsecurity.com/blog/installfix/",[748],{"nodeType":236,"value":749,"marks":750,"data":752},"InstallFix campaign",[751],{"type":282},{},{"nodeType":236,"value":754,"marks":755,"data":756}," we identified, intercepting users as they attempt to install AI tools like Claude Code and NotebookLM, is an example of this — and also another way that attackers are capitalizing on AI hype. ",[],{},{"nodeType":339,"data":758,"content":759},{},[],{"nodeType":343,"data":761,"content":762},{},[763],{"nodeType":236,"value":764,"marks":765,"data":767},"Advice for security teams",[766],{"type":292},{},{"nodeType":237,"data":769,"content":770},{},[771],{"nodeType":236,"value":772,"marks":773,"data":774},"There are some immediate next steps that we’ll quickly summarize here, as they've already been covered in wider reporting. If you’re a Vercel customer, you should urgently rotate every credential stored as a non-sensitive variable that could have been exposed, enable the sensitive variable feature toggle, and monitor your account for anomalous activity. And if you’re using the specific Context.ai integration, you need to revoke it ASAP and begin a full audit of the connected accounts, both inside Workspace and broader connected apps (this isn’t that easy, as we’ll highlight in a moment). 
",[],{},{"nodeType":359,"data":776,"content":780},{"target":777},{"sys":778},{"id":779,"type":364,"linkType":365},"76HViirkH2R4QAzWg605sv",[],{"nodeType":237,"data":782,"content":783},{},[784,788,797],{"nodeType":236,"value":785,"marks":786,"data":787},"Taking a step back, organizations really need to get their arms around OAuth integrations in their environment. A default-deny approach to allowing users to consent to new integrations, and routinely auditing the ones already in your environment to ensure they’re still definitely required, is essential. Each integration expands your attack surface and could potentially grant an attacker extensive access to your environment. This default-deny approach isn't exactly a new concept for security teams and is the same in principle as what we recently advised for ",[],{},{"nodeType":274,"data":789,"content":791},{"uri":790},"https://pushsecurity.com/blog/browser-extension-management-guide/",[792],{"nodeType":236,"value":793,"marks":794,"data":796},"browser extension management",[795],{"type":282},{},{"nodeType":236,"value":295,"marks":798,"data":799},[],{},{"nodeType":237,"data":801,"content":802},{},[803],{"nodeType":236,"value":804,"marks":805,"data":806},"This is fairly straightforward in your main enterprise cloud environment (think M365 or Google Workspace). But doing it across every SaaS app that allows some level of OAuth integration with another (i.e. every SaaS app) is somewhat harder. Not only do you need to have a comprehensive and up-to-date inventory, you need to be an app admin for every app (not always the case for self-adopted apps) and the particular app needs to give you the control to restrict and remove OAuth grants on behalf of users in your tenant. ",[],{},{"nodeType":237,"data":808,"content":809},{},[810],{"nodeType":236,"value":811,"marks":812,"data":813},"Again, this is not exclusively a Shadow AI problem, even if AI adoption is contributing significantly to the sprawl. 
",[],{},{"nodeType":359,"data":815,"content":819},{"target":816},{"sys":817},{"id":818,"type":364,"linkType":365},"XKKHUiz56G82uwYhbv2Qv",[],{"nodeType":339,"data":821,"content":822},{},[],{"nodeType":343,"data":824,"content":825},{},[826],{"nodeType":236,"value":827,"marks":828,"data":830},"How Push can help",[829],{"type":292},{},{"nodeType":237,"data":832,"content":833},{},[834],{"nodeType":236,"value":835,"marks":836,"data":837},"As we’ve established, there are quite a few pieces to this puzzle. Push can help with all of them. ",[],{},{"nodeType":237,"data":839,"content":840},{},[841],{"nodeType":236,"value":842,"marks":843,"data":844},"Push observes every app login your employees make in their browser, building a comprehensive picture of SaaS and AI use across your organization. This includes how they’re logging in and how secure the login is: did it have MFA, what kind of MFA, was it using a weak or compromised password, did they use SSO, and so on. ",[],{},{"nodeType":359,"data":846,"content":850},{"target":847},{"sys":848},{"id":849,"type":364,"linkType":365},"2B205bUaLm6vG8mIQ0rJvA",[],{"nodeType":237,"data":852,"content":853},{},[854],{"nodeType":236,"value":855,"marks":856,"data":857},"Push also tracks OAuth integrations in your environment and gives you the ability to manage and remove them in core environments like M365 and Google Workspace, providing a single platform for you to view, manage, and secure app use across your organization. ",[],{},{"nodeType":359,"data":859,"content":863},{"target":860},{"sys":861},{"id":862,"type":364,"linkType":365},"eEbdBUfyzZsdIOjFOXHpM",[],{"nodeType":359,"data":865,"content":869},{"target":866},{"sys":867},{"id":868,"type":364,"linkType":365},"1MTFxfROuGKxnkHQwWHe8K",[],{"nodeType":237,"data":871,"content":872},{},[873,877,882,886,891],{"nodeType":236,"value":874,"marks":875,"data":876},"This makes it easy to surface both vulnerabilities and possible control gaps, and do something about them. 
But where Push really excels is in the ability to observe and block OAuth connection requests ",[],{},{"nodeType":236,"value":878,"marks":879,"data":881},"even outside of your primary enterprise apps.",[880],{"type":292},{},{"nodeType":236,"value":883,"marks":884,"data":885}," Using Push, you can detect and block OAuth integration requests as they traverse the browser. This ",[],{},{"nodeType":236,"value":887,"marks":888,"data":890},"app-agnostic",[889],{"type":292},{},{"nodeType":236,"value":892,"marks":893,"data":894}," level of control is absolutely critical to halting OAuth integration sprawl. ",[],{},{"nodeType":359,"data":896,"content":900},{"target":897},{"sys":898},{"id":899,"type":364,"linkType":365},"2VZ4uw6MXslXME2ueydGuT",[],{"nodeType":394,"data":902,"content":903},{},[904,908],{"nodeType":236,"value":905,"marks":906,"data":907},"And ",[],{},{"nodeType":236,"value":909,"marks":910,"data":912},"that’s not all …",[911],{"type":292},{},{"nodeType":237,"data":914,"content":915},{},[916],{"nodeType":236,"value":917,"marks":918,"data":919},"Push’s browser-based security platform also detects and blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, device code phishing, ClickFix, and session hijacking in real time. This includes the most prominent infostealer delivery vectors in terms of malvertising and *Fix-style attacks. Push analyzes every web page in every browser session and tab for threats, in real time, with no latency. 
",[],{},{"nodeType":237,"data":921,"content":922},{},[923],{"nodeType":236,"value":924,"marks":925,"data":926},"But as we've established, you don't need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your attack surface.",[],{},{"nodeType":237,"data":928,"content":929},{},[930,934,942,946,955,959,967],{"nodeType":236,"value":931,"marks":932,"data":933},"To learn more about Push, ",[],{},{"nodeType":274,"data":935,"content":937},{"uri":936},"https://pushsecurity.com/resources/product-brochure",[938],{"nodeType":236,"value":939,"marks":940,"data":941},"check out our latest product overview",[],{},{"nodeType":236,"value":943,"marks":944,"data":945},", ",[],{},{"nodeType":274,"data":947,"content":949},{"uri":948},"https://pushsecurity.com/product-demo/",[950],{"nodeType":236,"value":951,"marks":952,"data":954},"view our demo library",[953],{"type":282},{},{"nodeType":236,"value":956,"marks":957,"data":958},", or ",[],{},{"nodeType":274,"data":960,"content":962},{"uri":961},"https://pushsecurity.com/demo",[963],{"nodeType":236,"value":964,"marks":965,"data":966},"book some time with one of our team for a live demo",[],{},{"nodeType":236,"value":968,"marks":969,"data":970},".",[],{},{"entries":972},{"hyperlink":973,"inline":974,"block":975},[],[],[976,991,1000,1027,1065,1084,1111,1118,1124,1131],{"sys":977,"__typename":978,"content":979,"name":990,"title":61},{"id":363},"InsightTextBlockComponent",{"json":980},{"data":981,"content":982,"nodeType":238},{},[983],{"data":984,"content":985,"nodeType":237},{},[986],{"data":987,"marks":988,"value":989,"nodeType":236},{},[],"An all-too-common tale in the modern enterprise is the SaaS app that was trialled by a single employee, lightly used, integrated with core app tenants, and forgotten about — adding an invisible node 
to the organization’s attack surface.","Vercel IB 4",{"sys":992,"__typename":993,"title":994,"caption":995,"layoutMode":61,"file":996},{"id":573},"Image","Illustrative example of SaaS OAuth sprawl. AI apps are highlighted orange.","Illustrative example of SaaS OAuth sprawl, from primary enterprise cloud, to core apps, to wider SaaS. AI apps are highlighted orange.",{"url":997,"width":998,"height":999},"https://images.ctfassets.net/y1cdw1ablpvd/6u0rnGPxUjcFSxdbsIcNz0/b093fbd09053a6a764b03af9ba56e5df/Screenshot_2026-04-23_at_20.41.29.png",2516,2086,{"sys":1001,"__typename":978,"content":1002,"name":1026,"title":61},{"id":681},{"json":1003},{"nodeType":238,"data":1004,"content":1005},{},[1006],{"nodeType":237,"data":1007,"content":1008},{},[1009,1013,1022],{"nodeType":236,"value":1010,"marks":1011,"data":1012},"Not only are attackers abusing existing (legitimate) OAuth connections as part of supply chain attacks, but they’re using OAuth-focused phishing as the front door to victim environments. 
Last year’s Salesforce campaign began with ",[],{},{"nodeType":274,"data":1014,"content":1016},{"uri":1015},"https://pushsecurity.com/blog/device-code-phishing/",[1017],{"nodeType":236,"value":1018,"marks":1019,"data":1021},"device code phishing",[1020],{"type":282},{},{"nodeType":236,"value":1023,"marks":1024,"data":1025},", where attackers tricked victims into registering an attacker-controlled app into their Salesforce tenant, granting full API access for mass data exfiltration.",[],{},"Vercel IB 1",{"sys":1028,"__typename":978,"content":1029,"name":1064,"title":61},{"id":735},{"json":1030},{"nodeType":238,"data":1031,"content":1032},{},[1033,1052],{"nodeType":237,"data":1034,"content":1035},{},[1036,1040,1048],{"nodeType":236,"value":1037,"marks":1038,"data":1039},"If you’re wondering how a personal device could result in corporate credential leakage, browser syncing (",[],{},{"nodeType":274,"data":1041,"content":1042},{"uri":320},[1043],{"nodeType":236,"value":1044,"marks":1045,"data":1047},"where users sign into their personal account in a corporate browser",[1046],{"type":282},{},{"nodeType":236,"value":1049,"marks":1050,"data":1051},") can lead to this exact scenario. And given Vercel’s potentially lacking controls around OAuth integrations in their Workspace, it’s also possible that browser syncing had not been identified as a security risk and disabled. ",[],{},{"nodeType":237,"data":1053,"content":1054},{},[1055,1059],{"nodeType":236,"value":1056,"marks":1057,"data":1058},"The 2025 Verizon DBIR reported that 54% of all ransomware attacks traced back to infostealer-enabled credential theft. ",[],{},{"nodeType":236,"value":1060,"marks":1061,"data":1063},"46% of systems with compromised corporate credentials were non-managed devices. 
",[1062],{"type":292},{},"Vercel IB 2",{"sys":1066,"__typename":978,"content":1067,"name":1083,"title":61},{"id":779},{"json":1068},{"nodeType":238,"data":1069,"content":1070},{},[1071],{"nodeType":237,"data":1072,"content":1073},{},[1074,1079],{"nodeType":236,"value":1075,"marks":1076,"data":1078},"OAuth App:",[1077],{"type":292},{},{"nodeType":236,"value":1080,"marks":1081,"data":1082}," 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",[],{},"Vercel IB 5",{"sys":1085,"__typename":978,"content":1086,"name":1110,"title":61},{"id":818},{"json":1087},{"nodeType":238,"data":1088,"content":1089},{},[1090],{"nodeType":237,"data":1091,"content":1092},{},[1093,1097,1106],{"nodeType":236,"value":1094,"marks":1095,"data":1096},"Since the breach was initially reported, ",[],{},{"nodeType":274,"data":1098,"content":1100},{"uri":1099},"https://thehackernews.com/2026/04/vercel-breach-tied-to-context-ai-hack.html",[1101],{"nodeType":236,"value":1102,"marks":1103,"data":1105},"it has also emerged that",[1104],{"type":282},{},{"nodeType":236,"value":1107,"marks":1108,"data":1109}," Context.ai’s browser extension has also been pulled from the Chrome store. It’s unclear whether attackers were able to publish a malicious extension update too, whether the extension was removed at Context.ai’s request (because the app has been deprecated), or Google pulled it down as a precaution in light of the incident. ",[],{},"Vercel IB 3",{"sys":1112,"__typename":993,"title":1113,"caption":1113,"layoutMode":61,"file":1114},{"id":849},"Inspect apps and identities to uncover and remediate vulnerabilities.",{"url":1115,"width":1116,"height":1117},"https://images.ctfassets.net/y1cdw1ablpvd/4rfQX7ICFP2tiio0Ra9r0f/ef6cdc27bc3dde03127105189523e405/image5.png",1999,1074,{"sys":1119,"__typename":993,"title":1120,"caption":1120,"layoutMode":61,"file":1121},{"id":862},"Analyse OAuth integrations, including permissions, user count, and other useful metadata. 
",{"url":1122,"width":1116,"height":1123},"https://images.ctfassets.net/y1cdw1ablpvd/6srKhXfs62Ql2vIUc0QszJ/58ae9672ed3e79bfef1fb65a6cd7450a/image3.png",1091,{"sys":1125,"__typename":993,"title":1126,"caption":1126,"layoutMode":61,"file":1127},{"id":868},"Easily delete unwanted integrations. ",{"url":1128,"width":1129,"height":1130},"https://images.ctfassets.net/y1cdw1ablpvd/8BTe7GRIl7aLnwcmkRQkb/eb26d8d0ecb0165d4ab3c4d4a3ac6111/image1.png",567,213,{"sys":1132,"__typename":993,"title":1133,"caption":1133,"layoutMode":61,"file":1134},{"id":899},"Block OAuth connection attempts as they transit the browser using Push.",{"url":1135,"width":1136,"height":1137},"https://images.ctfassets.net/y1cdw1ablpvd/4TIl7F28Qd1Mk5M4vrFUF7/1b983ddc567ea7130cc76c3397d8fb69/OAuth_blocking.gif",1280,720,{"items":1139},[1140,3755,4721],{"__typename":1141,"sys":1142,"content":1144,"title":3737,"synopsis":3738,"hashTags":61,"publishedDate":3739,"slug":3740,"tagsCollection":3741,"authorsCollection":3747},"BlogPosts",{"id":1143},"5DmCqTU2Tg4adYScA5vT2x",{"json":1145},{"nodeType":238,"data":1146,"content":1147},{},[1148,1168,1187,1194,1200,1207,1214,1217,1225,1231,1316,1336,1342,1349,1479,1482,1490,1497,1503,1506,1514,1555,1561,1568,1575,1582,1589,1609,1615,1621,1627,1633,1639,1645,1651,1657,1924,1927,1935,2070,2076,2079,2087,2221,2227,2230,2238,2385,2391,2394,2402,2543,2549,2552,2560,2707,2713,2716,2724,2870,2876,2879,2887,2982,2988,2991,2999,3093,3099,3102,3110,3116,3249,3255,3266,3269,3277,3289,3296,3302,3308,3315,3336,3352,3358,3361,3369,3377,3398,3419,3424,3431,3438,3446,3453,3460,3467,3475,3482,3533,3539,3542,3550,3557,3564,3615,3621,3628,3631,3639,3646,3653,3673,3679,3686,3694,3701],{"nodeType":237,"data":1149,"content":1150},{},[1151,1155,1164],{"nodeType":236,"value":1152,"marks":1153,"data":1154},"The OAuth 2.0 ",[],{},{"nodeType":274,"data":1156,"content":1158},{"uri":1157},"https://www.rfc-editor.org/rfc/rfc8628",[1159],{"nodeType":236,"value":1160,"marks":1161,"data":1163},"device 
authorization grant",[1162],{"type":282},{},{"nodeType":236,"value":1165,"marks":1166,"data":1167}," was designed to enable input-constrained devices to sign in to apps by asking the user to complete the login on a separate device by entering a code. But today, it’s mainly used when accessing CLI tools, meaning that many users encounter the device code flow daily. ",[],{},{"nodeType":237,"data":1169,"content":1170},{},[1171,1174,1183],{"nodeType":236,"value":29,"marks":1172,"data":1173},[],{},{"nodeType":274,"data":1175,"content":1177},{"uri":1176},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/device_code_phishing/description.md",[1178],{"nodeType":236,"value":1179,"marks":1180,"data":1182},"Device code phishing",[1181],{"type":282},{},{"nodeType":236,"value":1184,"marks":1185,"data":1186}," attacks designed to exploit this authorization flow are not new — it was among the first techniques that we added to the SaaS attacks matrix back in 2023. But it’s taken until now for it to really enter mainstream adoption. ",[],{},{"nodeType":237,"data":1188,"content":1189},{},[1190],{"nodeType":236,"value":1191,"marks":1192,"data":1193},"The technique tricks a user into issuing access tokens for an attacker-controlled application (not a device, confusingly). Any app that supports device code logins can be a target. Popular examples include Microsoft, Google, Salesforce, GitHub, and AWS. That said, Microsoft is, as always, much more heavily targeted at scale now than any other app.",[],{},{"nodeType":359,"data":1195,"content":1199},{"target":1196},{"sys":1197},{"id":1198,"type":364,"linkType":365},"Al0pGH8vmOYiufDFiAbt0",[],{"nodeType":237,"data":1201,"content":1202},{},[1203],{"nodeType":236,"value":1204,"marks":1205,"data":1206},"We’ve always been surprised that attackers haven’t commonly used device code phishing in their standard toolkit, preferring session-stealing AiTM phishing and other social engineering attacks like ClickFix. 
But it’s pretty clear from the recent data that the shift to mainstream adoption has now happened. ",[],{},{"nodeType":237,"data":1208,"content":1209},{},[1210],{"nodeType":236,"value":1211,"marks":1212,"data":1213},"In this blog post, we’ll explore the history of device code phishing, what’s changed for it to enter mainstream adoption, how it works under the hood (with recent examples), and what security teams can do about it. ",[],{},{"nodeType":339,"data":1215,"content":1216},{},[],{"nodeType":343,"data":1218,"content":1219},{},[1220],{"nodeType":236,"value":1221,"marks":1222,"data":1224},"A brief history of device code phishing",[1223],{"type":292},{},{"nodeType":359,"data":1226,"content":1230},{"target":1227},{"sys":1228},{"id":1229,"type":364,"linkType":365},"6u3DgvSGChtTJu7l9I7PG1",[],{"nodeType":237,"data":1232,"content":1233},{},[1234,1238,1247,1251,1260,1264,1273,1277,1286,1290,1299,1303,1312],{"nodeType":236,"value":1235,"marks":1236,"data":1237},"The technique was first documented in 2020, before Secureworks released the first tooling framework ",[],{},{"nodeType":274,"data":1239,"content":1241},{"uri":1240},"https://github.com/secureworks/PhishInSuits",[1242],{"nodeType":236,"value":1243,"marks":1244,"data":1246},"PhishInSuits",[1245],{"type":282},{},{"nodeType":236,"value":1248,"marks":1249,"data":1250}," a year later. 
A host of research followed, including ",[],{},{"nodeType":274,"data":1252,"content":1254},{"uri":1253},"https://github.com/secureworks/squarephish",[1255],{"nodeType":236,"value":1256,"marks":1257,"data":1259},"SquarePhish",[1258],{"type":282},{},{"nodeType":236,"value":1261,"marks":1262,"data":1263}," v1 (using QR codes to trigger the 15 minute code expiration window), Dirk-Jan Mollema’s ",[],{},{"nodeType":274,"data":1265,"content":1267},{"uri":1266},"https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/",[1268],{"nodeType":236,"value":1269,"marks":1270,"data":1272},"key research",[1271],{"type":282},{},{"nodeType":236,"value":1274,"marks":1275,"data":1276}," (chaining device code phishing via Microsoft apps into Primary Refresh Token (PRT) acquisition to gain full browser-level access) and Dennis Kniep’s ",[],{},{"nodeType":274,"data":1278,"content":1280},{"uri":1279},"https://github.com/denniskniep/DeviceCodePhishing",[1281],{"nodeType":236,"value":1282,"marks":1283,"data":1285},"DeviceCodePhishing tool",[1284],{"type":282},{},{"nodeType":236,"value":1287,"marks":1288,"data":1289}," which automates the entire flow with a headless browser. (Other recent noteworthy tools include ",[],{},{"nodeType":274,"data":1291,"content":1293},{"uri":1292},"https://github.com/nromsdahl/squarephish2",[1294],{"nodeType":236,"value":1295,"marks":1296,"data":1298},"SquarePhish2",[1297],{"type":282},{},{"nodeType":236,"value":1300,"marks":1301,"data":1302}," and ",[],{},{"nodeType":274,"data":1304,"content":1306},{"uri":1305},"https://github.com/praetorian-inc/GitPhish",[1307],{"nodeType":236,"value":1308,"marks":1309,"data":1311},"GitPhish",[1310],{"type":282},{},{"nodeType":236,"value":1313,"marks":1314,"data":1315},", so shout out to those too). 
",[],{},{"nodeType":237,"data":1317,"content":1318},{},[1319,1323,1332],{"nodeType":236,"value":1320,"marks":1321,"data":1322},"It wasn’t until August 2024 that in-the-wild exploitation was first identified, with Russia-linked campaigns then continuing into 2025 before entering mainstream criminal adoption. This trend has continued to gather momentum in 2026 with ",[],{},{"nodeType":274,"data":1324,"content":1326},{"uri":1325},"https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html",[1327],{"nodeType":236,"value":1328,"marks":1329,"data":1331},"EvilTokens",[1330],{"type":282},{},{"nodeType":236,"value":1333,"marks":1334,"data":1335},", the first reported criminal PhaaS kit for device code phishing, already powering massive campaigns after launching in February. ",[],{},{"nodeType":359,"data":1337,"content":1341},{"target":1338},{"sys":1339},{"id":1340,"type":364,"linkType":365},"6xsfmbYEzpW7CdDiNzO6cu",[],{"nodeType":237,"data":1343,"content":1344},{},[1345],{"nodeType":236,"value":1346,"marks":1347,"data":1348},"Some of the noteworthy in-the-wild campaigns include:",[],{},{"nodeType":479,"data":1350,"content":1351},{},[1352,1385,1405],{"nodeType":483,"data":1353,"content":1354},{},[1355],{"nodeType":237,"data":1356,"content":1357},{},[1358,1362,1370,1373,1381],{"nodeType":236,"value":1359,"marks":1360,"data":1361},"Storm-2372, tracked by 
",[],{},{"nodeType":274,"data":1363,"content":1365},{"uri":1364},"https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/",[1366],{"nodeType":236,"value":1367,"marks":1368,"data":1369},"Microsoft",[],{},{"nodeType":236,"value":1300,"marks":1371,"data":1372},[],{},{"nodeType":274,"data":1374,"content":1376},{"uri":1375},"https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/",[1377],{"nodeType":236,"value":1378,"marks":1379,"data":1380},"Volexity",[],{},{"nodeType":236,"value":1382,"marks":1383,"data":1384},", linked to multiple Russia-aligned clusters, combining spear-phishing and social engineering with device code phishing payloads against strategic intelligence targets.",[],{},{"nodeType":483,"data":1386,"content":1387},{},[1388],{"nodeType":237,"data":1389,"content":1390},{},[1391,1395,1401],{"nodeType":236,"value":1392,"marks":1393,"data":1394},"The massive Salesforce campaign operated by ",[],{},{"nodeType":274,"data":1396,"content":1397},{"uri":276},[1398],{"nodeType":236,"value":607,"marks":1399,"data":1400},[],{},{"nodeType":236,"value":1402,"marks":1403,"data":1404}," (SLH) combined vishing with a device code phishing payload targeting Salesforce. The attacks morphed into a broader supply chain campaign using stolen credentials, ultimately resulting in 1000+ organizations being compromised and over 1.5 billion stolen records claimed. ",[],{},{"nodeType":483,"data":1406,"content":1407},{},[1408],{"nodeType":237,"data":1409,"content":1410},{},[1411,1415,1423,1427,1436,1440,1449,1453,1462,1466,1475],{"nodeType":236,"value":1412,"marks":1413,"data":1414},"A massive spike in activity in late 2025 and 2026. 
This includes ",[],{},{"nodeType":274,"data":1416,"content":1418},{"uri":1417},"https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover",[1419],{"nodeType":236,"value":1420,"marks":1421,"data":1422},"multiple threat clusters",[],{},{"nodeType":236,"value":1424,"marks":1425,"data":1426}," tracked using device code phishing techniques, more ",[],{},{"nodeType":274,"data":1428,"content":1430},{"uri":1429},"https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/",[1431],{"nodeType":236,"value":1432,"marks":1433,"data":1435},"criminal operations linked to SLH",[1434],{"type":282},{},{"nodeType":236,"value":1437,"marks":1438,"data":1439},", and ",[],{},{"nodeType":274,"data":1441,"content":1443},{"uri":1442},"https://newtonpaul.com/blog/device-code-phish-update/",[1444],{"nodeType":236,"value":1445,"marks":1446,"data":1448},"hundreds of organizations being targeted via PhaaS architecture,",[1447],{"type":282},{},{"nodeType":236,"value":1450,"marks":1451,"data":1452}," which looks to be the same campaign as the recently uncovered EvilTokens PhaaS reported by ",[],{},{"nodeType":274,"data":1454,"content":1456},{"uri":1455},"https://www.huntress.com/blog/railway-paas-m365-token-replay-campaign",[1457],{"nodeType":236,"value":1458,"marks":1459,"data":1461},"Huntress",[1460],{"type":282},{},{"nodeType":236,"value":1463,"marks":1464,"data":1465}," (featuring abuse of the Railway PaaS platform). Abnormal has also reported on a closed-source PhaaS kit called ",[],{},{"nodeType":274,"data":1467,"content":1469},{"uri":1468},"https://abnormal.ai/blog/venom-phishing-campaign-mfa-credential-theft",[1470],{"nodeType":236,"value":1471,"marks":1472,"data":1474},"Venom",[1473],{"type":282},{},{"nodeType":236,"value":1476,"marks":1477,"data":1478}," that offers device code phishing capabilities that appear visually and functionally similar to EvilTokens.   
",[],{},{"nodeType":339,"data":1480,"content":1481},{},[],{"nodeType":343,"data":1483,"content":1484},{},[1485],{"nodeType":236,"value":1486,"marks":1487,"data":1489},"What we’re seeing in the wild",[1488],{"type":292},{},{"nodeType":237,"data":1491,"content":1492},{},[1493],{"nodeType":236,"value":1494,"marks":1495,"data":1496},"As mentioned, we’ve also seen a huge spike in device code phishing activity this year, with multiple kits, page designs, and lure types. We’ve identified 10 distinct kits in circulation in the wild, with EvilTokens being the most prevalent. It’s clear that attackers are both spinning up their own kits and creative derivatives of others — we’ve seen kits that are visually similar to EvilTokens (close enough to be clones or forks) but with very different backends, for example AWS, Digital Ocean, 2cloud, and more. ",[],{},{"nodeType":359,"data":1498,"content":1502},{"target":1499},{"sys":1500},{"id":1501,"type":364,"linkType":365},"nJCbTw85GKXdqrlIkzZwi",[],{"nodeType":339,"data":1504,"content":1505},{},[],{"nodeType":394,"data":1507,"content":1508},{},[1509],{"nodeType":236,"value":1510,"marks":1511,"data":1513},"“ANTIBOT” (EvilTokens)",[1512],{"type":292},{},{"nodeType":237,"data":1515,"content":1516},{},[1517,1520,1527,1530,1539,1543,1551],{"nodeType":236,"value":29,"marks":1518,"data":1519},[],{},{"nodeType":274,"data":1521,"content":1522},{"uri":1455},[1523],{"nodeType":236,"value":1458,"marks":1524,"data":1526},[1525],{"type":282},{},{"nodeType":236,"value":943,"marks":1528,"data":1529},[],{},{"nodeType":274,"data":1531,"content":1533},{"uri":1532},"https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/",[1534],{"nodeType":236,"value":1535,"marks":1536,"data":1538},"Sekoia",[1537],{"type":282},{},{"nodeType":236,"value":1540,"marks":1541,"data":1542},", and researcher 
",[],{},{"nodeType":274,"data":1544,"content":1545},{"uri":1442},[1546],{"nodeType":236,"value":1547,"marks":1548,"data":1550},"Paul Newton",[1549],{"type":282},{},{"nodeType":236,"value":1552,"marks":1553,"data":1554}," have already done a great job of providing IOCs for the recent EvilTokens activity spike, including multiple backend Railway IPs in authentication events. ",[],{},{"nodeType":359,"data":1556,"content":1560},{"target":1557},{"sys":1558},{"id":1559,"type":364,"linkType":365},"1XNviq5OvMf5TEAc59F6g5",[],{"nodeType":237,"data":1562,"content":1563},{},[1564],{"nodeType":236,"value":1565,"marks":1566,"data":1567},"Beyond the most widely observed implementation featuring a Cloudflare Workers frontend and Railway backend for authentication, we’ve also tracked additional versions of EvilTokens in circulation since January 2026 (many of which remain live along with the current “production” version of the kit). ",[],{},{"nodeType":237,"data":1569,"content":1570},{},[1571],{"nodeType":236,"value":1572,"marks":1573,"data":1574},"You can see an evolution of the kit in the videos and screenshots below, from early precursors seen in mid-January, the first mentions of ANTIBOT in the page code in late-January, the parallel development of a “Courts Access” fork that lacks the ANTIBOT references, and finally production EvilTokens in February. One of the key threads between the versions is the presence of a generateFallbackCode() JS function and use of a /generate-codes API call. ",[],{},{"nodeType":237,"data":1576,"content":1577},{},[1578],{"nodeType":236,"value":1579,"marks":1580,"data":1581},"Early implementations were quite different, for example using ScrapingBee to generate the displayed code, and varied hosting on vercel, fastly, edgeone, and others. 
",[],{},{"nodeType":237,"data":1583,"content":1584},{},[1585],{"nodeType":236,"value":1586,"marks":1587,"data":1588},"After initially appearing on custom domains, the production version is now predominantly hosted on Cloudflare Workers, as per the broader tracking of the campaign. The descriptive HTML comments around ANTIBOT functions have also been removed in later versions. ",[],{},{"nodeType":237,"data":1590,"content":1591},{},[1592,1596,1605],{"nodeType":236,"value":1593,"marks":1594,"data":1595},"The production version of EvilTokens showcases common ",[],{},{"nodeType":274,"data":1597,"content":1599},{"uri":1598},"https://phishing-techniques.pushsecurity.com/",[1600],{"nodeType":236,"value":1601,"marks":1602,"data":1604},"detection evasion techniques",[1603],{"type":282},{},{"nodeType":236,"value":1606,"marks":1607,"data":1608}," we've come to associate with PhaaS kits in the AiTM space — using multiple redirects through trusted sites before serving the malicious page, using bot protection to block security tools from analyzing the page, and so on. 
It also uses a pop-up window for the device code entry rather than a redirect, reducing the friction for the victim (it looks pretty convincing, too).",[],{},{"nodeType":359,"data":1610,"content":1614},{"target":1611},{"sys":1612},{"id":1613,"type":364,"linkType":365},"73rNOIEDPfP5IJwpFaxVc2",[],{"nodeType":359,"data":1616,"content":1620},{"target":1617},{"sys":1618},{"id":1619,"type":364,"linkType":365},"5BJSvOQUW9UpsQtoDNtgTC",[],{"nodeType":359,"data":1622,"content":1626},{"target":1623},{"sys":1624},{"id":1625,"type":364,"linkType":365},"3dbePPxVb4h4SauGg3glIL",[],{"nodeType":359,"data":1628,"content":1632},{"target":1629},{"sys":1630},{"id":1631,"type":364,"linkType":365},"1UOLcmNQvOsL5tdLSVuviq",[],{"nodeType":359,"data":1634,"content":1638},{"target":1635},{"sys":1636},{"id":1637,"type":364,"linkType":365},"55XRqLSwUUi2D4ZVpJboml",[],{"nodeType":359,"data":1640,"content":1644},{"target":1641},{"sys":1642},{"id":1643,"type":364,"linkType":365},"5wg5yr2Lo8t3f72ZV815c",[],{"nodeType":359,"data":1646,"content":1650},{"target":1647},{"sys":1648},{"id":1649,"type":364,"linkType":365},"35cowlL6i3rkGXOGmSxlI1",[],{"nodeType":237,"data":1652,"content":1653},{},[1654],{"nodeType":236,"value":29,"marks":1655,"data":1656},[],{},{"nodeType":1658,"data":1659,"content":1660},"table",{},[1661,1687,1771,1823,1847],{"nodeType":1662,"data":1663,"content":1664},"table-row",{},[1665,1677],{"nodeType":1666,"data":1667,"content":1668},"table-cell",{},[1669],{"nodeType":237,"data":1670,"content":1671},{},[1672],{"nodeType":236,"value":1673,"marks":1674,"data":1676},"Frontend infrastructure",[1675],{"type":292},{},{"nodeType":1666,"data":1678,"content":1679},{},[1680],{"nodeType":237,"data":1681,"content":1682},{},[1683],{"nodeType":236,"value":1684,"marks":1685,"data":1686},"Workers.dev, vercel.app, github.io, fastly.net, 
edgeone.dev",[],{},{"nodeType":1662,"data":1688,"content":1689},{},[1690,1701],{"nodeType":1666,"data":1691,"content":1692},{},[1693],{"nodeType":237,"data":1694,"content":1695},{},[1696],{"nodeType":236,"value":1697,"marks":1698,"data":1700},"Backend infrastructure",[1699],{"type":292},{},{"nodeType":1666,"data":1702,"content":1703},{},[1704,1734],{"nodeType":237,"data":1705,"content":1706},{},[1707,1712,1716,1721,1725,1730],{"nodeType":236,"value":1708,"marks":1709,"data":1711},"Example IP: (V3) ",[1710],{"type":292},{},{"nodeType":236,"value":1713,"marks":1714,"data":1715},"162.220.232.71 (Railway AS400940) ",[],{},{"nodeType":236,"value":1717,"marks":1718,"data":1720},"(V2)",[1719],{"type":292},{},{"nodeType":236,"value":1722,"marks":1723,"data":1724}," 71.11.42.193 ",[],{},{"nodeType":236,"value":1726,"marks":1727,"data":1729},"(V1) ",[1728],{"type":292},{},{"nodeType":236,"value":1731,"marks":1732,"data":1733},"72.218.25.107",[],{},{"nodeType":237,"data":1735,"content":1736},{},[1737,1742,1746,1751,1755,1759,1763,1767],{"nodeType":236,"value":1738,"marks":1739,"data":1741},"Backend User Agent:",[1740],{"type":292},{},{"nodeType":236,"value":1743,"marks":1744,"data":1745}," ",[],{},{"nodeType":236,"value":1747,"marks":1748,"data":1750},"(V3) ",[1749],{"type":292},{},{"nodeType":236,"value":1752,"marks":1753,"data":1754},"node, ",[],{},{"nodeType":236,"value":1717,"marks":1756,"data":1758},[1757],{"type":292},{},{"nodeType":236,"value":1760,"marks":1761,"data":1762},", Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683 Safari/537.36 OPR/57.0.3098.91 ",[],{},{"nodeType":236,"value":1726,"marks":1764,"data":1766},[1765],{"type":292},{},{"nodeType":236,"value":1768,"marks":1769,"data":1770},"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 OPR/56.0.3051.52 
",[],{},{"nodeType":1662,"data":1772,"content":1773},{},[1774,1785],{"nodeType":1666,"data":1775,"content":1776},{},[1777],{"nodeType":237,"data":1778,"content":1779},{},[1780],{"nodeType":236,"value":1781,"marks":1782,"data":1784},"Network paths",[1783],{"type":292},{},{"nodeType":1666,"data":1786,"content":1787},{},[1788,1795,1802,1809,1816],{"nodeType":237,"data":1789,"content":1790},{},[1791],{"nodeType":236,"value":1792,"marks":1793,"data":1794},"/api/rate-limit ",[],{},{"nodeType":237,"data":1796,"content":1797},{},[1798],{"nodeType":236,"value":1799,"marks":1800,"data":1801},"/api/fingerprint ",[],{},{"nodeType":237,"data":1803,"content":1804},{},[1805],{"nodeType":236,"value":1806,"marks":1807,"data":1808},"/api/captcha-verify ",[],{},{"nodeType":237,"data":1810,"content":1811},{},[1812],{"nodeType":236,"value":1813,"marks":1814,"data":1815},"/api/init /api/generate-code ",[],{},{"nodeType":237,"data":1817,"content":1818},{},[1819],{"nodeType":236,"value":1820,"marks":1821,"data":1822},"/api/check-auth",[],{},{"nodeType":1662,"data":1824,"content":1825},{},[1826,1837],{"nodeType":1666,"data":1827,"content":1828},{},[1829],{"nodeType":237,"data":1830,"content":1831},{},[1832],{"nodeType":236,"value":1833,"marks":1834,"data":1836},"Lure themes",[1835],{"type":292},{},{"nodeType":1666,"data":1838,"content":1839},{},[1840],{"nodeType":237,"data":1841,"content":1842},{},[1843],{"nodeType":236,"value":1844,"marks":1845,"data":1846},"Various MS lures (e.g. 
Outlook, SharePoint, Teams) DocuSign, Adobe",[],{},{"nodeType":1662,"data":1848,"content":1849},{},[1850,1861],{"nodeType":1666,"data":1851,"content":1852},{},[1853],{"nodeType":237,"data":1854,"content":1855},{},[1856],{"nodeType":236,"value":1857,"marks":1858,"data":1860},"Example Domain",[1859],{"type":292},{},{"nodeType":1666,"data":1862,"content":1863},{},[1864,1876,1888,1900,1912],{"nodeType":237,"data":1865,"content":1866},{},[1867,1872],{"nodeType":236,"value":1868,"marks":1869,"data":1871},"Precursor A:",[1870],{"type":292},{},{"nodeType":236,"value":1873,"marks":1874,"data":1875}," teams-zpfvwnpxuc[.]edgeone.dev",[],{},{"nodeType":237,"data":1877,"content":1878},{},[1879,1884],{"nodeType":236,"value":1880,"marks":1881,"data":1883},"Precursor B: ",[1882],{"type":292},{},{"nodeType":236,"value":1885,"marks":1886,"data":1887},"authenticate-m365-accountsecurity-m-pi[.]vercel.app",[],{},{"nodeType":237,"data":1889,"content":1890},{},[1891,1896],{"nodeType":236,"value":1892,"marks":1893,"data":1895},"Courts Access: ",[1894],{"type":292},{},{"nodeType":236,"value":1897,"marks":1898,"data":1899},"secure-systems-validations-courts[.]vercel.app",[],{},{"nodeType":237,"data":1901,"content":1902},{},[1903,1908],{"nodeType":236,"value":1904,"marks":1905,"data":1907},"Early ANTIBOT:",[1906],{"type":292},{},{"nodeType":236,"value":1909,"marks":1910,"data":1911}," interface-auth-en-useast[.]global.ssl.fastly.net",[],{},{"nodeType":237,"data":1913,"content":1914},{},[1915,1920],{"nodeType":236,"value":1916,"marks":1917,"data":1919},"Production ANTIBOT: 
",[1918],{"type":292},{},{"nodeType":236,"value":1921,"marks":1922,"data":1923},"index-z059-document-pending-reviewsign-xlss7994824[.]awalizer[.]workers.dev",[],{},{"nodeType":339,"data":1925,"content":1926},{},[],{"nodeType":394,"data":1928,"content":1929},{},[1930],{"nodeType":236,"value":1931,"marks":1932,"data":1934},"“SHAREFILE”",[1933],{"type":292},{},{"nodeType":1658,"data":1936,"content":1937},{},[1938,1961,2000,2023,2046],{"nodeType":1662,"data":1939,"content":1940},{},[1941,1951],{"nodeType":1666,"data":1942,"content":1943},{},[1944],{"nodeType":237,"data":1945,"content":1946},{},[1947],{"nodeType":236,"value":1673,"marks":1948,"data":1950},[1949],{"type":292},{},{"nodeType":1666,"data":1952,"content":1953},{},[1954],{"nodeType":237,"data":1955,"content":1956},{},[1957],{"nodeType":236,"value":1958,"marks":1959,"data":1960},"No hosting markers visible.",[],{},{"nodeType":1662,"data":1962,"content":1963},{},[1964,1974],{"nodeType":1666,"data":1965,"content":1966},{},[1967],{"nodeType":237,"data":1968,"content":1969},{},[1970],{"nodeType":236,"value":1697,"marks":1971,"data":1973},[1972],{"type":292},{},{"nodeType":1666,"data":1975,"content":1976},{},[1977,1989],{"nodeType":237,"data":1978,"content":1979},{},[1980,1985],{"nodeType":236,"value":1981,"marks":1982,"data":1984},"Example IP:",[1983],{"type":292},{},{"nodeType":236,"value":1986,"marks":1987,"data":1988}," 147.45.60.47 (Global Connectivity Solutions LLP AS215540)",[],{},{"nodeType":237,"data":1990,"content":1991},{},[1992,1996],{"nodeType":236,"value":1738,"marks":1993,"data":1995},[1994],{"type":292},{},{"nodeType":236,"value":1997,"marks":1998,"data":1999}," 
node",[],{},{"nodeType":1662,"data":2001,"content":2002},{},[2003,2013],{"nodeType":1666,"data":2004,"content":2005},{},[2006],{"nodeType":237,"data":2007,"content":2008},{},[2009],{"nodeType":236,"value":1781,"marks":2010,"data":2012},[2011],{"type":292},{},{"nodeType":1666,"data":2014,"content":2015},{},[2016],{"nodeType":237,"data":2017,"content":2018},{},[2019],{"nodeType":236,"value":2020,"marks":2021,"data":2022},"POST /api/device/start  POST /api/device/poll",[],{},{"nodeType":1662,"data":2024,"content":2025},{},[2026,2036],{"nodeType":1666,"data":2027,"content":2028},{},[2029],{"nodeType":237,"data":2030,"content":2031},{},[2032],{"nodeType":236,"value":1833,"marks":2033,"data":2035},[2034],{"type":292},{},{"nodeType":1666,"data":2037,"content":2038},{},[2039],{"nodeType":237,"data":2040,"content":2041},{},[2042],{"nodeType":236,"value":2043,"marks":2044,"data":2045},"Citrix ShareFile document transfer — file card with sender info, expiry warning, download/preview buttons",[],{},{"nodeType":1662,"data":2047,"content":2048},{},[2049,2060],{"nodeType":1666,"data":2050,"content":2051},{},[2052],{"nodeType":237,"data":2053,"content":2054},{},[2055],{"nodeType":236,"value":2056,"marks":2057,"data":2059},"Example 
domain",[2058],{"type":292},{},{"nodeType":1666,"data":2061,"content":2062},{},[2063],{"nodeType":237,"data":2064,"content":2065},{},[2066],{"nodeType":236,"value":2067,"marks":2068,"data":2069},"cghdfg[.]vbchkioi[.]su",[],{},{"nodeType":359,"data":2071,"content":2075},{"target":2072},{"sys":2073},{"id":2074,"type":364,"linkType":365},"1TtZ6VsMSTlPvy7W996w9E",[],{"nodeType":339,"data":2077,"content":2078},{},[],{"nodeType":394,"data":2080,"content":2081},{},[2082],{"nodeType":236,"value":2083,"marks":2084,"data":2086},"“CLURE”",[2085],{"type":292},{},{"nodeType":1658,"data":2088,"content":2089},{},[2090,2113,2152,2175,2198],{"nodeType":1662,"data":2091,"content":2092},{},[2093,2103],{"nodeType":1666,"data":2094,"content":2095},{},[2096],{"nodeType":237,"data":2097,"content":2098},{},[2099],{"nodeType":236,"value":1673,"marks":2100,"data":2102},[2101],{"type":292},{},{"nodeType":1666,"data":2104,"content":2105},{},[2106],{"nodeType":237,"data":2107,"content":2108},{},[2109],{"nodeType":236,"value":2110,"marks":2111,"data":2112},"API on api.duemineral.uk:8443 and api.loadingdocuments.uk:8443 (rotates). 
",[],{},{"nodeType":1662,"data":2114,"content":2115},{},[2116,2126],{"nodeType":1666,"data":2117,"content":2118},{},[2119],{"nodeType":237,"data":2120,"content":2121},{},[2122],{"nodeType":236,"value":1697,"marks":2123,"data":2125},[2124],{"type":292},{},{"nodeType":1666,"data":2127,"content":2128},{},[2129,2141],{"nodeType":237,"data":2130,"content":2131},{},[2132,2137],{"nodeType":236,"value":2133,"marks":2134,"data":2136},"Example IP: ",[2135],{"type":292},{},{"nodeType":236,"value":2138,"marks":2139,"data":2140},"162.243.166.119 (DigitalOcean AS14061)",[],{},{"nodeType":237,"data":2142,"content":2143},{},[2144,2148],{"nodeType":236,"value":1738,"marks":2145,"data":2147},[2146],{"type":292},{},{"nodeType":236,"value":2149,"marks":2150,"data":2151}," python-requests/2.32.5",[],{},{"nodeType":1662,"data":2153,"content":2154},{},[2155,2165],{"nodeType":1666,"data":2156,"content":2157},{},[2158],{"nodeType":237,"data":2159,"content":2160},{},[2161],{"nodeType":236,"value":1781,"marks":2162,"data":2164},[2163],{"type":292},{},{"nodeType":1666,"data":2166,"content":2167},{},[2168],{"nodeType":237,"data":2169,"content":2170},{},[2171],{"nodeType":236,"value":2172,"marks":2173,"data":2174},"GET /api/status/{numeric_SID} (port :8443)",[],{},{"nodeType":1662,"data":2176,"content":2177},{},[2178,2188],{"nodeType":1666,"data":2179,"content":2180},{},[2181],{"nodeType":237,"data":2182,"content":2183},{},[2184],{"nodeType":236,"value":1833,"marks":2185,"data":2187},[2186],{"type":292},{},{"nodeType":1666,"data":2189,"content":2190},{},[2191],{"nodeType":237,"data":2192,"content":2193},{},[2194],{"nodeType":236,"value":2195,"marks":2196,"data":2197},"SharePoint \"Team Site\" doc library, SharePoint \"Shared Document\" individual 
share",[],{},{"nodeType":1662,"data":2199,"content":2200},{},[2201,2211],{"nodeType":1666,"data":2202,"content":2203},{},[2204],{"nodeType":237,"data":2205,"content":2206},{},[2207],{"nodeType":236,"value":2056,"marks":2208,"data":2210},[2209],{"type":292},{},{"nodeType":1666,"data":2212,"content":2213},{},[2214],{"nodeType":237,"data":2215,"content":2216},{},[2217],{"nodeType":236,"value":2218,"marks":2219,"data":2220},"auth[.]duemineral[.]uk",[],{},{"nodeType":359,"data":2222,"content":2226},{"target":2223},{"sys":2224},{"id":2225,"type":364,"linkType":365},"3DAm11OYudNrqbL6pda5S1",[],{"nodeType":339,"data":2228,"content":2229},{},[],{"nodeType":394,"data":2231,"content":2232},{},[2233],{"nodeType":236,"value":2234,"marks":2235,"data":2237},"“LINKID”",[2236],{"type":292},{},{"nodeType":1658,"data":2239,"content":2240},{},[2241,2264,2309,2339,2362],{"nodeType":1662,"data":2242,"content":2243},{},[2244,2254],{"nodeType":1666,"data":2245,"content":2246},{},[2247],{"nodeType":237,"data":2248,"content":2249},{},[2250],{"nodeType":236,"value":1673,"marks":2251,"data":2253},[2252],{"type":292},{},{"nodeType":1666,"data":2255,"content":2256},{},[2257],{"nodeType":237,"data":2258,"content":2259},{},[2260],{"nodeType":236,"value":2261,"marks":2262,"data":2263},"Adobe variant has Cloudflare challenge-platform iframe (CF-protected origin). 
Relative API paths — self-hosted.",[],{},{"nodeType":1662,"data":2265,"content":2266},{},[2267,2277],{"nodeType":1666,"data":2268,"content":2269},{},[2270],{"nodeType":237,"data":2271,"content":2272},{},[2273],{"nodeType":236,"value":1697,"marks":2274,"data":2276},[2275],{"type":292},{},{"nodeType":1666,"data":2278,"content":2279},{},[2280,2291,2298],{"nodeType":237,"data":2281,"content":2282},{},[2283,2287],{"nodeType":236,"value":2133,"marks":2284,"data":2286},[2285],{"type":292},{},{"nodeType":236,"value":2288,"marks":2289,"data":2290},"185.176.220.22 (2cloud.eu AS39845)",[],{},{"nodeType":237,"data":2292,"content":2293},{},[2294],{"nodeType":236,"value":2295,"marks":2296,"data":2297},"2600:1f10:470d:9a00:1437:ec30:be61:3494 (AWS AS16509)",[],{},{"nodeType":237,"data":2299,"content":2300},{},[2301,2305],{"nodeType":236,"value":1738,"marks":2302,"data":2304},[2303],{"type":292},{},{"nodeType":236,"value":2306,"marks":2307,"data":2308}," axios/1.10.0 , axios/1.13.6",[],{},{"nodeType":1662,"data":2310,"content":2311},{},[2312,2322],{"nodeType":1666,"data":2313,"content":2314},{},[2315],{"nodeType":237,"data":2316,"content":2317},{},[2318],{"nodeType":236,"value":1781,"marks":2319,"data":2321},[2320],{"type":292},{},{"nodeType":1666,"data":2323,"content":2324},{},[2325,2332],{"nodeType":237,"data":2326,"content":2327},{},[2328],{"nodeType":236,"value":2329,"marks":2330,"data":2331},"POST /api/device/start",[],{},{"nodeType":237,"data":2333,"content":2334},{},[2335],{"nodeType":236,"value":2336,"marks":2337,"data":2338},"GET 
/api/device/status/{sessionId}",[],{},{"nodeType":1662,"data":2340,"content":2341},{},[2342,2352],{"nodeType":1666,"data":2343,"content":2344},{},[2345],{"nodeType":237,"data":2346,"content":2347},{},[2348],{"nodeType":236,"value":1833,"marks":2349,"data":2351},[2350],{"type":292},{},{"nodeType":1666,"data":2353,"content":2354},{},[2355],{"nodeType":237,"data":2356,"content":2357},{},[2358],{"nodeType":236,"value":2359,"marks":2360,"data":2361},"MS Teams meeting invitation (with interactive date/time picker), Adobe Acrobat Sign document review",[],{},{"nodeType":1662,"data":2363,"content":2364},{},[2365,2375],{"nodeType":1666,"data":2366,"content":2367},{},[2368],{"nodeType":237,"data":2369,"content":2370},{},[2371],{"nodeType":236,"value":2056,"marks":2372,"data":2374},[2373],{"type":292},{},{"nodeType":1666,"data":2376,"content":2377},{},[2378],{"nodeType":237,"data":2379,"content":2380},{},[2381],{"nodeType":236,"value":2382,"marks":2383,"data":2384},"sdtr-site[.]cfd",[],{},{"nodeType":359,"data":2386,"content":2390},{"target":2387},{"sys":2388},{"id":2389,"type":364,"linkType":365},"22hsIzlkptC2JTIUtbOuUn",[],{"nodeType":339,"data":2392,"content":2393},{},[],{"nodeType":394,"data":2395,"content":2396},{},[2397],{"nodeType":236,"value":2398,"marks":2399,"data":2401},"“AUTHOV”",[2400],{"type":292},{},{"nodeType":1658,"data":2403,"content":2404},{},[2405,2428,2474,2497,2520],{"nodeType":1662,"data":2406,"content":2407},{},[2408,2418],{"nodeType":1666,"data":2409,"content":2410},{},[2411],{"nodeType":237,"data":2412,"content":2413},{},[2414],{"nodeType":236,"value":1673,"marks":2415,"data":2417},[2416],{"type":292},{},{"nodeType":1666,"data":2419,"content":2420},{},[2421],{"nodeType":237,"data":2422,"content":2423},{},[2424],{"nodeType":236,"value":2425,"marks":2426,"data":2427},"workers.dev",[],{},{"nodeType":1662,"data":2429,"content":2430},{},[2431,2441],{"nodeType":1666,"data":2432,"content":2433},{},[2434],{"nodeType":237,"data":2435,"content":2436},{},[2437],{
"nodeType":236,"value":1697,"marks":2438,"data":2440},[2439],{"type":292},{},{"nodeType":1666,"data":2442,"content":2443},{},[2444,2455],{"nodeType":237,"data":2445,"content":2446},{},[2447,2451],{"nodeType":236,"value":2133,"marks":2448,"data":2450},[2449],{"type":292},{},{"nodeType":236,"value":2452,"marks":2453,"data":2454},"192.3.225.100 (HostPapa / ColoCrossing AS36352)",[],{},{"nodeType":237,"data":2456,"content":2457},{},[2458,2462,2465,2470],{"nodeType":236,"value":1738,"marks":2459,"data":2461},[2460],{"type":292},{},{"nodeType":236,"value":1743,"marks":2463,"data":2464},[],{},{"nodeType":236,"value":2466,"marks":2467,"data":2469}," ",[2468],{"type":292},{},{"nodeType":236,"value":2471,"marks":2472,"data":2473},"python-httpx/0.28.1",[],{},{"nodeType":1662,"data":2475,"content":2476},{},[2477,2487],{"nodeType":1666,"data":2478,"content":2479},{},[2480],{"nodeType":237,"data":2481,"content":2482},{},[2483],{"nodeType":236,"value":1781,"marks":2484,"data":2486},[2485],{"type":292},{},{"nodeType":1666,"data":2488,"content":2489},{},[2490],{"nodeType":237,"data":2491,"content":2492},{},[2493],{"nodeType":236,"value":2494,"marks":2495,"data":2496},"GET /landing/api/session-status?session_id=&token=",[],{},{"nodeType":1662,"data":2498,"content":2499},{},[2500,2510],{"nodeType":1666,"data":2501,"content":2502},{},[2503],{"nodeType":237,"data":2504,"content":2505},{},[2506],{"nodeType":236,"value":1833,"marks":2507,"data":2509},[2508],{"type":292},{},{"nodeType":1666,"data":2511,"content":2512},{},[2513],{"nodeType":237,"data":2514,"content":2515},{},[2516],{"nodeType":236,"value":2517,"marks":2518,"data":2519},"Adobe Acrobat document sharing (PDF preview, sender 
avatar)",[],{},{"nodeType":1662,"data":2521,"content":2522},{},[2523,2533],{"nodeType":1666,"data":2524,"content":2525},{},[2526],{"nodeType":237,"data":2527,"content":2528},{},[2529],{"nodeType":236,"value":2056,"marks":2530,"data":2532},[2531],{"type":292},{},{"nodeType":1666,"data":2534,"content":2535},{},[2536],{"nodeType":237,"data":2537,"content":2538},{},[2539],{"nodeType":236,"value":2540,"marks":2541,"data":2542},"milosh-solibella-0dcio[.]sgttommy.workers.dev",[],{},{"nodeType":359,"data":2544,"content":2548},{"target":2545},{"sys":2546},{"id":2547,"type":364,"linkType":365},"6szO6IKJ32usyxIKX1efZy",[],{"nodeType":339,"data":2550,"content":2551},{},[],{"nodeType":394,"data":2553,"content":2554},{},[2555],{"nodeType":236,"value":2556,"marks":2557,"data":2559},"“DOCUPOLL”",[2558],{"type":292},{},{"nodeType":1658,"data":2561,"content":2562},{},[2563,2586,2624,2661,2684],{"nodeType":1662,"data":2564,"content":2565},{},[2566,2576],{"nodeType":1666,"data":2567,"content":2568},{},[2569],{"nodeType":237,"data":2570,"content":2571},{},[2572],{"nodeType":236,"value":1673,"marks":2573,"data":2575},[2574],{"type":292},{},{"nodeType":1666,"data":2577,"content":2578},{},[2579],{"nodeType":237,"data":2580,"content":2581},{},[2582],{"nodeType":236,"value":2583,"marks":2584,"data":2585},"Github.io and workers.dev hosting",[],{},{"nodeType":1662,"data":2587,"content":2588},{},[2589,2599],{"nodeType":1666,"data":2590,"content":2591},{},[2592],{"nodeType":237,"data":2593,"content":2594},{},[2595],{"nodeType":236,"value":1697,"marks":2596,"data":2598},[2597],{"type":292},{},{"nodeType":1666,"data":2600,"content":2601},{},[2602,2613],{"nodeType":237,"data":2603,"content":2604},{},[2605,2609],{"nodeType":236,"value":2133,"marks":2606,"data":2608},[2607],{"type":292},{},{"nodeType":236,"value":2610,"marks":2611,"data":2612},"144.172.103.240 (FranTech Solutions / RouterHosting / Cloudzy 
AS14956)",[],{},{"nodeType":237,"data":2614,"content":2615},{},[2616,2620],{"nodeType":236,"value":1738,"marks":2617,"data":2619},[2618],{"type":292},{},{"nodeType":236,"value":2621,"marks":2622,"data":2623}," Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19042",[],{},{"nodeType":1662,"data":2625,"content":2626},{},[2627,2637],{"nodeType":1666,"data":2628,"content":2629},{},[2630],{"nodeType":237,"data":2631,"content":2632},{},[2633],{"nodeType":236,"value":1781,"marks":2634,"data":2636},[2635],{"type":292},{},{"nodeType":1666,"data":2638,"content":2639},{},[2640,2647,2654],{"nodeType":237,"data":2641,"content":2642},{},[2643],{"nodeType":236,"value":2644,"marks":2645,"data":2646},"POST /api/v1/landing-pages/public/{slug}/init",[],{},{"nodeType":237,"data":2648,"content":2649},{},[2650],{"nodeType":236,"value":2651,"marks":2652,"data":2653},"POST .../poll",[],{},{"nodeType":237,"data":2655,"content":2656},{},[2657],{"nodeType":236,"value":2658,"marks":2659,"data":2660},"POST .../track",[],{},{"nodeType":1662,"data":2662,"content":2663},{},[2664,2674],{"nodeType":1666,"data":2665,"content":2666},{},[2667],{"nodeType":237,"data":2668,"content":2669},{},[2670],{"nodeType":236,"value":1833,"marks":2671,"data":2673},[2672],{"type":292},{},{"nodeType":1666,"data":2675,"content":2676},{},[2677],{"nodeType":237,"data":2678,"content":2679},{},[2680],{"nodeType":236,"value":2681,"marks":2682,"data":2683},"DocuSign document signing. 
One sample is a full scrape of real docusign.com (free-account page) with kit injected.",[],{},{"nodeType":1662,"data":2685,"content":2686},{},[2687,2697],{"nodeType":1666,"data":2688,"content":2689},{},[2690],{"nodeType":237,"data":2691,"content":2692},{},[2693],{"nodeType":236,"value":2056,"marks":2694,"data":2696},[2695],{"type":292},{},{"nodeType":1666,"data":2698,"content":2699},{},[2700],{"nodeType":237,"data":2701,"content":2702},{},[2703],{"nodeType":236,"value":2704,"marks":2705,"data":2706},"docufirmar[.]github.io",[],{},{"nodeType":359,"data":2708,"content":2712},{"target":2709},{"sys":2710},{"id":2711,"type":364,"linkType":365},"6Y1XABHnQD82R3MW80HnQZ",[],{"nodeType":339,"data":2714,"content":2715},{},[],{"nodeType":394,"data":2717,"content":2718},{},[2719],{"nodeType":236,"value":2720,"marks":2721,"data":2723},"“FLOW_TOKEN”",[2722],{"type":292},{},{"nodeType":1658,"data":2725,"content":2726},{},[2727,2749,2794,2824,2847],{"nodeType":1662,"data":2728,"content":2729},{},[2730,2740],{"nodeType":1666,"data":2731,"content":2732},{},[2733],{"nodeType":237,"data":2734,"content":2735},{},[2736],{"nodeType":236,"value":1673,"marks":2737,"data":2739},[2738],{"type":292},{},{"nodeType":1666,"data":2741,"content":2742},{},[2743],{"nodeType":237,"data":2744,"content":2745},{},[2746],{"nodeType":236,"value":2425,"marks":2747,"data":2748},[],{},{"nodeType":1662,"data":2750,"content":2751},{},[2752,2762],{"nodeType":1666,"data":2753,"content":2754},{},[2755],{"nodeType":237,"data":2756,"content":2757},{},[2758],{"nodeType":236,"value":1697,"marks":2759,"data":2761},[2760],{"type":292},{},{"nodeType":1666,"data":2763,"content":2764},{},[2765,2776],{"nodeType":237,"data":2766,"content":2767},{},[2768,2772],{"nodeType":236,"value":2133,"marks":2769,"data":2771},[2770],{"type":292},{},{"nodeType":236,"value":2773,"marks":2774,"data":2775},"43.166.163.163 (Tencent Cloud 
AS132203)",[],{},{"nodeType":237,"data":2777,"content":2778},{},[2779,2783,2786,2790],{"nodeType":236,"value":1738,"marks":2780,"data":2782},[2781],{"type":292},{},{"nodeType":236,"value":1743,"marks":2784,"data":2785},[],{},{"nodeType":236,"value":2466,"marks":2787,"data":2789},[2788],{"type":292},{},{"nodeType":236,"value":2791,"marks":2792,"data":2793},"(null)",[],{},{"nodeType":1662,"data":2795,"content":2796},{},[2797,2807],{"nodeType":1666,"data":2798,"content":2799},{},[2800],{"nodeType":237,"data":2801,"content":2802},{},[2803],{"nodeType":236,"value":1781,"marks":2804,"data":2806},[2805],{"type":292},{},{"nodeType":1666,"data":2808,"content":2809},{},[2810,2817],{"nodeType":237,"data":2811,"content":2812},{},[2813],{"nodeType":236,"value":2814,"marks":2815,"data":2816},"POST /api/handler.php ",[],{},{"nodeType":237,"data":2818,"content":2819},{},[2820],{"nodeType":236,"value":2821,"marks":2822,"data":2823},"(actions: device_code_generate, device_code_poll_public)",[],{},{"nodeType":1662,"data":2825,"content":2826},{},[2827,2837],{"nodeType":1666,"data":2828,"content":2829},{},[2830],{"nodeType":237,"data":2831,"content":2832},{},[2833],{"nodeType":236,"value":1833,"marks":2834,"data":2836},[2835],{"type":292},{},{"nodeType":1666,"data":2838,"content":2839},{},[2840],{"nodeType":237,"data":2841,"content":2842},{},[2843],{"nodeType":236,"value":2844,"marks":2845,"data":2846},"DocuSign \"Salary Adjustment Document — 2026\", Microsoft banner · HR Department 
sender",[],{},{"nodeType":1662,"data":2848,"content":2849},{},[2850,2860],{"nodeType":1666,"data":2851,"content":2852},{},[2853],{"nodeType":237,"data":2854,"content":2855},{},[2856],{"nodeType":236,"value":2056,"marks":2857,"data":2859},[2858],{"type":292},{},{"nodeType":1666,"data":2861,"content":2862},{},[2863],{"nodeType":237,"data":2864,"content":2865},{},[2866],{"nodeType":236,"value":2867,"marks":2868,"data":2869},"salaryadjustment-2afb52.pmb6fefc52b3f9aa5c2dbf[.]workers.dev",[],{},{"nodeType":359,"data":2871,"content":2875},{"target":2872},{"sys":2873},{"id":2874,"type":364,"linkType":365},"6xiTDHStbiJh7LMhjAZcPd",[],{"nodeType":339,"data":2877,"content":2878},{},[],{"nodeType":394,"data":2880,"content":2881},{},[2882],{"nodeType":236,"value":2883,"marks":2884,"data":2886},"“PAPRIKA”",[2885],{"type":292},{},{"nodeType":1658,"data":2888,"content":2889},{},[2890,2913,2936,2959],{"nodeType":1662,"data":2891,"content":2892},{},[2893,2903],{"nodeType":1666,"data":2894,"content":2895},{},[2896],{"nodeType":237,"data":2897,"content":2898},{},[2899],{"nodeType":236,"value":1673,"marks":2900,"data":2902},[2901],{"type":292},{},{"nodeType":1666,"data":2904,"content":2905},{},[2906],{"nodeType":237,"data":2907,"content":2908},{},[2909],{"nodeType":236,"value":2910,"marks":2911,"data":2912},"AWS S3 hosting",[],{},{"nodeType":1662,"data":2914,"content":2915},{},[2916,2926],{"nodeType":1666,"data":2917,"content":2918},{},[2919],{"nodeType":237,"data":2920,"content":2921},{},[2922],{"nodeType":236,"value":1781,"marks":2923,"data":2925},[2924],{"type":292},{},{"nodeType":1666,"data":2927,"content":2928},{},[2929],{"nodeType":237,"data":2930,"content":2931},{},[2932],{"nodeType":236,"value":2933,"marks":2934,"data":2935},"POST 
/api/v1/loader",[],{},{"nodeType":1662,"data":2937,"content":2938},{},[2939,2949],{"nodeType":1666,"data":2940,"content":2941},{},[2942],{"nodeType":237,"data":2943,"content":2944},{},[2945],{"nodeType":236,"value":1833,"marks":2946,"data":2948},[2947],{"type":292},{},{"nodeType":1666,"data":2950,"content":2951},{},[2952],{"nodeType":237,"data":2953,"content":2954},{},[2955],{"nodeType":236,"value":2956,"marks":2957,"data":2958},"MS login clone (\"Sign in to your account\"), \"Office 365\" branding, fake \"Powered by Okta\" footer",[],{},{"nodeType":1662,"data":2960,"content":2961},{},[2962,2972],{"nodeType":1666,"data":2963,"content":2964},{},[2965],{"nodeType":237,"data":2966,"content":2967},{},[2968],{"nodeType":236,"value":2056,"marks":2969,"data":2971},[2970],{"type":292},{},{"nodeType":1666,"data":2973,"content":2974},{},[2975],{"nodeType":237,"data":2976,"content":2977},{},[2978],{"nodeType":236,"value":2979,"marks":2980,"data":2981},"redirect-523346-d95027ec[.]s3.amazonaws.com",[],{},{"nodeType":359,"data":2983,"content":2987},{"target":2984},{"sys":2985},{"id":2986,"type":364,"linkType":365},"6WFXqUDzcJHKWSwVIcDZAf",[],{"nodeType":339,"data":2989,"content":2990},{},[],{"nodeType":394,"data":2992,"content":2993},{},[2994],{"nodeType":236,"value":2995,"marks":2996,"data":2998},"“DCSTATUS”",[2997],{"type":292},{},{"nodeType":1658,"data":3000,"content":3001},{},[3002,3024,3047,3070],{"nodeType":1662,"data":3003,"content":3004},{},[3005,3015],{"nodeType":1666,"data":3006,"content":3007},{},[3008],{"nodeType":237,"data":3009,"content":3010},{},[3011],{"nodeType":236,"value":1673,"marks":3012,"data":3014},[3013],{"type":292},{},{"nodeType":1666,"data":3016,"content":3017},{},[3018],{"nodeType":237,"data":3019,"content":3020},{},[3021],{"nodeType":236,"value":1958,"marks":3022,"data":3023},[],{},{"nodeType":1662,"data":3025,"content":3026},{},[3027,3037],{"nodeType":1666,"data":3028,"content":3029},{},[3030],{"nodeType":237,"data":3031,"content":3032},{},[3033],{"n
odeType":236,"value":1781,"marks":3034,"data":3036},[3035],{"type":292},{},{"nodeType":1666,"data":3038,"content":3039},{},[3040],{"nodeType":237,"data":3041,"content":3042},{},[3043],{"nodeType":236,"value":3044,"marks":3045,"data":3046},"GET /dc/status/{base64url_sid}",[],{},{"nodeType":1662,"data":3048,"content":3049},{},[3050,3060],{"nodeType":1666,"data":3051,"content":3052},{},[3053],{"nodeType":237,"data":3054,"content":3055},{},[3056],{"nodeType":236,"value":1833,"marks":3057,"data":3059},[3058],{"type":292},{},{"nodeType":1666,"data":3061,"content":3062},{},[3063],{"nodeType":237,"data":3064,"content":3065},{},[3066],{"nodeType":236,"value":3067,"marks":3068,"data":3069},"Generic \"Microsoft 365 - Secure Access\" verification page",[],{},{"nodeType":1662,"data":3071,"content":3072},{},[3073,3083],{"nodeType":1666,"data":3074,"content":3075},{},[3076],{"nodeType":237,"data":3077,"content":3078},{},[3079],{"nodeType":236,"value":2056,"marks":3080,"data":3082},[3081],{"type":292},{},{"nodeType":1666,"data":3084,"content":3085},{},[3086],{"nodeType":237,"data":3087,"content":3088},{},[3089],{"nodeType":236,"value":3090,"marks":3091,"data":3092},"owa[.]apmmacleans[.]ca",[],{},{"nodeType":359,"data":3094,"content":3098},{"target":3095},{"sys":3096},{"id":3097,"type":364,"linkType":365},"ugYhHeXY1lQdKooALmrIs",[],{"nodeType":339,"data":3100,"content":3101},{},[],{"nodeType":394,"data":3103,"content":3104},{},[3105],{"nodeType":236,"value":3106,"marks":3107,"data":3109},"“DOLCE”",[3108],{"type":292},{},{"nodeType":359,"data":3111,"content":3115},{"target":3112},{"sys":3113},{"id":3114,"type":364,"linkType":365},"7TzU6kk01Un45NB0buEz2",[],{"nodeType":1658,"data":3117,"content":3118},{},[3119,3142,3180,3203,3226],{"nodeType":1662,"data":3120,"content":3121},{},[3122,3132],{"nodeType":1666,"data":3123,"content":3124},{},[3125],{"nodeType":237,"data":3126,"content":3127},{},[3128],{"nodeType":236,"value":1673,"marks":3129,"data":3131},[3130],{"type":292},{},{"nodeType"
:1666,"data":3133,"content":3134},{},[3135],{"nodeType":237,"data":3136,"content":3137},{},[3138],{"nodeType":236,"value":3139,"marks":3140,"data":3141},"Microsoft PowerApps hosting",[],{},{"nodeType":1662,"data":3143,"content":3144},{},[3145,3155],{"nodeType":1666,"data":3146,"content":3147},{},[3148],{"nodeType":237,"data":3149,"content":3150},{},[3151],{"nodeType":236,"value":1697,"marks":3152,"data":3154},[3153],{"type":292},{},{"nodeType":1666,"data":3156,"content":3157},{},[3158,3169],{"nodeType":237,"data":3159,"content":3160},{},[3161,3165],{"nodeType":236,"value":2133,"marks":3162,"data":3164},[3163],{"type":292},{},{"nodeType":236,"value":3166,"marks":3167,"data":3168},"34.53.159.84 (Google Cloud AS396982)",[],{},{"nodeType":237,"data":3170,"content":3171},{},[3172,3176],{"nodeType":236,"value":1738,"marks":3173,"data":3175},[3174],{"type":292},{},{"nodeType":236,"value":3177,"marks":3178,"data":3179}," Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",[],{},{"nodeType":1662,"data":3181,"content":3182},{},[3183,3193],{"nodeType":1666,"data":3184,"content":3185},{},[3186],{"nodeType":237,"data":3187,"content":3188},{},[3189],{"nodeType":236,"value":1781,"marks":3190,"data":3192},[3191],{"type":292},{},{"nodeType":1666,"data":3194,"content":3195},{},[3196],{"nodeType":237,"data":3197,"content":3198},{},[3199],{"nodeType":236,"value":3200,"marks":3201,"data":3202},"GET /api/generatecode (CloudFront)",[],{},{"nodeType":1662,"data":3204,"content":3205},{},[3206,3216],{"nodeType":1666,"data":3207,"content":3208},{},[3209],{"nodeType":237,"data":3210,"content":3211},{},[3212],{"nodeType":236,"value":1833,"marks":3213,"data":3215},[3214],{"type":292},{},{"nodeType":1666,"data":3217,"content":3218},{},[3219],{"nodeType":237,"data":3220,"content":3221},{},[3222],{"nodeType":236,"value":3223,"marks":3224,"data":3225},"Dolce & Gabbana branded, Italian language, MS account 
verification",[],{},{"nodeType":1662,"data":3227,"content":3228},{},[3229,3239],{"nodeType":1666,"data":3230,"content":3231},{},[3232],{"nodeType":237,"data":3233,"content":3234},{},[3235],{"nodeType":236,"value":2056,"marks":3236,"data":3238},[3237],{"type":292},{},{"nodeType":1666,"data":3240,"content":3241},{},[3242],{"nodeType":237,"data":3243,"content":3244},{},[3245],{"nodeType":236,"value":3246,"marks":3247,"data":3248},"data-migration-dolcegabbana[.]powerappsportals.com",[],{},{"nodeType":359,"data":3250,"content":3254},{"target":3251},{"sys":3252},{"id":3253,"type":364,"linkType":365},"4ayQDvpf5NNOBrj9wZZRiO",[],{"nodeType":3256,"data":3257,"content":3258},"blockquote",{},[3259],{"nodeType":237,"data":3260,"content":3261},{},[3262],{"nodeType":236,"value":3263,"marks":3264,"data":3265},"Clearly, device code phishing has entered mainstream adoption and we should be prepared for a lot more of it in future. So how does it work, and why is it so effective?",[],{},{"nodeType":339,"data":3267,"content":3268},{},[],{"nodeType":343,"data":3270,"content":3271},{},[3272],{"nodeType":236,"value":3273,"marks":3274,"data":3276},"Device code phishing under the hood",[3275],{"type":292},{},{"nodeType":237,"data":3278,"content":3279},{},[3280,3284],{"nodeType":236,"value":3281,"marks":3282,"data":3283},"The attacker POSTs to the authorization server's device authorization endpoint with its client_id (i.e. an application ID) and requested scopes or resources. The server responds with a device_code (used for polling), a user_code, a verification_uri, an expires_in value, and a polling interval. The user visits the URL, enters the code and approves the request. Meanwhile, the attacker's client (acting as the device) polls the token endpoint. Once approved, the server returns an access token, a refresh token (if offline_access was requested), and an ID token (if openid was included). ",[],{},{"nodeType":236,"value":3285,"marks":3286,"data":3288},"The attacker now has API access to the victim's account. 
",[3287],{"type":292},{},{"nodeType":237,"data":3290,"content":3291},{},[3292],{"nodeType":236,"value":3293,"marks":3294,"data":3295},"Broadly, this gives the attacker a comparable level of control to a “normal” phishing attack (with conditions based on the scopes granted and specific app being targeted) while API access grants additional capabilities beyond standard browser sessions. When combined with other techniques, this access can be exchanged to open normal browser app sessions and access SSO connected apps.",[],{},{"nodeType":359,"data":3297,"content":3301},{"target":3298},{"sys":3299},{"id":3300,"type":364,"linkType":365},"4WtQR2xsE236yoyhSXj58Z",[],{"nodeType":359,"data":3303,"content":3307},{"target":3304},{"sys":3305},{"id":3306,"type":364,"linkType":365},"1x7Lip7JdY2xlHKKurT7qJ",[],{"nodeType":237,"data":3309,"content":3310},{},[3311],{"nodeType":236,"value":3312,"marks":3313,"data":3314},"At this point, you can achieve a number of objectives both inside the app ecosystem and across SSO connected apps — e.g. data theft, disruption, and ultimately extortion.",[],{},{"nodeType":237,"data":3316,"content":3317},{},[3318,3322,3327,3331],{"nodeType":236,"value":3319,"marks":3320,"data":3321},"Critically, the initial request to generate a device code is typically ",[],{},{"nodeType":236,"value":3323,"marks":3324,"data":3326},"unauthenticated",[3325],{"type":292},{},{"nodeType":236,"value":3328,"marks":3329,"data":3330}," across all providers — ",[],{},{"nodeType":236,"value":3332,"marks":3333,"data":3335},"anyone can generate one, from any machine, without proving any relationship to the target organization.",[3334],{"type":292},{},{"nodeType":237,"data":3337,"content":3338},{},[3339,3343,3348],{"nodeType":236,"value":3340,"marks":3341,"data":3342},"So, the attacker has to deliver a set of instructions via a phishing channel (e.g. email, social media DM, corp IM platform, and so on) with a device code that they have generated. 
The victim then enters this code on the ",[],{},{"nodeType":236,"value":3344,"marks":3345,"data":3347},"legitimate device code login page",[3346],{"type":292},{},{"nodeType":236,"value":3349,"marks":3350,"data":3351}," for that app and approves the request, and the authorization server then issues the tokens to the attacker.",[],{},{"nodeType":359,"data":3353,"content":3357},{"target":3354},{"sys":3355},{"id":3356,"type":364,"linkType":365},"1txUYuQjH9FlbDGTo8AbZB",[],{"nodeType":339,"data":3359,"content":3360},{},[],{"nodeType":343,"data":3362,"content":3363},{},[3364],{"nodeType":236,"value":3365,"marks":3366,"data":3368},"Why device code phishing is so dangerous",[3367],{"type":292},{},{"nodeType":394,"data":3370,"content":3371},{},[3372],{"nodeType":236,"value":3373,"marks":3374,"data":3376},"Device code phishing bypasses authentication controls (including passkeys)",[3375],{"type":292},{},{"nodeType":237,"data":3378,"content":3379},{},[3380,3384,3389,3393],{"nodeType":236,"value":3381,"marks":3382,"data":3383},"A device code phishing attack ",[],{},{"nodeType":236,"value":3385,"marks":3386,"data":3388},"cannot be prevented with authentication controls",[3387],{"type":292},{},{"nodeType":236,"value":3390,"marks":3391,"data":3392},". This includes all forms of MFA and ",[],{},{"nodeType":236,"value":3394,"marks":3395,"data":3397},"even “phishing-resistant” authentication methods such as passkeys. ",[3396],{"type":292},{},{"nodeType":237,"data":3399,"content":3400},{},[3401,3406,3410,3415],{"nodeType":236,"value":3402,"marks":3403,"data":3405},"The device code authorization is effectively performed post-authentication. ",[3404],{"type":292},{},{"nodeType":236,"value":3407,"marks":3408,"data":3409},"If you already have an active session in your browser, entering the device code and selecting your account from a drop-down menu is all that's needed. ",[],{},{"nodeType":236,"value":3411,"marks":3412,"data":3414},"No password or MFA required. 
",[3413],{"type":292},{},{"nodeType":236,"value":3416,"marks":3417,"data":3418},"You can see an example in the video below.",[],{},{"nodeType":359,"data":3420,"content":3423},{"target":3421},{"sys":3422},{"id":2711,"type":364,"linkType":365},[],{"nodeType":237,"data":3425,"content":3426},{},[3427],{"nodeType":236,"value":3428,"marks":3429,"data":3430},"Even if you do have to sign in again (because you're not already signed in for some reason), the attack still works because it isn't targeting the login — it's targeting the authorization layer instead.",[],{},{"nodeType":237,"data":3432,"content":3433},{},[3434],{"nodeType":236,"value":3435,"marks":3436,"data":3437},"This is what makes device code phishing different to other standard phishing methods like AiTM phishing (and arguably even more effective in environments with strict identity control enforcement). ",[],{},{"nodeType":394,"data":3439,"content":3440},{},[3441],{"nodeType":236,"value":3442,"marks":3443,"data":3445},"Device code logins are a feature, not a vulnerability, making attacks difficult to block",[3444],{"type":292},{},{"nodeType":237,"data":3447,"content":3448},{},[3449],{"nodeType":236,"value":3450,"marks":3451,"data":3452},"Device code authorization is a legitimate mechanism regularly used in enterprise environments, particularly for CLI logins. Tools like Azure CLI, GitHub CLI, and AWS CLI all use (or have used) the device code flow as a primary or fallback authentication method. This creates a dual problem for defenders. ",[],{},{"nodeType":237,"data":3454,"content":3455},{},[3456],{"nodeType":236,"value":3457,"marks":3458,"data":3459},"First, the phishing attack happens entirely on a legitimate site — there's no fake login page, no malicious payload to scan for, and the URL in the browser is genuine. 
Since there's no traditional phishing content being delivered, these attacks are more resistant to detection by email and network security tools.",[],{},{"nodeType":237,"data":3461,"content":3462},{},[3463],{"nodeType":236,"value":3464,"marks":3465,"data":3466},"Second, the widespread legitimate use of device code flow — particularly among developers and technical users — normalizes the experience of entering device codes. A phishing lure asking them to do the same thing is indistinguishable from a legitimate IT request. And for non-technical users, this experience isn't much different to, for example, entering a code sent via email or authenticator app. ",[],{},{"nodeType":394,"data":3468,"content":3469},{},[3470],{"nodeType":236,"value":3471,"marks":3472,"data":3474},"Multiple apps are vulnerable, with different risk profiles",[3473],{"type":292},{},{"nodeType":237,"data":3476,"content":3477},{},[3478],{"nodeType":236,"value":3479,"marks":3480,"data":3481},"Various apps implement the device code flow, each with different levels of control and default security, but the risk is not uniform across platforms. ",[],{},{"nodeType":479,"data":3483,"content":3484},{},[3485,3500,3514],{"nodeType":483,"data":3486,"content":3487},{},[3488],{"nodeType":237,"data":3489,"content":3490},{},[3491,3496],{"nodeType":236,"value":3492,"marks":3493,"data":3495},"Google Workspace ",[3494],{"type":292},{},{"nodeType":236,"value":3497,"marks":3498,"data":3499},"is a significantly lower-risk target because Google explicitly limits which scopes are available to the device code flow — Gmail, Calendar, and most Workspace APIs are simply unavailable through this mechanism. 
",[],{},{"nodeType":483,"data":3501,"content":3502},{},[3503],{"nodeType":237,"data":3504,"content":3505},{},[3506,3510],{"nodeType":236,"value":1367,"marks":3507,"data":3509},[3508],{"type":292},{},{"nodeType":236,"value":3511,"marks":3512,"data":3513}," offers the broadest attack surface due to unrestricted scopes, reusable first-party client IDs, and the FOCI/PRT escalation paths. ",[],{},{"nodeType":483,"data":3515,"content":3516},{},[3517],{"nodeType":237,"data":3518,"content":3519},{},[3520,3524,3529],{"nodeType":236,"value":3521,"marks":3522,"data":3523},"Apps like ",[],{},{"nodeType":236,"value":3525,"marks":3526,"data":3528},"GitHub",[3527],{"type":292},{},{"nodeType":236,"value":3530,"marks":3531,"data":3532}," sit in between — broad scopes are available (including full repository access), but the attacker must control their own OAuth app and the victim sees an explicit consent screen. ",[],{},{"nodeType":359,"data":3534,"content":3538},{"target":3535},{"sys":3536},{"id":3537,"type":364,"linkType":365},"ejNSC76jge1p1zzz9wwiG",[],{"nodeType":339,"data":3540,"content":3541},{},[],{"nodeType":343,"data":3543,"content":3544},{},[3545],{"nodeType":236,"value":3546,"marks":3547,"data":3549},"Security recommendations",[3548],{"type":292},{},{"nodeType":237,"data":3551,"content":3552},{},[3553],{"nodeType":236,"value":3554,"marks":3555,"data":3556},"Security teams need to consider the risk posed by device code phishing across multiple apps where device code authorization grants are common, particularly for developers and technical users. ",[],{},{"nodeType":237,"data":3558,"content":3559},{},[3560],{"nodeType":236,"value":3561,"marks":3562,"data":3563},"In an ideal world, you would simply block device code logins. But this can’t be done without causing serious disruption in some environments, while some apps simply don’t provide the tools required to do so. For example, device code is the default CLI sign-in method for GitHub. 
Developer-heavy organizations are likely to encounter higher levels of legitimate use.",[],{},{"nodeType":237,"data":3565,"content":3566},{},[3567,3571,3580,3584,3589,3593,3598,3602,3607,3611],{"nodeType":236,"value":3568,"marks":3569,"data":3570},"Microsoft arguably offers the strongest control options (other than Google, who negate it right out of the gate), though they do require a fair amount of work. ",[],{},{"nodeType":274,"data":3572,"content":3574},{"uri":3573},"https://techcommunity.microsoft.com/blog/microsoft-entra-blog/new-microsoft-managed-policies-to-raise-your-identity-security-posture/4286758",[3575],{"nodeType":236,"value":3576,"marks":3577,"data":3579},"Microsoft now explicitly recommends",[3578],{"type":282},{},{"nodeType":236,"value":3581,"marks":3582,"data":3583}," blocking device code flow for tenants that haven't used it in the past 25 days. Their guidance is to create a custom CA policy: target relevant users, set the ",[],{},{"nodeType":236,"value":3585,"marks":3586,"data":3588},"Authentication Flows",[3587],{"type":292},{},{"nodeType":236,"value":3590,"marks":3591,"data":3592}," condition to block ",[],{},{"nodeType":236,"value":3594,"marks":3595,"data":3597},"Device Code Flow",[3596],{"type":292},{},{"nodeType":236,"value":3599,"marks":3600,"data":3601},", and set the grant control to ",[],{},{"nodeType":236,"value":3603,"marks":3604,"data":3606},"Block Access",[3605],{"type":292},{},{"nodeType":236,"value":3608,"marks":3609,"data":3610},". Deploy in report-only mode first to identify any legitimate device code usage, ",[],{},{"nodeType":236,"value":3612,"marks":3613,"data":3614},"then enforce with narrow exceptions.",[],{},{"nodeType":359,"data":3616,"content":3620},{"target":3617},{"sys":3618},{"id":3619,"type":364,"linkType":365},"mQIj2o9xRzkZYKNmanB25",[],{"nodeType":237,"data":3622,"content":3623},{},[3624],{"nodeType":236,"value":3625,"marks":3626,"data":3627},"For other apps, you’re mainly limited to monitoring and response. 
Ensuring you’re getting authentication logs for these apps is vital, as is searching for unusual access patterns (e.g. unusual login protocols, or different IPs for the authorization grant and subsequent account activity). ",[],{},{"nodeType":339,"data":3629,"content":3630},{},[],{"nodeType":343,"data":3632,"content":3633},{},[3634],{"nodeType":236,"value":3635,"marks":3636,"data":3638},"How Push Security can help",[3637],{"type":292},{},{"nodeType":237,"data":3640,"content":3641},{},[3642],{"nodeType":236,"value":3643,"marks":3644,"data":3645},"Push customers can use our browser-based capabilities to overcome the limitations of app-level controls and detect, intercept, and shut down attacks in real time. ",[],{},{"nodeType":237,"data":3647,"content":3648},{},[3649],{"nodeType":236,"value":3650,"marks":3651,"data":3652},"Our research team is already tracking multiple device code phishing campaigns and toolkits, including the EvilTokens kit. Blocking controls are already in place to prevent customers from interacting with malicious pages that match our detections for these new toolkits, ensuring that these pages can be identified and blocked in real time regardless of the infrastructure. ",[],{},{"nodeType":237,"data":3654,"content":3655},{},[3656,3660,3669],{"nodeType":236,"value":3657,"marks":3658,"data":3659},"Using Push you can also ",[],{},{"nodeType":274,"data":3661,"content":3663},{"uri":3662},"https://pushsecurity.com/help/can-i-use-push-to-help-protect-against-device-code-phishing-scenarios/",[3664],{"nodeType":236,"value":3665,"marks":3666,"data":3668},"configure in-browser warnings",[3667],{"type":282},{},{"nodeType":236,"value":3670,"marks":3671,"data":3672}," whenever a user accesses a URL used for device code logins. This provides universal, last-mile protection against even ‘zero-day’ device code phishing attacks using previously unidentified toolkits.  
",[],{},{"nodeType":359,"data":3674,"content":3678},{"target":3675},{"sys":3676},{"id":3677,"type":364,"linkType":365},"3JsbGaOKSS3INzBUJpoh1W",[],{"nodeType":237,"data":3680,"content":3681},{},[3682],{"nodeType":236,"value":3683,"marks":3684,"data":3685},"When a user visits those URLs, Push will also emit a webhook event that the banner was shown and acknowledged. If a user opts to proceed, you can treat this as a high-fidelity alert for your security team to investigate, providing app-agnostic telemetry that may not already be provided in your logs from that particular vendor. You can also simply use Push to block users from accessing device login pages if you’re confident that disruption won’t be caused. ",[],{},{"nodeType":394,"data":3687,"content":3688},{},[3689],{"nodeType":236,"value":3690,"marks":3691,"data":3693},"Learn more about Push",[3692],{"type":292},{},{"nodeType":237,"data":3695,"content":3696},{},[3697],{"nodeType":236,"value":3698,"marks":3699,"data":3700},"Push Security's browser-based security platform detects and blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. 
You don't need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":237,"data":3702,"content":3703},{},[3704,3707,3714,3717,3724,3727,3734],{"nodeType":236,"value":931,"marks":3705,"data":3706},[],{},{"nodeType":274,"data":3708,"content":3709},{"uri":936},[3710],{"nodeType":236,"value":939,"marks":3711,"data":3713},[3712],{"type":282},{},{"nodeType":236,"value":943,"marks":3715,"data":3716},[],{},{"nodeType":274,"data":3718,"content":3719},{"uri":948},[3720],{"nodeType":236,"value":951,"marks":3721,"data":3723},[3722],{"type":282},{},{"nodeType":236,"value":956,"marks":3725,"data":3726},[],{},{"nodeType":274,"data":3728,"content":3729},{"uri":961},[3730],{"nodeType":236,"value":964,"marks":3731,"data":3733},[3732],{"type":282},{},{"nodeType":236,"value":968,"marks":3735,"data":3736},[],{},"Device code phishing attacks have skyrocketed: here’s what you need to know","Device code phishing is seeing a huge spike in adoption in 2026, enabling attackers to steal access tokens while bypassing standard access controls.","2026-04-04T00:00:00.000Z","device-code-phishing",{"items":3742},[3743,3745],{"sys":3744,"name":249},{"id":248},{"sys":3746,"name":253},{"id":252},{"items":3748},[3749],{"fullName":3750,"firstName":3751,"jobTitle":3752,"profilePicture":3753},"Luke Jennings","Luke","Vice President, 
R&D",{"url":3754},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"__typename":1141,"sys":3756,"content":3758,"title":4707,"synopsis":4708,"hashTags":61,"publishedDate":4709,"slug":4710,"tagsCollection":4711,"authorsCollection":4717},{"id":3757},"2sFCww9xnI8okIxhtOaiY1",{"json":3759},{"nodeType":238,"data":3760,"content":3761},{},[3762,3769,3776,3783,3786,3794,3801,3808,3814,3821,3827,3846,3853,3865,3868,3876,3883,3899,3906,3918,3924,3927,3935,3943,3949,3958,3978,3987,3994,4003,4022,4031,4038,4047,4080,4089,4096,4105,4123,4129,4138,4145,4154,4196,4199,4207,4216,4236,4245,4252,4261,4294,4300,4309,4316,4322,4325,4333,4342,4349,4408,4414,4417,4425,4434,4441,4447,4450,4458,4465,4472,4541,4548,4611,4618,4621,4629,4636,4643,4649,4652,4659,4666,4673,4680],{"nodeType":237,"data":3763,"content":3764},{},[3765],{"nodeType":236,"value":3766,"marks":3767,"data":3768},"The biggest cybersecurity story this year (so far) has been the emergence of “Scattered Lapsus$ Hunters” and their record-breaking worldwide hacking spree. ",[],{},{"nodeType":237,"data":3770,"content":3771},{},[3772],{"nodeType":236,"value":3773,"marks":3774,"data":3775},"Scattered Lapsus$ Hunters is part of “The Com”, the name for the broad community of English-speaking cybercriminals with international criminal connections — including with nation-state sponsored groups. They are also known to collaborate with a range of cybercrime “as-a-Service” organizations for phishing, initial access, ransomware, and more. ",[],{},{"nodeType":237,"data":3777,"content":3778},{},[3779],{"nodeType":236,"value":3780,"marks":3781,"data":3782},"It’s difficult to pin down exactly who the individuals are that make up this criminal collective. But what is known is their MO — making money through extortion by means of account takeover, mass data theft, and ransomware deployment. 
",[],{},{"nodeType":339,"data":3784,"content":3785},{},[],{"nodeType":343,"data":3787,"content":3788},{},[3789],{"nodeType":236,"value":3790,"marks":3791,"data":3793},"How did we get here? ",[3792],{"type":292},{},{"nodeType":237,"data":3795,"content":3796},{},[3797],{"nodeType":236,"value":3798,"marks":3799,"data":3800},"Earlier this year, the threat group known to most analysts as Scattered Spider (also tracked as 0ktapus, Octo Tempest, Scatter Swine, Muddled Libra, and UNC3944) re-emerged after a series of arrests in late 2024. ",[],{},{"nodeType":237,"data":3802,"content":3803},{},[3804],{"nodeType":236,"value":3805,"marks":3806,"data":3807},"This group has been active in peaks and troughs over the years, but are mainly known for high-profile ransomware attacks on Caesars and MGM Resorts in 2024. ",[],{},{"nodeType":359,"data":3809,"content":3813},{"target":3810},{"sys":3811},{"id":3812,"type":364,"linkType":365},"1Vt269d7n6IGMzOrJs1FDx",[],{"nodeType":237,"data":3815,"content":3816},{},[3817],{"nodeType":236,"value":3818,"marks":3819,"data":3820},"Scattered Spider hit the headlines again in April 2025 with attacks on UK retailers Marks & Spencer and Co-op, which resulted in significant, prolonged disruption, and a serious downstream impact on the retail supply chain. ",[],{},{"nodeType":359,"data":3822,"content":3826},{"target":3823},{"sys":3824},{"id":3825,"type":364,"linkType":365},"3kvcGV2zZZUPnM8IK04Y1O",[],{"nodeType":237,"data":3828,"content":3829},{},[3830,3834,3842],{"nodeType":236,"value":3831,"marks":3832,"data":3833},"It didn’t stop there, though. 
What followed was a wide-scale campaign targeting Salesforce customers, with the attackers claiming to have stolen ",[],{},{"nodeType":274,"data":3835,"content":3836},{"uri":617},[3837],{"nodeType":236,"value":3838,"marks":3839,"data":3841},"over 1.5 billion records from 1000+ companies",[3840],{"type":282},{},{"nodeType":236,"value":3843,"marks":3844,"data":3845}," across multiple verticals, including heavyweights like Google, Cloudflare, Workday, Adidas, FedEx, Disney, LVMH, and many more.",[],{},{"nodeType":237,"data":3847,"content":3848},{},[3849],{"nodeType":236,"value":3850,"marks":3851,"data":3852},"Around this time, the attackers began to refer to themselves as part of a wider collective, assuming the moniker “Scattered Lapsus$ Hunters” (a mash-up of names given by analysts and self-adopted by attackers — Scattered Spider, ShinyHunters, and Lapsus$).",[],{},{"nodeType":237,"data":3854,"content":3855},{},[3856,3860],{"nodeType":236,"value":3857,"marks":3858,"data":3859},"The most significant breach this year to-date impacted Jaguar Land Rover. A ransomware attack resulted in months of disruption that directly impacted the UK’s GDP, with the government underwriting a $1.5B loan to alleviate the supply chain impact. ",[],{},{"nodeType":236,"value":3861,"marks":3862,"data":3864},"In fact, this was the most economically consequential cyber attack yet recorded in a G7 economy. ",[3863],{"type":292},{},{"nodeType":339,"data":3866,"content":3867},{},[],{"nodeType":343,"data":3869,"content":3870},{},[3871],{"nodeType":236,"value":3872,"marks":3873,"data":3875},"2025 wasn’t a one-off",[3874],{"type":292},{},{"nodeType":237,"data":3877,"content":3878},{},[3879],{"nodeType":236,"value":3880,"marks":3881,"data":3882},"The developments through 2025 have presented a stronger picture than ever before that cybercriminal operations are heavily interlinked. Groups overlap considerably, and individuals freely move between different cells. 
",[],{},{"nodeType":237,"data":3884,"content":3885},{},[3886,3890,3895],{"nodeType":236,"value":3887,"marks":3888,"data":3889},"When we scratch beneath the surface, this is evident in the tactics, techniques and procedures (TTPs) used by these attackers — even stretching as far back as 2021 with the initial rise of Lapsus$. This is not an accident. ",[],{},{"nodeType":236,"value":3891,"marks":3892,"data":3894},"The TTPs used show a conscious move by attackers to move away from environments that are well-protected by traditional security tools. ",[3893],{"type":292},{},{"nodeType":236,"value":3896,"marks":3897,"data":3898},"This means avoiding targeting endpoints with malware, and not relying on software-based exploits. Instead, these attackers look to take over apps and services directly over the internet. ",[],{},{"nodeType":237,"data":3900,"content":3901},{},[3902],{"nodeType":236,"value":3903,"marks":3904,"data":3905},"Most of the time, this is as simple as logging in to a SaaS app, or an enterprise SSO account (e.g. Microsoft, Okta, or Google) and dumping the data. For attackers that want to take it further, they can abuse the sprawl of interconnected apps that make up modern business IT, seeking out specific data or exploitable functionality. Or, they can leverage internet-accessible management portals to chart a path back to your on-premise assets, giving them everything they need to pivot toward more conventional methods such as ransomware deployment. ",[],{},{"nodeType":237,"data":3907,"content":3908},{},[3909,3913],{"nodeType":236,"value":3910,"marks":3911,"data":3912},"When we look at historical breaches, the pattern is clear. ",[],{},{"nodeType":236,"value":3914,"marks":3915,"data":3917},"Not one of the attacks attributed to Scattered Lapsus$ Hunters, or its predecessors, started with an endpoint or network attack — they all began with account takeover. 
",[3916],{"type":292},{},{"nodeType":359,"data":3919,"content":3923},{"target":3920},{"sys":3921},{"id":3922,"type":364,"linkType":365},"6poP5VM2ARrEvwKEG42HgK",[],{"nodeType":339,"data":3925,"content":3926},{},[],{"nodeType":343,"data":3928,"content":3929},{},[3930],{"nodeType":236,"value":3931,"marks":3932,"data":3934},"TTP breakdown: Analyzing the top “Scattered Lapsus$ Hunters” breaches since 2021",[3933],{"type":292},{},{"nodeType":394,"data":3936,"content":3937},{},[3938],{"nodeType":236,"value":3939,"marks":3940,"data":3942},"Phishing and stolen credentials",[3941],{"type":292},{},{"nodeType":359,"data":3944,"content":3948},{"target":3945},{"sys":3946},{"id":3947,"type":364,"linkType":365},"4SNOanDIdGZsvRRnMYQVSo",[],{"nodeType":237,"data":3950,"content":3951},{},[3952],{"nodeType":236,"value":3953,"marks":3954,"data":3957},"EA Games (2021)",[3955,3956],{"type":292},{"type":282},{},{"nodeType":237,"data":3959,"content":3960},{},[3961,3965,3974],{"nodeType":236,"value":3962,"marks":3963,"data":3964},"Attackers used stolen session cookies to log into EA’s Slack instance, purchased on a criminal forum. Combined with ",[],{},{"nodeType":274,"data":3966,"content":3968},{"uri":3967},"https://pushsecurity.com/blog/phishing-slack-persistence/",[3969],{"nodeType":236,"value":3970,"marks":3971,"data":3973},"social engineering via Slack",[3972],{"type":282},{},{"nodeType":236,"value":3975,"marks":3976,"data":3977},", this was used to steal 750GB of data, including video game source code. 
",[],{},{"nodeType":237,"data":3979,"content":3980},{},[3981],{"nodeType":236,"value":3982,"marks":3983,"data":3986},"Nvidia (2022)",[3984,3985],{"type":292},{"type":282},{},{"nodeType":237,"data":3988,"content":3989},{},[3990],{"nodeType":236,"value":3991,"marks":3992,"data":3993},"Attackers used stolen credentials to steal 1TB of data from Nvidia’s internal shares, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code, and the usernames and passwords of more than 71,000 Nvidia employees.",[],{},{"nodeType":237,"data":3995,"content":3996},{},[3997],{"nodeType":236,"value":3998,"marks":3999,"data":4002},"Microsoft (2022)",[4000,4001],{"type":292},{"type":282},{},{"nodeType":237,"data":4004,"content":4005},{},[4006,4010,4018],{"nodeType":236,"value":4007,"marks":4008,"data":4009},"Attackers used stolen credentials combined with SIM swapping and ",[],{},{"nodeType":274,"data":4011,"content":4013},{"uri":4012},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_fatigue/description.md",[4014],{"nodeType":236,"value":4015,"marks":4016,"data":4017},"MFA fatigue",[],{},{"nodeType":236,"value":4019,"marks":4020,"data":4021}," attacks to steal Azure DevOps source code — leaked a 9GB archive of Microsoft source code – including ~90% of Bing and 45% of Cortana code. ",[],{},{"nodeType":237,"data":4023,"content":4024},{},[4025],{"nodeType":236,"value":4026,"marks":4027,"data":4030},"T-Mobile (2022)",[4028,4029],{"type":292},{"type":282},{},{"nodeType":237,"data":4032,"content":4033},{},[4034],{"nodeType":236,"value":4035,"marks":4036,"data":4037},"Attackers used stolen credentials to establish initial access, coupled with social engineering T-Mobile staff into approving the attacker’s device for VPN access. This resulted in source code being stolen from over 30,000 repositories. 
",[],{},{"nodeType":237,"data":4039,"content":4040},{},[4041],{"nodeType":236,"value":4042,"marks":4043,"data":4046},"Snowflake (165 customers) (2024)",[4044,4045],{"type":292},{"type":282},{},{"nodeType":237,"data":4048,"content":4049},{},[4050,4054,4063,4067,4076],{"nodeType":236,"value":4051,"marks":4052,"data":4053},"Attackers targeted ",[],{},{"nodeType":274,"data":4055,"content":4057},{"uri":4056},"https://pushsecurity.com/blog/snowflake-retro/",[4058],{"nodeType":236,"value":4059,"marks":4060,"data":4062},"165 Snowflake customers",[4061],{"type":282},{},{"nodeType":236,"value":4064,"marks":4065,"data":4066}," using stolen credentials from credential breaches dating back as far as 2020. Due to widespread MFA gaps and the presence of ",[],{},{"nodeType":274,"data":4068,"content":4070},{"uri":4069},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[4071],{"nodeType":236,"value":4072,"marks":4073,"data":4075},"ghost logins",[4074],{"type":282},{},{"nodeType":236,"value":4077,"marks":4078,"data":4079},", attackers were able to simply log in to individual customer tenants, dump the data, and use it to extort the companies. In total, 9 public victims were named following the breach, with over 1B breached customer records. ",[],{},{"nodeType":237,"data":4081,"content":4082},{},[4083],{"nodeType":236,"value":4084,"marks":4085,"data":4088},"PowerSchool (2024)",[4086,4087],{"type":292},{"type":282},{},{"nodeType":237,"data":4090,"content":4091},{},[4092],{"nodeType":236,"value":4093,"marks":4094,"data":4095},"Attackers gained access to a community-focused customer support portal, PowerSource, using compromised credentials and stole data using an \"export data manager\" customer support tool, stealing the data of 62.4 million students and 9.5 million teachers. 
PowerSchool paid an undisclosed ransom fee, but hackers returned later to extort schools and individuals separately anyway.",[],{},{"nodeType":237,"data":4097,"content":4098},{},[4099],{"nodeType":236,"value":4100,"marks":4101,"data":4104},"Red Hat (2025)",[4102,4103],{"type":292},{"type":282},{},{"nodeType":237,"data":4106,"content":4107},{},[4108,4112,4119],{"nodeType":236,"value":4109,"marks":4110,"data":4111},"Attackers breached Red Hat’s GitLab instance via a compromised account — the result of ",[],{},{"nodeType":274,"data":4113,"content":4114},{"uri":4069},[4115],{"nodeType":236,"value":4072,"marks":4116,"data":4118},[4117],{"type":282},{},{"nodeType":236,"value":4120,"marks":4121,"data":4122}," providing a backdoor to access an otherwise secure, SSO-connected account. Stolen data included approximately 800 Customer Engagement Reports (CERs), authentication tokens, full database URIs, and other private information in Red Hat code and CERs, which the attackers claimed to use to gain access to downstream customer infrastructure. ",[],{},{"nodeType":359,"data":4124,"content":4128},{"target":4125},{"sys":4126},{"id":4127,"type":364,"linkType":365},"G1V7d5Dvevmr9p0YXElPX",[],{"nodeType":237,"data":4130,"content":4131},{},[4132],{"nodeType":236,"value":4133,"marks":4134,"data":4137},"Discord (2025)",[4135,4136],{"type":292},{"type":282},{},{"nodeType":237,"data":4139,"content":4140},{},[4141],{"nodeType":236,"value":4142,"marks":4143,"data":4144},"Attackers compromised a Zendesk customer support account, stealing 1.6TB of data. The hackers say this consisted of roughly 8.4 million tickets affecting 5.5 million unique users, and that the data for about 580,000 users contained payment information.",[],{},{"nodeType":237,"data":4146,"content":4147},{},[4148],{"nodeType":236,"value":4149,"marks":4150,"data":4153},"SoundCloud, MatchGroup, Crunchbase, Betterment... 
(2026)",[4151,4152],{"type":292},{"type":282},{},{"nodeType":237,"data":4155,"content":4156},{},[4157,4161,4169,4172,4180,4184,4192],{"nodeType":236,"value":4158,"marks":4159,"data":4160},"Scattered Lapsus$ Hunters have already claimed several public victims in 2026, with over 60 million breached records. ",[],{},{"nodeType":274,"data":4162,"content":4164},{"uri":4163},"https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/",[4165],{"nodeType":236,"value":4166,"marks":4167,"data":4168},"SoundCloud, Betterment, Crunchbase",[],{},{"nodeType":236,"value":1300,"marks":4170,"data":4171},[],{},{"nodeType":274,"data":4173,"content":4175},{"uri":4174},"https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/",[4176],{"nodeType":236,"value":4177,"marks":4178,"data":4179},"MatchGroup",[],{},{"nodeType":236,"value":4181,"marks":4182,"data":4183}," have all reported breaches this month, powered by a brand ",[],{},{"nodeType":274,"data":4185,"content":4187},{"uri":4186},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[4188],{"nodeType":236,"value":4189,"marks":4190,"data":4191},"new real-time-operated AiTM phishing kit",[],{},{"nodeType":236,"value":4193,"marks":4194,"data":4195}," targeting Okta, Entra, and Google SSO accounts. 
This is a developing situation, with more victims expected to be announced publicly soon.",[],{},{"nodeType":339,"data":4197,"content":4198},{},[],{"nodeType":394,"data":4200,"content":4201},{},[4202],{"nodeType":236,"value":4203,"marks":4204,"data":4206},"Vishing and help desk scams",[4205],{"type":292},{},{"nodeType":237,"data":4208,"content":4209},{},[4210],{"nodeType":236,"value":4211,"marks":4212,"data":4215},"MGM Resorts & Caesars (2023)",[4213,4214],{"type":292},{"type":282},{},{"nodeType":237,"data":4217,"content":4218},{},[4219,4223,4232],{"nodeType":236,"value":4220,"marks":4221,"data":4222},"MGM Resorts and Caesars were hit with twin breaches in 2023. Attackers socially engineered help desk personnel to take over accounts with Super Administrator privileges within MGM Resorts’ Okta tenant, which they then used to register a second, attacker-controlled IdP via ",[],{},{"nodeType":274,"data":4224,"content":4226},{"uri":4225},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/inbound_federation/description.md",[4227],{"nodeType":236,"value":4228,"marks":4229,"data":4231},"inbound federation",[4230],{"type":282},{},{"nodeType":236,"value":4233,"marks":4234,"data":4235}," — granting comprehensive access that was used to deploy ransomware. 
",[],{},{"nodeType":237,"data":4237,"content":4238},{},[4239],{"nodeType":236,"value":4240,"marks":4241,"data":4244},"Transport for London (2024)",[4242,4243],{"type":292},{"type":282},{},{"nodeType":237,"data":4246,"content":4247},{},[4248],{"nodeType":236,"value":4249,"marks":4250,"data":4251},"Attackers socially engineered the Transport for London help desk to gain privileged access to the IT environment, resulting in prolonged disruption to key online services underpinning London’s public transport network, theft of 5,000 users bank details, and all 30,000 staff members having to reset their online credentials in person.",[],{},{"nodeType":237,"data":4253,"content":4254},{},[4255],{"nodeType":236,"value":4256,"marks":4257,"data":4260},"Marks & Spencer (2025)",[4258,4259],{"type":292},{"type":282},{},{"nodeType":237,"data":4262,"content":4263},{},[4264,4268,4277,4281,4290],{"nodeType":236,"value":4265,"marks":4266,"data":4267},"Attackers compromised a Microsoft Entra account belonging to a privileged user via a ",[],{},{"nodeType":274,"data":4269,"content":4271},{"uri":4270},"https://pushsecurity.com/blog/scattered-spider-defending-against-help-desk-scams/",[4272],{"nodeType":236,"value":4273,"marks":4274,"data":4276},"help desk scam",[4275],{"type":282},{},{"nodeType":236,"value":4278,"marks":4279,"data":4280},", which enabled them to steal sensitive data from cloud environments, as well as pivot to deploy ransomware via the ",[],{},{"nodeType":274,"data":4282,"content":4284},{"uri":4283},"https://cloud.google.com/blog/topics/threat-intelligence/vsphere-active-directory-integration-risks",[4285],{"nodeType":236,"value":4286,"marks":4287,"data":4289},"VMware admin console",[4288],{"type":282},{},{"nodeType":236,"value":4291,"marks":4292,"data":4293},". This enabled ransomware to be deployed at the hypervisor layer, evading host-based protections like EDR. 
",[],{},{"nodeType":359,"data":4295,"content":4299},{"target":4296},{"sys":4297},{"id":4298,"type":364,"linkType":365},"7hBdHG74NaA3bQfOMpYA9o",[],{"nodeType":237,"data":4301,"content":4302},{},[4303],{"nodeType":236,"value":4304,"marks":4305,"data":4308},"Jaguar Land Rover (2025)",[4306,4307],{"type":292},{"type":282},{},{"nodeType":237,"data":4310,"content":4311},{},[4312],{"nodeType":236,"value":4313,"marks":4314,"data":4315},"Attackers compromised highly privileged admin accounts via a help desk scam, which they leveraged to access and deploy ransomware to all aspects of Jaguar’s business, from CAD and engineering software, to payments tracking, to customer car delivery, using similar techniques to the Marks & Spencer breach. ",[],{},{"nodeType":359,"data":4317,"content":4321},{"target":4318},{"sys":4319},{"id":4320,"type":364,"linkType":365},"6s1X2fo4K9EeVLBmHm4YXb",[],{"nodeType":339,"data":4323,"content":4324},{},[],{"nodeType":394,"data":4326,"content":4327},{},[4328],{"nodeType":236,"value":4329,"marks":4330,"data":4332},"Malicious OAuth integrations",[4331],{"type":292},{},{"nodeType":237,"data":4334,"content":4335},{},[4336],{"nodeType":236,"value":4337,"marks":4338,"data":4341},"Salesforce & Salesloft (1000+ customers) (2025)",[4339,4340],{"type":292},{"type":282},{},{"nodeType":237,"data":4343,"content":4344},{},[4345],{"nodeType":236,"value":4346,"marks":4347,"data":4348},"A vast campaign against Salesforce customers resulted in the compromise of 1000+ Salesforce tenants (according to the attacker) with more than 1.5 billion records stolen. 
This campaign consisted of three phases:",[],{},{"nodeType":479,"data":4350,"content":4351},{},[4352,4367,4382],{"nodeType":483,"data":4353,"content":4354},{},[4355],{"nodeType":237,"data":4356,"content":4357},{},[4358,4363],{"nodeType":236,"value":4359,"marks":4360,"data":4362},"Phase 1:",[4361],{"type":292},{},{"nodeType":236,"value":4364,"marks":4365,"data":4366}," The attacker conducted a large-scale vishing campaign against Salesforce customers, calling up users and socially engineering them into connecting a malicious version of the “Data Loader” app into their tenant. This was in fact an attacker-controlled app that enabled data to be mass-exfiltrated via API. ",[],{},{"nodeType":483,"data":4368,"content":4369},{},[4370],{"nodeType":237,"data":4371,"content":4372},{},[4373,4378],{"nodeType":236,"value":4374,"marks":4375,"data":4377},"Phase 2: ",[4376],{"type":292},{},{"nodeType":236,"value":4379,"marks":4380,"data":4381},"The attacker conducted a supply-chain compromise against customers of Salesloft. Users of Salesloft’s “Drift” integration were impacted by attackers stealing access tokens from Salesloft’s AWS environment. This integration allowed the attacker to steal data from customers that had deployed Drift to connected environments — namely, Salesforce, and Google Workspace. 
",[],{},{"nodeType":483,"data":4383,"content":4384},{},[4385],{"nodeType":237,"data":4386,"content":4387},{},[4388,4393,4397,4404],{"nodeType":236,"value":4389,"marks":4390,"data":4392},"Phase 3:",[4391],{"type":292},{},{"nodeType":236,"value":4394,"marks":4395,"data":4396}," The attacker then conducted a separate supply-chain compromise involving Gainsight (allegedly using OAuth tokens stolen in the Salesloft attack) which enabled them to ",[],{},{"nodeType":274,"data":4398,"content":4399},{"uri":630},[4400],{"nodeType":236,"value":4401,"marks":4402,"data":4403},"breach a further 285 Salesforce instances",[],{},{"nodeType":236,"value":4405,"marks":4406,"data":4407}," using stolen OAuth tokens from Gainsight's integrations. ",[],{},{"nodeType":359,"data":4409,"content":4413},{"target":4410},{"sys":4411},{"id":4412,"type":364,"linkType":365},"3TwjpVKQ42SwQRhvGFbZdn",[],{"nodeType":339,"data":4415,"content":4416},{},[],{"nodeType":394,"data":4418,"content":4419},{},[4420],{"nodeType":236,"value":4421,"marks":4422,"data":4424},"Malicious browser extensions",[4423],{"type":292},{},{"nodeType":237,"data":4426,"content":4427},{},[4428],{"nodeType":236,"value":4429,"marks":4430,"data":4433},"CyberHaven (2024)",[4431,4432],{"type":292},{"type":282},{},{"nodeType":237,"data":4435,"content":4436},{},[4437],{"nodeType":236,"value":4438,"marks":4439,"data":4440},"Hackers phished a CyberHaven extension developer and uploaded a malicious version of the CyberHaven extension to the Chrome Web Store, leading to customer data breaches where installed in user browsers, impacting CyberHaven’s estimated ~400 business customers. 
This was part of a broader campaign that targeted 35 Chrome extensions, collectively impacting over 2.5 million users.",[],{},{"nodeType":359,"data":4442,"content":4446},{"target":4443},{"sys":4444},{"id":4445,"type":364,"linkType":365},"4ErDI0xi0Vj2Zrk8Qsb2NB",[],{"nodeType":339,"data":4448,"content":4449},{},[],{"nodeType":343,"data":4451,"content":4452},{},[4453],{"nodeType":236,"value":4454,"marks":4455,"data":4457},"The bigger picture",[4456],{"type":292},{},{"nodeType":237,"data":4459,"content":4460},{},[4461],{"nodeType":236,"value":4462,"marks":4463,"data":4464},"Scattered Lapsus$ Hunters are dominating the headlines right now, but they aren’t the only attackers using these modern techniques and consciously evading established security controls. ",[],{},{"nodeType":237,"data":4466,"content":4467},{},[4468],{"nodeType":236,"value":4469,"marks":4470,"data":4471},"Threat reports agree that attackers are steering away from traditional exploit and malware-driven breaches towards identities:",[],{},{"nodeType":479,"data":4473,"content":4474},{},[4475,4497,4519],{"nodeType":483,"data":4476,"content":4477},{},[4478],{"nodeType":237,"data":4479,"content":4480},{},[4481,4485,4493],{"nodeType":236,"value":4482,"marks":4483,"data":4484},"Identity-based attacks surged 32% in the last year, while 97% of identity attacks are password-based, driven by credential leaks and infostealer malware. 
(",[],{},{"nodeType":274,"data":4486,"content":4488},{"uri":4487},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[4489],{"nodeType":236,"value":1367,"marks":4490,"data":4492},[4491],{"type":282},{},{"nodeType":236,"value":4494,"marks":4495,"data":4496},")",[],{},{"nodeType":483,"data":4498,"content":4499},{},[4500],{"nodeType":237,"data":4501,"content":4502},{},[4503,4507,4516],{"nodeType":236,"value":4504,"marks":4505,"data":4506},"79% of detections were malware-free in the last year, up from 40% in 2019. (",[],{},{"nodeType":274,"data":4508,"content":4510},{"uri":4509},"https://www.crowdstrike.com/en-gb/global-threat-report/",[4511],{"nodeType":236,"value":4512,"marks":4513,"data":4515},"CrowdStrike",[4514],{"type":282},{},{"nodeType":236,"value":4494,"marks":4517,"data":4518},[],{},{"nodeType":483,"data":4520,"content":4521},{},[4522],{"nodeType":237,"data":4523,"content":4524},{},[4525,4529,4538],{"nodeType":236,"value":4526,"marks":4527,"data":4528},"Credential abuse and phishing combined accounted for 38% of breaches, making identity the primary breach vector observed. 
(",[],{},{"nodeType":274,"data":4530,"content":4532},{"uri":4531},"https://www.verizon.com/business/resources/reports/dbir/",[4533],{"nodeType":236,"value":4534,"marks":4535,"data":4537},"Verizon",[4536],{"type":282},{},{"nodeType":236,"value":4494,"marks":4539,"data":4540},[],{},{"nodeType":237,"data":4542,"content":4543},{},[4544],{"nodeType":236,"value":4545,"marks":4546,"data":4547},"And other public breaches from this year alone demonstrate similar TTPs from outside of the Scattered Lapsus$ Hunters orbit:",[],{},{"nodeType":479,"data":4549,"content":4550},{},[4551,4566,4581,4596],{"nodeType":483,"data":4552,"content":4553},{},[4554],{"nodeType":237,"data":4555,"content":4556},{},[4557,4562],{"nodeType":236,"value":4558,"marks":4559,"data":4561},"Nikkei",[4560],{"type":292},{},{"nodeType":236,"value":4563,"marks":4564,"data":4565},": Japanese publishing giant Nikkei’s Slack messaging platform was compromised using stolen credentials, leaking the names, email addresses, and chat histories for 17,368 individuals registered on Slack.",[],{},{"nodeType":483,"data":4567,"content":4568},{},[4569],{"nodeType":237,"data":4570,"content":4571},{},[4572,4577],{"nodeType":236,"value":4573,"marks":4574,"data":4576},"Evertec",[4575],{"type":292},{},{"nodeType":236,"value":4578,"marks":4579,"data":4580},": Hackers tried to steal $130 million from Evertec’s Brazilian subsidiary Sinqia S.A. after gaining unauthorized access to its environment on the central bank’s real-time payment system (Pix) using stolen credentials.",[],{},{"nodeType":483,"data":4582,"content":4583},{},[4584],{"nodeType":237,"data":4585,"content":4586},{},[4587,4592],{"nodeType":236,"value":4588,"marks":4589,"data":4591},"Hy-Vee:",[4590],{"type":292},{},{"nodeType":236,"value":4593,"marks":4594,"data":4595}," Was hit with a data breach after hackers logged in with stolen credentials, exposing 53GB of sensitive 
data.",[],{},{"nodeType":483,"data":4597,"content":4598},{},[4599],{"nodeType":237,"data":4600,"content":4601},{},[4602,4607],{"nodeType":236,"value":4603,"marks":4604,"data":4606},"Scania: ",[4605],{"type":292},{},{"nodeType":236,"value":4608,"marks":4609,"data":4610},"Automotive giant Scania confirmed it suffered a cybersecurity incident where threat actors used compromised credentials to breach its Financial Services systems and steal insurance claim documents.",[],{},{"nodeType":237,"data":4612,"content":4613},{},[4614],{"nodeType":236,"value":4615,"marks":4616,"data":4617},"Scattered Lapsus$ Hunters may be grabbing the headlines — but this is a huge movement in a vast and flexible community of attackers. And criminals around the world are learning from their success. ",[],{},{"nodeType":339,"data":4619,"content":4620},{},[],{"nodeType":343,"data":4622,"content":4623},{},[4624],{"nodeType":236,"value":4625,"marks":4626,"data":4628},"Lessons learned",[4627],{"type":292},{},{"nodeType":237,"data":4630,"content":4631},{},[4632],{"nodeType":236,"value":4633,"marks":4634,"data":4635},"The common thread with all of these attacks is that they are evading established security controls by targeting applications directly, over the internet, via account takeover.",[],{},{"nodeType":237,"data":4637,"content":4638},{},[4639],{"nodeType":236,"value":4640,"marks":4641,"data":4642},"Clearly, the success of these attacks shows the limitations of multiple control layers. Endpoint and network layer controls have no visibility of this attack surface. Identity-focused controls are being undermined by ghost logins and shadow IT. And cloud security controls are limited in their ability to encompass all apps, and to detect and stop malicious actions in real time (actions that often blend in seamlessly with normal user activity). 
",[],{},{"nodeType":359,"data":4644,"content":4648},{"target":4645},{"sys":4646},{"id":4647,"type":364,"linkType":365},"4Dg3fZEGf7ShyQJ8jlNDME",[],{"nodeType":339,"data":4650,"content":4651},{},[],{"nodeType":343,"data":4653,"content":4654},{},[4655],{"nodeType":236,"value":827,"marks":4656,"data":4658},[4657],{"type":292},{},{"nodeType":237,"data":4660,"content":4661},{},[4662],{"nodeType":236,"value":4663,"marks":4664,"data":4665},"Stopping attacks that are designed to evade established controls is in our DNA — it’s the reason Push was founded. ",[],{},{"nodeType":237,"data":4667,"content":4668},{},[4669],{"nodeType":236,"value":4670,"marks":4671,"data":4672},"The browser is the gateway to the apps and identities that attackers are now targeting, with many attacks taking place inside the user’s browser — whether that’s entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA. ",[],{},{"nodeType":237,"data":4674,"content":4675},{},[4676],{"nodeType":236,"value":4677,"marks":4678,"data":4679},"Push’s browser-based security platform provides comprehensive detection and response capabilities against attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. 
You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":237,"data":4681,"content":4682},{},[4683,4686,4693,4697,4704],{"nodeType":236,"value":931,"marks":4684,"data":4685},[],{},{"nodeType":274,"data":4687,"content":4688},{"uri":936},[4689],{"nodeType":236,"value":939,"marks":4690,"data":4692},[4691],{"type":282},{},{"nodeType":236,"value":4694,"marks":4695,"data":4696}," or ",[],{},{"nodeType":274,"data":4698,"content":4699},{"uri":961},[4700],{"nodeType":236,"value":964,"marks":4701,"data":4703},[4702],{"type":282},{},{"nodeType":236,"value":968,"marks":4705,"data":4706},[],{},"\"Scattered Lapsus$ Hunters\" — how modern attackers exploit the gaps in your security stack ","How Scattered Lapsus$ Hunters breaches demonstrate the evolution of attacker TTPs, shaping the future of cyber 
attacks.","2025-11-13T00:00:00.000Z","scattered-lapsus-hunters",{"items":4712},[4713,4715],{"sys":4714,"name":249},{"id":248},{"sys":4716,"name":253},{"id":252},{"items":4718},[4719],{"fullName":257,"firstName":258,"jobTitle":259,"profilePicture":4720},{"url":261},{"__typename":1141,"sys":4722,"content":4724,"title":6081,"synopsis":6082,"hashTags":61,"publishedDate":6083,"slug":6084,"tagsCollection":6085,"authorsCollection":6091},{"id":4723},"wI3paLVDlEKdaRI5qMYFc",{"json":4725},{"nodeType":238,"data":4726,"content":4727},{},[4728,4735,4758,4765,4771,4778,4785,4792,4798,4801,4809,4816,4822,4828,4844,5051,5063,5071,5078,5085,5092,5112,5118,5125,5128,5136,5143,5176,5183,5199,5220,5255,5261,5268,5287,5294,5301,5304,5312,5319,5412,5419,5426,5434,5441,5448,5455,5461,5469,5476,5483,5490,5496,5503,5511,5530,5538,5545,5551,5554,5562,5569,5576,5686,5692,5699,5706,5713,5720,5727,5735,5742,5749,5773,5779,5795,5810,5826,5832,5840,5847,5855,5862,5865,5873,5880,5913,5919,5943,5950,5953,5961,5968,5984,5990,5997,6004,6007,6014,6032,6039],{"nodeType":237,"data":4729,"content":4730},{},[4731],{"nodeType":236,"value":4732,"marks":4733,"data":4734},"Here are two things that can’t both be true:",[],{},{"nodeType":479,"data":4736,"content":4737},{},[4738,4748],{"nodeType":483,"data":4739,"content":4740},{},[4741],{"nodeType":237,"data":4742,"content":4743},{},[4744],{"nodeType":236,"value":4745,"marks":4746,"data":4747},"Users are the weakest link in security. They just need to stop clicking on things.",[],{},{"nodeType":483,"data":4749,"content":4750},{},[4751],{"nodeType":237,"data":4752,"content":4753},{},[4754],{"nodeType":236,"value":4755,"marks":4756,"data":4757},"The internet is a giant clicking-on-things machine.",[],{},{"nodeType":237,"data":4759,"content":4760},{},[4761],{"nodeType":236,"value":4762,"marks":4763,"data":4764},"In particular, when we look at the TTPs of modern browser-based attacks that target employees, it’s obvious where this disconnect has real consequences. 
",[],{},{"nodeType":359,"data":4766,"content":4770},{"target":4767},{"sys":4768},{"id":4769,"type":364,"linkType":365},"2x3blnHzZYcJ8c439C4NqI",[],{"nodeType":237,"data":4772,"content":4773},{},[4774],{"nodeType":236,"value":4775,"marks":4776,"data":4777},"Here’s why: Security tooling hasn’t kept up with adversary advances, and normal human behaviors are being expressly targeted via the browser to achieve compromise of accounts and endpoints. If you list the pitfalls facing the common end-user encountering these kinds of attack methods, the picture becomes even more stark.",[],{},{"nodeType":237,"data":4779,"content":4780},{},[4781],{"nodeType":236,"value":4782,"marks":4783,"data":4784},"To solve these problems, you need security tooling that sits in line with the user where they’re already working: In the browser. In this Push product guide, we’ll cover how you can use Push to provide point-in-time guidance — everything from block pages to informational banners — to protect users from modern browser-based TTPs and to guide them to remediate common vulnerabilities that can lead to account takeover.",[],{},{"nodeType":237,"data":4786,"content":4787},{},[4788],{"nodeType":236,"value":4789,"marks":4790,"data":4791},"We’ve also recently introduced custom branding and styling options for user-facing block pages and banners so you can provide a cohesive and trustworthy experience across your security ecosystem.",[],{},{"nodeType":359,"data":4793,"content":4797},{"target":4794},{"sys":4795},{"id":4796,"type":364,"linkType":365},"7fwCnr9bz76rWWCL6EReOT",[],{"nodeType":339,"data":4799,"content":4800},{},[],{"nodeType":343,"data":4802,"content":4803},{},[4804],{"nodeType":236,"value":4805,"marks":4806,"data":4808},"Why you can’t train users to recognize modern browser-based attack methods",[4807],{"type":292},{},{"nodeType":237,"data":4810,"content":4811},{},[4812],{"nodeType":236,"value":4813,"marks":4814,"data":4815},"User awareness training can help you build your 
workforce’s basic security baseline. But it’s not a reliable remedy for modern browser-based TTPs. When you look at the creative methods attackers are using — and rapidly improving on — it’s obvious why.",[],{},{"nodeType":359,"data":4817,"content":4821},{"target":4818},{"sys":4819},{"id":4820,"type":364,"linkType":365},"eHla7GPCH5eTpdfEqW5Zo",[],{"nodeType":359,"data":4823,"content":4827},{"target":4824},{"sys":4825},{"id":4826,"type":364,"linkType":365},"29vUtbEUam8fhbwnQdINRJ",[],{"nodeType":237,"data":4829,"content":4830},{},[4831,4835,4840],{"nodeType":236,"value":4832,"marks":4833,"data":4834},"To avoid account or endpoint compromise while going about your daily work as a user, you would need to accomplish these ",[],{},{"nodeType":236,"value":4836,"marks":4837,"data":4839},"extremely 100% achievable activities",[4838],{"type":433},{},{"nodeType":236,"value":4841,"marks":4842,"data":4843},", including:",[],{},{"nodeType":1658,"data":4845,"content":4846},{},[4847,4873,4915,4938,4973,5005],{"nodeType":1662,"data":4848,"content":4849},{},[4850,4862],{"nodeType":4851,"data":4852,"content":4853},"table-header-cell",{},[4854],{"nodeType":237,"data":4855,"content":4856},{},[4857],{"nodeType":236,"value":4858,"marks":4859,"data":4861},"Scenario",[4860],{"type":292},{},{"nodeType":4851,"data":4863,"content":4864},{},[4865],{"nodeType":237,"data":4866,"content":4867},{},[4868],{"nodeType":236,"value":4869,"marks":4870,"data":4872},"Threat",[4871],{"type":292},{},{"nodeType":1662,"data":4874,"content":4875},{},[4876,4901],{"nodeType":1666,"data":4877,"content":4878},{},[4879],{"nodeType":237,"data":4880,"content":4881},{},[4882,4886,4897],{"nodeType":236,"value":4883,"marks":4884,"data":4885},"While using search engines, never click on a ",[],{},{"nodeType":4887,"data":4888,"content":4892},"entry-hyperlink",{"target":4889},{"sys":4890},{"id":4891,"type":364,"linkType":365},"2YmiesBvJHGw4wiKEKzLUq",[4893],{"nodeType":236,"value":4894,"marks":4895,"data":4896},"malicious 
link",[],{},{"nodeType":236,"value":4898,"marks":4899,"data":4900}," in sponsored or organic results (it's often the first link you see, too).",[],{},{"nodeType":1666,"data":4902,"content":4903},{},[4904],{"nodeType":237,"data":4905,"content":4906},{},[4907,4911],{"nodeType":236,"value":4908,"marks":4909,"data":4910},"M",[],{},{"nodeType":236,"value":4912,"marks":4913,"data":4914},"alvertising, SEO poisoning, compromised legitimate webpages, vibecoded phishing webpages.",[],{},{"nodeType":1662,"data":4916,"content":4917},{},[4918,4928],{"nodeType":1666,"data":4919,"content":4920},{},[4921],{"nodeType":237,"data":4922,"content":4923},{},[4924],{"nodeType":236,"value":4925,"marks":4926,"data":4927},"Know when to trust an email coming from an app you use every day, and when it could be malicious (it looks the same).",[],{},{"nodeType":1666,"data":4929,"content":4930},{},[4931],{"nodeType":237,"data":4932,"content":4933},{},[4934],{"nodeType":236,"value":4935,"marks":4936,"data":4937},"Using SaaS services to distribute malicious links using trusted sites (also a handy way of evading email controls).",[],{},{"nodeType":1662,"data":4939,"content":4940},{},[4941,4963],{"nodeType":1666,"data":4942,"content":4943},{},[4944],{"nodeType":237,"data":4945,"content":4946},{},[4947,4951,4959],{"nodeType":236,"value":4948,"marks":4949,"data":4950},"When reading a LinkedIn DM from a colleague, anticipate that they might have been hacked and have sent you a malicious link. (Yes, this was a ",[],{},{"nodeType":274,"data":4952,"content":4954},{"uri":4953},"https://pushsecurity.com/blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack/",[4955],{"nodeType":236,"value":4956,"marks":4957,"data":4958},"real scenario",[],{},{"nodeType":236,"value":4960,"marks":4961,"data":4962},"). 
",[],{},{"nodeType":1666,"data":4964,"content":4965},{},[4966],{"nodeType":237,"data":4967,"content":4968},{},[4969],{"nodeType":236,"value":4970,"marks":4971,"data":4972},"Abuse of social media, IM platforms, and other apps where you can be directly contacted by users external to your organization. ",[],{},{"nodeType":1662,"data":4974,"content":4975},{},[4976,4986],{"nodeType":1666,"data":4977,"content":4978},{},[4979],{"nodeType":237,"data":4980,"content":4981},{},[4982],{"nodeType":236,"value":4983,"marks":4984,"data":4985},"When logging in to an app, never follow benign-seeming but actually malicious instructions to enter a code onto a legitimate page to complete your login.",[],{},{"nodeType":1666,"data":4987,"content":4988},{},[4989],{"nodeType":237,"data":4990,"content":4991},{},[4992,4996,5002],{"nodeType":236,"value":4993,"marks":4994,"data":4995},"AiTM phishing, OAuth consent phishing, ",[],{},{"nodeType":274,"data":4997,"content":4998},{"uri":1015},[4999],{"nodeType":236,"value":1018,"marks":5000,"data":5001},[],{},{"nodeType":236,"value":968,"marks":5003,"data":5004},[],{},{"nodeType":1662,"data":5006,"content":5007},{},[5008,5018],{"nodeType":1666,"data":5009,"content":5010},{},[5011],{"nodeType":237,"data":5012,"content":5013},{},[5014],{"nodeType":236,"value":5015,"marks":5016,"data":5017},"Know which instructions to follow and which are malicious when verifying that you're human on a CAPTCHA-style page.",[],{},{"nodeType":1666,"data":5019,"content":5020},{},[5021],{"nodeType":237,"data":5022,"content":5023},{},[5024,5027,5035,5039,5047],{"nodeType":236,"value":29,"marks":5025,"data":5026},[],{},{"nodeType":274,"data":5028,"content":5030},{"uri":5029},"https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/",[5031],{"nodeType":236,"value":5032,"marks":5033,"data":5034},"ClickFix",[],{},{"nodeType":236,"value":5036,"marks":5037,"data":5038},"-style attacks that trick the user into running a malicious script or command, or 
",[],{},{"nodeType":274,"data":5040,"content":5042},{"uri":5041},"https://pushsecurity.com/blog/consentfix/",[5043],{"nodeType":236,"value":5044,"marks":5045,"data":5046},"ConsentFix",[],{},{"nodeType":236,"value":5048,"marks":5049,"data":5050}," (which is even sneakier and simply involves copying a URL).",[],{},{"nodeType":237,"data":5052,"content":5053},{},[5054,5058],{"nodeType":236,"value":5055,"marks":5056,"data":5057},"And we're barely scratching the surface here. ",[],{},{"nodeType":236,"value":5059,"marks":5060,"data":5062},"Easy, right?",[5061],{"type":292},{},{"nodeType":394,"data":5064,"content":5065},{},[5066],{"nodeType":236,"value":5067,"marks":5068,"data":5070},"Can't we block users from interacting with bad content? ",[5069],{"type":292},{},{"nodeType":237,"data":5072,"content":5073},{},[5074],{"nodeType":236,"value":5075,"marks":5076,"data":5077},"So if you can’t train your way out of these problems, what about locking down and blocking your way out of the problem?",[],{},{"nodeType":237,"data":5079,"content":5080},{},[5081],{"nodeType":236,"value":5082,"marks":5083,"data":5084},"This, too, simply isn’t really feasible. 
",[],{},{"nodeType":237,"data":5086,"content":5087},{},[5088],{"nodeType":236,"value":5089,"marks":5090,"data":5091},"Modern cloud-first adversaries routinely rotate domains on malicious pages; use trusted services like SharePoint, Adobe, Google Sites, Cloudflare, and Atlassian to deliver lures; target end-users across multiple channels, including social media, forums, chat platforms, Google search results, email, and webpages; and use legitimate security tools like bot protection to bypass detection by other legitimate security tools, such as web content scanning and analysis solutions.",[],{},{"nodeType":237,"data":5093,"content":5094},{},[5095,5099,5103,5108],{"nodeType":236,"value":5096,"marks":5097,"data":5098},"To safely navigate the internet today, y",[],{},{"nodeType":236,"value":5100,"marks":5101,"data":5102},"ou need to be able to spot malicious pages and content ",[],{},{"nodeType":236,"value":5104,"marks":5105,"data":5107},"the first time they're seen in the wild",[5106],{"type":292},{},{"nodeType":236,"value":5109,"marks":5110,"data":5111},". If you're relying on indicators of known bad, you're always a step behind, leaving users exposed.",[],{},{"nodeType":359,"data":5113,"content":5117},{"target":5114},{"sys":5115},{"id":5116,"type":364,"linkType":365},"3ZfqOLRdJZJIc78rj9E9JZ",[],{"nodeType":237,"data":5119,"content":5120},{},[5121],{"nodeType":236,"value":5122,"marks":5123,"data":5124},"To protect users while they work online, you need a purpose-built security tool that can respond in real time to modern TTPs and guide users securely — without introducing extra work or a lot of friction. 
Push can help with that.",[],{},{"nodeType":339,"data":5126,"content":5127},{},[],{"nodeType":343,"data":5129,"content":5130},{},[5131],{"nodeType":236,"value":5132,"marks":5133,"data":5135},"Why in-browser controls?",[5134],{"type":292},{},{"nodeType":237,"data":5137,"content":5138},{},[5139],{"nodeType":236,"value":5140,"marks":5141,"data":5142},"Simply put, using in-browser security controls gets you the closest to the user and their work in order to protect them from modern browser-based threats. Adding in-browser controls also solves two tricky problems for security teams: ",[],{},{"nodeType":479,"data":5144,"content":5145},{},[5146,5161],{"nodeType":483,"data":5147,"content":5148},{},[5149],{"nodeType":237,"data":5150,"content":5151},{},[5152,5157],{"nodeType":236,"value":5153,"marks":5154,"data":5156},"Filling the gap between solution layers",[5155],{"type":292},{},{"nodeType":236,"value":5158,"marks":5159,"data":5160}," in order to detect and block attack methods like Adversary-in-the-Middle phishing, malicious browser extensions, and ClickFix-style social engineering attacks that other tools miss.",[],{},{"nodeType":483,"data":5162,"content":5163},{},[5164],{"nodeType":237,"data":5165,"content":5166},{},[5167,5172],{"nodeType":236,"value":5168,"marks":5169,"data":5171},"Providing just-in-time security enforcement",[5170],{"type":292},{},{"nodeType":236,"value":5173,"marks":5174,"data":5175}," to end-users when it’s the right moment to act on that guidance, reducing your attack surface across your online apps, browser extensions, and accounts, and ensuring your app usage policies are followed.",[],{},{"nodeType":394,"data":5177,"content":5178},{},[5179],{"nodeType":236,"value":5180,"marks":5181,"data":5182},"Fill the gap between solution layers",[],{},{"nodeType":237,"data":5184,"content":5185},{},[5186,5190,5195],{"nodeType":236,"value":5187,"marks":5188,"data":5189},"Most existing security solutions operate just 
",[],{},{"nodeType":236,"value":5191,"marks":5192,"data":5194},"outside",[5193],{"type":433},{},{"nodeType":236,"value":5196,"marks":5197,"data":5198}," the context of a user interacting with a webpage. This leaves blind spots that attackers are exploiting between layers of security tooling.",[],{},{"nodeType":237,"data":5200,"content":5201},{},[5202,5206,5216],{"nodeType":236,"value":5203,"marks":5204,"data":5205},"For example, network proxies see HTTP requests, URLs, and page headers, but not the ",[],{},{"nodeType":4887,"data":5207,"content":5211},{"target":5208},{"sys":5209},{"id":5210,"type":364,"linkType":365},"5caCcGCqMMPm5KlwUv0sbz",[5212],{"nodeType":236,"value":5213,"marks":5214,"data":5215},"structural elements",[],{},{"nodeType":236,"value":5217,"marks":5218,"data":5219}," of the DOM or on-page user interactions that are key to fingerprinting the behavior of AiTM phishing kits or ClickFix-style social engineering attacks. ",[],{},{"nodeType":237,"data":5221,"content":5222},{},[5223,5227,5237,5241,5251],{"nodeType":236,"value":5224,"marks":5225,"data":5226},"Similarly, ",[],{},{"nodeType":4887,"data":5228,"content":5232},{"target":5229},{"sys":5230},{"id":5231,"type":364,"linkType":365},"6YWYKGESlyUKQxvhKmBzeH",[5233],{"nodeType":236,"value":5234,"marks":5235,"data":5236},"EDR tools",[],{},{"nodeType":236,"value":5238,"marks":5239,"data":5240}," only see the bad thing when it hits the endpoint, and many ",[],{},{"nodeType":4887,"data":5242,"content":5246},{"target":5243},{"sys":5244},{"id":5245,"type":364,"linkType":365},"2k2aDK5dyQKlQBrk66pMXE",[5247],{"nodeType":236,"value":5248,"marks":5249,"data":5250},"cloud security tools",[],{},{"nodeType":236,"value":5252,"marks":5253,"data":5254}," rely on complex policy configurations across a core set of apps to provide security protection — leaving a gap in detection and response capabilities outside their 
purview.",[],{},{"nodeType":359,"data":5256,"content":5260},{"target":5257},{"sys":5258},{"id":5259,"type":364,"linkType":365},"50NyBpr96dKspvTzJTBOlC",[],{"nodeType":394,"data":5262,"content":5263},{},[5264],{"nodeType":236,"value":5265,"marks":5266,"data":5267},"Provide just-in-time security enforcement",[],{},{"nodeType":237,"data":5269,"content":5270},{},[5271,5275,5283],{"nodeType":236,"value":5272,"marks":5273,"data":5274},"As some of our customers like to say, Push provides security teams with a ",[],{},{"nodeType":274,"data":5276,"content":5278},{"uri":5277},"/customer-stories/upvest",[5279],{"nodeType":236,"value":5280,"marks":5281,"data":5282},"“seat on the user’s side”",[],{},{"nodeType":236,"value":5284,"marks":5285,"data":5286}," of the equation so you can enforce security best practices.",[],{},{"nodeType":237,"data":5288,"content":5289},{},[5290],{"nodeType":236,"value":5291,"marks":5292,"data":5293},"Having that seat on the user’s side also helps you deliver guidance in the right context for it to be followed: When the user is engaged in doing the behavior you want to influence (or prevent). 
The right information, at the right time, in the right format — not a belated reminder through a different channel that’s easy to ignore.",[],{},{"nodeType":237,"data":5295,"content":5296},{},[5297],{"nodeType":236,"value":5298,"marks":5299,"data":5300},"With those outcomes in mind, let’s look at some specific solutions from the Push platform.",[],{},{"nodeType":339,"data":5302,"content":5303},{},[],{"nodeType":343,"data":5305,"content":5306},{},[5307],{"nodeType":236,"value":5308,"marks":5309,"data":5311},"How Push helps you protect users from browser-based ATO, ClickFix, and similar attacks",[5310],{"type":292},{},{"nodeType":237,"data":5313,"content":5314},{},[5315],{"nodeType":236,"value":5316,"marks":5317,"data":5318},"The Push platform provides out-of-the-box detections for browser-based attacks, including:",[],{},{"nodeType":479,"data":5320,"content":5321},{},[5322,5345,5368,5389],{"nodeType":483,"data":5323,"content":5324},{},[5325],{"nodeType":237,"data":5326,"content":5327},{},[5328,5331,5341],{"nodeType":236,"value":29,"marks":5329,"data":5330},[],{},{"nodeType":4887,"data":5332,"content":5336},{"target":5333},{"sys":5334},{"id":5335,"type":364,"linkType":365},"7KRnTSnJAbbiho69gNyN0B",[5337],{"nodeType":236,"value":5338,"marks":5339,"data":5340},"AiTM phishing kits",[],{},{"nodeType":236,"value":5342,"marks":5343,"data":5344}," that can bypass MFA",[],{},{"nodeType":483,"data":5346,"content":5347},{},[5348],{"nodeType":237,"data":5349,"content":5350},{},[5351,5354,5364],{"nodeType":236,"value":29,"marks":5352,"data":5353},[],{},{"nodeType":4887,"data":5355,"content":5359},{"target":5356},{"sys":5357},{"id":5358,"type":364,"linkType":365},"jN3GN5ddMJZiDtl0fgUVd",[5360],{"nodeType":236,"value":5361,"marks":5362,"data":5363},"Cloned login pages",[],{},{"nodeType":236,"value":5365,"marks":5366,"data":5367}," designed to steal user 
credentials",[],{},{"nodeType":483,"data":5369,"content":5370},{},[5371],{"nodeType":237,"data":5372,"content":5373},{},[5374,5377,5386],{"nodeType":236,"value":29,"marks":5375,"data":5376},[],{},{"nodeType":4887,"data":5378,"content":5382},{"target":5379},{"sys":5380},{"id":5381,"type":364,"linkType":365},"5NyiWgjMDwk16XZ0S681JK",[5383],{"nodeType":236,"value":4421,"marks":5384,"data":5385},[],{},{"nodeType":236,"value":29,"marks":5387,"data":5388},[],{},{"nodeType":483,"data":5390,"content":5391},{},[5392],{"nodeType":237,"data":5393,"content":5394},{},[5395,5398,5408],{"nodeType":236,"value":29,"marks":5396,"data":5397},[],{},{"nodeType":4887,"data":5399,"content":5403},{"target":5400},{"sys":5401},{"id":5402,"type":364,"linkType":365},"7jygmadjoz0asAHv7e5PuK",[5404],{"nodeType":236,"value":5405,"marks":5406,"data":5407},"Malicious copy and paste attacks",[],{},{"nodeType":236,"value":5409,"marks":5410,"data":5411}," like ClickFix, FileFix, and similar",[],{},{"nodeType":237,"data":5413,"content":5414},{},[5415],{"nodeType":236,"value":5416,"marks":5417,"data":5418},"For each of these attack vectors, Push delivers detection events and associated metadata for quick triage by the security team, as well as employee-facing warn or block screens, based on your selected configuration.",[],{},{"nodeType":237,"data":5420,"content":5421},{},[5422],{"nodeType":236,"value":5423,"marks":5424,"data":5425},"Here’s a snapshot of the capabilities of these controls and what end-users will experience.",[],{},{"nodeType":394,"data":5427,"content":5428},{},[5429],{"nodeType":236,"value":5430,"marks":5431,"data":5433},"The scenario:",[5432],{"type":292},{},{"nodeType":237,"data":5435,"content":5436},{},[5437],{"nodeType":236,"value":5438,"marks":5439,"data":5440},"When a user encounters a malicious page — whether that’s an AiTM phishing tool running on a webpage, or a ClickFix-style attack — or attempts to install a malicious extension, Push immediately steps in. 
",[],{},{"nodeType":237,"data":5442,"content":5443},{},[5444],{"nodeType":236,"value":5445,"marks":5446,"data":5447},"Push can prevent users from entering their credentials on phishing pages, including cloned login pages, or from pasting malicious clipboard contents that can run malware on their device. Push can also prevent users from installing known-bad browser extensions. ",[],{},{"nodeType":237,"data":5449,"content":5450},{},[5451],{"nodeType":236,"value":5452,"marks":5453,"data":5454},"In each of these scenarios, Push admins get detailed detection information they can use to triage the incident.",[],{},{"nodeType":359,"data":5456,"content":5460},{"target":5457},{"sys":5458},{"id":5459,"type":364,"linkType":365},"5jR3YVUiusHGnXDOyrgYpr",[],{"nodeType":394,"data":5462,"content":5463},{},[5464],{"nodeType":236,"value":5465,"marks":5466,"data":5468},"How it works:",[5467],{"type":292},{},{"nodeType":237,"data":5470,"content":5471},{},[5472],{"nodeType":236,"value":5473,"marks":5474,"data":5475},"Rather than relying on known-bad intelligence like domains or URLs, Push performs a behavioral and structural analysis of malicious pages in real time.",[],{},{"nodeType":237,"data":5477,"content":5478},{},[5479],{"nodeType":236,"value":5480,"marks":5481,"data":5482},"That means a phishing page never has to appear in a threat intelligence feed in order to be detected and blocked.",[],{},{"nodeType":237,"data":5484,"content":5485},{},[5486],{"nodeType":236,"value":5487,"marks":5488,"data":5489},"Similarly, for malicious copy and paste attacks like ClickFix, Push analyzes the content copied to the clipboard but also evaluates the context of the page to reduce false positives. 
In blocking mode, Push’s control for ClickFix-style attacks replaces the malicious clipboard contents with safe text — preventing potential endpoint compromise before it can occur.",[],{},{"nodeType":359,"data":5491,"content":5495},{"target":5492},{"sys":5493},{"id":5494,"type":364,"linkType":365},"3OkejjEjV9xflBc5ouOVFn",[],{"nodeType":237,"data":5497,"content":5498},{},[5499],{"nodeType":236,"value":5500,"marks":5501,"data":5502},"Finally, for identifying malicious browser extensions, Push takes a slightly different approach — combining both behavioral detections and curated intelligence of known-bad extensions from our own research and from trusted industry sources. We’ve found this combination provides the highest-fidelity way to identify malicious extensions without relying on approaches like analyzing extension permissions, which often isn’t actionable. ",[],{},{"nodeType":394,"data":5504,"content":5505},{},[5506],{"nodeType":236,"value":5507,"marks":5508,"data":5510},"Your security team gets:",[5509],{"type":292},{},{"nodeType":237,"data":5512,"content":5513},{},[5514,5518,5526],{"nodeType":236,"value":5515,"marks":5516,"data":5517},"Readymade detection and alerting, combined with detailed telemetry. Detections and their associated metadata can be consumed via ",[],{},{"nodeType":274,"data":5519,"content":5521},{"uri":5520},"/help/audience/administrators/docs/getting-started/#api-and-webhooks",[5522],{"nodeType":236,"value":5523,"marks":5524,"data":5525},"Push’s REST API and webhooks",[],{},{"nodeType":236,"value":5527,"marks":5528,"data":5529},". 
",[],{},{"nodeType":394,"data":5531,"content":5532},{},[5533],{"nodeType":236,"value":5534,"marks":5535,"data":5537},"Your end-users see:",[5536],{"type":292},{},{"nodeType":237,"data":5539,"content":5540},{},[5541],{"nodeType":236,"value":5542,"marks":5543,"data":5544},"An immediate block screen in your company colors and brand style, providing a highly memorable, contextual moment of learning — and reassuring them that an incident has been prevented.",[],{},{"nodeType":359,"data":5546,"content":5550},{"target":5547},{"sys":5548},{"id":5549,"type":364,"linkType":365},"4QfjDDfKjohKr1qqDLRT0m",[],{"nodeType":339,"data":5552,"content":5553},{},[],{"nodeType":343,"data":5555,"content":5556},{},[5557],{"nodeType":236,"value":5558,"marks":5559,"data":5561},"How Push helps you remediate account vulnerabilities at scale",[5560],{"type":292},{},{"nodeType":237,"data":5563,"content":5564},{},[5565],{"nodeType":236,"value":5566,"marks":5567,"data":5568},"Just-in-time security enforcement works best when it’s trustworthy and contextual — without making a lot more work for your team. 
Push also provides readymade controls for remediating common account vulnerabilities that contribute to your attack surface online, helping you harden existing accounts and reduce behaviors that introduce new risks.",[],{},{"nodeType":237,"data":5570,"content":5571},{},[5572],{"nodeType":236,"value":5573,"marks":5574,"data":5575},"With Push, you can:",[],{},{"nodeType":479,"data":5577,"content":5578},{},[5579,5602,5639,5663],{"nodeType":483,"data":5580,"content":5581},{},[5582],{"nodeType":237,"data":5583,"content":5584},{},[5585,5588,5598],{"nodeType":236,"value":29,"marks":5586,"data":5587},[],{},{"nodeType":4887,"data":5589,"content":5593},{"target":5590},{"sys":5591},{"id":5592,"type":364,"linkType":365},"6FYHbkcRUrtznPo7RarRsz",[5594],{"nodeType":236,"value":5595,"marks":5596,"data":5597},"Prevent the phishing or reuse of high-value passwords",[],{},{"nodeType":236,"value":5599,"marks":5600,"data":5601},", like your IdP, AWS, or code repository passwords.",[],{},{"nodeType":483,"data":5603,"content":5604},{},[5605],{"nodeType":237,"data":5606,"content":5607},{},[5608,5612,5622,5625,5635],{"nodeType":236,"value":5609,"marks":5610,"data":5611},"Remediate ",[],{},{"nodeType":4887,"data":5613,"content":5617},{"target":5614},{"sys":5615},{"id":5616,"type":364,"linkType":365},"2WAc5HflKonFN7Jc53ROgj",[5618],{"nodeType":236,"value":5619,"marks":5620,"data":5621},"missing MFA",[],{},{"nodeType":236,"value":4694,"marks":5623,"data":5624},[],{},{"nodeType":4887,"data":5626,"content":5630},{"target":5627},{"sys":5628},{"id":5629,"type":364,"linkType":365},"2dAP36chda6ZDGKzw0Itfs",[5631],{"nodeType":236,"value":5632,"marks":5633,"data":5634},"insecure passwords",[],{},{"nodeType":236,"value":5636,"marks":5637,"data":5638}," on any work app, even those not managed by your SSO solution.",[],{},{"nodeType":483,"data":5640,"content":5641},{},[5642],{"nodeType":237,"data":5643,"content":5644},{},[5645,5649,5659],{"nodeType":236,"value":5646,"marks":5647,"data":5648},"Use 
",[],{},{"nodeType":4887,"data":5650,"content":5654},{"target":5651},{"sys":5652},{"id":5653,"type":364,"linkType":365},"2ZpKnuljaUH0jzVaae4SMN",[5655],{"nodeType":236,"value":5656,"marks":5657,"data":5658},"in-browser banners",[],{},{"nodeType":236,"value":5660,"marks":5661,"data":5662}," to add guardrails to app usage, including blocking unapproved SaaS or collecting a business reason to access an app before approving it.",[],{},{"nodeType":483,"data":5664,"content":5665},{},[5666],{"nodeType":237,"data":5667,"content":5668},{},[5669,5672,5682],{"nodeType":236,"value":29,"marks":5670,"data":5671},[],{},{"nodeType":4887,"data":5673,"content":5677},{"target":5674},{"sys":5675},{"id":5676,"type":364,"linkType":365},"3ibVBa6u0XfcXXDVtON5th",[5678],{"nodeType":236,"value":5679,"marks":5680,"data":5681},"Block unwanted or unapproved browser extensions",[],{},{"nodeType":236,"value":5683,"marks":5684,"data":5685}," from being installed, or disable them if they’ve been installed previously.",[],{},{"nodeType":237,"data":5687,"content":5688},{},[5689],{"nodeType":236,"value":5423,"marks":5690,"data":5691},[],{},{"nodeType":394,"data":5693,"content":5694},{},[5695],{"nodeType":236,"value":5430,"marks":5696,"data":5698},[5697],{"type":292},{},{"nodeType":237,"data":5700,"content":5701},{},[5702],{"nodeType":236,"value":5703,"marks":5704,"data":5705},"Push uses in-browser controls to intervene when a user is missing MFA; reusing a high-value password; using an insecure password; attempting to log in to an unapproved app; or attempting to install a blocked extension. ",[],{},{"nodeType":237,"data":5707,"content":5708},{},[5709],{"nodeType":236,"value":5710,"marks":5711,"data":5712},"Push can block users from reusing passwords set as “protected” (meaning they can’t be reused on any other page or app) or from using unapproved apps or extensions. Push can guide users to update their password or register for MFA on accounts where they lack it. 
Push can also provide any other specific security or policy guidance to employees via banners that appear on apps in your environment, including GenAI apps. ",[],{},{"nodeType":237,"data":5714,"content":5715},{},[5716],{"nodeType":236,"value":5717,"marks":5718,"data":5719},"For all of these scenarios, you can tune Push controls to your preferred mode (informing vs. blocking, for example) and select which employees, employee groups, and apps or accounts to focus on.",[],{},{"nodeType":237,"data":5721,"content":5722},{},[5723],{"nodeType":236,"value":5724,"marks":5725,"data":5726},"You can also customize the message that employees see, to match your organizational culture and policies.",[],{},{"nodeType":394,"data":5728,"content":5729},{},[5730],{"nodeType":236,"value":5731,"marks":5732,"data":5734},"How it works: ",[5733],{"type":292},{},{"nodeType":237,"data":5736,"content":5737},{},[5738],{"nodeType":236,"value":5739,"marks":5740,"data":5741},"The Push browser agent observes real-time user behavior and securely analyzes users’ account vulnerabilities in order to identify risks and execute your preconfigured controls. ",[],{},{"nodeType":237,"data":5743,"content":5744},{},[5745],{"nodeType":236,"value":5746,"marks":5747,"data":5748},"To identify MFA status, Push uses the app’s own API to query the logged-in user’s registered MFA methods. To analyze password security, Push creates a salted, truncated hash that is stored locally in the user’s browser and then used for comparison to find reused passwords, leaked passwords, and shared passwords. 
",[],{},{"nodeType":237,"data":5750,"content":5751},{},[5752,5756,5761,5764,5769],{"nodeType":236,"value":5753,"marks":5754,"data":5755},"Using the ",[],{},{"nodeType":236,"value":5757,"marks":5758,"data":5760},"MFA enforcement",[5759],{"type":292},{},{"nodeType":236,"value":1300,"marks":5762,"data":5763},[],{},{"nodeType":236,"value":5765,"marks":5766,"data":5768},"Strong password enforcement",[5767],{"type":292},{},{"nodeType":236,"value":5770,"marks":5771,"data":5772}," controls, you can then automatically display a banner to users with those account vulnerabilities, guiding them to fix the issue.",[],{},{"nodeType":359,"data":5774,"content":5778},{"target":5775},{"sys":5776},{"id":5777,"type":364,"linkType":365},"7Ka4CumZk9it6GsdlNHREA",[],{"nodeType":237,"data":5780,"content":5781},{},[5782,5786,5791],{"nodeType":236,"value":5783,"marks":5784,"data":5785},"Using Push’s ",[],{},{"nodeType":236,"value":5787,"marks":5788,"data":5790},"Password protection",[5789],{"type":292},{},{"nodeType":236,"value":5792,"marks":5793,"data":5794}," control, you can select apps where you want to essentially “pin” the high-value password to only that app and prevent its reuse (or phishing) on any other domain. 
",[],{},{"nodeType":237,"data":5796,"content":5797},{},[5798,5801,5806],{"nodeType":236,"value":5783,"marks":5799,"data":5800},[],{},{"nodeType":236,"value":5802,"marks":5803,"data":5805},"Browser extension blocking",[5804],{"type":292},{},{"nodeType":236,"value":5807,"marks":5808,"data":5809}," control, you can create a blocklist or allowlist of extensions and prevent users from installing or enabling blocked extensions.",[],{},{"nodeType":237,"data":5811,"content":5812},{},[5813,5817,5822],{"nodeType":236,"value":5814,"marks":5815,"data":5816},"Finally, using Push’s ",[],{},{"nodeType":236,"value":5818,"marks":5819,"data":5821},"App banners",[5820],{"type":292},{},{"nodeType":236,"value":5823,"marks":5824,"data":5825}," feature, you can add custom messages in a range of modes — from informing to blocking — to apps in use across your business, or even specific URL patterns.",[],{},{"nodeType":359,"data":5827,"content":5831},{"target":5828},{"sys":5829},{"id":5830,"type":364,"linkType":365},"5Mq4PEzEhW8p1qLvS9aZMm",[],{"nodeType":394,"data":5833,"content":5834},{},[5835],{"nodeType":236,"value":5836,"marks":5837,"data":5839},"Your security team gets: ",[5838],{"type":292},{},{"nodeType":237,"data":5841,"content":5842},{},[5843],{"nodeType":236,"value":5844,"marks":5845,"data":5846},"A flexible and highly configurable set of controls to solve account vulnerabilities at scale and to enforce your security controls around browser extensions and app usage.",[],{},{"nodeType":394,"data":5848,"content":5849},{},[5850],{"nodeType":236,"value":5851,"marks":5852,"data":5854},"Your end-users see: ",[5853],{"type":292},{},{"nodeType":237,"data":5856,"content":5857},{},[5858],{"nodeType":236,"value":5859,"marks":5860,"data":5861},"Contextual, actionable guidance in the midst of their actual workflow, helping them fix the issue or guiding them to 
safety.",[],{},{"nodeType":339,"data":5863,"content":5864},{},[],{"nodeType":343,"data":5866,"content":5867},{},[5868],{"nodeType":236,"value":5869,"marks":5870,"data":5872},"Implementation tips",[5871],{"type":292},{},{"nodeType":237,"data":5874,"content":5875},{},[5876],{"nodeType":236,"value":5877,"marks":5878,"data":5879},"Push allows you to set the scope and mode of each control, making it simple to roll out. ",[],{},{"nodeType":237,"data":5881,"content":5882},{},[5883,5887,5892,5896,5900,5904,5909],{"nodeType":236,"value":5884,"marks":5885,"data":5886},"We recommend starting in ",[],{},{"nodeType":236,"value":5888,"marks":5889,"data":5891},"Monitor",[5890],{"type":292},{},{"nodeType":236,"value":5893,"marks":5894,"data":5895}," mode for controls that intervene in end-user activities. That way, you can perform testing with sample malicious sites or scenarios like reused protected passwords, tune out any benign true positives, and develop the messaging you want to use on warn or block pages. 
(For controls without an explicit monitor mode, like ",[],{},{"nodeType":236,"value":5765,"marks":5897,"data":5899},[5898],{"type":292},{},{"nodeType":236,"value":5901,"marks":5902,"data":5903},", you can still monitor for related events on the ",[],{},{"nodeType":236,"value":5905,"marks":5906,"data":5908},"Events",[5907],{"type":292},{},{"nodeType":236,"value":5910,"marks":5911,"data":5912}," page, such as account security findings, or by consuming webhooks into a downstream tool.)",[],{},{"nodeType":359,"data":5914,"content":5918},{"target":5915},{"sys":5916},{"id":5917,"type":364,"linkType":365},"7vk8DHv01cM1o2C0ZpAvZu",[],{"nodeType":237,"data":5920,"content":5921},{},[5922,5926,5931,5934,5939],{"nodeType":236,"value":5923,"marks":5924,"data":5925},"When you’re ready, set the mode to ",[],{},{"nodeType":236,"value":5927,"marks":5928,"data":5930},"Warn",[5929],{"type":292},{},{"nodeType":236,"value":4694,"marks":5932,"data":5933},[],{},{"nodeType":236,"value":5935,"marks":5936,"data":5938},"Block",[5937],{"type":292},{},{"nodeType":236,"value":5940,"marks":5941,"data":5942}," and use the scope options to perform a phased rollout to your user population by adding additional user groups to the control until you have complete coverage of your population.",[],{},{"nodeType":237,"data":5944,"content":5945},{},[5946],{"nodeType":236,"value":5947,"marks":5948,"data":5949},"By consuming webhook events into your SIEM, you can integrate Push alerts into your existing security workflows, monitoring for new detections or tracking when account vulnerabilities are resolved.",[],{},{"nodeType":339,"data":5951,"content":5952},{},[],{"nodeType":343,"data":5954,"content":5955},{},[5956],{"nodeType":236,"value":5957,"marks":5958,"data":5960},"Enhancing user trust with custom branding",[5959],{"type":292},{},{"nodeType":237,"data":5962,"content":5963},{},[5964],{"nodeType":236,"value":5965,"marks":5966,"data":5967},"We recently released the option to customize the look and feel of 
all employee-facing banners and block pages. ",[],{},{"nodeType":237,"data":5969,"content":5970},{},[5971,5975,5980],{"nodeType":236,"value":5972,"marks":5973,"data":5974},"From the ",[],{},{"nodeType":236,"value":5976,"marks":5977,"data":5979},"Settings",[5978],{"type":292},{},{"nodeType":236,"value":5981,"marks":5982,"data":5983}," page in the Push admin console, you can upload your logo, add accent colors, and choose from light or dark backgrounds.",[],{},{"nodeType":359,"data":5985,"content":5989},{"target":5986},{"sys":5987},{"id":5988,"type":364,"linkType":365},"51lk1VRP20G7H4PAoRZANI",[],{"nodeType":237,"data":5991,"content":5992},{},[5993],{"nodeType":236,"value":5994,"marks":5995,"data":5996},"Custom branding increases the trustworthiness of these in-the-moment security guardrails so that users recognize them immediately and act on their guidance.",[],{},{"nodeType":237,"data":5998,"content":5999},{},[6000],{"nodeType":236,"value":6001,"marks":6002,"data":6003},"The result: Better compliance and lower friction for you and your employees.",[],{},{"nodeType":339,"data":6005,"content":6006},{},[],{"nodeType":343,"data":6008,"content":6009},{},[6010],{"nodeType":236,"value":3690,"marks":6011,"data":6013},[6012],{"type":292},{},{"nodeType":237,"data":6015,"content":6016},{},[6017,6021,6028],{"nodeType":236,"value":6018,"marks":6019,"data":6020},"Push Security’s browser-based security platform stops browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking — ",[],{},{"nodeType":274,"data":6022,"content":6023},{"uri":165},[6024],{"nodeType":236,"value":6025,"marks":6026,"data":6027},"modern attack techniques",[],{},{"nodeType":236,"value":6029,"marks":6030,"data":6031}," that are the leading cause of breaches today.",[],{},{"nodeType":237,"data":6033,"content":6034},{},[6035],{"nodeType":236,"value":6036,"marks":6037,"data":6038},"You don’t need to wait until it all goes wrong either. 
You can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":237,"data":6040,"content":6041},{},[6042,6046,6054,6058,6066,6070,6078],{"nodeType":236,"value":6043,"marks":6044,"data":6045},"Want to learn more about Push? Check out our latest ",[],{},{"nodeType":274,"data":6047,"content":6049},{"uri":6048},"/resources/product-brochure",[6050],{"nodeType":236,"value":6051,"marks":6052,"data":6053},"product overview",[],{},{"nodeType":236,"value":6055,"marks":6056,"data":6057},", visit our ",[],{},{"nodeType":274,"data":6059,"content":6061},{"uri":6060},"/product-demo/",[6062],{"nodeType":236,"value":6063,"marks":6064,"data":6065},"demo library",[],{},{"nodeType":236,"value":6067,"marks":6068,"data":6069},", or book some time with one of our team for a ",[],{},{"nodeType":274,"data":6071,"content":6073},{"uri":6072},"/demo",[6074],{"nodeType":236,"value":6075,"marks":6076,"data":6077},"live demo",[],{},{"nodeType":236,"value":968,"marks":6079,"data":6080},[],{},"Guide: How to use Push controls to protect your users from modern browser threats","How to use in-browser controls to stop browser-based attacks before compromise can occur","2026-04-08T00:00:00.000Z","guide-how-to-use-push-controls-to-protect-your-users-from-modern-attacks",{"items":6086},[6087,6089],{"sys":6088,"name":249},{"id":248},{"sys":6090,"name":253},{"id":252},{"items":6092},[6093],{"fullName":6094,"firstName":6095,"jobTitle":6096,"profilePicture":6097},"Kelly Davenport","Kelly","Product 
Team",{"url":6098},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg","content:blog:unpacking-the-vercel-breach.json","json","content","blog/unpacking-the-vercel-breach.json","blog/unpacking-the-vercel-breach",[6105,6288,6407,6526,6644,6764,6884,7004],{"createdDate":6106,"id":6107,"name":6108,"modelId":6109,"published":13,"stageModifiedSincePublish":6,"query":6110,"data":6116,"variations":6276,"lastUpdated":6277,"firstPublished":6278,"testRatio":23,"screenshot":6279,"createdBy":91,"lastUpdatedBy":6280,"folders":6281,"meta":6282,"rev":6287},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[6111],{"@type":6112,"property":6113,"operator":6114,"value":6115},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":6117,"customFonts":6118,"seoTitle":6165,"title":6165,"tsCode":29,"seoDescription":6166,"fontAwesomeIcon":6167,"jsCode":29,"blocks":6168,"url":6115,"state":6273},[],[6119],{"family":6120,"kind":6121,"version":6122,"lastModified":6123,"files":6124,"category":6143,"menu":6144,"subsets":6145,"variants":6148},"DM 
Sans","webfonts#webfont","v14","2023-07-13",{"100":6125,"200":6126,"300":6127,"500":6128,"600":6129,"700":6130,"800":6131,"900":6132,"800italic":6133,"900italic":6134,"700italic":6135,"100italic":6136,"italic":6137,"regular":6138,"200italic":6139,"500italic":6140,"300italic":6141,"600italic":6142},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9
jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[6146,6147],"latin","latin-ext",[6149,6150,6151,6152,6153,6154,71,6155,6156,6157,6158,6159,433,6160,6161,6162,6163,6164],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[6169,6268],{"@type":47,"@version":48,"tagName":6170,"id":6171,"children":6172},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[6173,6190,6198,6205,6217,6232,6243,6254,6260],{"@type":47,"@version":48,"layerName":6174,"id":6175,"component":6176,"responsiveStyles":6187},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":6174,"options":6177,"isRSC":61},{"title":6165,"description":6178,"points":6179,"video":6186},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. 
From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[6180,6182,6184],{"item":6181},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":6183},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":6185},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":6188},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6189},"transparent",{"@type":47,"@version":48,"id":6191,"component":6192,"responsiveStyles":6195},"builder-96634044407e491299e291ed64669e39",{"name":6193,"options":6194,"isRSC":61},"TrustedBy",{"AllPartners":34,"backgroundTransparent":6},{"large":6196},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6197},"#000",{"@type":47,"@version":48,"id":6199,"component":6200,"responsiveStyles":6203},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":6201,"options":6202,"isRSC":61},"Diagonal",{"darkMode":34},{"large":6204},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"layerName":6206,"id":6207,"component":6208,"responsiveStyles":6215},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":6206,"tag":6206,"options":6209,"isRSC":61},{"darkMode":6,"maxWidth":6210,"maxTextWidth":6211,"title":6212,"description":6213,"animatedTitle":29,"image":6214,"reverse":6,"descriptionPaddingHorizontal":61},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":6216},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6218,"component":6219,"responsiveStyles":6227},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":6220,"options":6221,"isRSC":61},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6223,"title":6224,"description":6225,"reverse":34,"image":6226},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":6228},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":6229,"paddingTop":6230,"marginTop":6231},"DM Sans, sans-serif","20px","0px",{"@type":47,"@version":48,"id":6233,"component":6234,"responsiveStyles":6240},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":6220,"options":6235,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6236,"title":6237,"description":6238,"reverse":6,"image":6239},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook — script behavior, session hijacks, DOM changes, and user inputs — then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":6241},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6242},"36px",{"@type":47,"@version":48,"layerName":6220,"id":6244,"component":6245,"responsiveStyles":6251},"builder-42c32198083f4880acb37c5cb76934da",{"name":6220,"options":6246,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6247,"title":6248,"description":6249,"reverse":34,"image":6250},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts, such as session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":6252},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6253},"47px",{"@type":47,"@version":48,"id":6255,"component":6256,"responsiveStyles":6258},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":6201,"options":6257,"isRSC":61},{"darkMode":6},{"large":6259},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6261,"component":6262,"responsiveStyles":6266},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":6263,"tag":6263,"options":6264,"isRSC":61},"LatestResources",{"sectionHeading":29,"customClass":6265},"bg-black",{"large":6267},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":6269,"@type":47,"tagName":74,"properties":6270,"responsiveStyles":6271},"builder-pixel-1e5lson4quf",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":6272},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":6274},{"path":29,"query":6275},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":6283,"winningTest":61,"breakpoints":6284,"kind":6285,"hasLinks":6,"originalContentId":6286,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.ov
errides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"page","2daa5670b8504fc7ba4700633e8bd921","aw7armw9l7u",{"createdDate":6289,"id":6290,"name":6291,"modelId":6109,"published":13,"stageModifiedSincePublish":6,"query":6292,"data":6295,"variations":6399,"lastUpdated":6400,"firstPublished":6401,"testRatio":23,"screenshot":6402,"createdBy":91,"lastUpdatedBy":6280,"folders":6403,"meta":6404,"rev":6287},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[6293],{"@type":6112,"property":6113,"operator":6114,"value":6294},"/uc/browser-extension-security",{"seoDescription":6296,"jsCode":29,"fontAwesomeIcon":6297,"tsCode":29,"title":6291,"seoTitle":6291,"customFonts":6298,"inputs":6303,"blocks":6304,"url":6294,"state":6396},"Shine a light on risky browser 
extensions.","faPuzzlePiece",[6299],{"kind":6121,"family":6120,"version":6122,"files":6300,"category":6143,"lastModified":6123,"subsets":6301,"variants":6302,"menu":6144},{"100":6125,"200":6126,"300":6127,"500":6128,"600":6129,"700":6130,"800":6131,"900":6132,"100italic":6136,"italic":6137,"regular":6138,"900italic":6134,"800italic":6133,"700italic":6135,"200italic":6139,"300italic":6141,"500italic":6140,"600italic":6142},[6146,6147],[6149,6150,6151,6152,6153,6154,71,6155,6156,6157,6158,6159,433,6160,6161,6162,6163,6164],[],[6305,6391],{"@type":47,"@version":48,"tagName":6170,"id":6306,"meta":6307,"children":6308},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":6171},[6309,6325,6332,6339,6348,6358,6368,6378,6385],{"@type":47,"@version":48,"id":6310,"meta":6311,"component":6312,"responsiveStyles":6323},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":6175},{"name":6174,"options":6313,"isRSC":61},{"title":6291,"description":6314,"points":6315,"video":6322},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. 
Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[6316,6318,6320],{"item":6317},"Discover every browser extension in use",{"item":6319},"Spot risky or unsanctioned behavior",{"item":6321},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":6324},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6189},{"@type":47,"@version":48,"id":6326,"meta":6327,"component":6328,"responsiveStyles":6330},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":6191},{"name":6193,"options":6329,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":6331},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6197},{"@type":47,"@version":48,"id":6333,"meta":6334,"component":6335,"responsiveStyles":6337},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":6199},{"name":6201,"options":6336,"isRSC":61},{"darkMode":34},{"large":6338},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"layerName":6206,"id":6340,"component":6341,"responsiveStyles":6346},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":6206,"tag":6206,"options":6342,"isRSC":61},{"darkMode":6,"maxWidth":6210,"maxTextWidth":6211,"title":6343,"description":6344,"image":6345,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. 
With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":6347},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6349,"meta":6350,"component":6351,"responsiveStyles":6356},"builder-93738f98109a4009affb349afd7bb182",{"previousId":6218},{"name":6220,"options":6352,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6223,"title":6353,"description":6354,"reverse":34,"image":6355},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":6357},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":6229,"paddingTop":6230,"marginTop":6231},{"@type":47,"@version":48,"id":6359,"meta":6360,"component":6361,"responsiveStyles":6366},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":6233},{"name":6220,"options":6362,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6236,"title":6363,"description":6364,"reverse":6,"image":6365},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. 
This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":6367},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6242},{"@type":47,"@version":48,"layerName":6220,"id":6369,"meta":6370,"component":6371,"responsiveStyles":6376},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":6244},{"name":6220,"options":6372,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6247,"title":6373,"description":6374,"reverse":34,"image":6375},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. 
You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":6377},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6253},{"@type":47,"@version":48,"id":6379,"meta":6380,"component":6381,"responsiveStyles":6383},"builder-1a689287d1a1418997d57db578a71105",{"previousId":6255},{"name":6201,"options":6382,"isRSC":61},{"darkMode":6},{"large":6384},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6386,"component":6387,"responsiveStyles":6389},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":6263,"tag":6263,"options":6388,"isRSC":61},{"sectionHeading":29,"customClass":6265},{"large":6390},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":6392,"@type":47,"tagName":74,"properties":6393,"responsiveStyles":6394},"builder-pixel-4csozgnx06s",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":6395},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":6397},{"path":29,"query":6398},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":6285,"winningTest":61,"breakpoints":6405,"lastPreviewUrl":6406,"hasLinks":6,"originalContentId":6107,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-ca
se-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":6408,"id":6409,"name":6410,"modelId":6109,"published":13,"query":6411,"data":6414,"variations":6517,"lastUpdated":6518,"firstPublished":6519,"testRatio":23,"screenshot":6520,"createdBy":91,"lastUpdatedBy":6521,"folders":6522,"meta":6523,"rev":6287},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[6412],{"@type":6112,"property":6113,"operator":6114,"value":6413},"/uc/account-takeover-detection",{"title":6410,"customFonts":6415,"jsCode":29,"seoTitle":6410,"seoDescription":6420,"fontAwesomeIcon":6421,"tsCode":29,"blocks":6422,"url":6413,"state":6514},[6416],{"kind":6121,"category":6143,"variants":6417,"menu":6144,"files":6418,"family":6120,"subsets":6419,"version":6122,"lastModified":6123},[6149,6150,6151,6152,6153,6154,71,6155,6156,6157,6158,6159,433,6160,6161,6162,6163,6164],{"100":6125,"200":6126,"300":6127,"500":6128,"600":6129,"700":6130,"800":6131,"900":6132,"300italic":6141,"500italic":6140,"800italic":6133,"700italic":6135,"italic":6137,"900italic":6134,"600italic":6142,"200italic":6139,"regular":6138,"100italic":6136},[6146,6147],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[6423,6509],{"@type":47,"@version":48,"tagName":6170,"id":6424,"meta":6425,"children":6426},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":6171},[6427,6443,6450,6457,6466,6476,6486,6496,6503],{"@type":47,"@version":48,"id":6428,"meta":6429,"component":6430,"responsiveStyles":6441},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":6175},{"name":6174,"options":6431,"isRSC":61},{"title":6410,"description":6432,"points":6433,"video":6440},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[6434,6436,6438],{"item":6435},"Identify credential-based ATO as it unfolds",{"item":6437},"Surface hijacked sessions and token misuse",{"item":6439},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":6442},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6189},{"@type":47,"@version":48,"id":6444,"meta":6445,"component":6446,"responsiveStyles":6448},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":6191},{"name":6193,"options":6447,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":6449},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6197},{"@type":47,"@version":48,"id":6451,"meta":6452,"component":6453,"responsiveStyles":6455},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":6199},{"name":6201,"options":6454,"isRSC":61},{"darkMode":34},{"large":6456},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6458,"component":6459,"responsiveStyles":6464},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":6206,"tag":6206,"options":6460,"isRSC":61},{"darkMode":6,"maxWidth":6210,"maxTextWidth":6211,"title":6461,"description":6462,"image":6463,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":6465},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6467,"meta":6468,"component":6469,"responsiveStyles":6474},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":6218},{"name":6220,"options":6470,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6223,"title":6471,"description":6472,"reverse":34,"image":6473},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":6475},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":6229,"paddingTop":6231,"marginTop":6231},{"@type":47,"@version":48,"id":6477,"meta":6478,"component":6479,"responsiveStyles":6484},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":6233},{"name":6220,"options":6480,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6236,"title":6481,"description":6482,"reverse":6,"image":6483},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":6485},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6242},{"@type":47,"@version":48,"layerName":6220,"id":6487,"meta":6488,"component":6489,"responsiveStyles":6494},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":6244},{"name":6220,"options":6490,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6247,"title":6491,"description":6492,"reverse":34,"image":6493},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":6495},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6253},{"@type":47,"@version":48,"id":6497,"meta":6498,"component":6499,"responsiveStyles":6501},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":6255},{"name":6201,"options":6500,"isRSC":61},{"darkMode":6},{"large":6502},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6504,"component":6505,"responsiveStyles":6507},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":6263,"tag":6263,"options":6506,"isRSC":61},{"sectionHeading":29,"customClass":6265},{"large":6508},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":6510,"@type":47,"tagName":74,"properties":6511,"responsiveStyles":6512},"builder-pixel-6ae7z3694no",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":6513},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":6515},{"path":29,"query":6516},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":6524,"hasLinks":6,"originalContentId":6107,"breakpoints":6525,"winningTest":61,"kind":6285,"hasAutosaves":34},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2
CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":6527,"id":6528,"name":6529,"modelId":6109,"published":13,"query":6530,"data":6533,"variations":6636,"lastUpdated":6637,"firstPublished":6638,"testRatio":23,"screenshot":6639,"createdBy":91,"lastUpdatedBy":6521,"folders":6640,"meta":6641,"rev":6287},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[6531],{"@type":6112,"property":6113,"operator":6114,"value":6532},"/uc/attack-path-hardening",{"tsCode":29,"seoDescription":6534,"jsCode":29,"customFonts":6535,"fontAwesomeIcon":6540,"seoTitle":6529,"title":6529,"blocks":6541,"url":6532,"state":6633},"Harden access paths with visibility,  detection, and 
guardrails.",[6536],{"kind":6121,"files":6537,"version":6122,"lastModified":6123,"subsets":6538,"menu":6144,"category":6143,"variants":6539,"family":6120},{"100":6125,"200":6126,"300":6127,"500":6128,"600":6129,"700":6130,"800":6131,"900":6132,"regular":6138,"italic":6137,"800italic":6133,"500italic":6140,"600italic":6142,"200italic":6139,"900italic":6134,"700italic":6135,"100italic":6136,"300italic":6141},[6146,6147],[6149,6150,6151,6152,6153,6154,71,6155,6156,6157,6158,6159,433,6160,6161,6162,6163,6164],"faRadar",[6542,6628],{"@type":47,"@version":48,"tagName":6170,"id":6543,"meta":6544,"children":6545},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":6424},[6546,6562,6569,6576,6585,6595,6605,6615,6622],{"@type":47,"@version":48,"id":6547,"meta":6548,"component":6549,"responsiveStyles":6560},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":6428},{"name":6174,"options":6550,"isRSC":61},{"title":6529,"description":6551,"points":6552,"video":6559},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[6553,6555,6557],{"item":6554},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":6556},"Monitor how users actually log in across apps, flows, and tools",{"item":6558},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":6561},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6189},{"@type":47,"@version":48,"id":6563,"meta":6564,"component":6565,"responsiveStyles":6567},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":6444},{"name":6193,"options":6566,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":6568},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6197},{"@type":47,"@version":48,"id":6570,"meta":6571,"component":6572,"responsiveStyles":6574},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":6451},{"name":6201,"options":6573,"isRSC":61},{"darkMode":34},{"large":6575},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6577,"component":6578,"responsiveStyles":6583},"builder-dec0246085e1485c803f7152b1922a81",{"name":6206,"tag":6206,"options":6579,"isRSC":61},{"darkMode":6,"maxWidth":6210,"maxTextWidth":6211,"title":6580,"description":6581,"image":6582,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":6584},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6586,"meta":6587,"component":6588,"responsiveStyles":6593},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":6467},{"name":6220,"options":6589,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6223,"title":6590,"description":6591,"reverse":34,"image":6592},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":6594},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":6229,"paddingTop":6230,"marginTop":6231},{"@type":47,"@version":48,"id":6596,"meta":6597,"component":6598,"responsiveStyles":6603},"builder-431d175c59004669b0b2776b07d71737",{"previousId":6477},{"name":6220,"options":6599,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6236,"title":6600,"description":6601,"reverse":6,"image":6602},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":6604},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6242},{"@type":47,"@version":48,"layerName":6220,"id":6606,"meta":6607,"component":6608,"responsiveStyles":6613},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":6487},{"name":6220,"options":6609,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6247,"title":6610,"description":6611,"reverse":34,"image":6612},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":6614},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6253},{"@type":47,"@version":48,"id":6616,"meta":6617,"component":6618,"responsiveStyles":6620},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":6497},{"name":6201,"options":6619,"isRSC":61},{"darkMode":6},{"large":6621},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6623,"component":6624,"responsiveStyles":6626},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":6263,"tag":6263,"options":6625,"isRSC":61},{"sectionHeading":29,"customClass":6265},{"large":6627},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":6629,"@type":47,"tagName":74,"properties":6630,"responsiveStyles":6631},"builder-pixel-i0svb7ttaar",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":6632},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":6634},{"path":29,"query":6635},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":6285,"lastPreviewUrl":6642,"breakpoints":6643,"hasLinks":6,"originalContentId":6409,"winningTest":61,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCa
che=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":6645,"id":6646,"name":6647,"modelId":6109,"published":13,"query":6648,"data":6651,"variations":6756,"lastUpdated":6757,"firstPublished":6758,"testRatio":23,"screenshot":6759,"createdBy":91,"lastUpdatedBy":6521,"folders":6760,"meta":6761,"rev":6287},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[6649],{"@type":6112,"property":6113,"operator":6114,"value":6650},"/uc/clickfix-protection",{"seoDescription":6652,"fontAwesomeIcon":6653,"customFonts":6654,"seoTitle":6659,"jsCode":29,"tsCode":29,"title":6659,"blocks":6660,"url":6650,"state":6753},"Block attacks that trick users into running malicious code.","faLaptopCode",[6655],{"files":6656,"subsets":6657,"menu":6144,"version":6122,"kind":6121,"family":6120,"lastModified":6123,"variants":6658,"category":6143},{"100":6125,"200":6126,"300":6127,"500":6128,"600":6129,"700":6130,"800":6131,"900":6132,"200italic":6139,"800italic":6133,"700italic":6135,"600italic":6142,"100italic":6136,"italic":6137,"regular":6138,"300italic":6141,"500italic":6140,"900italic":6134},[6146,6147],[6149,6150,6151,6152,6153,6154,71,6155,6156,6157,6158,6159,433,6160,6161,6162,6163,6164],"ClickFix 
protection",[6661,6748],{"@type":47,"@version":48,"tagName":6170,"id":6662,"meta":6663,"children":6664},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":6543},[6665,6681,6688,6695,6705,6715,6725,6735,6742],{"@type":47,"@version":48,"id":6666,"meta":6667,"component":6668,"responsiveStyles":6679},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":6547},{"name":6174,"options":6669,"isRSC":61},{"title":6659,"description":6670,"points":6671,"image":6678},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[6672,6674,6676],{"item":6673},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":6675},"Block malicious copy-and-paste actions before code is executed",{"item":6677},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":6680},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6189},{"@type":47,"@version":48,"id":6682,"meta":6683,"component":6684,"responsiveStyles":6686},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":6563},{"name":6193,"options":6685,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":6687},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6197},{"@type":47,"@version":48,"id":6689,"meta":6690,"component":6691,"responsiveStyles":6693},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":6570},{"name":6201,"options":6692,"isRSC":61},{"darkMode":34},{"large":6694},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6696,"meta":6697,"component":6698,"responsiveStyles":6703},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":6577},{"name":6206,"tag":6206,"options":6699,"isRSC":61},{"darkMode":6,"maxWidth":6210,"maxTextWidth":6211,"title":6700,"description":6701,"reverse":6,"image":6702},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":6704},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6706,"meta":6707,"component":6708,"responsiveStyles":6713},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":6586},{"name":6220,"options":6709,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6223,"title":6710,"description":6711,"reverse":34,"image":6712},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":6714},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":6229,"paddingTop":6230,"marginTop":6231},{"@type":47,"@version":48,"id":6716,"meta":6717,"component":6718,"responsiveStyles":6723},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":6596},{"name":6220,"options":6719,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6236,"title":6720,"description":6721,"reverse":6,"image":6722},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":6724},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6242},{"@type":47,"@version":48,"layerName":6220,"id":6726,"meta":6727,"component":6728,"responsiveStyles":6733},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":6606},{"name":6220,"options":6729,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6247,"title":6730,"description":6731,"reverse":34,"image":6732},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":6734},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6253},{"@type":47,"@version":48,"id":6736,"meta":6737,"component":6738,"responsiveStyles":6740},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":6616},{"name":6201,"options":6739,"isRSC":61},{"darkMode":6},{"large":6741},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6743,"component":6744,"responsiveStyles":6746},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":6263,"tag":6263,"options":6745,"isRSC":61},{"sectionHeading":29,"customClass":6265},{"large":6747},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":6749,"@type":47,"tagName":74,"properties":6750,"responsiveStyles":6751},"builder-pixel-7qodgzdr9k3",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":6752},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":6754},{"path":29,"query":6755},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":6762,"originalContentId":6528,"winningTest":61,"hasLinks":6,"kind":6285,"breakpoints":6763,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role
.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":6765,"id":6766,"name":6767,"modelId":6109,"published":13,"query":6768,"data":6771,"variations":6876,"lastUpdated":6877,"firstPublished":6878,"testRatio":23,"screenshot":6879,"createdBy":91,"lastUpdatedBy":6521,"folders":6880,"meta":6881,"rev":6287},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[6769],{"@type":6112,"property":6113,"operator":6114,"value":6770},"/uc/incident-response",{"seoDescription":6772,"customFonts":6773,"title":6767,"jsCode":29,"fontAwesomeIcon":6778,"seoTitle":6779,"tsCode":29,"blocks":6780,"url":6770,"state":6873},"Investigate and respond faster with unique browser telemetry.",[6774],{"kind":6121,"subsets":6775,"menu":6144,"variants":6776,"category":6143,"family":6120,"version":6122,"lastModified":6123,"files":6777},[6146,6147],[6149,6150,6151,6152,6153,6154,71,6155,6156,6157,6158,6159,433,6160,6161,6162,6163,6164],{"100":6125,"200":6126,"300":6127,"500":6128,"600":6129,"700":6130,"800":6131,"900":6132,"900italic":6134,"600italic":6142,"200italic":6139,"300italic":6141,"100italic":6136,"700italic":6135,"800italic":6133,"regular":6138,"italic":6137,"500italic":6140},"faSatelliteDish","Browser based incident 
response",[6781,6868],{"@type":47,"@version":48,"tagName":6170,"id":6782,"meta":6783,"children":6784},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":6543},[6785,6802,6809,6816,6825,6835,6845,6855,6862],{"@type":47,"@version":48,"id":6786,"meta":6787,"component":6788,"responsiveStyles":6800},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":6547},{"name":6174,"options":6789,"isRSC":61},{"title":6790,"description":6791,"points":6792,"video":6799},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[6793,6795,6797],{"item":6794},"Reconstruct what happened with real browser session context",{"item":6796},"Investigate faster with real-world session context",{"item":6798},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":6801},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6189},{"@type":47,"@version":48,"id":6803,"meta":6804,"component":6805,"responsiveStyles":6807},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":6563},{"name":6193,"options":6806,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":6808},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6197},{"@type":47,"@version":48,"id":6810,"meta":6811,"component":6812,"responsiveStyles":6814},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":6570},{"name":6201,"options":6813,"isRSC":61},{"darkMode":34},{"large":6815},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6817,"component":6818,"responsiveStyles":6823},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":6206,"tag":6206,"options":6819,"isRSC":61},{"darkMode":6,"maxWidth":6210,"maxTextWidth":6211,"title":6820,"description":6821,"image":6822,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":6824},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6826,"meta":6827,"component":6828,"responsiveStyles":6833},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":6586},{"name":6220,"options":6829,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6223,"title":6830,"description":6831,"reverse":34,"image":6832},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":6834},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":6229,"paddingTop":6231,"marginTop":6231},{"@type":47,"@version":48,"id":6836,"meta":6837,"component":6838,"responsiveStyles":6843},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":6596},{"name":6220,"options":6839,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6236,"title":6840,"description":6841,"reverse":6,"image":6842},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":6844},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6242},{"@type":47,"@version":48,"layerName":6220,"id":6846,"meta":6847,"component":6848,"responsiveStyles":6853},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":6606},{"name":6220,"options":6849,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6247,"title":6850,"description":6851,"reverse":34,"image":6852},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":6854},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6253},{"@type":47,"@version":48,"id":6856,"meta":6857,"component":6858,"responsiveStyles":6860},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":6616},{"name":6201,"options":6859,"isRSC":61},{"darkMode":6},{"large":6861},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6863,"component":6864,"responsiveStyles":6866},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":6263,"tag":6263,"options":6865,"isRSC":61},{"sectionHeading":29,"customClass":6265},{"large":6867},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":6869,"@type":47,"tagName":74,"properties":6870,"responsiveStyles":6871},"builder-pixel-raysirrjkj",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":6872},{"height":6
7,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":6874},{"path":29,"query":6875},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":6285,"breakpoints":6882,"originalContentId":6528,"winningTest":61,"lastPreviewUrl":6883,"hasLinks":6,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":6885,"id":6886,"name":6887,"modelId":6109,"published":13,"query":6888,"data":6891,"variations":6996,"lastUpdated":6997,"firstPublished":6998,"testRatio":23,"screenshot":6999,"createdBy":91,"lastUpdatedBy":6521,"folders":7000,"meta":7001,"rev":6287},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[6889],{"@type":6112,"property":6113,"operator":6114,"value":6890},"/uc/shadow-saas",{"seoTitle":6892,"seoDescription":6893,"customFonts":6894,"fontAwesomeIcon":6899,"title":6900,"jsCode":29,"tsCode":29,"blocks":6901,"url":6890,"state":6993},"Find and secure shadow SaaS","See and control shadow SaaS in 
the browser.",[6895],{"kind":6121,"variants":6896,"files":6897,"family":6120,"version":6122,"subsets":6898,"lastModified":6123,"category":6143,"menu":6144},[6149,6150,6151,6152,6153,6154,71,6155,6156,6157,6158,6159,433,6160,6161,6162,6163,6164],{"100":6125,"200":6126,"300":6127,"500":6128,"600":6129,"700":6130,"800":6131,"900":6132,"300italic":6141,"500italic":6140,"regular":6138,"900italic":6134,"italic":6137,"100italic":6136,"200italic":6139,"600italic":6142,"700italic":6135,"800italic":6133},[6146,6147],"faShieldCheck","Secure shadow SaaS",[6902,6988],{"@type":47,"@version":48,"tagName":6170,"id":6903,"meta":6904,"children":6905},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":6782},[6906,6922,6929,6936,6945,6955,6965,6975,6982],{"@type":47,"@version":48,"id":6907,"meta":6908,"component":6909,"responsiveStyles":6920},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":6786},{"name":6174,"options":6910,"isRSC":61},{"title":6892,"description":6911,"points":6912,"video":6919},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[6913,6915,6917],{"item":6914},"Discover every SaaS app users access, managed or not",{"item":6916},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":6918},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":6921},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6189},{"@type":47,"@version":48,"id":6923,"meta":6924,"component":6925,"responsiveStyles":6927},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":6803},{"name":6193,"options":6926,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":6928},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6197},{"@type":47,"@version":48,"id":6930,"meta":6931,"component":6932,"responsiveStyles":6934},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":6810},{"name":6201,"options":6933,"isRSC":61},{"darkMode":34},{"large":6935},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6937,"component":6938,"responsiveStyles":6943},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":6206,"tag":6206,"options":6939,"isRSC":61},{"darkMode":6,"maxWidth":6210,"maxTextWidth":6211,"title":6940,"description":6941,"image":6942,"reverse":6},"\u003Ch2>Use your browser to curb SaaS sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":6944},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6946,"meta":6947,"component":6948,"responsiveStyles":6953},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":6826},{"name":6220,"options":6949,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6223,"title":6950,"description":6951,"reverse":34,"image":6952},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":6954},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":6229,"paddingTop":6231,"marginTop":6231},{"@type":47,"@version":48,"id":6956,"meta":6957,"component":6958,"responsiveStyles":6963},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":6836},{"name":6220,"options":6959,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6236,"title":6960,"description":6961,"reverse":6,"image":6962},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits: no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":6964},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6242},{"@type":47,"@version":48,"layerName":6220,"id":6966,"meta":6967,"component":6968,"responsiveStyles":6973},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":6846},{"name":6220,"options":6969,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6247,"title":6970,"description":6971,"reverse":34,"image":6972},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":6974},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6253},{"@type":47,"@version":48,"id":6976,"meta":6977,"component":6978,"responsiveStyles":6980},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":6856},{"name":6201,"options":6979,"isRSC":61},{"darkMode":6},{"large":6981},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":6983,"component":6984,"responsiveStyles":6986},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":6263,"tag":6263,"options":6985,"isRSC":61},{"sectionHeading":29,"customClass":6265},{"large":6987},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":6989,"@type":47,"tagName":74,"properties":6990,"responsiveStyles":6991},"builder-pixel-x1d5jxzono",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{
"large":6992},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":6994},{"path":29,"query":6995},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":6766,"winningTest":61,"lastPreviewUrl":7002,"breakpoints":7003,"kind":6285,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":7005,"id":7006,"name":7007,"modelId":6109,"published":13,"stageModifiedSincePublish":6,"query":7008,"data":7011,"variations":7117,"lastUpdated":7118,"firstPublished":7119,"testRatio":23,"screenshot":7120,"createdBy":91,"lastUpdatedBy":6280,"folders":7121,"meta":7122,"rev":6287},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[7009],{"@type":6112,"property":6113,"operator":6114,"value":7010},"/uc/shadow-ai",{"fontAwesomeIcon":7012,"jsCode":29,"tsCode":29,"seoTitle":7013,"title":7014,"customFonts":7015,"seoDescription":7020,"blocks":7021,"url":7010,"state":7114},"faBrainCircuit","Secure 
AI native and AI enhanced apps. ","Secure AI",[7016],{"family":6120,"subsets":7017,"category":6143,"files":7018,"variants":7019,"kind":6121,"lastModified":6123,"menu":6144,"version":6122},[6146,6147],{"100":6125,"200":6126,"300":6127,"500":6128,"600":6129,"700":6130,"800":6131,"900":6132,"800italic":6133,"100italic":6136,"600italic":6142,"italic":6137,"700italic":6135,"200italic":6139,"regular":6138,"900italic":6134,"300italic":6141,"500italic":6140},[6149,6150,6151,6152,6153,6154,71,6155,6156,6157,6158,6159,433,6160,6161,6162,6163,6164],"See and control AI apps in the browser.",[7022,7109],{"@type":47,"@version":48,"tagName":6170,"id":7023,"meta":7024,"children":7025},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":6903},[7026,7042,7049,7056,7066,7076,7086,7096,7103],{"@type":47,"@version":48,"id":7027,"meta":7028,"component":7029,"responsiveStyles":7040},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":6907},{"name":6174,"options":7030,"isRSC":61},{"title":7014,"description":7031,"points":7032,"image":7039},"\u003Cp>Every AI interaction traverses the browser. Employees use GenAI tools, connect AI apps to corporate accounts, and run agentic workflows, often outside security oversight. 
Push gives security teams the visibility to see what AI is doing across their environment and the controls to intervene before sensitive data leaves or access gets abused.\u003C/p>",[7033,7035,7037],{"item":7034},"Discover every AI tool and agent active across your workforce",{"item":7036},"Detect sensitive data being submitted to AI apps",{"item":7038},"Enforce AI policy directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":7041},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6189},{"@type":47,"@version":48,"id":7043,"meta":7044,"component":7045,"responsiveStyles":7047},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":6923},{"name":6193,"options":7046,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":7048},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":6197},{"@type":47,"@version":48,"id":7050,"meta":7051,"component":7052,"responsiveStyles":7054},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":6930},{"name":6201,"options":7053,"isRSC":61},{"darkMode":34},{"large":7055},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":7057,"meta":7058,"component":7059,"responsiveStyles":7064},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":6937},{"name":6206,"tag":6206,"options":7060,"isRSC":61},{"darkMode":6,"maxWidth":6210,"maxTextWidth":6211,"title":7061,"description":7062,"image":7063,"reverse":6},"\u003Ch2>The browser is where AI lives\u003C/h2>","\u003Cp>AI activity doesn't happen at the network layer or the endpoint. It happens in the browser, where employees interact with AI tools, where agents execute tasks, and where sensitive data gets submitted to external services. 
Push captures live telemetry from inside the browser session, identifying every AI-native and AI-enhanced application in use. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":7065},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":7067,"meta":7068,"component":7069,"responsiveStyles":7074},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":6946},{"name":6220,"options":7070,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6223,"title":7071,"description":7072,"reverse":34,"image":7073},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Most organisations are using far more AI than they've approved. Push identifies every AI-native and AI-enhanced application accessed across the workforce, which corporate identities are connected, and what new tools appear in the environment. Applications are categorized by risk and policy status so security teams can prioritize exposure before it becomes an incident.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F636e65ad0c4c43faa3e626c41e90d8a3",{"large":7075},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":6229,"paddingTop":6231,"marginTop":6231},{"@type":47,"@version":48,"id":7077,"meta":7078,"component":7079,"responsiveStyles":7084},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":6956},{"name":6220,"options":7080,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6236,"title":7081,"description":7082,"reverse":6,"image":7083},"\u003Ch2>Prevent sensitive data from reaching the wrong AI tools\u003C/h2>","\u003Cp>Employees paste credentials, customer data, and internal documents into AI tools without realizing the risk. 
Push detects sensitive data interactions in the browser in real time, including file uploads, clipboard activity, and form submissions to unsanctioned or high-risk AI applications. Controls can be applied to warn users, require policy acknowledgment, or block the interaction entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F011332d42dab4a299f25ab3847741ed9",{"large":7085},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6242},{"@type":47,"@version":48,"layerName":6220,"id":7087,"meta":7088,"component":7089,"responsiveStyles":7094},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":6966},{"name":6220,"options":7090,"isRSC":61},{"darkMode":6,"maxWidth":6210,"imageMaxWidth":6222,"textPaddingTop":6247,"title":7091,"description":7092,"reverse":34,"image":7093},"\u003Ch2>Govern agentic AI permissions and activity\u003C/h2>","\u003Cp>AI agents operating in the browser can access applications, execute actions, and handle data on behalf of users, often with permissions that were never explicitly reviewed. 
Push surfaces agentic permissions and data flows so security teams can see what agents are doing, where they have access, and apply controls before that access is exploited or abused.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F71549a73d0b84f1c8cb151c05e493e8d",{"large":7095},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":6253},{"@type":47,"@version":48,"id":7097,"meta":7098,"component":7099,"responsiveStyles":7101},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":6976},{"name":6201,"options":7100,"isRSC":61},{"darkMode":6},{"large":7102},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":7104,"component":7105,"responsiveStyles":7107},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":6263,"tag":6263,"options":7106,"isRSC":61},{"sectionHeading":29,"customClass":6265},{"large":7108},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":7110,"@type":47,"tagName":74,"properties":7111,"responsiveStyles":7112},"builder-pixel-jfmwel968kf",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":7113},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":7115},{"path":29,"query":7116},{},{},1776875934687,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ce1c8d6242349f8b66cb3afa7885651",[],{"hasLinks":6,"winningTest":61,"originalContentId":6886,"kind":6285,"breakpoints":7123,"lastPreviewUrl":7124,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cac
hebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.locale=Default",1776977526287]