[{"data":1,"prerenderedAt":3616},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":100,"navbar-resource-highlight":174,"blog/why-you-cant-control-ai-without-being-in-the-browser":220},[4],{"enabled":5,"name":6},false,"maintenanceMode",[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"7ec0c6aa90q",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":5,"query":41,"data":42,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":23,"createdBy":92,"lastUpdatedBy":93,"folders":94,"meta":95,"rev":99},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"url":29,"ctaText":43,"text":44,"blocks":45,"state":85},"ewrererw","testrfesssssssssss",[46,73],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Is your stack covered? 51 browser & identity attacks, mapped.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">See the matrix →\u003C/strong>\u003C/p>\n","https://pushsecurity.com/resources/browser-identity-attacks-matrix/",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":74,"@type":47,"tagName":75,"properties":76,"responsiveStyles":80},"builder-pixel-ea963hyr71","img",{"src":77,"aria-hidden":78,"alt":29,"role":79,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":81},{"height":68,"width":68,"display":82,"opacity":68,"overflow":83,"pointerEvents":84},"block","hidden","none",{"deviceSize":86,"location":87},"large",{"path":29,"query":88},{},{},1778612252607,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"kind":96,"hasLinks":5,"breakpoints":97,"lastPreviewUrl":98,"hasAutosaves":34,"hasErrors":5},"component",{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","nvvs606wpyf",[101,137],{"createdDate":102,"id":103,"name":104,"modelId":105,"published":13,"stageModifiedSincePublish":5,"query":106,"data":107,"variations":130,"lastUpdated":131,"firstPublished":132,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":133,"meta":134,"rev":136},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":108,"type":109,"testimonialLink":110,"testimonial":111},{},"testimonial","/customer-stories/inductive-automation",{"@type":112,"id":113,"model":109,"value":114},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":115,"folders":116,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":120,"variations":124,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":92,"lastUpdatedBy":92,"meta":127,"rev":129},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":121,"jobTitle":122,"quote":118,"image":123},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":128,"hasAutosaves":34},{"small":32,"medium":33},"p5cq5iu5ttn",{},1776247404986,1776247404973,[],{"breakpoints":135,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},"14m5qhc3fj8",{"createdDate":138,"id":139,"name":140,"modelId":105,"published":13,"meta":141,"stageModifiedSincePublish":5,"query":143,"data":144,"variations":170,"lastUpdated":171,"firstPublished":172,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":173,"rev":136},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":142,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":145,"link":164,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":147},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":148,"folders":149,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":152,"variations":158,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":92,"lastUpdatedBy":24,"meta":161,"rev":163},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":162,"hasAutosaves":34},{"small":32,"medium":33},"a3qf9jq159n",{"text":165,"url":166},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[175,198],{"createdDate":176,"id":177,"name":140,"modelId":178,"published":13,"meta":179,"stageModifiedSincePublish":5,"query":181,"data":182,"variations":193,"lastUpdated":194,"firstPublished":195,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":196,"rev":197},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":180,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":183,"link":192,"type":167,"title":140,"description":168,"image":169},{"@type":112,"id":146,"model":109,"value":184},{"query":185,"folders":186,"createdDate":150,"id":146,"name":151,"modelId":119,"published":13,"data":187,"variations":188,"lastUpdated":159,"firstPublished":160,"testRatio":23,"createdBy":92,"lastUpdatedBy":24,"meta":189,"rev":191},[],[],{"video":153,"jobTitle":154,"author":155,"qoute":29,"quote":156,"image":157},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":190,"hasAutosaves":34},{"small":32,"medium":33},"ja9ru9mmnw",{"text":165,"url":166},{},1776256937553,1776256937540,[],"wyr0vaut6s",{"createdDate":199,"id":200,"name":201,"modelId":178,"published":13,"stageModifiedSincePublish":5,"query":202,"data":203,"variations":214,"lastUpdated":215,"firstPublished":216,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":217,"meta":218,"rev":197},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":204,"type":109,"testimonial":205,"testimonialLink":110},{},{"@type":112,"id":113,"model":109,"value":206},{"query":207,"folders":208,"createdDate":117,"id":113,"name":118,"modelId":119,"published":13,"data":209,"variations":210,"lastUpdated":125,"firstPublished":126,"testRatio":23,"createdBy":92,"lastUpdatedBy":92,"meta":211,"rev":213},[],[],{"author":121,"jobTitle":122,"quote":118,"image":123},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":212,"hasAutosaves":34},{"small":32,"medium":33},"cys0ljv4vru",{},1776256974140,1776256974130,[],{"breakpoints":219,"kind":28,"lastPreviewUrl":29,"hasAutosaves":5},{"xsmall":31,"small":32,"medium":33},{"id":221,"title":222,"authorsCollection":223,"content":231,"extension":1359,"featured":5,"hashTags":62,"meta":1360,"metaTitle":222,"ogImage":62,"publishedDate":1361,"relatedBlogPostsCollection":1362,"slug":3592,"stem":3593,"subtitle":3594,"summary":3595,"synopsis":3605,"sys":3606,"tagsCollection":3609,"__hash__":3615},"blog/blog/why-you-cant-control-ai-without-being-in-the-browser.json","Why you can't control AI without being in the browser",{"items":224},[225],{"fullName":226,"firstName":227,"jobTitle":228,"profilePicture":229},"Kelly Davenport","Kelly","Product Team",{"url":230},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"json":232,"links":1174},{"nodeType":233,"data":234,"content":235},"document",{},[236,245,252,275,282,289,293,302,309,316,341,348,355,364,367,375,382,388,395,404,439,458,464,472,479,485,505,513,520,552,558,574,577,585,592,598,615,622,629,641,661,668,675,683,690,710,716,723,729,735,738,746,753,760,823,830,837,844,851,867,874,881,888,895,902,909,916,923,930,937,944,951,958,961,969,976,988,995,1002,1009,1016,1140,1146,1152,1155],{"nodeType":237,"data":238,"content":239},"paragraph",{},[240],{"nodeType":241,"value":242,"marks":243,"data":244},"text","When is a fork not a fork? When it's a browser security platform built to solve both problems of the AI era.",[],{},{"nodeType":237,"data":246,"content":247},{},[248],{"nodeType":241,"value":249,"marks":250,"data":251},"Many security leaders are rightly worried about two big problems in the age of AI: AI-enabled attacks targeting their employees via the browser; and employees introducing the risk of data loss through their use of AI tools.",[],{},{"nodeType":237,"data":253,"content":254},{},[255,261,265,271],{"nodeType":241,"value":256,"marks":257,"data":260},"For security teams researching browser-based solutions to these challenges, the decision at first looks like a fork in the road: ",[258],{"type":259},"bold",{},{"nodeType":241,"value":262,"marks":263,"data":264},"Choose a solution that's purpose-built to detect and respond to modern browser-based attacks like AI-enabled phish kits, ClickFix and other *Fix-style attacks, malicious browser extensions, device code phishing, and others; ",[],{},{"nodeType":241,"value":266,"marks":267,"data":270},"or",[268],{"type":269},"italic",{},{"nodeType":241,"value":272,"marks":273,"data":274}," select an AI governance tool to enforce sensible policies for sensitive data in the browser.",[],{},{"nodeType":237,"data":276,"content":277},{},[278],{"nodeType":241,"value":279,"marks":280,"data":281},"Push solves both of these problems. One platform, one SKU.",[],{},{"nodeType":237,"data":283,"content":284},{},[285],{"nodeType":241,"value":286,"marks":287,"data":288},"In this article, we'll take a look at the two big AI security and data governance problems that security teams are facing and outline how Push solves them in a single solution. We’ll cover what questions to ask as you evaluate browser security solutions, and describe Push's focus on providing foundational telemetry, detections, and controls that allow you to answer the question “What actually happened here?” not just “What policy was violated?”",[],{},{"nodeType":290,"data":291,"content":292},"hr",{},[],{"nodeType":294,"data":295,"content":296},"heading-1",{},[297],{"nodeType":241,"value":298,"marks":299,"data":301},"The AI risks every security team is now responsible for",[300],{"type":259},{},{"nodeType":237,"data":303,"content":304},{},[305],{"nodeType":241,"value":306,"marks":307,"data":308},"AI is an amplifier, for adversaries and for your employees. Whatever they could do before, they can now do faster, more powerfully, and at scale.",[],{},{"nodeType":237,"data":310,"content":311},{},[312],{"nodeType":241,"value":313,"marks":314,"data":315},"The two risks that every security team now must manage: ",[],{},{"nodeType":317,"data":318,"content":319},"unordered-list",{},[320,331],{"nodeType":321,"data":322,"content":323},"list-item",{},[324],{"nodeType":237,"data":325,"content":326},{},[327],{"nodeType":241,"value":328,"marks":329,"data":330},"AI is making browser-based attacks faster, cheaper, and harder to detect.",[],{},{"nodeType":321,"data":332,"content":333},{},[334],{"nodeType":237,"data":335,"content":336},{},[337],{"nodeType":241,"value":338,"marks":339,"data":340},"Employee AI adoption is creating data exposure faster than security teams can respond.",[],{},{"nodeType":237,"data":342,"content":343},{},[344],{"nodeType":241,"value":345,"marks":346,"data":347},"Both of these challenges intersect in the same place: The browser. It's the place where adversaries target employees with modern attacks designed to accomplish account takeover and data exfiltration. It's also the place where workers discover and use new AI-enabled apps and introduce risk into the business in the form of data loss, shadow apps, risky browser extensions, and shadow integrations.",[],{},{"nodeType":237,"data":349,"content":350},{},[351],{"nodeType":241,"value":352,"marks":353,"data":354},"To address both problems, security teams need visibility and control in the browser.",[],{},{"nodeType":356,"data":357,"content":363},"embedded-entry-block",{"target":358},{"sys":359},{"id":360,"type":361,"linkType":362},"1U2Hmn4XrFpdcxyjxY3aCc","Link","Entry",[],{"nodeType":290,"data":365,"content":366},{},[],{"nodeType":294,"data":368,"content":369},{},[370],{"nodeType":241,"value":371,"marks":372,"data":374},"How AI is transforming attacks",[373],{"type":259},{},{"nodeType":237,"data":376,"content":377},{},[378],{"nodeType":241,"value":379,"marks":380,"data":381},"On the adversary side of the equation, adversaries are using AI tooling to rapidly iterate on new attack types or new iterations of existing browser-based TTPs that target employees to achieve account or endpoint compromise — usually with the end goal of harvesting valuable corporate identities in order to exfiltrate data or hold it for ransom.",[],{},{"nodeType":356,"data":383,"content":387},{"target":384},{"sys":385},{"id":386,"type":361,"linkType":362},"G8xv1seFz1wJnY5HpfV6z",[],{"nodeType":237,"data":389,"content":390},{},[391],{"nodeType":241,"value":392,"marks":393,"data":394},"AI is changing attacks in three key ways.",[],{},{"nodeType":396,"data":397,"content":398},"heading-2",{},[399],{"nodeType":241,"value":400,"marks":401,"data":403},"AI has supercharged the iteration and evolution of adversary tools and techniques",[402],{"type":259},{},{"nodeType":237,"data":405,"content":406},{},[407,411,422,426,435],{"nodeType":241,"value":408,"marks":409,"data":410},"Attackers are using the same AI capabilities as any other engineer who wants to multiply their output. That translates to an array of new attack techniques: multiple increasingly sophisticated variations of the ",[],{},{"nodeType":412,"data":413,"content":415},"hyperlink",{"uri":414},"https://pushsecurity.com/blog/consentfix-v3-analyzing-a-new-toolkit/",[416],{"nodeType":241,"value":417,"marks":418,"data":421},"ClickFix-style attacks",[419],{"type":420},"underline",{},{"nodeType":241,"value":423,"marks":424,"data":425}," that use social engineering techniques to get users to unknowingly install malware via malicious scripts; as well as creative ",[],{},{"nodeType":412,"data":427,"content":429},{"uri":428},"https://pushsecurity.com/blog/device-code-phishing/",[430],{"nodeType":241,"value":431,"marks":432,"data":434},"exploitation of device codes",[433],{"type":420},{},{"nodeType":241,"value":436,"marks":437,"data":438},", a legitimate authentication mechanism, that allows attackers to phish access post-authentication.",[],{},{"nodeType":237,"data":440,"content":441},{},[442,446,454],{"nodeType":241,"value":443,"marks":444,"data":445},"Device code phishing in particular demonstrates the rapid growth of new techniques, with early documented appearances of the TTP occurring in 2024, and by early the next year, the method had been packaged as a PhaaS offering with GPT-enhanced spear-phishing and customized landing pages. The ",[],{},{"nodeType":412,"data":447,"content":449},{"uri":448},"https://www.huntress.com/blog/device-code-phishing-ai-mfa-bypass",[450],{"nodeType":241,"value":451,"marks":452,"data":453},"campaign",[],{},{"nodeType":241,"value":455,"marks":456,"data":457}," targeted more than 340 organizations across five countries in March 2026, using personalized AI-generated lures at a scale that would have been impractical to produce manually.",[],{},{"nodeType":356,"data":459,"content":463},{"target":460},{"sys":461},{"id":462,"type":361,"linkType":362},"eNUpU2GtGOcXRrHBKHnLN",[],{"nodeType":396,"data":465,"content":466},{},[467],{"nodeType":241,"value":468,"marks":469,"data":471},"Infrastructure-based detections are increasingly degraded by AI-enabled approaches",[470],{"type":259},{},{"nodeType":237,"data":473,"content":474},{},[475],{"nodeType":241,"value":476,"marks":477,"data":478},"AI has also collapsed the cost and time it takes to build convincing phishing infrastructure: Attackers can vibecode a convincing phishing page in minutes, burn the domain, and regenerate another one before any blocklist updates. ",[],{},{"nodeType":356,"data":480,"content":484},{"target":481},{"sys":482},{"id":483,"type":361,"linkType":362},"2obvOhMWjy64h94tEIbx04",[],{"nodeType":237,"data":486,"content":487},{},[488,492,501],{"nodeType":241,"value":489,"marks":490,"data":491},"The impact on IOC-based detections that rely on infrastructure elements is severe: When elements constantly change, every phishing attack is essentially a zero-day. Complicating the picture further is the increasing use of legitimate cloud platforms like ",[],{},{"nodeType":412,"data":493,"content":495},{"uri":494},"https://www.huntress.com/blog/railway-paas-m365-token-replay-campaign",[496],{"nodeType":241,"value":497,"marks":498,"data":500},"Railway",[499],{"type":420},{},{"nodeType":241,"value":502,"marks":503,"data":504},", Cloudflare Workers, and Vercel, which attackers use to host and dynamically rotate attack infrastructure.",[],{},{"nodeType":396,"data":506,"content":507},{},[508],{"nodeType":241,"value":509,"marks":510,"data":512},"AI is making it easier to build and run omni-channel campaigns",[511],{"type":259},{},{"nodeType":237,"data":514,"content":515},{},[516],{"nodeType":241,"value":517,"marks":518,"data":519},"Push researchers have written extensively over the last year about malvertising campaigns that serve malicious pages to users via search engine results, enticing them to visit sites designed to steal credentials or deliver malware. ",[],{},{"nodeType":237,"data":521,"content":522},{},[523,527,536,540,548],{"nodeType":241,"value":524,"marks":525,"data":526},"We've tracked ",[],{},{"nodeType":412,"data":528,"content":530},{"uri":529},"https://pushsecurity.com/blog/cyber-criminal-ecosystem-analysis/",[531],{"nodeType":241,"value":532,"marks":533,"data":535},"sustained campaigns",[534],{"type":420},{},{"nodeType":241,"value":537,"marks":538,"data":539}," impersonating Onfido, TradingView, Ahrefs, Semrush, and others. These campaigns are part of a self-reinforcing criminal ecosystem: Malvertising campaigns paid for by stolen ad accounts, with credential theft that funds the next round of credential theft. And the recent ",[],{},{"nodeType":412,"data":541,"content":543},{"uri":542},"https://pushsecurity.com/blog/llmshare-malvertising-campaign/",[544],{"nodeType":241,"value":545,"marks":546,"data":547},"LLMShare",[],{},{"nodeType":241,"value":549,"marks":550,"data":551}," campaign identified by Push shows how attackers are combining their abuse of AI tools of AI-assisted phishing page creation with malvertising, helping them to spin up lookalike pages quickly and cheaply to serve as convincing lures.",[],{},{"nodeType":356,"data":553,"content":557},{"target":554},{"sys":555},{"id":556,"type":361,"linkType":362},"2Gwj25KBjClQ5u8uiEYuYR",[],{"nodeType":237,"data":559,"content":560},{},[561,565,570],{"nodeType":241,"value":562,"marks":563,"data":564},"These are just a few examples of how phishing has moved beyond the inbox, targeting users through malvertising, SEO poisoning, and social media DMs. Over the last year, Push researchers found that ",[],{},{"nodeType":241,"value":566,"marks":567,"data":569},"1 in 3 payloads intercepted by the platform were sent outside of email",[568],{"type":259},{},{"nodeType":241,"value":571,"marks":572,"data":573},".",[],{},{"nodeType":290,"data":575,"content":576},{},[],{"nodeType":294,"data":578,"content":579},{},[580],{"nodeType":241,"value":581,"marks":582,"data":584},"How AI is creating risky employee behaviors ",[583],{"type":259},{},{"nodeType":237,"data":586,"content":587},{},[588],{"nodeType":241,"value":589,"marks":590,"data":591},"Meanwhile, on the employee side of the equation, there are three other key concerns that security teams should be paying attention to when it comes to the risks associated with AI use.",[],{},{"nodeType":356,"data":593,"content":597},{"target":594},{"sys":595},{"id":596,"type":361,"linkType":362},"2hsKQ9DEspflhmtR0bE7QY",[],{"nodeType":396,"data":599,"content":600},{},[601,606,610],{"nodeType":241,"value":602,"marks":603,"data":605},"Data leaving the business via shadow AI",[604],{"type":259},{},{"nodeType":241,"value":607,"marks":608,"data":609}," ",[],{},{"nodeType":241,"value":611,"marks":612,"data":614},"and AI extensions",[613],{"type":259},{},{"nodeType":237,"data":616,"content":617},{},[618],{"nodeType":241,"value":619,"marks":620,"data":621},"Employees are signing up to AI tools directly, beyond the bounds of procurement or security review. That means security teams can't see sensitive data going into LLMs — clipboard pastes of API keys, file uploads to coding assistants, customer data in uploaded spreadsheets, etc.",[],{},{"nodeType":237,"data":623,"content":624},{},[625],{"nodeType":241,"value":626,"marks":627,"data":628},"Most teams also don't have visibility of AI browser extensions, another avenue for data to leave the business. Extensions are also an attack surface in their own right, as previously benign extensions can be compromised by threat actors through account takeover of the extension developer.",[],{},{"nodeType":396,"data":630,"content":631},{},[632,637],{"nodeType":241,"value":633,"marks":634,"data":636},"Employees using personal accounts on corporate AI app tenants",[635],{"type":259},{},{"nodeType":241,"value":638,"marks":639,"data":640}," ",[],{},{"nodeType":237,"data":642,"content":643},{},[644,648,657],{"nodeType":241,"value":645,"marks":646,"data":647},"The 2026 ",[],{},{"nodeType":412,"data":649,"content":651},{"uri":650},"https://www.verizon.com/business/resources/reports/dbir/",[652],{"nodeType":241,"value":653,"marks":654,"data":656},"Verizon DBIR",[655],{"type":420},{},{"nodeType":241,"value":658,"marks":659,"data":660}," found that 67% of GenAI users on corporate devices are using non-corporate accounts, and our own data shows that 38% of file uploads to AI tools are made from shadow accounts rather than approved organizational ones.",[],{},{"nodeType":237,"data":662,"content":663},{},[664],{"nodeType":241,"value":665,"marks":666,"data":667},"That means a large number of employees in most organizations are using AI apps with personal accounts, outside of organizational data governance, retention policies, access controls, or basic security oversight. ",[],{},{"nodeType":237,"data":669,"content":670},{},[671],{"nodeType":241,"value":672,"marks":673,"data":674},"The compounding risk is that personal accounts are typically protected by weaker passwords, inconsistent MFA, and credential reuse from other personal services — meaning a compromise of the personal account could give an attacker access to corporate data and tools.",[],{},{"nodeType":396,"data":676,"content":677},{},[678],{"nodeType":241,"value":679,"marks":680,"data":682},"Shadow integrations between AI tools and corporate systems",[681],{"type":259},{},{"nodeType":237,"data":684,"content":685},{},[686],{"nodeType":241,"value":687,"marks":688,"data":689},"App-to-app connections accomplished through OAuth are also proliferating faster than most teams can observe and review them. For the average organization, Push sees 17 unique AI app OAuth integrations connected just to Microsoft and Google corporate tenants.",[],{},{"nodeType":237,"data":691,"content":692},{},[693,697,706],{"nodeType":241,"value":694,"marks":695,"data":696},"The ",[],{},{"nodeType":412,"data":698,"content":700},{"uri":699},"https://pushsecurity.com/blog/unpacking-the-vercel-breach/",[701],{"nodeType":241,"value":702,"marks":703,"data":705},"recent Vercel breach",[704],{"type":420},{},{"nodeType":241,"value":707,"marks":708,"data":709}," illustrates the risks of even a single OAuth connection from a compromised third-party AI SaaS provider. This isn't really a new AI threat so much as a shadow SaaS problem that's accelerating alongside AI adoption, given that AI apps are specifically designed to pull data from one system, analyze it in another, and present it in a third — with MCP connections now creating the same kind of persistent, permissioned access through an authentication protocol (OAuth) that most organizations have no process to review.",[],{},{"nodeType":356,"data":711,"content":715},{"target":712},{"sys":713},{"id":714,"type":361,"linkType":362},"1t2jn4fLxMlH0adMyQqkXk",[],{"nodeType":237,"data":717,"content":718},{},[719],{"nodeType":241,"value":720,"marks":721,"data":722},"This is the same web of OAuth-connected apps that is being exposed at scale through AI tool integrations. For many organizations, AI tools are now the hub of modern activity that orchestrates and automates across the mesh of cloud apps, which adds a useful perspective on what's changed. ",[],{},{"nodeType":356,"data":724,"content":728},{"target":725},{"sys":726},{"id":727,"type":361,"linkType":362},"6cRnPkGdwWXRWcct6LfMzo",[],{"nodeType":356,"data":730,"content":734},{"target":731},{"sys":732},{"id":733,"type":361,"linkType":362},"5WQZNpnPETWeys1VqubVW",[],{"nodeType":290,"data":736,"content":737},{},[],{"nodeType":294,"data":739,"content":740},{},[741],{"nodeType":241,"value":742,"marks":743,"data":745},"What to ask when evaluating browser-based AI visibility and control solutions",[744],{"type":259},{},{"nodeType":237,"data":747,"content":748},{},[749],{"nodeType":241,"value":750,"marks":751,"data":752},"When you're evaluating AI visibility and control platforms that operate in the browser, there are two lines of questioning that can be useful to unpack.",[],{},{"nodeType":237,"data":754,"content":755},{},[756],{"nodeType":241,"value":757,"marks":758,"data":759},"The first is the tactical basics: What use cases does the product cover, and how quickly will you see value? In this category, you'll likely be looking for:",[],{},{"nodeType":317,"data":761,"content":762},{},[763,778,793,808],{"nodeType":321,"data":764,"content":765},{},[766],{"nodeType":237,"data":767,"content":768},{},[769,774],{"nodeType":241,"value":770,"marks":771,"data":773},"Depth of visibility:",[772],{"type":259},{},{"nodeType":241,"value":775,"marks":776,"data":777}," Can the solution observe both corporate and personal account usage of AI apps? Does the solution work with all major browsers, including emerging AI browsers? Does the solution automatically classify AI apps and automatically discover shadow AI?",[],{},{"nodeType":321,"data":779,"content":780},{},[781],{"nodeType":237,"data":782,"content":783},{},[784,789],{"nodeType":241,"value":785,"marks":786,"data":788},"Granularity of controls:",[787],{"type":259},{},{"nodeType":241,"value":790,"marks":791,"data":792}," Does the solution support visibility and control over clipboard interactions, allowing you to identify sensitive data strings like personal access tokens (PATs) or API keys? Does the solution allow you to set multiple enforcement modes (monitor, warn, block) and carve out exceptions for tools, teams and individuals where necessary? ",[],{},{"nodeType":321,"data":794,"content":795},{},[796],{"nodeType":237,"data":797,"content":798},{},[799,804],{"nodeType":241,"value":800,"marks":801,"data":803},"Ease of deployment:",[802],{"type":259},{},{"nodeType":241,"value":805,"marks":806,"data":807}," How is the solution deployed? Browser extension-based solutions like Push can be deployed at scale in an hour. Solutions that require an endpoint agent or a complete browser replacement will be a heavier lift.",[],{},{"nodeType":321,"data":809,"content":810},{},[811],{"nodeType":237,"data":812,"content":813},{},[814,819],{"nodeType":241,"value":815,"marks":816,"data":818},"Scope of coverage:",[817],{"type":259},{},{"nodeType":241,"value":820,"marks":821,"data":822}," Does the solution only enforce policy around AI usage, or does it also prevent AI-enabled attacks in the browser? ",[],{},{"nodeType":237,"data":824,"content":825},{},[826],{"nodeType":241,"value":827,"marks":828,"data":829},"The second set of questions is more about the underlying architectural choices a product has made, and how those translate into actionable intelligence for security teams — or where there may be blind spots. In this category, you will want to ask:",[],{},{"nodeType":396,"data":831,"content":832},{},[833],{"nodeType":241,"value":834,"marks":835,"data":836},"Does the tool capture AI interactions that didn’t trigger a policy violation — or only the ones it blocked?",[],{},{"nodeType":237,"data":838,"content":839},{},[840],{"nodeType":241,"value":841,"marks":842,"data":843},"This is the most useful diagnostic if you're focused on understanding the wider security meaning and impact of an AI interaction, not just whether it violated a policy. ",[],{},{"nodeType":237,"data":845,"content":846},{},[847],{"nodeType":241,"value":848,"marks":849,"data":850},"Enforcement-first tools record what they stopped: blocked uploads, attempted usage of unapproved apps, flagged file names, etc. ",[],{},{"nodeType":237,"data":852,"content":853},{},[854,858,863],{"nodeType":241,"value":855,"marks":856,"data":857},"That's useful for compliance reporting but incomplete for security investigation, because ",[],{},{"nodeType":241,"value":859,"marks":860,"data":862},"the most significant events are often the ones that looked normal at the time",[861],{"type":259},{},{"nodeType":241,"value":864,"marks":865,"data":866},": A user whose behavior shifted gradually over weeks before a resignation. An approved AI browser extension that updates its permissions, putting it in risky territory. An OAuth consent grant that was technically permitted but shouldn't have been.",[],{},{"nodeType":237,"data":868,"content":869},{},[870],{"nodeType":241,"value":871,"marks":872,"data":873},"Ask whether the tool can collect user behavior telemetry, file upload and download activity, and AI usage logs for permitted events — not just policy violations — and whether that telemetry can be forwarded to your SIEM. ",[],{},{"nodeType":237,"data":875,"content":876},{},[877],{"nodeType":241,"value":878,"marks":879,"data":880},"One approach gives you an investigation tool. The other gives you compliance alerts without deeper context.",[],{},{"nodeType":396,"data":882,"content":883},{},[884],{"nodeType":241,"value":885,"marks":886,"data":887},"When an AI agent requests OAuth permissions to access your organization's data, does the tool capture the consent flow — what scopes were requested on which app, which user initiated the consent, and what was the outcome?",[],{},{"nodeType":237,"data":889,"content":890},{},[891],{"nodeType":241,"value":892,"marks":893,"data":894},"Most enforcement-first tools treat OAuth as a binary: approved app or blocked app. That was a reasonable model when OAuth grants were primarily app-to-app integrations managed by IT. It isn't sufficient for agentic AI.",[],{},{"nodeType":237,"data":896,"content":897},{},[898],{"nodeType":241,"value":899,"marks":900,"data":901},"AI agents request OAuth permissions to access organizational data on behalf of users. These are user-initiated consent grants that happen inside browser sessions, often with broad scopes, and frequently without security team awareness. The right tool needs to capture the consent event itself: what permissions were requested, what scopes were granted, who approved them, and what application received them. ",[],{},{"nodeType":237,"data":903,"content":904},{},[905],{"nodeType":241,"value":906,"marks":907,"data":908},"Ask whether the tool monitors OAuth consent flows across authorization servers, whether it can warn or block consent grants in real time based on policy, and whether that coverage extends to AI-enabled apps and MCP connections.",[],{},{"nodeType":396,"data":910,"content":911},{},[912],{"nodeType":241,"value":913,"marks":914,"data":915},"When a new browser attack technique emerges that no tool has a signature for, how long does it take the platform to detect it — and can you show a specific example?",[],{},{"nodeType":237,"data":917,"content":918},{},[919],{"nodeType":241,"value":920,"marks":921,"data":922},"Attackers are rotating infrastructure in hours and using AI to generate new lures and phishing pages at scale. A detection model built on blocklists, reputation feeds, and known-bad indicators is architecturally behind any novel technique because by the time the indicator appears on a feed, the attacker has already moved on.",[],{},{"nodeType":237,"data":924,"content":925},{},[926],{"nodeType":241,"value":927,"marks":928,"data":929},"Ask vendors to show you a specific detection that fired on a novel technique before the infrastructure appeared on any threat feed.",[],{},{"nodeType":396,"data":931,"content":932},{},[933],{"nodeType":241,"value":934,"marks":935,"data":936},"What browser telemetry reaches your SIEM — just alerts, or the underlying session data that makes those alerts investigable?",[],{},{"nodeType":237,"data":938,"content":939},{},[940],{"nodeType":241,"value":941,"marks":942,"data":943},"Ask to see a sample SIEM event from a real detection. Many browser security tools integrate with SIEMs, but the depth of what they forward varies a lot. ",[],{},{"nodeType":237,"data":945,"content":946},{},[947],{"nodeType":241,"value":948,"marks":949,"data":950},"Some send alert metadata that captures policy violations, timestamps, and involved users. Others forward a broader set of telemetry for deeper context — credential reuse, app logins, newly installed extensions, detected phishing kits, file uploads, clipboard activity, OAuth consent flows, file downloads, etc. ",[],{},{"nodeType":237,"data":952,"content":953},{},[954],{"nodeType":241,"value":955,"marks":956,"data":957},"The difference determines whether your SOC team can easily correlate signals from the browser-based tool with other layers of their stack and begin an investigation from the SIEM event itself — or whether they need to pivot back into the vendor's console for the actual evidence.",[],{},{"nodeType":290,"data":959,"content":960},{},[],{"nodeType":294,"data":962,"content":963},{},[964],{"nodeType":241,"value":965,"marks":966,"data":968},"AI visibility and control is a feature of the right browser security platform, not a separate purchase",[967],{"type":259},{},{"nodeType":237,"data":970,"content":971},{},[972],{"nodeType":241,"value":973,"marks":974,"data":975},"Ultimately, the choice of browser platform for solving the two big problems of the AI era comes down to whether you need broader attack coverage and telemetry context in order to secure your organization, or whether a policy-based approach is enough. ",[],{},{"nodeType":237,"data":977,"content":978},{},[979,983],{"nodeType":241,"value":980,"marks":981,"data":982},"Push treats the challenges of stopping AI-enabled attacks and providing visibility and control over AI usage as features that extend naturally from the platform's underlying architectural model: Rich browser-layer telemetry in ",[],{},{"nodeType":241,"value":984,"marks":985,"data":987},"a single tool that helps security teams answer the question “What actually happened here?” not just “What policy was violated?”",[986],{"type":259},{},{"nodeType":237,"data":989,"content":990},{},[991],{"nodeType":241,"value":992,"marks":993,"data":994},"This unified architecture matters because the AI control problem and the browser threat detection problem share a root cause: Security-relevant activity is happening inside browser sessions that most tools can't see. ",[],{},{"nodeType":237,"data":996,"content":997},{},[998],{"nodeType":241,"value":999,"marks":1000,"data":1001},"A standalone AI governance tool can tell you which AI apps are in use and whether employees violated a usage policy. It can't tell you whether the OAuth grant an AI agent just received was part of a broader pattern that includes credential entry on an unfamiliar domain, a clipboard paste from an internal document, and a login to a shadow SaaS app — all in the same session, all visible in the same telemetry stream. ",[],{},{"nodeType":237,"data":1003,"content":1004},{},[1005],{"nodeType":241,"value":1006,"marks":1007,"data":1008},"Separating AI governance from browser security means maintaining two tools that each only see half the picture. ",[],{},{"nodeType":396,"data":1010,"content":1011},{},[1012],{"nodeType":241,"value":1013,"marks":1014,"data":1015},"How Push can help",[],{},{"nodeType":317,"data":1017,"content":1018},{},[1019,1042,1065,1087,1097,1107,1117],{"nodeType":321,"data":1020,"content":1021},{},[1022],{"nodeType":237,"data":1023,"content":1024},{},[1025,1029,1038],{"nodeType":241,"value":1026,"marks":1027,"data":1028},"Block emerging ",[],{},{"nodeType":412,"data":1030,"content":1032},{"uri":1031},"https://pushsecurity.com/blog/introducing-the-browser-and-identity-attacks-matrix/",[1033],{"nodeType":241,"value":1034,"marks":1035,"data":1037},"browser-based attack techniques",[1036],{"type":420},{},{"nodeType":241,"value":1039,"marks":1040,"data":1041},", including AI-enabled phishing and quickly evolving *Fix-style attacks.",[],{},{"nodeType":321,"data":1043,"content":1044},{},[1045],{"nodeType":237,"data":1046,"content":1047},{},[1048,1052,1061],{"nodeType":241,"value":1049,"marks":1050,"data":1051},"Benefit from Push's ",[],{},{"nodeType":412,"data":1053,"content":1055},{"uri":1054},"https://pushsecurity.com/blog/can-ai-replace-a-threat-researcher-what-we-learned-building-an-agentic-threat-hunting-pipeline/",[1056],{"nodeType":241,"value":1057,"marks":1058,"data":1060},"agentic detection pipeline",[1059],{"type":420},{},{"nodeType":241,"value":1062,"marks":1063,"data":1064},", which continuously hunts across customer environments to identify emerging threats and ship new detections.",[],{},{"nodeType":321,"data":1066,"content":1067},{},[1068],{"nodeType":237,"data":1069,"content":1070},{},[1071,1074,1083],{"nodeType":241,"value":29,"marks":1072,"data":1073},[],{},{"nodeType":412,"data":1075,"content":1077},{"uri":1076},"https://pushsecurity.com/help/audience/engineering/rest-v1",[1078],{"nodeType":241,"value":1079,"marks":1080,"data":1082},"Stream telemetry",[1081],{"type":420},{},{"nodeType":241,"value":1084,"marks":1085,"data":1086}," to your SIEM for a wide variety of events, including attack detections; newly installed browser extensions or newly adopted apps; updates to extension permissions; file uploads and downloads; clipboard pastes; app logins; credential reuse; OAuth consents; and more.",[],{},{"nodeType":321,"data":1088,"content":1089},{},[1090],{"nodeType":237,"data":1091,"content":1092},{},[1093],{"nodeType":241,"value":1094,"marks":1095,"data":1096},"Block file uploads and downloads.",[],{},{"nodeType":321,"data":1098,"content":1099},{},[1100],{"nodeType":237,"data":1101,"content":1102},{},[1103],{"nodeType":241,"value":1104,"marks":1105,"data":1106},"Block clipboard pastes of sensitive data, with regex-based patterns you can define.",[],{},{"nodeType":321,"data":1108,"content":1109},{},[1110],{"nodeType":237,"data":1111,"content":1112},{},[1113],{"nodeType":241,"value":1114,"marks":1115,"data":1116},"Monitor for or block unauthorized MCP connections.",[],{},{"nodeType":321,"data":1118,"content":1119},{},[1120],{"nodeType":237,"data":1121,"content":1122},{},[1123,1127,1136],{"nodeType":241,"value":1124,"marks":1125,"data":1126},"Write your own ",[],{},{"nodeType":412,"data":1128,"content":1130},{"uri":1129},"https://pushsecurity.com/help/audience/engineering/resources/custom-detections",[1131],{"nodeType":241,"value":1132,"marks":1133,"data":1135},"custom YAML rules",[1134],{"type":420},{},{"nodeType":241,"value":1137,"marks":1138,"data":1139}," targeting specific elements of the page DOM, web requests and responses, HTTP headers such as cookies, and a lot more.",[],{},{"nodeType":237,"data":1141,"content":1142},{},[1143],{"nodeType":241,"value":29,"marks":1144,"data":1145},[],{},{"nodeType":356,"data":1147,"content":1151},{"target":1148},{"sys":1149},{"id":1150,"type":361,"linkType":362},"7AwQv7bLbARq6mdAgv7uGq",[],{"nodeType":290,"data":1153,"content":1154},{},[],{"nodeType":237,"data":1156,"content":1157},{},[1158,1162,1171],{"nodeType":241,"value":1159,"marks":1160,"data":1161},"If you'd like to learn more about Push, ",[],{},{"nodeType":412,"data":1163,"content":1165},{"uri":1164},"https://pushsecurity.com/demo",[1166],{"nodeType":241,"value":1167,"marks":1168,"data":1170},"book a live demo",[1169],{"type":420},{},{"nodeType":241,"value":571,"marks":1172,"data":1173},[],{},{"entries":1175},{"hyperlink":1176,"inline":1177,"block":1178},[],[],[1179,1187,1213,1240,1267,1274,1282,1309,1316,1353],{"sys":1180,"__typename":1181,"title":1182,"caption":1182,"layoutMode":62,"file":1183},{"id":360},"Image","The browser is the natural control point for both AI-enabled attacks targeting employees and AI tool usage that introduces risk into organizations. ",{"url":1184,"width":1185,"height":1186},"https://images.ctfassets.net/y1cdw1ablpvd/3vtPqgrZRuVxkVKw9sGLor/ce1d265590cfc23848e25b03fb3ed5a2/image4.png",1999,1142,{"sys":1188,"__typename":1189,"content":1190,"name":1212,"title":62},{"id":386},"InsightTextBlockComponent",{"json":1191},{"data":1192,"content":1193,"nodeType":233},{},[1194],{"data":1195,"content":1196,"nodeType":237},{},[1197,1201,1209],{"data":1198,"marks":1199,"value":1200,"nodeType":241},{},[],"Learn how AI-enabled attacks are making infrastructure-based detection increasingly ineffective in our ",{"data":1202,"content":1204,"nodeType":412},{"uri":1203},"https://pushsecurity.com/blog/the-pyramid-of-pain-in-the-ai-era/",[1205],{"data":1206,"marks":1207,"value":1208,"nodeType":241},{},[],"update on the Pyramid of Pain concept for 2026",{"data":1210,"marks":1211,"value":571,"nodeType":241},{},[],"AI Browser Control IB1",{"sys":1214,"__typename":1189,"content":1215,"name":1239,"title":62},{"id":462},{"json":1216},{"data":1217,"content":1218,"nodeType":233},{},[1219],{"data":1220,"content":1221,"nodeType":237},{},[1222,1226,1235],{"data":1223,"marks":1224,"value":1225,"nodeType":241},{},[],"Nearly every phishing toolkit that Push encounters in the wild today displays the fingerprints of AI use. Check out our ",{"data":1227,"content":1229,"nodeType":412},{"uri":1228},"https://pushsecurity.com/blog/inside-criminal-phishing-panel/",[1230],{"data":1231,"marks":1232,"value":1234,"nodeType":241},{},[1233],{"type":420},"recent analysis",{"data":1236,"marks":1237,"value":1238,"nodeType":241},{},[]," of Doko's Panel, a real-time vishing and AiTM kit, for a under-the-hood look at this. ","AI Browser Control IB3",{"sys":1241,"__typename":1189,"content":1242,"name":1266,"title":62},{"id":483},{"json":1243},{"data":1244,"content":1245,"nodeType":233},{},[1246],{"data":1247,"content":1248,"nodeType":237},{},[1249,1253,1262],{"data":1250,"marks":1251,"value":1252,"nodeType":241},{},[],"According to ",{"data":1254,"content":1256,"nodeType":412},{"uri":1255},"https://www.spamhaus.com/resource-center/supporting-researchers-with-passive-dns/",[1257],{"data":1258,"marks":1259,"value":1261,"nodeType":241},{},[1260],{"type":420},"Spamhaus",{"data":1263,"marks":1264,"value":1265,"nodeType":241},{},[],", 89% of phishing domains are active for fewer than two days, with just 6.5% surviving past 15 days. That means that if you're primarily looking at static indicators, you're already behind. IOC-based detections can't keep up with how quickly attackers can rotate infrastructure.","AI Browser Control IB2",{"sys":1268,"__typename":1181,"title":1269,"caption":1270,"layoutMode":62,"file":1271},{"id":556},"LLMShare example","The recent LLMShare campaign shows how attackers are abusing AI tools, legitimate pages, and malvertising. ",{"url":1272,"width":1185,"height":1273},"https://images.ctfassets.net/y1cdw1ablpvd/7u7yyvyg3P9jepZi7iIwxf/d2c42d257d2e7ac4dfe28c37aa69a4b3/image4.png",875,{"sys":1275,"__typename":1181,"title":1276,"caption":1277,"layoutMode":62,"file":1278},{"id":596},"ai-sprawl-infographic","AI sprawl is worse than most organizations realize. ",{"url":1279,"width":1280,"height":1281},"https://images.ctfassets.net/y1cdw1ablpvd/7vCbQdyRkjLs5EmsjBBAQp/3bfb13e7ec19be76325cdc69297c48c3/ai-sprawl-infographic_2x__3_.png",1800,1192,{"sys":1283,"__typename":1189,"content":1284,"name":1308,"title":62},{"id":714},{"json":1285},{"nodeType":233,"data":1286,"content":1287},{},[1288],{"nodeType":237,"data":1289,"content":1290},{},[1291,1295,1304],{"nodeType":241,"value":1292,"marks":1293,"data":1294},"The Vercel breach isn't an isolated incident. ShinyHunters demonstrated the breadth and scale of ",[],{},{"nodeType":412,"data":1296,"content":1298},{"uri":1297},"https://pushsecurity.com/blog/analyzing-the-instructure-breach/#id-vector-3-oauth-supply-chain-attacks-through-compromised-integrators",[1299],{"nodeType":241,"value":1300,"marks":1301,"data":1303},"OAuth-targeted attacks last year",[1302],{"type":420},{},{"nodeType":241,"value":1305,"marks":1306,"data":1307},", impacting more than 1,000 organizations in targeted campaigns against Salesloft/Drift. Adversaries compromised Salesloft’s GitHub environment, stole Drift OAuth tokens, and used them to access downstream Salesforce environments. The same pattern was later repeated at Gainsight.",[],{},"AI Browser Control IB5",{"sys":1310,"__typename":1181,"title":1311,"caption":1311,"layoutMode":62,"file":1312},{"id":727},"AI tools are the hub of the modern workplace. ",{"url":1313,"width":1314,"height":1315},"https://images.ctfassets.net/y1cdw1ablpvd/7mRgALIClC1R2Cmuu7xKse/cdaf8cbb26a54ad75b7d52a8c92b1f84/Group_737.png",6824,4280,{"sys":1317,"__typename":1189,"content":1318,"name":1352,"title":62},{"id":733},{"json":1319},{"nodeType":233,"data":1320,"content":1321},{},[1322,1334,1341],{"nodeType":237,"data":1323,"content":1324},{},[1325,1330],{"nodeType":241,"value":1326,"marks":1327,"data":1329},"A word on prompt injection: ",[1328],{"type":259},{},{"nodeType":241,"value":1331,"marks":1332,"data":1333},"Prompt injection is a serious and structurally difficult to solve problem, and one AI researchers and the security industry are still working out how to defend against. ",[],{},{"nodeType":237,"data":1335,"content":1336},{},[1337],{"nodeType":241,"value":1338,"marks":1339,"data":1340},"High-impact attacks of this kind are still rare in the wild, but the building blocks are all demonstrated and the attack surface is growing as agentic browsers and in-app AI features proliferate. The threat is evolving quickly and detections are still limited, so it pays to start with the controls that hold up regardless of how attacks evolve. ",[],{},{"nodeType":237,"data":1342,"content":1343},{},[1344,1348],{"nodeType":241,"value":1345,"marks":1346,"data":1347},"This starts with k",[],{},{"nodeType":241,"value":1349,"marks":1350,"data":1351},"nowing which AI browsers, extensions, and assistants employees are using, which SaaS apps have AI features enabled, and what OAuth scopes those AIs have been granted. The blast radius of any successful prompt injection is exactly the data and actions those grants permit, so visibility into AI tooling and AI-connected identity is the foundation that any further defense builds on.",[],{},"AI Browser Control IB4",{"sys":1354,"__typename":1355,"title":1356,"arcadeDemoUrl":1357,"playText":1358},{"id":1150},"ArcadeDemo","Secure AI apps demo","https://demo.arcade.software/ibou7WyNSvBX4uRpK25H?embed","2 mins","json",{},"2026-06-02T00:00:00.000Z",{"items":1363},[1364,2157,2969],{"__typename":1365,"sys":1366,"publishedDate":1368,"content":1369,"title":2136,"synopsis":2137,"hashTags":62,"slug":2138,"tagsCollection":2139,"authorsCollection":2149},"BlogPosts",{"id":1367},"5RDOpmzJolwT1hk0fNIxzf","2026-06-01T00:00:00.000Z",{"json":1370},{"nodeType":233,"data":1371,"content":1372},{},[1373,1392,1398,1405,1412,1415,1423,1442,1461,1468,1474,1481,1487,1494,1502,1509,1527,1556,1562,1568,1576,1583,1602,1632,1664,1671,1677,1685,1692,1704,1711,1752,1758,1800,1839,1845,1848,1856,1863,1869,1876,1883,1889,1896,1903,1931,1934,1942,1949,1957,1964,1971,1990,1997,2003,2010,2018,2025,2043,2050,2069,2072,2080,2087,2094,2101,2104,2111,2118],{"nodeType":237,"data":1374,"content":1375},{},[1376,1380,1388],{"nodeType":241,"value":1377,"marks":1378,"data":1379},"Back in 2024, we wrote about ",[],{},{"nodeType":412,"data":1381,"content":1383},{"uri":1382},"https://pushsecurity.com/blog/our-design-philosophy-detecting-what-matters/",[1384],{"nodeType":241,"value":1385,"marks":1386,"data":1387},"how the Pyramid of Pain shapes Push's detection philosophy",[],{},{"nodeType":241,"value":1389,"marks":1390,"data":1391}," — detections targeting indicators that are easy for attackers to change deliver diminishing returns, while detections targeting attacker techniques impose a cost that's hard to absorb. Two years on, every force that made IoC-based detection fragile has intensified.",[],{},{"nodeType":356,"data":1393,"content":1397},{"target":1394},{"sys":1395},{"id":1396,"type":361,"linkType":362},"1iuLYxwI8T1wDUIFSom0G0",[],{"nodeType":237,"data":1399,"content":1400},{},[1401],{"nodeType":241,"value":1402,"marks":1403,"data":1404},"AI hasn't introduced a new problem so much as it's compressed the timelines on an existing one — attackers can generate infrastructure, iterate on tooling, and industrialize newly discovered techniques faster than before. The bottom layers of the Pyramid are collapsing under the weight of machine-speed operations, and the middle layers are starting to buckle too.",[],{},{"nodeType":237,"data":1406,"content":1407},{},[1408],{"nodeType":241,"value":1409,"marks":1410,"data":1411},"These changes mean that technique-level detection is more important than ever. In this article, we’ll dig into how the Pyramid is changing, and what this means for our detection philosophy at Push (TL;DR — it reinforces the path we’re already on: building detections at the top of the Pyramid by harnessing browser visibility). ",[],{},{"nodeType":290,"data":1413,"content":1414},{},[],{"nodeType":294,"data":1416,"content":1417},{},[1418],{"nodeType":241,"value":1419,"marks":1420,"data":1422},"The bottom of the Pyramid was already crumbling",[1421],{"type":259},{},{"nodeType":237,"data":1424,"content":1425},{},[1426,1430,1438],{"nodeType":241,"value":1427,"marks":1428,"data":1429},"The case against indicator-based detection didn't need AI to be compelling. ",[],{},{"nodeType":412,"data":1431,"content":1433},{"uri":1432},"https://www.spamhaus.org/",[1434],{"nodeType":241,"value":1435,"marks":1436,"data":1437},"89% of phishing domains are active for fewer than two days",[],{},{"nodeType":241,"value":1439,"marks":1440,"data":1441},", with just 6.5% surviving past 15 days — by the time a domain makes it onto a blocklist, the campaign has moved on.",[],{},{"nodeType":237,"data":1443,"content":1444},{},[1445,1449,1457],{"nodeType":241,"value":1446,"marks":1447,"data":1448},"We've ",[],{},{"nodeType":412,"data":1450,"content":1452},{"uri":1451},"https://pushsecurity.com/blog/why-most-phishing-attacks-feel-like-a-zero-day/",[1453],{"nodeType":241,"value":1454,"marks":1455,"data":1456},"written before",[],{},{"nodeType":241,"value":1458,"marks":1459,"data":1460}," about how this makes every phishing attack effectively a zero-day for organizations relying on known-bad detection. The phishing kit's behavior — its page structure, script signatures, malicious payload mechanics — is the only detection target that outlasts a single campaign.",[],{},{"nodeType":237,"data":1462,"content":1463},{},[1464],{"nodeType":241,"value":1465,"marks":1466,"data":1467},"When we blogged about the Pyramid of Pain for modern attacks that happen predominantly over the internet, with minimal (or zero) endpoint contact, it first looked like this: ",[],{},{"nodeType":356,"data":1469,"content":1473},{"target":1470},{"sys":1471},{"id":1472,"type":361,"linkType":362},"2N04ycJ6RKGfHdX5X1TwU3",[],{"nodeType":237,"data":1475,"content":1476},{},[1477],{"nodeType":241,"value":1478,"marks":1479,"data":1480},"Now, it looks more like this:",[],{},{"nodeType":356,"data":1482,"content":1486},{"target":1483},{"sys":1484},{"id":1485,"type":361,"linkType":362},"mfhP4WToOQkrHnVkXU0tX",[],{"nodeType":237,"data":1488,"content":1489},{},[1490],{"nodeType":241,"value":1491,"marks":1492,"data":1493},"Let’s explore why. ",[],{},{"nodeType":396,"data":1495,"content":1496},{},[1497],{"nodeType":241,"value":1498,"marks":1499,"data":1501},"AI is accelerating phishing rotation and delivery",[1500],{"type":259},{},{"nodeType":237,"data":1503,"content":1504},{},[1505],{"nodeType":241,"value":1506,"marks":1507,"data":1508},"Attackers are harnessing AI at every stage, speeding up the process of creating, rotating, and replacing phishing infrastructure at every level, as well as capitalizing on AI adoption itself to enhance their lures. The operational signature is more domains, shorter lifespans, more variation, and fewer of the reuse patterns that blocklists depend on.",[],{},{"nodeType":237,"data":1510,"content":1511},{},[1512,1516,1523],{"nodeType":241,"value":1513,"marks":1514,"data":1515},"Attackers can ",[],{},{"nodeType":412,"data":1517,"content":1518},{"uri":1054},[1519],{"nodeType":241,"value":1520,"marks":1521,"data":1522},"vibe-code entire phishing pages in minutes",[],{},{"nodeType":241,"value":1524,"marks":1525,"data":1526}," — not just cloning legitimate login pages but vibe-cloning them, feeding an AI a screenshot and having it rebuild a convincing frontend with a completely unique backend. ",[],{},{"nodeType":237,"data":1528,"content":1529},{},[1530,1534,1542,1546,1552],{"nodeType":241,"value":1531,"marks":1532,"data":1533},"We've seen attackers clone free SaaS tools like background removers and PDF converters, then inject phishing components or ClickFix payloads into what looks like a functional utility. We’ve even seen attackers distributing malware using AI-generated pages shared using ",[],{},{"nodeType":412,"data":1535,"content":1536},{"uri":542},[1537],{"nodeType":241,"value":1538,"marks":1539,"data":1541},"LLM tool sharing functionality",[1540],{"type":420},{},{"nodeType":241,"value":1543,"marks":1544,"data":1545},", resulting in phishing delivery pages hosted on real claude.ai and chatgpt.com. And legitimate cloud platforms like ",[],{},{"nodeType":412,"data":1547,"content":1548},{"uri":494},[1549],{"nodeType":241,"value":497,"marks":1550,"data":1551},[],{},{"nodeType":241,"value":1553,"marks":1554,"data":1555},", Cloudflare Workers, and Vercel host and dynamically rotate attack infrastructure, so the domains feeding into blocklists often belong to reputable services that can't simply be blocked. ",[],{},{"nodeType":356,"data":1557,"content":1561},{"target":1558},{"sys":1559},{"id":1560,"type":361,"linkType":362},"5yoLmqysyQazfzLITCUTfc",[],{"nodeType":356,"data":1563,"content":1567},{"target":1564},{"sys":1565},{"id":1566,"type":361,"linkType":362},"5XK5qZMQU19xlA8L2T5y0Z",[],{"nodeType":396,"data":1569,"content":1570},{},[1571],{"nodeType":241,"value":1572,"marks":1573,"data":1575},"The kit ecosystem is fragmenting faster than anyone can track",[1574],{"type":259},{},{"nodeType":237,"data":1577,"content":1578},{},[1579],{"nodeType":241,"value":1580,"marks":1581,"data":1582},"What we see across our install base is a huge and growing variation in phishing kits — new kits, derivative kits of known platforms, derivatives of those derivatives — appearing on a weekly basis.",[],{},{"nodeType":237,"data":1584,"content":1585},{},[1586,1590,1598],{"nodeType":241,"value":1587,"marks":1588,"data":1589},"As we reported in our ",[],{},{"nodeType":412,"data":1591,"content":1593},{"uri":1592},"https://pushsecurity.com/thank-you/browser-attacks-report",[1594],{"nodeType":241,"value":1595,"marks":1596,"data":1597},"Browser Attacks Report",[],{},{"nodeType":241,"value":1599,"marks":1600,"data":1601},", the most common AiTM kits we detected over the last year were Tycoon 2FA (59% of detections), followed by Sneaky 2FA, FlowerStorm, Evilginx (nominally a red team tool, but widely abused by attackers), NakedPages, Gabagool, and dozens more — but those established names are just the visible layer.",[],{},{"nodeType":237,"data":1603,"content":1604},{},[1605,1609,1617,1621,1628],{"nodeType":241,"value":1606,"marks":1607,"data":1608},"Code is forked, modified, and redeployed across kits in a pattern that ",[],{},{"nodeType":412,"data":1610,"content":1612},{"uri":1611},"https://blog.barracuda.com/2026/04/16/threat-spotlight-tycoon-2fa-scattered-everywhere",[1613],{"nodeType":241,"value":1614,"marks":1615,"data":1616},"resembles open-source development",[],{},{"nodeType":241,"value":1618,"marks":1619,"data":1620}," more than traditional criminal enterprise, and the rate at which new variants appear is accelerating. The ",[],{},{"nodeType":412,"data":1622,"content":1623},{"uri":428},[1624],{"nodeType":241,"value":1625,"marks":1626,"data":1627},"Venom kit",[],{},{"nodeType":241,"value":1629,"marks":1630,"data":1631}," reuses Sneaky 2FA's AiTM infrastructure but carries different branding and adds device code phishing — whether it's the same developers, stolen code, or a deliberate fork is unclear.",[],{},{"nodeType":237,"data":1633,"content":1634},{},[1635,1639,1647,1651,1660],{"nodeType":241,"value":1636,"marks":1637,"data":1638},"Tycoon 2FA illustrates the scale of the evolution. The kit evolves continuously, addingnew capabilities, new evasion techniques, and hybridizing with other platforms. Even when Sekoia and Microsoft seized 330+ Tycoon domains in March 2026, the techniques it popularized were already embedded across competitors, and the slack was taken up by rival platforms within days. And in any case, Tycoon was back to ",[],{},{"nodeType":412,"data":1640,"content":1642},{"uri":1641},"https://www.crowdstrike.com/en-us/blog/tycoon2fa-phishing-as-a-service-platform-persists-following-takedown/",[1643],{"nodeType":241,"value":1644,"marks":1645,"data":1646},"normal levels of operation",[],{},{"nodeType":241,"value":1648,"marks":1649,"data":1650}," shortly after. It has also been observed ",[],{},{"nodeType":412,"data":1652,"content":1654},{"uri":1653},"https://www.okta.com/en-nl/blog/threat-intelligence/tycoon_2fa_phishing_actors_scatter/",[1655],{"nodeType":241,"value":1656,"marks":1657,"data":1659},"pivoting to add new device code phishing capabilities",[1658],{"type":420},{},{"nodeType":241,"value":1661,"marks":1662,"data":1663}," (more on that below). ",[],{},{"nodeType":237,"data":1665,"content":1666},{},[1667],{"nodeType":241,"value":1668,"marks":1669,"data":1670},"Tear one down and there are many more to take its place — and meanwhile the original is already evolving into something new.",[],{},{"nodeType":356,"data":1672,"content":1676},{"target":1673},{"sys":1674},{"id":1675,"type":361,"linkType":362},"3UDzUCCizPJhXp3SsoZuSK",[],{"nodeType":396,"data":1678,"content":1679},{},[1680],{"nodeType":241,"value":1681,"marks":1682,"data":1684},"New techniques are being industrialized faster than ever",[1683],{"type":259},{},{"nodeType":237,"data":1686,"content":1687},{},[1688],{"nodeType":241,"value":1689,"marks":1690,"data":1691},"As well as the fragmentation of existing kits, we’re seeing new techniques added at an accelerating rate. ",[],{},{"nodeType":237,"data":1693,"content":1694},{},[1695,1700],{"nodeType":241,"value":1696,"marks":1697,"data":1699},"Device code phishing",[1698],{"type":259},{},{"nodeType":241,"value":1701,"marks":1702,"data":1703}," is the clearest case study. From early nation state adoption in 2024, it took until 2026 for criminal adoption to really take off, but the take-up this year is unprecedented. The EvilTokens kit packaged device code phishing into a PhaaS offering with GPT-powered spear-phishing and adaptive landing pages, hitting 340+ organizations across five countries in March 2026. ",[],{},{"nodeType":237,"data":1705,"content":1706},{},[1707],{"nodeType":241,"value":1708,"marks":1709,"data":1710},"Now, device code functionality is now a core phish kit component. We’re tracking 18+ kits with device code phishing capabilities and a 37.5x increase in device code phishing detections this year alone, with the technique moving from state-sponsored exclusivity to something any PhaaS customer can rent.",[],{},{"nodeType":237,"data":1712,"content":1713},{},[1714,1718,1726,1730,1735,1739,1748],{"nodeType":241,"value":1715,"marks":1716,"data":1717},"Similarly, when we ",[],{},{"nodeType":412,"data":1719,"content":1721},{"uri":1720},"https://pushsecurity.com/blog/we-infiltrated-a-criminal-phishing-panel/",[1722],{"nodeType":241,"value":1723,"marks":1724,"data":1725},"infiltrated Doko's Panel",[],{},{"nodeType":241,"value":1727,"marks":1728,"data":1729}," — a ",[],{},{"nodeType":241,"value":1731,"marks":1732,"data":1734},"real-time vishing and AiTM platform",[1733],{"type":259},{},{"nodeType":241,"value":1736,"marks":1737,"data":1738}," used by ShinyHunters and affiliated groups — the codebase was full of LLM-generated artifacts. Multiple groups were using the templated vishing panel and spinning up their own variants, but the AI-generated indicators persisted throughout. This approach to real-time vishing + browser payload has been a ",[],{},{"nodeType":412,"data":1740,"content":1742},{"uri":1741},"https://pushsecurity.com/blog/analyzing-the-instructure-breach/",[1743],{"nodeType":241,"value":1744,"marks":1745,"data":1747},"mainstay of the Com affiliates like ShinyHunters this year",[1746],{"type":420},{},{"nodeType":241,"value":1749,"marks":1750,"data":1751},". ",[],{},{"nodeType":356,"data":1753,"content":1757},{"target":1754},{"sys":1755},{"id":1756,"type":361,"linkType":362},"01mOiserRBXraawXwQyJNm",[],{"nodeType":237,"data":1759,"content":1760},{},[1761,1765,1770,1774,1783,1787,1796],{"nodeType":241,"value":1762,"marks":1763,"data":1764},"The broader ",[],{},{"nodeType":241,"value":1766,"marks":1767,"data":1769},"ClickFix",[1768],{"type":259},{},{"nodeType":241,"value":1771,"marks":1772,"data":1773}," family shows the same acceleration: First reported in early 2024 and adopted by four nation-state groups within a single quarter. Fast forward and ",[],{},{"nodeType":412,"data":1775,"content":1777},{"uri":1776},"https://www.crowdstrike.com/en-us/global-threat-report/",[1778],{"nodeType":241,"value":1779,"marks":1780,"data":1782},"CrowdStrike's data",[1781],{"type":420},{},{"nodeType":241,"value":1784,"marks":1785,"data":1786}," shows a 563% increase in fake CAPTCHA incidents (one of the more common ClickFix lure types), while ",[],{},{"nodeType":412,"data":1788,"content":1790},{"uri":1789},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf",[1791],{"nodeType":241,"value":1792,"marks":1793,"data":1795},"Microsoft reported",[1794],{"type":420},{},{"nodeType":241,"value":1797,"marks":1798,"data":1799}," it as making up 47% of observed attacks according to their Digital Defense Report.",[],{},{"nodeType":237,"data":1801,"content":1802},{},[1803,1807,1812,1816,1824,1828,1835],{"nodeType":241,"value":1804,"marks":1805,"data":1806},"And ",[],{},{"nodeType":241,"value":1808,"marks":1809,"data":1811},"ConsentFix",[1810],{"type":259},{},{"nodeType":241,"value":1813,"marks":1814,"data":1815}," — a combination of ClickFix and OAuth consent phishing techniques — suggests the next compression is already underway. Push researchers ",[],{},{"nodeType":412,"data":1817,"content":1819},{"uri":1818},"https://pushsecurity.com/blog/consentfix/",[1820],{"nodeType":241,"value":1821,"marks":1822,"data":1823},"discovered the technique",[],{},{"nodeType":241,"value":1825,"marks":1826,"data":1827}," in December 2025 — a browser-native ClickFix variant hijacking OAuth consent grants via Azure CLI's localhost redirect. It was later confirmed to be tied to APT29. By January 2026, a ",[],{},{"nodeType":412,"data":1829,"content":1830},{"uri":414},[1831],{"nodeType":241,"value":1832,"marks":1833,"data":1834},"criminal ConsentFix v3 toolkit",[],{},{"nodeType":241,"value":1836,"marks":1837,"data":1838}," had appeared on the XSS forum with Cloudflare Workers, ZoomInfo targeting, and automated exfiltration via Pipedream.",[],{},{"nodeType":356,"data":1840,"content":1844},{"target":1841},{"sys":1842},{"id":1843,"type":361,"linkType":362},"41FMif4T0y1maflzonWgL8",[],{"nodeType":290,"data":1846,"content":1847},{},[],{"nodeType":294,"data":1849,"content":1850},{},[1851],{"nodeType":241,"value":1852,"marks":1853,"data":1855},"Why technique-level detection is the only layer that holds",[1854],{"type":259},{},{"nodeType":237,"data":1857,"content":1858},{},[1859],{"nodeType":241,"value":1860,"marks":1861,"data":1862},"The middle of the Pyramid — tool signatures and artifacts — used to offer much more durable detection than infrastructure indicators. Fingerprinting a specific phishing kit by its JavaScript structure or HTML patterns provided a detection target that survived across dozens or hundreds of campaigns, even as the underlying domains rotated. Tool level detections are still better, but not by quite the same margin.",[],{},{"nodeType":356,"data":1864,"content":1868},{"target":1865},{"sys":1866},{"id":1867,"type":361,"linkType":362},"5pxaYdCIFiFKLPhRaPoldX",[],{"nodeType":237,"data":1870,"content":1871},{},[1872],{"nodeType":241,"value":1873,"marks":1874,"data":1875},"When the kit landscape was dominated by a handful of platforms, you could write signatures for Tycoon, Sneaky2FA, EvilProxy, and so on, and cover the lion's share of attacks. With the ecosystem now producing new variants and entirely new kits on a weekly basis, detecting by kit fingerprint starts to look uncomfortably similar to detecting by domain.",[],{},{"nodeType":237,"data":1877,"content":1878},{},[1879],{"nodeType":241,"value":1880,"marks":1881,"data":1882},"But many of these proliferating kits do share behavioral patterns at a deeper level than their code signatures. For example, every device code phishing kit implements fundamentally the same flow: present a lure, generate a device code via the OAuth Device Authorization endpoint, get the user to enter it on the legitimate authorization page, and poll for the resulting tokens. The frontends vary, the infrastructure varies, but the behavioral pattern doesn't.",[],{},{"nodeType":356,"data":1884,"content":1888},{"target":1885},{"sys":1886},{"id":1887,"type":361,"linkType":362},"FyyHayQtsJTwoB1kluMOl",[],{"nodeType":237,"data":1890,"content":1891},{},[1892],{"nodeType":241,"value":1893,"marks":1894,"data":1895},"Genuinely new attack techniques still require human creativity — an attacker has to identify a gap in how a legitimate protocol or feature can be subverted. That kind of innovation hasn't been automated. But the window to discover a technique, build a detection, and then deploy it before it is adopted by criminals at scale is compressing with each generation.",[],{},{"nodeType":237,"data":1897,"content":1898},{},[1899],{"nodeType":241,"value":1900,"marks":1901,"data":1902},"Organizations that detect at the technique level and deploy before commoditization have a structural advantage that increases over time. Waiting for indicators — even tool-level indicators — means chasing a curve that's accelerating away from you. This is the challenge we grapple with every day as we strive for the most resilient detections possible. ",[],{},{"nodeType":1904,"data":1905,"content":1906},"blockquote",{},[1907],{"nodeType":237,"data":1908,"content":1909},{},[1910,1914,1922,1926],{"nodeType":241,"value":1911,"marks":1912,"data":1913},"As our CPO Jacques Louw put it on ",[],{},{"nodeType":412,"data":1915,"content":1917},{"uri":1916},"https://risky.biz/RBNEWSSI128/",[1918],{"nodeType":241,"value":1919,"marks":1920,"data":1921},"Risky Business",[],{},{"nodeType":241,"value":1923,"marks":1924,"data":1925},": ",[],{},{"nodeType":241,"value":1927,"marks":1928,"data":1930},"\"There's no list of bad domains anywhere in the product. It's a crutch — a false cheat code that stops you from doing the detection in the way that actually is resilient, because the next time you see it, it will be on a different domain.\"",[1929],{"type":269},{},{"nodeType":290,"data":1932,"content":1933},{},[],{"nodeType":294,"data":1935,"content":1936},{},[1937],{"nodeType":241,"value":1938,"marks":1939,"data":1941},"What it takes to detect at the top of the Pyramid",[1940],{"type":259},{},{"nodeType":237,"data":1943,"content":1944},{},[1945],{"nodeType":241,"value":1946,"marks":1947,"data":1948},"If technique-level detection is the only layer that holds, two things have to be true about your detection capability: You need the right vantage point, and you need the research velocity to stay ahead.",[],{},{"nodeType":396,"data":1950,"content":1951},{},[1952],{"nodeType":241,"value":1953,"marks":1954,"data":1956},"You need the right vantage point",[1955],{"type":259},{},{"nodeType":237,"data":1958,"content":1959},{},[1960],{"nodeType":241,"value":1961,"marks":1962,"data":1963},"Technique-level behaviors in browser-based identity attacks — how a phishing page orchestrates credential entry, how a device code flow presents its authorization prompt, how a ClickFix variant manipulates the clipboard — are visible in the browser session and nowhere else.",[],{},{"nodeType":237,"data":1965,"content":1966},{},[1967],{"nodeType":241,"value":1968,"marks":1969,"data":1970},"Network proxies see encrypted traffic and can attempt to reconstruct page behavior from metadata, but DOM manipulation, user interaction sequences, and script execution aren't visible from that vantage point. Email gateways see the delivery mechanism (or nothing at all in the increasing number of social media and search engine based attacks) but not the payload.",[],{},{"nodeType":237,"data":1972,"content":1973},{},[1974,1978,1986],{"nodeType":241,"value":1975,"marks":1976,"data":1977},"As we disclosed in our ",[],{},{"nodeType":412,"data":1979,"content":1980},{"uri":1592},[1981],{"nodeType":241,"value":1982,"marks":1983,"data":1985},"browser attacks report",[1984],{"type":420},{},{"nodeType":241,"value":1987,"marks":1988,"data":1989},", 95% of in-browser attacks we detect use some form of bot protection, often combined with conditional loading techniques like referrer and browser checks, reliably defeating automated analysis techniques. ",[],{},{"nodeType":237,"data":1991,"content":1992},{},[1993],{"nodeType":241,"value":1994,"marks":1995,"data":1996},"Behavioral detection at the technique level requires observing what happens on the page at the moment the user interacts with it — analyzing pages, not links. When you see the entire browsing flow — ad click, redirect chain, page render, credential prompt — an attack stands out immediately. Without that context, any detection system is forced to fill in gaps, and the gaps are where attacks hide.",[],{},{"nodeType":356,"data":1998,"content":2002},{"target":1999},{"sys":2000},{"id":2001,"type":361,"linkType":362},"4804g6u4POUDpL42bzP0EY",[],{"nodeType":237,"data":2004,"content":2005},{},[2006],{"nodeType":241,"value":2007,"marks":2008,"data":2009},"Push sits inside the browser session, observing this in real time. Its detections target the behavioral mechanics of techniques rather than the surface characteristics of individual kits or infrastructure.",[],{},{"nodeType":396,"data":2011,"content":2012},{},[2013],{"nodeType":241,"value":2014,"marks":2015,"data":2017},"You need the research expertise",[2016],{"type":259},{},{"nodeType":237,"data":2019,"content":2020},{},[2021],{"nodeType":241,"value":2022,"marks":2023,"data":2024},"When the window between technique discovery and industrialized exploitation is measured in weeks rather than years, the detection pipeline needs to operate on that same compressed timescale.",[],{},{"nodeType":237,"data":2026,"content":2027},{},[2028,2032,2039],{"nodeType":241,"value":2029,"marks":2030,"data":2031},"This is where our ",[],{},{"nodeType":412,"data":2033,"content":2034},{"uri":1054},[2035],{"nodeType":241,"value":2036,"marks":2037,"data":2038},"agentic threat hunting pipeline",[],{},{"nodeType":241,"value":2040,"marks":2041,"data":2042}," fits. It's tripled our monthly detection output — not by generating bigger blocklists, but by scaling the process of discovering behavioral patterns across the telemetry generated by 3+ million browser deployments.",[],{},{"nodeType":237,"data":2044,"content":2045},{},[2046],{"nodeType":241,"value":2047,"marks":2048,"data":2049},"The detections it produces are technique-class by design, targeting how attacks work rather than the infrastructure or specific tool that implements them. The goal is curation, not accumulation — hundreds of high-fidelity behavioral detections rather than the billions of signatures and domain entries that traditional approaches require.",[],{},{"nodeType":237,"data":2051,"content":2052},{},[2053,2057,2065],{"nodeType":241,"value":2054,"marks":2055,"data":2056},"When we detected the first in-the-wild ",[],{},{"nodeType":412,"data":2058,"content":2060},{"uri":2059},"https://pushsecurity.com/blog/installfix/",[2061],{"nodeType":241,"value":2062,"marks":2063,"data":2064},"InstallFix attack",[],{},{"nodeType":241,"value":2066,"marks":2067,"data":2068}," through the pipeline — a user had searched for NotebookLM, clicked a paid Google ad, and was redirected to a fake page with a WebAssembly C2 connector — the detection shipped to all customers within minutes. It didn't depend on knowing the domain, the ad creative, or the specific kit. It depended on recognizing the technique itself.",[],{},{"nodeType":290,"data":2070,"content":2071},{},[],{"nodeType":294,"data":2073,"content":2074},{},[2075],{"nodeType":241,"value":2076,"marks":2077,"data":2079},"Technique-level detection is now the only option",[2078],{"type":259},{},{"nodeType":237,"data":2081,"content":2082},{},[2083],{"nodeType":241,"value":2084,"marks":2085,"data":2086},"As a framework for detection durability, the Pyramid of Pain is more relevant than ever. ",[],{},{"nodeType":237,"data":2088,"content":2089},{},[2090],{"nodeType":241,"value":2091,"marks":2092,"data":2093},"AI has made infrastructure indicators essentially disposable. The tools tier is compressing as criminal vendors vibe-code, fork, and clone tooling at machine speed. Technique-level detection is the layer that holds long-term to be able to proactively detect and block net-new attacks and the kits that power them. ",[],{},{"nodeType":237,"data":2095,"content":2096},{},[2097],{"nodeType":241,"value":2098,"marks":2099,"data":2100},"Novel attack techniques still require human creativity to discover, and detections built around how those techniques work can survive infrastructure rotation, tool proliferation, and kit fragmentation. Defending that layer requires a vantage point inside the browser session and a research pipeline fast enough to stay ahead of the accelerating path from discovery to industrialization.",[],{},{"nodeType":290,"data":2102,"content":2103},{},[],{"nodeType":237,"data":2105,"content":2106},{},[2107],{"nodeType":241,"value":2108,"marks":2109,"data":2110},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.",[],{},{"nodeType":237,"data":2112,"content":2113},{},[2114],{"nodeType":241,"value":2115,"marks":2116,"data":2117},"Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",[],{},{"nodeType":237,"data":2119,"content":2120},{},[2121,2124,2132],{"nodeType":241,"value":29,"marks":2122,"data":2123},[],{},{"nodeType":412,"data":2125,"content":2126},{"uri":1164},[2127],{"nodeType":241,"value":2128,"marks":2129,"data":2131},"Book a live demo",[2130],{"type":420},{},{"nodeType":241,"value":2133,"marks":2134,"data":2135}," to learn more.",[],{},"The Pyramid of Pain in the AI era: Why technique-level detection matters more than ever","AI is accelerating the collapse of indicator-based threat detection. Here's why you need technique-level detection to stay ahead.","the-pyramid-of-pain-in-the-ai-era",{"items":2140},[2141,2145],{"sys":2142,"name":2144},{"id":2143},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"sys":2146,"name":2148},{"id":2147},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":2150},[2151],{"fullName":2152,"firstName":2153,"jobTitle":2154,"profilePicture":2155},"Dan Green","Dan","Threat Research",{"url":2156},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1365,"sys":2158,"publishedDate":2160,"content":2161,"title":2952,"synopsis":2953,"hashTags":62,"slug":2954,"tagsCollection":2955,"authorsCollection":2961},{"id":2159},"Gcg7PGuICrlRcqq1QFXxH","2026-05-29T00:00:00.000Z",{"json":2162},{"nodeType":233,"data":2163,"content":2164},{},[2165,2172,2179,2210,2217,2223,2229,2241,2244,2252,2268,2275,2281,2288,2295,2301,2304,2312,2319,2325,2331,2338,2345,2363,2369,2372,2380,2398,2404,2411,2414,2422,2429,2436,2442,2448,2492,2499,2502,2510,2517,2524,2567,2574,2605,2612,2655,2662,2665,2673,2692,2699,2707,2722,2729,2746,2753,2756,2762,2768,2786,2789,2797,2816,2823,2946],{"nodeType":237,"data":2166,"content":2167},{},[2168],{"nodeType":241,"value":2169,"marks":2170,"data":2171},"Shared conversations on AI chatbot platforms have become the latest delivery mechanism for malware campaigns targeting macOS and Windows users. Attackers create content on platforms like ChatGPT and Claude that appears to offer installation guidance or service updates, then drive traffic to it via search engine results in the form of malvertising and SEO poisoning.  ",[],{},{"nodeType":237,"data":2173,"content":2174},{},[2175],{"nodeType":241,"value":2176,"marks":2177,"data":2178},"The content lives on chatgpt.com or claude.ai — domains that users and security tools trust implicitly — so the attack bypasses URL reputation checks before the victim even reaches the malicious payload.",[],{},{"nodeType":237,"data":2180,"content":2181},{},[2182,2186,2194,2198,2206],{"nodeType":241,"value":2183,"marks":2184,"data":2185},"Several variants of this technique have been ",[],{},{"nodeType":412,"data":2187,"content":2189},{"uri":2188},"https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-claudeai-chats-to-push-mac-malware/",[2190],{"nodeType":241,"value":2191,"marks":2192,"data":2193},"reported over the past few months",[],{},{"nodeType":241,"value":2195,"marks":2196,"data":2197},". The earliest examples used shared Claude.ai conversations disguised as installation guides — complete with fake \"Apple Support\" attribution — that walked users through opening a terminal and pasting a curl command that downloaded and executed an infostealer. ",[],{},{"nodeType":412,"data":2199,"content":2201},{"uri":2200},"https://www.kaspersky.com/blog/share-chatgpt-chat-clickfix-macos-amos-infostealer/54928/",[2202],{"nodeType":241,"value":2203,"marks":2204,"data":2205},"Kaspersky documented a parallel campaign",[],{},{"nodeType":241,"value":2207,"marks":2208,"data":2209}," using shared ChatGPT conversations to deliver the AMOS (Atomic macOS Stealer) via the same paste-this-command social engineering pattern. ",[],{},{"nodeType":237,"data":2211,"content":2212},{},[2213],{"nodeType":241,"value":2214,"marks":2215,"data":2216},"Push has detected a new variant that goes beyond the previously reported technique of embedding terminal commands in shared conversations: the attacker has used ChatGPT's code rendering feature to build a fully designed fake page that mimics a ChatGPT service disruption, redirecting victims to a convincing clone of ChatGPT's download page that delivers a malicious executable. ",[],{},{"nodeType":356,"data":2218,"content":2222},{"target":2219},{"sys":2220},{"id":2221,"type":361,"linkType":362},"5lz9zt223pecGvdaqdvSTQ",[],{"nodeType":356,"data":2224,"content":2228},{"target":2225},{"sys":2226},{"id":2227,"type":361,"linkType":362},"51GomAj3VOjnbmgd1DWYu0",[],{"nodeType":237,"data":2230,"content":2231},{},[2232,2237],{"nodeType":241,"value":2233,"marks":2234,"data":2236},"This is a live campaign which is still generating detections across our customer base at the time of writing. ",[2235],{"type":259},{},{"nodeType":241,"value":2238,"marks":2239,"data":2240},"Push customers are already protected and do not need to take further action. The malicious page URLs can be found at the end of this report but are not exhaustive and are liable to change. ",[],{},{"nodeType":290,"data":2242,"content":2243},{},[],{"nodeType":294,"data":2245,"content":2246},{},[2247],{"nodeType":241,"value":2248,"marks":2249,"data":2251},"A fake page, not a fake conversation",[2250],{"type":259},{},{"nodeType":237,"data":2253,"content":2254},{},[2255,2259,2264],{"nodeType":241,"value":2256,"marks":2257,"data":2258},"Previously reported variants relied on shared ",[],{},{"nodeType":241,"value":2260,"marks":2261,"data":2263},"conversations",[2262],{"type":269},{},{"nodeType":241,"value":2265,"marks":2266,"data":2267}," — the attacker created a chat that contained step-by-step instructions for the victim to follow, typically involving pasting a command into their terminal. The social engineering was conversational: the \"AI assistant\" appeared to be helpfully guiding the user through an installation process.",[],{},{"nodeType":237,"data":2269,"content":2270},{},[2271],{"nodeType":241,"value":2272,"marks":2273,"data":2274},"But now, rather than a shared conversation, the attacker has used ChatGPT's code rendering feature to create a fully designed, self-contained web page hosted at a chatgpt.com/s/ URL. It renders as what appears to be a ChatGPT service disruption notice:",[],{},{"nodeType":356,"data":2276,"content":2280},{"target":2277},{"sys":2278},{"id":2279,"type":361,"linkType":362},"1O9gyQab81SnbxhQp2aa5Z",[],{"nodeType":237,"data":2282,"content":2283},{},[2284],{"nodeType":241,"value":2285,"marks":2286,"data":2287},"A professional-looking error message reads: \"We're experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue.\" A prominent download button sits below.",[],{},{"nodeType":237,"data":2289,"content":2290},{},[2291],{"nodeType":241,"value":2292,"marks":2293,"data":2294},"The \"Show code\" toggle at the top of the page reveals what's actually happening — the entire thing is custom HTML and CSS, authored to mimic a ChatGPT system notice, rendered using ChatGPT's code output feature. A web page inside a web page, hosted on a domain that every URL reputation system in the world considers safe.",[],{},{"nodeType":356,"data":2296,"content":2300},{"target":2297},{"sys":2298},{"id":2299,"type":361,"linkType":362},"4kQTfxB3aVH9W9BeYOuljP",[],{"nodeType":290,"data":2302,"content":2303},{},[],{"nodeType":294,"data":2305,"content":2306},{},[2307],{"nodeType":241,"value":2308,"marks":2309,"data":2311},"The download page",[2310],{"type":259},{},{"nodeType":237,"data":2313,"content":2314},{},[2315],{"nodeType":241,"value":2316,"marks":2317,"data":2318},"Clicking the download button redirects the user to openew[.]app, which presents a convincing clone of ChatGPT's official desktop application download page — complete with OpenAI branding, macOS and Windows download buttons, a Chrome extension link, and a mobile download section.",[],{},{"nodeType":356,"data":2320,"content":2324},{"target":2321},{"sys":2322},{"id":2323,"type":361,"linkType":362},"4MdFc4OB37ZihTGx506QJ6",[],{"nodeType":356,"data":2326,"content":2330},{"target":2327},{"sys":2328},{"id":2329,"type":361,"linkType":362},"LaPUy0zpIeY8s4PF2wkat",[],{"nodeType":237,"data":2332,"content":2333},{},[2334],{"nodeType":241,"value":2335,"marks":2336,"data":2337},"The site also displays differently depending on who visits it. When Push researchers examined the URL via URLScan, the scanner was redirected to a different page entirely — a generic AR/VR company website with no obvious connection to ChatGPT. ",[],{},{"nodeType":237,"data":2339,"content":2340},{},[2341],{"nodeType":241,"value":2342,"marks":2343,"data":2344},"Real users in a browser see the fake download page; automated scanners and bots see something benign. This kind of conditional rendering is a well-established evasion technique in the malvertising ecosystem, and it makes the malicious infrastructure harder for security teams and threat intelligence services to identify and analyze.",[],{},{"nodeType":237,"data":2346,"content":2347},{},[2348,2352,2360],{"nodeType":241,"value":2349,"marks":2350,"data":2351},"The downloaded executable poses as \"ChatGPT for Desktop\" and is ",[],{},{"nodeType":412,"data":2353,"content":2355},{"uri":2354},"https://www.virustotal.com/gui/file/de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78",[2356],{"nodeType":241,"value":2357,"marks":2358,"data":2359},"flagged on VirusTotal",[],{},{"nodeType":241,"value":571,"marks":2361,"data":2362},[],{},{"nodeType":356,"data":2364,"content":2368},{"target":2365},{"sys":2366},{"id":2367,"type":361,"linkType":362},"3FSbwoFJYQrcyo9uMsQIWI",[],{"nodeType":290,"data":2370,"content":2371},{},[],{"nodeType":294,"data":2373,"content":2374},{},[2375],{"nodeType":241,"value":2376,"marks":2377,"data":2379},"The Claude variant: same campaign, different platform",[2378],{"type":259},{},{"nodeType":237,"data":2381,"content":2382},{},[2383,2387,2394],{"nodeType":241,"value":2384,"marks":2385,"data":2386},"Alongside the ChatGPT rendered-page variant, Push has also detected the previously reported style of attack using shared Claude.ai conversations. These follow the pattern documented by ",[],{},{"nodeType":412,"data":2388,"content":2389},{"uri":2188},[2390],{"nodeType":241,"value":2391,"marks":2392,"data":2393},"BleepingComputer",[],{},{"nodeType":241,"value":2395,"marks":2396,"data":2397},": a shared chat disguised as a \"Claude Code on Mac\" installation guide, attributed to \"Apple Support,\" containing a curl command that downloads and executes malware.",[],{},{"nodeType":356,"data":2399,"content":2403},{"target":2400},{"sys":2401},{"id":2402,"type":361,"linkType":362},"5sWayuTsVdiLSLoS4sv2Vc",[],{"nodeType":237,"data":2405,"content":2406},{},[2407],{"nodeType":241,"value":2408,"marks":2409,"data":2410},"The fact that both the ChatGPT and Claude variants are appearing in Push customer environments suggests a campaign — or at least a shared playbook — that is actively experimenting with different platforms and different social engineering approaches to find what converts best.",[],{},{"nodeType":290,"data":2412,"content":2413},{},[],{"nodeType":294,"data":2415,"content":2416},{},[2417],{"nodeType":241,"value":2418,"marks":2419,"data":2421},"Malvertising remains one of the top phishing delivery channels",[2420],{"type":259},{},{"nodeType":237,"data":2423,"content":2424},{},[2425],{"nodeType":241,"value":2426,"marks":2427,"data":2428},"Push has detected this variant across multiple customer environments, with users arriving at these shared chat URLs after searching for terms including \"chatgpt,\" \"chatgpt free,\" \"chat gpt,\" and common typos like \"chatgo,\" \"chatgot,\" and \"cvhatgpt.\" ",[],{},{"nodeType":237,"data":2430,"content":2431},{},[2432],{"nodeType":241,"value":2433,"marks":2434,"data":2435},"You can see an example of this below: it's incredibly convincing, and uses the real ChatGPT domain — so even users that are paying attention are liable to fall for it. ",[],{},{"nodeType":356,"data":2437,"content":2441},{"target":2438},{"sys":2439},{"id":2440,"type":361,"linkType":362},"1GYWOyHpZT1rdTm6IGOKu8",[],{"nodeType":356,"data":2443,"content":2447},{"target":2444},{"sys":2445},{"id":2446,"type":361,"linkType":362},"4HpFJRAZH2lbygaEk2xOnN",[],{"nodeType":237,"data":2449,"content":2450},{},[2451,2455,2463,2467,2475,2479,2488],{"nodeType":241,"value":2452,"marks":2453,"data":2454},"This fits a pattern Push has tracked extensively. ",[],{},{"nodeType":412,"data":2456,"content":2458},{"uri":2457},"https://pushsecurity.com/blog/verizon-dbir-2026-review/",[2459],{"nodeType":241,"value":2460,"marks":2461,"data":2462},"Search-based delivery is now the dominant channel for malware distribution",[],{},{"nodeType":241,"value":2464,"marks":2465,"data":2466}," — our own data shows that ClickFix attacks are reached via search results rather than email in 4 of 5 cases, and Push's own research into ",[],{},{"nodeType":412,"data":2468,"content":2470},{"uri":2469},"https://pushsecurity.com/blog/analysing-a-sophisticated-google-malvertising-attack/",[2471],{"nodeType":241,"value":2472,"marks":2473,"data":2474},"malvertising campaigns impersonating brands like TradingView",[],{},{"nodeType":241,"value":2476,"marks":2477,"data":2478}," and ",[],{},{"nodeType":412,"data":2480,"content":2482},{"uri":2481},"https://pushsecurity.com/blog/google-search-malvertising-campaign-continues-now-impersonating-ahrefs/",[2483],{"nodeType":241,"value":2484,"marks":2485,"data":2487},"Ahrefs",[2486],{"type":420},{},{"nodeType":241,"value":2489,"marks":2490,"data":2491}," has demonstrated how effectively search ads can funnel victims to malicious pages. ",[],{},{"nodeType":237,"data":2493,"content":2494},{},[2495],{"nodeType":241,"value":2496,"marks":2497,"data":2498},"The shared-chat technique adds a new dimension: the destination URL itself is genuine (chatgpt.com, claude.ai), which means even a cautious user who checks the URL before clicking will see nothing suspicious.",[],{},{"nodeType":290,"data":2500,"content":2501},{},[],{"nodeType":294,"data":2503,"content":2504},{},[2505],{"nodeType":241,"value":2506,"marks":2507,"data":2509},"Legitimate platform abuse is everywhere",[2508],{"type":259},{},{"nodeType":237,"data":2511,"content":2512},{},[2513],{"nodeType":241,"value":2514,"marks":2515,"data":2516},"This is one example of a much broader pattern that has become one of the defining characteristics of the 2026 threat landscape: attackers systematically abusing legitimate platforms as attack infrastructure. The scale and variety of this abuse in recent months alone is striking, and it spans every stage of the phishing chain.",[],{},{"nodeType":396,"data":2518,"content":2519},{},[2520],{"nodeType":241,"value":2521,"marks":2522,"data":2523},"Legit platform abuse for delivery",[],{},{"nodeType":237,"data":2525,"content":2526},{},[2527,2531,2539,2543,2551,2555,2563],{"nodeType":241,"value":2528,"marks":2529,"data":2530},"On the delivery side, attackers have been ",[],{},{"nodeType":412,"data":2532,"content":2534},{"uri":2533},"https://www.bleepingcomputer.com/news/security/amazon-ses-increasingly-abused-in-phishing-to-evade-detection/",[2535],{"nodeType":241,"value":2536,"marks":2537,"data":2538},"weaponizing stolen AWS credentials to send phishing through Amazon SES",[],{},{"nodeType":241,"value":2540,"marks":2541,"data":2542}," that passes SPF, DKIM, and DMARC validation because SES is a legitimate Amazon service. A Vietnamese operation dubbed ",[],{},{"nodeType":412,"data":2544,"content":2546},{"uri":2545},"https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html",[2547],{"nodeType":241,"value":2548,"marks":2549,"data":2550},"AccountDumpling used Google AppSheet's built-in email capability",[],{},{"nodeType":241,"value":2552,"marks":2553,"data":2554}," as a phishing relay to harvest 30,000 Facebook credentials. ",[],{},{"nodeType":412,"data":2556,"content":2558},{"uri":2557},"https://techcrunch.com/2026/05/21/scammers-are-abusing-an-internal-microsoft-account-to-send-spam/",[2559],{"nodeType":241,"value":2560,"marks":2561,"data":2562},"Scammers exploited Microsoft's own internal notification pipeline",[],{},{"nodeType":241,"value":2564,"marks":2565,"data":2566}," — sending phishing from the same msonlineservicesteam@microsoftonline.com address that delivers legitimate 2FA codes — with Spamhaus confirming months of ongoing abuse.",[],{},{"nodeType":396,"data":2568,"content":2569},{},[2570],{"nodeType":241,"value":2571,"marks":2572,"data":2573},"Legit platform abuse for hosting",[],{},{"nodeType":237,"data":2575,"content":2576},{},[2577,2581,2589,2593,2601],{"nodeType":241,"value":2578,"marks":2579,"data":2580},"For hosting, the platforms being abused read like a who's who of modern web infrastructure. ",[],{},{"nodeType":412,"data":2582,"content":2584},{"uri":2583},"https://www.securityweek.com/over-500-organizations-hit-in-years-long-phishing-campaign/",[2585],{"nodeType":241,"value":2586,"marks":2587,"data":2588},"Operation HookedWing ran for four years",[],{},{"nodeType":241,"value":2590,"marks":2591,"data":2592}," on GitHub Pages and Vercel, compromising 500+ organizations across more than 100 GitHub Pages domains before anyone documented it publicly. Cofense has separately ",[],{},{"nodeType":412,"data":2594,"content":2596},{"uri":2595},"https://cofense.com/blog/steal-smarter-not-harder-malicious-use-of-vercel-for-credential-phishing/",[2597],{"nodeType":241,"value":2598,"marks":2599,"data":2600},"documented the growing abuse of Vercel",[],{},{"nodeType":241,"value":2602,"marks":2603,"data":2604}," for credential phishing hosting. Pixm's Q1 2026 phishing report tracked over 100 unique Azure Blob Storage subdomain variants hosting phishing content that carried Microsoft's own domain reputation, alongside abuse of Cloudflare CDN, Cloudflare Workers, Cloudflare R2, Backblaze B2, and Supabase. ",[],{},{"nodeType":396,"data":2606,"content":2607},{},[2608],{"nodeType":241,"value":2609,"marks":2610,"data":2611},"Abuse of compromised websites that are otherwise legit",[],{},{"nodeType":237,"data":2613,"content":2614},{},[2615,2619,2627,2631,2639,2643,2651],{"nodeType":241,"value":2616,"marks":2617,"data":2618},"Compromised legitimate sites are also being repurposed at scale. A mass exploitation of a ",[],{},{"nodeType":412,"data":2620,"content":2622},{"uri":2621},"https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/",[2623],{"nodeType":241,"value":2624,"marks":2625,"data":2626},"Ghost CMS vulnerability planted ClickFix pages across 700+ websites",[],{},{"nodeType":241,"value":2628,"marks":2629,"data":2630}," including Harvard, Oxford, and DuckDuckGo subdomains. Microsoft recently documented a campaign where ",[],{},{"nodeType":412,"data":2632,"content":2634},{"uri":2633},"https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",[2635],{"nodeType":241,"value":2636,"marks":2637,"data":2638},"SEO poisoning was combined with AI chatbot recommendation manipulation",[],{},{"nodeType":241,"value":2640,"marks":2641,"data":2642}," to deliver GPU mining malware — extending the poisoning from traditional search results into AI-generated software recommendations. And ",[],{},{"nodeType":412,"data":2644,"content":2646},{"uri":2645},"https://www.helpnetsecurity.com/2026/05/27/deno-rat-malware-fake-chatgpt-claude-installers/",[2647],{"nodeType":241,"value":2648,"marks":2649,"data":2650},"fake ChatGPT and Claude installers on GitHub and SourceForge",[],{},{"nodeType":241,"value":2652,"marks":2653,"data":2654}," have been delivering the DinDoor backdoor and a Deno-based RAT via repositories that mimic legitimate developer tool distributions.",[],{},{"nodeType":237,"data":2656,"content":2657},{},[2658],{"nodeType":241,"value":2659,"marks":2660,"data":2661},"The structural problem is that every one of these platforms is genuinely legitimate, and the security controls that evaluate them — domain reputation, email authentication, URL categorization — confirm them as trusted because they are trusted. This attack extends this pattern into new territory by weaponizing the content-sharing features of AI chatbot platforms specifically, but the underlying principles are the same. ",[],{},{"nodeType":290,"data":2663,"content":2664},{},[],{"nodeType":294,"data":2666,"content":2667},{},[2668],{"nodeType":241,"value":2669,"marks":2670,"data":2672},"Impact analysis",[2671],{"type":259},{},{"nodeType":237,"data":2674,"content":2675},{},[2676,2680,2688],{"nodeType":241,"value":2677,"marks":2678,"data":2679},"Shared-chat malware delivery exploits a structural property of AI platforms that traditional security controls aren't designed to handle. Domain reputation, URL categorization, and safe browsing databases all treat chatgpt.com and claude.ai as trusted — because they are. Using these trusted pages to link off to further convincing-looking pages hosting malware allows the attacker to run campaigns that blend in, as well as rotate the phishing delivery pages later in the chain should they ever be flagged, allowing the campaign to continue without interruption (a well known ",[],{},{"nodeType":412,"data":2681,"content":2683},{"uri":2682},"https://phishing-techniques.pushsecurity.com/",[2684],{"nodeType":241,"value":2685,"marks":2686,"data":2687},"detection evasion technique",[],{},{"nodeType":241,"value":2689,"marks":2690,"data":2691},"). ",[],{},{"nodeType":237,"data":2693,"content":2694},{},[2695],{"nodeType":241,"value":2696,"marks":2697,"data":2698},"What makes the rendered-page variant particularly concerning is that it eliminates the most obvious red flag in the earlier attacks. The Claude.ai conversation variants required the victim to recognize that a shared chat instructing them to paste terminal commands might be suspicious — a tall order for many users, but at least the attack surface was visible. The rendered-page variant shows nothing that looks like an attack. It presents what appears to be a routine service disruption with a reasonable call to action: download the desktop app to continue using ChatGPT. ",[],{},{"nodeType":396,"data":2700,"content":2701},{},[2702],{"nodeType":241,"value":2703,"marks":2704,"data":2706},"How Push detected the attack",[2705],{"type":259},{},{"nodeType":237,"data":2708,"content":2709},{},[2710,2714,2718],{"nodeType":241,"value":2711,"marks":2712,"data":2713},"We've aligned our detection logic for this technique under the name ",[],{},{"nodeType":241,"value":545,"marks":2715,"data":2717},[2716],{"type":259},{},{"nodeType":241,"value":2719,"marks":2720,"data":2721}," — a technique-level detection that covers shared content abuse across LLM platforms, not tied to any single campaign or set of IOCs. ",[],{},{"nodeType":237,"data":2723,"content":2724},{},[2725],{"nodeType":241,"value":2726,"marks":2727,"data":2728},"Because Push sees the full context of how a user arrived at a page and what that page does once it renders, we can identify LLMShare attacks regardless of which AI platform is being abused or what social engineering wrapper the attacker has chosen. ",[],{},{"nodeType":237,"data":2730,"content":2731},{},[2732,2736,2742],{"nodeType":241,"value":2733,"marks":2734,"data":2735},"When we identified the initial instances of this campaign, we used our ",[],{},{"nodeType":412,"data":2737,"content":2738},{"uri":1054},[2739],{"nodeType":241,"value":2036,"marks":2740,"data":2741},[],{},{"nodeType":241,"value":2743,"marks":2744,"data":2745}," to hunt for additional examples across our customer telemetry, develop the LLMShare detection, and rapidly deploy it to customers. Push blocks users from interacting with the page before any malicious activity can occur. ",[],{},{"nodeType":237,"data":2747,"content":2748},{},[2749],{"nodeType":241,"value":2750,"marks":2751,"data":2752},"Push customers do not need to take any further action.",[],{},{"nodeType":290,"data":2754,"content":2755},{},[],{"nodeType":237,"data":2757,"content":2758},{},[2759],{"nodeType":241,"value":2108,"marks":2760,"data":2761},[],{},{"nodeType":237,"data":2763,"content":2764},{},[2765],{"nodeType":241,"value":2115,"marks":2766,"data":2767},[],{},{"nodeType":237,"data":2769,"content":2770},{},[2771,2774,2783],{"nodeType":241,"value":29,"marks":2772,"data":2773},[],{},{"nodeType":412,"data":2775,"content":2777},{"uri":2776},"https://pushsecurity.com/demo/",[2778],{"nodeType":241,"value":2779,"marks":2780,"data":2782},"Book a live demo to learn more.",[2781],{"type":420},{},{"nodeType":241,"value":29,"marks":2784,"data":2785},[],{},{"nodeType":290,"data":2787,"content":2788},{},[],{"nodeType":294,"data":2790,"content":2791},{},[2792],{"nodeType":241,"value":2793,"marks":2794,"data":2796},"Indicators of compromise",[2795],{"type":259},{},{"nodeType":237,"data":2798,"content":2799},{},[2800,2804,2812],{"nodeType":241,"value":2801,"marks":2802,"data":2803},"As we always say, short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":412,"data":2805,"content":2807},{"uri":2806},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[2808],{"nodeType":241,"value":2809,"marks":2810,"data":2811},"quickly spin up and rotate the sites used",[],{},{"nodeType":241,"value":2813,"marks":2814,"data":2815}," in the attack chain. IoC-based detections for campaigns like this are of limited value.",[],{},{"nodeType":237,"data":2817,"content":2818},{},[2819],{"nodeType":241,"value":2820,"marks":2821,"data":2822},"At the time of writing, the indicators observed were:",[],{},{"nodeType":2824,"data":2825,"content":2826},"table",{},[2827,2854,2878,2900,2923],{"nodeType":2828,"data":2829,"content":2830},"table-row",{},[2831,2843],{"nodeType":2832,"data":2833,"content":2834},"table-header-cell",{},[2835],{"nodeType":237,"data":2836,"content":2837},{},[2838],{"nodeType":241,"value":2839,"marks":2840,"data":2842},"Indicator",[2841],{"type":259},{},{"nodeType":2832,"data":2844,"content":2845},{},[2846],{"nodeType":237,"data":2847,"content":2848},{},[2849],{"nodeType":241,"value":2850,"marks":2851,"data":2853},"Type",[2852],{"type":259},{},{"nodeType":2828,"data":2855,"content":2856},{},[2857,2868],{"nodeType":2858,"data":2859,"content":2860},"table-cell",{},[2861],{"nodeType":237,"data":2862,"content":2863},{},[2864],{"nodeType":241,"value":2865,"marks":2866,"data":2867},"hxxps://claude[.]ai/share/8e6401b5-4849-46c4-a3cb-29e1c3c49131",[],{},{"nodeType":2858,"data":2869,"content":2870},{},[2871],{"nodeType":237,"data":2872,"content":2873},{},[2874],{"nodeType":241,"value":2875,"marks":2876,"data":2877},"URL",[],{},{"nodeType":2828,"data":2879,"content":2880},{},[2881,2891],{"nodeType":2858,"data":2882,"content":2883},{},[2884],{"nodeType":237,"data":2885,"content":2886},{},[2887],{"nodeType":241,"value":2888,"marks":2889,"data":2890},"hxxps://chatgpt[.]com/s/cb_6a0f1e6bbec88191aa7fede27163f08d",[],{},{"nodeType":2858,"data":2892,"content":2893},{},[2894],{"nodeType":237,"data":2895,"content":2896},{},[2897],{"nodeType":241,"value":2875,"marks":2898,"data":2899},[],{},{"nodeType":2828,"data":2901,"content":2902},{},[2903,2913],{"nodeType":2858,"data":2904,"content":2905},{},[2906],{"nodeType":237,"data":2907,"content":2908},{},[2909],{"nodeType":241,"value":2910,"marks":2911,"data":2912},"openew[.]app",[],{},{"nodeType":2858,"data":2914,"content":2915},{},[2916],{"nodeType":237,"data":2917,"content":2918},{},[2919],{"nodeType":241,"value":2920,"marks":2921,"data":2922},"Domain",[],{},{"nodeType":2828,"data":2924,"content":2925},{},[2926,2936],{"nodeType":2858,"data":2927,"content":2928},{},[2929],{"nodeType":237,"data":2930,"content":2931},{},[2932],{"nodeType":241,"value":2933,"marks":2934,"data":2935},"de8c50e8ccd240ef9d10ec26c26eeb37a4d1cad7c1e0edf3bb6e5689ec2dde78",[],{},{"nodeType":2858,"data":2937,"content":2938},{},[2939],{"nodeType":237,"data":2940,"content":2941},{},[2942],{"nodeType":241,"value":2943,"marks":2944,"data":2945},"SHA256",[],{},{"nodeType":237,"data":2947,"content":2948},{},[2949],{"nodeType":241,"value":29,"marks":2950,"data":2951},[],{},"LLMShare: how attackers are turning AI chatbot pages into malware delivery platforms","How attackers are using shared content features on AI chatbot platforms to deliver malware via pages hosted on legitimate domains, sent via malvertising.","llmshare-malvertising-campaign",{"items":2956},[2957,2959],{"sys":2958,"name":2148},{"id":2147},{"sys":2960,"name":2144},{"id":2143},{"items":2962},[2963],{"fullName":2964,"firstName":2965,"jobTitle":2966,"profilePicture":2967},"Keanu Maharaj","Keanu","Senior Security Researcher",{"url":2968},"https://images.ctfassets.net/y1cdw1ablpvd/VCGOm62jiocjwngWTh32U/e9a30637b1c76bf988d2fec90f5b6c36/1689361049351_1.png",{"__typename":1365,"sys":2970,"publishedDate":2972,"content":2973,"title":3575,"synopsis":3576,"hashTags":62,"slug":3577,"tagsCollection":3578,"authorsCollection":3588},{"id":2971},"4NY2NbkAPucFOJY45yrrrE","2026-05-28T00:00:00.000Z",{"json":2974},{"nodeType":233,"data":2975,"content":2976},{},[2977,2984,2991,2998,3004,3044,3047,3055,3062,3070,3113,3119,3126,3131,3134,3142,3149,3157,3164,3171,3187,3195,3220,3227,3233,3240,3248,3263,3291,3297,3315,3321,3329,3336,3361,3368,3375,3382,3388,3391,3399,3406,3413,3432,3440,3447,3455,3478,3490,3493,3501,3508,3515,3522,3542,3545,3551,3557],{"nodeType":237,"data":2978,"content":2979},{},[2980],{"nodeType":241,"value":2981,"marks":2982,"data":2983},"Employees have been self-adopting apps, creating unmanaged accounts, and introducing third-party software dependencies into their organizations for years, and the core problem hasn't changed: unmanaged software expanding your attack surface without your knowledge.",[],{},{"nodeType":237,"data":2985,"content":2986},{},[2987],{"nodeType":241,"value":2988,"marks":2989,"data":2990},"But the rate at which employees are signing up for AI tools is unprecedented, and the depth of interconnectivity those tools demand is fundamentally different from traditional shadow SaaS. ",[],{},{"nodeType":237,"data":2992,"content":2993},{},[2994],{"nodeType":241,"value":2995,"marks":2996,"data":2997},"AI tools aren't just standalone apps that employees sign into — they're increasingly used as agents that drive other applications, pulling data from one platform, acting on another — they are becoming a core that other apps are integrating to, and that users are integrating with their wider SaaS stack. It’s becoming a focal integration point for app access and functionality in a way that's more comparable to an enterprise cloud platform than a typical SaaS tool. ",[],{},{"nodeType":356,"data":2999,"content":3003},{"target":3000},{"sys":3001},{"id":3002,"type":361,"linkType":362},"4jsomkKmK7Vjijo8UkCQkf",[],{"nodeType":237,"data":3005,"content":3006},{},[3007,3011,3018,3022,3027,3031,3040],{"nodeType":241,"value":3008,"marks":3009,"data":3010},"The industry data backs this up. The ",[],{},{"nodeType":412,"data":3012,"content":3013},{"uri":650},[3014],{"nodeType":241,"value":3015,"marks":3016,"data":3017},"Verizon DBIR 2026",[],{},{"nodeType":241,"value":3019,"marks":3020,"data":3021}," reports that ",[],{},{"nodeType":241,"value":3023,"marks":3024,"data":3026},"45% of employees are now regular AI users on corporate devices",[3025],{"type":259},{},{"nodeType":241,"value":3028,"marks":3029,"data":3030},", up from 15% the year before. ",[],{},{"nodeType":412,"data":3032,"content":3034},{"uri":3033},"https://omdia.tech.informa.com/",[3035],{"nodeType":241,"value":3036,"marks":3037,"data":3039},"Omdia's 2026 browser security research",[3038],{"type":420},{},{"nodeType":241,"value":3041,"marks":3042,"data":3043}," presents a stronger picture, finding that 92% allow employees to use public GenAI applications. However, given that the typical company policy sanctions a small number of approved tools, this means everything else employees are using is unsanctioned by default. In other words: every organization in the survey had unsanctioned AI usage.",[],{},{"nodeType":290,"data":3045,"content":3046},{},[],{"nodeType":294,"data":3048,"content":3049},{},[3050],{"nodeType":241,"value":3051,"marks":3052,"data":3054},"The state of shadow AI, using Push data",[3053],{"type":259},{},{"nodeType":237,"data":3056,"content":3057},{},[3058],{"nodeType":241,"value":3059,"marks":3060,"data":3061},"We analyzed a snapshot of AI activity across Push customers during an average week in April 2026. We wanted to make sure it captured actual activity, not just historical data on apps that were added once and no longer used.",[],{},{"nodeType":237,"data":3063,"content":3064},{},[3065],{"nodeType":241,"value":3066,"marks":3067,"data":3069},"The numbers paint a picture that most security teams will find uncomfortable.",[3068],{"type":259},{},{"nodeType":237,"data":3071,"content":3072},{},[3073,3077,3082,3086,3091,3095,3100,3104,3109],{"nodeType":241,"value":3074,"marks":3075,"data":3076},"The average organization has ",[],{},{"nodeType":241,"value":3078,"marks":3079,"data":3081},"16 unique AI apps",[3080],{"type":259},{},{"nodeType":241,"value":3083,"marks":3084,"data":3085}," in active use, ",[],{},{"nodeType":241,"value":3087,"marks":3088,"data":3090},"17 unique AI browser extensions",[3089],{"type":259},{},{"nodeType":241,"value":3092,"marks":3093,"data":3094},", and ",[],{},{"nodeType":241,"value":3096,"marks":3097,"data":3099},"17 unique AI OAuth integrations",[3098],{"type":259},{},{"nodeType":241,"value":3101,"marks":3102,"data":3103}," connected into just Google Workspace and Microsoft 365 — with some organizations reaching as high as 40 unique AI apps, 163 AI extensions, and 55 OAuth connections to AI apps respectively. At the other end, the smallest organization with the ",[],{},{"nodeType":241,"value":3105,"marks":3106,"data":3108},"lowest",[3107],{"type":269},{},{"nodeType":241,"value":3110,"marks":3111,"data":3112}," adoption level is actively using two. ",[],{},{"nodeType":356,"data":3114,"content":3118},{"target":3115},{"sys":3116},{"id":3117,"type":361,"linkType":362},"2AfeiHub5kyZN8wuf6CJch",[],{"nodeType":237,"data":3120,"content":3121},{},[3122],{"nodeType":241,"value":3123,"marks":3124,"data":3125},"If most organizations have sanctioned one or two core AI assistants/platforms for business use, the gap between what's approved and what's actually happening is significant.",[],{},{"nodeType":356,"data":3127,"content":3130},{"target":3128},{"sys":3129},{"id":596,"type":361,"linkType":362},[],{"nodeType":290,"data":3132,"content":3133},{},[],{"nodeType":294,"data":3135,"content":3136},{},[3137],{"nodeType":241,"value":3138,"marks":3139,"data":3141},"Understanding the four categories of shadow AI",[3140],{"type":259},{},{"nodeType":237,"data":3143,"content":3144},{},[3145],{"nodeType":241,"value":3146,"marks":3147,"data":3148},"Shadow SaaS has always been a problem, but in the context of AI apps there are four categories of shadow IT that security teams need to understand, because each one introduces a different kind of risk and requires a different approach to tackling it.",[],{},{"nodeType":396,"data":3150,"content":3151},{},[3152],{"nodeType":241,"value":3153,"marks":3154,"data":3156},"Shadow AI apps",[3155],{"type":259},{},{"nodeType":237,"data":3158,"content":3159},{},[3160],{"nodeType":241,"value":3161,"marks":3162,"data":3163},"Shadow apps are AI tools that employees have signed up to and are using for business purposes without approval. This is the most visible dimension of the problem, and the one most people think of when they hear \"shadow AI\" — an employee pastes sensitive internal documents into ChatGPT, uploads confidential files to an AI assistant, or uses an unapproved coding tool to generate production code.",[],{},{"nodeType":237,"data":3165,"content":3166},{},[3167],{"nodeType":241,"value":3168,"marks":3169,"data":3170},"All of that is sensitive data leaving the organization through channels the security team can't see - and often accessible using personal accounts that can be compromised on personal devices or workstations. ",[],{},{"nodeType":237,"data":3172,"content":3173},{},[3174,3178,3183],{"nodeType":241,"value":3175,"marks":3176,"data":3177},"The 2026 DBIR's data loss prevention analysis underscores the scale — shadow AI is now the ",[],{},{"nodeType":241,"value":3179,"marks":3180,"data":3182},"third most common non-malicious insider action",[3181],{"type":259},{},{"nodeType":241,"value":3184,"marks":3185,"data":3186}," in DLP data, a 4x increase year-over-year. Across 858,000+ DLP events targeting GenAI tools, the most common data types being submitted were source code (28%), images (16%), structured data (14%), documents (13%), and PDFs (10%). That's not employees asking ChatGPT to fix their grammar — it's core intellectual property, production code, and internal documentation flowing into platforms the security team has no visibility into. But shadow apps themselves are only the most obvious part of the problem.",[],{},{"nodeType":396,"data":3188,"content":3189},{},[3190],{"nodeType":241,"value":3191,"marks":3192,"data":3194},"Shadow tenants",[3193],{"type":259},{},{"nodeType":237,"data":3196,"content":3197},{},[3198,3202,3207,3211,3216],{"nodeType":241,"value":3199,"marks":3200,"data":3201},"Even when an organization has approved an AI tool — say, an enterprise ChatGPT deployment — employees frequently access the same app with personal accounts, creating shadow tenants that sit entirely outside organizational control. The DBIR found that ",[],{},{"nodeType":241,"value":3203,"marks":3204,"data":3206},"67% of GenAI users on corporate devices are using non-corporate accounts",[3205],{"type":259},{},{"nodeType":241,"value":3208,"marks":3209,"data":3210},", and our own data shows that ",[],{},{"nodeType":241,"value":3212,"marks":3213,"data":3215},"38% of file uploads to AI tools are made from shadow accounts",[3214],{"type":259},{},{"nodeType":241,"value":3217,"marks":3218,"data":3219}," rather than approved organizational ones.",[],{},{"nodeType":237,"data":3221,"content":3222},{},[3223],{"nodeType":241,"value":3224,"marks":3225,"data":3226},"When an organization approves Claude, ChatGPT, or another core AI platform, you typically also approve the OAuth integration and browser extension for core apps (e.g. M365, Google Workspace, and so on). When that integration is approved, it is approved for all tenants — not just your corporate tenant. ",[],{},{"nodeType":356,"data":3228,"content":3232},{"target":3229},{"sys":3230},{"id":3231,"type":361,"linkType":362},"3Rvw0n28AYIM3FQXtHyafD",[],{"nodeType":237,"data":3234,"content":3235},{},[3236],{"nodeType":241,"value":3237,"marks":3238,"data":3239},"This means that even if you've deployed enterprise controls around your sanctioned AI tools — DLP policies, retention settings, admin oversight — more than a third of the file uploads hitting AI tools are bypassing those controls entirely because they're happening through personal accounts on corporate devices.",[],{},{"nodeType":396,"data":3241,"content":3242},{},[3243],{"nodeType":241,"value":3244,"marks":3245,"data":3247},"Shadow extensions",[3246],{"type":259},{},{"nodeType":237,"data":3249,"content":3250},{},[3251,3255,3259],{"nodeType":241,"value":3252,"marks":3253,"data":3254},"Many AI tools come with a browser extension counterpart, and there's a large ecosystem of third-party AI extensions that offer everything from writing assistance to automated data extraction. The average organization in our dataset has ",[],{},{"nodeType":241,"value":3087,"marks":3256,"data":3258},[3257],{"type":259},{},{"nodeType":241,"value":3260,"marks":3261,"data":3262}," deployed across its workforce, with the highest we observed reaching 163 — and since each of those average 17 different extensions may be installed by multiple employees, the actual number of individual extension installs across the organization is much higher still.",[],{},{"nodeType":237,"data":3264,"content":3265},{},[3266,3270,3278,3282,3287],{"nodeType":241,"value":3267,"marks":3268,"data":3269},"The extension dimension is particularly concerning because most extensions operate with significant privilege inside the browser — they can read and modify page content, access cookies and session tokens, and interact with virtually every web application an employee uses. As we detailed in our recent analysis of ",[],{},{"nodeType":412,"data":3271,"content":3273},{"uri":3272},"https://pushsecurity.com/blog/why-browser-extension-risk-scoring-wont-predict-your-next-breach/",[3274],{"nodeType":241,"value":3275,"marks":3276,"data":3277},"browser extension risk scoring",[],{},{"nodeType":241,"value":3279,"marks":3280,"data":3281},", at least ",[],{},{"nodeType":241,"value":3283,"marks":3284,"data":3286},"46.76% of all extensions across Push customers have the permission combinations needed to perform account takeover with no user interaction",[3285],{"type":259},{},{"nodeType":241,"value":3288,"marks":3289,"data":3290},", and the extensions involved in every major supply chain breach of the past 18 months scored as normal or low-risk beforehand.",[],{},{"nodeType":356,"data":3292,"content":3296},{"target":3293},{"sys":3294},{"id":3295,"type":361,"linkType":362},"3z4JOMALI52xoOXZkzPHLD",[],{"nodeType":237,"data":3298,"content":3299},{},[3300,3304,3311],{"nodeType":241,"value":3301,"marks":3302,"data":3303},"AI extensions add a specific wrinkle to this problem: many are branded to look like official companions to well-known AI tools but are actually third-party creations with no affiliation to the original vendor. They're not necessarily malicious at the point of installation, but they're exactly the kind of extension that's likely to be ",[],{},{"nodeType":412,"data":3305,"content":3306},{"uri":3272},[3307],{"nodeType":241,"value":3308,"marks":3309,"data":3310},"acquired and weaponized",[],{},{"nodeType":241,"value":3312,"marks":3313,"data":3314}," down the line — and in the meantime, they're collecting data that their permissions entitle them to (which, in most cases, means everything the user can see in their browser).",[],{},{"nodeType":356,"data":3316,"content":3320},{"target":3317},{"sys":3318},{"id":3319,"type":361,"linkType":362},"6K3z67rohss6H3lCsSn12B",[],{"nodeType":396,"data":3322,"content":3323},{},[3324],{"nodeType":241,"value":3325,"marks":3326,"data":3328},"Shadow integrations",[3327],{"type":259},{},{"nodeType":237,"data":3330,"content":3331},{},[3332],{"nodeType":241,"value":3333,"marks":3334,"data":3335},"The fourth dimension — and arguably the most dangerous — is shadow integrations: OAuth connections between AI tools and core enterprise apps that aren't known or approved by the security team. Even if an organization has approved an AI tool for standalone use, plugging that tool directly into Google Workspace, Microsoft 365, Salesforce, or any other one of the dozen or so SaaS apps in a typical user’s work stack is a fundamentally different risk decision, because it creates a persistent, programmatic bridge between your environment and a third party.",[],{},{"nodeType":237,"data":3337,"content":3338},{},[3339,3343,3348,3352,3357],{"nodeType":241,"value":3340,"marks":3341,"data":3342},"On average, we see ",[],{},{"nodeType":241,"value":3344,"marks":3345,"data":3347},"17 unique AI app OAuth integrations per organization",[3346],{"type":259},{},{"nodeType":241,"value":3349,"marks":3350,"data":3351}," in ",[],{},{"nodeType":241,"value":3353,"marks":3354,"data":3356},"just",[3355],{"type":269},{},{"nodeType":241,"value":3358,"marks":3359,"data":3360}," Google Workspace and Microsoft 365 (to be clear: this number excludes the dozens of downstream apps the AI assistants are integrated with as well), with the highest reaching 55. Each of those represents a unique AI product that has been granted OAuth access — the total number of individual consent grants across users is larger, because popular integrations get authorized by multiple employees independently.",[],{},{"nodeType":237,"data":3362,"content":3363},{},[3364],{"nodeType":241,"value":3365,"marks":3366,"data":3367},"The actual number of AI-related OAuth connections across the full SaaS estate is considerably higher again, because AI tools that automate workflows need to be connected to be useful — pulling data from one app, analyzing it in another, presenting results in a third.",[],{},{"nodeType":237,"data":3369,"content":3370},{},[3371],{"nodeType":241,"value":3372,"marks":3373,"data":3374},"MCP connections use OAuth to achieve this interconnectivity in the same way, and AI coding agents create a particularly concentrated version of the risk: a single agent configuration can hold OAuth tokens for Jira, Confluence, Salesforce, GitHub, and more, meaning that compromising one agent — whether through prompt injection, a malicious repository config, or a supply chain attack on an MCP server — yields persistent, broadly scoped tokens for every service it was connected to, tokens that survive session restarts and generate audit log entries indistinguishable from legitimate user activity.",[],{},{"nodeType":237,"data":3376,"content":3377},{},[3378],{"nodeType":241,"value":3379,"marks":3380,"data":3381},"It's also worth noting that OAuth blast radius is almost always larger than organizations expect. A single well-permissioned user can expose secrets, dashboards, and internal tooling without tenant-wide admin access. And every new AI tool an employee connects makes the web of abusable permissions a little wider.",[],{},{"nodeType":356,"data":3383,"content":3387},{"target":3384},{"sys":3385},{"id":3386,"type":361,"linkType":362},"4SnzJ9T93gHzFIUASx7Yb3",[],{"nodeType":290,"data":3389,"content":3390},{},[],{"nodeType":294,"data":3392,"content":3393},{},[3394],{"nodeType":241,"value":3395,"marks":3396,"data":3398},"Why shadow AI needs a different solution to shadow SaaS",[3397],{"type":259},{},{"nodeType":237,"data":3400,"content":3401},{},[3402],{"nodeType":241,"value":3403,"marks":3404,"data":3405},"The reason it's worth distinguishing between these four dimensions isn't academic. Each one requires a different control, and addressing one doesn't solve the others.",[],{},{"nodeType":237,"data":3407,"content":3408},{},[3409],{"nodeType":241,"value":3410,"marks":3411,"data":3412},"Blocking unsanctioned AI apps does nothing for the personal accounts accessing approved ones, and neither addresses the average 17 different AI extensions running with broad browser permissions, let alone the dozens of OAuth integrations that have already been granted persistent access to core enterprise apps — and even auditing OAuth in Google Workspace and Microsoft 365, where the controls are relatively mature, leaves the broader SaaS estate unaddressed, where admin tooling is inconsistent and visibility is limited.",[],{},{"nodeType":237,"data":3414,"content":3415},{},[3416,3420,3428],{"nodeType":241,"value":3417,"marks":3418,"data":3419},"The tooling gap compounds the policy gap. ",[],{},{"nodeType":412,"data":3421,"content":3423},{"uri":3422},"https://pushsecurity.com/blog/7-things-omdias-latest-report-tells-us-about-the-secure-enterprise-browser-market/",[3424],{"nodeType":241,"value":3425,"marks":3426,"data":3427},"Omdia found",[],{},{"nodeType":241,"value":3429,"marks":3430,"data":3431}," that 58% of organizations rely on secure web gateways to secure GenAI usage — but an SWG can tell you that a user visited ChatGPT, not whether they pasted your source code into the prompt. That link between knowing where data went and knowing what the user actually did is the fundamental visibility gap that makes GenAI policies unenforceable without browser-layer tooling.",[],{},{"nodeType":396,"data":3433,"content":3434},{},[3435],{"nodeType":241,"value":3436,"marks":3437,"data":3439},"Advice for security teams",[3438],{"type":259},{},{"nodeType":237,"data":3441,"content":3442},{},[3443],{"nodeType":241,"value":3444,"marks":3445,"data":3446},"The principles behind managing shadow AI are the same ones that have governed shadow SaaS and software supply chain management for years: default-deny where feasible, comprehensive inventory where it isn't, and continuous monitoring for changes that signal increased risk. But it's vital that teams act fast to stop the snowball.",[],{},{"nodeType":237,"data":3448,"content":3449},{},[3450],{"nodeType":241,"value":3451,"marks":3452,"data":3454},"That starts with visibility into which AI tools employees are actually using and which accounts they're using to access them — without that baseline, every other control is built on assumptions.",[3453],{"type":259},{},{"nodeType":237,"data":3456,"content":3457},{},[3458,3463,3467,3474],{"nodeType":241,"value":3459,"marks":3460,"data":3462},"Extensions",[3461],{"type":259},{},{"nodeType":241,"value":3464,"marks":3465,"data":3466}," need the same ",[],{},{"nodeType":412,"data":3468,"content":3469},{"uri":3272},[3470],{"nodeType":241,"value":3471,"marks":3472,"data":3473},"default-deny allowlisting approach",[],{},{"nodeType":241,"value":3475,"marks":3476,"data":3477}," that has been best practice for software management elsewhere: build a complete inventory, allowlist what's vetted, block everything else, and monitor the approved set for changes that precede weaponization.",[],{},{"nodeType":237,"data":3479,"content":3480},{},[3481,3486],{"nodeType":241,"value":3482,"marks":3483,"data":3485},"OAuth",[3484],{"type":259},{},{"nodeType":241,"value":3487,"marks":3488,"data":3489}," demands the most urgency, because each unmanaged integration is a persistent trust relationship that survives password resets and MFA changes — adopt default-deny for consent grants in your primary enterprise apps, routinely audit what's already connected, and critically extend that visibility beyond Google and Microsoft to the broader SaaS estate where the controls are weaker and the sprawl is harder to track.",[],{},{"nodeType":290,"data":3491,"content":3492},{},[],{"nodeType":294,"data":3494,"content":3495},{},[3496],{"nodeType":241,"value":3497,"marks":3498,"data":3500},"Browser visibility and control is key to de-risking AI adoption",[3499],{"type":259},{},{"nodeType":237,"data":3502,"content":3503},{},[3504],{"nodeType":241,"value":3505,"marks":3506,"data":3507},"AI usage is fundamentally browser-based activity — every LLM interaction, every prompt containing sensitive data, every AI agent authorization, every OAuth consent grant happens inside a browser session — which makes the browser the natural control point for AI governance across the workforce. ",[],{},{"nodeType":237,"data":3509,"content":3510},{},[3511],{"nodeType":241,"value":3512,"marks":3513,"data":3514},"Push tracks AI app usage and login security across the workforce, inventories and controls AI browser extensions, monitors and blocks OAuth consent flows across any app (not just the primary enterprise platforms), and gives security teams a single view of the full shadow AI picture across all four dimensions.",[],{},{"nodeType":237,"data":3516,"content":3517},{},[3518],{"nodeType":241,"value":3519,"marks":3520,"data":3521},"Shadow AI isn't a problem that will age well if ignored. Every week that passes without visibility adds more apps, more extensions, more integrations, and more potential breach paths into the environment — and as the Vercel breach demonstrated, it only takes one forgotten OAuth grant to turn an employee's idle curiosity into an organization-wide incident.",[],{},{"nodeType":237,"data":3523,"content":3524},{},[3525,3529,3538],{"nodeType":241,"value":3526,"marks":3527,"data":3528},"Learn more about how you can tackle ",[],{},{"nodeType":412,"data":3530,"content":3532},{"uri":3531},"https://pushsecurity.com/uc/shadow-ai",[3533],{"nodeType":241,"value":3534,"marks":3535,"data":3537},"Shadow AI",[3536],{"type":420},{},{"nodeType":241,"value":3539,"marks":3540,"data":3541}," with Push. ",[],{},{"nodeType":290,"data":3543,"content":3544},{},[],{"nodeType":237,"data":3546,"content":3547},{},[3548],{"nodeType":241,"value":2108,"marks":3549,"data":3550},[],{},{"nodeType":237,"data":3552,"content":3553},{},[3554],{"nodeType":241,"value":2115,"marks":3555,"data":3556},[],{},{"nodeType":237,"data":3558,"content":3559},{},[3560,3564,3572],{"nodeType":241,"value":3561,"marks":3562,"data":3563},"Book a ",[],{},{"nodeType":412,"data":3565,"content":3566},{"uri":1164},[3567],{"nodeType":241,"value":3568,"marks":3569,"data":3571},"live demo",[3570],{"type":420},{},{"nodeType":241,"value":2133,"marks":3573,"data":3574},[],{},"What Push data reveals about the state of shadow AI","Shadow AI isn't a new category of risk, it's shadow SaaS with better marketing. But AI adoption has been a genuine force multiplier for the problem.","what-push-data-reveals-about-the-state-of-shadow-ai",{"items":3579},[3580,3584],{"sys":3581,"name":3583},{"id":3582},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"sys":3585,"name":3587},{"id":3586},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"items":3589},[3590],{"fullName":2152,"firstName":2153,"jobTitle":2154,"profilePicture":3591},{"url":2156},"why-you-cant-control-ai-without-being-in-the-browser","blog/why-you-cant-control-ai-without-being-in-the-browser","AI visibility and control is a feature. Browser security is the foundation.",{"json":3596},{"data":3597,"content":3598,"nodeType":233},{},[3599],{"data":3600,"content":3601,"nodeType":237},{},[3602],{"data":3603,"marks":3604,"value":3605,"nodeType":241},{},[],"Why the right browser security tool makes a separate AI visibility and control purchase unnecessary — and how to decide what you actually need.",{"id":3607,"publishedAt":3608},"I5SoVIYsYVgutpLIzZRpC","2026-06-02T05:21:33.551Z",{"items":3610},[3611,3613],{"sys":3612,"name":3587},{"id":3586},{"sys":3614,"name":3583},{"id":3582},"1yBjoer_SeES4CDefqSEfcSf1ISZjtR3-bzW9rkCKm4",1780385366496]