Can I use Push to detect phishing tools like EvilNoVNC, Evilginx, Modlishka, or Muraena?

Yes. The Push browser agent can detect when employees visit websites that are using phishing toolkits such as EvilNoVNC, Evilginx, Modlishka, Muraena, and others. Based on your configuration, Push can then warn employees about those phishing sites or block access to them.

These kinds of Adversary-in-the-Middle (AitM) malware can mimic legitimate login screens in order to steal credentials and bypass MFA.

You can enable Phishing tool detection on the Controls page of the Push admin console.

Learn more about how Push can help you detect and prevent phishing attacks in this related article.

How does phishing tool detection work?

The Push browser agent analyzes the behavioral attributes of phishing tools (that is, "something the malware does") rather than just a static signature like a URL path or domain.

When Push detects a phishing tool in use on a website that an employee is trying to access, Push will enforce the Phishing tool detection settings set by an administrator.

Phishing toolkit detection config page - KB 10113

Note: The browser agent will not flag a webpage that is in the company domain(s), is on the ignore list under Settings > Advanced, or is in a private IP address space, including localhost.
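To see which URLs fall outside detection under the note above, for example when reviewing an ignore list during Monitor mode, the three exemptions can be modelled as below. This is an added example, not Push's code: the function name, the subdomain-matching rule, and reading "private IP address space" as RFC 1918 plus IPv6 unique-local ranges are assumptions, and hostnames are not resolved.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: "private IP address space" means RFC 1918 and IPv6 unique-local.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def _covers(host, domains):
    # Assumption: an entry covers the domain and its subdomains. Matching on a
    # label boundary keeps "example-corp.com.evil.example" from being exempt.
    cleaned = [d.lower().strip(".") for d in domains]
    return any(host == d or host.endswith("." + d) for d in cleaned)

def exemption_reason(url, company_domains, ignore_list):
    """Return why a URL is outside detection scope, or None if it is in scope."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "no-host"
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not an IP literal
    if ip is not None:
        if ip.is_loopback:
            return "localhost"
        if any(ip in net for net in PRIVATE_NETS):
            return "private-ip"
        return None
    if _covers(host, company_domains):
        return "company-domain"
    if _covers(host, ignore_list):
        return "ignore-list"
    return None

if __name__ == "__main__":
    # Constructed sample data, not taken from any real environment.
    company = ["example-corp.com"]
    ignored = ["partner.example.net"]
    for u in ("https://login.example-corp.com/sso",
              "https://example-corp.com.evil.example/login",
              "http://192.168.1.20:8080/", "http://[::1]/",
              "https://partner.example.net/", "https://8.8.8.8/"):
        print(u, "->", exemption_reason(u, company, ignored))
```

Every broad entry on the ignore list widens the set of sites that return a reason here, so keep entries as specific as the false positive requires.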

What will end-users see?

If the feature is in Monitor mode, employees will not be notified that a phishing tool was detected and they will not be blocked from accessing the website. The Push platform will emit a webhook event that administrators can ingest into a SIEM or other monitoring tool.

In Warn mode, employees who attempt to access a website where Push detects a phishing tool in use will immediately see a custom warning message. They must click the acknowledgement button to proceed if they are sure the site is trusted.

If the feature is in Block mode, employees will immediately see a block page with your custom block message and be unable to access the site.

Phishing toolkit block page - KB 10113
Customizable block page

Markdown for styling custom message

The custom message field for the block page supports link and email syntax using markdown, but no other formatting.

Example markdown:

  • [Push Security](https://pushsecurity.com)

  • [Steph](mailto:steph@ctrlaltsecure.com)

How do I get alerts about detected phishing tools?

To receive detection events, you will need to consume a webhook event from Push via your SIEM or similar platform.

These events are not currently displayed in the Push admin console.

Read more in our developer documentation.

Recommendations on using Warn and Block mode

By default, this feature is in Monitor mode. We recommend running the detection in Monitor for a little while to discover any false positives in your environment. You can add any sites that generate false positives to the Ignore specific domains list.

Then, when you’re ready, enable Warn or Block mode with your custom end-user message.