How does Push detect and prevent phishing attacks?

You can use Push to detect when an end-user has entered their identity provider password on a login page that does not belong to a recognized app.

Based on your configured settings, Push can then either report the presumed phishing attempt to administrators without notifying the end-user or block the end-user from submitting their IdP password on the potentially suspicious site.

This capability is powered by the Push browser agent. You can configure the Phishing prevention feature on the Settings page of the Push admin console. By default, this feature is in Monitor mode.

To use this feature, you must ensure your employees’ browsers are enrolled in Push by installing the Push browser extension and assigning them a license in the platform.

How does it work?

When observing logins, the Push browser extension generates a salted partial hash of the user’s password, known as a fingerprint. This fingerprint is then stored locally to allow Push to perform comparisons. Learn more about how the extension securely observes passwords in this help article.

To detect possible phishing attempts, the extension compares the observed password fingerprint to known fingerprints for identity provider passwords that already exist in local storage. This means that the extension must have observed the end-user logging into their IdP account at least once before phishing prevention can start detecting attacks.

Push can detect the following identity providers:

  • Okta

  • Microsoft 365

  • Google Workspace

  • JumpCloud

  • Duo

  • Ping Identity

If an employee has entered a known IdP password on a webpage that Push doesn’t recognize, it will enforce the Phishing prevention settings set by an administrator.

Phishing prevention config screen - KB 10109

Note: The browser agent will not flag a login when the login page is on one of the company's configured domains, is on the ignore list under Settings > Advanced, or is served from a private IP address range, including localhost.

What will end-users see?

If the feature is in Monitor mode, employees will not be notified that a potential phishing event was detected and they will not be blocked from submitting their password. The Push platform will emit a webhook event that administrators can ingest into a SIEM or other monitoring tool.

If the feature is in Block mode, employees who enter their IdP password on an unrecognized webpage will be redirected immediately to a Push-hosted page with the following message:

Phishing block screen for end-users - KB 10109

The event will also be emitted as a webhook event.

How do I get alerted to suspected phishing events?

The Push platform provides a webhook event PASSWORD_PHISHING that administrators can listen for in their SIEM or other monitoring tool.

These events are not currently displayed in the Push admin console.

Read more in our developer documentation.

Recommendations on using Block mode

Push recommends using this feature in Monitor mode for a few weeks before you enable Block mode. This will allow you to find any sites in your environment that cause false positives, such as sites that are configured to legitimately use IdP credentials for authentication.

Monitor for webhook events during this testing period, and then add any sites that generate false positives to the Ignore specific domains list.

Ignore domains list for phishing prevention - KB 10109

Once you have tested the feature and updated the ignore list, then you can enable Block mode.