How does Push detect cloned login pages?
Push can detect when employees visit sites using cloned login screens. Adversaries use cloned login pages, often disguised to look like identity provider login pages, to steal credentials.
On the Controls page of the Push admin console, you can enable Cloned login page detection. Push will then emit a webhook event when it detects that an employee has visited a page that appears to be a clone of a legitimate login page.
It does this by fingerprinting the page structure and resources of your legitimate login pages and monitoring for pages that are very similar.
The Cloned login page detection feature can identify clones of the following legitimate providers’ login and signup pages:
Google Workspace
Microsoft 365
Okta
JumpCloud
Duo Security
Ping Identity
IBM identity provider
SAP identity provider
GitHub
AWS
When Push detects a cloned login page, it will emit a webhook event that you can view on the Events page of the admin console (as part of a rolling 7-day snapshot of all events) and that you can ingest into a SIEM or other tool.
Specify your custom login page domains
Some identity providers and apps, such as Okta, allow you to set a custom domain for your login page.
If you use any custom domains for the providers listed above, you must specify those domains on the Settings page by going to Advanced > Custom login URLs. Otherwise, Push will not be able to create a baseline for comparison between those legitimate login pages and any cloned pages that it detects.
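To illustrate why the baseline and the custom-domain list both matter, here is an added example (not Push's code or its actual algorithm) of fingerprint-based clone detection. The fingerprint scheme (tag n-grams plus resource file names), the 0.8 threshold, and all hostnames and markup are assumptions constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageShape(HTMLParser):
    """Collects the tag sequence and the file names of referenced resources."""
    def __init__(self):
        super().__init__()
        self.tags, self.resources = [], set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Key inputs by type so a password field is part of the page shape.
        self.tags.append(f"input:{a.get('type')}" if tag == "input" else tag)
        if tag in ("script", "link", "img"):
            ref = a.get("src") or a.get("href")
            if ref:  # keep the file name only: clones often re-host assets
                self.resources.add(urlparse(ref).path.rsplit("/", 1)[-1])

def fingerprint(html, n=3):
    """Set of tag n-grams plus resource file names (assumed, simplified scheme)."""
    p = PageShape()
    p.feed(html)
    grams = {" ".join(p.tags[i:i + n]) for i in range(len(p.tags) - n + 1)}
    return grams | {"res:" + r for r in p.resources if r}

def similarity(a, b):
    """Jaccard similarity of two fingerprints."""
    return len(a & b) / len(a | b) if a | b else 0.0

def is_suspected_clone(url, html, baseline, legit_hosts, threshold=0.8):
    # Pages served from the provider's own or configured custom domains are
    # the baseline itself, so they are never reported.
    if (urlparse(url).hostname or "") in legit_hosts:
        return False
    return similarity(fingerprint(html), baseline) >= threshold

# Constructed sample pages and hostnames (not real provider markup).
PAGE_BODY = ('<html><head><link rel="stylesheet" href="/assets/login.css">'
             '<script src="/assets/sso.js"></script></head><body>'
             '<form action="/signin"><img src="/assets/logo.png">'
             '<input type="email"><input type="password">'
             '<button>Sign in</button></form>')
LEGIT = PAGE_BODY + '</body></html>'
CLONE = PAGE_BODY + '<script src="/x/track.js"></script></body></html>'
OTHER = ('<html><head><title>Blog</title></head><body><h1>Post</h1>'
         '<p>text</p><img src="/img/cat.png"></body></html>')
LEGIT_HOSTS = {"idp.example.com", "login.corp.example"}  # 2nd: custom login domain
BASELINE = fingerprint(LEGIT)
```

If the custom domain were missing from `LEGIT_HOSTS`, the organization's own login page would match its baseline perfectly and be reported as a clone, which is why the sketch treats the host list and the baseline as one configuration.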
How to create a configuration rule
You can configure this control to apply to all employees, employee groups, or just specific individuals. You can also create an exception for specific employees or employee groups who will be exempted from this control.
When you enable the control, you’ll create a configuration rule that sets the Mode (Off or Monitor) and the Scope (all employees, specific groups, or specific individuals).
To exempt an individual or group, create a rule where the Mode is set to Off and then choose the group or people who should be exempted.