[{"data":1,"prerenderedAt":20720},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":99,"navbar-resource-highlight":173,"use-case-page":217,"fa-icon-regular-faFishingRod":1239,"fa-icon-regular-faPuzzlePiece":1243,"fa-icon-regular-faUserSecret":1245,"fa-icon-regular-faRadar":1247,"fa-icon-regular-faLaptopCode":1249,"fa-icon-regular-faSatelliteDish":1251,"fa-icon-regular-faShieldCheck":1253,"fa-icon-regular-faBrainCircuit":1255,"video-carousel":1257,"home-page-v-2":1356,"latestResourcesBlogPosts":1608,"supported-browsers":20202,"push-partner":20350,"product-outcomes":20619},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"2u3s8indql4",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"query":41,"data":42,"variations":88,"lastUpdated":89,"firstPublished":90,"testRatio":23,"createdBy":91,"lastUpdatedBy":92,"folders":93,"meta":94,"rev":98},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":84},"ewrererw","testrfesssssssssss",[46,72],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":62},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":61},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks\u003C/p>","text-base",{"content":60,"fontSize":58,"url":55},"\u003Cp>\u003Cstrong style=\"font-weight:700;\">Save Your Spot\u003C/strong>\u003C/p>\n",null,{"large":63},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"marginTop":69,"marginBottom":69,"fontSize":70,"fontWeight":71},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"id":73,"@type":47,"tagName":74,"properties":75,"responsiveStyles":79},"builder-pixel-ppq48ew4f5","img",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":80},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},"block","hidden","none",{"deviceSize":85,"location":86},"large",{"path":29,"query":87},{},{},1775137295127,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","ax7YYfD0OCeqT1Vxxv1G4FUbqVr1",[],{"breakpoints":95,"hasLinks":6,"kind":96,"lastPreviewUrl":97,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default","9fh8c06rvi8",[100,136],{"createdDate":101,"id":102,"name":103,"modelId":104,"published":13,"stageModifiedSincePublish":6,"query":105,"data":106,"variations":129,"lastUpdated":130,"firstPublished":131,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":132,"meta":133,"rev":135},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":107,"type":108,"testimonialLink":109,"testimonial":110},{},"testimonial","/customer-stories/inductive-automation",{"@type":111,"id":112,"model":108,"value":113},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":114,"folders":115,"createdDate":116,"id":112,"name":117,"modelId":118,"published":13,"data":119,"variations":123,"lastUpdated":124,"firstPublished":125,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"meta":126,"rev":128},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":120,"jobTitle":121,"quote":117,"image":122},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":127,"hasAutosaves":34},{"small":32,"medium":33},"9apbneoil7a",{},1776247404986,1776247404973,[],{"breakpoints":134,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"mwtjpfjaac",{"createdDate":137,"id":138,"name":139,"modelId":104,"published":13,"meta":140,"stageModifiedSincePublish":6,"query":142,"data":143,"variations":169,"lastUpdated":170,"firstPublished":171,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":172,"rev":135},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":141,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":144,"link":163,"type":166,"title":139,"description":167,"image":168},{"@type":111,"id":145,"model":108,"value":146},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":147,"folders":148,"createdDate":149,"id":145,"name":150,"modelId":118,"published":13,"data":151,"variations":157,"lastUpdated":158,"firstPublished":159,"testRatio":23,"createdBy":91,"lastUpdatedBy":24,"meta":160,"rev":162},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":152,"jobTitle":153,"author":154,"qoute":29,"quote":155,"image":156},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":161,"hasAutosaves":34},{"small":32,"medium":33},"wi59cuc7wfh",{"text":164,"url":165},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[174,196],{"createdDate":175,"id":176,"name":139,"modelId":177,"published":13,"meta":178,"stageModifiedSincePublish":6,"query":180,"data":181,"variations":191,"lastUpdated":192,"firstPublished":193,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":194,"rev":195},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":179,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":182,"link":190,"type":166,"title":139,"description":167,"image":168},{"@type":111,"id":145,"model":108,"value":183},{"query":184,"folders":185,"createdDate":149,"id":145,"name":150,"modelId":118,"published":13,"data":186,"variations":187,"lastUpdated":158,"firstPublished":159,"testRatio":23,"createdBy":91,"lastUpdatedBy":24,"meta":188,"rev":162},[],[],{"video":152,"jobTitle":153,"author":154,"qoute":29,"quote":155,"image":156},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":189,"hasAutosaves":34},{"small":32,"medium":33},{"text":164,"url":165},{},1776256937553,1776256937540,[],"1t4cxgjnfe",{"createdDate":197,"id":198,"name":199,"modelId":177,"published":13,"stageModifiedSincePublish":6,"query":200,"data":201,"variations":211,"lastUpdated":212,"firstPublished":213,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":214,"meta":215,"rev":195},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":202,"type":108,"testimonial":203,"testimonialLink":109},{},{"@type":111,"id":112,"model":108,"value":204},{"query":205,"folders":206,"createdDate":116,"id":112,"name":117,"modelId":118,"published":13,"data":207,"variations":208,"lastUpdated":124,"firstPublished":125,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"meta":209,"rev":128},[],[],{"author":120,"jobTitle":121,"quote":117,"image":122},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":210,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":216,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[218,402,521,640,758,878,998,1118],{"createdDate":219,"id":220,"name":221,"modelId":222,"published":13,"stageModifiedSincePublish":6,"query":223,"data":229,"variations":390,"lastUpdated":391,"firstPublished":392,"testRatio":23,"screenshot":393,"createdBy":91,"lastUpdatedBy":394,"folders":395,"meta":396,"rev":401},1744829487099,"387451215c314dd5bd654668cdc1a197","Zero-day phishing","cca4143377554c5a9163cc203a8ed2ba",[224],{"@type":225,"property":226,"operator":227,"value":228},"@builder.io/core:Query","urlPath","is","/uc/zero-day-phishing-protection",{"inputs":230,"customFonts":231,"seoTitle":279,"title":279,"tsCode":29,"seoDescription":280,"fontAwesomeIcon":281,"jsCode":29,"blocks":282,"url":228,"state":387},[],[232],{"family":233,"kind":234,"version":235,"lastModified":236,"files":237,"category":256,"menu":257,"subsets":258,"variants":261},"DM Sans","webfonts#webfont","v14","2023-07-13",{"100":238,"200":239,"300":240,"500":241,"600":242,"700":243,"800":244,"900":245,"800italic":246,"900italic":247,"700italic":248,"100italic":249,"italic":250,"regular":251,"200italic":252,"500italic":253,"300italic":254,"600italic":255},"https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAop1hTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwA_JxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAkJxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAfJthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwARZthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAIpthTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAC5thTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8gCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9uCm3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDG3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxhTmf3ZGMZpg.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat8JDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat-7DW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat_XDW3zRmYJpso5.ttf","https://fonts.gstatic.com/s/dmsans/v14/rP2rp2ywxg089UriCZaSExd86J3t9jz86Mvy4qCRAL19DksVat9XCm3zRmYJpso5.ttf","sans-serif","https://fonts.gstatic.com/s/dmsans/v14/rP2tp2ywxg089UriI5-g4vlH9VoD8CmcqZG40F9JadbnoEwAopxRT23z.ttf",[259,260],"latin","latin-ext",[262,263,264,265,266,267,71,268,269,270,271,272,273,274,275,276,277,278],"100","200","300","regular","500","600","800","900","100italic","200italic","300italic","italic","500italic","600italic","700italic","800italic","900italic","Zero-day phishing protection","Detect phishing TTPs directly in the browser and stop credential theft.","faFishingRod",[283,382],{"@type":47,"@version":48,"tagName":284,"id":285,"children":286},"div","builder-76c6b8d1499346c7bc1fd56ae4e93638",[287,304,312,319,331,346,357,368,374],{"@type":47,"@version":48,"layerName":288,"id":289,"component":290,"responsiveStyles":301},"UseCaseHero","builder-5228fe062bef4a40a91e43f1112832fa",{"name":288,"options":291,"isRSC":61},{"title":279,"description":292,"points":293,"video":300},"\u003Cp>Push detects phishing as it happens. Autonomous agents hunt for new phishing techniques, identify kit signatures, and deploy detections within minutes of a new attack being analyzed. From cloned login pages to AiTM credential harvesting, Push sees what traditional filters miss and stops threats before they escalate.\u003C/p>",[294,296,298],{"item":295},"Detect phishing that bypasses traditional filters, including AiTM, SSO password theft, and fake login pages",{"item":297},"Stop never-before-seen attacks with AI-native behavioral and on-page analysis inside the browser",{"item":299},"Investigate faster with unified browser, user, and page context","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F40433ceeb4f94b43a82e039a0f4fd411%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=40433ceeb4f94b43a82e039a0f4fd411&alt=media&optimized=true",{"large":302},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":303},"transparent",{"@type":47,"@version":48,"id":305,"component":306,"responsiveStyles":309},"builder-96634044407e491299e291ed64669e39",{"name":307,"options":308,"isRSC":61},"TrustedBy",{"AllPartners":34,"backgroundTransparent":6},{"large":310},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":311},"#000",{"@type":47,"@version":48,"id":313,"component":314,"responsiveStyles":317},"builder-2c3768f930534557bb8978e32b6a6a0f",{"name":315,"options":316,"isRSC":61},"Diagonal",{"darkMode":34},{"large":318},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"layerName":320,"id":321,"component":322,"responsiveStyles":329},"TextImageBlockVertical","builder-7c3c1c2840424db2ad2ccbfaf382dd64",{"name":320,"tag":320,"options":323,"isRSC":61},{"darkMode":6,"maxWidth":324,"maxTextWidth":325,"title":326,"description":327,"animatedTitle":29,"image":328,"reverse":6,"descriptionPaddingHorizontal":61},1200,800,"\u003Ch2>Why stop at the inbox?\u003C/h2>","\u003Cp>Phishing attacks have evolved. Whether attackers lure users with QR codes, instant messages, or OAuth consent screens, the outcome is the same: it plays out in the browser. Push gives you real-time detection for in-browser threats, stopping phishing and consent-based attacks before they lead to compromise\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7fdcac241f0e4a049166d7076858adeb",{"large":330},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":332,"component":333,"responsiveStyles":341},"builder-41c978b3669749cf947e622b4e79e4d7",{"name":334,"options":335,"isRSC":61},"TextImageBlockHorizontal",{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":337,"title":338,"description":339,"reverse":34,"image":340},600,100,"\u003Cp>Detect phishing at the edge\u003C/p>","\u003Cp>Push uses industry-first telemetry to detect phishing based on behavior, not static indicators. Autonomous agents analyze how phishing pages behave and how users interact with them, uncovering fake logins, credential theft, and phishing kits the moment they load in the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9df3d180c97b4e61af142af2ccd68721",{"large":342},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":343,"paddingTop":344,"marginTop":345},"DM Sans, sans-serif","20px","0px",{"@type":47,"@version":48,"id":347,"component":348,"responsiveStyles":354},"builder-d2a7bc941feb43cdb898bc116b203cf9",{"name":334,"options":349,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":350,"title":351,"description":352,"reverse":6,"image":353},120,"\u003Ch2>Go beyond blocklists and IOCs\u003C/h2>","\u003Cp>Push goes beyond URLs and easy-to-change indicators. It reads the full phishing playbook like script behavior, session hijacks, DOM changes, user inputs, then connects the dots in real time. This gives your team a complete picture of how the phishing attempt worked, not just an alert.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fabfd58db169b433e96d3f1261797156e",{"large":355},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":356},"36px",{"@type":47,"@version":48,"layerName":334,"id":358,"component":359,"responsiveStyles":365},"builder-42c32198083f4880acb37c5cb76934da",{"name":334,"options":360,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":361,"title":362,"description":363,"reverse":34,"image":364},140,"\u003Ch2>Enhance your phishing response\u003C/h2>","\u003Cp>When phishing enters your environment, speed matters. Push gives you instant access to the telemetry that counts like session data, user behavior, and page activity, so you can investigate fast, trigger in-browser prompts, or forward alerts to your SIEM or SOAR for response. All in real time, right from the browser.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbb195aec46904056b85e8688629e558e",{"large":366},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":367},"47px",{"@type":47,"@version":48,"id":369,"component":370,"responsiveStyles":372},"builder-9a95b9cbc4854421a92ef7b90f6c7adb",{"name":315,"options":371,"isRSC":61},{"darkMode":6},{"large":373},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":375,"component":376,"responsiveStyles":380},"builder-0afa17a9f25c4661a90f314d5578aa18",{"name":377,"tag":377,"options":378,"isRSC":61},"LatestResources",{"sectionHeading":29,"customClass":379},"bg-black",{"large":381},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":383,"@type":47,"tagName":74,"properties":384,"responsiveStyles":385},"builder-pixel-3swd5wh25am",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":386},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":388},{"path":29,"query":389},{},{},1776275046831,1745499158657,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fff60c30a8442489c8ed7e0af9599d14f","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"lastPreviewUrl":397,"winningTest":61,"breakpoints":398,"kind":399,"hasLinks":6,"originalContentId":400,"hasAutosaves":6},"https://pushsecurity.com/uc/zero-day-phishing-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=387451215c314dd5bd654668cdc1a197&builder.overrides.387451215c314dd5bd654668cdc1a197=387451215c314dd5bd654668cdc1a197&builder.overrides.use-case-page:/uc/zero-day-phishing-protection=387451215c314dd5bd654668cdc1a197&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"page","2daa5670b8504fc7ba4700633e8bd921","xsafp15hcqg",{"createdDate":403,"id":404,"name":405,"modelId":222,"published":13,"stageModifiedSincePublish":6,"query":406,"data":409,"variations":513,"lastUpdated":514,"firstPublished":515,"testRatio":23,"screenshot":516,"createdBy":91,"lastUpdatedBy":394,"folders":517,"meta":518,"rev":401},1756833377777,"54f8256648f54d439303734b1e69221b","Browser extension security",[407],{"@type":225,"property":226,"operator":227,"value":408},"/uc/browser-extension-security",{"seoDescription":410,"jsCode":29,"fontAwesomeIcon":411,"tsCode":29,"title":405,"seoTitle":405,"customFonts":412,"inputs":417,"blocks":418,"url":408,"state":510},"Shine a light on risky browser extensions.","faPuzzlePiece",[413],{"kind":234,"family":233,"version":235,"files":414,"category":256,"lastModified":236,"subsets":415,"variants":416,"menu":257},{"100":238,"200":239,"300":240,"500":241,"600":242,"700":243,"800":244,"900":245,"100italic":249,"italic":250,"regular":251,"900italic":247,"800italic":246,"700italic":248,"200italic":252,"300italic":254,"500italic":253,"600italic":255},[259,260],[262,263,264,265,266,267,71,268,269,270,271,272,273,274,275,276,277,278],[],[419,505],{"@type":47,"@version":48,"tagName":284,"id":420,"meta":421,"children":422},"builder-71d0648c1d2f4ede8d0d0b5b28b7b94c",{"previousId":285},[423,439,446,453,462,472,482,492,499],{"@type":47,"@version":48,"id":424,"meta":425,"component":426,"responsiveStyles":437},"builder-ff325b4b8fad4edea53f38865947e854",{"previousId":289},{"name":288,"options":427,"isRSC":61},{"title":405,"description":428,"points":429,"video":436},"\u003Cp>Browser extensions introduce new code, new permissions, and new potential for risk. Many include AI features, and most go completely unnoticed. Push gives you full visibility into every extension used across your workforce, across major browsers, so you can uncover shadow IT, assess risky permissions, and block unsafe tools before they lead to compromise.\u003C/p>",[430,432,434],{"item":431},"Discover every browser extension in use",{"item":433},"Spot risky or unsanctioned behavior",{"item":435},"Make informed decisions on extension policy","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc538aad95d7f403aa3c3551af72f67c0?alt=media&token=1411fa6d-2eac-4e6c-94bf-ea117da12d67&apiKey=f3a1111ff5be48cdbb123cd9f5795a05",{"large":438},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":303},{"@type":47,"@version":48,"id":440,"meta":441,"component":442,"responsiveStyles":444},"builder-fb89d128c64e47cf9cbb11d90fc24523",{"previousId":305},{"name":307,"options":443,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":445},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":311},{"@type":47,"@version":48,"id":447,"meta":448,"component":449,"responsiveStyles":451},"builder-54388d35126c4d0096eeebaf8c4448cd",{"previousId":313},{"name":315,"options":450,"isRSC":61},{"darkMode":34},{"large":452},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"layerName":320,"id":454,"component":455,"responsiveStyles":460},"builder-3c8fa6785dd6466abf52a2470d66d85a",{"name":320,"tag":320,"options":456,"isRSC":61},{"darkMode":6,"maxWidth":324,"maxTextWidth":325,"title":457,"description":458,"image":459,"reverse":6},"\u003Ch2>Take control of browser extensions\u003C/h2>","\u003Cp>Attackers are increasingly using malicious browser extensions to gain access to data processed and stored in the browser. And the problem is, most security teams have no visibility into what extensions are being used. Push changes that. With browser-native telemetry, the Push extension continuously inventories browser extensions across your environment, flags the risky ones, and gives you intelligence to act. \u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0a004f16a6874f4c8fdf14344acc9fec",{"large":461},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":463,"meta":464,"component":465,"responsiveStyles":470},"builder-93738f98109a4009affb349afd7bb182",{"previousId":332},{"name":334,"options":466,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":337,"title":467,"description":468,"reverse":34,"image":469},"\u003Ch2>Discover every extension in use\u003C/h2>","\u003Cp>Push gives you structured, searchable data about every extension in your environment, so you’re not just seeing what’s there, but also understanding how it got there, what it can do, and who it affects. It’s the kind of granular insight that’s nearly impossible to get from traditional tools, and it lays the groundwork for better policy decisions and faster investigations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0e5727ca99474f14b1b7916bf6bbb782",{"large":471},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":343,"paddingTop":344,"marginTop":345},{"@type":47,"@version":48,"id":473,"meta":474,"component":475,"responsiveStyles":480},"builder-83393acb12ee4fdd840839185b51edb4",{"previousId":347},{"name":334,"options":476,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":350,"title":477,"description":478,"reverse":6,"image":479},"\u003Ch2>Spot risky or malicious extensions\u003C/h2>","\u003Cp>Push highlights extensions with dangerous permissions, broad access, or poor reputations. This includes AI extensions that request access far beyond what their stated purpose requires. You can quickly detect sideloaded, manually installed, or development-mode extensions that bypass normal controls. And because Push shows you who’s using them and where, you can respond precisely and effectively.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa104d58c8da34fbb8901f738fb21453b",{"large":481},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":356},{"@type":47,"@version":48,"layerName":334,"id":483,"meta":484,"component":485,"responsiveStyles":490},"builder-da98e3de949646d89c53a0d1c2784664",{"previousId":358},{"name":334,"options":486,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":361,"title":487,"description":488,"reverse":34,"image":489},"\u003Ch2>Accelerate security reviews\u003C/h2>","\u003Cp>Most teams have extension policies, they just don’t have the data to enforce them. Push reveals how each extension entered your environment, whether it was installed manually, sideloaded, or deployed in dev mode. You’ll see which users are running what, and where, so you can surface violations, investigate quickly, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F229f355be6f243b180f410d237a75bb3",{"large":491},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":367},{"@type":47,"@version":48,"id":493,"meta":494,"component":495,"responsiveStyles":497},"builder-1a689287d1a1418997d57db578a71105",{"previousId":369},{"name":315,"options":496,"isRSC":61},{"darkMode":6},{"large":498},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":500,"component":501,"responsiveStyles":503},"builder-feb4e75029f84c10b6498ef1f8f79128",{"name":377,"tag":377,"options":502,"isRSC":61},{"sectionHeading":29,"customClass":379},{"large":504},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":506,"@type":47,"tagName":74,"properties":507,"responsiveStyles":508},"builder-pixel-7q0uzy7ijzd",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":509},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":511},{"path":29,"query":512},{},{},1776275365038,1757000441666,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8d496cf111644ee5afcc046b72d1ca5a",[],{"kind":399,"winningTest":61,"breakpoints":519,"lastPreviewUrl":520,"hasLinks":6,"originalContentId":220,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/browser-extension-security?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=54f8256648f54d439303734b1e69221b&builder.overrides.54f8256648f54d439303734b1e69221b=54f8256648f54d439303734b1e69221b&builder.overrides.use-case-page:/uc/browser-extension-security=54f8256648f54d439303734b1e69221b&builder.options.locale=Default",{"createdDate":522,"id":523,"name":524,"modelId":222,"published":13,"query":525,"data":528,"variations":631,"lastUpdated":632,"firstPublished":633,"testRatio":23,"screenshot":634,"createdBy":91,"lastUpdatedBy":635,"folders":636,"meta":637,"rev":401},1744923509705,"94bebb7bb99d48629ad157e80cf4d81d","Account takeover detection",[526],{"@type":225,"property":226,"operator":227,"value":527},"/uc/account-takeover-detection",{"title":524,"customFonts":529,"jsCode":29,"seoTitle":524,"seoDescription":534,"fontAwesomeIcon":535,"tsCode":29,"blocks":536,"url":527,"state":628},[530],{"kind":234,"category":256,"variants":531,"menu":257,"files":532,"family":233,"subsets":533,"version":235,"lastModified":236},[262,263,264,265,266,267,71,268,269,270,271,272,273,274,275,276,277,278],{"100":238,"200":239,"300":240,"500":241,"600":242,"700":243,"800":244,"900":245,"300italic":254,"500italic":253,"800italic":246,"700italic":248,"italic":250,"900italic":247,"600italic":255,"200italic":252,"regular":251,"100italic":249},[259,260],"Stop ATO with stolen credential and compromised token detection.","faUserSecret",[537,623],{"@type":47,"@version":48,"tagName":284,"id":538,"meta":539,"children":540},"builder-e7913a774cae44c5a23d6081c5c30a52",{"previousId":285},[541,557,564,571,580,590,600,610,617],{"@type":47,"@version":48,"id":542,"meta":543,"component":544,"responsiveStyles":555},"builder-f1f1ab1601bc4c0f8c2a8aafd173675d",{"previousId":289},{"name":288,"options":545,"isRSC":61},{"title":524,"description":546,"points":547,"video":554},"\u003Cp>Attackers don’t need to phish, they just need a password that works. Push monitors for signs of credential-based attacks in real time, directly in the browser, catching account takeover attempts before the damage spreads. From ghost logins to credential stuffing, Push cuts off the paths attackers use to quietly slip in the back door.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[548,550,552],{"item":549},"Identify credential-based ATO as it unfolds",{"item":551},"Surface hijacked sessions and token misuse",{"item":553},"Strengthen authentication where your IdP can’t","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb4dd9db24bc9495b8a686b1b4d492016%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=b4dd9db24bc9495b8a686b1b4d492016&alt=media&optimized=true",{"large":556},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":303},{"@type":47,"@version":48,"id":558,"meta":559,"component":560,"responsiveStyles":562},"builder-0bc0d1c78ece4994993c3a6427a4d533",{"previousId":305},{"name":307,"options":561,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":563},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":311},{"@type":47,"@version":48,"id":565,"meta":566,"component":567,"responsiveStyles":569},"builder-e45de8f3768c4f16938dbf78e4e87524",{"previousId":313},{"name":315,"options":568,"isRSC":61},{"darkMode":34},{"large":570},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":572,"component":573,"responsiveStyles":578},"builder-c98e8bfd341146c1b67c02d5698ff093",{"name":320,"tag":320,"options":574,"isRSC":61},{"darkMode":6,"maxWidth":324,"maxTextWidth":325,"title":575,"description":576,"image":577,"reverse":6},"\u003Ch2>Assume less. See more.\u003C/h2>","\u003Cp>Most account takeovers don’t start with a breach, they start with a login. Whether it’s a reused password, a local account, or an outdated login flow, Push shows you how accounts are actually accessed day to day, not just how policies say they should be. That means no more blind spots around ghost logins, bypassed SSO, or stale access paths that quietly persist.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F18630ad2746d4eb7b7fcc0428b11a8f0",{"large":579},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":581,"meta":582,"component":583,"responsiveStyles":588},"builder-55c1fc38ddc04fd1a0d6a8e2fb819e00",{"previousId":332},{"name":334,"options":584,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":337,"title":585,"description":586,"reverse":34,"image":587},"\u003Ch2>Catch stolen credential use in real time\u003C/h2>","\u003Cp>Push monitors login activity directly in the browser to detect signs of credential-based attacks like leaked password use or suspicious login flows. By analyzing attacker TTPs instead of relying on known indicators, Push spots credential stuffing and account takeover attempts the moment they begin, not after they’ve succeeded.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F52b0123cac2c4dfdb1dc0af6adf9d603",{"large":589},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":343,"paddingTop":345,"marginTop":345},{"@type":47,"@version":48,"id":591,"meta":592,"component":593,"responsiveStyles":598},"builder-dfb31737b30948c6b95323655d571a50",{"previousId":347},{"name":334,"options":594,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":350,"title":595,"description":596,"reverse":6,"image":597},"\u003Ch2>Detect session hijacks and stealth access\u003C/h2>","\u003Cp>Attackers don’t always need a login screen, they often sidestep it entirely using stolen session tokens. Push detects when valid sessions are reused in unexpected ways, identifying hijacked sessions and stealth access attempts that traditional tools miss. Because we monitor directly in the browser, you see what’s happening inside active sessions in real time.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F94a6859a99e04d309ffe5841f3dbdf5c",{"large":599},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":356},{"@type":47,"@version":48,"layerName":334,"id":601,"meta":602,"component":603,"responsiveStyles":608},"builder-f7585b90eb974d03a7dc7eae5b58d227",{"previousId":358},{"name":334,"options":604,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":361,"title":605,"description":606,"reverse":34,"image":607},"\u003Ch2>Harden accounts before they’re compromised\u003C/h2>","\u003Cp>Push goes beyond alerts. It identifies apps that still allow local logins, even when SSO is configured, so you can remove weak access paths. Push also flags users without MFA, reused work credentials, or weak passwords, and prompts users in-browser to fix risky behaviors before they’re exploited.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01c1b638f1b6497093a4f2b8ceddb5bb",{"large":609},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":367},{"@type":47,"@version":48,"id":611,"meta":612,"component":613,"responsiveStyles":615},"builder-ad81d1e3afec49a791214194eae09bdc",{"previousId":369},{"name":315,"options":614,"isRSC":61},{"darkMode":6},{"large":616},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":618,"component":619,"responsiveStyles":621},"builder-8dac1aa4b9d148628d92252bd8eff822",{"name":377,"tag":377,"options":620,"isRSC":61},{"sectionHeading":29,"customClass":379},{"large":622},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":624,"@type":47,"tagName":74,"properties":625,"responsiveStyles":626},"builder-pixel-am8pew6kvw",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":627},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":629},{"path":29,"query":630},{},{},1770892814499,1745499162732,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F58b660fa94aa4b30b0faeb9b663ae41a","SfUPqW5tkibIPby49keNFMdHFTr1",[],{"lastPreviewUrl":638,"hasLinks":6,"originalContentId":220,"breakpoints":639,"winningTest":61,"kind":399,"hasAutosaves":34},"https://pushsecurity.com/uc/account-takeover-detection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.94bebb7bb99d48629ad157e80cf4d81d=94bebb7bb99d48629ad157e80cf4d81d&builder.overrides.use-case-page:/uc/account-takeover-detection=94bebb7bb99d48629ad157e80cf4d81d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":641,"id":642,"name":643,"modelId":222,"published":13,"query":644,"data":647,"variations":750,"lastUpdated":751,"firstPublished":752,"testRatio":23,"screenshot":753,"createdBy":91,"lastUpdatedBy":635,"folders":754,"meta":755,"rev":401},1745009370904,"23eb48fb56d3451cab77cb6ed140ee6d","Attack path hardening",[645],{"@type":225,"property":226,"operator":227,"value":646},"/uc/attack-path-hardening",{"tsCode":29,"seoDescription":648,"jsCode":29,"customFonts":649,"fontAwesomeIcon":654,"seoTitle":643,"title":643,"blocks":655,"url":646,"state":747},"Harden access paths with visibility,  detection, and guardrails.",[650],{"kind":234,"files":651,"version":235,"lastModified":236,"subsets":652,"menu":257,"category":256,"variants":653,"family":233},{"100":238,"200":239,"300":240,"500":241,"600":242,"700":243,"800":244,"900":245,"regular":251,"italic":250,"800italic":246,"500italic":253,"600italic":255,"200italic":252,"900italic":247,"700italic":248,"100italic":249,"300italic":254},[259,260],[262,263,264,265,266,267,71,268,269,270,271,272,273,274,275,276,277,278],"faRadar",[656,742],{"@type":47,"@version":48,"tagName":284,"id":657,"meta":658,"children":659},"builder-1d8553eddcaa44d7bba9e2f4ca13af2a",{"previousId":538},[660,676,683,690,699,709,719,729,736],{"@type":47,"@version":48,"id":661,"meta":662,"component":663,"responsiveStyles":674},"builder-84fe3d7c85a743cf8cef649aa974f1ef",{"previousId":542},{"name":288,"options":664,"isRSC":61},{"title":643,"description":665,"points":666,"video":673},"\u003Cp>Push continuously monitors your environment for exposed login paths, weak credentials, and missing protections like MFA. It detects the gaps attackers exploit and helps you close them before they’re used.\u003C/p>",[667,669,671],{"item":668},"Find weak spots like reused passwords, local logins, and missing MFA",{"item":670},"Monitor how users actually log in across apps, flows, and tools",{"item":672},"Enforce secure access with in-browser guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fdbdcf52892034f1bbddded77f753a343%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=dbdcf52892034f1bbddded77f753a343&alt=media&optimized=true",{"large":675},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":303},{"@type":47,"@version":48,"id":677,"meta":678,"component":679,"responsiveStyles":681},"builder-b3f66f5b08054cc78a06fecfc3ae2337",{"previousId":558},{"name":307,"options":680,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":682},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":311},{"@type":47,"@version":48,"id":684,"meta":685,"component":686,"responsiveStyles":688},"builder-4c73418b84be49ed85e6e13d2625c5a0",{"previousId":565},{"name":315,"options":687,"isRSC":61},{"darkMode":34},{"large":689},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":691,"component":692,"responsiveStyles":697},"builder-dec0246085e1485c803f7152b1922a81",{"name":320,"tag":320,"options":693,"isRSC":61},{"darkMode":6,"maxWidth":324,"maxTextWidth":325,"title":694,"description":695,"image":696,"reverse":6},"\u003Ch2>Find the gaps that lead to compromise\u003C/h2>","\u003Cp>Misconfigurations don’t show up in your config files, they show up in how users actually access apps. Push monitors real login behavior in the browser, surfacing risky patterns like local login access, duplicate accounts, or missing protections that leave doors wide open.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F309a59bba8d247a19476bb369397460e",{"large":698},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":700,"meta":701,"component":702,"responsiveStyles":707},"builder-ebf049a645604a249550996a88f8f3b6",{"previousId":581},{"name":334,"options":703,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":337,"title":704,"description":705,"reverse":34,"image":706},"\u003Ch2>See real login behavior\u003C/h2>","\u003Cp>Push watches authentication flows as they happen, giving you a live view of how users log in, which methods they choose, and where protections like MFA are missing. Plus, uncover every app and account in use, even shadow IT you didn’t know existed, without relying on stale config files or IdP assumptions. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb51f6b0357cc451b87a7a5016d984e5e",{"large":708},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":343,"paddingTop":344,"marginTop":345},{"@type":47,"@version":48,"id":710,"meta":711,"component":712,"responsiveStyles":717},"builder-431d175c59004669b0b2776b07d71737",{"previousId":591},{"name":334,"options":713,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":350,"title":714,"description":715,"reverse":6,"image":716},"\u003Ch2>Find and fix posture drift\u003C/h2>","\u003Cp>Security posture isn’t static. Push continuously monitors for issues like missing MFA or legacy login methods. When something falls out of policy, you know immediately with custom notifications so you can act before it turns into risk.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F324e39127dfc41e592b1183dfb39892d",{"large":718},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":356},{"@type":47,"@version":48,"layerName":334,"id":720,"meta":721,"component":722,"responsiveStyles":727},"builder-3dffdcbe0a484e2ca4c03f019b6d40ee",{"previousId":601},{"name":334,"options":723,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":361,"title":724,"description":725,"reverse":34,"image":726},"\u003Ch2>Guide users with in-browser guardrails\u003C/h2>","\u003Cp>Push doesn’t just surface problems, it helps you fix them. When users sign in without MFA, reuse a password, or use insecure credentials, Push prompts them directly in the browser to secure their access. It’s faster, more effective, and actually gets results.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fee8b75d13e45488aba55434a8b49ebb0",{"large":728},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":367},{"@type":47,"@version":48,"id":730,"meta":731,"component":732,"responsiveStyles":734},"builder-976bc222cd7647ff905f1e01cfedc453",{"previousId":611},{"name":315,"options":733,"isRSC":61},{"darkMode":6},{"large":735},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":737,"component":738,"responsiveStyles":740},"builder-8c47ec2fd0f74382bb3e6c870555632c",{"name":377,"tag":377,"options":739,"isRSC":61},{"sectionHeading":29,"customClass":379},{"large":741},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":743,"@type":47,"tagName":74,"properties":744,"responsiveStyles":745},"builder-pixel-98lvtvlp7tm",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":746},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":748},{"path":29,"query":749},{},{},1770892844854,1745499166112,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ca12bf728a045f1a31d40c0beb3bfe5",[],{"kind":399,"lastPreviewUrl":756,"breakpoints":757,"hasLinks":6,"originalContentId":523,"winningTest":61,"hasAutosaves":6},"https://pushsecurity.com/uc/attack-path-hardening?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.23eb48fb56d3451cab77cb6ed140ee6d=23eb48fb56d3451cab77cb6ed140ee6d&builder.overrides.use-case-page:/uc/attack-path-hardening=23eb48fb56d3451cab77cb6ed140ee6d&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":759,"id":760,"name":761,"modelId":222,"published":13,"query":762,"data":765,"variations":870,"lastUpdated":871,"firstPublished":872,"testRatio":23,"screenshot":873,"createdBy":91,"lastUpdatedBy":635,"folders":874,"meta":875,"rev":401},1761675020232,"ea4f309d2ffe46c5aa97ebf0fda4e2e3","ClickFix Protection",[763],{"@type":225,"property":226,"operator":227,"value":764},"/uc/clickfix-protection",{"seoDescription":766,"fontAwesomeIcon":767,"customFonts":768,"seoTitle":773,"jsCode":29,"tsCode":29,"title":773,"blocks":774,"url":764,"state":867},"Block attacks that trick users into running malicious code.","faLaptopCode",[769],{"files":770,"subsets":771,"menu":257,"version":235,"kind":234,"family":233,"lastModified":236,"variants":772,"category":256},{"100":238,"200":239,"300":240,"500":241,"600":242,"700":243,"800":244,"900":245,"200italic":252,"800italic":246,"700italic":248,"600italic":255,"100italic":249,"italic":250,"regular":251,"300italic":254,"500italic":253,"900italic":247},[259,260],[262,263,264,265,266,267,71,268,269,270,271,272,273,274,275,276,277,278],"ClickFix protection",[775,862],{"@type":47,"@version":48,"tagName":284,"id":776,"meta":777,"children":778},"builder-d7eefdde0f2a4b2b9de3dcb2978fd6cb",{"previousId":657},[779,795,802,809,819,829,839,849,856],{"@type":47,"@version":48,"id":780,"meta":781,"component":782,"responsiveStyles":793},"builder-56e2c54bcce040a4af8b92ae03706c12",{"previousId":661},{"name":288,"options":783,"isRSC":61},{"title":773,"description":784,"points":785,"image":792},"\u003Cp>ClickFix attacks are one of the fastest-growing threats, tricking users into copying malicious code from a webpage and running it locally. This technique bypasses traditional EDR, email gateways, and network filters, leading directly to ransomware and data theft. Push stops this attack at the source, in the browser, by detecting and blocking the malicious behavior before the user can ever paste the code.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[786,788,790],{"item":787},"Detect ClickFix, FileFix, and fake CAPTCHA in the browser",{"item":789},"Block malicious copy-and-paste actions before code is executed",{"item":791},"See full telemetry into which users were targeted and what they saw","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b74af62889847ebb3927364485b0546",{"large":794},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":303},{"@type":47,"@version":48,"id":796,"meta":797,"component":798,"responsiveStyles":800},"builder-05f9614d4e3e4dc88b3ee8658f54e10e",{"previousId":677},{"name":307,"options":799,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":801},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":311},{"@type":47,"@version":48,"id":803,"meta":804,"component":805,"responsiveStyles":807},"builder-c4fb5179366243c1b6c32d368675cf47",{"previousId":684},{"name":315,"options":806,"isRSC":61},{"darkMode":34},{"large":808},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":810,"meta":811,"component":812,"responsiveStyles":817},"builder-261af50705fd445d8cca4a6ba20d5391",{"previousId":691},{"name":320,"tag":320,"options":813,"isRSC":61},{"darkMode":6,"maxWidth":324,"maxTextWidth":325,"title":814,"description":815,"reverse":6,"image":816},"\u003Ch2>Stop ClickFix-style attacks before they become a breach\u003C/h2>","\u003Cp>Traditional security tools are blind to malicious copy and paste attacks because the attack exploits a gap between the browser and the endpoint. EDR only sees the payload after it runs, and network tools see only part of the picture.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F98b2f7e08dec4eafaf8e24937605b8cf",{"large":818},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":820,"meta":821,"component":822,"responsiveStyles":827},"builder-7d21b8aab8064c40b1e5dd23c4749309",{"previousId":700},{"name":334,"options":823,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":337,"title":824,"description":825,"reverse":34,"image":826},"\u003Ch2>Discover lures at the source\u003C/h2>","\u003Cp>Push inspects page behavior to identify ClickFix attacks as they happen. By inspecting the page, its structure, and how the user interacts with it, Push can detect and block these in-browser threats in real time. This deep, TTP-based inspection spots the trap even on novel pages that are built to bypass traditional web filters and blocklists.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F665bf47e01544c75bf9ddafd3917927b",{"large":828},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":343,"paddingTop":344,"marginTop":345},{"@type":47,"@version":48,"id":830,"meta":831,"component":832,"responsiveStyles":837},"builder-fb91943adf6149259ed9e1e6566c9afe",{"previousId":710},{"name":334,"options":833,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":350,"title":834,"description":835,"reverse":6,"image":836},"\u003Ch2>Block the malicious action\u003C/h2>","\u003Cp>When Push detects a malicious script, it intercepts the user's action and blocks the code from being copied to the clipboard. The user is protected, the attack is stopped, and no malicious code ever reaches the endpoint. Unlike broad DLP tools, this action is surgical, targeting only malicious behavior without disrupting normal work.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5ee68f81f1ac416685cbfe91298cf827",{"large":838},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":356},{"@type":47,"@version":48,"layerName":334,"id":840,"meta":841,"component":842,"responsiveStyles":847},"builder-bfac95fada864e5a8259b955b5b5f98b",{"previousId":720},{"name":334,"options":843,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":361,"title":844,"description":845,"reverse":34,"image":846},"\u003Ch2>Accelerate ClickFix investigations\u003C/h2>","\u003Cp>When an attack happens, knowing what the user saw or did is critical. Push provides rich browser session data for rapid investigation and containment. Security teams get detailed telemetry on which users were targeted, what lure they were served, and when the block occurred. This enables defenders to reconstruct what happened and respond quickly, even when other tools miss the activity entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6cdf2a8aeddc4e9a9023cbf974e40239",{"large":848},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":367},{"@type":47,"@version":48,"id":850,"meta":851,"component":852,"responsiveStyles":854},"builder-136892e831684a6987f87d3be67c33d1",{"previousId":730},{"name":315,"options":853,"isRSC":61},{"darkMode":6},{"large":855},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":857,"component":858,"responsiveStyles":860},"builder-dec26b739f2f42beb5a73cfc6c675b60",{"name":377,"tag":377,"options":859,"isRSC":61},{"sectionHeading":29,"customClass":379},{"large":861},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":863,"@type":47,"tagName":74,"properties":864,"responsiveStyles":865},"builder-pixel-i8qg9yuzhy",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":866},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":868},{"path":29,"query":869},{},{},1770892881888,1761847585203,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F375467b8bef34ed1a8a1cc5b8b67d75f",[],{"lastPreviewUrl":876,"originalContentId":642,"winningTest":61,"hasLinks":6,"kind":399,"breakpoints":877,"hasAutosaves":6},"https://pushsecurity.com/uc/clickfix-protection?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.ea4f309d2ffe46c5aa97ebf0fda4e2e3=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.overrides.use-case-page:/uc/clickfix-protection=ea4f309d2ffe46c5aa97ebf0fda4e2e3&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":879,"id":880,"name":881,"modelId":222,"published":13,"query":882,"data":885,"variations":990,"lastUpdated":991,"firstPublished":992,"testRatio":23,"screenshot":993,"createdBy":91,"lastUpdatedBy":635,"folders":994,"meta":995,"rev":401},1745009743870,"a9d5556e77f84a37b5bd52310a7110c1","Incident response",[883],{"@type":225,"property":226,"operator":227,"value":884},"/uc/incident-response",{"seoDescription":886,"customFonts":887,"title":881,"jsCode":29,"fontAwesomeIcon":892,"seoTitle":893,"tsCode":29,"blocks":894,"url":884,"state":987},"Investigate and respond faster with unique browser telemetry.",[888],{"kind":234,"subsets":889,"menu":257,"variants":890,"category":256,"family":233,"version":235,"lastModified":236,"files":891},[259,260],[262,263,264,265,266,267,71,268,269,270,271,272,273,274,275,276,277,278],{"100":238,"200":239,"300":240,"500":241,"600":242,"700":243,"800":244,"900":245,"900italic":247,"600italic":255,"200italic":252,"300italic":254,"100italic":249,"700italic":248,"800italic":246,"regular":251,"italic":250,"500italic":253},"faSatelliteDish","Browser based incident response",[895,982],{"@type":47,"@version":48,"tagName":284,"id":896,"meta":897,"children":898},"builder-653c4aed737b4def88dc4cd2d695660a",{"previousId":657},[899,916,923,930,939,949,959,969,976],{"@type":47,"@version":48,"id":900,"meta":901,"component":902,"responsiveStyles":914},"builder-18190bd36518467d9154d27d7e945b9b",{"previousId":661},{"name":288,"options":903,"isRSC":61},{"title":904,"description":905,"points":906,"video":913},"Browser-based incident response","\u003Cp>Push gives you real-time visibility into what actually happened during a breach, right in the browser where the attack played out. From credential theft to session hijacking, Push captures high-fidelity telemetry so you can investigate quickly, contain confidently, and shut it down before it spreads.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>",[907,909,911],{"item":908},"Reconstruct what happened with real browser session context",{"item":910},"Investigate faster with real-world session context",{"item":912},"Trigger response actions automatically through your SIEM or SOAR","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd00e39d3b6e346c296261d875cf55652%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=d00e39d3b6e346c296261d875cf55652&alt=media&optimized=true",{"large":915},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":303},{"@type":47,"@version":48,"id":917,"meta":918,"component":919,"responsiveStyles":921},"builder-8a0a8ea63f5d48dd8a6726f2d49cf0ca",{"previousId":677},{"name":307,"options":920,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":922},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":311},{"@type":47,"@version":48,"id":924,"meta":925,"component":926,"responsiveStyles":928},"builder-2df65c3f54334df2b26e7cb744886cdc",{"previousId":684},{"name":315,"options":927,"isRSC":61},{"darkMode":34},{"large":929},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":931,"component":932,"responsiveStyles":937},"builder-2c32c869efc2423ab69ef06b150e9f97",{"name":320,"tag":320,"options":933,"isRSC":61},{"darkMode":6,"maxWidth":324,"maxTextWidth":325,"title":934,"description":935,"image":936,"reverse":6},"\u003Ch2>See attacks unfold, not just their aftermath\u003C/h2>","\u003Cp>Attacks happen in the browser, not in logs. Push captures what traditional tools miss: what users clicked, what loaded, what was entered, and how attackers moved. That gives you real-world evidence, not just assumptions, when every second matters.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F36fc719bd1de4a38b916f4d25c81a26d",{"large":938},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":940,"meta":941,"component":942,"responsiveStyles":947},"builder-370e53c6016e432db01e9193a2ce90f6",{"previousId":700},{"name":334,"options":943,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":337,"title":944,"description":945,"reverse":34,"image":946},"\u003Ch2>Investigate faster with high-fidelity data\u003C/h2>","\u003Cp>Reconstructing an incident shouldn’t feel like guesswork. Push records detailed telemetry from inside the browser: page loads, credential inputs, DOM changes, session activity, user behavior. It’s structured, exportable, and ready to plug into your investigation workflows, so you can move fast without digging through proxy logs or relying on user reports.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6adda040e684e67a8d68a55c5ce5f6d",{"large":948},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":343,"paddingTop":345,"marginTop":345},{"@type":47,"@version":48,"id":950,"meta":951,"component":952,"responsiveStyles":957},"builder-a7f3767a8d184bd08fb24520bf210e95",{"previousId":710},{"name":334,"options":953,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":350,"title":954,"description":955,"reverse":6,"image":956},"\u003Ch2>Contain and respond in real time\u003C/h2>","\u003Cp>When something looks off, Push doesn’t just alert you, it gives you options. Guide users with in-browser prompts. Terminate sessions. Trigger SOAR workflows. Enrich SIEM alerts. Push gives you the context and control to stop spread before it starts.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb3dedeed5aba4847a2c2d22e10d0ec12",{"large":958},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":356},{"@type":47,"@version":48,"layerName":334,"id":960,"meta":961,"component":962,"responsiveStyles":967},"builder-b92036ee0ece4b32acdbdcc7c377366b",{"previousId":720},{"name":334,"options":963,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":361,"title":964,"description":965,"reverse":34,"image":966},"\u003Ch2>Prevent the next one\u003C/h2>","\u003Cp>Push helps you respond fast, but it also helps you fix what went wrong. It surfaces misconfigurations and risky behaviors that made the attack possible in the first place, then guides users in-browser to remediate. One tool. Full loop. No loose ends.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc1ecc2d5d3814b62b072fac01827ff96",{"large":968},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":367},{"@type":47,"@version":48,"id":970,"meta":971,"component":972,"responsiveStyles":974},"builder-5e8ae39655274de89da32ab573a2525a",{"previousId":730},{"name":315,"options":973,"isRSC":61},{"darkMode":6},{"large":975},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":977,"component":978,"responsiveStyles":980},"builder-dfd6850cfb4741d2b8a0c16c2780f00a",{"name":377,"tag":377,"options":979,"isRSC":61},{"sectionHeading":29,"customClass":379},{"large":981},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":983,"@type":47,"tagName":74,"properties":984,"responsiveStyles":985},"builder-pixel-hjesp5pzk8s",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":986},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":988},{"path":29,"query":989},{},{},1770892908052,1745427419274,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb07017bfd318431690a5bb35bda35b99",[],{"kind":399,"breakpoints":996,"originalContentId":642,"winningTest":61,"lastPreviewUrl":997,"hasLinks":6,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/incident-response?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.a9d5556e77f84a37b5bd52310a7110c1=a9d5556e77f84a37b5bd52310a7110c1&builder.overrides.use-case-page:/uc/incident-response=a9d5556e77f84a37b5bd52310a7110c1&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"createdDate":999,"id":1000,"name":1001,"modelId":222,"published":13,"query":1002,"data":1005,"variations":1110,"lastUpdated":1111,"firstPublished":1112,"testRatio":23,"screenshot":1113,"createdBy":91,"lastUpdatedBy":635,"folders":1114,"meta":1115,"rev":401},1746122471259,"5f118e24433d46ceb79f5099987156d7","Shadow SaaS",[1003],{"@type":225,"property":226,"operator":227,"value":1004},"/uc/shadow-saas",{"seoTitle":1006,"seoDescription":1007,"customFonts":1008,"fontAwesomeIcon":1013,"title":1014,"jsCode":29,"tsCode":29,"blocks":1015,"url":1004,"state":1107},"Find and secure shadow SaaS","See and control shadow SaaS in the browser.",[1009],{"kind":234,"variants":1010,"files":1011,"family":233,"version":235,"subsets":1012,"lastModified":236,"category":256,"menu":257},[262,263,264,265,266,267,71,268,269,270,271,272,273,274,275,276,277,278],{"100":238,"200":239,"300":240,"500":241,"600":242,"700":243,"800":244,"900":245,"300italic":254,"500italic":253,"regular":251,"900italic":247,"italic":250,"100italic":249,"200italic":252,"600italic":255,"700italic":248,"800italic":246},[259,260],"faShieldCheck","Secure shadow SaaS",[1016,1102],{"@type":47,"@version":48,"tagName":284,"id":1017,"meta":1018,"children":1019},"builder-04da805c4cd34652a2db452fcda52e1d",{"previousId":896},[1020,1036,1043,1050,1059,1069,1079,1089,1096],{"@type":47,"@version":48,"id":1021,"meta":1022,"component":1023,"responsiveStyles":1034},"builder-830d414faeaf41439142f9157e8288c8",{"previousId":900},{"name":288,"options":1024,"isRSC":61},{"title":1006,"description":1025,"points":1026,"video":1033},"\u003Cp>SaaS sprawl is one of today’s fastest-growing security blind spots because most tools monitor around the edges. Push sees it at the source, in the browser, revealing every app users access, flagging risky tools, and helping you shut down exposure before it leads to a breach. No guesswork. No nasty surprises. Just real-time visibility and control.\u003C/p>",[1027,1029,1031],{"item":1028},"Discover every SaaS app users access, managed or not",{"item":1030},"Spot accounts with weak security postures like missing MFA, unmanaged access, and no SSO",{"item":1032},"Control usage with in-browser prompts, blocks, and security guardrails","https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e4eece318d04d6586e691d59d0741cf%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=3e4eece318d04d6586e691d59d0741cf&alt=media&optimized=true",{"large":1035},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":303},{"@type":47,"@version":48,"id":1037,"meta":1038,"component":1039,"responsiveStyles":1041},"builder-cd7833f966cb4c7e8adf0d6c979414a6",{"previousId":917},{"name":307,"options":1040,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":1042},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":311},{"@type":47,"@version":48,"id":1044,"meta":1045,"component":1046,"responsiveStyles":1048},"builder-49d720b45430454e8b08c526f267c19f",{"previousId":924},{"name":315,"options":1047,"isRSC":61},{"darkMode":34},{"large":1049},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1051,"component":1052,"responsiveStyles":1057},"builder-3dde0bf6c8544e5e9ab41b18a9d68034",{"name":320,"tag":320,"options":1053,"isRSC":61},{"darkMode":6,"maxWidth":324,"maxTextWidth":325,"title":1054,"description":1055,"image":1056,"reverse":6},"\u003Ch2>Use your browser to curb Saas Sprawl\u003C/h2>","\u003Cp>Shadow SaaS isn’t hiding in your network, it’s in your browser. From AI tools to unsanctioned file-sharing sites, security risks live in the apps your users sign into every day. Push maps your organization's true SaaS footprint in real time, exposing apps and accounts with unmanaged access, poor authentication, or no security oversight.\u003C/p>\u003Cp>\u003Cbr>\u003C/p>\u003Cp>\u003Cbr>\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb6811a214c7949b6bbe0b9a3bca62efd",{"large":1058},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1060,"meta":1061,"component":1062,"responsiveStyles":1067},"builder-e2420451ccdc4f088d0a4904cff45935",{"previousId":940},{"name":334,"options":1063,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":337,"title":1064,"description":1065,"reverse":34,"image":1066},"\u003Ch2>Discover hidden SaaS usage\u003C/h2>","\u003Cp>Push captures live browser telemetry across every tab and session. Whether a user signs into a sanctioned app with a personal account or tries a new AI plugin, you’ll see it in real time, with no integrations or manual tagging.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe16e301f9af94665b95d98232a863d8a",{"large":1068},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":343,"paddingTop":345,"marginTop":345},{"@type":47,"@version":48,"id":1070,"meta":1071,"component":1072,"responsiveStyles":1077},"builder-b36de7fce7994beea9e58d94662e7166",{"previousId":950},{"name":334,"options":1073,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":350,"title":1074,"description":1075,"reverse":6,"image":1076},"\u003Ch2>Spot risky access and unsafe usage\u003C/h2>","\u003Cp>Discovery is just the beginning. Push flags apps with risky traits, no MFA, no SSO, known vulnerabilities, or broad access scopes. You’ll know which tools introduce real risk, and which users are exposed so you can act with precision.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6585f3c242da4d70ae3cb7d02f481bef",{"large":1078},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":356},{"@type":47,"@version":48,"layerName":334,"id":1080,"meta":1081,"component":1082,"responsiveStyles":1087},"builder-dc366b5134684fe7a508edf8913103ea",{"previousId":960},{"name":334,"options":1083,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":361,"title":1084,"description":1085,"reverse":34,"image":1086},"\u003Ch2>Close gaps before they grow\u003C/h2>","\u003Cp>Push turns insight into action. When risky SaaS use is detected, guide users to enable MFA, block high-risk apps, or apply in-browser guardrails automatically. All without deploying new infrastructure or managing dozens of integrations.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe6d60b6d91414819bc6258a318f00557",{"large":1088},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":367},{"@type":47,"@version":48,"id":1090,"meta":1091,"component":1092,"responsiveStyles":1094},"builder-8708f6f0d8da4b3f9e17bf16cda70219",{"previousId":970},{"name":315,"options":1093,"isRSC":61},{"darkMode":6},{"large":1095},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1097,"component":1098,"responsiveStyles":1100},"builder-8ff4b38d60534cf28cb523ab0f754875",{"name":377,"tag":377,"options":1099,"isRSC":61},{"sectionHeading":29,"customClass":379},{"large":1101},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":1103,"@type":47,"tagName":74,"properties":1104,"responsiveStyles":1105},"builder-pixel-zfh3sxknhck",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":1106},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":1108},{"path":29,"query":1109},{},{},1770892936802,1746714967208,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F01bfb2304521412fbd2e1a1180904d40",[],{"originalContentId":880,"winningTest":61,"lastPreviewUrl":1116,"breakpoints":1117,"kind":399,"hasLinks":6,"hasAutosaves":6},"https://pushsecurity.com/uc/shadow-saas?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=5f118e24433d46ceb79f5099987156d7&builder.overrides.5f118e24433d46ceb79f5099987156d7=5f118e24433d46ceb79f5099987156d7&builder.overrides.use-case-page:/uc/shadow-saas=5f118e24433d46ceb79f5099987156d7&builder.options.includeRefs=true&builder.options.enrich=true&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},{"createdDate":1119,"id":1120,"name":1121,"modelId":222,"published":13,"stageModifiedSincePublish":6,"query":1122,"data":1125,"variations":1231,"lastUpdated":1232,"firstPublished":1233,"testRatio":23,"screenshot":1234,"createdBy":91,"lastUpdatedBy":394,"folders":1235,"meta":1236,"rev":401},1764707470172,"b62629ce2f3741158d961cd10fe74b31","Shadow AI",[1123],{"@type":225,"property":226,"operator":227,"value":1124},"/uc/shadow-ai",{"fontAwesomeIcon":1126,"jsCode":29,"tsCode":29,"seoTitle":1127,"title":1128,"customFonts":1129,"seoDescription":1134,"blocks":1135,"url":1124,"state":1228},"faBrainCircuit","Secure AI native and AI enhanced apps. ","Secure AI",[1130],{"family":233,"subsets":1131,"category":256,"files":1132,"variants":1133,"kind":234,"lastModified":236,"menu":257,"version":235},[259,260],{"100":238,"200":239,"300":240,"500":241,"600":242,"700":243,"800":244,"900":245,"800italic":246,"100italic":249,"600italic":255,"italic":250,"700italic":248,"200italic":252,"regular":251,"900italic":247,"300italic":254,"500italic":253},[262,263,264,265,266,267,71,268,269,270,271,272,273,274,275,276,277,278],"See and control AI apps in the browser.",[1136,1223],{"@type":47,"@version":48,"tagName":284,"id":1137,"meta":1138,"children":1139},"builder-a6e5717a2c914d5695058e4ee201a05d",{"previousId":1017},[1140,1156,1163,1170,1180,1190,1200,1210,1217],{"@type":47,"@version":48,"id":1141,"meta":1142,"component":1143,"responsiveStyles":1154},"builder-3e0ed678683f4a0eb7aa00253cf263b2",{"previousId":1021},{"name":288,"options":1144,"isRSC":61},{"title":1128,"description":1145,"points":1146,"image":1153},"\u003Cp>Every AI interaction traverses the browser. Employees use GenAI tools, connect AI apps to corporate accounts, and run agentic workflows, often outside security oversight. Push gives security teams the visibility to see what AI is doing across their environment and the controls to intervene before sensitive data leaves or access gets abused.\u003C/p>",[1147,1149,1151],{"item":1148},"Discover every AI tool and agent active across your workforce",{"item":1150},"Detect sensitive data being submitted to AI apps",{"item":1152},"Enforce AI policy directly in the browser","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33cf153d920f4e389f3650253577cff7",{"large":1155},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":303},{"@type":47,"@version":48,"id":1157,"meta":1158,"component":1159,"responsiveStyles":1161},"builder-76968f8471d14893b8189d75b08fb426",{"previousId":1037},{"name":307,"options":1160,"isRSC":61},{"AllPartners":34,"backgroundTransparent":6},{"large":1162},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"backgroundColor":311},{"@type":47,"@version":48,"id":1164,"meta":1165,"component":1166,"responsiveStyles":1168},"builder-b55b9d4bc5a649d8839ce7f6c2043d95",{"previousId":1044},{"name":315,"options":1167,"isRSC":61},{"darkMode":34},{"large":1169},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1171,"meta":1172,"component":1173,"responsiveStyles":1178},"builder-c3f38ef4d75d4989a29b5903175ed8a1",{"previousId":1051},{"name":320,"tag":320,"options":1174,"isRSC":61},{"darkMode":6,"maxWidth":324,"maxTextWidth":325,"title":1175,"description":1176,"image":1177,"reverse":6},"\u003Ch2>The browser is where AI lives\u003C/h2>","\u003Cp>AI activity doesn't happen at the network layer or the endpoint. It happens in the browser, where employees interact with AI tools, where agents execute tasks, and where sensitive data gets submitted to external services. Push captures live telemetry from inside the browser session, identifying every AI-native and AI-enhanced application in use. \u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F30b43bda6f1644c19478fb1efa20050c",{"large":1179},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1181,"meta":1182,"component":1183,"responsiveStyles":1188},"builder-90ee9cb9afc44e7f885523715bf51a53",{"previousId":1060},{"name":334,"options":1184,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":337,"title":1185,"description":1186,"reverse":34,"image":1187},"\u003Ch2>Discover every AI tool users touch\u003C/h2>","\u003Cp>Most organisations are using far more AI than they've approved. Push identifies every AI-native and AI-enhanced application accessed across the workforce, which corporate identities are connected, and what new tools appear in the environment. Applications are categorized by risk and policy status so security teams can prioritize exposure before it becomes an incident.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F636e65ad0c4c43faa3e626c41e90d8a3",{"large":1189},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"fontFamily":343,"paddingTop":345,"marginTop":345},{"@type":47,"@version":48,"id":1191,"meta":1192,"component":1193,"responsiveStyles":1198},"builder-9e44539fa53c4d8e87406036c921fc46",{"previousId":1070},{"name":334,"options":1194,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":350,"title":1195,"description":1196,"reverse":6,"image":1197},"\u003Ch2>Prevent sensitive data from reaching the wrong AI tools\u003C/h2>","\u003Cp>Employees paste credentials, customer data, and internal documents into AI tools without realizsing the risk. Push detects sensitive data interactions in the browser in real time, including file uploads, clipboard activity, and form submissions to unsanctioned or high-risk AI applications. Controls can be applied to warn users, require policy acknowledgment, or block the interaction entirely.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F011332d42dab4a299f25ab3847741ed9",{"large":1199},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":356},{"@type":47,"@version":48,"layerName":334,"id":1201,"meta":1202,"component":1203,"responsiveStyles":1208},"builder-44c1a891926f4bdeaaa37e90721fe6ac",{"previousId":1080},{"name":334,"options":1204,"isRSC":61},{"darkMode":6,"maxWidth":324,"imageMaxWidth":336,"textPaddingTop":361,"title":1205,"description":1206,"reverse":34,"image":1207},"\u003Ch2>Govern agentic AI permissions and activity\u003C/h2>","\u003Cp>AI agents operating in the browser can access applications, execute actions, and handle data on behalf of users, often with permissions that were never explicitly reviewed. Push surfaces agentic permissions and data flows so security teams can see what agents are doing, where they have access, and apply controls before that access is exploited or abused.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F71549a73d0b84f1c8cb151c05e493e8d",{"large":1209},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"paddingTop":367},{"@type":47,"@version":48,"id":1211,"meta":1212,"component":1213,"responsiveStyles":1215},"builder-dcc906f9cbe54dc68b3c672668e7a38f",{"previousId":1090},{"name":315,"options":1214,"isRSC":61},{"darkMode":6},{"large":1216},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1218,"component":1219,"responsiveStyles":1221},"builder-d2d64780c31b4349bc75805b23a07e38",{"name":377,"tag":377,"options":1220,"isRSC":61},{"sectionHeading":29,"customClass":379},{"large":1222},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":1224,"@type":47,"tagName":74,"properties":1225,"responsiveStyles":1226},"builder-pixel-t4vf821dl3c",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":1227},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":1229},{"path":29,"query":1230},{},{},1776875934687,1764950077593,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6ce1c8d6242349f8b66cb3afa7885651",[],{"hasLinks":6,"winningTest":61,"originalContentId":1000,"kind":399,"breakpoints":1237,"lastPreviewUrl":1238,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/uc/shadow-ai?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=use-case-page&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.use-case-page=b62629ce2f3741158d961cd10fe74b31&builder.overrides.b62629ce2f3741158d961cd10fe74b31=b62629ce2f3741158d961cd10fe74b31&builder.overrides.use-case-page:/uc/shadow-ai=b62629ce2f3741158d961cd10fe74b31&builder.options.locale=Default",{"w":1240,"h":1241,"d":1242},448,512,"M280.4 48c-3.2 0-6.3 .5-9.3 1.4L206.6 69.2C136.1 90.9 88 156.1 88 229.8l0 42.9c22.7 3.8 40 23.6 40 47.3l0 144c0 26.5-21.5 48-48 48l-32 0c-26.5 0-48-21.5-48-48L0 320c0-23.8 17.3-43.5 40-47.3l0-42.9C40 135 101.8 51.2 192.5 23.4L256.9 3.5c7.6-2.3 15.5-3.5 23.4-3.5 44 0 79.6 35.7 79.6 79.6l0 56.4c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-56.4C312 62.2 297.8 48 280.4 48zM48 320l0 144 32 0 0-144-32 0zm208 24c0-71.6 55.6-127.8 89-148.1 4.3-2.6 9.6-2.6 14 0 33.5 20.3 89 76.6 89 148.1 0 32-16 80-64 112l27.3 27.3c3 3 4.7 7.1 4.7 11.3l0 1.4c0 8.8-7.2 16-16 16l-96 0c-8.8 0-16-7.2-16-16l0-1.4c0-4.2 1.7-8.3 4.7-11.3L320 456c-48-32-64-80-64-112zm128-32a24 24 0 1 0 -48 0 24 24 0 1 0 48 0z",{"w":1241,"h":1241,"d":1244},"M201.1 57.3c-7 5.3-9.1 10.7-9.1 14.7 0 4.2 2.4 10.1 10.4 15.6 7.8 5.3 13.6 14.6 13.6 25.6 0 17-13.8 30.7-30.7 30.7L56 144c-4.4 0-8 3.6-8 8l0 52.5c7.4-2.9 15.5-4.5 24-4.5 43.1 0 72 39.4 72 80s-28.9 80-72 80c-8.5 0-16.6-1.6-24-4.5L48 456c0 4.4 3.6 8 8 8l100.5 0c-2.9-7.4-4.5-15.5-4.5-24 0-43.1 39.4-72 80-72s80 28.9 80 72c0 8.5-1.6 16.6-4.5 24l52.5 0c4.4 0 8-3.6 8-8l0-129.3c0-17 13.8-30.7 30.7-30.7 11.1 0 20.3 5.8 25.6 13.6 5.5 8 11.4 10.4 15.6 10.4 4 0 9.5-2.1 14.7-9.1s9.3-17.9 9.3-30.9-4-23.8-9.3-30.9-10.7-9.1-14.7-9.1c-4.2 0-10.1 2.4-15.6 10.4-5.3 7.8-14.6 13.6-25.6 13.6-17 0-30.7-13.8-30.7-30.7l0-81.3c0-4.4-3.6-8-8-8l-81.3 0c-17 0-30.7-13.8-30.7-30.7 0-11.1 5.8-20.3 13.6-25.6 8-5.5 10.4-11.4 10.4-15.6 0-4-2.1-9.5-9.1-14.7S245 48 232 48 208.2 52 201.1 57.3zM172.3 18.9C188.5 6.8 209.6 0 232 0S275.5 6.8 291.7 18.9 320 49.5 320 72c0 8.6-1.8 16.7-4.9 24L360 96c30.9 0 56 25.1 56 56l0 44.9c7.3-3.1 15.4-4.9 24-4.9 22.5 0 41 12.2 53.1 28.3s18.9 37.3 18.9 59.7-6.8 43.5-18.9 59.7-30.6 28.3-53.1 28.3c-8.6 0-16.7-1.8-24-4.9l0 92.9c0 30.9-25.1 56-56 56l-78.1 0c-18.7 0-33.9-15.2-33.9-33.9 0-10.1 4.5-18.5 9.9-24.2 4.2-4.3 6.1-9.2 6.1-13.9 0-9.9-10.7-24-32-24s-32 14.1-32 24c0 4.7 1.9 9.5 6.1 13.9 5.5 5.7 9.9 14.1 9.9 24.2 0 18.7-15.2 33.9-33.9 33.9L56 512c-30.9 0-56-25.1-56-56L0 329.9c0-18.7 15.2-33.9 33.9-33.9 10.1 0 18.5 4.5 24.2 9.9 4.3 4.2 9.2 6.1 13.9 6.1 9.9 0 24-10.7 24-32s-14.1-32-24-32c-4.7 0-9.5 1.9-13.9 6.1-5.7 5.5-14.1 9.9-24.2 9.9-18.7 0-33.9-15.2-33.9-33.9L0 152c0-30.9 25.1-56 56-56l92.9 0c-3.1-7.3-4.9-15.4-4.9-24 0-22.5 12.2-41 28.3-53.1z",{"w":1240,"h":1241,"d":1246},"M102.7 96c10.4-53.7 31.9-112 68.3-112 9.6 0 19 3.9 27.5 8.2 8.2 4.1 18.4 7.8 25.5 7.8s17.3-3.7 25.5-7.8c8.5-4.3 17.9-8.2 27.5-8.2 36.4 0 57.8 58.3 68.3 112L376 96c13.3 0 24 10.7 24 24s-10.7 24-24 24l-24 0 0 32c0 17-3.3 33.2-9.3 48l33.3 0c8.1 0 15.6 4 20 10.8s5.2 15.2 2.1 22.6l-31.5 74.2c48.9 31.2 81.4 86 81.4 148.5l0 8c0 13.3-10.7 24-24 24s-24-10.7-24-24l0-8c0-51.4-30.3-95.8-74.1-116.1-11.7-5.5-17-19.2-12-31.2l25.8-60.7-27.7 0c-1.1 0-2.1-.1-3.1-.2-22.6 20-52.3 32.2-84.9 32.2s-62.3-12.2-84.9-32.2c-1 .1-2.1 .2-3.1 .2l-27.7 0 25.8 60.7c5.1 11.9-.2 25.7-12 31.2-43.8 20.4-74.1 64.7-74.1 116.1l0 8c0 13.3-10.7 24-24 24S0 501.3 0 488l0-8c0-62.4 32.5-117.2 81.4-148.5L49.9 257.4c-3.2-7.4-2.4-15.9 2.1-22.6S63.9 224 72 224l33.3 0c-6-14.8-9.3-31-9.3-48l0-32-24 0c-13.3 0-24-10.7-24-24S58.7 96 72 96l30.7 0zm45.9 107c11.1 30.9 40.6 53 75.3 53s64.2-22.1 75.3-53c-5.7 3.2-12.3 5-19.3 5l-12.4 0c-16.5 0-31.1-10.6-36.3-26.2-2.3-7-12.2-7-14.5 0-5.2 15.6-19.9 26.2-36.3 26.2L168 208c-7 0-13.6-1.8-19.3-5zm44.8 133l61 0c9.7 0 17.5 7.8 17.5 17.5 0 4.2-1.5 8.2-4.2 11.4l-27.9 32.5 28.9 82.6c5.5 15.6-6.1 31.9-22.7 31.9l-44.3 0c-16.5 0-28.1-16.3-22.7-31.9l28.9-82.6-27.9-32.5c-2.7-3.2-4.2-7.2-4.2-11.4 0-9.7 7.8-17.5 17.5-17.5z",{"w":1241,"h":1241,"d":1248},"M304.8 173.3c-14.3-8.4-31-13.3-48.8-13.3-53 0-96 43-96 96s43 96 96 96 96-43 96-96l48 0c0 79.5-64.5 144-144 144s-144-64.5-144-144 64.5-144 144-144c31.1 0 59.9 9.9 83.4 26.6l45.7-45.7C349.7 64.8 304.8 48 256 48 141.1 48 48 141.1 48 256s93.1 208 208 208 208-93.1 208-208l48 0c0 141.4-114.6 256-256 256S0 397.4 0 256 114.6 0 256 0c62.1 0 118.9 22.1 163.3 58.8L463 15c9.4-9.4 24.6-9.4 33.9 0s9.4 24.6 0 33.9L273 273c-9.4 9.4-24.6 9.4-33.9 0s-9.4-24.6 0-33.9l65.7-65.7z",{"w":32,"h":1241,"d":1250},"M128 80l384 0c8.8 0 16 7.2 16 16l0 208 48 0 0-208c0-35.3-28.7-64-64-64L128 32C92.7 32 64 60.7 64 96l0 208 48 0 0-208c0-8.8 7.2-16 16-16zM52.8 400l534.4 0c-8.5 18.9-27.5 32-49.6 32l-435.2 0c-22.1 0-41.1-13.1-49.6-32zM25.6 352C11.5 352 0 363.5 0 377.6 0 434.2 45.8 480 102.4 480l435.2 0c56.6 0 102.4-45.8 102.4-102.4 0-14.1-11.5-25.6-25.6-25.6L25.6 352zM281 169c9.4-9.4 9.4-24.6 0-33.9s-24.6-9.4-33.9 0l-48 48c-9.4 9.4-9.4 24.6 0 33.9l48 48c9.4 9.4 24.6 9.4 33.9 0s9.4-24.6 0-33.9l-31-31 31-31zM393 135c-9.4-9.4-24.6-9.4-33.9 0s-9.4 24.6 0 33.9l31 31-31 31c-9.4 9.4-9.4 24.6 0 33.9s24.6 9.4 33.9 0l48-48c9.4-9.4 9.4-24.6 0-33.9l-48-48z",{"w":1241,"h":1241,"d":1252},"M232 0c-13.3 0-24 10.7-24 24s10.7 24 24 24c128.1 0 232 103.9 232 232 0 13.3 10.7 24 24 24s24-10.7 24-24C512 125.4 386.6 0 232 0zM48 256c0-23 3.7-45 10.5-65.6l263 263C301 460.3 279 464 256 464 141.1 464 48 370.9 48 256zM72.8 136.8c-14.1-14.1-37.6-12-46.5 5.8-16.9 34.2-26.4 72.6-26.4 113.3 0 141.4 114.6 256 256 256 40.7 0 79.2-9.5 113.3-26.4 17.9-8.8 19.9-32.4 5.8-46.5L241 305 281 265c9.4-9.4 9.4-24.6 0-33.9s-24.6-9.4-33.9 0L207 271 72.8 136.8zM208 120c0 13.3 10.7 24 24 24 75.1 0 136 60.9 136 136 0 13.3 10.7 24 24 24s24-10.7 24-24c0-101.6-82.4-184-184-184-13.3 0-24 10.7-24 24z",{"w":1241,"h":1241,"d":1254},"M256.1 0c4.6 0 9.2 1 13.3 2.9L457.8 82.8c22 9.3 38.4 31 38.3 57.2-.5 99.2-41.3 280.7-213.6 363.2-16.7 8-36.1 8-52.8 0-172.4-82.5-213.2-263.9-213.7-363.2-.1-26.2 16.3-47.9 38.3-57.2L242.7 2.9C246.8 1 251.4 0 256.1 0zM73.1 127c-5.9 2.5-9.1 7.7-9 12.7 .5 91.4 38.4 249.3 186.4 320.1 3.6 1.7 7.8 1.7 11.3 0 148-70.8 185.9-228.7 186.3-320.1 0-5-3.1-10.2-9-12.7l-183-77.6-183 77.6zm240.3 34.9c7.8-10.7 22.8-13.1 33.5-5.3 10.7 7.8 13.1 22.8 5.3 33.5L249.8 330.9c-4.2 5.7-10.7 9.3-17.8 9.8s-14-2.2-18.9-7.3l-46.4-48c-9.2-9.5-9-24.7 .6-33.9 9.5-9.2 24.7-8.9 33.9 .6l26.5 27.4 85.6-117.7z",{"w":1241,"h":1241,"d":1256},"M123 58.1c9.5-33.5 40.4-58.1 77-58.1 21.8 0 41.6 8.7 56 22.9 14.4-14.1 34.2-22.9 56-22.9 36.6 0 67.4 24.6 77 58.1 47.4 9.7 83 51.6 83 101.9 0 11.3-1.8 22.2-5.1 32.3 22.7 19.1 37.1 47.7 37.1 79.7 0 23.7-8 45.6-21.3 63.1 3.5 10.4 5.3 21.4 5.3 32.9 0 54-41.2 98.5-93.9 103.5-15.6 24.3-42.9 40.5-74.1 40.5-25.2 0-48-10.6-64-27.6-16 17-38.8 27.6-64 27.6-31.1 0-58.4-16.2-74.1-40.5-52.7-5.1-93.9-49.5-93.9-103.5 0-11.5 1.9-22.5 5.3-32.9-13.4-17.5-21.3-39.4-21.3-63.1 0-32 14.5-60.6 37.1-79.7-3.3-10.2-5.1-21.1-5.1-32.3 0-50.3 35.6-92.2 83-101.9zM200 48c-17.7 0-32 14.3-32 32 0 13.3-10.7 24-24 24-30.9 0-56 25.1-56 56 0 10.5 2.9 20.3 7.9 28.6 3.4 5.7 4.3 12.5 2.5 18.9s-6.2 11.7-12 14.7c-18 9.3-30.3 28.1-30.3 49.8 0 16.1 6.8 30.7 17.8 40.9 7.9 7.4 9.9 19.2 4.8 28.8-4.2 7.8-6.5 16.7-6.5 26.3 0 30.9 25.1 56 56 56 1.1 0 2.2 0 3.2-.1 10.3-.6 19.8 5.5 23.6 15 5.9 14.7 20.4 25.1 37.1 25.1 20.4 0 37.2-15.3 39.7-35 .1-.6 .2-1.3 .3-1.9l0-135.1-40 0c-6.6 0-12 5.4-12 12l0 4.4c16.5 7.6 28 24.3 28 43.6 0 26.5-21.5 48-48 48s-48-21.5-48-48c0-19.4 11.5-36.1 28-43.6l0-4.4c0-28.7 23.3-52 52-52l40 0 0-56-12.4 0c-7.6 16.5-24.3 28-43.6 28-26.5 0-48-21.5-48-48s21.5-48 48-48c19.4 0 36.1 11.5 43.6 28l12.4 0 0-76c0-17.7-14.3-32-32-32zm80 148l0 152 40 0c6.6 0 12-5.4 12-12l0-4.4c-16.5-7.6-28-24.3-28-43.6 0-26.5 21.5-48 48-48s48 21.5 48 48c0 19.4-11.5 36.1-28 43.6l0 4.4c0 28.7-23.3 52-52 52l-40 0 0 39.1c.1 .6 .2 1.2 .3 1.9 2.5 19.7 19.3 35 39.7 35 16.8 0 31.2-10.3 37.1-25.1 3.8-9.6 13.3-15.6 23.6-15 1.1 .1 2.2 .1 3.2 .1 30.9 0 56-25.1 56-56 0-9.5-2.4-18.5-6.5-26.3-5.1-9.6-3.1-21.4 4.8-28.8 11-10.2 17.8-24.8 17.8-40.9 0-21.6-12.2-40.4-30.3-49.8-5.9-3-10.2-8.4-12-14.7s-.9-13.2 2.5-18.9c5-8.4 7.9-18.1 7.9-28.6 0-30.9-25.1-56-56-56-13.3 0-24-10.7-24-24 0-17.7-14.3-32-32-32s-32 14.3-32 32l0 76 12.4 0c7.6-16.5 24.3-28 43.6-28 26.5 0 48 21.5 48 48s-21.5 48-48 48c-19.4 0-36.1-11.5-43.6-28L280 196zm56-36a16 16 0 1 0 0 32 16 16 0 1 0 0-32zm0 128a16 16 0 1 0 32 0 16 16 0 1 0 -32 0zM144 352a16 16 0 1 0 32 0 16 16 0 1 0 -32 0zm16-176a16 16 0 1 0 32 0 16 16 0 1 0 -32 0z",[1258,1276,1292,1308,1324,1340],{"createdDate":1259,"id":1260,"name":1261,"modelId":1262,"published":13,"meta":1263,"query":1265,"data":1266,"variations":1271,"lastUpdated":1272,"firstPublished":1273,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":1274,"rev":1275},1753178645778,"5449fa4538394c349e095425c5d11836","Phil Beyer","d7293847ee82498daac1405b43442f51",{"lastPreviewUrl":29,"kind":28,"breakpoints":1264},{"xsmall":31,"small":32,"medium":33},[],{"title":1261,"thumbnail":1267,"description":1268,"subTitle":1269,"vimeoId":1270},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F59c53c6fef43465aaba78eb58a3453dc","I really like how Push approaches things. With Push, I get a platform that let's me know about the stuff I should really worry about.","Head of Security, Flex","1102046942",{},1753971645046,1753178667228,[],"jn8p9ms5on",{"createdDate":1277,"id":1278,"name":1279,"modelId":1262,"published":13,"query":1280,"data":1281,"variations":1286,"lastUpdated":1287,"firstPublished":1288,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":1289,"meta":1290,"rev":1275},1753178561135,"dc289e14fe9348248692186620322f2c","Josh Lemos",[],{"vimeoId":1282,"thumbnail":1283,"subTitle":1284,"description":1285,"title":1279},"1102047122","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F33ad464e24f34c82906a0a38468c971c","CISO","Push gives me the security context I need in the browser without requiring everyone to converge on a single enterprise browser platform.",{},1773656078003,1753178598901,[],{"lastPreviewUrl":29,"kind":28,"breakpoints":1291,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":1293,"id":1294,"name":1295,"modelId":1262,"published":13,"meta":1296,"query":1298,"data":1299,"variations":1304,"lastUpdated":1305,"firstPublished":1306,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":1307,"rev":1275},1753178508341,"502211493fb74b12b5e02179bac81918","Ash Devata",{"lastPreviewUrl":29,"breakpoints":1297,"kind":28},{"xsmall":31,"small":32,"medium":33},[],{"title":1295,"vimeoId":1300,"subTitle":1301,"description":1302,"thumbnail":1303},"1102047399","CEO, GreyNoise","We love the product and use it every day. When an employee clicks on a link and opens a browser session, that's where Push is.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6e3400d3b113480eb4309a7509d72ef2",{},1753978134235,1753178537654,[],{"createdDate":1309,"id":1310,"name":120,"modelId":1262,"published":13,"meta":1311,"query":1313,"data":1314,"variations":1320,"lastUpdated":1321,"firstPublished":1322,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":1323,"rev":1275},1753178281400,"429b3b67348348b2ada89563e90359a0",{"kind":28,"breakpoints":1312,"lastPreviewUrl":29},{"xsmall":31,"small":32,"medium":33},[],{"title":1315,"vimeoId":1316,"thumbnail":1317,"subTitle":1318,"description":1319},"Jason Waits ","1102047623","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fca9487bd90e1496ba915b2356236d85a","CISO, Inductive Automation","Push has actually been one of our favorite vendors to work with. We're thrilled with the feature direction and are extremely excited for the future.",{},1753971706068,1753178396316,[],{"createdDate":1325,"id":1326,"name":1327,"modelId":1262,"published":13,"meta":1328,"query":1330,"data":1331,"variations":1336,"lastUpdated":1337,"firstPublished":1338,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":1339,"rev":1275},1753095741593,"709549a39cfa4d7ea37af7a1df16a366","Myke Lyons",{"lastPreviewUrl":29,"breakpoints":1329,"kind":28},{"xsmall":31,"small":32,"medium":33},[],{"description":1332,"vimeoId":1333,"thumbnail":1334,"title":1327,"subTitle":1335},"Push is giving us the ability to play a better, more interactive role model for users in the browser, while allowing people to choose their own path.","1102047806","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F849139d92f174c78b647c7d3a9d45c4c","CISO, Cribl",{},1753971720977,1753095780459,[],{"createdDate":1341,"id":1342,"name":1343,"modelId":1262,"published":13,"meta":1344,"query":1346,"data":1347,"variations":1352,"lastUpdated":1353,"firstPublished":1354,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":1355,"rev":1275},1753093796185,"3faab6414c4d49b8b35162589933c4c9","Ross McKerchar",{"breakpoints":1345,"kind":28,"lastPreviewUrl":29},{"xsmall":31,"small":32,"medium":33},[],{"vimeoId":1348,"title":1343,"subTitle":1349,"vimeoUrl":1348,"thumbnail":1350,"description":1351},"1102048247","Investor","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F29861ccc980b472da4a531c3ce31efe7","Being in the browser gives a unique view that enables security teams to observe attacks that you otherwise can't.",{},1753978147205,1753093910375,[],{"createdDate":1357,"id":1358,"name":1359,"modelId":1360,"published":13,"stageModifiedSincePublish":6,"query":1361,"data":1364,"variations":1599,"lastUpdated":1600,"firstPublished":1601,"testRatio":23,"screenshot":1602,"createdBy":635,"lastUpdatedBy":92,"folders":1603,"meta":1604,"rev":1607},1767697952565,"7ce8d00dd97548548e0fda82e97c1a87","Home Page","984a8e8ed5dc4292a8d86566bcbf21fc",[1362],{"@type":225,"property":226,"operator":227,"value":1363},"/",{"seoDescription":1365,"seoTitle":1366,"inputs":1367,"themeId":6,"title":1368,"blocks":1369,"url":1363,"state":1596},"Enterprise browser security without replacing your browser. Stop attacks, secure AI usage & harden your identity attack surface. Built for the AI era.","Browser Security for the AI Era",[],"Home Page V2",[1370,1380,1418,1426,1436,1457,1502,1509,1568,1576,1584,1591],{"@type":47,"@version":48,"id":1371,"component":1372,"responsiveStyles":1378},"builder-c61bbb2837634436aca0628b44cc5dd5",{"name":1373,"tag":1373,"options":1374,"isRSC":61},"HeroBlock",{"title":1375,"subtext":1376,"trustedBy":1377},"\u003Cp>Browser Security for the AI era\u003C/p>","\u003Cp>The Secure Enterprise Browser extension that combines browser telemetry, real-time control, and autonomous agents to stop  attacks, secure AI, harden identities, and prevent data loss.\u003C/p>",{"AllPartners":34},{"large":1379},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1381,"component":1382,"responsiveStyles":1416},"builder-3bc5905f3813468b897292dcb4b7cd09",{"name":1383,"options":1384,"isRSC":34},"Columns",{"columns":1385,"space":1414,"stackColumnsAt":1415,"reverseColumnsWhenStacked":6},[1386,1404],{"blocks":1387,"link":55},[1388],{"@type":47,"@version":48,"id":1389,"component":1390,"responsiveStyles":1401},"builder-81143dde89514bfa86e3d5476babb549",{"name":1391,"options":1392,"isRSC":61},"Image",{"backgroundSize":1393,"backgroundPosition":1394,"lazy":6,"fitContent":34,"aspectRatio":1395,"lockAspectRatio":6,"sizes":1396,"height":1397,"width":1398,"image":1399,"altText":1400},"contain","top",0.77,"(max-width: 998px) 55vw, 63vw",739,960,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6256f1b283694f7ba89cf8dfb30a9224?format=webp&width=871","Guest speakers",{"large":1402},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68,"width":1403,"minHeight":344,"minWidth":344,"overflow":82},"100%",{"blocks":1405},[1406],{"@type":47,"@version":48,"id":1407,"component":1408,"responsiveStyles":1412},"builder-7d771cc8682a4d8bb11982109351f2ae",{"name":1409,"options":1410,"isRSC":61},"Custom Code",{"code":1411,"scriptsClientOnly":6},"\u003Cdiv class=\"text-left relative flex flex-col adjustment\">\n  \u003Ch2 class=\"md:text-5xl text-3xl text-pretty font-bold heading max-w-3xl opacity-0 sm:[&>span]:block\" style=\" opacity: 1; color: #fff;\">\n    \u003Cspan\n      >\u003Cstrong>State of \u003Cspan class=\"browser-attack-orange-block-clip\">Browser Attacks\u003C/span> Series\u003C/strong>\u003C/span\n    >\n  \u003C/h2>\n  \u003Cdiv class=\"flex gap-5 justify-left items-center\">\u003C/div>\n  \u003Ch3 class=\"lg:text-2xl text-xl subheading font-light mt-6\" style=\"opacity: 1; color: #fff;\">Join Push Security and special guests John Hammond, Troy Hunt, and Matt Johansen.\u003C/h3>\n  \u003Cp class=\"mt-3 text-pretty series-description\" style=\"opacity: 1; color: #fff;\">Join the industry's top security minds as they break down the browser attack landscape — from credential theft and AiTM phishing to malicious OAuth integrations, rogue browser extensions and beyond.\u003C/p>\n  \u003Cdiv class=\"flex gap-5 mt-10 justify-left items-center\" id=\"cta-button\">\n    \u003Cdiv class=\"cta-button opacity-0\" style=\"opacity: 1;\">\n      \u003Ca href=\"/webinar/state-of-browser-security\" class=\"px-9 py-3 border border-web-orange rounded-full cursor-pointer text-white bg-gradient-to-b from-web-orange to-web-orange-dark text-xl transition-all duration-500 hover:shadow-primary-button\"\n        >\u003C!--[-->\n        Register Now\n        \u003C!--]-->\u003C/a\n      >\n    \u003C/div>\n  \u003C/div>\n  \u003Cdiv id=\"guest-speakers\" class=\"mt-4\">\n    \u003Cimg alt=\"3 speakers\" src=\"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb9c87c651f7b4d3b8bdc74952b032e54\" />\n  \u003C/div>\n\u003C/div>\n\u003Cstyle>\n        .builder-3bc5905f3813468b897292dcb4b7cd09.builder-block {background-image: url('https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F1753a3ecdbf34097aec69cd1ed8bccc0');\n        background-size: cover;\n        background-repeat: no-repeat;\n        background-position: center;\n        height: 972px;\n        width: 100%;\n        position: relative;\n        max-width: 1560px;\n        margin-left: auto;\n        margin-right: auto;\n        padding-top: 0px;\n        padding-bottom: 10px;\n        margin-bottom: -9.5rem;\n        }\n\n\n      .builder-81143dde89514bfa86e3d5476babb549 {\n        justify-content: center;\n        align-items: center;\n        min-height: 100%;\n      }\n\n       .builder-3bc5905f3813468b897292dcb4b7cd09.builder-block .adjustment {\n        max-width: 415px;\n      }\n\n      .builder-3bc5905f3813468b897292dcb4b7cd09.builder-block img {\n        height: 100vh;\n        margin: auto;\n        position: relative;\n        right: 0;\n        top: 1rem !important;\n      }\n\n      .builder-3bc5905f3813468b897292dcb4b7cd09.builder-block .builder-column:first-child {\n        justify-content: center;\n        align-items: center;\n        display: flex;\n      }\n\n      .div-t43jfuqn6g {\n        padding-top: 0 !important;\n        height: auto !important;\n      }\n\n      .adjustment {\n        padding-top: 111px;\n      }\n\n      .adjustment .cta-button {\n        position: relative;\n        z-index:1;\n      }\n\n      .adjustment .subheading {\n        font-size: 20px;\n        font-weight: 600;\n      }\n\n      .adjustment .font-bold.heading strong {\n        font-weight: 700;\n      }\n\n      .browser-attack-orange-block-clip {\n        -webkit-text-fill-color: transparent;\n          -webkit-text-fill-color: transparent;\n          background-image: linear-gradient(14deg, #ff9d29 35%, #e73918 73%);\n          -webkit-background-clip: text;\n          background-clip: text;\n      }\n\n      .series-description {\n        line-height: 28px;\n          font-size: 16px;\n      }\n\n      #guest-speakers {\n        display: none;\n      }\n\n      .builder-81143dde89514bfa86e3d5476babb549 {\n        width: 113%;\n      }\n\n      @media (max-width: 991px) {\n        .adjustment .justify-left.items-center {\n          justify-content: center;\n        }\n        .adjustment {\n        padding-top: 60px;\n        padding-left: 20px;\n        padding-right: 20px;\n      }\n      }\n\n      @media (max-width: 768px) {\n        .builder-3bc5905f3813468b897292dcb4b7cd09.builder-block .adjustment {\n        max-width: 915px;\n        align-items: center;\n        text-align: center;\n        }\n\n        #guest-speakers {\n        object-fit: contain;\n        position: relative;\n        display: inline-flex;\n        height: 30px;\n        left: 0px;\n        top: 0px;\n        }\n\n        #guest-speakers.mt-4 {\n          margin-top:1.75rem;\n        }\n\n        .builder-3bc5905f3813468b897292dcb4b7cd09.builder-block #guest-speakers img\n        {\n            height: 30vw;\n        }\n      }\n\n        @media (max-width: 450px) {\n    .builder-3bc5905f3813468b897292dcb4b7cd09.builder-block #guest-speakers img\n        {\n            height: 20vw;\n        }\n\n        #cta-button {\n          margin-top: 1.75rem;\n        }\n\n        #guest-speakers.mt-4 {\n          margin-top:1rem;\n        }\n\n        .builder-3bc5905f3813468b897292dcb4b7cd09.builder-block {\n          height: 1000px;\n          margin-bottom: -13.5rem;\n        }\n        }\n\n  @media (max-width: 300px) {\n        .builder-3bc5905f3813468b897292dcb4b7cd09.builder-block {\n          height: 1150px;\n        }\n  }\n\u003C/style>\n",{"large":1413},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},20,"tablet",{"large":1417},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1419,"component":1420,"responsiveStyles":1424},"builder-d23a792035c7495ba8169ef324cabbb6",{"name":1421,"tag":1421,"options":1422,"isRSC":61},"PrincipalVideo",{"videoId":1423},"1104148321",{"large":1425},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1427,"component":1428,"responsiveStyles":1434},"builder-a6ceace16a854c279adb850d44fe9588",{"name":1429,"tag":1429,"options":1430,"isRSC":61},"WorkHappens",{"title":1431,"subtext":1432,"image":1433},"\u003Cp>Work happens in the browser. \u003C/p>\u003Cp>So do attacks.\u003C/p>","\u003Cp>Every sensitive login and critical dataset your company owns is now accessed through a browser session. This creates a massive attack surface that allows criminals to bypass your defenses and disrupt your business. You can’t secure this surface from the outside; you need native detection built directly into the browser.\u003C/p>\n","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6a007340c16a4449a942a476a04f939f",{"large":1435},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1437,"component":1438,"responsiveStyles":1455},"builder-a3a57bac716c48759c797e27a14d7c17",{"name":1439,"tag":1439,"options":1440,"isRSC":61},"BrowserAiSecurity",{"attackersCard":1441,"employeesCard":1444,"browserCard":1447,"securityCard":1450,"title":1453,"subtext":1454},{"title":1442,"subtext":1443},"\u003Cp>Attackers are AI-enabled. Traditional defenses can't keep up.\u003C/p>\n","\u003Cp>Attackers use AI to generate flawless phishing lures, vibe-code convincing websites and automate ATO techniques across thousands of apps.\u003C/p>\n",{"title":1445,"subtext":1446},"\u003Cp>Employees are adopting AI faster than security teams can handle.\u003C/p>","\u003Cp>Employees use LLMs, paste sensitive data into prompts, authorize AI agents, and install AI browser extensions — at a pace no team can track manually.\u003C/p>",{"title":1448,"subtext":1449},"\u003Cp>The browser is the \u2028control point for both.\u003C/p>","\u003Cp>It's the only layer where external attacks and internal AI misuse are both visible and stoppable.\u003C/p>",{"title":1451,"subtext":1452},"\u003Cp>AI-native browser security\u003C/p>","\u003Cp>Push's autonomous agents use the highest-fidelity telemetry to detect and stop advanced AI-enabled attacks and risky AI user activity where they happen — in the browser  —  all at machine speed and scale, across every browser in your organization, no migration required.\u003C/p>","\u003Cp>AI security delivered in the browser\u003C/p>\n","\u003Cp>Attackers are using AI to hit harder. Employees are adopting AI faster than security can track. \u003C/p>\u003Cp>Push addresses both where they happen — inside the browser.\u003C/p>",{"large":1456},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1458,"component":1459,"responsiveStyles":1500},"builder-72c8364648774eb1a5af4a08fa4959d1",{"name":1460,"tag":1460,"options":1461,"isRSC":61},"CuratedThreatResearch",{"items":1462,"sectionHeading":1499},[1463,1470,1476,1482,1488,1494],{"title":1464,"subtext":1465,"cta":1466,"image":1469},"ConsentFix: Analysing a browser-native ClickFix-style attack that hijacks OAuth consent grants","\u003Cp>We recently intercepted a phishing campaign using a new kind of attack technique that we’re calling “ConsentFix” — combining OAuth consent phishing with a ClickFix-style user prompt that leads to account compromise. Here's what you need to know.\u003C/p>",{"text":1467,"link":1468},"Learn more","/blog/consentfix/","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F1264ba271b1f4271a8ff31bc0604a5ba",{"title":1471,"subtext":1472,"cta":1473,"image":1475},"\"Scattered Lapsus$ Hunters\" — how modern attackers exploit the gaps in your security stack","\u003Cp>How \"Scattered Lapsus$ Hunters\" breaches demonstrate the evolution of attacker TTPs, shaping the future of cyber attacks.\u003C/p>",{"text":1467,"link":1474},"/blog/scattered-lapsus-hunters/","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F80869548fed44fc6b019f14232f11bb3",{"title":1477,"subtext":1478,"cta":1479,"image":1481},"On-demand Webinar: Analyzing ClickFix","\u003Cp>Learn how ClickFix social engineering attacks are bypassing controls and driving security breaches.\u003C/p>\n",{"text":1467,"link":1480},"/resources/clickfix","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F740254cfcbff4ba99bf25fad8fc1b278",{"title":1483,"subtext":1484,"cta":1485,"image":1487},"Uncovering a Calendly-themed phishing campaign targeting business ad manager accounts","\u003Cp>Investigating a phishing campaign targeting Google Ads Manager MCC accounts to propagate malvertising lures.\u003C/p>",{"text":1467,"link":1486},"/blog/uncovering-a-calendly-themed-phishing-campaign/","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F83c0cf9b0d674389a139758c3429c727",{"title":1489,"subtext":1490,"cta":1491,"image":1493},"How Phishing Attacks Evolved in 2025","\u003Cp>In real-world phishing attempts detected by Push in 2025, we’ve seen a huge rise in the volume and sophistication of phishing as attackers double-down on identity-based techniques — the leading cause of security breaches. \u003C/p>",{"text":1467,"link":1492},"/resources/phishing-2025-review","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8eb553367fa44fde8d4c7c2f2cddb7fb",{"title":1495,"subtext":1496,"cta":1497,"image":1498},"New Report: 2026 Browser Attack Techniques","\u003Cp>Learn about the browser-based attack techniques behind the biggest breaches today, how they’re bypassing controls, and what security teams can do about it.\u003C/p>",{"text":1467,"link":165},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9dd42c378a3c403c8bc38f15904beffd","Latest threat research",{"large":1501},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1503,"component":1504,"responsiveStyles":1507},"builder-7abbbf2f94f14cbca3cdbaa79e0e525b",{"name":1505,"tag":1505,"options":1506,"isRSC":61},"Testimonial",{},{"large":1508},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1510,"component":1511,"responsiveStyles":1566},"builder-5d87d5b221c345a6baa965246322ea2c",{"name":1512,"tag":1512,"options":1513,"isRSC":61},"SecurityPlatform",{"title":1514,"description":1515,"card1":1516,"card2":1520,"card3":1524,"browsers":1528,"cta":1565},"Push Security Platform","\u003Cp>True security delivered via the browser shouldn't come at the cost of productivity. Push enhances the browsers your team already knows and loves, deploying in minutes to provide powerful security without friction or forcing a disruptive switch.\u003C/p>\n",{"title":1517,"description":1518,"icon":1519},"Real-time detection","\u003Cp>Block threats that bypass your perimeter defenses. Push sees in-browser attacks the moment they appear, stopping phishing, token theft, and account takeover attempts in real time.\u003C/p>\n","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ffceefa8356c5460c878547e8d93130d3",{"title":1521,"description":1522,"icon":1523},"Faster investigations","\u003Cp>Get the context your EDR and SIEM logs are missing. Push delivers opinionated browser telemetry that gives defenders unmatched clarity to detect attacks, harden posture, and respond with confidence.\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7d5924d8882147c9a8081abc0e025c3e",{"icon":1525,"title":1526,"description":1527},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa6795c0c7a5746cfb4abe81ba0a1bd9e","Proactive response","\u003Cp>Guide users to safer behavior. Push enforces MFA, SSO, and strong credentials in the browser, preventing risky actions before they become incidents and strengthening your security posture.\u003C/p>",[1529,1532,1535,1538,1541,1544,1547,1550,1553,1556,1559,1562],{"logo":1530,"name":1531},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc789f5d1b5994f04a86159de322982ba","Chrome",{"logo":1533,"name":1534},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9d8028df206343c787e2af64f08ef86d","Edge",{"logo":1536,"name":1537},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F32571fbf202041feb5676d3bce0b9637","Firefox",{"logo":1539,"name":1540},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb20fdf6905944322aa107a614fd5ddeb","Brave",{"logo":1542,"name":1543},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F15978b6afec142a9ac7bd1016fe72e04","Arc",{"logo":1545,"name":1546},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fa2148c02a66b413293c5028fe9b42cf8","Safari",{"logo":1548,"name":1549},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff13b8e514ef84b6895308576eb056c66","Opera",{"logo":1551,"name":1552},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff41c85be445c4010a2cc8e654eabff9e","Island",{"name":1554,"logo":1555},"Prisma Access","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7e3bc4194afd4d4180db04f9243323d6",{"name":1557,"logo":1558},"Dia","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd55f76480aca4e799949667943cd9a03",{"name":1560,"logo":1561},"Comet","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd0fc362014dc47e4a9a02f187b7629af",{"name":1563,"logo":1564},"Atlas","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb48727a36dc641e7b5aaef583317932b",{"openInNewTab":6},{"large":1567},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1569,"component":1570,"responsiveStyles":1574},"builder-27d61d8d09094f4c9ab77feb3cfc608b",{"name":1571,"tag":1571,"options":1572,"isRSC":61},"CustomerStoriesVideoCarousel",{"title":1573},"Hear what people are saying about Push",{"large":1575},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1577,"component":1578,"responsiveStyles":1582},"builder-7fa149eada544501a6b035a5b704bff5",{"name":1579,"tag":1579,"options":1580,"isRSC":61},"ProductOutcomes",{"sectionHeading":1581},"Outcomes that matter most",{"large":1583},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"@type":47,"@version":48,"id":1585,"component":1586,"responsiveStyles":1589},"builder-11bad9b7baf7415e9f75141c19eb04a1",{"name":377,"tag":377,"options":1587,"isRSC":61},{"sectionHeading":1588},"Latest resources",{"large":1590},{"display":64,"flexDirection":65,"position":66,"flexShrink":67,"boxSizing":68},{"id":1592,"@type":47,"tagName":74,"properties":1593,"responsiveStyles":1594},"builder-pixel-082z9wkzapm",{"src":76,"aria-hidden":77,"alt":29,"role":78,"width":67,"height":67},{"large":1595},{"height":67,"width":67,"display":81,"opacity":67,"overflow":82,"pointerEvents":83},{"deviceSize":85,"location":1597},{"path":29,"query":1598},{},{},1777391543593,1767698434884,"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F9e09bb1bdc9c4764b3eabeb79fbb4351",[],{"breakpoints":1605,"kind":399,"lastPreviewUrl":1606,"hasLinks":6,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditCode%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CeditProjects%2CmodifyMcpServers%2CmodifyWorkflowIntegrations%2CmodifyProjectSettings%2CconnectCodeRepository%2CcreateProjects%2CindexDesignSystems%2CsendPullRequests%2CmergePullRequests&builder.user.role.name=Developer&builder.user.role.id=developer&builder.cachebust=true&builder.preview=home-page-v-2&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.home-page-v-2=7ce8d00dd97548548e0fda82e97c1a87&builder.overrides.7ce8d00dd97548548e0fda82e97c1a87=7ce8d00dd97548548e0fda82e97c1a87&builder.overrides.home-page-v-2:/=7ce8d00dd97548548e0fda82e97c1a87&builder.options.locale=Default","ifm56q56yf",[1609,6051,11298,16492],{"id":1610,"title":1611,"authorsCollection":1612,"content":1620,"extension":2606,"hashTags":61,"meta":2607,"metaTitle":2608,"ogImage":61,"publishedDate":2609,"relatedBlogPostsCollection":2610,"slug":6027,"stem":6028,"subtitle":61,"summary":6029,"synopsis":6040,"sys":6041,"tagsCollection":6044,"__hash__":6050},"blog/blog/why-browser-extension-risk-scoring-wont-predict-your-next-breach.json","Why relying on browser extension risk scoring is an antipattern that won’t predict your next breach",{"items":1613},[1614],{"fullName":1615,"firstName":1616,"jobTitle":1617,"profilePicture":1618},"Dan Green","Dan","Threat Research",{"url":1619},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":1621,"links":2507},{"nodeType":1622,"data":1623,"content":1624},"document",{},[1625,1634,1682,1689,1696,1700,1710,1717,1725,1767,1789,1792,1800,1807,1814,1822,1838,1854,1861,1877,1884,1900,1921,1941,1998,2010,2030,2036,2043,2050,2057,2064,2087,2093,2100,2107,2114,2126,2151,2154,2162,2169,2176,2183,2203,2209,2232,2239,2246,2371,2377,2384,2391,2394,2402,2409,2429,2436,2444,2447,2466],{"nodeType":1626,"data":1627,"content":1633},"embedded-entry-block",{"target":1628},{"sys":1629},{"id":1630,"type":1631,"linkType":1632},"4Lk4sATAlk2wPcevG0cJCu","Link","Entry",[],{"nodeType":1635,"data":1636,"content":1637},"paragraph",{},[1638,1643,1654,1658,1666,1669,1678],{"nodeType":1639,"value":1640,"marks":1641,"data":1642},"text","Browser extensions have become one of the most talked-about attack surfaces in security over the past 18 months, and understandably so — a string of high-profile supply chain compromises have collectively impacted tens of millions of users since late 2024 (",[],{},{"nodeType":1644,"data":1645,"content":1647},"hyperlink",{"uri":1646},"https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it",[1648],{"nodeType":1639,"value":1649,"marks":1650,"data":1653},"Cyberhaven",[1651],{"type":1652},"underline",{},{"nodeType":1639,"value":1655,"marks":1656,"data":1657},", ",[],{},{"nodeType":1644,"data":1659,"content":1661},{"uri":1660},"https://thehackernews.com/2025/12/darkspectre-browser-extension-campaigns.html",[1662],{"nodeType":1639,"value":1663,"marks":1664,"data":1665},"DarkSpectre",[],{},{"nodeType":1639,"value":1655,"marks":1667,"data":1668},[],{},{"nodeType":1644,"data":1670,"content":1672},{"uri":1671},"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html",[1673],{"nodeType":1639,"value":1674,"marks":1675,"data":1677},"Trust Wallet",[1676],{"type":1652},{},{"nodeType":1639,"value":1679,"marks":1680,"data":1681},", among many others). ",[],{},{"nodeType":1635,"data":1683,"content":1684},{},[1685],{"nodeType":1639,"value":1686,"marks":1687,"data":1688},"But as the industry scrambles to respond, there's a tendency to treat browser extension management as an entirely new paradigm that requires a new approach, particularly risk scoring systems that attempt to rate each extension on a spectrum from safe to dangerous.",[],{},{"nodeType":1635,"data":1690,"content":1691},{},[1692],{"nodeType":1639,"value":1693,"marks":1694,"data":1695},"We think this framing misses the point, and that it's leading security teams toward a strategy that won't protect them from the attacks that actually cause damage.",[],{},{"nodeType":1697,"data":1698,"content":1699},"hr",{},[],{"nodeType":1701,"data":1702,"content":1703},"heading-1",{},[1704],{"nodeType":1639,"value":1705,"marks":1706,"data":1709},"The practical problem: \"just remove the high-risk ones\" doesn't work",[1707],{"type":1708},"bold",{},{"nodeType":1635,"data":1711,"content":1712},{},[1713],{"nodeType":1639,"value":1714,"marks":1715,"data":1716},"The strategy we see most often is some version of \"identify and remove the highest-risk extensions.\" On the surface this seems reasonable — you can't address everything, so you prioritize. The problem is that it doesn't materially reduce your exposure to the attacks that are actually happening.",[],{},{"nodeType":1635,"data":1718,"content":1719},{},[1720],{"nodeType":1639,"value":1721,"marks":1722,"data":1724},"Browser extension attacks almost always follow one of two patterns: ",[1723],{"type":1708},{},{"nodeType":1726,"data":1727,"content":1728},"unordered-list",{},[1729,1740],{"nodeType":1730,"data":1731,"content":1732},"list-item",{},[1733],{"nodeType":1635,"data":1734,"content":1735},{},[1736],{"nodeType":1639,"value":1737,"marks":1738,"data":1739},"A legitimate developer is compromised through consent phishing, session theft, or AiTM phishing, and a malicious update is pushed to the existing user base. Cyberhaven is a good example of this — a developer got consent phished with a specific app that granted the attacker access to the extension store.",[],{},{"nodeType":1730,"data":1741,"content":1742},{},[1743],{"nodeType":1635,"data":1744,"content":1745},{},[1746,1750,1763],{"nodeType":1639,"value":1747,"marks":1748,"data":1749},"An attacker builds or acquires a clean extension, operates it legitimately until it accumulates a sufficient user base, then deploys a malicious update. GitLab's threat intelligence team documented a cluster of",[],{},{"nodeType":1644,"data":1751,"content":1753},{"uri":1752},"https://gitlab-com.gitlab.io/gl-security/security-tech-notes/threat-intelligence-tech-notes/malicious-browser-extensions-feb-2025/",[1754,1758],{"nodeType":1639,"value":1755,"marks":1756,"data":1757}," ",[],{},{"nodeType":1639,"value":1759,"marks":1760,"data":1762},"16 extensions impacting 3.2 million users",[1761],{"type":1652},{},{"nodeType":1639,"value":1764,"marks":1765,"data":1766}," where access had been acquired from original developers rather than via compromise.",[],{},{"nodeType":1635,"data":1768,"content":1769},{},[1770,1775,1780,1784],{"nodeType":1639,"value":1771,"marks":1772,"data":1774},"This means that r",[1773],{"type":1708},{},{"nodeType":1639,"value":1776,"marks":1777,"data":1779},"eal-world extension breaches aren't coming from extensions that looked risky beforehand.",[1778],{"type":1708},{},{"nodeType":1639,"value":1781,"marks":1782,"data":1783}," If your strategy is \"identify and remove the highest-risk extensions,\" you're optimizing for the wrong thing — because even extensions that score as moderate or low risk by every conventional measure still have the permissions and access needed for a full compromise. ",[],{},{"nodeType":1639,"value":1785,"marks":1786,"data":1788},"If you skim off the top 10% “riskiest” extensions, 90% of the extensions in your environment could still become a breach vector. ",[1787],{"type":1708},{},{"nodeType":1697,"data":1790,"content":1791},{},[],{"nodeType":1701,"data":1793,"content":1794},{},[1795],{"nodeType":1639,"value":1796,"marks":1797,"data":1799},"What risk scoring is designed to measure — and why it can’t predict future compromise",[1798],{"type":1708},{},{"nodeType":1635,"data":1801,"content":1802},{},[1803],{"nodeType":1639,"value":1804,"marks":1805,"data":1806},"Most extension risk scoring systems evaluate some combination of permissions, install count, user ratings, code analysis, developer reputation, and web store trust signals. Nice-to-have data points, but with a common limitation: they describe the extension as it is today, not what it will become after the next update. That makes them poor predictors of the thing that actually causes breaches — a previously-clean extension being weaponized through a supply chain compromise.",[],{},{"nodeType":1635,"data":1808,"content":1809},{},[1810],{"nodeType":1639,"value":1811,"marks":1812,"data":1813},"It's worth examining why each signal falls short as a predictor specifically of future compromise, because the failure modes are different and well-documented.",[],{},{"nodeType":1815,"data":1816,"content":1817},"heading-2",{},[1818],{"nodeType":1639,"value":1819,"marks":1820,"data":1821},"Permissions",[],{},{"nodeType":1635,"data":1823,"content":1824},{},[1825,1829,1834],{"nodeType":1639,"value":1826,"marks":1827,"data":1828},"Permissions are the most meaningful input to a risk score, because they determine what an extension is ",[],{},{"nodeType":1639,"value":1830,"marks":1831,"data":1833},"capable",[1832],{"type":273},{},{"nodeType":1639,"value":1835,"marks":1836,"data":1837}," of doing if it turns malicious. An extension with access to cookies, scripting, and broad host permissions can steal session tokens, log keystrokes, and exfiltrate data from any site the user visits. This is the data that actually answers the question \"what could this extension do to us if it went bad?\"",[],{},{"nodeType":1635,"data":1839,"content":1840},{},[1841,1845,1850],{"nodeType":1639,"value":1842,"marks":1843,"data":1844},"The problem is that these permissions are extraordinarily common. We analyzed a sample of 20,000 unique extensions deployed across Push customers and found that ",[],{},{"nodeType":1639,"value":1846,"marks":1847,"data":1849},"46.76% have the permission combinations needed to perform account takeover with no user interaction",[1848],{"type":1708},{},{"nodeType":1639,"value":1851,"marks":1852,"data":1853},". ",[],{},{"nodeType":1635,"data":1855,"content":1856},{},[1857],{"nodeType":1639,"value":1858,"marks":1859,"data":1860},"These figures also understate the real exposure. One of the most straightforward attack techniques involves injecting content scripts into web pages to hook request functions and extract cookies. The user-facing warning Chrome shows for this capability — \"Read and change all your data on the websites you visit\" — is the same generic string shown for ad blockers, password managers, and translation tools. ",[],{},{"nodeType":1635,"data":1862,"content":1863},{},[1864,1868,1873],{"nodeType":1639,"value":1865,"marks":1866,"data":1867},"You can't practically remove everything that ",[],{},{"nodeType":1639,"value":1869,"marks":1870,"data":1872},"could",[1871],{"type":273},{},{"nodeType":1639,"value":1874,"marks":1875,"data":1876}," be dangerous, because that includes most of the extensions people actually use for work. And if you set the threshold lower to keep the list manageable, you're excluding extensions that have the same permissions and pose the same theoretical risk.",[],{},{"nodeType":1815,"data":1878,"content":1879},{},[1880],{"nodeType":1639,"value":1881,"marks":1882,"data":1883},"Install counts, ratings, developer reputation, and web store badges",[],{},{"nodeType":1635,"data":1885,"content":1886},{},[1887,1891,1896],{"nodeType":1639,"value":1888,"marks":1889,"data":1890},"These signals share a common failure mode, so it's worth addressing them together: they all describe the extension's ",[],{},{"nodeType":1639,"value":1892,"marks":1893,"data":1895},"reputation",[1894],{"type":273},{},{"nodeType":1639,"value":1897,"marks":1898,"data":1899}," at a point in time, and attackers have both the means and the incentive to ensure that reputation looks clean.",[],{},{"nodeType":1635,"data":1901,"content":1902},{},[1903,1908,1912,1917],{"nodeType":1639,"value":1904,"marks":1905,"data":1907},"Install count ",[1906],{"type":1708},{},{"nodeType":1639,"value":1909,"marks":1910,"data":1911},"is sometimes used as a proxy for trustworthiness, on the assumption that widely-adopted extensions are more likely to be legitimate. In practice, high install count is often a ",[],{},{"nodeType":1639,"value":1913,"marks":1914,"data":1916},"precondition",[1915],{"type":273},{},{"nodeType":1639,"value":1918,"marks":1919,"data":1920}," for the attack rather than a signal against it. ",[],{},{"nodeType":1635,"data":1922,"content":1923},{},[1924,1928,1937],{"nodeType":1639,"value":1925,"marks":1926,"data":1927},"Attackers who acquire or build extensions are specifically waiting for the install base to grow before weaponizing — what researchers are calling the \"",[],{},{"nodeType":1644,"data":1929,"content":1931},{"uri":1930},"https://www.malwarebytes.com/blog/news/2025/12/sleeper-browser-extensions-woke-up-as-spyware-on-4-million-devices",[1932],{"nodeType":1639,"value":1933,"marks":1934,"data":1936},"sleeper agent",[1935],{"type":1652},{},{"nodeType":1639,"value":1938,"marks":1939,"data":1940},"\" strategy. Install counts can also be easily inflated with bots, meaning that using them as a positive risk signal actively rewards the attackers who are best at gaming the system.",[],{},{"nodeType":1726,"data":1942,"content":1943},{},[1944,1966,1988],{"nodeType":1730,"data":1945,"content":1946},{},[1947],{"nodeType":1635,"data":1948,"content":1949},{},[1950,1954,1962],{"nodeType":1639,"value":1951,"marks":1952,"data":1953},"The ",[],{},{"nodeType":1644,"data":1955,"content":1956},{"uri":1660},[1957],{"nodeType":1639,"value":1958,"marks":1959,"data":1961},"DarkSpectre campaign",[1960],{"type":1652},{},{"nodeType":1639,"value":1963,"marks":1964,"data":1965}," accumulated over 8.8 million compromised browsers across extensions that held \"verified\" status and healthy install counts throughout a seven-year operational period. ",[],{},{"nodeType":1730,"data":1967,"content":1968},{},[1969],{"nodeType":1635,"data":1970,"content":1971},{},[1972,1975,1984],{"nodeType":1639,"value":1951,"marks":1973,"data":1974},[],{},{"nodeType":1644,"data":1976,"content":1978},{"uri":1977},"https://www.ox.security/blog/malicious-chrome-extensions-steal-chatgpt-deepseek-conversations/",[1979],{"nodeType":1639,"value":1980,"marks":1981,"data":1983},"AITOPIA",[1982],{"type":1652},{},{"nodeType":1639,"value":1985,"marks":1986,"data":1987}," impersonation extensions had over 900,000 combined installs and a Google \"Featured\" badge. ",[],{},{"nodeType":1730,"data":1989,"content":1990},{},[1991],{"nodeType":1635,"data":1992,"content":1993},{},[1994],{"nodeType":1639,"value":1995,"marks":1996,"data":1997},"Cyberhaven had approximately 400,000 users at the time of compromise. ",[],{},{"nodeType":1635,"data":1999,"content":2000},{},[2001,2006],{"nodeType":1639,"value":2002,"marks":2003,"data":2005},"User ratings",[2004],{"type":1708},{},{"nodeType":1639,"value":2007,"marks":2008,"data":2009}," suffer from the same problems. Attackers use bot networks to generate positive reviews, and even genuinely clean extensions will carry good ratings right up until they're compromised. By the time users start leaving negative reviews the attack has already run its course.",[],{},{"nodeType":1635,"data":2011,"content":2012},{},[2013,2018,2021,2026],{"nodeType":1639,"value":2014,"marks":2015,"data":2017},"Developer reputation and \"Featured\" and \"Verified\"",[2016],{"type":1708},{},{"nodeType":1639,"value":1755,"marks":2019,"data":2020},[],{},{"nodeType":1639,"value":2022,"marks":2023,"data":2025},"badges",[2024],{"type":1708},{},{"nodeType":1639,"value":2027,"marks":2028,"data":2029}," fail for a related but slightly different reason: the attack typically doesn't come from a known-bad developer. It comes from a reputable developer whose account has been compromised, or from an extension that has changed hands. ",[],{},{"nodeType":1626,"data":2031,"content":2035},{"target":2032},{"sys":2033},{"id":2034,"type":1631,"linkType":1632},"d1C5wKxUnKFwfhf4OBQAq",[],{"nodeType":1635,"data":2037,"content":2038},{},[2039],{"nodeType":1639,"value":2040,"marks":2041,"data":2042},"The net result across all of these signals is that the extensions most likely to appear in breach headlines — established tools with large user bases, good ratings, verified badges, and reputable developers — are precisely the ones that risk scoring would rate as low-risk.",[],{},{"nodeType":1815,"data":2044,"content":2045},{},[2046],{"nodeType":1639,"value":2047,"marks":2048,"data":2049},"Code analysis",[],{},{"nodeType":1635,"data":2051,"content":2052},{},[2053],{"nodeType":1639,"value":2054,"marks":2055,"data":2056},"Static analysis of extension code is the approach that sounds most rigorous, and it's the basis for Chrome Web Store's own review process. Google operates a hybrid system combining automated analysis and manual review, with manual review typically reserved for submissions that trigger specific signals such as sensitive permissions or large code volumes.",[],{},{"nodeType":1635,"data":2058,"content":2059},{},[2060],{"nodeType":1639,"value":2061,"marks":2062,"data":2063},"But attackers have developed reliable techniques to pass these checks, and the specific evasion methods used in major campaigns illustrate why static analysis consistently falls short. ",[],{},{"nodeType":1726,"data":2065,"content":2066},{},[2067,2077],{"nodeType":1730,"data":2068,"content":2069},{},[2070],{"nodeType":1635,"data":2071,"content":2072},{},[2073],{"nodeType":1639,"value":2074,"marks":2075,"data":2076},"The Cyberhaven compromise used dynamically loaded content fetched from a remote server via service workers, with the C2 infrastructure delivering different malicious configurations to different end-users — meaning that even if a scanner fetched the remote payload, it might receive a benign configuration depending on the target profile.",[],{},{"nodeType":1730,"data":2078,"content":2079},{},[2080],{"nodeType":1635,"data":2081,"content":2082},{},[2083],{"nodeType":1639,"value":2084,"marks":2085,"data":2086},"The GhostPoster campaign (part of the broader DarkSpectre operation) took evasion further still: the extension waited 48 hours between configuration check-ins and only loaded a malicious payload 10% of the time. No sandbox is running for 48 hours, and a 10% activation rate means that nine out of ten analysis runs would see nothing at all.",[],{},{"nodeType":1626,"data":2088,"content":2092},{"target":2089},{"sys":2090},{"id":2091,"type":1631,"linkType":1632},"6jy6jvYcHTXO2uMd7kx647",[],{"nodeType":1635,"data":2094,"content":2095},{},[2096],{"nodeType":1639,"value":2097,"marks":2098,"data":2099},"It's also worth noting that Chrome Web Store policy explicitly disallows code obfuscation, precisely because it makes review impossible. The fact that attackers have found ways to hide malicious behavior without technically obfuscating their code speaks to the fundamental asymmetry at play: the attacker controls when and how malicious functionality appears, and static analysis can only evaluate what's present at the time of review.",[],{},{"nodeType":1815,"data":2101,"content":2102},{},[2103],{"nodeType":1639,"value":2104,"marks":2105,"data":2106},"But extension scores combine all of these things …",[],{},{"nodeType":1635,"data":2108,"content":2109},{},[2110],{"nodeType":1639,"value":2111,"marks":2112,"data":2113},"The obvious counterargument is that no serious risk scoring system relies on any single signal in isolation — the value is supposed to come from combining permissions, install count, ratings, code analysis, and developer reputation into a composite score that's more predictive than any individual input. In theory, this sounds like the right approach: weak signals aggregated together should produce a stronger signal.",[],{},{"nodeType":1635,"data":2115,"content":2116},{},[2117,2122],{"nodeType":1639,"value":2118,"marks":2119,"data":2121},"In practice, combining signals that are individually unable to predict supply chain compromise doesn't produce a signal that can. ",[2120],{"type":1708},{},{"nodeType":1639,"value":2123,"marks":2124,"data":2125},"Aggregating a set of backward-looking indicators doesn't make the aggregate forward-looking; it just gives you a more detailed description of the present state, which is the state before the attack has happened. No weighting or combination of install count, code behavior, and developer reputation would have flagged Cyberhaven, or DarkSpectre, or Trust Wallet before the malicious update shipped, because at that point every input to the composite score was returning a legitimate value.",[],{},{"nodeType":1635,"data":2127,"content":2128},{},[2129,2133,2138,2142,2147],{"nodeType":1639,"value":2130,"marks":2131,"data":2132},"Meanwhile, the indicators that ",[],{},{"nodeType":1639,"value":2134,"marks":2135,"data":2137},"do",[2136],{"type":273},{},{"nodeType":1639,"value":2139,"marks":2140,"data":2141}," predict real-world compromise — an extension changing ownership, a developer account being phished, an update introducing behavior that wasn't present in prior versions, or an extension being explicitly confirmed as malicious through threat intelligence — aren't predictive risk score inputs. ",[],{},{"nodeType":1639,"value":2143,"marks":2144,"data":2146},"They're discrete events that require monitoring and an immediate response, not a recalculated number on a dashboard. ",[2145],{"type":1708},{},{"nodeType":1639,"value":2148,"marks":2149,"data":2150},"This is an important distinction: the signals that matter are changes over time, not static attributes at a point in time, and they call for a detection-and-response workflow rather than a periodic risk review.",[],{},{"nodeType":1697,"data":2152,"content":2153},{},[],{"nodeType":1701,"data":2155,"content":2156},{},[2157],{"nodeType":1639,"value":2158,"marks":2159,"data":2161},"What works instead",[2160],{"type":1708},{},{"nodeType":1635,"data":2163,"content":2164},{},[2165],{"nodeType":1639,"value":2166,"marks":2167,"data":2168},"If the goal is to reduce your exposure to extension-based supply chain compromise rather than to generate a ranked list of risk, the approach is operationally straightforward — even if it requires more discipline than deploying a scoring dashboard.",[],{},{"nodeType":1815,"data":2170,"content":2171},{},[2172],{"nodeType":1639,"value":2173,"marks":2174,"data":2175},"Reduce your attack surface through allowlisting",[],{},{"nodeType":1635,"data":2177,"content":2178},{},[2179],{"nodeType":1639,"value":2180,"marks":2181,"data":2182},"Build a complete inventory of every extension running across your environment — what's installed, how it got there (managed deployment, manual install, sideloaded, developer mode), what permissions it has, who's using it, and whether it serves a legitimate work purpose. Then create a strict allowlist of vetted and approved extensions and block everything else.",[],{},{"nodeType":1635,"data":2184,"content":2185},{},[2186,2190,2199],{"nodeType":1639,"value":2187,"marks":2188,"data":2189},"This is the same default-deny approach that's been best practice for firewall policy and endpoint allowlisting for decades. ",[],{},{"nodeType":1644,"data":2191,"content":2193},{"uri":2192},"https://pushsecurity.com/blog/browser-extension-management-guide/",[2194],{"nodeType":1639,"value":2195,"marks":2196,"data":2198},"In Push, it works like building a firewall rule",[2197],{"type":1652},{},{"nodeType":1639,"value":2200,"marks":2201,"data":2202},": a global block rule at the bottom that disables all browser extensions, with explicit exceptions above it for approved tools. Users who attempt to install unapproved extensions see a block screen.",[],{},{"nodeType":1626,"data":2204,"content":2208},{"target":2205},{"sys":2206},{"id":2207,"type":1631,"linkType":1632},"97dDukjKsRsAptpHV1kpn",[],{"nodeType":1635,"data":2210,"content":2211},{},[2212,2217,2223,2228],{"nodeType":1639,"value":2213,"marks":2214,"data":2216},"The key insight is that every extension you don't ",[2215],{"type":1708},{},{"nodeType":1639,"value":2218,"marks":2219,"data":2222},"really ",[2220,2221],{"type":1708},{"type":273},{},{"nodeType":1639,"value":2224,"marks":2225,"data":2227},"need, but haven't blocked, is attack surface that exists for no business reason. ",[2226],{"type":1708},{},{"nodeType":1639,"value":2229,"marks":2230,"data":2231},"Most organizations are surprised by how many of the extensions in their environment are unused, forgotten, or have readily available alternatives. Reducing the population of installed extensions to only the ones that serve a genuine work purpose is the single most effective thing you can do — and it doesn't require a risk score to accomplish.",[],{},{"nodeType":1815,"data":2233,"content":2234},{},[2235],{"nodeType":1639,"value":2236,"marks":2237,"data":2238},"Monitor for changes that indicate weaponization",[],{},{"nodeType":1635,"data":2240,"content":2241},{},[2242],{"nodeType":1639,"value":2243,"marks":2244,"data":2245},"Once you have a controlled baseline, the risk shifts from unmanaged installations (those are blocked) to changes in the extensions you've already approved. These are the signals that map to real-world attack patterns and serve as leading indicators of weaponization:",[],{},{"nodeType":1726,"data":2247,"content":2248},{},[2249,2294,2309,2324,2339],{"nodeType":1730,"data":2250,"content":2251},{},[2252],{"nodeType":1635,"data":2253,"content":2254},{},[2255,2260,2264,2273,2278,2282,2290],{"nodeType":1639,"value":2256,"marks":2257,"data":2259},"Ownership changes",[2258],{"type":1708},{},{"nodeType":1639,"value":2261,"marks":2262,"data":2263}," — an extension changing hands is one of the most reliable precursors to supply chain compromise, as demonstrated by the ",[],{},{"nodeType":1644,"data":2265,"content":2267},{"uri":2266},"https://thehackernews.com/2026/03/chrome-extension-turns-malicious-after.html",[2268],{"nodeType":1639,"value":2269,"marks":2270,"data":2272},"QuickLens and ShotBird attack",[2271],{"type":1652},{},{"nodeType":1639,"value":2274,"marks":2275,"data":2277},"s",[2276],{"type":1652},{},{"nodeType":1639,"value":2279,"marks":2280,"data":2281}," and the acquired-extension clusters documented by ",[],{},{"nodeType":1644,"data":2283,"content":2284},{"uri":1752},[2285],{"nodeType":1639,"value":2286,"marks":2287,"data":2289},"GitLab",[2288],{"type":1652},{},{"nodeType":1639,"value":2291,"marks":2292,"data":2293},".",[],{},{"nodeType":1730,"data":2295,"content":2296},{},[2297],{"nodeType":1635,"data":2298,"content":2299},{},[2300,2305],{"nodeType":1639,"value":2301,"marks":2302,"data":2304},"Developer contact information changes",[2303],{"type":1708},{},{"nodeType":1639,"value":2306,"marks":2307,"data":2308}," — often an early indicator that an extension has been sold or that a developer account has been taken over.",[],{},{"nodeType":1730,"data":2310,"content":2311},{},[2312],{"nodeType":1635,"data":2313,"content":2314},{},[2315,2320],{"nodeType":1639,"value":2316,"marks":2317,"data":2319},"Permission escalations in updates",[2318],{"type":1708},{},{"nodeType":1639,"value":2321,"marks":2322,"data":2323}," — a previously-scoped extension suddenly requesting broad host permissions or cookie access.",[],{},{"nodeType":1730,"data":2325,"content":2326},{},[2327],{"nodeType":1635,"data":2328,"content":2329},{},[2330,2335],{"nodeType":1639,"value":2331,"marks":2332,"data":2334},"Delisting from the web store",[2333],{"type":1708},{},{"nodeType":1639,"value":2336,"marks":2337,"data":2338}," — can indicate that the store's review process has caught something, or that the developer has abandoned the extension.",[],{},{"nodeType":1730,"data":2340,"content":2341},{},[2342],{"nodeType":1635,"data":2343,"content":2344},{},[2345,2350,2354,2362,2367],{"nodeType":1639,"value":2346,"marks":2347,"data":2349},"Known malicious classification",[2348],{"type":1708},{},{"nodeType":1639,"value":2351,"marks":2352,"data":2353}," — when an extension is confirmed as weaponized or linked to an active campaign through threat intelligence. (",[],{},{"nodeType":1644,"data":2355,"content":2356},{"uri":2192},[2357],{"nodeType":1639,"value":2358,"marks":2359,"data":2361},"Push blocks known-bad extensions automaticall",[2360],{"type":1652},{},{"nodeType":1639,"value":2363,"marks":2364,"data":2366},"y",[2365],{"type":1652},{},{"nodeType":1639,"value":2368,"marks":2369,"data":2370},").",[],{},{"nodeType":1626,"data":2372,"content":2376},{"target":2373},{"sys":2374},{"id":2375,"type":1631,"linkType":1632},"4PWyOD92E549plkeNH1DxO",[],{"nodeType":1635,"data":2378,"content":2379},{},[2380],{"nodeType":1639,"value":2381,"marks":2382,"data":2383},"To make this concrete: Push emits structured events via webhook whenever extension metadata changes that captures all of the variables above. These these can be fed directly into your SIEM or SOAR workflows, making it easy for security teams to detect when a meaningful change occurs. An ownership change on its own warrants investigation; an ownership change paired with a new version and added permissions warrants an immediate block pending review.",[],{},{"nodeType":1635,"data":2385,"content":2386},{},[2387],{"nodeType":1639,"value":2388,"marks":2389,"data":2390},"Push detects these changes in real time and can automatically block an extension when a meaningful risk indicator fires, before the damage propagates. This is fundamentally different from a periodic risk score: rather than attempting to predict which extensions might go bad based on static attributes, Push monitors for the specific events that precede or accompany weaponization in the attacks we've actually observed.",[],{},{"nodeType":1697,"data":2392,"content":2393},{},[],{"nodeType":1701,"data":2395,"content":2396},{},[2397],{"nodeType":1639,"value":2398,"marks":2399,"data":2401},"The bottom line",[2400],{"type":1708},{},{"nodeType":1635,"data":2403,"content":2404},{},[2405],{"nodeType":1639,"value":2406,"marks":2407,"data":2408},"Traditional extension risk scores — based on permissions, store metadata, code analysis, and developer reputation — are poor predictors of which extensions will actually compromise you. The extensions involved in the major breaches of the past 18 months consistently scored as normal or low-risk right up until the moment they were weaponized. If your extension management strategy is built around \"identify the riskiest extensions and remove them,\" the extension that gets you is the one that wasn't on the list.",[],{},{"nodeType":1635,"data":2410,"content":2411},{},[2412,2416,2425],{"nodeType":1639,"value":2413,"marks":2414,"data":2415},"Browser extensions are software. They're third-party code running with significant privilege inside the browser, capable of reading and modifying page content, accessing cookies and session tokens, and interacting with virtually every web application your employees use. Like any other software dependency — ",[],{},{"nodeType":1644,"data":2417,"content":2419},{"uri":2418},"https://pushsecurity.com/blog/unpacking-the-vercel-breach/",[2420],{"nodeType":1639,"value":2421,"marks":2422,"data":2424},"OAuth integrations",[2423],{"type":1652},{},{"nodeType":1639,"value":2426,"marks":2427,"data":2428}," being another relevant recent example in public breaches — each one expands your attack surface. ",[],{},{"nodeType":1635,"data":2430,"content":2431},{},[2432],{"nodeType":1639,"value":2433,"marks":2434,"data":2435},"The principles behind managing browser extensions need to be the same as any other software — default-deny, build an allowlist, monitor and maintain that allowlist. This might trigger some PTSD for security teams, but it shouldn’t. On the endpoint, application allowlisting has always been operationally painful — diverse workflows, unpredictable application needs, and the overhead of vetting every binary made it impractical for most organizations outside of high-security environments. In the browser, it’s not that serious. You’re not going to brick an endpoint by blocking a third-party browser extension. ",[],{},{"nodeType":1635,"data":2437,"content":2438},{},[2439],{"nodeType":1639,"value":2440,"marks":2441,"data":2443},"The browser is one of the few environments where an allowlisting approach is both technically feasible and operationally lightweight: use it to your advantage. ",[2442],{"type":1708},{},{"nodeType":1697,"data":2445,"content":2446},{},[],{"nodeType":1635,"data":2448,"content":2449},{},[2450,2454,2462],{"nodeType":1639,"value":2451,"marks":2452,"data":2453},"Push detects and blocks malicious browser extensions, and gives security teams the controls to ",[],{},{"nodeType":1644,"data":2455,"content":2456},{"uri":2192},[2457],{"nodeType":1639,"value":2458,"marks":2459,"data":2461},"enforce an extension allowlist and monitor for risky changes",[2460],{"type":1652},{},{"nodeType":1639,"value":2463,"marks":2464,"data":2465}," across every browser in the environment. Combined with protection against AiTM phishing, ClickFix attacks, session hijacking, and stolen credentials — plus proactive hardening for ghost logins, SSO coverage gaps, MFA gaps, and vulnerable passwords — Push provides browser-native visibility and control where it matters most.",[],{},{"nodeType":1635,"data":2467,"content":2468},{},[2469,2473,2481,2484,2492,2496,2504],{"nodeType":1639,"value":2470,"marks":2471,"data":2472},"To learn more about Push, ",[],{},{"nodeType":1644,"data":2474,"content":2476},{"uri":2475},"https://pushsecurity.com/resources/product-brochure",[2477],{"nodeType":1639,"value":2478,"marks":2479,"data":2480},"check out our latest product overview",[],{},{"nodeType":1639,"value":1655,"marks":2482,"data":2483},[],{},{"nodeType":1644,"data":2485,"content":2487},{"uri":2486},"https://pushsecurity.com/product-demo/",[2488],{"nodeType":1639,"value":2489,"marks":2490,"data":2491},"view our demo library",[],{},{"nodeType":1639,"value":2493,"marks":2494,"data":2495},", or ",[],{},{"nodeType":1644,"data":2497,"content":2499},{"uri":2498},"https://pushsecurity.com/demo",[2500],{"nodeType":1639,"value":2501,"marks":2502,"data":2503},"book some time with one of our team for a live demo",[],{},{"nodeType":1639,"value":2291,"marks":2505,"data":2506},[],{},{"entries":2508},{"hyperlink":2509,"inline":2510,"block":2511},[],[],[2512,2539,2565,2591,2599],{"sys":2513,"__typename":2514,"content":2515,"name":2538,"title":61},{"id":1630},"InsightTextBlockComponent",{"json":2516},{"data":2517,"content":2518,"nodeType":1622},{},[2519,2531],{"data":2520,"content":2521,"nodeType":1635},{},[2522,2527],{"data":2523,"marks":2524,"value":2526,"nodeType":1639},{},[2525],{"type":1708},"TL;DR:",{"data":2528,"marks":2529,"value":2530,"nodeType":1639},{},[]," Traditional extension risk scores — based on data like permissions, store metadata, code analysis, and developer reputation — are poor predictors of which extensions will actually lead to a compromise. The extensions behind every major breach of the past 18 months scored as normal or low-risk beforehand. ",{"data":2532,"content":2533,"nodeType":1635},{},[2534],{"data":2535,"marks":2536,"value":2537,"nodeType":1639},{},[],"If your strategy is \"remove the highest-risk extensions,\" you're optimizing for the wrong question. The more effective approach is to implement an allowlist, block the rest, and monitor the approved set for the changes — like ownership transfers and permission escalations — that actually precede real-world attacks. ","Browser extension risk scoring IB1",{"sys":2540,"__typename":2514,"content":2541,"name":2564,"title":61},{"id":2034},{"json":2542},{"nodeType":1622,"data":2543,"content":2544},{},[2545],{"nodeType":1635,"data":2546,"content":2547},{},[2548,2552,2560],{"nodeType":1639,"value":2549,"marks":2550,"data":2551},"Extensions compromised in the broader campaign impacting Cyberhaven had been legitimate, well-maintained tools with strong developer reputations before the developer accounts were phished. Likewise, the ",[],{},{"nodeType":1644,"data":2553,"content":2554},{"uri":2266},[2555],{"nodeType":1639,"value":2556,"marks":2557,"data":2559},"QuickLens and ShotBird ownership transfer attacks",[2558],{"type":1652},{},{"nodeType":1639,"value":2561,"marks":2562,"data":2563}," in March 2026 involved extensions acquired through a legitimate marketplace, with malicious code introduced after the sale. Developer reputation at time of installation told you nothing about the developer at time of attack. ",[],{},"Browser extension risk scoring IB2",{"sys":2566,"__typename":2514,"content":2567,"name":2590,"title":61},{"id":2091},{"json":2568},{"nodeType":1622,"data":2569,"content":2570},{},[2571],{"nodeType":1635,"data":2572,"content":2573},{},[2574,2578,2586],{"nodeType":1639,"value":2575,"marks":2576,"data":2577},"These are not outlier techniques. Across the major campaigns documented since late 2024 — including the 108-extension campaign ",[],{},{"nodeType":1644,"data":2579,"content":2581},{"uri":2580},"https://thehackernews.com/2026/04/108-malicious-chrome-extensions-steal.html",[2582],{"nodeType":1639,"value":2583,"marks":2584,"data":2585},"discovered in April 2026 ",[],{},{"nodeType":1639,"value":2587,"marks":2588,"data":2589},"— some combination of dynamically loaded payloads, conditional execution, time-delayed activation, and base64-encoded endpoints has been present in virtually every case. If these techniques are bypassing Google's own review infrastructure, which has both the scale and the incentive to detect them, they will bypass third-party code analysis tools as well.",[],{},"Browser extension risk scoring IB3",{"sys":2592,"__typename":1391,"title":2593,"caption":2594,"layoutMode":61,"file":2595},{"id":2207},"This extension is not approved for business use","Employees will see a customizable block screen when trying to use extensions that are not approved.",{"url":2596,"width":2597,"height":2598},"https://images.ctfassets.net/y1cdw1ablpvd/2hFpE2X60adttS6vAtyUIO/963e14eb2899163f583e7342db3f0650/image5.png",1440,744,{"sys":2600,"__typename":1391,"title":2601,"caption":2601,"layoutMode":61,"file":2602},{"id":2375},"Push automatically blocks known-bad browser extensions.",{"url":2603,"width":2604,"height":2605},"https://images.ctfassets.net/y1cdw1ablpvd/31TgJEkYVua0s5ecwgQPmM/efb0a7048f9ecc9eacf2e29b7b2233bc/image1.png",1433,810,"json",{},"Why browser extension risk scoring won’t predict a breach","2026-04-29T00:00:00.000Z",{"items":2611},[2612,3388,4640],{"__typename":2613,"sys":2614,"content":2616,"title":3370,"synopsis":3371,"hashTags":61,"publishedDate":3372,"slug":3373,"tagsCollection":3374,"authorsCollection":3384},"BlogPosts",{"id":2615},"Lq2AFQ8VG2rMEe4h2CYuH",{"json":2617},{"nodeType":1622,"data":2618,"content":2619},{},[2620,2648,2681,2688,2694,2697,2705,2712,2718,2737,2744,2752,2772,2788,2795,2802,2805,2813,2820,2827,2890,2897,2903,2911,2923,2930,2937,2943,2951,2958,2965,2972,2979,2985,2993,3000,3087,3093,3096,3104,3111,3127,3134,3141,3147,3167,3170,3178,3185,3191,3209,3216,3223,3229,3232,3240,3247,3254,3260,3267,3273,3279,3304,3310,3322,3329,3336],{"nodeType":1635,"data":2621,"content":2622},{},[2623,2627,2636,2640,2645],{"nodeType":1639,"value":2624,"marks":2625,"data":2626},"This week, a user going by the name of “ShinyHunters” (though allegedly not ",[],{},{"nodeType":1644,"data":2628,"content":2630},{"uri":2629},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[2631],{"nodeType":1639,"value":2632,"marks":2633,"data":2635},"actual ShinyHunters",[2634],{"type":1652},{},{"nodeType":1639,"value":2637,"marks":2638,"data":2639},", but someone imitating them in an attempt to trade off their credibility) posted on a breach forum claiming access keys, source code, and database data stolen from cloud development platform provider ",[],{},{"nodeType":1639,"value":2641,"marks":2642,"data":2644},"Vercel",[2643],{"type":1708},{},{"nodeType":1639,"value":1851,"marks":2646,"data":2647},[],{},{"nodeType":1635,"data":2649,"content":2650},{},[2651,2655,2664,2668,2677],{"nodeType":1639,"value":2652,"marks":2653,"data":2654},"This happened because a Vercel employee had connected an AI app, Context.ai, into their Google Workspace tenant. When Context.ai was compromised — ",[],{},{"nodeType":1644,"data":2656,"content":2658},{"uri":2657},"https://www.infostealers.com/article/breaking-vercel-breach-linked-to-infostealer-infection-at-context-ai/",[2659],{"nodeType":1639,"value":2660,"marks":2661,"data":2663},"allegedly the result of an infostealer infection from an employee searching for Roblox cheats",[2662],{"type":1652},{},{"nodeType":1639,"value":2665,"marks":2666,"data":2667}," — the attacker was able to leverage OAuth tokens stored in Context.ai’s Supabase platform to access downstream customer accounts (pointing to a heavily permissioned victim, probably a developer, possibly even a ",[],{},{"nodeType":1644,"data":2669,"content":2671},{"uri":2670},"https://pushsecurity.com/blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches/",[2672],{"nodeType":1639,"value":2673,"marks":2674,"data":2676},"personal device with access to corp credentials",[2675],{"type":1652},{},{"nodeType":1639,"value":2678,"marks":2679,"data":2680},"). ",[],{},{"nodeType":1635,"data":2682,"content":2683},{},[2684],{"nodeType":1639,"value":2685,"marks":2686,"data":2687},"This access included a Vercel employee’s Google Workspace account. This particular user had significant access to data and secrets in Vercel’s systems, including internal dashboards, employee records, API keys, NPM tokens, and GitHub tokens, which the attacker was able to exfiltrate, holding Vercel to ransom for $2 million. ",[],{},{"nodeType":1626,"data":2689,"content":2693},{"target":2690},{"sys":2691},{"id":2692,"type":1631,"linkType":1632},"6Ft8aSnzfYVZ7j57mYeXgQ",[],{"nodeType":1697,"data":2695,"content":2696},{},[],{"nodeType":1701,"data":2698,"content":2699},{},[2700],{"nodeType":1639,"value":2701,"marks":2702,"data":2704},"How did this happen, and what could have stopped it?",[2703],{"type":1708},{},{"nodeType":1635,"data":2706,"content":2707},{},[2708],{"nodeType":1639,"value":2709,"marks":2710,"data":2711},"From Vercel’s perspective, this attack could have been avoided had their employees been blocked from adding new OAuth integrations without admin approval (a toggle in their Google admin panel, and an essential control in a well-configured environment). Or, if the integration had been flagged in a routine audit and removed. ",[],{},{"nodeType":1626,"data":2713,"content":2717},{"target":2714},{"sys":2715},{"id":2716,"type":1631,"linkType":1632},"b5HFvY1m6RnuXL3a95jVt",[],{"nodeType":1635,"data":2719,"content":2720},{},[2721,2725,2733],{"nodeType":1639,"value":2722,"marks":2723,"data":2724},"It probably should have been removed, too. The particular OAuth app that was connected into the environment was a deprecated “AI Office Suite” product intended for consumer use. ",[],{},{"nodeType":1644,"data":2726,"content":2728},{"uri":2727},"https://context.ai/security-update",[2729],{"nodeType":1639,"value":2730,"marks":2731,"data":2732},"According to Context.ai",[],{},{"nodeType":1639,"value":2734,"marks":2735,"data":2736},", Vercel aren’t even a registered customer — adding more evidence that this was probably the result of a self-service trial that was subsequently forgotten about. That consumer product has also since been replaced by an enterprise product. But for whatever reason, the access hadn’t been revoked (from either side). ",[],{},{"nodeType":1635,"data":2738,"content":2739},{},[2740],{"nodeType":1639,"value":2741,"marks":2742,"data":2743},"The elephant in the room is that Context.ai is an AI app. Most organizations are rightly nervous about employees adding unapproved AI SaaS into their environment. Having employees use shadow AI in the form of LLMs is one thing — users uploading sensitive data to unapproved apps or external tenants being the key concern. But OAuth grants are even more dangerous. Because if that app or vendor is compromised, the apps and accounts you’ve integrated it with are also at risk — which is what was exploited here. ",[],{},{"nodeType":1815,"data":2745,"content":2746},{},[2747],{"nodeType":1639,"value":2748,"marks":2749,"data":2751},"Where’s the fault?",[2750],{"type":1708},{},{"nodeType":1635,"data":2753,"content":2754},{},[2755,2759,2768],{"nodeType":1639,"value":2756,"marks":2757,"data":2758},"It’s easy to point fingers here. There are multiple control gaps and failures for both parties. Vercel should have disabled OAuth grants without admin approval, and regularly audited the connections in their environment. From a vendor's perspective, they could have also default applied a control that ",[],{},{"nodeType":1644,"data":2760,"content":2762},{"uri":2761},"https://vercel.com/kb/bulletin/vercel-april-2026-security-incident",[2763],{"nodeType":1639,"value":2764,"marks":2765,"data":2767},"prevents secret environment variables from being read",[2766],{"type":1652},{},{"nodeType":1639,"value":2769,"marks":2770,"data":2771}," — which would have significantly reduced the impact to Vercel customers from the data breach. ",[],{},{"nodeType":1635,"data":2773,"content":2774},{},[2775,2779,2784],{"nodeType":1639,"value":2776,"marks":2777,"data":2778},"Context.ai comes off worse. They could and should have had better separation of accounts and privileges — and if true, their users really shouldn’t be downloading Roblox scripts on devices they use for work access. It’s important to say ",[],{},{"nodeType":1639,"value":2780,"marks":2781,"data":2783},"if true",[2782],{"type":273},{},{"nodeType":1639,"value":2785,"marks":2786,"data":2787}," here, but the prospect of third parties accessing your environment from insecure devices that they use for gaming is the stuff of nightmares for enterprise security and compliance teams.",[],{},{"nodeType":1635,"data":2789,"content":2790},{},[2791],{"nodeType":1639,"value":2792,"marks":2793,"data":2794},"You definitely don’t want to be Context.ai in this scenario. The reputational harm could be pretty significant, and is a wake-up call for other SaaS vendors to check that their house is in order. But although Vercel have responded quickly and transparently to the incident, this could only really have happened as a result of technical and procedural control gaps on their end.",[],{},{"nodeType":1635,"data":2796,"content":2797},{},[2798],{"nodeType":1639,"value":2799,"marks":2800,"data":2801},"It’s worth taking a step back and looking at the bigger picture here — and how these issues might impact your organization too. ",[],{},{"nodeType":1697,"data":2803,"content":2804},{},[],{"nodeType":1701,"data":2806,"content":2807},{},[2808],{"nodeType":1639,"value":2809,"marks":2810,"data":2812},"Shadow AI is still just shadow SaaS – but the AI scramble is a force multiplier",[2811],{"type":1708},{},{"nodeType":1635,"data":2814,"content":2815},{},[2816],{"nodeType":1639,"value":2817,"marks":2818,"data":2819},"Shadow IT, and in particular shadow SaaS, is not a new problem. Most organizations run heavily (or exclusively) on SaaS, accessed in the browser, with hundreds of apps per enterprise. Unmanaged, self-adopted apps have been a thorn in the side of security teams for some time. ",[],{},{"nodeType":1635,"data":2821,"content":2822},{},[2823],{"nodeType":1639,"value":2824,"marks":2825,"data":2826},"There are essentially four kinds of shadow IT to be wary of in the context of AI apps:",[],{},{"nodeType":1726,"data":2828,"content":2829},{},[2830,2845,2860,2875],{"nodeType":1730,"data":2831,"content":2832},{},[2833],{"nodeType":1635,"data":2834,"content":2835},{},[2836,2841],{"nodeType":1639,"value":2837,"marks":2838,"data":2840},"Shadow apps:",[2839],{"type":1708},{},{"nodeType":1639,"value":2842,"marks":2843,"data":2844}," Apps that employees have signed up to and are using for business purposes without business approval. This includes apps signed up to with a corporate account or personal account. ",[],{},{"nodeType":1730,"data":2846,"content":2847},{},[2848],{"nodeType":1635,"data":2849,"content":2850},{},[2851,2856],{"nodeType":1639,"value":2852,"marks":2853,"data":2855},"Shadow tenants:",[2854],{"type":1708},{},{"nodeType":1639,"value":2857,"marks":2858,"data":2859}," Apps that employees are accessing with personal accounts, essentially creating shadow tenants outside of your organization’s control — even if you’ve approved the app itself.",[],{},{"nodeType":1730,"data":2861,"content":2862},{},[2863],{"nodeType":1635,"data":2864,"content":2865},{},[2866,2871],{"nodeType":1639,"value":2867,"marks":2868,"data":2870},"Shadow extensions:",[2869],{"type":1708},{},{"nodeType":1639,"value":2872,"marks":2873,"data":2874}," Many AI apps come with an extension counterpart, along with countless third-party extensions that are either untrustworthy or downright malicious. Browser extensions add another angle to the equation by presenting visibility beyond the application into browser activity. ",[],{},{"nodeType":1730,"data":2876,"content":2877},{},[2878],{"nodeType":1635,"data":2879,"content":2880},{},[2881,2886],{"nodeType":1639,"value":2882,"marks":2883,"data":2885},"Shadow integrations:",[2884],{"type":1708},{},{"nodeType":1639,"value":2887,"marks":2888,"data":2889}," OAuth connections across apps that aren’t known or approved. Even if an app itself is approved, plugging that app directly into your primary enterprise apps — with all the sensitive data and functionality therein — isn't necessarily also approved.  ",[],{},{"nodeType":1635,"data":2891,"content":2892},{},[2893],{"nodeType":1639,"value":2894,"marks":2895,"data":2896},"In the Vercel case, we’re talking specifically about shadow integrations. But all of these present a key risk to your organization. ",[],{},{"nodeType":1626,"data":2898,"content":2902},{"target":2899},{"sys":2900},{"id":2901,"type":1631,"linkType":1632},"2hsKQ9DEspflhmtR0bE7QY",[],{"nodeType":1815,"data":2904,"content":2905},{},[2906],{"nodeType":1639,"value":2907,"marks":2908,"data":2910},"The web of OAuth sprawl spans way beyond Google and Microsoft ",[2909],{"type":1708},{},{"nodeType":1635,"data":2912,"content":2913},{},[2914,2919],{"nodeType":1639,"value":2915,"marks":2916,"data":2918},"On average we see 17 unique AI app integrations per organization in Microsoft and Google alone",[2917],{"type":1708},{},{"nodeType":1639,"value":2920,"marks":2921,"data":2922},". If you consider that most organizations have probably approved 1 or 2 max for business use, and may have approved none at all for app-to-app OAuth connectivity, that’s quite a significant difference. ",[],{},{"nodeType":1635,"data":2924,"content":2925},{},[2926],{"nodeType":1639,"value":2927,"marks":2928,"data":2929},"The number of connections outside of these core platforms is significantly higher. Just think how the typical AI app operates. If you want it to be able to effectively automate workflows — pull data from one app, aggregate and analyze it in another, present that information in a report, dashboard, or presentation, and then distribute it — that’s a fair few integrations in just one workflow. MCP connections use OAuth to achieve this interconnectivity in the same way as any other SaaS app.",[],{},{"nodeType":1635,"data":2931,"content":2932},{},[2933],{"nodeType":1639,"value":2934,"marks":2935,"data":2936},"We used to talk about automation apps like Zapier as being a goldmine for attackers. Well, AI apps are on their way to being even more interconnected, more frequently used, and more flexible in terms of how attackers can abuse them. ",[],{},{"nodeType":1626,"data":2938,"content":2942},{"target":2939},{"sys":2940},{"id":2941,"type":1631,"linkType":1632},"4FiWyVw7mpVBA5uBVJoOKL",[],{"nodeType":1815,"data":2944,"content":2945},{},[2946],{"nodeType":1639,"value":2947,"marks":2948,"data":2950},"A note on OAuth configuration complexity",[2949],{"type":1708},{},{"nodeType":1635,"data":2952,"content":2953},{},[2954],{"nodeType":1639,"value":2955,"marks":2956,"data":2957},"A common misconception is that when a regular user consents to an OAuth app (let's use Google Workspace as the example) the app only gets access to the things they can directly access. Technically that's true — the access is scoped to that user's permissions. But in practice, the blast radius is almost always bigger than people think.",[],{},{"nodeType":1635,"data":2959,"content":2960},{},[2961],{"nodeType":1639,"value":2962,"marks":2963,"data":2964},"The scope includes shared drives, shared calendars, documents shared with them, and any other collaborative resources. A single well-permissioned user (think: developer with access to secrets, dashboards, and internal tooling) is more than enough to cause serious damage through a single OAuth grant. ",[],{},{"nodeType":1635,"data":2966,"content":2967},{},[2968],{"nodeType":1639,"value":2969,"marks":2970,"data":2971},"The scopes themselves are often deceptively broad. An app requesting https://www.googleapis.com/auth/drive gets full read/write access to everything the user can see in Drive — not just their personal files. And the blast radius is further contingent on the data and user permission hygiene in these broader environments. ",[],{},{"nodeType":1635,"data":2973,"content":2974},{},[2975],{"nodeType":1639,"value":2976,"marks":2977,"data":2978},"So if your environment hasn't got cleanly separated access and permissions for different users and groups, an attacker compromising a \"normal\" user account can end up with extensive access. You don't need tenant-wide admin access when a normal user's access already spans the crown jewels.",[],{},{"nodeType":1626,"data":2980,"content":2984},{"target":2981},{"sys":2982},{"id":2983,"type":1631,"linkType":1632},"2t81AnAHx2On3fBynM4vVe",[],{"nodeType":1815,"data":2986,"content":2987},{},[2988],{"nodeType":1639,"value":2989,"marks":2990,"data":2992},"Unsurprisingly, OAuth breaches are stacking up",[2991],{"type":1708},{},{"nodeType":1635,"data":2994,"content":2995},{},[2996],{"nodeType":1639,"value":2997,"marks":2998,"data":2999},"Widespread OAuth interconnectedness isn’t just an AI app problem. Attackers have been exploiting this for some time:",[],{},{"nodeType":1726,"data":3001,"content":3002},{},[3003,3051],{"nodeType":1730,"data":3004,"content":3005},{},[3006],{"nodeType":1635,"data":3007,"content":3008},{},[3009,3013,3021,3025,3034,3038,3047],{"nodeType":1639,"value":3010,"marks":3011,"data":3012},"In 2025, ",[],{},{"nodeType":1644,"data":3014,"content":3015},{"uri":2629},[3016],{"nodeType":1639,"value":3017,"marks":3018,"data":3020},"Scattered Lapsus$ Hunters",[3019],{"type":1652},{},{"nodeType":1639,"value":3022,"marks":3023,"data":3024}," launched OAuth-driven supply chain attacks against Salesforce and Google Workspace tenants after breaching Salesloft (specifically the ",[],{},{"nodeType":1644,"data":3026,"content":3028},{"uri":3027},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[3029],{"nodeType":1639,"value":3030,"marks":3031,"data":3033},"Salesloft Drift",[3032],{"type":1652},{},{"nodeType":1639,"value":3035,"marks":3036,"data":3037}," platform) and ",[],{},{"nodeType":1644,"data":3039,"content":3041},{"uri":3040},"https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/",[3042],{"nodeType":1639,"value":3043,"marks":3044,"data":3046},"Gainsight",[3045],{"type":1652},{},{"nodeType":1639,"value":3048,"marks":3049,"data":3050},". In total, over 1000 organizations were impacted, including Google, Cloudflare, Rubrik, Elastic, Proofpoint, JFrog, Zscaler, Tenable, Palo Alto Networks, CyberArk, BeyondTrust, Qualys, and many more, with over 1.5B records stolen. ",[],{},{"nodeType":1730,"data":3052,"content":3053},{},[3054],{"nodeType":1635,"data":3055,"content":3056},{},[3057,3061,3070,3074,3083],{"nodeType":1639,"value":3058,"marks":3059,"data":3060},"More recently, Snowflake customers were impacted after a ",[],{},{"nodeType":1644,"data":3062,"content":3064},{"uri":3063},"https://www.bleepingcomputer.com/news/security/snowflake-customers-hit-in-data-theft-attacks-after-saas-integrator-breach/",[3065],{"nodeType":1639,"value":3066,"marks":3067,"data":3069},"breach at data anomaly detection company Anodot",[3068],{"type":1652},{},{"nodeType":1639,"value":3071,"marks":3072,"data":3073}," where the attacker attempted to leverage the stolen authentication tokens to access Salesforce data, with ",[],{},{"nodeType":1644,"data":3075,"content":3077},{"uri":3076},"https://www.bleepingcomputer.com/news/security/stolen-rockstar-games-analytics-data-leaked-by-extortion-gang/",[3078],{"nodeType":1639,"value":3079,"marks":3080,"data":3082},"Rockstar",[3081],{"type":1652},{},{"nodeType":1639,"value":3084,"marks":3085,"data":3086}," a high-profile victim of the breach (again linked to Scattered Lapsus$ Hunters). ",[],{},{"nodeType":1626,"data":3088,"content":3092},{"target":3089},{"sys":3090},{"id":3091,"type":1631,"linkType":1632},"3oqoL9L3fxetFcIhnfQhMQ",[],{"nodeType":1697,"data":3094,"content":3095},{},[],{"nodeType":1701,"data":3097,"content":3098},{},[3099],{"nodeType":1639,"value":3100,"marks":3101,"data":3103},"Infostealers continue to drive corporate breaches",[3102],{"type":1708},{},{"nodeType":1635,"data":3105,"content":3106},{},[3107],{"nodeType":1639,"value":3108,"marks":3109,"data":3110},"While unverified, Hudson Rock’s case for an infostealer breach being the root cause of the Context.ai breach seems believable. Infostealer infections have been one of the leading security threats for some time, fuelling breaches powered by stolen credentials and session tokens.",[],{},{"nodeType":1635,"data":3112,"content":3113},{},[3114,3118,3123],{"nodeType":1639,"value":3115,"marks":3116,"data":3117},"With the assumed rise in MFA coverage, it’s often surprising to security teams that stolen credentials are still a problem. ",[],{},{"nodeType":1639,"value":3119,"marks":3120,"data":3122},"But of the last million logins we saw, 1 in 4 were password logins (not SSO), 2 in 5 were not protected by MFA, and 1 in 5 used a weak, breached, or reused password. ",[3121],{"type":1708},{},{"nodeType":1639,"value":3124,"marks":3125,"data":3126},"Plenty of scope for abuse. ",[],{},{"nodeType":1635,"data":3128,"content":3129},{},[3130],{"nodeType":1639,"value":3131,"marks":3132,"data":3133},"Stolen session tokens are even more valuable to attackers, enabling them to bypass authentication controls by replaying the token in their own browser. In theory, they should only be valid for a limited timeframe, but in practice this can be as many as 90 days, and sometimes indefinite. ",[],{},{"nodeType":1635,"data":3135,"content":3136},{},[3137],{"nodeType":1639,"value":3138,"marks":3139,"data":3140},"In this case, it seems likely that the compromised device was a developer machine (given the access to Supabase), or potentially even a personal device (given they were installing Roblox cheats…). This is relevant because these personal, developer, and BYOD machines are often less secure — developer machines are often exempt from EDR monitoring or significantly tuned-down (too noisy), while personal devices naturally lack enterprise security software.",[],{},{"nodeType":1626,"data":3142,"content":3146},{"target":3143},{"sys":3144},{"id":3145,"type":1631,"linkType":1632},"139oaGgwRKZbwJzyex9LA5",[],{"nodeType":1635,"data":3148,"content":3149},{},[3150,3154,3163],{"nodeType":1639,"value":3151,"marks":3152,"data":3153},"We’ve also seen an uptick in developer-oriented phishing and malvertising campaigns. The ",[],{},{"nodeType":1644,"data":3155,"content":3157},{"uri":3156},"https://pushsecurity.com/blog/installfix/",[3158],{"nodeType":1639,"value":3159,"marks":3160,"data":3162},"InstallFix campaign",[3161],{"type":1652},{},{"nodeType":1639,"value":3164,"marks":3165,"data":3166}," we identified, intercepting users as they attempt to install AI tools like Claude Code and NotebookLM, is an example of this — and also another way that attackers are capitalizing on AI hype. ",[],{},{"nodeType":1697,"data":3168,"content":3169},{},[],{"nodeType":1701,"data":3171,"content":3172},{},[3173],{"nodeType":1639,"value":3174,"marks":3175,"data":3177},"Advice for security teams",[3176],{"type":1708},{},{"nodeType":1635,"data":3179,"content":3180},{},[3181],{"nodeType":1639,"value":3182,"marks":3183,"data":3184},"There are some immediate next steps that we’ll quickly summarize here, as they've already been covered in wider reporting. If you’re a Vercel customer, you should urgently rotate every credential stored as a non-sensitive variable that could have been exposed, enable the sensitive variable feature toggle, and monitor your account for anomalous activity. And if you’re using the specific Context.ai integration, you need to revoke it ASAP and begin a full audit of the connected accounts, both inside Workspace and broader connected apps (this isn’t that easy, as we’ll highlight in a moment). ",[],{},{"nodeType":1626,"data":3186,"content":3190},{"target":3187},{"sys":3188},{"id":3189,"type":1631,"linkType":1632},"76HViirkH2R4QAzWg605sv",[],{"nodeType":1635,"data":3192,"content":3193},{},[3194,3198,3206],{"nodeType":1639,"value":3195,"marks":3196,"data":3197},"Taking a step back, organizations really need to get their arms around OAuth integrations in their environment. A default-deny approach to allowing users to consent to new integrations, and routinely auditing the ones already in your environment to ensure they’re still definitely required, is essential. Each integration expands your attack surface and could potentially grant an attacker extensive access to your environment. This default-deny approach isn't exactly a new concept for security teams and is the same in principle as what we recently advised for ",[],{},{"nodeType":1644,"data":3199,"content":3200},{"uri":2192},[3201],{"nodeType":1639,"value":3202,"marks":3203,"data":3205},"browser extension management",[3204],{"type":1652},{},{"nodeType":1639,"value":1851,"marks":3207,"data":3208},[],{},{"nodeType":1635,"data":3210,"content":3211},{},[3212],{"nodeType":1639,"value":3213,"marks":3214,"data":3215},"This is fairly straightforward in your main enterprise cloud environment (think M365 or Google Workspace). But doing it across every SaaS app that allows some level of OAuth integration with another (i.e. every SaaS app) is somewhat harder. Not only do you need to have a comprehensive and up-to-date inventory, you need to be an app admin for every app (not always the case for self-adopted apps) and the particular app needs to give you the control to restrict and remove OAuth grants on behalf of users in your tenant. ",[],{},{"nodeType":1635,"data":3217,"content":3218},{},[3219],{"nodeType":1639,"value":3220,"marks":3221,"data":3222},"Again, this is not exclusively a Shadow AI problem, even if AI adoption is contributing significantly to the sprawl. ",[],{},{"nodeType":1626,"data":3224,"content":3228},{"target":3225},{"sys":3226},{"id":3227,"type":1631,"linkType":1632},"XKKHUiz56G82uwYhbv2Qv",[],{"nodeType":1697,"data":3230,"content":3231},{},[],{"nodeType":1701,"data":3233,"content":3234},{},[3235],{"nodeType":1639,"value":3236,"marks":3237,"data":3239},"How Push can help",[3238],{"type":1708},{},{"nodeType":1635,"data":3241,"content":3242},{},[3243],{"nodeType":1639,"value":3244,"marks":3245,"data":3246},"As we’ve established, there are quite a few pieces to this puzzle. Push can help with all of them. ",[],{},{"nodeType":1635,"data":3248,"content":3249},{},[3250],{"nodeType":1639,"value":3251,"marks":3252,"data":3253},"Push observes every app login your employees make in their browser, building a comprehensive picture of SaaS and AI use across your organization. This includes how they’re logging in and how secure the login is: did it have MFA, what kind of MFA, was it using a weak or compromised password, did they use SSO, and so on. ",[],{},{"nodeType":1626,"data":3255,"content":3259},{"target":3256},{"sys":3257},{"id":3258,"type":1631,"linkType":1632},"2B205bUaLm6vG8mIQ0rJvA",[],{"nodeType":1635,"data":3261,"content":3262},{},[3263],{"nodeType":1639,"value":3264,"marks":3265,"data":3266},"Push also tracks OAuth integrations in your environment and gives you the ability to manage and remove them in core environments like M365 and Google Workspace, providing a single platform for you to view, manage, and secure app use across your organization. ",[],{},{"nodeType":1626,"data":3268,"content":3272},{"target":3269},{"sys":3270},{"id":3271,"type":1631,"linkType":1632},"eEbdBUfyzZsdIOjFOXHpM",[],{"nodeType":1626,"data":3274,"content":3278},{"target":3275},{"sys":3276},{"id":3277,"type":1631,"linkType":1632},"1MTFxfROuGKxnkHQwWHe8K",[],{"nodeType":1635,"data":3280,"content":3281},{},[3282,3286,3291,3295,3300],{"nodeType":1639,"value":3283,"marks":3284,"data":3285},"This makes it easy to surface both vulnerabilities and possible control gaps, and do something about them. But where Push really excels is in the ability to observe and block OAuth connection requests ",[],{},{"nodeType":1639,"value":3287,"marks":3288,"data":3290},"even outside of your primary enterprise apps.",[3289],{"type":1708},{},{"nodeType":1639,"value":3292,"marks":3293,"data":3294}," Using Push, you can detect and block OAuth integration requests as they traverse the browser. This ",[],{},{"nodeType":1639,"value":3296,"marks":3297,"data":3299},"app-agnostic",[3298],{"type":1708},{},{"nodeType":1639,"value":3301,"marks":3302,"data":3303}," level of control is absolutely critical to halting OAuth integration sprawl. ",[],{},{"nodeType":1626,"data":3305,"content":3309},{"target":3306},{"sys":3307},{"id":3308,"type":1631,"linkType":1632},"2VZ4uw6MXslXME2ueydGuT",[],{"nodeType":1815,"data":3311,"content":3312},{},[3313,3317],{"nodeType":1639,"value":3314,"marks":3315,"data":3316},"And t",[],{},{"nodeType":1639,"value":3318,"marks":3319,"data":3321},"hat’s not all …",[3320],{"type":1708},{},{"nodeType":1635,"data":3323,"content":3324},{},[3325],{"nodeType":1639,"value":3326,"marks":3327,"data":3328},"Push’s browser-based security platform also detects and blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, device code phishing, ClickFix, and session hijacking in real time. This includes the most prominent infostealer delivery vectors in terms of malvertising and *Fix-style attacks. Push analyzes every web page in every browser session and tab for threats, in real time, with no latency. ",[],{},{"nodeType":1635,"data":3330,"content":3331},{},[3332],{"nodeType":1639,"value":3333,"marks":3334,"data":3335},"But as we've established, you don't need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your attack surface.",[],{},{"nodeType":1635,"data":3337,"content":3338},{},[3339,3342,3348,3351,3358,3361,3367],{"nodeType":1639,"value":2470,"marks":3340,"data":3341},[],{},{"nodeType":1644,"data":3343,"content":3344},{"uri":2475},[3345],{"nodeType":1639,"value":2478,"marks":3346,"data":3347},[],{},{"nodeType":1639,"value":1655,"marks":3349,"data":3350},[],{},{"nodeType":1644,"data":3352,"content":3353},{"uri":2486},[3354],{"nodeType":1639,"value":2489,"marks":3355,"data":3357},[3356],{"type":1652},{},{"nodeType":1639,"value":2493,"marks":3359,"data":3360},[],{},{"nodeType":1644,"data":3362,"content":3363},{"uri":2498},[3364],{"nodeType":1639,"value":2501,"marks":3365,"data":3366},[],{},{"nodeType":1639,"value":2291,"marks":3368,"data":3369},[],{},"Unpacking the Vercel breach: A cautionary tale for Shadow AI and OAuth sprawl","In April 2026, Vercel was compromised via an OAuth app integrated into their Google Workspace tenant stemming from a compromised third-party AI SaaS provider.","2026-04-23T00:00:00.000Z","unpacking-the-vercel-breach",{"items":3375},[3376,3380],{"sys":3377,"name":3379},{"id":3378},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":3381,"name":3383},{"id":3382},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":3385},[3386],{"fullName":1615,"firstName":1616,"jobTitle":1617,"profilePicture":3387},{"url":1619},{"__typename":2613,"sys":3389,"content":3391,"title":4620,"synopsis":4621,"hashTags":61,"publishedDate":4622,"slug":4623,"tagsCollection":4624,"authorsCollection":4632},{"id":3390},"6sprbTRpfnTJsP3mGR2gKa",{"json":3392},{"nodeType":1622,"data":3393,"content":3394},{},[3395,3402,3405,3412,3419,3452,3459,3462,3469,3489,3522,3529,3536,3539,3546,3553,3560,3583,3590,3597,3600,3607,3614,3621,3628,3635,3642,3649,3656,3663,3670,3703,3710,3717,3720,3727,3734,3740,3747,3780,3787,3790,3797,3804,3811,3834,3841,3848,3855,3862,3869,3876,3883,3890,3923,3966,3973,3980,3987,3994,4001,4008,4015,4063,4069,4089,4096,4129,4136,4142,4145,4152,4159,4166,4173,4180,4187,4194,4201,4208,4211,4218,4225,4232,4239,4259,4266,4273,4306,4313,4320,4327,4334,4341,4407,4410,4417,4424,4467,4470,4477,4484,4504,4511,4518,4525,4528,4535,4542,4549,4569,4576,4583,4590,4597,4604],{"nodeType":1635,"data":3396,"content":3397},{},[3398],{"nodeType":1639,"value":3399,"marks":3400,"data":3401},"Inline with what was targeted in this campaign, our focus here is on the extension deployment process. All browser vendors stand to benefit from greater security in this area — we hope that sharing what we’ve learned is useful, and look forward to comments and feedback so we can collectively reduce the scope for attacks on browser extensions in the future. ",[],{},{"nodeType":1697,"data":3403,"content":3404},{},[],{"nodeType":1701,"data":3406,"content":3407},{},[3408],{"nodeType":1639,"value":3409,"marks":3410,"data":3411},"TL;DR",[],{},{"nodeType":1635,"data":3413,"content":3414},{},[3415],{"nodeType":1639,"value":3416,"marks":3417,"data":3418},"In this blog, we’ll start with some background and walk through the “why” before discussing the key improvements that we feel are needed. But if you don’t care about the why or just want to cut to the chase, the key parts of defending against these attacks are:",[],{},{"nodeType":1726,"data":3420,"content":3421},{},[3422,3432,3442],{"nodeType":1730,"data":3423,"content":3424},{},[3425],{"nodeType":1635,"data":3426,"content":3427},{},[3428],{"nodeType":1639,"value":3429,"marks":3430,"data":3431},"Disable always-on access for all users to the browser extension store developer portals — you need to automate deployments through CI/CD to enable this.",[],{},{"nodeType":1730,"data":3433,"content":3434},{},[3435],{"nodeType":1635,"data":3436,"content":3437},{},[3438],{"nodeType":1639,"value":3439,"marks":3440,"data":3441},"Implement a multiparty approval process for extension deployments.",[],{},{"nodeType":1730,"data":3443,"content":3444},{},[3445],{"nodeType":1635,"data":3446,"content":3447},{},[3448],{"nodeType":1639,"value":3449,"marks":3450,"data":3451},"Secure your admin identities.",[],{},{"nodeType":1635,"data":3453,"content":3454},{},[3455],{"nodeType":1639,"value":3456,"marks":3457,"data":3458},"For details of how to do this practically, skip ahead to the “Recommended security architecture” section.",[],{},{"nodeType":1697,"data":3460,"content":3461},{},[],{"nodeType":1701,"data":3463,"content":3464},{},[3465],{"nodeType":1639,"value":3466,"marks":3467,"data":3468},"Background: The Cyberhaven incident",[],{},{"nodeType":1635,"data":3470,"content":3471},{},[3472,3476,3485],{"nodeType":1639,"value":3473,"marks":3474,"data":3475},"In December 2024, a campaign targeting browser extension developers was launched, and succeeded in compromising at least ",[],{},{"nodeType":1644,"data":3477,"content":3479},{"uri":3478},"https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/",[3480],{"nodeType":1639,"value":3481,"marks":3482,"data":3484},"35 Google Chrome extensions",[3483],{"type":1652},{},{"nodeType":1639,"value":3486,"marks":3487,"data":3488},". Cyberhaven’s extension was the most notable of these, and the campaign has inherited their name.",[],{},{"nodeType":1635,"data":3490,"content":3491},{},[3492,3496,3505,3509,3518],{"nodeType":1639,"value":3493,"marks":3494,"data":3495},"The campaign targeted extension devs through the support email address listed on the extension stores, but notably, the ",[],{},{"nodeType":1644,"data":3497,"content":3499},{"uri":3498},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/consent_phishing/description.md",[3500],{"nodeType":1639,"value":3501,"marks":3502,"data":3504},"consent phishing attack technique",[3503],{"type":1652},{},{"nodeType":1639,"value":3506,"marks":3507,"data":3508}," was used. While not a new technique, it has rarely been seen — especially given how powerful it is. Rather than a traditional credential and MFA phishing attacks which harvest credentials (or session tokens to bypass MFA), with consent phishing the attacker's goal is to trick the victim into granting them an OAuth token to perform actions on their behalf. In this case the permission or scope used by the attacker granted that token the ability to upload and publish new versions of the victim’s extension to the Chrome Web Store — which in this case included some backdoor code that executed commands that were dynamically configured by the attacker. For more in-depth information, see the ",[],{},{"nodeType":1644,"data":3510,"content":3512},{"uri":3511},"https://secureannex.com/blog/cyberhaven-extension-compromise/",[3513],{"nodeType":1639,"value":3514,"marks":3515,"data":3517},"excellent analysis",[3516],{"type":1652},{},{"nodeType":1639,"value":3519,"marks":3520,"data":3521}," by the Secure Annex team.",[],{},{"nodeType":1635,"data":3523,"content":3524},{},[3525],{"nodeType":1639,"value":3526,"marks":3527,"data":3528},"Because of the dynamic nature of the commands sent to backdoored extensions, it’s difficult to be sure what the impact was — but whatever the case was in this specific incident, it’s perhaps more useful to understand what the impact to users might be so we can work to mitigate future attacks.",[],{},{"nodeType":1635,"data":3530,"content":3531},{},[3532],{"nodeType":1639,"value":3533,"marks":3534,"data":3535},"The simple fact is that for most common extensions that operate across multiple sites (like ad-blockers etc.), using fairly typical permissions, a backdoor would likely be able to reach credentials and session tokens. This would mean an attacker could use a backdoored extension to get access to a user’s accounts on various websites. This poses a very high impact to users, and something that all extension developers should be focused on preventing. ",[],{},{"nodeType":1697,"data":3537,"content":3538},{},[],{"nodeType":1701,"data":3540,"content":3541},{},[3542],{"nodeType":1639,"value":3543,"marks":3544,"data":3545},"How do we stop the next iteration of this attack?",[],{},{"nodeType":1635,"data":3547,"content":3548},{},[3549],{"nodeType":1639,"value":3550,"marks":3551,"data":3552},"Given the value of the data, the relative ease with which this attack was performed (vs. for example something like a browser 0-day), and the success of the attack, it seems very likely this type of attack will happen again. As we saw in 2024, the success of the attacks on Snowflake customers gave rise to a huge increase in infostealer attacks. Attackers are quick to identify areas of potential opportunity and capitalize on them.",[],{},{"nodeType":1635,"data":3554,"content":3555},{},[3556],{"nodeType":1639,"value":3557,"marks":3558,"data":3559},"As an extension user, you should be mainly worried about one of two scenarios;",[],{},{"nodeType":1726,"data":3561,"content":3562},{},[3563,3573],{"nodeType":1730,"data":3564,"content":3565},{},[3566],{"nodeType":1635,"data":3567,"content":3568},{},[3569],{"nodeType":1639,"value":3570,"marks":3571,"data":3572},"The developer of the extension adds malicious code to an extension, they publish the update to the app store, your browser automatically updates, and malicious code runs in your browser",[],{},{"nodeType":1730,"data":3574,"content":3575},{},[3576],{"nodeType":1635,"data":3577,"content":3578},{},[3579],{"nodeType":1639,"value":3580,"marks":3581,"data":3582},"The developer of your extension is attacked, and the attacker gains access to publish an updated version of the extension to the app store, and uses this to push an update that includes their backdoor, your browser automatically updates, and malicious code runs in your browser",[],{},{"nodeType":1635,"data":3584,"content":3585},{},[3586],{"nodeType":1639,"value":3587,"marks":3588,"data":3589},"However, since we’re writing this for honest extension developers, and these attacks targeted the second scenario, that’s what we’ll be focussing on. ",[],{},{"nodeType":1635,"data":3591,"content":3592},{},[3593],{"nodeType":1639,"value":3594,"marks":3595,"data":3596},"The challenge then is to make sure that only legitimate developers can push updates to the extension store. Easy to say, harder to do in the real world.",[],{},{"nodeType":1697,"data":3598,"content":3599},{},[],{"nodeType":1701,"data":3601,"content":3602},{},[3603],{"nodeType":1639,"value":3604,"marks":3605,"data":3606},"Primer on extension stores and the publication process",[],{},{"nodeType":1635,"data":3608,"content":3609},{},[3610],{"nodeType":1639,"value":3611,"marks":3612,"data":3613},"As a light intro for folks that aren’t extension developers but are still interested, here’s a very brief description of this process. It’s not critical to understand the inner workings and differences between the stores to follow this blog, but it is very interesting (in my opinion). ",[],{},{"nodeType":1635,"data":3615,"content":3616},{},[3617],{"nodeType":1639,"value":3618,"marks":3619,"data":3620},"At Push we publish to three main extension stores; Chrome Web Store (this lets us cover all the Chromium-based browsers including Edge and Arc), Firefox Add-ons, and the Apple Store, so these are the stores we’re covering here.",[],{},{"nodeType":1635,"data":3622,"content":3623},{},[3624],{"nodeType":1639,"value":3625,"marks":3626,"data":3627},"The generic process is the same for all stores. To publish an update, you first build (or package, really) your extension source, upload it to your tenant/team/org in the store, and publish it. The publishing step triggers a manual review process in the Chrome and Apple stores, and once complete, the new version appears on the extension stores. In Firefox it goes straight out immediately.",[],{},{"nodeType":1635,"data":3629,"content":3630},{},[3631],{"nodeType":1639,"value":3632,"marks":3633,"data":3634},"A note on the reviews; if you aren’t adding new permissions (something we haven’t seen attackers do because it triggers a new interactive approval for the end-user when the extension is updated — something an attacker wants to avoid to evade detection) then our experience is that the the manual review process is typically fairly cursory. This is likely why the checks implemented at the store level failed to discover malicious updates in these cases.",[],{},{"nodeType":1635,"data":3636,"content":3637},{},[3638],{"nodeType":1639,"value":3639,"marks":3640,"data":3641},"While it’s possible to do this process completely manually, developers often automate builds and include some of the deployment steps above in the build automation process — I’ll use the term CI/CD to refer to this build and deployment process in the rest of this piece. All three stores provide API keys (albeit in different ways) to enable this process.",[],{},{"nodeType":1635,"data":3643,"content":3644},{},[3645],{"nodeType":1639,"value":3646,"marks":3647,"data":3648},"I’ll leave it there for now, but again see the “Extension store differences” section in the Appendix for more detail.",[],{},{"nodeType":1815,"data":3650,"content":3651},{},[3652],{"nodeType":1639,"value":3653,"marks":3654,"data":3655},"So what's the problem with the stores?",[],{},{"nodeType":1635,"data":3657,"content":3658},{},[3659],{"nodeType":1639,"value":3660,"marks":3661,"data":3662},"Ok, so far it sounds like the stores are all pretty standardised, so what's the actual problem here? Why did these attacks succeed?",[],{},{"nodeType":1635,"data":3664,"content":3665},{},[3666],{"nodeType":1639,"value":3667,"marks":3668,"data":3669},"There are a few notable control gaps relating to the extension stores which made this attack possible, and could have mitigated it were they in place. ",[],{},{"nodeType":1726,"data":3671,"content":3672},{},[3673,3683,3693],{"nodeType":1730,"data":3674,"content":3675},{},[3676],{"nodeType":1635,"data":3677,"content":3678},{},[3679],{"nodeType":1639,"value":3680,"marks":3681,"data":3682},"Despite the massive risk related to publishing a malicious extension, none of the mainstream stores provide a mechanism to implement a multiparty approval process, increasing the number of successful phishing attempts required. ",[],{},{"nodeType":1730,"data":3684,"content":3685},{},[3686],{"nodeType":1635,"data":3687,"content":3688},{},[3689],{"nodeType":1639,"value":3690,"marks":3691,"data":3692},"Due to the lack of granular permissions in the Chrome store, any dev with access to the store could be phished. A slightly more granular permission model — for example the ability to have one developer with the permission to upload an extension (but not publish it), and another with the ability to publish an uploaded extension (but not upload a new package) — could have addressed this. ",[],{},{"nodeType":1730,"data":3694,"content":3695},{},[3696],{"nodeType":1635,"data":3697,"content":3698},{},[3699],{"nodeType":1639,"value":3700,"marks":3701,"data":3702},"No log stream that could be easily ingested by a SIEM tool is provided, making it much harder to detect and respond. ",[],{},{"nodeType":1635,"data":3704,"content":3705},{},[3706],{"nodeType":1639,"value":3707,"marks":3708,"data":3709},"But alas, we’re not here to complain about the stores — that’s a different blog post — we’re here to solve problems today!",[],{},{"nodeType":1635,"data":3711,"content":3712},{},[3713],{"nodeType":1639,"value":3714,"marks":3715,"data":3716},"I mentioned before that a multiparty approval process is key. But to understand why, it’s useful to think about this in terms of how this system will be attacked. Threat or attack models are typical approaches to doing this.",[],{},{"nodeType":1697,"data":3718,"content":3719},{},[],{"nodeType":1701,"data":3721,"content":3722},{},[3723],{"nodeType":1639,"value":3724,"marks":3725,"data":3726},"Attack model for publishing a malicious extension",[],{},{"nodeType":1635,"data":3728,"content":3729},{},[3730],{"nodeType":1639,"value":3731,"marks":3732,"data":3733},"The main attack paths enabling an attacker to publish a malicious extension are outlined below. ",[],{},{"nodeType":1626,"data":3735,"content":3739},{"target":3736},{"sys":3737},{"id":3738,"type":1631,"linkType":1632},"2RQTz9QmPxOxAvy4EtXIQZ",[],{"nodeType":1635,"data":3741,"content":3742},{},[3743],{"nodeType":1639,"value":3744,"marks":3745,"data":3746},"You don’t need to follow all the minutia of these attack paths, but some things to note about these attack paths are that they all target single points of failure (a single identity, a single endpoint), primarily through Social Engineering attacks:",[],{},{"nodeType":1726,"data":3748,"content":3749},{},[3750,3760,3770],{"nodeType":1730,"data":3751,"content":3752},{},[3753],{"nodeType":1635,"data":3754,"content":3755},{},[3756],{"nodeType":1639,"value":3757,"marks":3758,"data":3759},"A single user with access to the store needs to fall for a social engineering attack for this to work (as happened in this case). ",[],{},{"nodeType":1730,"data":3761,"content":3762},{},[3763],{"nodeType":1635,"data":3764,"content":3765},{},[3766],{"nodeType":1639,"value":3767,"marks":3768,"data":3769},"Many paths can be completed with an identity or endpoint attack, and in most cases a single identity or endpoint is sufficient.",[],{},{"nodeType":1730,"data":3771,"content":3772},{},[3773],{"nodeType":1635,"data":3774,"content":3775},{},[3776],{"nodeType":1639,"value":3777,"marks":3778,"data":3779},"Attacks against code repos and CI/CD flows are parallel paths, you need to trust those systems already.",[],{},{"nodeType":1635,"data":3781,"content":3782},{},[3783],{"nodeType":1639,"value":3784,"marks":3785,"data":3786},"So in designing a security architecture, we want to do as much to reduce single points of failure, and make social engineering ineffective (even when it succeeds).",[],{},{"nodeType":1697,"data":3788,"content":3789},{},[],{"nodeType":1701,"data":3791,"content":3792},{},[3793],{"nodeType":1639,"value":3794,"marks":3795,"data":3796},"Recommended security architecture",[],{},{"nodeType":1635,"data":3798,"content":3799},{},[3800],{"nodeType":1639,"value":3801,"marks":3802,"data":3803},"You could literally write a book on everything it takes to secure identities, endpoints and code repositories in general, and we’ll certainly mention some of the identity controls we think are effective later on. One thing to note here is that whatever you implement, the attack that succeeds in the real-word today is vastly more likely to involve an element of social engineering vs. for example a vulnerability exploit. This is not just my opinion (solid as I like to think that is), but also well supported by threat reports like the Verizon DBIR, with 68% of attacks involving ‘the human element’ in the 2024 edition. ",[],{},{"nodeType":1635,"data":3805,"content":3806},{},[3807],{"nodeType":1639,"value":3808,"marks":3809,"data":3810},"In tackling attacks that involve social engineering, there are two main workable options:",[],{},{"nodeType":1726,"data":3812,"content":3813},{},[3814,3824],{"nodeType":1730,"data":3815,"content":3816},{},[3817],{"nodeType":1635,"data":3818,"content":3819},{},[3820],{"nodeType":1639,"value":3821,"marks":3822,"data":3823},"Remove the user’s ability to give the attacker what they need.",[],{},{"nodeType":1730,"data":3825,"content":3826},{},[3827],{"nodeType":1635,"data":3828,"content":3829},{},[3830],{"nodeType":1639,"value":3831,"marks":3832,"data":3833},"Assume that at least some users will fall for the attack, and make it as hard as possible for the attacker.",[],{},{"nodeType":1635,"data":3835,"content":3836},{},[3837],{"nodeType":1639,"value":3838,"marks":3839,"data":3840},"You may note I didn’t include security or awareness training in the above — essentially because I’ve never seen it be effective enough to be relied on, which is not to say it’s not very useful (especially if it’s well targeted and relevant — like unpacking what happened to Cyberhaven with your whole extension developer team would be!), just that technical controls are generally more reliable.",[],{},{"nodeType":1635,"data":3842,"content":3843},{},[3844],{"nodeType":1639,"value":3845,"marks":3846,"data":3847},"Anyway, back to what I think makes the cornerstones of a solution.",[],{},{"nodeType":1815,"data":3849,"content":3850},{},[3851],{"nodeType":1639,"value":3852,"marks":3853,"data":3854},"Remove BAU access to extension stores",[],{},{"nodeType":1635,"data":3856,"content":3857},{},[3858],{"nodeType":1639,"value":3859,"marks":3860,"data":3861},"If developers don’t have access to extension stores, they cannot be manipulated into giving attackers access to API keys, they cannot grant attackers authorization to access the store on their behalf, and if the identities are compromised they cannot be used to access the store.",[],{},{"nodeType":1635,"data":3863,"content":3864},{},[3865],{"nodeType":1639,"value":3866,"marks":3867,"data":3868},"The key to achieving this is to lean fully into completely automated CI/CD processes for normal extension updates. This means that after you’ve configured the CI/CD flows, no developer needs access to the extension stores to do their normal work (publishing new versions of the extension).",[],{},{"nodeType":1635,"data":3870,"content":3871},{},[3872],{"nodeType":1639,"value":3873,"marks":3874,"data":3875},"Unfortunately, you will still need to access the web console manually for some tasks like updating branding, updating extension descriptions, and proving justification for new permissions (Chrome and Apple only). For our team, these tasks are infrequent enough that they can be handled using break-glass accounts.",[],{},{"nodeType":1635,"data":3877,"content":3878},{},[3879],{"nodeType":1639,"value":3880,"marks":3881,"data":3882},"A side note here: it might seem that you are just moving the risk around, from the extension store to the code repo & CI/CD system, but you are really already dependent on the security of these systems, so this is just removing the direct access to the extension store from the attack surface. You also have far greater flexibility and control in the CI/CD system as we’ll see in the “Implement multiparty approval in CI/CD” section below.",[],{},{"nodeType":1815,"data":3884,"content":3885},{},[3886],{"nodeType":1639,"value":3887,"marks":3888,"data":3889},"Break-glass store admin accounts",[],{},{"nodeType":1635,"data":3891,"content":3892},{},[3893,3897,3906,3910,3919],{"nodeType":1639,"value":3894,"marks":3895,"data":3896},"In practice you might implement this by issuing developers that need access to the extension stores a second SSO identity that is dedicated to this. You could have a ",[],{},{"nodeType":1644,"data":3898,"content":3900},{"uri":3899},"mailto:john@amce.com",[3901],{"nodeType":1639,"value":3902,"marks":3903,"data":3905},"john@acme.com",[3904],{"type":1652},{},{"nodeType":1639,"value":3907,"marks":3908,"data":3909}," Google account to do normal development work, and a ",[],{},{"nodeType":1644,"data":3911,"content":3913},{"uri":3912},"mailto:john.admin@acme.com",[3914],{"nodeType":1639,"value":3915,"marks":3916,"data":3918},"john.admin@acme.com",[3917],{"type":1652},{},{"nodeType":1639,"value":3920,"marks":3921,"data":3922}," Google account to access the extension stores. You could also:",[],{},{"nodeType":1726,"data":3924,"content":3925},{},[3926,3936,3946,3956],{"nodeType":1730,"data":3927,"content":3928},{},[3929],{"nodeType":1635,"data":3930,"content":3931},{},[3932],{"nodeType":1639,"value":3933,"marks":3934,"data":3935},"Make the .admin accounts disabled by default in Google, and enable one of them at a time as and when needed (this should be very rare).",[],{},{"nodeType":1730,"data":3937,"content":3938},{},[3939],{"nodeType":1635,"data":3940,"content":3941},{},[3942],{"nodeType":1639,"value":3943,"marks":3944,"data":3945},"Put the .admin accounts in a separate OU in GWS, and configure that OU so that those accounts are not allowed to authorize any OAuth integrations.",[],{},{"nodeType":1730,"data":3947,"content":3948},{},[3949],{"nodeType":1635,"data":3950,"content":3951},{},[3952],{"nodeType":1639,"value":3953,"marks":3954,"data":3955},"Ensure that all the .admin accounts use hardware backed passkeys that don’t sync anywhere (we like Yubikeys) and disable password logins.",[],{},{"nodeType":1730,"data":3957,"content":3958},{},[3959],{"nodeType":1635,"data":3960,"content":3961},{},[3962],{"nodeType":1639,"value":3963,"marks":3964,"data":3965},"For bonus points, make sure .admin accounts can only be used on a separate dedicated endpoint (e.g. a locked-down Chromebook).",[],{},{"nodeType":1635,"data":3967,"content":3968},{},[3969],{"nodeType":1639,"value":3970,"marks":3971,"data":3972},"In this way you can have a setup where an attacker would have to successfully target a developer using a hardware-backed identity during the few minutes a year their account is active, and do so without using consent phishing attacks (because all OAuth integrations are disabled for your break-glass accounts). This is a majorly tall order for the attacker.",[],{},{"nodeType":1815,"data":3974,"content":3975},{},[3976],{"nodeType":1639,"value":3977,"marks":3978,"data":3979},"Implement multiparty approval in CI/CD",[],{},{"nodeType":1635,"data":3981,"content":3982},{},[3983],{"nodeType":1639,"value":3984,"marks":3985,"data":3986},"If nobody has active BAU access to extension stores for more than very brief periods, the attacker’s next best option is to target the process that developers are using to publish, i.e. committing code to the repository and waiting for the CI/CD system to publish the extension automatically.",[],{},{"nodeType":1635,"data":3988,"content":3989},{},[3990],{"nodeType":1639,"value":3991,"marks":3992,"data":3993},"In practice this means the attacker would need to attack the identity (account) the employee uses to access the code repository (assuming a typical cloud hosted system like GitHub here), or sneak code in through an endpoint attack. Overwhelmingly, these attacks are likely to include an element of social engineering — whether that’s phishing credentials or session tokens, or tricking the user into downloading malware, perhaps through a malicious dependency or vscode extension.",[],{},{"nodeType":1635,"data":3995,"content":3996},{},[3997],{"nodeType":1639,"value":3998,"marks":3999,"data":4000},"We can make the attacker’s life exponentially harder by requiring that they successfully attack two developers, at the same time, before anyone notices. Quick intuition might make it seem like we’re only doubling the difficulty, but other red-teamers with experience doing this will agree that it’s often very easy to target a random user in a large population quickly (one employee in a large corporate), but a single user in a much smaller team (say an extension dev team) might take repeated attacks. When you need to target multiple users in a small team, in a single attack, and maintain the breach concurrently while taking actions (e.g. committing malicious code hoping no-one notices) it becomes much more likely that the alarm will be raised. ",[],{},{"nodeType":1815,"data":4002,"content":4003},{},[4004],{"nodeType":1639,"value":4005,"marks":4006,"data":4007},"How to implement multiparty approval through CI/CD",[],{},{"nodeType":1635,"data":4009,"content":4010},{},[4011],{"nodeType":1639,"value":4012,"marks":4013,"data":4014},"There are probably dozens of ways to skin this cat, but I’ll share one way of doing this that works with mainstream tools and developer processes — using protected git branches.",[],{},{"nodeType":1726,"data":4016,"content":4017},{},[4018,4033,4048],{"nodeType":1730,"data":4019,"content":4020},{},[4021],{"nodeType":1635,"data":4022,"content":4023},{},[4024,4029],{"nodeType":1639,"value":4025,"marks":4026,"data":4028},"Step 1: ",[4027],{"type":1708},{},{"nodeType":1639,"value":4030,"marks":4031,"data":4032},"Setup multiple branches, these might be dev/stg/prd, or development/prerelease/release, and trigger automated build and deploy to the stores using CI/CD with PR merges to the prd/release branches. ",[],{},{"nodeType":1730,"data":4034,"content":4035},{},[4036],{"nodeType":1635,"data":4037,"content":4038},{},[4039,4044],{"nodeType":1639,"value":4040,"marks":4041,"data":4043},"Step 2: ",[4042],{"type":1708},{},{"nodeType":1639,"value":4045,"marks":4046,"data":4047},"Use branch protection rules that require a second (or even third) named or group of developers to review and approve the PR merge. This achieves multiparty approval.",[],{},{"nodeType":1730,"data":4049,"content":4050},{},[4051],{"nodeType":1635,"data":4052,"content":4053},{},[4054,4059],{"nodeType":1639,"value":4055,"marks":4056,"data":4058},"Step 3:",[4057],{"type":1708},{},{"nodeType":1639,"value":4060,"marks":4061,"data":4062}," Configure fully automated builds and deployments as part of your CI/CD flows. While this is possible for all three stores, some of the stores do make you jump through a few hoops. Take a look at the steps required to automate a publish to the Apple Store:",[],{},{"nodeType":1626,"data":4064,"content":4068},{"target":4065},{"sys":4066},{"id":4067,"type":1631,"linkType":1632},"4b9fc1ZUj4HdKl6Iv7Yx8T",[],{"nodeType":1635,"data":4070,"content":4071},{},[4072,4076,4085],{"nodeType":1639,"value":4073,"marks":4074,"data":4075},"Since we’ve done the work of figuring this out once already, we extracted the critical steps into a ",[],{},{"nodeType":1644,"data":4077,"content":4079},{"uri":4078},"https://github.com/pushsecurity/extension-security-guide",[4080],{"nodeType":1639,"value":4081,"marks":4082,"data":4084},"companion Github repo",[4083],{"type":1652},{},{"nodeType":1639,"value":4086,"marks":4087,"data":4088}," to make this a bit easier to implement.",[],{},{"nodeType":1635,"data":4090,"content":4091},{},[4092],{"nodeType":1639,"value":4093,"marks":4094,"data":4095},"As we’ve described it so far, this is a fairly basic implementation, and there are several other controls you might consider to harden this process, including:",[],{},{"nodeType":1726,"data":4097,"content":4098},{},[4099,4109,4119],{"nodeType":1730,"data":4100,"content":4101},{},[4102],{"nodeType":1635,"data":4103,"content":4104},{},[4105],{"nodeType":1639,"value":4106,"marks":4107,"data":4108},"Make sure you use a secrets protection system to store Web Store API keys in the CI/CD (it’s no use if the attacker can read the API keys from a config file in your code).",[],{},{"nodeType":1730,"data":4110,"content":4111},{},[4112],{"nodeType":1635,"data":4113,"content":4114},{},[4115],{"nodeType":1639,"value":4116,"marks":4117,"data":4118},"Ensure that developers don’t have access to change branch protection rules, or access CI/CD secrets (otherwise one compromised developer account can undo all this good work — let DevOps or other admin users that are not extension developers handle this admin).",[],{},{"nodeType":1730,"data":4120,"content":4121},{},[4122],{"nodeType":1635,"data":4123,"content":4124},{},[4125],{"nodeType":1639,"value":4126,"marks":4127,"data":4128},"Enforce hardware-backed signed commits as a condition for PR merges (this makes it very very difficult to get bad code into the repo without also compromising your dev team’s Yubikeys)",[],{},{"nodeType":1635,"data":4130,"content":4131},{},[4132],{"nodeType":1639,"value":4133,"marks":4134,"data":4135},"Now you have strong hardware-backed multiparty authenticated deployments to the stores, and should end up with something that looks a bit like this:",[],{},{"nodeType":1626,"data":4137,"content":4141},{"target":4138},{"sys":4139},{"id":4140,"type":1631,"linkType":1632},"6tWdfgYKyH2i2Zai05BxzB",[],{"nodeType":1697,"data":4143,"content":4144},{},[],{"nodeType":1701,"data":4146,"content":4147},{},[4148],{"nodeType":1639,"value":4149,"marks":4150,"data":4151},"The next best attack path — IdP admin compromise",[],{},{"nodeType":1635,"data":4153,"content":4154},{},[4155],{"nodeType":1639,"value":4156,"marks":4157,"data":4158},"Once developers don’t have direct access to the stores, and you have multiparty approvals to get code into CI/CD, the next best attack paths are to target other single-points-of-failure — most likely the administrators. ",[],{},{"nodeType":1635,"data":4160,"content":4161},{},[4162],{"nodeType":1639,"value":4163,"marks":4164,"data":4165},"This might be the IdP (Google Workspace, Entra, Okta, etc.) admins, which can then be used to provision access to the stores, or simply recover one or more of the developer or break-glass accounts. Or it might target the code repo or CI/CD (GitHub in our example) admins which have access to API keys and can change branch protection rules.",[],{},{"nodeType":1635,"data":4167,"content":4168},{},[4169],{"nodeType":1639,"value":4170,"marks":4171,"data":4172},"Managing privileged identities like these admin accounts is a constant challenge, but continuing what is perhaps the central thread of this blog, identity attacks (likely through social engineering) are going to be the first port of call for an attacker.",[],{},{"nodeType":1815,"data":4174,"content":4175},{},[4176],{"nodeType":1639,"value":4177,"marks":4178,"data":4179},"Recommendations for hardening admin identities",[],{},{"nodeType":1635,"data":4181,"content":4182},{},[4183],{"nodeType":1639,"value":4184,"marks":4185,"data":4186},"If there’s one thing we know here at Push, it’s identity security — but I’ll fight the urge to go into too much depth with generic recommendations, and focus on where there are opportunities specific to this scope.",[],{},{"nodeType":1635,"data":4188,"content":4189},{},[4190],{"nodeType":1639,"value":4191,"marks":4192,"data":4193},"One of the most critical aspects of securing these admin accounts is making sure that they are phishing resistant. Where possible, you should be using phishing resistant MFA methods. Typically this means some kind of domain bound security key using the WebAuthn protocol — a passkey using your fingerprint reader is good, something like Yubikey is great. I think this is pretty well understood, but where it goes wrong most often is when backup methods and alternative login methods exist. For example, you might be using an Google OIDC login secured with a Yubikey to access the Firefox store, but not realize that this account also has a password to set that doesn’t have MFA, or has phish-able MFA like SMS or an app-code set.",[],{},{"nodeType":1635,"data":4195,"content":4196},{},[4197],{"nodeType":1639,"value":4198,"marks":4199,"data":4200},"Attackers are increasingly using attacks that downgrade MFA methods (so the attacker will request the least secure active MFA method when phishing you, rather than the strong method you might use day-to-day), and this is completely automated in modern MFA-bypass phishing kits.",[],{},{"nodeType":1635,"data":4202,"content":4203},{},[4204],{"nodeType":1639,"value":4205,"marks":4206,"data":4207},"Warning, product plug coming 🙂 — what we do at Push is help you identify issues like these at scale, across all admin, break-glass, dev, and normal user accounts. We also block credential phishing by detecting when users try to enter their SSO credentials on the wrong page, detecting session theft, and can even monitor when credentials stolen via infostealers show up on underground forums.",[],{},{"nodeType":1697,"data":4209,"content":4210},{},[],{"nodeType":1701,"data":4212,"content":4213},{},[4214],{"nodeType":1639,"value":4215,"marks":4216,"data":4217},"Going even further to harden extension deployment",[],{},{"nodeType":1635,"data":4219,"content":4220},{},[4221],{"nodeType":1639,"value":4222,"marks":4223,"data":4224},"This blog is already getting way too long, but there are a lot of other controls that can really help harden extension deployment — if there is interest I might go into detail in a future blog post, but for now let me just mention some of them.",[],{},{"nodeType":1815,"data":4226,"content":4227},{},[4228],{"nodeType":1639,"value":4229,"marks":4230,"data":4231},"Multiparty approvals for Google",[],{},{"nodeType":1635,"data":4233,"content":4234},{},[4235],{"nodeType":1639,"value":4236,"marks":4237,"data":4238},"If you’re going to do multiparty approvals for extension deployments, then enabling this for admin actions that protect that infrastructure seems like a no-brainer.",[],{},{"nodeType":1635,"data":4240,"content":4241},{},[4242,4246,4255],{"nodeType":1639,"value":4243,"marks":4244,"data":4245},"Google allows you to enable ",[],{},{"nodeType":1644,"data":4247,"content":4249},{"uri":4248},"https://support.google.com/a/answer/13790448?hl=en",[4250],{"nodeType":1639,"value":4251,"marks":4252,"data":4254},"multiparty approval for sensitive actions",[4253],{"type":1652},{},{"nodeType":1639,"value":4256,"marks":4257,"data":4258}," in Google Workspace. We wish it was a bit more granular, and covered more configurable actions — but it’s an awesome start, nice work Google!",[],{},{"nodeType":1815,"data":4260,"content":4261},{},[4262],{"nodeType":1639,"value":4263,"marks":4264,"data":4265},"Admin workstations",[],{},{"nodeType":1635,"data":4267,"content":4268},{},[4269],{"nodeType":1639,"value":4270,"marks":4271,"data":4272},"When we used to do red-team exercises, one of the most challenging controls to work around was when the admin accounts we were targeting were only used on dedicated admin workstations. Ideally those workstations would do nothing except admin tasks, and the accounts would be locked down, so in this case that might mean:",[],{},{"nodeType":1726,"data":4274,"content":4275},{},[4276,4286,4296],{"nodeType":1730,"data":4277,"content":4278},{},[4279],{"nodeType":1635,"data":4280,"content":4281},{},[4282],{"nodeType":1639,"value":4283,"marks":4284,"data":4285},"No email access",[],{},{"nodeType":1730,"data":4287,"content":4288},{},[4289],{"nodeType":1635,"data":4290,"content":4291},{},[4292],{"nodeType":1639,"value":4293,"marks":4294,"data":4295},"No extensions",[],{},{"nodeType":1730,"data":4297,"content":4298},{},[4299],{"nodeType":1635,"data":4300,"content":4301},{},[4302],{"nodeType":1639,"value":4303,"marks":4304,"data":4305},"No OAuth apps",[],{},{"nodeType":1635,"data":4307,"content":4308},{},[4309],{"nodeType":1639,"value":4310,"marks":4311,"data":4312},"This becomes incredibly challenging to attack — but it does come with some obvious painful UX impact for admins, so I don’t think this is a no-brainer for everyone.",[],{},{"nodeType":1815,"data":4314,"content":4315},{},[4316],{"nodeType":1639,"value":4317,"marks":4318,"data":4319},"Isolate support emails",[],{},{"nodeType":1635,"data":4321,"content":4322},{},[4323],{"nodeType":1639,"value":4324,"marks":4325,"data":4326},"Sending your support emails to extension developers creates a direct path to start social engineering — something attackers used to great effect in this campaign. If your developers are not also your frontline support team, consider ringfencing developers from that public support email group so attackers have to at least do some reconnaissance work to identify the developers to target.",[],{},{"nodeType":1815,"data":4328,"content":4329},{},[4330],{"nodeType":1639,"value":4331,"marks":4332,"data":4333},"Detection and response",[],{},{"nodeType":1635,"data":4335,"content":4336},{},[4337],{"nodeType":1639,"value":4338,"marks":4339,"data":4340},"As always there are a myriad of things that can be monitored. We think high value would be doing things like:",[],{},{"nodeType":1726,"data":4342,"content":4343},{},[4344,4387,4397],{"nodeType":1730,"data":4345,"content":4346},{},[4347,4354],{"nodeType":1635,"data":4348,"content":4349},{},[4350],{"nodeType":1639,"value":4351,"marks":4352,"data":4353},"Checking whether new versions of your extension appearing in the store is directly related or caused by the CI/CD process, and:",[],{},{"nodeType":1726,"data":4355,"content":4356},{},[4357,4367,4377],{"nodeType":1730,"data":4358,"content":4359},{},[4360],{"nodeType":1635,"data":4361,"content":4362},{},[4363],{"nodeType":1639,"value":4364,"marks":4365,"data":4366},"Alert if there is no direct link here.",[],{},{"nodeType":1730,"data":4368,"content":4369},{},[4370],{"nodeType":1635,"data":4371,"content":4372},{},[4373],{"nodeType":1639,"value":4374,"marks":4375,"data":4376},"You can configure email alerts to trigger this automated check.",[],{},{"nodeType":1730,"data":4378,"content":4379},{},[4380],{"nodeType":1635,"data":4381,"content":4382},{},[4383],{"nodeType":1639,"value":4384,"marks":4385,"data":4386},"You could consider immediate automated roll-back to a previous version of the extension if it wasn’t published via the CI/CD system.",[],{},{"nodeType":1730,"data":4388,"content":4389},{},[4390],{"nodeType":1635,"data":4391,"content":4392},{},[4393],{"nodeType":1639,"value":4394,"marks":4395,"data":4396},"Any activity on break-glass accounts — these accounts should only be used after they are activated by admins to complete a specific task, so this is an obvious alert to configure.",[],{},{"nodeType":1730,"data":4398,"content":4399},{},[4400],{"nodeType":1635,"data":4401,"content":4402},{},[4403],{"nodeType":1639,"value":4404,"marks":4405,"data":4406},"Unusual activity on service accounts — this is a bit of work to profile, but very valuable.",[],{},{"nodeType":1697,"data":4408,"content":4409},{},[],{"nodeType":1701,"data":4411,"content":4412},{},[4413],{"nodeType":1639,"value":4414,"marks":4415,"data":4416},"Our request to extension stores",[],{},{"nodeType":1635,"data":4418,"content":4419},{},[4420],{"nodeType":1639,"value":4421,"marks":4422,"data":4423},"I’ll use this opportunity to make an open request to the browser extension stores for a couple of features that I think would really benefit the entire ecosystem:",[],{},{"nodeType":1726,"data":4425,"content":4426},{},[4427,4437,4447,4457],{"nodeType":1730,"data":4428,"content":4429},{},[4430],{"nodeType":1635,"data":4431,"content":4432},{},[4433],{"nodeType":1639,"value":4434,"marks":4435,"data":4436},"Add the ability to configure an explicit multiparty approval process (and show the public which extensions have enabled these controls!).",[],{},{"nodeType":1730,"data":4438,"content":4439},{},[4440],{"nodeType":1635,"data":4441,"content":4442},{},[4443],{"nodeType":1639,"value":4444,"marks":4445,"data":4446},"More granular permissions or roles (e.g. only edit descriptions, only only upload, only publish, only accept new terms).",[],{},{"nodeType":1730,"data":4448,"content":4449},{},[4450],{"nodeType":1635,"data":4451,"content":4452},{},[4453],{"nodeType":1639,"value":4454,"marks":4455,"data":4456},"Better logs and monitoring – making it easier to ingest events related to your extension via the store into a SIEM would make alerts much easier to configure.",[],{},{"nodeType":1730,"data":4458,"content":4459},{},[4460],{"nodeType":1635,"data":4461,"content":4462},{},[4463],{"nodeType":1639,"value":4464,"marks":4465,"data":4466},"Enforce stronger default identity security controls (even if only for risky or popular extensions) — we enforce MFA by default for GitHub repositories now, it’s about time that we require MFA to access an extension store as well.",[],{},{"nodeType":1697,"data":4468,"content":4469},{},[],{"nodeType":1701,"data":4471,"content":4472},{},[4473],{"nodeType":1639,"value":4474,"marks":4475,"data":4476},"Conclusion",[],{},{"nodeType":1635,"data":4478,"content":4479},{},[4480],{"nodeType":1639,"value":4481,"marks":4482,"data":4483},"We’ve seen in the past that the successful use of new techniques seem to inspire other attackers and lead to many similar attacks, so the smart money is on this happening again.",[],{},{"nodeType":1635,"data":4485,"content":4486},{},[4487,4491,4500],{"nodeType":1639,"value":4488,"marks":4489,"data":4490},"There is lots to work needed to secure this process, and hopefully this blog has provided a starting point. We’d love to hear from you — let’s start ",[],{},{"nodeType":1644,"data":4492,"content":4494},{"uri":4493},"https://github.com/pushsecurity/extension-security-guide/discussions",[4495],{"nodeType":1639,"value":4496,"marks":4497,"data":4499},"sharing some ideas",[4498],{"type":1652},{},{"nodeType":1639,"value":4501,"marks":4502,"data":4503}," around hardening this process even more!",[],{},{"nodeType":1635,"data":4505,"content":4506},{},[4507],{"nodeType":1639,"value":4508,"marks":4509,"data":4510},"If you're a customer rather than an extension developer, this guide hopefully gives you a sense of the supply chain attacks that are likely to happen in the future. Asking your vendors which steps they’ve taken to prevent these attacks might be a sensible addition to your vendor risk assessment process (when the product includes a browser extension). ",[],{},{"nodeType":1635,"data":4512,"content":4513},{},[4514],{"nodeType":1639,"value":4515,"marks":4516,"data":4517},"This kind of due diligence is viable where the developer is a vendor you have a commercial relationship with, but is a non-starter when it’s an extension that’s offered for free by well meaning open source developers. In these cases a sensible response might be to require approvals for new browser extensions, a technical risk review based on (at least) the permissions the extension is asking for, and managed browser policies to control and further limit what some or all extensions can do. For example, you may decide to block access for extensions to your IdP’s domains to protect your SSO accounts. ",[],{},{"nodeType":1635,"data":4519,"content":4520},{},[4521],{"nodeType":1639,"value":4522,"marks":4523,"data":4524},"We’ll be releasing guidance on how to manage third party extensions used in your organization in the near future — subscribe to our mailing list to be notified when we do.",[],{},{"nodeType":1697,"data":4526,"content":4527},{},[],{"nodeType":1701,"data":4529,"content":4530},{},[4531],{"nodeType":1639,"value":4532,"marks":4533,"data":4534},"Appendix: Extension store differences",[],{},{"nodeType":1635,"data":4536,"content":4537},{},[4538],{"nodeType":1639,"value":4539,"marks":4540,"data":4541},"We covered the general process of publishing extensions to the different stores in the “Primer on extension stores and the publication process” section above, now let’s talk about the differences between the stores. Let’s start with how they provision for automated deployments.",[],{},{"nodeType":1815,"data":4543,"content":4544},{},[4545],{"nodeType":1639,"value":4546,"marks":4547,"data":4548},"Automation keys",[],{},{"nodeType":1635,"data":4550,"content":4551},{},[4552,4556,4565],{"nodeType":1639,"value":4553,"marks":4554,"data":4555},"The Chrome Web Store allows automation through an OAuth app. As described in ",[],{},{"nodeType":1644,"data":4557,"content":4559},{"uri":4558},"https://developer.chrome.com/docs/webstore/using-api",[4560],{"nodeType":1639,"value":4561,"marks":4562,"data":4564},"their documentation",[4563],{"type":1652},{},{"nodeType":1639,"value":4566,"marks":4567,"data":4568},", the process is for a developer to create a custom OAuth app (a client on OAuth speak), then a user with access to the store authorizes the OAuth app to access the chrome store on their behalf using the https://www.googleapis.com/auth/chromewebstore scope. ",[],{},{"nodeType":1635,"data":4570,"content":4571},{},[4572],{"nodeType":1639,"value":4573,"marks":4574,"data":4575},"If this sounds familiar, that’s because this is exactly what attackers tricked developers into doing using their own OAuth app in the Cyberhave campaign. In the normal flow, the developer then uses a service key linked to the OAuth app in their CI/CD flow to automate the deployment process.",[],{},{"nodeType":1635,"data":4577,"content":4578},{},[4579],{"nodeType":1639,"value":4580,"marks":4581,"data":4582},"The situation is a bit simpler for Firefox and Apple, which both work by developers just creating simple static API keys, though Apple does allow you to create personal API keys linked to a single account (and that account’s permissions).",[],{},{"nodeType":1815,"data":4584,"content":4585},{},[4586],{"nodeType":1639,"value":4587,"marks":4588,"data":4589},"Accessing the store",[],{},{"nodeType":1635,"data":4591,"content":4592},{},[4593],{"nodeType":1639,"value":4594,"marks":4595,"data":4596},"In a business environment, using SSO to access apps is extremely useful as it simplifies the provisioning and security-ops work of maintaining secure identities — and often provides more secure authentication methods (e.g. hardware backed WebAuthn MFA) than the target app does (as is the case for the web stores). It also simplifies and centralizes the ability to log and monitor the use of these accounts. I can’t recommend the use of strong SSO authentication enough in cases like this where ensuring you have the right controls in place is paramount.",[],{},{"nodeType":1635,"data":4598,"content":4599},{},[4600],{"nodeType":1639,"value":4601,"marks":4602,"data":4603},"Fortunately all the stores provide SSO login methods. For the Chrome store, users login (only) using Google SSO accounts — and if they are part of a Google Workspace, access can be provisioned through membership to a group. Firefox allows access using a username and password, but also offers OIDC SSO logins through Google or Apple accounts. If you make use of Managed Apple IDs, Apple offers OIDC SSO authentication as well. ",[],{},{"nodeType":1635,"data":4605,"content":4606},{},[4607,4611,4616],{"nodeType":1639,"value":4608,"marks":4609,"data":4610},"For Chrome and Firefox there is no real concept of roles (or nothing really useful), and ",[],{},{"nodeType":1639,"value":4612,"marks":4613,"data":4615},"you should assume any user with access to a team in your account has the ability to publish extension updates",[4614],{"type":1652},{},{"nodeType":1639,"value":4617,"marks":4618,"data":4619},". Apple offers more granular roles and permissions - and there are low privileged roles that can’t publish updates.",[],{},"Guide to secure browser extension deployment","How extension developers can improve their security controls to prevent extension compromise.","2025-01-14T00:00:00.000Z","guide-to-secure-browser-extension-deployment",{"items":4625},[4626,4630],{"sys":4627,"name":4629},{"id":4628},"3pjES4THCIfSAwhGdNwBcy","Identity security",{"sys":4631,"name":3383},{"id":3382},{"items":4633},[4634],{"fullName":4635,"firstName":4636,"jobTitle":4637,"profilePicture":4638},"Jacques Louw","Jacques","Co-founder / CRO",{"url":4639},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg",{"__typename":2613,"sys":4641,"content":4643,"title":6009,"synopsis":6010,"hashTags":61,"publishedDate":6011,"slug":6012,"tagsCollection":6013,"authorsCollection":6019},{"id":4642},"wI3paLVDlEKdaRI5qMYFc",{"json":4644},{"nodeType":1622,"data":4645,"content":4646},{},[4647,4654,4677,4684,4690,4697,4704,4711,4717,4720,4728,4735,4741,4747,4763,4975,4987,4995,5002,5009,5016,5036,5042,5049,5052,5060,5067,5100,5107,5123,5144,5179,5185,5192,5211,5218,5225,5228,5236,5243,5337,5344,5351,5359,5366,5373,5380,5386,5394,5401,5408,5415,5421,5428,5436,5455,5463,5470,5476,5479,5487,5494,5501,5612,5618,5625,5632,5639,5646,5653,5661,5668,5675,5700,5706,5722,5737,5753,5759,5767,5774,5782,5789,5792,5800,5807,5840,5846,5870,5877,5880,5888,5895,5911,5917,5924,5931,5934,5942,5960,5967],{"nodeType":1635,"data":4648,"content":4649},{},[4650],{"nodeType":1639,"value":4651,"marks":4652,"data":4653},"Here are two things that can’t both be true:",[],{},{"nodeType":1726,"data":4655,"content":4656},{},[4657,4667],{"nodeType":1730,"data":4658,"content":4659},{},[4660],{"nodeType":1635,"data":4661,"content":4662},{},[4663],{"nodeType":1639,"value":4664,"marks":4665,"data":4666},"Users are the weakest link in security. They just need to stop clicking on things.",[],{},{"nodeType":1730,"data":4668,"content":4669},{},[4670],{"nodeType":1635,"data":4671,"content":4672},{},[4673],{"nodeType":1639,"value":4674,"marks":4675,"data":4676},"The internet is a giant clicking-on-things machine.",[],{},{"nodeType":1635,"data":4678,"content":4679},{},[4680],{"nodeType":1639,"value":4681,"marks":4682,"data":4683},"In particular, when we look at the TTPs of modern browser-based attacks that target employees, it’s obvious where this disconnect has real consequences. ",[],{},{"nodeType":1626,"data":4685,"content":4689},{"target":4686},{"sys":4687},{"id":4688,"type":1631,"linkType":1632},"2x3blnHzZYcJ8c439C4NqI",[],{"nodeType":1635,"data":4691,"content":4692},{},[4693],{"nodeType":1639,"value":4694,"marks":4695,"data":4696},"Here’s why: Security tooling hasn’t kept up with adversary advances, and normal human behaviors are being expressly targeted via the browser to achieve compromise of accounts and endpoints. If you list the pitfalls facing the common end-user encountering these kinds of attack methods, the picture becomes even more stark.",[],{},{"nodeType":1635,"data":4698,"content":4699},{},[4700],{"nodeType":1639,"value":4701,"marks":4702,"data":4703},"To solve these problems, you need security tooling that sits in line with the user where they’re already working: In the browser. In this Push product guide, we’ll cover how you can use Push to provide point-in-time guidance — everything from block pages to informational banners — to protect users from modern browser-based TTPs and to guide them to remediate common vulnerabilities that can lead to account takeover.",[],{},{"nodeType":1635,"data":4705,"content":4706},{},[4707],{"nodeType":1639,"value":4708,"marks":4709,"data":4710},"We’ve also recently introduced custom branding and styling options for user-facing block pages and banners so you can provide a cohesive and trustworthy experience across your security ecosystem.",[],{},{"nodeType":1626,"data":4712,"content":4716},{"target":4713},{"sys":4714},{"id":4715,"type":1631,"linkType":1632},"7fwCnr9bz76rWWCL6EReOT",[],{"nodeType":1697,"data":4718,"content":4719},{},[],{"nodeType":1701,"data":4721,"content":4722},{},[4723],{"nodeType":1639,"value":4724,"marks":4725,"data":4727},"Why you can’t train users to recognize modern browser-based attack methods",[4726],{"type":1708},{},{"nodeType":1635,"data":4729,"content":4730},{},[4731],{"nodeType":1639,"value":4732,"marks":4733,"data":4734},"User awareness training can help you build your workforce’s basic security baseline. But it’s not a reliable remedy for modern browser-based TTPs. When you look at the creative methods attackers are using — and rapidly improving on — it’s obvious why.",[],{},{"nodeType":1626,"data":4736,"content":4740},{"target":4737},{"sys":4738},{"id":4739,"type":1631,"linkType":1632},"eHla7GPCH5eTpdfEqW5Zo",[],{"nodeType":1626,"data":4742,"content":4746},{"target":4743},{"sys":4744},{"id":4745,"type":1631,"linkType":1632},"29vUtbEUam8fhbwnQdINRJ",[],{"nodeType":1635,"data":4748,"content":4749},{},[4750,4754,4759],{"nodeType":1639,"value":4751,"marks":4752,"data":4753},"To avoid account or endpoint compromise while going about your daily work as a user, you would need to accomplish these ",[],{},{"nodeType":1639,"value":4755,"marks":4756,"data":4758},"extremely 100% achievable activities",[4757],{"type":273},{},{"nodeType":1639,"value":4760,"marks":4761,"data":4762},", including:",[],{},{"nodeType":4764,"data":4765,"content":4766},"table",{},[4767,4794,4837,4860,4895,4929],{"nodeType":4768,"data":4769,"content":4770},"table-row",{},[4771,4783],{"nodeType":4772,"data":4773,"content":4774},"table-header-cell",{},[4775],{"nodeType":1635,"data":4776,"content":4777},{},[4778],{"nodeType":1639,"value":4779,"marks":4780,"data":4782},"Scenario",[4781],{"type":1708},{},{"nodeType":4772,"data":4784,"content":4785},{},[4786],{"nodeType":1635,"data":4787,"content":4788},{},[4789],{"nodeType":1639,"value":4790,"marks":4791,"data":4793},"Threat",[4792],{"type":1708},{},{"nodeType":4768,"data":4795,"content":4796},{},[4797,4823],{"nodeType":4798,"data":4799,"content":4800},"table-cell",{},[4801],{"nodeType":1635,"data":4802,"content":4803},{},[4804,4808,4819],{"nodeType":1639,"value":4805,"marks":4806,"data":4807},"While using search engines, never click on a ",[],{},{"nodeType":4809,"data":4810,"content":4814},"entry-hyperlink",{"target":4811},{"sys":4812},{"id":4813,"type":1631,"linkType":1632},"2YmiesBvJHGw4wiKEKzLUq",[4815],{"nodeType":1639,"value":4816,"marks":4817,"data":4818},"malicious link",[],{},{"nodeType":1639,"value":4820,"marks":4821,"data":4822}," in sponsored or organic results (it's often the first link you see, too).",[],{},{"nodeType":4798,"data":4824,"content":4825},{},[4826],{"nodeType":1635,"data":4827,"content":4828},{},[4829,4833],{"nodeType":1639,"value":4830,"marks":4831,"data":4832},"M",[],{},{"nodeType":1639,"value":4834,"marks":4835,"data":4836},"alvertising, SEO poisoning, compromised legitimate webpages, vibecoded phishing webpages.",[],{},{"nodeType":4768,"data":4838,"content":4839},{},[4840,4850],{"nodeType":4798,"data":4841,"content":4842},{},[4843],{"nodeType":1635,"data":4844,"content":4845},{},[4846],{"nodeType":1639,"value":4847,"marks":4848,"data":4849},"Know when to trust an email coming from an app you use every day, and when it could be malicious (it looks the same).",[],{},{"nodeType":4798,"data":4851,"content":4852},{},[4853],{"nodeType":1635,"data":4854,"content":4855},{},[4856],{"nodeType":1639,"value":4857,"marks":4858,"data":4859},"Using SaaS services to distribute malicious links using trusted sites (also a handy way of evading email controls).",[],{},{"nodeType":4768,"data":4861,"content":4862},{},[4863,4885],{"nodeType":4798,"data":4864,"content":4865},{},[4866],{"nodeType":1635,"data":4867,"content":4868},{},[4869,4873,4881],{"nodeType":1639,"value":4870,"marks":4871,"data":4872},"When reading a LinkedIn DM from a colleague, anticipate that they might have been hacked and have sent you a malicious link. (Yes, this was a ",[],{},{"nodeType":1644,"data":4874,"content":4876},{"uri":4875},"https://pushsecurity.com/blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack/",[4877],{"nodeType":1639,"value":4878,"marks":4879,"data":4880},"real scenario",[],{},{"nodeType":1639,"value":4882,"marks":4883,"data":4884},"). ",[],{},{"nodeType":4798,"data":4886,"content":4887},{},[4888],{"nodeType":1635,"data":4889,"content":4890},{},[4891],{"nodeType":1639,"value":4892,"marks":4893,"data":4894},"Abuse of social media, IM platforms, and other apps where you can be directly contacted by users external to your organization. ",[],{},{"nodeType":4768,"data":4896,"content":4897},{},[4898,4908],{"nodeType":4798,"data":4899,"content":4900},{},[4901],{"nodeType":1635,"data":4902,"content":4903},{},[4904],{"nodeType":1639,"value":4905,"marks":4906,"data":4907},"When logging in to an app, never follow benign-seeming but actually malicious instructions to enter a code onto a legitimate page to complete your login.",[],{},{"nodeType":4798,"data":4909,"content":4910},{},[4911],{"nodeType":1635,"data":4912,"content":4913},{},[4914,4918,4926],{"nodeType":1639,"value":4915,"marks":4916,"data":4917},"AiTM phishing, OAuth consent phishing, ",[],{},{"nodeType":1644,"data":4919,"content":4921},{"uri":4920},"https://pushsecurity.com/blog/device-code-phishing/",[4922],{"nodeType":1639,"value":4923,"marks":4924,"data":4925},"device code phishing",[],{},{"nodeType":1639,"value":2291,"marks":4927,"data":4928},[],{},{"nodeType":4768,"data":4930,"content":4931},{},[4932,4942],{"nodeType":4798,"data":4933,"content":4934},{},[4935],{"nodeType":1635,"data":4936,"content":4937},{},[4938],{"nodeType":1639,"value":4939,"marks":4940,"data":4941},"Know which instructions to follow and which are malicious when verifying that you're human on a CAPTCHA-style page.",[],{},{"nodeType":4798,"data":4943,"content":4944},{},[4945],{"nodeType":1635,"data":4946,"content":4947},{},[4948,4951,4959,4963,4971],{"nodeType":1639,"value":29,"marks":4949,"data":4950},[],{},{"nodeType":1644,"data":4952,"content":4954},{"uri":4953},"https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/",[4955],{"nodeType":1639,"value":4956,"marks":4957,"data":4958},"ClickFix",[],{},{"nodeType":1639,"value":4960,"marks":4961,"data":4962},"-style attacks that trick the user into running a malicious script or command, or ",[],{},{"nodeType":1644,"data":4964,"content":4966},{"uri":4965},"https://pushsecurity.com/blog/consentfix/",[4967],{"nodeType":1639,"value":4968,"marks":4969,"data":4970},"ConsentFix",[],{},{"nodeType":1639,"value":4972,"marks":4973,"data":4974}," (which is even sneakier and simply involves copying a URL).",[],{},{"nodeType":1635,"data":4976,"content":4977},{},[4978,4982],{"nodeType":1639,"value":4979,"marks":4980,"data":4981},"And we're barely scratching the surface here. ",[],{},{"nodeType":1639,"value":4983,"marks":4984,"data":4986},"Easy, right?",[4985],{"type":1708},{},{"nodeType":1815,"data":4988,"content":4989},{},[4990],{"nodeType":1639,"value":4991,"marks":4992,"data":4994},"Can't we block users from interacting with bad content? ",[4993],{"type":1708},{},{"nodeType":1635,"data":4996,"content":4997},{},[4998],{"nodeType":1639,"value":4999,"marks":5000,"data":5001},"So if you can’t train your way out of these problems, what about locking down and blocking your way out of the problem?",[],{},{"nodeType":1635,"data":5003,"content":5004},{},[5005],{"nodeType":1639,"value":5006,"marks":5007,"data":5008},"This, too, simply isn’t really feasible. ",[],{},{"nodeType":1635,"data":5010,"content":5011},{},[5012],{"nodeType":1639,"value":5013,"marks":5014,"data":5015},"Modern cloud-first adversaries routinely rotate domains on malicious pages; use trusted services like SharePoint, Adobe, Google Sites, Cloudflare, and Atlassian to deliver lures; target end-users across multiple channels, including social media, forums, chat platforms, Google search results, email, and webpages; and use legitimate security tools like bot protection to bypass detection by other legitimate security tools, such as web content scanning and analysis solutions.",[],{},{"nodeType":1635,"data":5017,"content":5018},{},[5019,5023,5027,5032],{"nodeType":1639,"value":5020,"marks":5021,"data":5022},"To safely navigate the internet today, y",[],{},{"nodeType":1639,"value":5024,"marks":5025,"data":5026},"ou need to be able to spot malicious pages and content ",[],{},{"nodeType":1639,"value":5028,"marks":5029,"data":5031},"the first time they're seen in the wild",[5030],{"type":1708},{},{"nodeType":1639,"value":5033,"marks":5034,"data":5035},". If you're relying on indicators of known bad, you're always a step behind, leaving users exposed.",[],{},{"nodeType":1626,"data":5037,"content":5041},{"target":5038},{"sys":5039},{"id":5040,"type":1631,"linkType":1632},"3ZfqOLRdJZJIc78rj9E9JZ",[],{"nodeType":1635,"data":5043,"content":5044},{},[5045],{"nodeType":1639,"value":5046,"marks":5047,"data":5048},"To protect users while they work online, you need a purpose-built security tool that can respond in real time to modern TTPs and guide users securely — without introducing extra work or a lot of friction. Push can help with that.",[],{},{"nodeType":1697,"data":5050,"content":5051},{},[],{"nodeType":1701,"data":5053,"content":5054},{},[5055],{"nodeType":1639,"value":5056,"marks":5057,"data":5059},"Why in-browser controls?",[5058],{"type":1708},{},{"nodeType":1635,"data":5061,"content":5062},{},[5063],{"nodeType":1639,"value":5064,"marks":5065,"data":5066},"Simply put, using in-browser security controls gets you the closest to the user and their work in order to protect them from modern browser-based threats. Adding in-browser controls also solves two tricky problems for security teams: ",[],{},{"nodeType":1726,"data":5068,"content":5069},{},[5070,5085],{"nodeType":1730,"data":5071,"content":5072},{},[5073],{"nodeType":1635,"data":5074,"content":5075},{},[5076,5081],{"nodeType":1639,"value":5077,"marks":5078,"data":5080},"Filling the gap between solution layers",[5079],{"type":1708},{},{"nodeType":1639,"value":5082,"marks":5083,"data":5084}," in order to detect and block attack methods like Adversary-in-the-Middle phishing, malicious browser extensions, and ClickFix-style social engineering attacks that other tools miss.",[],{},{"nodeType":1730,"data":5086,"content":5087},{},[5088],{"nodeType":1635,"data":5089,"content":5090},{},[5091,5096],{"nodeType":1639,"value":5092,"marks":5093,"data":5095},"Providing just-in-time security enforcement",[5094],{"type":1708},{},{"nodeType":1639,"value":5097,"marks":5098,"data":5099}," to end-users when it’s the right moment to act on that guidance, reducing your attack surface across your online apps, browser extensions, and accounts, and ensuring your app usage policies are followed.",[],{},{"nodeType":1815,"data":5101,"content":5102},{},[5103],{"nodeType":1639,"value":5104,"marks":5105,"data":5106},"Fill the gap between solution layers",[],{},{"nodeType":1635,"data":5108,"content":5109},{},[5110,5114,5119],{"nodeType":1639,"value":5111,"marks":5112,"data":5113},"Most existing security solutions operate just ",[],{},{"nodeType":1639,"value":5115,"marks":5116,"data":5118},"outside",[5117],{"type":273},{},{"nodeType":1639,"value":5120,"marks":5121,"data":5122}," the context of a user interacting with a webpage. This leaves blind spots that attackers are exploiting between layers of security tooling.",[],{},{"nodeType":1635,"data":5124,"content":5125},{},[5126,5130,5140],{"nodeType":1639,"value":5127,"marks":5128,"data":5129},"For example, network proxies see HTTP requests, URLs, and page headers, but not the ",[],{},{"nodeType":4809,"data":5131,"content":5135},{"target":5132},{"sys":5133},{"id":5134,"type":1631,"linkType":1632},"5caCcGCqMMPm5KlwUv0sbz",[5136],{"nodeType":1639,"value":5137,"marks":5138,"data":5139},"structural elements",[],{},{"nodeType":1639,"value":5141,"marks":5142,"data":5143}," of the DOM or on-page user interactions that are key to fingerprinting the behavior of AiTM phishing kits or ClickFix-style social engineering attacks. ",[],{},{"nodeType":1635,"data":5145,"content":5146},{},[5147,5151,5161,5165,5175],{"nodeType":1639,"value":5148,"marks":5149,"data":5150},"Similarly, ",[],{},{"nodeType":4809,"data":5152,"content":5156},{"target":5153},{"sys":5154},{"id":5155,"type":1631,"linkType":1632},"6YWYKGESlyUKQxvhKmBzeH",[5157],{"nodeType":1639,"value":5158,"marks":5159,"data":5160},"EDR tools",[],{},{"nodeType":1639,"value":5162,"marks":5163,"data":5164}," only see the bad thing when it hits the endpoint, and many ",[],{},{"nodeType":4809,"data":5166,"content":5170},{"target":5167},{"sys":5168},{"id":5169,"type":1631,"linkType":1632},"2k2aDK5dyQKlQBrk66pMXE",[5171],{"nodeType":1639,"value":5172,"marks":5173,"data":5174},"cloud security tools",[],{},{"nodeType":1639,"value":5176,"marks":5177,"data":5178}," rely on complex policy configurations across a core set of apps to provide security protection — leaving a gap in detection and response capabilities outside their purview.",[],{},{"nodeType":1626,"data":5180,"content":5184},{"target":5181},{"sys":5182},{"id":5183,"type":1631,"linkType":1632},"50NyBpr96dKspvTzJTBOlC",[],{"nodeType":1815,"data":5186,"content":5187},{},[5188],{"nodeType":1639,"value":5189,"marks":5190,"data":5191},"Provide just-in-time security enforcement",[],{},{"nodeType":1635,"data":5193,"content":5194},{},[5195,5199,5207],{"nodeType":1639,"value":5196,"marks":5197,"data":5198},"As some of our customers like to say, Push provides security teams with a ",[],{},{"nodeType":1644,"data":5200,"content":5202},{"uri":5201},"/customer-stories/upvest",[5203],{"nodeType":1639,"value":5204,"marks":5205,"data":5206},"“seat on the user’s side”",[],{},{"nodeType":1639,"value":5208,"marks":5209,"data":5210}," of the equation so you can enforce security best practices.",[],{},{"nodeType":1635,"data":5212,"content":5213},{},[5214],{"nodeType":1639,"value":5215,"marks":5216,"data":5217},"Having that seat on the user’s side also helps you deliver guidance in the right context for it to be followed: When the user is engaged in doing the behavior you want to influence (or prevent). The right information, at the right time, in the right format — not a belated reminder through a different channel that’s easy to ignore.",[],{},{"nodeType":1635,"data":5219,"content":5220},{},[5221],{"nodeType":1639,"value":5222,"marks":5223,"data":5224},"With those outcomes in mind, let’s look at some specific solutions from the Push platform.",[],{},{"nodeType":1697,"data":5226,"content":5227},{},[],{"nodeType":1701,"data":5229,"content":5230},{},[5231],{"nodeType":1639,"value":5232,"marks":5233,"data":5235},"How Push helps you protect users from browser-based ATO, ClickFix, and similar attacks",[5234],{"type":1708},{},{"nodeType":1635,"data":5237,"content":5238},{},[5239],{"nodeType":1639,"value":5240,"marks":5241,"data":5242},"The Push platform provides out-of-the-box detections for browser-based attacks, including:",[],{},{"nodeType":1726,"data":5244,"content":5245},{},[5246,5269,5292,5314],{"nodeType":1730,"data":5247,"content":5248},{},[5249],{"nodeType":1635,"data":5250,"content":5251},{},[5252,5255,5265],{"nodeType":1639,"value":29,"marks":5253,"data":5254},[],{},{"nodeType":4809,"data":5256,"content":5260},{"target":5257},{"sys":5258},{"id":5259,"type":1631,"linkType":1632},"7KRnTSnJAbbiho69gNyN0B",[5261],{"nodeType":1639,"value":5262,"marks":5263,"data":5264},"AiTM phishing kits",[],{},{"nodeType":1639,"value":5266,"marks":5267,"data":5268}," that can bypass MFA",[],{},{"nodeType":1730,"data":5270,"content":5271},{},[5272],{"nodeType":1635,"data":5273,"content":5274},{},[5275,5278,5288],{"nodeType":1639,"value":29,"marks":5276,"data":5277},[],{},{"nodeType":4809,"data":5279,"content":5283},{"target":5280},{"sys":5281},{"id":5282,"type":1631,"linkType":1632},"jN3GN5ddMJZiDtl0fgUVd",[5284],{"nodeType":1639,"value":5285,"marks":5286,"data":5287},"Cloned login pages",[],{},{"nodeType":1639,"value":5289,"marks":5290,"data":5291}," designed to steal user credentials",[],{},{"nodeType":1730,"data":5293,"content":5294},{},[5295],{"nodeType":1635,"data":5296,"content":5297},{},[5298,5301,5311],{"nodeType":1639,"value":29,"marks":5299,"data":5300},[],{},{"nodeType":4809,"data":5302,"content":5306},{"target":5303},{"sys":5304},{"id":5305,"type":1631,"linkType":1632},"5NyiWgjMDwk16XZ0S681JK",[5307],{"nodeType":1639,"value":5308,"marks":5309,"data":5310},"Malicious browser extensions",[],{},{"nodeType":1639,"value":29,"marks":5312,"data":5313},[],{},{"nodeType":1730,"data":5315,"content":5316},{},[5317],{"nodeType":1635,"data":5318,"content":5319},{},[5320,5323,5333],{"nodeType":1639,"value":29,"marks":5321,"data":5322},[],{},{"nodeType":4809,"data":5324,"content":5328},{"target":5325},{"sys":5326},{"id":5327,"type":1631,"linkType":1632},"7jygmadjoz0asAHv7e5PuK",[5329],{"nodeType":1639,"value":5330,"marks":5331,"data":5332},"Malicious copy and paste attacks",[],{},{"nodeType":1639,"value":5334,"marks":5335,"data":5336}," like ClickFix, FileFix, and similar",[],{},{"nodeType":1635,"data":5338,"content":5339},{},[5340],{"nodeType":1639,"value":5341,"marks":5342,"data":5343},"For each of these attack vectors, Push delivers detection events and associated metadata for quick triage by the security team, as well as employee-facing warn or block screens, based on your selected configuration.",[],{},{"nodeType":1635,"data":5345,"content":5346},{},[5347],{"nodeType":1639,"value":5348,"marks":5349,"data":5350},"Here’s a snapshot of the capabilities of these controls and what end-users will experience.",[],{},{"nodeType":1815,"data":5352,"content":5353},{},[5354],{"nodeType":1639,"value":5355,"marks":5356,"data":5358},"The scenario:",[5357],{"type":1708},{},{"nodeType":1635,"data":5360,"content":5361},{},[5362],{"nodeType":1639,"value":5363,"marks":5364,"data":5365},"When a user encounters a malicious page — whether that’s an AiTM phishing tool running on a webpage, or a ClickFix-style attack — or attempts to install a malicious extension, Push immediately steps in. ",[],{},{"nodeType":1635,"data":5367,"content":5368},{},[5369],{"nodeType":1639,"value":5370,"marks":5371,"data":5372},"Push can prevent users from entering their credentials on phishing pages, including cloned login pages, or from pasting malicious clipboard contents that can run malware on their device. Push can also prevent users from installing known-bad browser extensions. ",[],{},{"nodeType":1635,"data":5374,"content":5375},{},[5376],{"nodeType":1639,"value":5377,"marks":5378,"data":5379},"In each of these scenarios, Push admins get detailed detection information they can use to triage the incident.",[],{},{"nodeType":1626,"data":5381,"content":5385},{"target":5382},{"sys":5383},{"id":5384,"type":1631,"linkType":1632},"5jR3YVUiusHGnXDOyrgYpr",[],{"nodeType":1815,"data":5387,"content":5388},{},[5389],{"nodeType":1639,"value":5390,"marks":5391,"data":5393},"How it works:",[5392],{"type":1708},{},{"nodeType":1635,"data":5395,"content":5396},{},[5397],{"nodeType":1639,"value":5398,"marks":5399,"data":5400},"Rather than relying on known-bad intelligence like domains or URLs, Push performs a behavioral and structural analysis of malicious pages in real time.",[],{},{"nodeType":1635,"data":5402,"content":5403},{},[5404],{"nodeType":1639,"value":5405,"marks":5406,"data":5407},"That means a phishing page never has to appear in a threat intelligence feed in order to be detected and blocked.",[],{},{"nodeType":1635,"data":5409,"content":5410},{},[5411],{"nodeType":1639,"value":5412,"marks":5413,"data":5414},"Similarly, for malicious copy and paste attacks like ClickFix, Push analyzes the content copied to the clipboard but also evaluates the context of the page to reduce false positives. In blocking mode, Push’s control for ClickFix-style attacks replaces the malicious clipboard contents with safe text — preventing potential endpoint compromise before it can occur.",[],{},{"nodeType":1626,"data":5416,"content":5420},{"target":5417},{"sys":5418},{"id":5419,"type":1631,"linkType":1632},"3OkejjEjV9xflBc5ouOVFn",[],{"nodeType":1635,"data":5422,"content":5423},{},[5424],{"nodeType":1639,"value":5425,"marks":5426,"data":5427},"Finally, for identifying malicious browser extensions, Push takes a slightly different approach — combining both behavioral detections and curated intelligence of known-bad extensions from our own research and from trusted industry sources. We’ve found this combination provides the highest-fidelity way to identify malicious extensions without relying on approaches like analyzing extension permissions, which often isn’t actionable. ",[],{},{"nodeType":1815,"data":5429,"content":5430},{},[5431],{"nodeType":1639,"value":5432,"marks":5433,"data":5435},"Your security team gets:",[5434],{"type":1708},{},{"nodeType":1635,"data":5437,"content":5438},{},[5439,5443,5451],{"nodeType":1639,"value":5440,"marks":5441,"data":5442},"Readymade detection and alerting, combined with detailed telemetry. Detections and their associated metadata can be consumed via ",[],{},{"nodeType":1644,"data":5444,"content":5446},{"uri":5445},"/help/audience/administrators/docs/getting-started/#api-and-webhooks",[5447],{"nodeType":1639,"value":5448,"marks":5449,"data":5450},"Push’s REST API and webhooks",[],{},{"nodeType":1639,"value":5452,"marks":5453,"data":5454},". ",[],{},{"nodeType":1815,"data":5456,"content":5457},{},[5458],{"nodeType":1639,"value":5459,"marks":5460,"data":5462},"Your end-users see:",[5461],{"type":1708},{},{"nodeType":1635,"data":5464,"content":5465},{},[5466],{"nodeType":1639,"value":5467,"marks":5468,"data":5469},"An immediate block screen in your company colors and brand style, providing a highly memorable, contextual moment of learning — and reassuring them that an incident has been prevented.",[],{},{"nodeType":1626,"data":5471,"content":5475},{"target":5472},{"sys":5473},{"id":5474,"type":1631,"linkType":1632},"4QfjDDfKjohKr1qqDLRT0m",[],{"nodeType":1697,"data":5477,"content":5478},{},[],{"nodeType":1701,"data":5480,"content":5481},{},[5482],{"nodeType":1639,"value":5483,"marks":5484,"data":5486},"How Push helps you remediate account vulnerabilities at scale",[5485],{"type":1708},{},{"nodeType":1635,"data":5488,"content":5489},{},[5490],{"nodeType":1639,"value":5491,"marks":5492,"data":5493},"Just-in-time security enforcement works best when it’s trustworthy and contextual — without making a lot more work for your team. Push also provides readymade controls for remediating common account vulnerabilities that contribute to your attack surface online, helping you harden existing accounts and reduce behaviors that introduce new risks.",[],{},{"nodeType":1635,"data":5495,"content":5496},{},[5497],{"nodeType":1639,"value":5498,"marks":5499,"data":5500},"With Push, you can:",[],{},{"nodeType":1726,"data":5502,"content":5503},{},[5504,5527,5565,5589],{"nodeType":1730,"data":5505,"content":5506},{},[5507],{"nodeType":1635,"data":5508,"content":5509},{},[5510,5513,5523],{"nodeType":1639,"value":29,"marks":5511,"data":5512},[],{},{"nodeType":4809,"data":5514,"content":5518},{"target":5515},{"sys":5516},{"id":5517,"type":1631,"linkType":1632},"6FYHbkcRUrtznPo7RarRsz",[5519],{"nodeType":1639,"value":5520,"marks":5521,"data":5522},"Prevent the phishing or reuse of high-value passwords",[],{},{"nodeType":1639,"value":5524,"marks":5525,"data":5526},", like your IdP, AWS, or code repository passwords.",[],{},{"nodeType":1730,"data":5528,"content":5529},{},[5530],{"nodeType":1635,"data":5531,"content":5532},{},[5533,5537,5547,5551,5561],{"nodeType":1639,"value":5534,"marks":5535,"data":5536},"Remediate ",[],{},{"nodeType":4809,"data":5538,"content":5542},{"target":5539},{"sys":5540},{"id":5541,"type":1631,"linkType":1632},"2WAc5HflKonFN7Jc53ROgj",[5543],{"nodeType":1639,"value":5544,"marks":5545,"data":5546},"missing MFA",[],{},{"nodeType":1639,"value":5548,"marks":5549,"data":5550}," or ",[],{},{"nodeType":4809,"data":5552,"content":5556},{"target":5553},{"sys":5554},{"id":5555,"type":1631,"linkType":1632},"2dAP36chda6ZDGKzw0Itfs",[5557],{"nodeType":1639,"value":5558,"marks":5559,"data":5560},"insecure passwords",[],{},{"nodeType":1639,"value":5562,"marks":5563,"data":5564}," on any work app, even those not managed by your SSO solution.",[],{},{"nodeType":1730,"data":5566,"content":5567},{},[5568],{"nodeType":1635,"data":5569,"content":5570},{},[5571,5575,5585],{"nodeType":1639,"value":5572,"marks":5573,"data":5574},"Use ",[],{},{"nodeType":4809,"data":5576,"content":5580},{"target":5577},{"sys":5578},{"id":5579,"type":1631,"linkType":1632},"2ZpKnuljaUH0jzVaae4SMN",[5581],{"nodeType":1639,"value":5582,"marks":5583,"data":5584},"in-browser banners",[],{},{"nodeType":1639,"value":5586,"marks":5587,"data":5588}," to add guardrails to app usage, including blocking unapproved SaaS or collecting a business reason to access an app before approving it.",[],{},{"nodeType":1730,"data":5590,"content":5591},{},[5592],{"nodeType":1635,"data":5593,"content":5594},{},[5595,5598,5608],{"nodeType":1639,"value":29,"marks":5596,"data":5597},[],{},{"nodeType":4809,"data":5599,"content":5603},{"target":5600},{"sys":5601},{"id":5602,"type":1631,"linkType":1632},"3ibVBa6u0XfcXXDVtON5th",[5604],{"nodeType":1639,"value":5605,"marks":5606,"data":5607},"Block unwanted or unapproved browser extensions",[],{},{"nodeType":1639,"value":5609,"marks":5610,"data":5611}," from being installed, or disable them if they’ve been installed previously.",[],{},{"nodeType":1635,"data":5613,"content":5614},{},[5615],{"nodeType":1639,"value":5348,"marks":5616,"data":5617},[],{},{"nodeType":1815,"data":5619,"content":5620},{},[5621],{"nodeType":1639,"value":5355,"marks":5622,"data":5624},[5623],{"type":1708},{},{"nodeType":1635,"data":5626,"content":5627},{},[5628],{"nodeType":1639,"value":5629,"marks":5630,"data":5631},"Push uses in-browser controls to intervene when a user is missing MFA; reusing a high-value password; using an insecure password; attempting to log in to an unapproved app; or attempting to install a blocked extension. ",[],{},{"nodeType":1635,"data":5633,"content":5634},{},[5635],{"nodeType":1639,"value":5636,"marks":5637,"data":5638},"Push can block users from reusing passwords set as “protected” (meaning they can’t be reused on any other page or app) or from using unapproved apps or extensions. Push can guide users to update their password or register for MFA on accounts where they lack it. Push can also provide any other specific security or policy guidance to employees via banners that appear on apps in your environment, including GenAI apps. ",[],{},{"nodeType":1635,"data":5640,"content":5641},{},[5642],{"nodeType":1639,"value":5643,"marks":5644,"data":5645},"For all of these scenarios, you can tune Push controls to your preferred mode (informing vs. blocking, for example) and select which employees, employee groups, and apps or accounts to focus on.",[],{},{"nodeType":1635,"data":5647,"content":5648},{},[5649],{"nodeType":1639,"value":5650,"marks":5651,"data":5652},"You can also customize the message that employees see, to match your organizational culture and policies.",[],{},{"nodeType":1815,"data":5654,"content":5655},{},[5656],{"nodeType":1639,"value":5657,"marks":5658,"data":5660},"How it works: ",[5659],{"type":1708},{},{"nodeType":1635,"data":5662,"content":5663},{},[5664],{"nodeType":1639,"value":5665,"marks":5666,"data":5667},"The Push browser agent observes real-time user behavior and securely analyzes users’ account vulnerabilities in order to identify risks and execute your preconfigured controls. ",[],{},{"nodeType":1635,"data":5669,"content":5670},{},[5671],{"nodeType":1639,"value":5672,"marks":5673,"data":5674},"To identify MFA status, Push uses the app’s own API to query the logged-in user’s registered MFA methods. To analyze password security, Push creates a salted, truncated hash that is stored locally in the user’s browser and then used for comparison to find reused passwords, leaked passwords, and shared passwords. ",[],{},{"nodeType":1635,"data":5676,"content":5677},{},[5678,5682,5687,5691,5696],{"nodeType":1639,"value":5679,"marks":5680,"data":5681},"Using the ",[],{},{"nodeType":1639,"value":5683,"marks":5684,"data":5686},"MFA enforcement",[5685],{"type":1708},{},{"nodeType":1639,"value":5688,"marks":5689,"data":5690}," and ",[],{},{"nodeType":1639,"value":5692,"marks":5693,"data":5695},"Strong password enforcement",[5694],{"type":1708},{},{"nodeType":1639,"value":5697,"marks":5698,"data":5699}," controls, you can then automatically display a banner to users with those account vulnerabilities, guiding them to fix the issue.",[],{},{"nodeType":1626,"data":5701,"content":5705},{"target":5702},{"sys":5703},{"id":5704,"type":1631,"linkType":1632},"7Ka4CumZk9it6GsdlNHREA",[],{"nodeType":1635,"data":5707,"content":5708},{},[5709,5713,5718],{"nodeType":1639,"value":5710,"marks":5711,"data":5712},"Using Push’s ",[],{},{"nodeType":1639,"value":5714,"marks":5715,"data":5717},"Password protection",[5716],{"type":1708},{},{"nodeType":1639,"value":5719,"marks":5720,"data":5721}," control, you can select apps where you want to essentially “pin” the high-value password to only that app and prevent its reuse (or phishing) on any other domain. ",[],{},{"nodeType":1635,"data":5723,"content":5724},{},[5725,5728,5733],{"nodeType":1639,"value":5710,"marks":5726,"data":5727},[],{},{"nodeType":1639,"value":5729,"marks":5730,"data":5732},"Browser extension blocking",[5731],{"type":1708},{},{"nodeType":1639,"value":5734,"marks":5735,"data":5736}," control, you can create a blocklist or allowlist of extensions and prevent users from installing or enabling blocked extensions.",[],{},{"nodeType":1635,"data":5738,"content":5739},{},[5740,5744,5749],{"nodeType":1639,"value":5741,"marks":5742,"data":5743},"Finally, using Push’s ",[],{},{"nodeType":1639,"value":5745,"marks":5746,"data":5748},"App banners",[5747],{"type":1708},{},{"nodeType":1639,"value":5750,"marks":5751,"data":5752}," feature, you can add custom messages in a range of modes — from informing to blocking — to apps in use across your business, or even specific URL patterns.",[],{},{"nodeType":1626,"data":5754,"content":5758},{"target":5755},{"sys":5756},{"id":5757,"type":1631,"linkType":1632},"5Mq4PEzEhW8p1qLvS9aZMm",[],{"nodeType":1815,"data":5760,"content":5761},{},[5762],{"nodeType":1639,"value":5763,"marks":5764,"data":5766},"Your security team gets: ",[5765],{"type":1708},{},{"nodeType":1635,"data":5768,"content":5769},{},[5770],{"nodeType":1639,"value":5771,"marks":5772,"data":5773},"A flexible and highly configurable set of controls to solve account vulnerabilities at scale and to enforce your security controls around browser extensions and app usage.",[],{},{"nodeType":1815,"data":5775,"content":5776},{},[5777],{"nodeType":1639,"value":5778,"marks":5779,"data":5781},"Your end-users see: ",[5780],{"type":1708},{},{"nodeType":1635,"data":5783,"content":5784},{},[5785],{"nodeType":1639,"value":5786,"marks":5787,"data":5788},"Contextual, actionable guidance in the midst of their actual workflow, helping them fix the issue or guiding them to safety.",[],{},{"nodeType":1697,"data":5790,"content":5791},{},[],{"nodeType":1701,"data":5793,"content":5794},{},[5795],{"nodeType":1639,"value":5796,"marks":5797,"data":5799},"Implementation tips",[5798],{"type":1708},{},{"nodeType":1635,"data":5801,"content":5802},{},[5803],{"nodeType":1639,"value":5804,"marks":5805,"data":5806},"Push allows you to set the scope and mode of each control, making it simple to roll out. ",[],{},{"nodeType":1635,"data":5808,"content":5809},{},[5810,5814,5819,5823,5827,5831,5836],{"nodeType":1639,"value":5811,"marks":5812,"data":5813},"We recommend starting in ",[],{},{"nodeType":1639,"value":5815,"marks":5816,"data":5818},"Monitor",[5817],{"type":1708},{},{"nodeType":1639,"value":5820,"marks":5821,"data":5822}," mode for controls that intervene in end-user activities. That way, you can perform testing with sample malicious sites or scenarios like reused protected passwords, tune out any benign true positives, and develop the messaging you want to use on warn or block pages. (For controls without an explicit monitor mode, like ",[],{},{"nodeType":1639,"value":5692,"marks":5824,"data":5826},[5825],{"type":1708},{},{"nodeType":1639,"value":5828,"marks":5829,"data":5830},", you can still monitor for related events on the ",[],{},{"nodeType":1639,"value":5832,"marks":5833,"data":5835},"Events",[5834],{"type":1708},{},{"nodeType":1639,"value":5837,"marks":5838,"data":5839}," page, such as account security findings, or by consuming webhooks into a downstream tool.)",[],{},{"nodeType":1626,"data":5841,"content":5845},{"target":5842},{"sys":5843},{"id":5844,"type":1631,"linkType":1632},"7vk8DHv01cM1o2C0ZpAvZu",[],{"nodeType":1635,"data":5847,"content":5848},{},[5849,5853,5858,5861,5866],{"nodeType":1639,"value":5850,"marks":5851,"data":5852},"When you’re ready, set the mode to ",[],{},{"nodeType":1639,"value":5854,"marks":5855,"data":5857},"Warn",[5856],{"type":1708},{},{"nodeType":1639,"value":5548,"marks":5859,"data":5860},[],{},{"nodeType":1639,"value":5862,"marks":5863,"data":5865},"Block",[5864],{"type":1708},{},{"nodeType":1639,"value":5867,"marks":5868,"data":5869}," and use the scope options to perform a phased rollout to your user population by adding additional user groups to the control until you have complete coverage of your population.",[],{},{"nodeType":1635,"data":5871,"content":5872},{},[5873],{"nodeType":1639,"value":5874,"marks":5875,"data":5876},"By consuming webhook events into your SIEM, you can integrate Push alerts into your existing security workflows, monitoring for new detections or tracking when account vulnerabilities are resolved.",[],{},{"nodeType":1697,"data":5878,"content":5879},{},[],{"nodeType":1701,"data":5881,"content":5882},{},[5883],{"nodeType":1639,"value":5884,"marks":5885,"data":5887},"Enhancing user trust with custom branding",[5886],{"type":1708},{},{"nodeType":1635,"data":5889,"content":5890},{},[5891],{"nodeType":1639,"value":5892,"marks":5893,"data":5894},"We recently released the option to customize the look and feel of all employee-facing banners and block pages. ",[],{},{"nodeType":1635,"data":5896,"content":5897},{},[5898,5902,5907],{"nodeType":1639,"value":5899,"marks":5900,"data":5901},"From the ",[],{},{"nodeType":1639,"value":5903,"marks":5904,"data":5906},"Settings",[5905],{"type":1708},{},{"nodeType":1639,"value":5908,"marks":5909,"data":5910}," page in the Push admin console, you can upload your logo, add accent colors, and choose from light or dark backgrounds.",[],{},{"nodeType":1626,"data":5912,"content":5916},{"target":5913},{"sys":5914},{"id":5915,"type":1631,"linkType":1632},"51lk1VRP20G7H4PAoRZANI",[],{"nodeType":1635,"data":5918,"content":5919},{},[5920],{"nodeType":1639,"value":5921,"marks":5922,"data":5923},"Custom branding increases the trustworthiness of these in-the-moment security guardrails so that users recognize them immediately and act on their guidance.",[],{},{"nodeType":1635,"data":5925,"content":5926},{},[5927],{"nodeType":1639,"value":5928,"marks":5929,"data":5930},"The result: Better compliance and lower friction for you and your employees.",[],{},{"nodeType":1697,"data":5932,"content":5933},{},[],{"nodeType":1701,"data":5935,"content":5936},{},[5937],{"nodeType":1639,"value":5938,"marks":5939,"data":5941},"Learn more about Push",[5940],{"type":1708},{},{"nodeType":1635,"data":5943,"content":5944},{},[5945,5949,5956],{"nodeType":1639,"value":5946,"marks":5947,"data":5948},"Push Security’s browser-based security platform stops browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking — ",[],{},{"nodeType":1644,"data":5950,"content":5951},{"uri":165},[5952],{"nodeType":1639,"value":5953,"marks":5954,"data":5955},"modern attack techniques",[],{},{"nodeType":1639,"value":5957,"marks":5958,"data":5959}," that are the leading cause of breaches today.",[],{},{"nodeType":1635,"data":5961,"content":5962},{},[5963],{"nodeType":1639,"value":5964,"marks":5965,"data":5966},"You don’t need to wait until it all goes wrong either. You can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":1635,"data":5968,"content":5969},{},[5970,5974,5982,5986,5994,5998,6006],{"nodeType":1639,"value":5971,"marks":5972,"data":5973},"Want to learn more about Push? Check out our latest ",[],{},{"nodeType":1644,"data":5975,"content":5977},{"uri":5976},"/resources/product-brochure",[5978],{"nodeType":1639,"value":5979,"marks":5980,"data":5981},"product overview",[],{},{"nodeType":1639,"value":5983,"marks":5984,"data":5985},", visit our ",[],{},{"nodeType":1644,"data":5987,"content":5989},{"uri":5988},"/product-demo/",[5990],{"nodeType":1639,"value":5991,"marks":5992,"data":5993},"demo library",[],{},{"nodeType":1639,"value":5995,"marks":5996,"data":5997},", or book some time with one of our team for a ",[],{},{"nodeType":1644,"data":5999,"content":6001},{"uri":6000},"/demo",[6002],{"nodeType":1639,"value":6003,"marks":6004,"data":6005},"live demo",[],{},{"nodeType":1639,"value":2291,"marks":6007,"data":6008},[],{},"Guide: How to use Push controls to protect your users from modern browser threats","How to use in-browser controls to stop browser-based attacks before compromise can occur","2026-04-08T00:00:00.000Z","guide-how-to-use-push-controls-to-protect-your-users-from-modern-attacks",{"items":6014},[6015,6017],{"sys":6016,"name":3379},{"id":3378},{"sys":6018,"name":3383},{"id":3382},{"items":6020},[6021],{"fullName":6022,"firstName":6023,"jobTitle":6024,"profilePicture":6025},"Kelly Davenport","Kelly","Product Team",{"url":6026},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg","why-browser-extension-risk-scoring-wont-predict-your-next-breach","blog/why-browser-extension-risk-scoring-wont-predict-your-next-breach",{"json":6030},{"data":6031,"content":6032,"nodeType":1622},{},[6033],{"data":6034,"content":6035,"nodeType":1635},{},[6036],{"data":6037,"marks":6038,"value":6039,"nodeType":1639},{},[],"Why typical browser extension risk scores are poor predictors of which extensions could actually lead to a compromise.","Why typical browser extension risk scores are poor predictors of which extensions will actually lead to a compromise.",{"id":6042,"publishedAt":6043},"6X3wP0WhtDk2l1jKH2fPIb","2026-04-30T08:35:08.573Z",{"items":6045},[6046,6048],{"sys":6047,"name":3383},{"id":3382},{"sys":6049,"name":3379},{"id":3378},"5dPl3XIDwYJszTfgK3zRrfFLX9OTDOiIYaECJY1szCA",{"id":6052,"title":6053,"authorsCollection":6054,"content":6058,"extension":2606,"hashTags":61,"meta":6836,"metaTitle":6837,"ogImage":61,"publishedDate":3372,"relatedBlogPostsCollection":6838,"slug":11269,"stem":11270,"subtitle":61,"summary":11271,"synopsis":11281,"sys":11288,"tagsCollection":11291,"__hash__":11297},"blog/blog/consentfix-v3-analyzing-a-new-toolkit.json","ConsentFix v3: Analyzing a new criminal toolkit",{"items":6055},[6056],{"fullName":1615,"firstName":1616,"jobTitle":1617,"profilePicture":6057},{"url":1619},{"json":6059,"links":6625},{"nodeType":1622,"data":6060,"content":6061},{},[6062,6080,6087,6093,6100,6106,6126,6132,6138,6141,6149,6169,6175,6181,6187,6204,6211,6219,6226,6233,6240,6243,6251,6269,6292,6297,6303,6310,6317,6324,6327,6335,6354,6387,6394,6400,6403,6411,6418,6421,6429,6436,6444,6464,6484,6491,6497,6505,6512,6519,6522,6529,6536,6542,6562,6568,6575,6582,6589],{"nodeType":1635,"data":6063,"content":6064},{},[6065,6069,6076],{"nodeType":1639,"value":6066,"marks":6067,"data":6068},"In December 2025, we uncovered a state-sponsored campaign linked to Russian state-affiliated APT29 that used a new technique we called ",[],{},{"nodeType":1644,"data":6070,"content":6071},{"uri":4965},[6072],{"nodeType":1639,"value":4968,"marks":6073,"data":6075},[6074],{"type":1652},{},{"nodeType":1639,"value":6077,"marks":6078,"data":6079},". This technique merged ClickFix-style social engineering with OAuth consent phishing to hijack Microsoft accounts. Effectively, ConsentFix is a browser-native attack that results in account takeover, without the downside of needing to touch the endpoint like typical ClickFix (really, the point that it's most likely to be detected and blocked). ",[],{},{"nodeType":1635,"data":6081,"content":6082},{},[6083],{"nodeType":1639,"value":6084,"marks":6085,"data":6086},"The quick 101 is that victims are tricked into copy-and-pasting a legitimate Microsoft URL into the phishing page. This URL contains an OAuth authorization code that the attacker uses to sign in to a first-party Microsoft application like Azure CLI — specifically targeting apps with known Conditional Access exclusions. ",[],{},{"nodeType":1626,"data":6088,"content":6092},{"target":6089},{"sys":6090},{"id":6091,"type":1631,"linkType":1632},"7s4kF5CUFUmdkhpzuwNalX",[],{"nodeType":1635,"data":6094,"content":6095},{},[6096],{"nodeType":1639,"value":6097,"marks":6098,"data":6099},"At the end of the attack chain, the attacker is effectively granted API access to the victim's Entra account, while sidestepping MFA (even passkeys), device compliance checks, and in some cases conditional access controls (depending on the application ID targeted by the attacker). ",[],{},{"nodeType":1626,"data":6101,"content":6105},{"target":6102},{"sys":6103},{"id":6104,"type":1631,"linkType":1632},"IMtJXMWeaIbRsWxuQ1CaS",[],{"nodeType":1635,"data":6107,"content":6108},{},[6109,6113,6122],{"nodeType":1639,"value":6110,"marks":6111,"data":6112},"It didn’t take long for security researchers to jump on this new technique. Lots of contributors rallied round the security recommendations (which we covered in a ",[],{},{"nodeType":1644,"data":6114,"content":6116},{"uri":6115},"https://pushsecurity.com/blog/consentfix-debrief/",[6117],{"nodeType":1639,"value":6118,"marks":6119,"data":6121},"follow-up blog post",[6120],{"type":1652},{},{"nodeType":1639,"value":6123,"marks":6124,"data":6125},") but the most notable contribution came from John Hammond, who took the attacker’s implementation and said “I can do better”. His v2 replaced a somewhat clunky implementation with a slick drag-and-drop function. But now, attackers have taken it one step further.",[],{},{"nodeType":1626,"data":6127,"content":6131},{"target":6128},{"sys":6129},{"id":6130,"type":1631,"linkType":1632},"59tfJDRhGThKD48Wjg7uY2",[],{"nodeType":1626,"data":6133,"content":6137},{"target":6134},{"sys":6135},{"id":6136,"type":1631,"linkType":1632},"6mEpyVD6f13ZttFmaBcxNm",[],{"nodeType":1697,"data":6139,"content":6140},{},[],{"nodeType":1701,"data":6142,"content":6143},{},[6144],{"nodeType":1639,"value":6145,"marks":6146,"data":6148},"Introducing: ConsentFix v3",[6147],{"type":1708},{},{"nodeType":1635,"data":6150,"content":6151},{},[6152,6156,6165],{"nodeType":1639,"value":6153,"marks":6154,"data":6155},"The latest development is that a member of the XSS criminal forum, a site strongly suspected to have ",[],{},{"nodeType":1644,"data":6157,"content":6159},{"uri":6158},"https://flare.io/learn/resources/blog/state-of-the-dark-web-2026",[6160],{"nodeType":1639,"value":6161,"marks":6162,"data":6164},"Russian state involvement",[6163],{"type":1652},{},{"nodeType":1639,"value":6166,"marks":6167,"data":6168},", has released a new tool “ConsentFix v3”, building on the v1 we saw in the wild, and John’s v2. ",[],{},{"nodeType":1626,"data":6170,"content":6174},{"target":6171},{"sys":6172},{"id":6173,"type":1631,"linkType":1632},"4AW0UnBlIaXbIFZjy8ObY1",[],{"nodeType":1626,"data":6176,"content":6180},{"target":6177},{"sys":6178},{"id":6179,"type":1631,"linkType":1632},"1b36XjqBpPx7wteBu6OA6h",[],{"nodeType":1626,"data":6182,"content":6186},{"target":6183},{"sys":6184},{"id":6185,"type":1631,"linkType":1632},"4kbiWA3b096BAFGQuozPaK",[],{"nodeType":1635,"data":6188,"content":6189},{},[6190,6194,6200],{"nodeType":1639,"value":6191,"marks":6192,"data":6193},"It looks like broader cybercriminals are starting to take note of ConsentFix, and with the release of public tools like this one, it could be about to go mainstream — like ",[],{},{"nodeType":1644,"data":6195,"content":6196},{"uri":4920},[6197],{"nodeType":1639,"value":4923,"marks":6198,"data":6199},[],{},{"nodeType":1639,"value":6201,"marks":6202,"data":6203}," has this year. ",[],{},{"nodeType":1635,"data":6205,"content":6206},{},[6207],{"nodeType":1639,"value":6208,"marks":6209,"data":6210},"Let’s take a closer look at some of the more interesting details of the ConsentFix v3 implementation before considering the bigger picture.  ",[],{},{"nodeType":1815,"data":6212,"content":6213},{},[6214],{"nodeType":1639,"value":6215,"marks":6216,"data":6218},"ConsentFix v3 under the hood",[6217],{"type":1708},{},{"nodeType":1635,"data":6220,"content":6221},{},[6222],{"nodeType":1639,"value":6223,"marks":6224,"data":6225},"The first thing that jumps out is just how detailed this forum post is. It reads like a security vendor blog post. It walks through the key technical concepts that the reader needs to know, breaking down OAuth grants, consent phishing, refresh tokens, and FOCI (or 'Family of Client IDs' — basically, the feature that allows attackers to use a refresh token obtained for one Microsoft app to be exchanged for access tokens to other FOCI apps without re-authentication). It then walks through the history of ClickFix and ConsentFix before providing step-by-step guidance for users. ",[],{},{"nodeType":1635,"data":6227,"content":6228},{},[6229],{"nodeType":1639,"value":6230,"marks":6231,"data":6232},"ConsentFix v3 allows users to instrument the entire attack chain, enabling users to spin up ConsentFix infrastructure, create believable personas with which to interact with victims, craft and manage email campaigns, and automate the process of exchanging the captured OAuth token for session and refresh tokens to establish access to the compromised account. ",[],{},{"nodeType":1635,"data":6234,"content":6235},{},[6236],{"nodeType":1639,"value":6237,"marks":6238,"data":6239},"A combination of SaaS and open-source tools are used to perform the attack, including Cloudflare Workers for hosting, ZoomInfo for target identification, Dropbox for PDF hosting, and Pipedream as an exfiltration channel (effectively creating a webhook to automatically exchange the OAuth material in the URL for a refresh token). They also use hacker tools like SpecterPortal for post exploitation activity.",[],{},{"nodeType":1697,"data":6241,"content":6242},{},[],{"nodeType":1701,"data":6244,"content":6245},{},[6246],{"nodeType":1639,"value":6247,"marks":6248,"data":6250},"Why attackers are turning to OAuth-based attacks",[6249],{"type":1708},{},{"nodeType":1635,"data":6252,"content":6253},{},[6254,6258,6265],{"nodeType":1639,"value":6255,"marks":6256,"data":6257},"Attackers are increasingly turning to OAuth based techniques in 2026. Not only are “legit” OAuth connections being abused in supply chain attacks, but attacks targeting OAuth mechanisms have significantly increased with the rise of ",[],{},{"nodeType":1644,"data":6259,"content":6260},{"uri":4920},[6261],{"nodeType":1639,"value":4923,"marks":6262,"data":6264},[6263],{"type":1652},{},{"nodeType":1639,"value":6266,"marks":6267,"data":6268},". This is because:",[],{},{"nodeType":1726,"data":6270,"content":6271},{},[6272,6282],{"nodeType":1730,"data":6273,"content":6274},{},[6275],{"nodeType":1635,"data":6276,"content":6277},{},[6278],{"nodeType":1639,"value":6279,"marks":6280,"data":6281},"OAuth attacks defeat standard access controls (including passkeys)",[],{},{"nodeType":1730,"data":6283,"content":6284},{},[6285],{"nodeType":1635,"data":6286,"content":6287},{},[6288],{"nodeType":1639,"value":6289,"marks":6290,"data":6291},"It’s very low friction, and less likely that users will identify it as phishing (see examples below)",[],{},{"nodeType":1626,"data":6293,"content":6296},{"target":6294},{"sys":6295},{"id":6130,"type":1631,"linkType":1632},[],{"nodeType":1626,"data":6298,"content":6302},{"target":6299},{"sys":6300},{"id":6301,"type":1631,"linkType":1632},"2WPb41lNRajdpt5pogQg8M",[],{"nodeType":1635,"data":6304,"content":6305},{},[6306],{"nodeType":1639,"value":6307,"marks":6308,"data":6309},"From the user’s perspective, these aren’t situations that users are trained to treat as suspicious. In one case, the victim copies a URL (or simply drag-and-drops a box on the page). In another, they enter a short passcode that’s visible on the page. ",[],{},{"nodeType":1635,"data":6311,"content":6312},{},[6313],{"nodeType":1639,"value":6314,"marks":6315,"data":6316},"Both are using pop-up windows that look very convincing — and point to legitimate Microsoft pages/URLs. Even users scrutinizing the domain won’t see anything out of place. And as you can see, if the user is already signed into their Microsoft account in the browser, there’s no credential entry or MFA checks to pass through. Simply select your account from the drop down menu and … that’s it.",[],{},{"nodeType":1635,"data":6318,"content":6319},{},[6320],{"nodeType":1639,"value":6321,"marks":6322,"data":6323},"This unfamiliarity is the same reason that attacks like ClickFix have been so successful. In general, convincing social engineering — well crafted comms, legit-looking pages hosted on trusted sites — combined with unfamiliar payloads makes for a clever attack. And when these attacks play out entirely in the browser (circumventing endpoint controls) and sidestep identity controls, the impact is dialled up even further. ",[],{},{"nodeType":1697,"data":6325,"content":6326},{},[],{"nodeType":1701,"data":6328,"content":6329},{},[6330],{"nodeType":1639,"value":6331,"marks":6332,"data":6334},"How ConsentFix and device code phishing overlap",[6333],{"type":1708},{},{"nodeType":1635,"data":6336,"content":6337},{},[6338,6342,6350],{"nodeType":1639,"value":6339,"marks":6340,"data":6341},"It was only ever going to be a matter of time before ConsentFix was adopted by the mass market. But these things don’t always happen particularly fast. ",[],{},{"nodeType":1644,"data":6343,"content":6344},{"uri":4920},[6345],{"nodeType":1639,"value":6346,"marks":6347,"data":6349},"Device code phishing",[6348],{"type":1652},{},{"nodeType":1639,"value":6351,"marks":6352,"data":6353}," is probably the best example of this — it’s been a known technique since 2021, but it took until this year to enter mainstream adoption. A big part of that has been the availability of criminal toolkits, and also the rise in AI-assisted capabilities for tool creation (clearly at play here too). The similarity with device code phishing doesn’t end there. ",[],{},{"nodeType":1635,"data":6355,"content":6356},{},[6357,6361,6370,6374,6383],{"nodeType":1639,"value":6358,"marks":6359,"data":6360},"Both ConsentFix and device code phishing are OAuth attacks. They both find ways of bypassing the standard login procedure (and controls) by targeting different authorization flows, but with a similar outcome and the same advantages to an attacker. Device code phishing exploits the device authorization grant (",[],{},{"nodeType":1644,"data":6362,"content":6364},{"uri":6363},"https://datatracker.ietf.org/doc/html/rfc8628",[6365],{"nodeType":1639,"value":6366,"marks":6367,"data":6369},"RFC 8628",[6368],{"type":1652},{},{"nodeType":1639,"value":6371,"marks":6372,"data":6373},"). ConsentFix exploits the authorization code grant (",[],{},{"nodeType":1644,"data":6375,"content":6377},{"uri":6376},"https://datatracker.ietf.org/doc/html/rfc6749#section-4.1",[6378],{"nodeType":1639,"value":6379,"marks":6380,"data":6382},"RFC 6749",[6381],{"type":1652},{},{"nodeType":1639,"value":6384,"marks":6385,"data":6386},") as implemented for native/desktop apps with localhost redirects. ",[],{},{"nodeType":1635,"data":6388,"content":6389},{},[6390],{"nodeType":1639,"value":6391,"marks":6392,"data":6393},"The post-compromise paths are essentially identical because the tokens you get are determined by which app you target, what scopes it has, and the victim user’s permissions, not by which OAuth flow you used to obtain them. The authorization code flow and the device code flow are just different front doors into the same token issuance system.",[],{},{"nodeType":1626,"data":6395,"content":6399},{"target":6396},{"sys":6397},{"id":6398,"type":1631,"linkType":1632},"7np3j139dWMP7sLlUQwEFC",[],{"nodeType":1697,"data":6401,"content":6402},{},[],{"nodeType":1701,"data":6404,"content":6405},{},[6406],{"nodeType":1639,"value":6407,"marks":6408,"data":6410},"The verdict: An interesting sign of what’s coming, but maybe not the final form",[6409],{"type":1708},{},{"nodeType":1635,"data":6412,"content":6413},{},[6414],{"nodeType":1639,"value":6415,"marks":6416,"data":6417},"It’s clear that ConsentFix v3 isn’t exactly an industrialized PhaaS-scale offering. It’s probably closer to a red team-esque proof of concept. But it is a good example of how attackers could operationalize ConsentFix campaigns using largely off-the-shelf tooling and legit SaaS tools. And an indicator of what might be coming soon. ",[],{},{"nodeType":1697,"data":6419,"content":6420},{},[],{"nodeType":1701,"data":6422,"content":6423},{},[6424],{"nodeType":1639,"value":6425,"marks":6426,"data":6428},"Security recommendations",[6427],{"type":1708},{},{"nodeType":1635,"data":6430,"content":6431},{},[6432],{"nodeType":1639,"value":6433,"marks":6434,"data":6435},"To be able to tackle modern attacks like ConsentFix that occur entirely within the browser context, it is vital that organizations look to monitor the browser as a detection surface, hunt for signs of malicious activity, and block attacks in real-time — in the same way that you would expect EDR to work for endpoint attacks. We’ll talk about how we do this below, but first here’s some general recommendations. ",[],{},{"nodeType":1815,"data":6437,"content":6438},{},[6439],{"nodeType":1639,"value":6440,"marks":6441,"data":6443},"Microsoft ecosystem",[6442],{"type":1708},{},{"nodeType":1635,"data":6445,"content":6446},{},[6447,6451,6460],{"nodeType":1639,"value":6448,"marks":6449,"data":6450},"Despite the similarity with device code phishing, the ",[],{},{"nodeType":1644,"data":6452,"content":6454},{"uri":6453},"https://techcommunity.microsoft.com/blog/microsoft-entra-blog/new-microsoft-managed-policies-to-raise-your-identity-security-posture/4286758",[6455],{"nodeType":1639,"value":6456,"marks":6457,"data":6459},"primary recommendation from Microsoft for device code attacks",[6458],{"type":1652},{},{"nodeType":1639,"value":6461,"marks":6462,"data":6463}," — disable the device code flow via conditional access — doesn’t apply to ConsentFix (because, as mentioned, it uses a different login flow).",[],{},{"nodeType":1635,"data":6465,"content":6466},{},[6467,6471,6480],{"nodeType":1639,"value":6468,"marks":6469,"data":6470},"For both ConsentFix and device code phishing, the ",[],{},{"nodeType":1644,"data":6472,"content":6474},{"uri":6473},"https://msendpointmgr.com/2026/01/08/consentfix-quickfix/",[6475],{"nodeType":1639,"value":6476,"marks":6477,"data":6479},"strongest recommendation",[6478],{"type":1652},{},{"nodeType":1639,"value":6481,"marks":6482,"data":6483}," is to create Service Principals for each of the vulnerable apps and restrict the users that are authorized to access them to reduce the attack surface of users that can be phished with this method.",[],{},{"nodeType":1635,"data":6485,"content":6486},{},[6487],{"nodeType":1639,"value":6488,"marks":6489,"data":6490},"You should also hunt in logs for relevant application IDs and resource IDs, and look for mismatches in terms of the initial access IP and subsequent activity, because while the initial login is performed by the user, subsequent actions will be performed by the attacker.  ",[],{},{"nodeType":1626,"data":6492,"content":6496},{"target":6493},{"sys":6494},{"id":6495,"type":1631,"linkType":1632},"49Y7NXpnAeAYe9fCp1oyKn",[],{"nodeType":1815,"data":6498,"content":6499},{},[6500],{"nodeType":1639,"value":6501,"marks":6502,"data":6504},"Beyond Microsoft — Google, GitHub, Salesforce, AWS",[6503],{"type":1708},{},{"nodeType":1635,"data":6506,"content":6507},{},[6508],{"nodeType":1639,"value":6509,"marks":6510,"data":6511},"It’s worth calling out that these recommendations are Microsoft specific. While in-the-wild exploitation has focused on Microsoft, GitHub, Salesforce, AWS and others are also impacted by device code phishing, supporting device code flow either as a primary or fallback mechanism (Google less so due to inherent restrictions on scopes authorized in the context of device code logins). ",[],{},{"nodeType":1635,"data":6513,"content":6514},{},[6515],{"nodeType":1639,"value":6516,"marks":6517,"data":6518},"Similarly, ConsentFix principles can be applied beyond Microsoft too. The core requirement is that an OAuth code ends up in a location the victim can manually see and share, e.g. a localhost redirect where no listener is present to complete the handshake. Google Cloud CLI, GitHub CLI, and others support the auth code grant and allow localhost as a redirect URI. ",[],{},{"nodeType":1697,"data":6520,"content":6521},{},[],{"nodeType":1701,"data":6523,"content":6524},{},[6525],{"nodeType":1639,"value":3236,"marks":6526,"data":6528},[6527],{"type":1708},{},{"nodeType":1635,"data":6530,"content":6531},{},[6532],{"nodeType":1639,"value":6533,"marks":6534,"data":6535},"We’re already detecting and blocking both ConsentFix and device code phishing attacks as they target users in their web browser. When a page matches our detections for a device code or ConsentFix phishing kit (not limited to things like known-bad IPs and domains, but DOM-level analysis of the web page) Push detects and blocks it. Unlike an SWG or RBI type solution, Push analyzes every web page in every browser session and tab, in real time, with no latency. ",[],{},{"nodeType":1626,"data":6537,"content":6541},{"target":6538},{"sys":6539},{"id":6540,"type":1631,"linkType":1632},"63EwHbmFZVAlhoXl17Xjfi",[],{"nodeType":1635,"data":6543,"content":6544},{},[6545,6549,6558],{"nodeType":1639,"value":6546,"marks":6547,"data":6548},"Using Push you can also ",[],{},{"nodeType":1644,"data":6550,"content":6552},{"uri":6551},"https://pushsecurity.com/help/can-i-use-push-to-help-protect-against-device-code-phishing-scenarios/",[6553],{"nodeType":1639,"value":6554,"marks":6555,"data":6557},"configure in-browser warnings",[6556],{"type":1652},{},{"nodeType":1639,"value":6559,"marks":6560,"data":6561}," whenever a user accesses a URL used for device code logins, across any app that supports them. This provides universal, last-mile protection against even ‘zero-day’ device code phishing attacks using previously unidentified toolkits.  ",[],{},{"nodeType":1626,"data":6563,"content":6567},{"target":6564},{"sys":6565},{"id":6566,"type":1631,"linkType":1632},"3baS2yqvJd2e4aczw73PTF",[],{"nodeType":1635,"data":6569,"content":6570},{},[6571],{"nodeType":1639,"value":6572,"marks":6573,"data":6574},"When a user visits those URLs, Push will also emit a webhook event that the banner was shown and acknowledged. If a user opts to proceed, you can treat this as a high-fidelity alert for your security team to investigate, providing app-agnostic telemetry that may not already be provided in your logs from that particular vendor. You can also simply use Push to block users from accessing these pages if you’re confident that disruption won’t be caused. ",[],{},{"nodeType":1815,"data":6576,"content":6577},{},[6578],{"nodeType":1639,"value":5938,"marks":6579,"data":6581},[6580],{"type":1708},{},{"nodeType":1635,"data":6583,"content":6584},{},[6585],{"nodeType":1639,"value":6586,"marks":6587,"data":6588},"Push Security's browser-based security platform detects and blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, device code phishing, ClickFix, and session hijacking. You don't need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your attack surface.",[],{},{"nodeType":1635,"data":6590,"content":6591},{},[6592,6595,6602,6605,6612,6615,6622],{"nodeType":1639,"value":2470,"marks":6593,"data":6594},[],{},{"nodeType":1644,"data":6596,"content":6597},{"uri":2475},[6598],{"nodeType":1639,"value":2478,"marks":6599,"data":6601},[6600],{"type":1652},{},{"nodeType":1639,"value":1655,"marks":6603,"data":6604},[],{},{"nodeType":1644,"data":6606,"content":6607},{"uri":2486},[6608],{"nodeType":1639,"value":2489,"marks":6609,"data":6611},[6610],{"type":1652},{},{"nodeType":1639,"value":2493,"marks":6613,"data":6614},[],{},{"nodeType":1644,"data":6616,"content":6617},{"uri":2498},[6618],{"nodeType":1639,"value":2501,"marks":6619,"data":6621},[6620],{"type":1652},{},{"nodeType":1639,"value":2291,"marks":6623,"data":6624},[],{},{"entries":6626},{"hyperlink":6627,"inline":6628,"block":6629},[],[],[6630,6636,6661,6668,6708,6715,6721,6726,6732,6797,6823,6829],{"sys":6631,"__typename":1391,"title":6632,"caption":6632,"layoutMode":61,"file":6633},{"id":6091},"ConsentFix attack breakdown: The victim is tricked into copy-and-pasting a URL containing OAuth key material into a phishing page.",{"url":6634,"width":6635,"height":33},"https://images.ctfassets.net/y1cdw1ablpvd/tbetqlx85alVSg3LbHw8m/793ee588bd0347f6d1497b882b4a9f3f/image6.png",1999,{"sys":6637,"__typename":2514,"content":6638,"name":6660,"title":61},{"id":6104},{"json":6639},{"nodeType":1622,"data":6640,"content":6641},{},[6642],{"nodeType":1635,"data":6643,"content":6644},{},[6645,6649,6656],{"nodeType":1639,"value":6646,"marks":6647,"data":6648},"This attack is best understood as post-authentication. If the attacker is already signed in to Microsoft in their browser, they simply need to select their account name from a drop-down menu. There’s almost no friction — no credential entry or MFA checks. This is very similar to ",[],{},{"nodeType":1644,"data":6650,"content":6651},{"uri":4920},[6652],{"nodeType":1639,"value":4923,"marks":6653,"data":6655},[6654],{"type":1652},{},{"nodeType":1639,"value":6657,"marks":6658,"data":6659},", another OAuth-based phishing technique, which we’ve seen increase 37x this year. More on that later. ",[],{},"ConsentFix v3 IB1",{"sys":6662,"__typename":1391,"title":6663,"caption":6663,"layoutMode":61,"file":6664},{"id":6130},"John Hammond showed off a slick new ConsentFix implementation.",{"url":6665,"width":6666,"height":6667},"https://images.ctfassets.net/y1cdw1ablpvd/1bjvJgwJQYYITray4cgquD/056744beab8fd24153b1c42b73090aeb/consentfix_v2.gif",1280,720,{"sys":6669,"__typename":2514,"content":6670,"name":6707,"title":61},{"id":6136},{"json":6671},{"nodeType":1622,"data":6672,"content":6673},{},[6674],{"nodeType":1635,"data":6675,"content":6676},{},[6677,6681,6690,6694,6703],{"nodeType":1639,"value":6678,"marks":6679,"data":6680},"We recently joined forces with John in a webinar where we showed off ConsentFix along with a host of other browser-based attacks. If you joined us, you’ll have already had a quick look at what we’re about to talk about below! ",[],{},{"nodeType":1644,"data":6682,"content":6684},{"uri":6683},"https://pushsecurity.com/resources/browser-attacks-why-browser-new-battleground",[6685],{"nodeType":1639,"value":6686,"marks":6687,"data":6689},"You can watch it on-demand here.",[6688],{"type":1652},{},{"nodeType":1639,"value":6691,"marks":6692,"data":6693}," And you can watch John’s follow up on ",[],{},{"nodeType":1644,"data":6695,"content":6697},{"uri":6696},"https://www.youtube.com/watch?v=T3oVdPCMDJw",[6698],{"nodeType":1639,"value":6699,"marks":6700,"data":6702},"ConsentFix v3",[6701],{"type":1652},{},{"nodeType":1639,"value":6704,"marks":6705,"data":6706}," here — definitely worth a watch as always! ",[],{},"ConsentFix v3 IB2",{"sys":6709,"__typename":1391,"title":6710,"caption":6710,"layoutMode":61,"file":6711},{"id":6173},"XSS forum post on ConsentFix v3",{"url":6712,"width":6713,"height":6714},"https://images.ctfassets.net/y1cdw1ablpvd/KSVQYgv1VDhIF19jUcaOc/81fc5771fd4ce4fbe38d0d138f7970a6/image3.png",1915,1079,{"sys":6716,"__typename":1391,"title":6717,"caption":6717,"layoutMode":61,"file":6718},{"id":6179},"Description of ConsentFix v3 complete with summary video.",{"url":6719,"width":6720,"height":6714},"https://images.ctfassets.net/y1cdw1ablpvd/stbiG200DHN4huH6iaCQg/d1db13d4e04c4c528ce35320b05f4d3d/image12.png",1919,{"sys":6722,"__typename":6723,"title":6699,"arcadeDemoUrl":6724,"playText":6725},{"id":6185},"ArcadeDemo","https://demo.arcade.software/BO6Dc4lxhzlgHHvEeWi9?embed","2 mins",{"sys":6727,"__typename":1391,"title":6728,"caption":6729,"layoutMode":61,"file":6730},{"id":6301},"Device code phishing kit example","Device code phishing kit example.",{"url":6731,"width":6666,"height":6667},"https://images.ctfassets.net/y1cdw1ablpvd/2zbjCCqXRMTvaOr6Xpx2BJ/ccb3000b043b3bbc11a6d2315e66f6f1/Copy_of_Device_code_login_completion.gif",{"sys":6733,"__typename":2514,"content":6734,"name":6796,"title":61},{"id":6398},{"json":6735},{"nodeType":1622,"data":6736,"content":6737},{},[6738,6745],{"nodeType":1635,"data":6739,"content":6740},{},[6741],{"nodeType":1639,"value":6742,"marks":6743,"data":6744},"The different application IDs that attackers can target here vary a little per technique based on the auth flows supported. FOCI apps present the broadest utility (particularly for non-admin targets) and can be targeted via both device code phishing and ConsentFix. In practice, this means an attacker who phishes a token for one app can silently pivot to access Outlook, Teams, OneDrive, SharePoint, and so on via API.",[],{},{"nodeType":1635,"data":6746,"content":6747},{},[6748,6752,6761,6765,6770,6774,6779,6783,6792],{"nodeType":1639,"value":6749,"marks":6750,"data":6751},"If they want to take it even further, they can use the well-known ",[],{},{"nodeType":1644,"data":6753,"content":6755},{"uri":6754},"https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/",[6756],{"nodeType":1639,"value":6757,"marks":6758,"data":6760},"Primary Refresh Token (PRT) escalation technique",[6759],{"type":1652},{},{"nodeType":1639,"value":6762,"marks":6763,"data":6764}," to get seamless SSO across ",[],{},{"nodeType":1639,"value":6766,"marks":6767,"data":6769},"all",[6768],{"type":273},{},{"nodeType":1639,"value":6771,"marks":6772,"data":6773}," Entra ID-connected applications and web services (basically upgrading to normal browser-level access). This requires that you specifically target the ",[],{},{"nodeType":1639,"value":6775,"marks":6776,"data":6778},"Microsoft Authentication Broker",[6777],{"type":1708},{},{"nodeType":1639,"value":6780,"marks":6781,"data":6782}," application, chaining it into a new device registration in the victim's environment. (This is the method that ",[],{},{"nodeType":1644,"data":6784,"content":6786},{"uri":6785},"https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/",[6787],{"nodeType":1639,"value":6788,"marks":6789,"data":6791},"Storm-2372",[6790],{"type":1652},{},{"nodeType":1639,"value":6793,"marks":6794,"data":6795}," used in a major 2025 device code phishing campaign.)",[],{},"ConsentFix v3 IB3",{"sys":6798,"__typename":2514,"content":6799,"name":6822,"title":61},{"id":6495},{"json":6800},{"data":6801,"content":6802,"nodeType":1622},{},[6803],{"data":6804,"content":6805,"nodeType":1635},{},[6806,6809,6818],{"data":6807,"marks":6808,"value":29,"nodeType":1639},{},[],{"data":6810,"content":6812,"nodeType":1644},{"uri":6811},"https://entrascopes.com/?foci=true",[6813],{"data":6814,"marks":6815,"value":6817,"nodeType":1639},{},[6816],{"type":1652},"This is a great resource",{"data":6819,"marks":6820,"value":6821,"nodeType":1639},{},[]," from Fabian Bader and Dirk-jan Mollema enabling you to search through first-party Microsoft apps, resource IDs, FOCI apps, apps with conditional access exclusions, and those vulnerable to ConsentFix attacks. You’d need to go through the process of creating Service Principals for them and assign specific users based on required access. You’d want to do this for all of the apps that come with pre-consented permissions, conditional access exclusions, FOCI, and so on. But of course if an assigned user gets phished, the attack can still succeed. ","ConsentFix v3 IB4",{"sys":6824,"__typename":1391,"title":6825,"caption":6825,"layoutMode":61,"file":6826},{"id":6540},"When users attempt to visit malicious sites that trigger our detections, they are redirected to a safe URL and shown a customizable block screen.",{"url":6827,"width":2597,"height":6828},"https://images.ctfassets.net/y1cdw1ablpvd/2losZN7HBexdcDRlMGYMA6/0c24a2abdcc154c9faa33750db1eaed0/image4.png",767,{"sys":6830,"__typename":1391,"title":6831,"caption":6831,"layoutMode":61,"file":6832},{"id":6566},"Device code phishing customizable warning banner.",{"url":6833,"width":6834,"height":6835},"https://images.ctfassets.net/y1cdw1ablpvd/21kgdVDgvY6yI4cUzZ5eth/51fbb6782e10e4a23b37b020d8b288de/image10.png",1367,859,{},"Investigating a new criminal toolkit for ConsentFix",{"items":6839},[6840,7711,10305],{"__typename":2613,"sys":6841,"content":6843,"title":7693,"synopsis":7694,"hashTags":61,"publishedDate":7695,"slug":7696,"tagsCollection":7697,"authorsCollection":7703},{"id":6842},"71EaaK7lfl6bQBbkAU0qjv",{"json":6844},{"nodeType":1622,"data":6845,"content":6846},{},[6847,6855,6862,6869,6876,6888,6895,6901,6907,6910,6918,6925,6932,6938,6958,6965,6971,6978,6984,6991,7034,7040,7046,7053,7060,7063,7071,7091,7098,7104,7122,7128,7148,7155,7158,7166,7173,7217,7229,7232,7240,7259,7266,7282,7289,7296,7302,7309,7312,7320,7327,7380,7387,7390,7398,7404,7411,7418,7424,7431,7464,7471,7478,7484,7491,7497,7505,7525,7532,7565,7572,7605,7608,7616,7623,7629,7648,7655,7681,7687],{"nodeType":1701,"data":6848,"content":6849},{},[6850],{"nodeType":1639,"value":6851,"marks":6852,"data":6854},"Introducing “ConsentFix” — a new kind of phishing attack",[6853],{"type":1708},{},{"nodeType":1635,"data":6856,"content":6857},{},[6858],{"nodeType":1639,"value":6859,"marks":6860,"data":6861},"The Push browser agent recently detected and blocked a new attack technique seen targeting several Push customers. ",[],{},{"nodeType":1635,"data":6863,"content":6864},{},[6865],{"nodeType":1639,"value":6866,"marks":6867,"data":6868},"This is a new kind of browser-based attack technique that takes over user accounts with a simple copy and paste. If you’re already logged into the app in your browser, you don’t even need to supply creds, or pass an MFA check — meaning it effectively circumvents phishing-resistant auth like passkeys too.",[],{},{"nodeType":1635,"data":6870,"content":6871},{},[6872],{"nodeType":1639,"value":6873,"marks":6874,"data":6875},"This is so different from the AiTM phish kits we usually come up against that we felt it deserved a new name. ",[],{},{"nodeType":1635,"data":6877,"content":6878},{},[6879,6884],{"nodeType":1639,"value":6880,"marks":6881,"data":6883},"Enter: ConsentFix. ",[6882],{"type":1708},{},{"nodeType":1639,"value":6885,"marks":6886,"data":6887},"This attack shares a lot of similarities with ClickFix/FileFix, AiTM phishing, and OAuth Consent Phishing. You can think of this as a browser-native ClickFix attack that phishes an OAuth token on a target app by getting the victim to copy and paste a URL containing OAuth key material into a phishing page. ",[],{},{"nodeType":1635,"data":6889,"content":6890},{},[6891],{"nodeType":1639,"value":6892,"marks":6893,"data":6894},"The campaign we detected looks to be specifically targeting Microsoft accounts by abusing the Azure CLI OAuth app. Essentially, the attacker tricks the victim into logging into Azure CLI, by generating an OAuth authorization code — visible in a localhost URL — and then pasting that URL (including the code) into an attacker-controlled page. This then creates an OAuth connection between the victim’s Microsoft account and the attacker’s Azure CLI instance. ",[],{},{"nodeType":1626,"data":6896,"content":6900},{"target":6897},{"sys":6898},{"id":6899,"type":1631,"linkType":1632},"5GTnqWIbmraz8HZeHMybrP",[],{"nodeType":1626,"data":6902,"content":6906},{"target":6903},{"sys":6904},{"id":6905,"type":1631,"linkType":1632},"1lcjX5q3b1bsuhyOXKvJpW",[],{"nodeType":1697,"data":6908,"content":6909},{},[],{"nodeType":1701,"data":6911,"content":6912},{},[6913],{"nodeType":1639,"value":6914,"marks":6915,"data":6917},"How ConsentFix works",[6916],{"type":1708},{},{"nodeType":1635,"data":6919,"content":6920},{},[6921],{"nodeType":1639,"value":6922,"marks":6923,"data":6924},"In all of the examples we saw, the victim accessed a malicious or compromised webpage via Google Search. The vast majority of the sites we’ve seen associated with the campaign are legitimate, compromised websites with high domain reputation that are easily findable via search engines.",[],{},{"nodeType":1635,"data":6926,"content":6927},{},[6928],{"nodeType":1639,"value":6929,"marks":6930,"data":6931},"The attacker had injected a fake Cloudflare Turnstile into the compromised websites, requiring an email address to be supplied in order to proceed. ",[],{},{"nodeType":1626,"data":6933,"content":6937},{"target":6934},{"sys":6935},{"id":6936,"type":1631,"linkType":1632},"39jEjeLqOYIkGc4o9w3MuX",[],{"nodeType":1635,"data":6939,"content":6940},{},[6941,6945,6954],{"nodeType":1639,"value":6942,"marks":6943,"data":6944},"This acted as a form of ",[],{},{"nodeType":1644,"data":6946,"content":6948},{"uri":6947},"https://phishing-techniques.pushsecurity.com/techniques/conditional-loading/",[6949],{"nodeType":1639,"value":6950,"marks":6951,"data":6953},"conditional loading",[6952],{"type":1652},{},{"nodeType":1639,"value":6955,"marks":6956,"data":6957}," that would only continue if a valid email address and domain was supplied, designed to prevent the page from being analyzed by security bots, analysts, and low-value accounts that run the risk of exposing the campaign before the intended recipient(s) can be phished. ",[],{},{"nodeType":1635,"data":6959,"content":6960},{},[6961],{"nodeType":1639,"value":6962,"marks":6963,"data":6964},"If a domain not on the target list was provided, the victim was passed back to the original website and the attack did not progress to the next stage. Further, once the check has concluded per IP, the phishing page will no longer activate, even a different email is provided.  ",[],{},{"nodeType":1626,"data":6966,"content":6970},{"target":6967},{"sys":6968},{"id":6969,"type":1631,"linkType":1632},"7ttmGnTzi9j87tBXfyFcOA",[],{"nodeType":1635,"data":6972,"content":6973},{},[6974],{"nodeType":1639,"value":6975,"marks":6976,"data":6977},"After entering an approved email address, the next stage was loaded, prompting the victim to complete a set of instructions on the page to continue.",[],{},{"nodeType":1626,"data":6979,"content":6983},{"target":6980},{"sys":6981},{"id":6982,"type":1631,"linkType":1632},"2oHYNoMgAz6MdgLlcWjbaB",[],{"nodeType":1635,"data":6985,"content":6986},{},[6987],{"nodeType":1639,"value":6988,"marks":6989,"data":6990},"To complete the attack, the victim must:",[],{},{"nodeType":1726,"data":6992,"content":6993},{},[6994,7004,7014,7024],{"nodeType":1730,"data":6995,"content":6996},{},[6997],{"nodeType":1635,"data":6998,"content":6999},{},[7000],{"nodeType":1639,"value":7001,"marks":7002,"data":7003},"Click the “Sign In” button. This opens a new tab that loads a legitimate Microsoft URL associated with the user account/email used to access the page.",[],{},{"nodeType":1730,"data":7005,"content":7006},{},[7007],{"nodeType":1635,"data":7008,"content":7009},{},[7010],{"nodeType":1639,"value":7011,"marks":7012,"data":7013},"If the user is already logged into Microsoft in their browser, they simply need to select their MS account from the dropdown. Otherwise, they will be required to login via the legitimate Microsoft login URL (no phishing takes place at this stage). ",[],{},{"nodeType":1730,"data":7015,"content":7016},{},[7017],{"nodeType":1635,"data":7018,"content":7019},{},[7020],{"nodeType":1639,"value":7021,"marks":7022,"data":7023},"Once logged into legit Microsoft or the account is selected from the dropdown, the user is redirected to localhost, which generates a URL containing a code associated with the user’s Microsoft account. ",[],{},{"nodeType":1730,"data":7025,"content":7026},{},[7027],{"nodeType":1635,"data":7028,"content":7029},{},[7030],{"nodeType":1639,"value":7031,"marks":7032,"data":7033},"To complete the phish, the victim copies the URL and pastes it onto the original page. ",[],{},{"nodeType":1626,"data":7035,"content":7039},{"target":7036},{"sys":7037},{"id":7038,"type":1631,"linkType":1632},"7zendMbmCViGwtEpUQvq6y",[],{"nodeType":1626,"data":7041,"content":7045},{"target":7042},{"sys":7043},{"id":7044,"type":1631,"linkType":1632},"1eZOs7hXi9FzCE92QEP6xh",[],{"nodeType":1635,"data":7047,"content":7048},{},[7049],{"nodeType":1639,"value":7050,"marks":7051,"data":7052},"Once the steps are completed, the victim has granted the attacker access to their Microsoft account via Azure CLI. ",[],{},{"nodeType":1635,"data":7054,"content":7055},{},[7056],{"nodeType":1639,"value":7057,"marks":7058,"data":7059},"At this point, the attacker has effective control of the victim’s Microsoft account, but without ever needing to phish a password, or pass an MFA check. In fact, if the user was already logged in to their Microsoft account (i.e. they had an active session) no login is required at all. ",[],{},{"nodeType":1697,"data":7061,"content":7062},{},[],{"nodeType":1701,"data":7064,"content":7065},{},[7066],{"nodeType":1639,"value":7067,"marks":7068,"data":7070},"The next evolution of ClickFix?",[7069],{"type":1708},{},{"nodeType":1635,"data":7072,"content":7073},{},[7074,7078,7087],{"nodeType":1639,"value":7075,"marks":7076,"data":7077},"When we presented ",[],{},{"nodeType":1644,"data":7079,"content":7081},{"uri":7080},"https://pushsecurity.com/webinar/clickfix",[7082],{"nodeType":1639,"value":7083,"marks":7084,"data":7086},"our last webinar on ClickFix",[7085],{"type":1652},{},{"nodeType":1639,"value":7088,"marks":7089,"data":7090},", we predicted that the next evolution of the attack would happen entirely within the browser context. This is because any attack that touches the endpoint (a traditionally much better protected surface) is way more likely to be detected. And with many ClickFix attacks being used to deliver infostealer malware, these attacks are really trying to get back into the browser anyway — to steal credentials and sessions stored there. ",[],{},{"nodeType":1635,"data":7092,"content":7093},{},[7094],{"nodeType":1639,"value":7095,"marks":7096,"data":7097},"Let’s take a closer look at the page — if you follow Push research, you might be getting déjà vu. ",[],{},{"nodeType":1626,"data":7099,"content":7103},{"target":7100},{"sys":7101},{"id":7102,"type":1631,"linkType":1632},"1vMZCJ92IxFdR1EzzCOOvb",[],{"nodeType":1635,"data":7105,"content":7106},{},[7107,7111,7119],{"nodeType":1639,"value":7108,"marks":7109,"data":7110},"We’ve seen this kind of embedded video player before (albeit a slicker looking one) that we blogged about as ",[],{},{"nodeType":1644,"data":7112,"content":7113},{"uri":4953},[7114],{"nodeType":1639,"value":7115,"marks":7116,"data":7118},"the most advanced ClickFix we’d seen",[7117],{"type":1652},{},{"nodeType":1639,"value":2291,"marks":7120,"data":7121},[],{},{"nodeType":1626,"data":7123,"content":7127},{"target":7124},{"sys":7125},{"id":7126,"type":1631,"linkType":1632},"ID7VKJNOZk729P5zBOBjZ",[],{"nodeType":1635,"data":7129,"content":7130},{},[7131,7135,7144],{"nodeType":1639,"value":7132,"marks":7133,"data":7134},"Another similarity with ClickFix campaigns we’ve investigated is the use of Google Search as a delivery vector. 4 in 5 ClickFix attacks intercepted by Push came via Google Search, with attackers using ",[],{},{"nodeType":1644,"data":7136,"content":7138},{"uri":7137},"https://phishing-techniques.pushsecurity.com/techniques/malvertising/",[7139],{"nodeType":1639,"value":7140,"marks":7141,"data":7143},"malvertising",[7142],{"type":1652},{},{"nodeType":1639,"value":7145,"marks":7146,"data":7147}," and either compromised or custom vibe-coded websites to intercept users as they browse the internet. ",[],{},{"nodeType":1635,"data":7149,"content":7150},{},[7151],{"nodeType":1639,"value":7152,"marks":7153,"data":7154},"So it seems highly likely that this is a kind of browser-native evolution of ClickFix that shares many elements with typical ClickFix attacks, and is probably used by the same groups of attackers.",[],{},{"nodeType":1697,"data":7156,"content":7157},{},[],{"nodeType":1701,"data":7159,"content":7160},{},[7161],{"nodeType":1639,"value":7162,"marks":7163,"data":7165},"OAuth shenanigans via Azure CLI",[7164],{"type":1708},{},{"nodeType":1635,"data":7167,"content":7168},{},[7169],{"nodeType":1639,"value":7170,"marks":7171,"data":7172},"The clever use of Azure CLI and OAuth consent abuse is another clever iteration on previous techniques. ",[],{},{"nodeType":1635,"data":7174,"content":7175},{},[7176,7180,7189,7192,7200,7204,7213],{"nodeType":1639,"value":7177,"marks":7178,"data":7179},"We’ve previously seen ",[],{},{"nodeType":1644,"data":7181,"content":7183},{"uri":7182},"https://phishing-techniques.pushsecurity.com/techniques/consent-phishing/",[7184],{"nodeType":1639,"value":7185,"marks":7186,"data":7188},"consent phishing",[7187],{"type":1652},{},{"nodeType":1639,"value":5688,"marks":7190,"data":7191},[],{},{"nodeType":1644,"data":7193,"content":7195},{"uri":7194},"https://phishing-techniques.pushsecurity.com/techniques/device-code-phishing/",[7196],{"nodeType":1639,"value":4923,"marks":7197,"data":7199},[7198],{"type":1652},{},{"nodeType":1639,"value":7201,"marks":7202,"data":7203}," attacks where attackers have tricked victims into connecting malicious external apps into their tenant via OAuth, but this is becoming increasingly difficult in core enterprise cloud environments like Azure due to ",[],{},{"nodeType":1644,"data":7205,"content":7207},{"uri":7206},"https://learn.microsoft.com/en-us/microsoft-365/admin/misc/user-consent?view=o365-worldwide",[7208],{"nodeType":1639,"value":7209,"marks":7210,"data":7212},"stricter default configs",[7211],{"type":1652},{},{"nodeType":1639,"value":7214,"marks":7215,"data":7216},". However, since Azure CLI is a first-party Microsoft app, it is implicitly trusted in Entra ID, and is excluded from these restrictions. ",[],{},{"nodeType":1635,"data":7218,"content":7219},{},[7220,7224],{"nodeType":1639,"value":7221,"marks":7222,"data":7223},"First-party apps like Azure CLI are trusted by default in all tenants, allowed to request permissions without admin approval, and cannot be deleted or blocked. They can also be granted special permissions, such as tenant-wide service permissions (without needing admin approval), use of legacy or undocumented graph scopes, internal scopes for Microsoft client operations, and permissions for Office/Entra admin functions. ",[],{},{"nodeType":1639,"value":7225,"marks":7226,"data":7228},"This makes Azure CLI a prime target for attackers, and significantly more exploitable than when connecting a third-party app. ",[7227],{"type":1708},{},{"nodeType":1697,"data":7230,"content":7231},{},[],{"nodeType":1701,"data":7233,"content":7234},{},[7235],{"nodeType":1639,"value":7236,"marks":7237,"data":7239},"Advanced detection evasion techniques",[7238],{"type":1708},{},{"nodeType":1635,"data":7241,"content":7242},{},[7243,7247,7255],{"nodeType":1639,"value":7244,"marks":7245,"data":7246},"This campaign features some of the most advanced ",[],{},{"nodeType":1644,"data":7248,"content":7250},{"uri":7249},"https://phishing-techniques.pushsecurity.com/",[7251],{"nodeType":1639,"value":7252,"marks":7253,"data":7254},"detection evasion techniques",[],{},{"nodeType":1639,"value":7256,"marks":7257,"data":7258}," we've seen in the wild. ",[],{},{"nodeType":1635,"data":7260,"content":7261},{},[7262],{"nodeType":1639,"value":7263,"marks":7264,"data":7265},"As well as the use of Google Search to deliver the lure, and bot protection to prevent security tools from analyzing the page, there were multiple layers of anti-analysis techniques to navigate.",[],{},{"nodeType":1635,"data":7267,"content":7268},{},[7269,7273,7278],{"nodeType":1639,"value":7270,"marks":7271,"data":7272},"We already mentioned the use of selective targeting based on email addresses and domain names. But all sites involved in the campaign also have synchronized IP blocking — meaning if you visit one site and are served one of the associated phishing pages, the phish will never be served again, ",[],{},{"nodeType":1639,"value":7274,"marks":7275,"data":7277},"across any of the sites linked to the campaign",[7276],{"type":1708},{},{"nodeType":1639,"value":7279,"marks":7280,"data":7281},". When you visit any of the sites again, the phish won't trigger, and it can be browsed as normal. ",[],{},{"nodeType":1635,"data":7283,"content":7284},{},[7285],{"nodeType":1639,"value":7286,"marks":7287,"data":7288},"On the backend, there are multiple checks based on your IP and identifiers unique to your session. Unless all of the conditions are met, certain JavaScript packages won't be served — preventing full inspection of the page to detect malicious elements. ",[],{},{"nodeType":1635,"data":7290,"content":7291},{},[7292],{"nodeType":1639,"value":7293,"marks":7294,"data":7295},"If the conditions aren't met, the page may not load the Cloudflare Turnstile check at all, or will redirect you back to the site to continue browsing as normal.",[],{},{"nodeType":1626,"data":7297,"content":7301},{"target":7298},{"sys":7299},{"id":7300,"type":1631,"linkType":1632},"5v0zDoscA6pYLBfkXrNtIH",[],{"nodeType":1635,"data":7303,"content":7304},{},[7305],{"nodeType":1639,"value":7306,"marks":7307,"data":7308},"All of these make it incredibly hard to detect and block these attacks ahead of time when relying on URL-based checks and traffic analysis.",[],{},{"nodeType":1697,"data":7310,"content":7311},{},[],{"nodeType":1701,"data":7313,"content":7314},{},[7315],{"nodeType":1639,"value":7316,"marks":7317,"data":7319},"Key takeaways",[7318],{"type":1708},{},{"nodeType":1635,"data":7321,"content":7322},{},[7323],{"nodeType":1639,"value":7324,"marks":7325,"data":7326},"ConsentFix is a dangerous evolution of ClickFix and consent phishing that is incredibly hard for traditional security tools to detect and block, as:",[],{},{"nodeType":1726,"data":7328,"content":7329},{},[7330,7340,7350,7360,7370],{"nodeType":1730,"data":7331,"content":7332},{},[7333],{"nodeType":1635,"data":7334,"content":7335},{},[7336],{"nodeType":1639,"value":7337,"marks":7338,"data":7339},"The attack happens entirely inside the browser context, removing one of the key detection opportunities for ClickFix (because it doesn’t touch the endpoint).",[],{},{"nodeType":1730,"data":7341,"content":7342},{},[7343],{"nodeType":1635,"data":7344,"content":7345},{},[7346],{"nodeType":1639,"value":7347,"marks":7348,"data":7349},"Delivering the lure via a Google Search watering hole attack completely circumvents email-based anti-phishing controls.",[],{},{"nodeType":1730,"data":7351,"content":7352},{},[7353],{"nodeType":1635,"data":7354,"content":7355},{},[7356],{"nodeType":1639,"value":7357,"marks":7358,"data":7359},"Targeting a first-party app like Azure CLI means that many of the mitigating controls available for third-party app integrations do not apply — making this attack way harder to prevent.",[],{},{"nodeType":1730,"data":7361,"content":7362},{},[7363],{"nodeType":1635,"data":7364,"content":7365},{},[7366],{"nodeType":1639,"value":7367,"marks":7368,"data":7369},"Because there’s no login required, phishing-resistant authentication controls like passkeys have no impact on this attack. ",[],{},{"nodeType":1730,"data":7371,"content":7372},{},[7373],{"nodeType":1635,"data":7374,"content":7375},{},[7376],{"nodeType":1639,"value":7377,"marks":7378,"data":7379},"The use of advanced detection evasion techniques makes this attack difficult to investigate, meaning these attacks are going undetected. ",[],{},{"nodeType":1635,"data":7381,"content":7382},{},[7383],{"nodeType":1639,"value":7384,"marks":7385,"data":7386},"We’re sure to see more examples of ConsentFix in future. We’ll be monitoring to see how attackers adapt in terms of integrating these capabilities with common as-a-Service offerings to make them more widespread, and whether the scope extends further beyond Microsoft / Azure CLI targets in the future to target other enterprise cloud ecosystems. ",[],{},{"nodeType":1697,"data":7388,"content":7389},{},[],{"nodeType":1701,"data":7391,"content":7392},{},[7393],{"nodeType":1639,"value":7394,"marks":7395,"data":7397},"Recommendations",[7396],{"type":1708},{},{"nodeType":1626,"data":7399,"content":7403},{"target":7400},{"sys":7401},{"id":7402,"type":1631,"linkType":1632},"3aBCwdB2aNnLRxRN5RrshC",[],{"nodeType":1635,"data":7405,"content":7406},{},[7407],{"nodeType":1639,"value":7408,"marks":7409,"data":7410},"On the backend, exploitation of this attack will lead to login events being observed to the Microsoft Azure CLI app. It’s likely that any legitimate use of this will most likely be limited to system administrators and possibly developers. Therefore, logins outside of these groups will be inherently more suspicious.",[],{},{"nodeType":1635,"data":7412,"content":7413},{},[7414],{"nodeType":1639,"value":7415,"marks":7416,"data":7417},"Additionally, it’s possible that aspects of the logins themselves will be different between legitimate Azure CLI use and exploitation of this attack. For example, see the following logs from a lab environment. The login events with an application of  “Microsoft Azure CLI” and a resource of “Azure Resource Manager” was legitimate use of the Azure CLI using the powershell CLI framework. Conversely, the login event with the Resource of “Windows Azure Active Directory” was produced by logging in using the method used by the phishing kit.",[],{},{"nodeType":1626,"data":7419,"content":7423},{"target":7420},{"sys":7421},{"id":7422,"type":1631,"linkType":1632},"6ie0nkk6XbgwidfwmiGwL4",[],{"nodeType":1635,"data":7425,"content":7426},{},[7427],{"nodeType":1639,"value":7428,"marks":7429,"data":7430},"There is no guarantee this can be used to differentiate between legitimate and malicious examples, but it’s another data point to consider. If searching logs you may wish to use the respective GUIDs for these:",[],{},{"nodeType":1726,"data":7432,"content":7433},{},[7434,7449],{"nodeType":1730,"data":7435,"content":7436},{},[7437],{"nodeType":1635,"data":7438,"content":7439},{},[7440,7445],{"nodeType":1639,"value":7441,"marks":7442,"data":7444},"Application ID",[7443],{"type":1708},{},{"nodeType":1639,"value":7446,"marks":7447,"data":7448}," = 04b07795-8ddb-461a-bbee-02f9e1bf7b46",[],{},{"nodeType":1730,"data":7450,"content":7451},{},[7452],{"nodeType":1635,"data":7453,"content":7454},{},[7455,7460],{"nodeType":1639,"value":7456,"marks":7457,"data":7459},"Resource ID",[7458],{"type":1708},{},{"nodeType":1639,"value":7461,"marks":7462,"data":7463}," = 00000002-0000-0000-c000-000000000000",[],{},{"nodeType":1635,"data":7465,"content":7466},{},[7467],{"nodeType":1639,"value":7468,"marks":7469,"data":7470},"For interactive logins, like above, you cannot rely on looking for logins from suspicious IP addresses or locations. The login itself occurs from the victims browser directly to Microsoft, and so the IP addresses associated with these events will be the legitimate IP used by the target user, not by the threat actor. ",[],{},{"nodeType":1635,"data":7472,"content":7473},{},[7474],{"nodeType":1639,"value":7475,"marks":7476,"data":7477},"However, for non-interactive logins and other audit logs for actions taken, you may be able to uncover unusual IP addresses that differ from the original interactive login. For example, here are some non-interactive logins that were observed immediately after compromise that came from different IP addresses in both the US and Indonesia.",[],{},{"nodeType":1626,"data":7479,"content":7483},{"target":7480},{"sys":7481},{"id":7482,"type":1631,"linkType":1632},"TD3YeWqgGIWIWM8FRHU4o",[],{"nodeType":1635,"data":7485,"content":7486},{},[7487],{"nodeType":1639,"value":7488,"marks":7489,"data":7490},"Interestingly, they differ in which resources they accessed, with one accessing the Windows Azure Active Directory resource ID like the interactive login, but two others accessing the Microsoft Intune Checkin resource ID. ",[],{},{"nodeType":1626,"data":7492,"content":7496},{"target":7493},{"sys":7494},{"id":7495,"type":1631,"linkType":1632},"57PqDQiAiwzqkspVpROQXb",[],{"nodeType":1815,"data":7498,"content":7499},{},[7500],{"nodeType":1639,"value":7501,"marks":7502,"data":7504},"IoCs",[7503],{"type":1708},{},{"nodeType":1635,"data":7506,"content":7507},{},[7508,7512,7521],{"nodeType":1639,"value":7509,"marks":7510,"data":7511},"Short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":1644,"data":7513,"content":7515},{"uri":7514},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[7516],{"nodeType":1639,"value":7517,"marks":7518,"data":7520},"quickly spin up and rotate the sites used",[7519],{"type":1652},{},{"nodeType":1639,"value":7522,"marks":7523,"data":7524}," in the attack chain, often dynamically serving different URLs to site visitors. ",[],{},{"nodeType":1635,"data":7526,"content":7527},{},[7528],{"nodeType":1639,"value":7529,"marks":7530,"data":7531},"That said, the domains used to deliver the final phishing payload were:",[],{},{"nodeType":1726,"data":7533,"content":7534},{},[7535,7545,7555],{"nodeType":1730,"data":7536,"content":7537},{},[7538],{"nodeType":1635,"data":7539,"content":7540},{},[7541],{"nodeType":1639,"value":7542,"marks":7543,"data":7544},"hxxps://trustpointassurance.com/",[],{},{"nodeType":1730,"data":7546,"content":7547},{},[7548],{"nodeType":1635,"data":7549,"content":7550},{},[7551],{"nodeType":1639,"value":7552,"marks":7553,"data":7554},"hxxps://fastwaycheck.com/",[],{},{"nodeType":1730,"data":7556,"content":7557},{},[7558],{"nodeType":1635,"data":7559,"content":7560},{},[7561],{"nodeType":1639,"value":7562,"marks":7563,"data":7564},"hxxps://previewcentral.com",[],{},{"nodeType":1635,"data":7566,"content":7567},{},[7568],{"nodeType":1639,"value":7569,"marks":7570,"data":7571},"In addition, we recommend hunting for connections from the following IPs in Azure logs:",[],{},{"nodeType":1726,"data":7573,"content":7574},{},[7575,7585,7595],{"nodeType":1730,"data":7576,"content":7577},{},[7578],{"nodeType":1635,"data":7579,"content":7580},{},[7581],{"nodeType":1639,"value":7582,"marks":7583,"data":7584},"12.75.216.90",[],{},{"nodeType":1730,"data":7586,"content":7587},{},[7588],{"nodeType":1635,"data":7589,"content":7590},{},[7591],{"nodeType":1639,"value":7592,"marks":7593,"data":7594},"182.3.36.223",[],{},{"nodeType":1730,"data":7596,"content":7597},{},[7598],{"nodeType":1635,"data":7599,"content":7600},{},[7601],{"nodeType":1639,"value":7602,"marks":7603,"data":7604},"12.75.116.137",[],{},{"nodeType":1697,"data":7606,"content":7607},{},[],{"nodeType":1701,"data":7609,"content":7610},{},[7611],{"nodeType":1639,"value":7612,"marks":7613,"data":7615},"How Push stopped the attack",[7614],{"type":1708},{},{"nodeType":1635,"data":7617,"content":7618},{},[7619],{"nodeType":1639,"value":7620,"marks":7621,"data":7622},"Even though this was a brand new technique, Push intercepted this attack and shut it down before customers could interact with it. ",[],{},{"nodeType":1626,"data":7624,"content":7628},{"target":7625},{"sys":7626},{"id":7627,"type":1631,"linkType":1632},"5YzpiQH974EYA5iPPZMXkV",[],{"nodeType":1635,"data":7630,"content":7631},{},[7632,7636,7644],{"nodeType":1639,"value":7633,"marks":7634,"data":7635},"Push doesn’t detect the redirect tricks or rely on outdated domain TI feeds. The reason we detect these attacks (which make it through all the other layers of phishing protection) is that Push sees what your users see. It doesn’t matter what ",[],{},{"nodeType":1644,"data":7637,"content":7638},{"uri":7249},[7639],{"nodeType":1639,"value":7640,"marks":7641,"data":7643},"delivery channel or camouflage methods are used",[7642],{"type":1652},{},{"nodeType":1639,"value":7645,"marks":7646,"data":7647},", Push shuts the attack down in real time, as the user loads the malicious page in their web browser.",[],{},{"nodeType":1635,"data":7649,"content":7650},{},[7651],{"nodeType":1639,"value":7652,"marks":7653,"data":7654},"This isn’t all we do: Push’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":1635,"data":7656,"content":7657},{},[7658,7661,7668,7671,7678],{"nodeType":1639,"value":2470,"marks":7659,"data":7660},[],{},{"nodeType":1644,"data":7662,"content":7663},{"uri":2475},[7664],{"nodeType":1639,"value":2478,"marks":7665,"data":7667},[7666],{"type":1652},{},{"nodeType":1639,"value":5548,"marks":7669,"data":7670},[],{},{"nodeType":1644,"data":7672,"content":7673},{"uri":2498},[7674],{"nodeType":1639,"value":2501,"marks":7675,"data":7677},[7676],{"type":1652},{},{"nodeType":1639,"value":2291,"marks":7679,"data":7680},[],{},{"nodeType":1626,"data":7682,"content":7686},{"target":7683},{"sys":7684},{"id":7685,"type":1631,"linkType":1632},"6QzB0BlVC5mstXwXHvy2c3",[],{"nodeType":1635,"data":7688,"content":7689},{},[7690],{"nodeType":1639,"value":29,"marks":7691,"data":7692},[],{},"ConsentFix: Analyzing a browser-native ClickFix-style attack that hijacks OAuth consent grants","Analyzing \"ConsentFix\", a new browser-native attack technique we've detected in the wild, combining OAuth consent phishing with a ClickFix-style user prompt. ","2025-12-11T00:00:00.000Z","consentfix",{"items":7698},[7699,7701],{"sys":7700,"name":3379},{"id":3378},{"sys":7702,"name":3383},{"id":3382},{"items":7704},[7705],{"fullName":7706,"firstName":7707,"jobTitle":7708,"profilePicture":7709},"Luke Jennings","Luke","Vice President, R&D",{"url":7710},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"__typename":2613,"sys":7712,"content":7714,"title":10291,"synopsis":10292,"hashTags":61,"publishedDate":10293,"slug":10294,"tagsCollection":10295,"authorsCollection":10301},{"id":7713},"5DmCqTU2Tg4adYScA5vT2x",{"json":7715},{"nodeType":1622,"data":7716,"content":7717},{},[7718,7738,7756,7763,7769,7776,7783,7786,7794,7800,7883,7903,7909,7916,8045,8048,8056,8063,8069,8072,8080,8121,8127,8134,8141,8148,8155,8173,8179,8185,8191,8197,8203,8209,8215,8221,8484,8487,8495,8630,8636,8639,8647,8781,8787,8790,8798,8945,8951,8954,8962,9103,9109,9112,9120,9267,9273,9276,9284,9430,9436,9439,9447,9542,9548,9551,9559,9653,9659,9662,9670,9676,9809,9815,9826,9829,9837,9849,9856,9862,9868,9875,9896,9912,9918,9921,9929,9937,9958,9979,9984,9991,9998,10006,10013,10020,10027,10035,10042,10093,10099,10102,10109,10116,10123,10173,10179,10186,10189,10197,10204,10211,10228,10234,10241,10248,10255],{"nodeType":1635,"data":7719,"content":7720},{},[7721,7725,7734],{"nodeType":1639,"value":7722,"marks":7723,"data":7724},"The OAuth 2.0 ",[],{},{"nodeType":1644,"data":7726,"content":7728},{"uri":7727},"https://www.rfc-editor.org/rfc/rfc8628",[7729],{"nodeType":1639,"value":7730,"marks":7731,"data":7733},"device authorization grant",[7732],{"type":1652},{},{"nodeType":1639,"value":7735,"marks":7736,"data":7737}," was designed to enable input-constrained devices to sign-in to apps by asking the user to complete the login on a separate device by entering a code. But today, it’s mainly used when accessing CLI tools, meaning that many users encounter the device code flow daily. ",[],{},{"nodeType":1635,"data":7739,"content":7740},{},[7741,7744,7752],{"nodeType":1639,"value":29,"marks":7742,"data":7743},[],{},{"nodeType":1644,"data":7745,"content":7747},{"uri":7746},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/device_code_phishing/description.md",[7748],{"nodeType":1639,"value":6346,"marks":7749,"data":7751},[7750],{"type":1652},{},{"nodeType":1639,"value":7753,"marks":7754,"data":7755}," attacks designed to exploit this authorization flow are not new — it was among the first techniques that we added to the SaaS attacks matrix back in 2023. But it’s taken until now for it to really enter mainstream adoption. ",[],{},{"nodeType":1635,"data":7757,"content":7758},{},[7759],{"nodeType":1639,"value":7760,"marks":7761,"data":7762},"The technique tricks a user into issuing access tokens for an attacker-controlled application (not a device, confusingly). Any app that supports device code logins can be a target. Popular examples include Microsoft, Google, Salesforce, GitHub, and AWS. That said, Microsoft is, as always, much more heavily targeted at scale now than any other app.",[],{},{"nodeType":1626,"data":7764,"content":7768},{"target":7765},{"sys":7766},{"id":7767,"type":1631,"linkType":1632},"Al0pGH8vmOYiufDFiAbt0",[],{"nodeType":1635,"data":7770,"content":7771},{},[7772],{"nodeType":1639,"value":7773,"marks":7774,"data":7775},"We’ve always been surprised that attackers haven’t commonly used device code phishing in their standard toolkit, preferring session-stealing AITM phishing and other social engineering attacks like ClickFix. But it’s pretty clear from the recent data that the shift to mainstream adoption has now happened. ",[],{},{"nodeType":1635,"data":7777,"content":7778},{},[7779],{"nodeType":1639,"value":7780,"marks":7781,"data":7782},"In this blog post, we’ll explore the history of device code phishing, what’s changed for it to enter mainstream adoption, how it works under the hood (with recent examples), and what security teams can do about it. ",[],{},{"nodeType":1697,"data":7784,"content":7785},{},[],{"nodeType":1701,"data":7787,"content":7788},{},[7789],{"nodeType":1639,"value":7790,"marks":7791,"data":7793},"A brief history of device code phishing",[7792],{"type":1708},{},{"nodeType":1626,"data":7795,"content":7799},{"target":7796},{"sys":7797},{"id":7798,"type":1631,"linkType":1632},"6u3DgvSGChtTJu7l9I7PG1",[],{"nodeType":1635,"data":7801,"content":7802},{},[7803,7807,7816,7820,7829,7833,7841,7845,7854,7858,7867,7870,7879],{"nodeType":1639,"value":7804,"marks":7805,"data":7806},"The technique was first documented in 2020, before Secureworks released the first tooling framework ",[],{},{"nodeType":1644,"data":7808,"content":7810},{"uri":7809},"https://github.com/secureworks/PhishInSuits",[7811],{"nodeType":1639,"value":7812,"marks":7813,"data":7815},"PhishInSuits",[7814],{"type":1652},{},{"nodeType":1639,"value":7817,"marks":7818,"data":7819}," a year later. A host of research followed, including ",[],{},{"nodeType":1644,"data":7821,"content":7823},{"uri":7822},"https://github.com/secureworks/squarephish",[7824],{"nodeType":1639,"value":7825,"marks":7826,"data":7828},"SquarePhish",[7827],{"type":1652},{},{"nodeType":1639,"value":7830,"marks":7831,"data":7832}," v1 (using QR codes to trigger the 15 minute code expiration window), Dirk-Jan Mollema’s ",[],{},{"nodeType":1644,"data":7834,"content":7835},{"uri":6754},[7836],{"nodeType":1639,"value":7837,"marks":7838,"data":7840},"key research",[7839],{"type":1652},{},{"nodeType":1639,"value":7842,"marks":7843,"data":7844}," (chaining device code phishing via Microsoft apps into Primary Refresh Token (PRT) acquisition to gain full browser-level access) and Dennis Kniep’s ",[],{},{"nodeType":1644,"data":7846,"content":7848},{"uri":7847},"https://github.com/denniskniep/DeviceCodePhishing",[7849],{"nodeType":1639,"value":7850,"marks":7851,"data":7853},"DeviceCodePhishing tool",[7852],{"type":1652},{},{"nodeType":1639,"value":7855,"marks":7856,"data":7857}," which automates the entire flow with a headless browser. (Other recent noteworthy tools include ",[],{},{"nodeType":1644,"data":7859,"content":7861},{"uri":7860},"https://github.com/nromsdahl/squarephish2",[7862],{"nodeType":1639,"value":7863,"marks":7864,"data":7866},"SquarePhish2",[7865],{"type":1652},{},{"nodeType":1639,"value":5688,"marks":7868,"data":7869},[],{},{"nodeType":1644,"data":7871,"content":7873},{"uri":7872},"https://github.com/praetorian-inc/GitPhish",[7874],{"nodeType":1639,"value":7875,"marks":7876,"data":7878},"GitPhish",[7877],{"type":1652},{},{"nodeType":1639,"value":7880,"marks":7881,"data":7882},", so shout out to those too). ",[],{},{"nodeType":1635,"data":7884,"content":7885},{},[7886,7890,7899],{"nodeType":1639,"value":7887,"marks":7888,"data":7889},"It wasn’t until August 2024 that in-the-wild exploitation was first identified, with Russia-linked campaigns then continuing into 2025 before entering mainstream criminal adoption. This trend has continued to gather momentum in 2026 with ",[],{},{"nodeType":1644,"data":7891,"content":7893},{"uri":7892},"https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html",[7894],{"nodeType":1639,"value":7895,"marks":7896,"data":7898},"EvilTokens",[7897],{"type":1652},{},{"nodeType":1639,"value":7900,"marks":7901,"data":7902},", the first reported criminal PhaaS kit for device code phishing, already powering massive campaigns after launching in February. ",[],{},{"nodeType":1626,"data":7904,"content":7908},{"target":7905},{"sys":7906},{"id":7907,"type":1631,"linkType":1632},"6xsfmbYEzpW7CdDiNzO6cu",[],{"nodeType":1635,"data":7910,"content":7911},{},[7912],{"nodeType":1639,"value":7913,"marks":7914,"data":7915},"Some of the noteworthy in-the-wild campaigns include:",[],{},{"nodeType":1726,"data":7917,"content":7918},{},[7919,7951,7971],{"nodeType":1730,"data":7920,"content":7921},{},[7922],{"nodeType":1635,"data":7923,"content":7924},{},[7925,7929,7936,7939,7947],{"nodeType":1639,"value":7926,"marks":7927,"data":7928},"Storm-2372, tracked by ",[],{},{"nodeType":1644,"data":7930,"content":7931},{"uri":6785},[7932],{"nodeType":1639,"value":7933,"marks":7934,"data":7935},"Microsoft",[],{},{"nodeType":1639,"value":5688,"marks":7937,"data":7938},[],{},{"nodeType":1644,"data":7940,"content":7942},{"uri":7941},"https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/",[7943],{"nodeType":1639,"value":7944,"marks":7945,"data":7946},"Volexity",[],{},{"nodeType":1639,"value":7948,"marks":7949,"data":7950},", linked to multiple Russia-aligned clusters, combining spear-phishing and social engineering with device code phishing payloads against strategic intelligence targets.",[],{},{"nodeType":1730,"data":7952,"content":7953},{},[7954],{"nodeType":1635,"data":7955,"content":7956},{},[7957,7961,7967],{"nodeType":1639,"value":7958,"marks":7959,"data":7960},"The massive Salesforce campaign operated by ",[],{},{"nodeType":1644,"data":7962,"content":7963},{"uri":2629},[7964],{"nodeType":1639,"value":3017,"marks":7965,"data":7966},[],{},{"nodeType":1639,"value":7968,"marks":7969,"data":7970}," (SLH) combined vishing with a device code phishing payload targeting Salesforce. The attacks morphed into a broader supply chain campaign using stolen credentials, ultimately resulting in 1000+ organizations being compromised and over 1.5 billion stolen records claimed. ",[],{},{"nodeType":1730,"data":7972,"content":7973},{},[7974],{"nodeType":1635,"data":7975,"content":7976},{},[7977,7981,7989,7993,8002,8006,8015,8019,8028,8032,8041],{"nodeType":1639,"value":7978,"marks":7979,"data":7980},"A massive spike in activity in late 2025 and 2026. This includes ",[],{},{"nodeType":1644,"data":7982,"content":7984},{"uri":7983},"https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover",[7985],{"nodeType":1639,"value":7986,"marks":7987,"data":7988},"multiple threat clusters",[],{},{"nodeType":1639,"value":7990,"marks":7991,"data":7992}," tracked using device code phishing techniques, more ",[],{},{"nodeType":1644,"data":7994,"content":7996},{"uri":7995},"https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/",[7997],{"nodeType":1639,"value":7998,"marks":7999,"data":8001},"criminal operations linked to SLH",[8000],{"type":1652},{},{"nodeType":1639,"value":8003,"marks":8004,"data":8005},", and ",[],{},{"nodeType":1644,"data":8007,"content":8009},{"uri":8008},"https://newtonpaul.com/blog/device-code-phish-update/",[8010],{"nodeType":1639,"value":8011,"marks":8012,"data":8014},"hundreds of organizations being targeted via PhaaS architecture,",[8013],{"type":1652},{},{"nodeType":1639,"value":8016,"marks":8017,"data":8018}," which looks to be the same campaign as the recently uncovered EvilTokens PhaaS reported by ",[],{},{"nodeType":1644,"data":8020,"content":8022},{"uri":8021},"https://www.huntress.com/blog/railway-paas-m365-token-replay-campaign",[8023],{"nodeType":1639,"value":8024,"marks":8025,"data":8027},"Huntress",[8026],{"type":1652},{},{"nodeType":1639,"value":8029,"marks":8030,"data":8031}," (featuring abuse of the Railway PaaS platform). Abnormal has also reported on a closed-source PhaaS kit called ",[],{},{"nodeType":1644,"data":8033,"content":8035},{"uri":8034},"https://abnormal.ai/blog/venom-phishing-campaign-mfa-credential-theft",[8036],{"nodeType":1639,"value":8037,"marks":8038,"data":8040},"Venom",[8039],{"type":1652},{},{"nodeType":1639,"value":8042,"marks":8043,"data":8044}," that offers device code phishing capabilities that appear visually and functionally similar to EvilTokens.   ",[],{},{"nodeType":1697,"data":8046,"content":8047},{},[],{"nodeType":1701,"data":8049,"content":8050},{},[8051],{"nodeType":1639,"value":8052,"marks":8053,"data":8055},"What we’re seeing in the wild",[8054],{"type":1708},{},{"nodeType":1635,"data":8057,"content":8058},{},[8059],{"nodeType":1639,"value":8060,"marks":8061,"data":8062},"As mentioned, we’ve also seen a huge spike in device code phishing activity this year, with multiple kits, page designs, and lure types. We’ve identified 10 distinct kits in circulation in the wild, with EvilTokens being the most prevalent. It’s clear that attackers are both spinning up their own kits and creative derivatives of others — we’ve seen kits that are visually similar to EvilTokens (close enough to be clones or forks) but with very different backends, for example AWS, Digital Ocean, 2cloud, and more. ",[],{},{"nodeType":1626,"data":8064,"content":8068},{"target":8065},{"sys":8066},{"id":8067,"type":1631,"linkType":1632},"nJCbTw85GKXdqrlIkzZwi",[],{"nodeType":1697,"data":8070,"content":8071},{},[],{"nodeType":1815,"data":8073,"content":8074},{},[8075],{"nodeType":1639,"value":8076,"marks":8077,"data":8079},"“ANTIBOT” (EvilTokens)",[8078],{"type":1708},{},{"nodeType":1635,"data":8081,"content":8082},{},[8083,8086,8093,8096,8105,8109,8117],{"nodeType":1639,"value":29,"marks":8084,"data":8085},[],{},{"nodeType":1644,"data":8087,"content":8088},{"uri":8021},[8089],{"nodeType":1639,"value":8024,"marks":8090,"data":8092},[8091],{"type":1652},{},{"nodeType":1639,"value":1655,"marks":8094,"data":8095},[],{},{"nodeType":1644,"data":8097,"content":8099},{"uri":8098},"https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/",[8100],{"nodeType":1639,"value":8101,"marks":8102,"data":8104},"Sekoia",[8103],{"type":1652},{},{"nodeType":1639,"value":8106,"marks":8107,"data":8108},", and researcher ",[],{},{"nodeType":1644,"data":8110,"content":8111},{"uri":8008},[8112],{"nodeType":1639,"value":8113,"marks":8114,"data":8116},"Paul Newton",[8115],{"type":1652},{},{"nodeType":1639,"value":8118,"marks":8119,"data":8120}," have already done a great job of providing IOCs for the recent EvilTokens activity spike, including multiple backend Railway IPs in authentication events. ",[],{},{"nodeType":1626,"data":8122,"content":8126},{"target":8123},{"sys":8124},{"id":8125,"type":1631,"linkType":1632},"1XNviq5OvMf5TEAc59F6g5",[],{"nodeType":1635,"data":8128,"content":8129},{},[8130],{"nodeType":1639,"value":8131,"marks":8132,"data":8133},"Beyond the most widely observed implementation featuring a Cloudflare Workers frontend and Railway backend for authentication, we’ve also tracked additional versions of EvilTokens in circulation since January 2026 (many of which remain live along with the current “production” version of the kit). ",[],{},{"nodeType":1635,"data":8135,"content":8136},{},[8137],{"nodeType":1639,"value":8138,"marks":8139,"data":8140},"You can see an evolution of the kit in the videos and screenshots below, from early precursors seen in mid-January, the first mentions of ANTIBOT in the page code in late-January, the parallel development of a “Courts Access” fork that lacks the ANTIBOT references, and finally production EvilTokens in February. One of the key threads between the versions is the presence of a generateFallbackCode() JS function and use of a /generate-codes API call. ",[],{},{"nodeType":1635,"data":8142,"content":8143},{},[8144],{"nodeType":1639,"value":8145,"marks":8146,"data":8147},"Early implementations were quite different, for example using ScrapingBee to generate the displayed code, and varied hosting on vercel, fastly, edgeone, and others. ",[],{},{"nodeType":1635,"data":8149,"content":8150},{},[8151],{"nodeType":1639,"value":8152,"marks":8153,"data":8154},"After initially appearing on custom domains, the production version is now predominantly hosted on Cloudflare Workers, as per the broader tracking of the campaign. The descriptive HTML comments around ANTIBOT functions have also been removed in later versions. ",[],{},{"nodeType":1635,"data":8156,"content":8157},{},[8158,8162,8169],{"nodeType":1639,"value":8159,"marks":8160,"data":8161},"The production version of EvilTokens showcases common ",[],{},{"nodeType":1644,"data":8163,"content":8164},{"uri":7249},[8165],{"nodeType":1639,"value":7252,"marks":8166,"data":8168},[8167],{"type":1652},{},{"nodeType":1639,"value":8170,"marks":8171,"data":8172}," we've come to associate with PhaaS kits in the AiTM space — using multiple redirects through trusted sites before serving the malicious page, using bot protection to block security tools from analyzing the page, and so on. It also uses a pop-up window for the device code entry rather than a redirect, reducing the friction for the victim (it looks pretty convincing, too).",[],{},{"nodeType":1626,"data":8174,"content":8178},{"target":8175},{"sys":8176},{"id":8177,"type":1631,"linkType":1632},"73rNOIEDPfP5IJwpFaxVc2",[],{"nodeType":1626,"data":8180,"content":8184},{"target":8181},{"sys":8182},{"id":8183,"type":1631,"linkType":1632},"5BJSvOQUW9UpsQtoDNtgTC",[],{"nodeType":1626,"data":8186,"content":8190},{"target":8187},{"sys":8188},{"id":8189,"type":1631,"linkType":1632},"3dbePPxVb4h4SauGg3glIL",[],{"nodeType":1626,"data":8192,"content":8196},{"target":8193},{"sys":8194},{"id":8195,"type":1631,"linkType":1632},"1UOLcmNQvOsL5tdLSVuviq",[],{"nodeType":1626,"data":8198,"content":8202},{"target":8199},{"sys":8200},{"id":8201,"type":1631,"linkType":1632},"55XRqLSwUUi2D4ZVpJboml",[],{"nodeType":1626,"data":8204,"content":8208},{"target":8205},{"sys":8206},{"id":8207,"type":1631,"linkType":1632},"5wg5yr2Lo8t3f72ZV815c",[],{"nodeType":1626,"data":8210,"content":8214},{"target":8211},{"sys":8212},{"id":8213,"type":1631,"linkType":1632},"35cowlL6i3rkGXOGmSxlI1",[],{"nodeType":1635,"data":8216,"content":8217},{},[8218],{"nodeType":1639,"value":29,"marks":8219,"data":8220},[],{},{"nodeType":4764,"data":8222,"content":8223},{},[8224,8248,8331,8383,8407],{"nodeType":4768,"data":8225,"content":8226},{},[8227,8238],{"nodeType":4798,"data":8228,"content":8229},{},[8230],{"nodeType":1635,"data":8231,"content":8232},{},[8233],{"nodeType":1639,"value":8234,"marks":8235,"data":8237},"Frontend infrastructure",[8236],{"type":1708},{},{"nodeType":4798,"data":8239,"content":8240},{},[8241],{"nodeType":1635,"data":8242,"content":8243},{},[8244],{"nodeType":1639,"value":8245,"marks":8246,"data":8247},"Workers.dev, vercel.app, github.io, fastly.net, edgeone.dev",[],{},{"nodeType":4768,"data":8249,"content":8250},{},[8251,8262],{"nodeType":4798,"data":8252,"content":8253},{},[8254],{"nodeType":1635,"data":8255,"content":8256},{},[8257],{"nodeType":1639,"value":8258,"marks":8259,"data":8261},"Backend infrastructure",[8260],{"type":1708},{},{"nodeType":4798,"data":8263,"content":8264},{},[8265,8295],{"nodeType":1635,"data":8266,"content":8267},{},[8268,8273,8277,8282,8286,8291],{"nodeType":1639,"value":8269,"marks":8270,"data":8272},"Example IP: (V3) ",[8271],{"type":1708},{},{"nodeType":1639,"value":8274,"marks":8275,"data":8276},"162.220.232.71 (Railway AS400940) ",[],{},{"nodeType":1639,"value":8278,"marks":8279,"data":8281},"(V2)",[8280],{"type":1708},{},{"nodeType":1639,"value":8283,"marks":8284,"data":8285}," 71.11.42.193 ",[],{},{"nodeType":1639,"value":8287,"marks":8288,"data":8290},"(V1) ",[8289],{"type":1708},{},{"nodeType":1639,"value":8292,"marks":8293,"data":8294},"72.218.25.107",[],{},{"nodeType":1635,"data":8296,"content":8297},{},[8298,8303,8306,8311,8315,8319,8323,8327],{"nodeType":1639,"value":8299,"marks":8300,"data":8302},"Backend User Agent:",[8301],{"type":1708},{},{"nodeType":1639,"value":1755,"marks":8304,"data":8305},[],{},{"nodeType":1639,"value":8307,"marks":8308,"data":8310},"(V3) ",[8309],{"type":1708},{},{"nodeType":1639,"value":8312,"marks":8313,"data":8314},"node, ",[],{},{"nodeType":1639,"value":8278,"marks":8316,"data":8318},[8317],{"type":1708},{},{"nodeType":1639,"value":8320,"marks":8321,"data":8322},", Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683 Safari/537.36 OPR/57.0.3098.91 ",[],{},{"nodeType":1639,"value":8287,"marks":8324,"data":8326},[8325],{"type":1708},{},{"nodeType":1639,"value":8328,"marks":8329,"data":8330},"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 OPR/56.0.3051.52 ",[],{},{"nodeType":4768,"data":8332,"content":8333},{},[8334,8345],{"nodeType":4798,"data":8335,"content":8336},{},[8337],{"nodeType":1635,"data":8338,"content":8339},{},[8340],{"nodeType":1639,"value":8341,"marks":8342,"data":8344},"Network paths",[8343],{"type":1708},{},{"nodeType":4798,"data":8346,"content":8347},{},[8348,8355,8362,8369,8376],{"nodeType":1635,"data":8349,"content":8350},{},[8351],{"nodeType":1639,"value":8352,"marks":8353,"data":8354},"/api/rate-limit ",[],{},{"nodeType":1635,"data":8356,"content":8357},{},[8358],{"nodeType":1639,"value":8359,"marks":8360,"data":8361},"/api/fingerprint ",[],{},{"nodeType":1635,"data":8363,"content":8364},{},[8365],{"nodeType":1639,"value":8366,"marks":8367,"data":8368},"/api/captcha-verify ",[],{},{"nodeType":1635,"data":8370,"content":8371},{},[8372],{"nodeType":1639,"value":8373,"marks":8374,"data":8375},"/api/init /api/generate-code ",[],{},{"nodeType":1635,"data":8377,"content":8378},{},[8379],{"nodeType":1639,"value":8380,"marks":8381,"data":8382},"/api/check-auth",[],{},{"nodeType":4768,"data":8384,"content":8385},{},[8386,8397],{"nodeType":4798,"data":8387,"content":8388},{},[8389],{"nodeType":1635,"data":8390,"content":8391},{},[8392],{"nodeType":1639,"value":8393,"marks":8394,"data":8396},"Lure themes",[8395],{"type":1708},{},{"nodeType":4798,"data":8398,"content":8399},{},[8400],{"nodeType":1635,"data":8401,"content":8402},{},[8403],{"nodeType":1639,"value":8404,"marks":8405,"data":8406},"Various MS lures (e.g. Outlook, SharePoint, Teams) DocuSign, Adobe",[],{},{"nodeType":4768,"data":8408,"content":8409},{},[8410,8421],{"nodeType":4798,"data":8411,"content":8412},{},[8413],{"nodeType":1635,"data":8414,"content":8415},{},[8416],{"nodeType":1639,"value":8417,"marks":8418,"data":8420},"Example Domain",[8419],{"type":1708},{},{"nodeType":4798,"data":8422,"content":8423},{},[8424,8436,8448,8460,8472],{"nodeType":1635,"data":8425,"content":8426},{},[8427,8432],{"nodeType":1639,"value":8428,"marks":8429,"data":8431},"Precursor A:",[8430],{"type":1708},{},{"nodeType":1639,"value":8433,"marks":8434,"data":8435}," teams-zpfvwnpxuc[.]edgeone.dev",[],{},{"nodeType":1635,"data":8437,"content":8438},{},[8439,8444],{"nodeType":1639,"value":8440,"marks":8441,"data":8443},"Precursor B: ",[8442],{"type":1708},{},{"nodeType":1639,"value":8445,"marks":8446,"data":8447},"authenticate-m365-accountsecurity-m-pi[.]vercel.app",[],{},{"nodeType":1635,"data":8449,"content":8450},{},[8451,8456],{"nodeType":1639,"value":8452,"marks":8453,"data":8455},"Courts Access: ",[8454],{"type":1708},{},{"nodeType":1639,"value":8457,"marks":8458,"data":8459},"secure-systems-validations-courts[.]vercel.app",[],{},{"nodeType":1635,"data":8461,"content":8462},{},[8463,8468],{"nodeType":1639,"value":8464,"marks":8465,"data":8467},"Early ANTIBOT:",[8466],{"type":1708},{},{"nodeType":1639,"value":8469,"marks":8470,"data":8471}," interface-auth-en-useast[.]global.ssl.fastly.net",[],{},{"nodeType":1635,"data":8473,"content":8474},{},[8475,8480],{"nodeType":1639,"value":8476,"marks":8477,"data":8479},"Production ANTIBOT: ",[8478],{"type":1708},{},{"nodeType":1639,"value":8481,"marks":8482,"data":8483},"index-z059-document-pending-reviewsign-xlss7994824[.]awalizer[.]workers.dev",[],{},{"nodeType":1697,"data":8485,"content":8486},{},[],{"nodeType":1815,"data":8488,"content":8489},{},[8490],{"nodeType":1639,"value":8491,"marks":8492,"data":8494},"“SHAREFILE”",[8493],{"type":1708},{},{"nodeType":4764,"data":8496,"content":8497},{},[8498,8521,8560,8583,8606],{"nodeType":4768,"data":8499,"content":8500},{},[8501,8511],{"nodeType":4798,"data":8502,"content":8503},{},[8504],{"nodeType":1635,"data":8505,"content":8506},{},[8507],{"nodeType":1639,"value":8234,"marks":8508,"data":8510},[8509],{"type":1708},{},{"nodeType":4798,"data":8512,"content":8513},{},[8514],{"nodeType":1635,"data":8515,"content":8516},{},[8517],{"nodeType":1639,"value":8518,"marks":8519,"data":8520},"No hosting markers visible.",[],{},{"nodeType":4768,"data":8522,"content":8523},{},[8524,8534],{"nodeType":4798,"data":8525,"content":8526},{},[8527],{"nodeType":1635,"data":8528,"content":8529},{},[8530],{"nodeType":1639,"value":8258,"marks":8531,"data":8533},[8532],{"type":1708},{},{"nodeType":4798,"data":8535,"content":8536},{},[8537,8549],{"nodeType":1635,"data":8538,"content":8539},{},[8540,8545],{"nodeType":1639,"value":8541,"marks":8542,"data":8544},"Example IP:",[8543],{"type":1708},{},{"nodeType":1639,"value":8546,"marks":8547,"data":8548}," 147.45.60.47 (Global Connectivity Solutions LLP AS215540)",[],{},{"nodeType":1635,"data":8550,"content":8551},{},[8552,8556],{"nodeType":1639,"value":8299,"marks":8553,"data":8555},[8554],{"type":1708},{},{"nodeType":1639,"value":8557,"marks":8558,"data":8559}," node",[],{},{"nodeType":4768,"data":8561,"content":8562},{},[8563,8573],{"nodeType":4798,"data":8564,"content":8565},{},[8566],{"nodeType":1635,"data":8567,"content":8568},{},[8569],{"nodeType":1639,"value":8341,"marks":8570,"data":8572},[8571],{"type":1708},{},{"nodeType":4798,"data":8574,"content":8575},{},[8576],{"nodeType":1635,"data":8577,"content":8578},{},[8579],{"nodeType":1639,"value":8580,"marks":8581,"data":8582},"POST /api/device/start  POST /api/device/poll",[],{},{"nodeType":4768,"data":8584,"content":8585},{},[8586,8596],{"nodeType":4798,"data":8587,"content":8588},{},[8589],{"nodeType":1635,"data":8590,"content":8591},{},[8592],{"nodeType":1639,"value":8393,"marks":8593,"data":8595},[8594],{"type":1708},{},{"nodeType":4798,"data":8597,"content":8598},{},[8599],{"nodeType":1635,"data":8600,"content":8601},{},[8602],{"nodeType":1639,"value":8603,"marks":8604,"data":8605},"Citrix ShareFile document transfer — file card with sender info, expiry warning, download/preview buttons",[],{},{"nodeType":4768,"data":8607,"content":8608},{},[8609,8620],{"nodeType":4798,"data":8610,"content":8611},{},[8612],{"nodeType":1635,"data":8613,"content":8614},{},[8615],{"nodeType":1639,"value":8616,"marks":8617,"data":8619},"Example domain",[8618],{"type":1708},{},{"nodeType":4798,"data":8621,"content":8622},{},[8623],{"nodeType":1635,"data":8624,"content":8625},{},[8626],{"nodeType":1639,"value":8627,"marks":8628,"data":8629},"cghdfg[.]vbchkioi[.]su",[],{},{"nodeType":1626,"data":8631,"content":8635},{"target":8632},{"sys":8633},{"id":8634,"type":1631,"linkType":1632},"1TtZ6VsMSTlPvy7W996w9E",[],{"nodeType":1697,"data":8637,"content":8638},{},[],{"nodeType":1815,"data":8640,"content":8641},{},[8642],{"nodeType":1639,"value":8643,"marks":8644,"data":8646},"“CLURE”",[8645],{"type":1708},{},{"nodeType":4764,"data":8648,"content":8649},{},[8650,8673,8712,8735,8758],{"nodeType":4768,"data":8651,"content":8652},{},[8653,8663],{"nodeType":4798,"data":8654,"content":8655},{},[8656],{"nodeType":1635,"data":8657,"content":8658},{},[8659],{"nodeType":1639,"value":8234,"marks":8660,"data":8662},[8661],{"type":1708},{},{"nodeType":4798,"data":8664,"content":8665},{},[8666],{"nodeType":1635,"data":8667,"content":8668},{},[8669],{"nodeType":1639,"value":8670,"marks":8671,"data":8672},"API on api.duemineral.uk:8443 and api.loadingdocuments.uk:8443 (rotates). ",[],{},{"nodeType":4768,"data":8674,"content":8675},{},[8676,8686],{"nodeType":4798,"data":8677,"content":8678},{},[8679],{"nodeType":1635,"data":8680,"content":8681},{},[8682],{"nodeType":1639,"value":8258,"marks":8683,"data":8685},[8684],{"type":1708},{},{"nodeType":4798,"data":8687,"content":8688},{},[8689,8701],{"nodeType":1635,"data":8690,"content":8691},{},[8692,8697],{"nodeType":1639,"value":8693,"marks":8694,"data":8696},"Example IP: ",[8695],{"type":1708},{},{"nodeType":1639,"value":8698,"marks":8699,"data":8700},"162.243.166.119 (DigitalOcean AS14061)",[],{},{"nodeType":1635,"data":8702,"content":8703},{},[8704,8708],{"nodeType":1639,"value":8299,"marks":8705,"data":8707},[8706],{"type":1708},{},{"nodeType":1639,"value":8709,"marks":8710,"data":8711}," python-requests/2.32.5",[],{},{"nodeType":4768,"data":8713,"content":8714},{},[8715,8725],{"nodeType":4798,"data":8716,"content":8717},{},[8718],{"nodeType":1635,"data":8719,"content":8720},{},[8721],{"nodeType":1639,"value":8341,"marks":8722,"data":8724},[8723],{"type":1708},{},{"nodeType":4798,"data":8726,"content":8727},{},[8728],{"nodeType":1635,"data":8729,"content":8730},{},[8731],{"nodeType":1639,"value":8732,"marks":8733,"data":8734},"GET /api/status/{numeric_SID} (port :8443)",[],{},{"nodeType":4768,"data":8736,"content":8737},{},[8738,8748],{"nodeType":4798,"data":8739,"content":8740},{},[8741],{"nodeType":1635,"data":8742,"content":8743},{},[8744],{"nodeType":1639,"value":8393,"marks":8745,"data":8747},[8746],{"type":1708},{},{"nodeType":4798,"data":8749,"content":8750},{},[8751],{"nodeType":1635,"data":8752,"content":8753},{},[8754],{"nodeType":1639,"value":8755,"marks":8756,"data":8757},"SharePoint \"Team Site\" doc library, SharePoint \"Shared Document\" individual share",[],{},{"nodeType":4768,"data":8759,"content":8760},{},[8761,8771],{"nodeType":4798,"data":8762,"content":8763},{},[8764],{"nodeType":1635,"data":8765,"content":8766},{},[8767],{"nodeType":1639,"value":8616,"marks":8768,"data":8770},[8769],{"type":1708},{},{"nodeType":4798,"data":8772,"content":8773},{},[8774],{"nodeType":1635,"data":8775,"content":8776},{},[8777],{"nodeType":1639,"value":8778,"marks":8779,"data":8780},"auth[.]duemineral[.]uk",[],{},{"nodeType":1626,"data":8782,"content":8786},{"target":8783},{"sys":8784},{"id":8785,"type":1631,"linkType":1632},"3DAm11OYudNrqbL6pda5S1",[],{"nodeType":1697,"data":8788,"content":8789},{},[],{"nodeType":1815,"data":8791,"content":8792},{},[8793],{"nodeType":1639,"value":8794,"marks":8795,"data":8797},"“LINKID”",[8796],{"type":1708},{},{"nodeType":4764,"data":8799,"content":8800},{},[8801,8824,8869,8899,8922],{"nodeType":4768,"data":8802,"content":8803},{},[8804,8814],{"nodeType":4798,"data":8805,"content":8806},{},[8807],{"nodeType":1635,"data":8808,"content":8809},{},[8810],{"nodeType":1639,"value":8234,"marks":8811,"data":8813},[8812],{"type":1708},{},{"nodeType":4798,"data":8815,"content":8816},{},[8817],{"nodeType":1635,"data":8818,"content":8819},{},[8820],{"nodeType":1639,"value":8821,"marks":8822,"data":8823},"Adobe variant has Cloudflare challenge-platform iframe (CF-protected origin). Relative API paths — self-hosted.",[],{},{"nodeType":4768,"data":8825,"content":8826},{},[8827,8837],{"nodeType":4798,"data":8828,"content":8829},{},[8830],{"nodeType":1635,"data":8831,"content":8832},{},[8833],{"nodeType":1639,"value":8258,"marks":8834,"data":8836},[8835],{"type":1708},{},{"nodeType":4798,"data":8838,"content":8839},{},[8840,8851,8858],{"nodeType":1635,"data":8841,"content":8842},{},[8843,8847],{"nodeType":1639,"value":8693,"marks":8844,"data":8846},[8845],{"type":1708},{},{"nodeType":1639,"value":8848,"marks":8849,"data":8850},"185.176.220.22 (2cloud.eu AS39845)",[],{},{"nodeType":1635,"data":8852,"content":8853},{},[8854],{"nodeType":1639,"value":8855,"marks":8856,"data":8857},"2600:1f10:470d:9a00:1437:ec30:be61:3494 (AWS AS16509)",[],{},{"nodeType":1635,"data":8859,"content":8860},{},[8861,8865],{"nodeType":1639,"value":8299,"marks":8862,"data":8864},[8863],{"type":1708},{},{"nodeType":1639,"value":8866,"marks":8867,"data":8868}," axios/1.10.0 , axios/1.13.6",[],{},{"nodeType":4768,"data":8870,"content":8871},{},[8872,8882],{"nodeType":4798,"data":8873,"content":8874},{},[8875],{"nodeType":1635,"data":8876,"content":8877},{},[8878],{"nodeType":1639,"value":8341,"marks":8879,"data":8881},[8880],{"type":1708},{},{"nodeType":4798,"data":8883,"content":8884},{},[8885,8892],{"nodeType":1635,"data":8886,"content":8887},{},[8888],{"nodeType":1639,"value":8889,"marks":8890,"data":8891},"POST /api/device/start",[],{},{"nodeType":1635,"data":8893,"content":8894},{},[8895],{"nodeType":1639,"value":8896,"marks":8897,"data":8898},"GET /api/device/status/{sessionId}",[],{},{"nodeType":4768,"data":8900,"content":8901},{},[8902,8912],{"nodeType":4798,"data":8903,"content":8904},{},[8905],{"nodeType":1635,"data":8906,"content":8907},{},[8908],{"nodeType":1639,"value":8393,"marks":8909,"data":8911},[8910],{"type":1708},{},{"nodeType":4798,"data":8913,"content":8914},{},[8915],{"nodeType":1635,"data":8916,"content":8917},{},[8918],{"nodeType":1639,"value":8919,"marks":8920,"data":8921},"MS Teams meeting invitation (with interactive date/time picker), Adobe Acrobat Sign document review",[],{},{"nodeType":4768,"data":8923,"content":8924},{},[8925,8935],{"nodeType":4798,"data":8926,"content":8927},{},[8928],{"nodeType":1635,"data":8929,"content":8930},{},[8931],{"nodeType":1639,"value":8616,"marks":8932,"data":8934},[8933],{"type":1708},{},{"nodeType":4798,"data":8936,"content":8937},{},[8938],{"nodeType":1635,"data":8939,"content":8940},{},[8941],{"nodeType":1639,"value":8942,"marks":8943,"data":8944},"sdtr-site[.]cfd",[],{},{"nodeType":1626,"data":8946,"content":8950},{"target":8947},{"sys":8948},{"id":8949,"type":1631,"linkType":1632},"22hsIzlkptC2JTIUtbOuUn",[],{"nodeType":1697,"data":8952,"content":8953},{},[],{"nodeType":1815,"data":8955,"content":8956},{},[8957],{"nodeType":1639,"value":8958,"marks":8959,"data":8961},"“AUTHOV”",[8960],{"type":1708},{},{"nodeType":4764,"data":8963,"content":8964},{},[8965,8988,9034,9057,9080],{"nodeType":4768,"data":8966,"content":8967},{},[8968,8978],{"nodeType":4798,"data":8969,"content":8970},{},[8971],{"nodeType":1635,"data":8972,"content":8973},{},[8974],{"nodeType":1639,"value":8234,"marks":8975,"data":8977},[8976],{"type":1708},{},{"nodeType":4798,"data":8979,"content":8980},{},[8981],{"nodeType":1635,"data":8982,"content":8983},{},[8984],{"nodeType":1639,"value":8985,"marks":8986,"data":8987},"workers.dev",[],{},{"nodeType":4768,"data":8989,"content":8990},{},[8991,9001],{"nodeType":4798,"data":8992,"content":8993},{},[8994],{"nodeType":1635,"data":8995,"content":8996},{},[8997],{"nodeType":1639,"value":8258,"marks":8998,"data":9000},[8999],{"type":1708},{},{"nodeType":4798,"data":9002,"content":9003},{},[9004,9015],{"nodeType":1635,"data":9005,"content":9006},{},[9007,9011],{"nodeType":1639,"value":8693,"marks":9008,"data":9010},[9009],{"type":1708},{},{"nodeType":1639,"value":9012,"marks":9013,"data":9014},"192.3.225.100 (HostPapa / ColoCrossing AS36352)",[],{},{"nodeType":1635,"data":9016,"content":9017},{},[9018,9022,9025,9030],{"nodeType":1639,"value":8299,"marks":9019,"data":9021},[9020],{"type":1708},{},{"nodeType":1639,"value":1755,"marks":9023,"data":9024},[],{},{"nodeType":1639,"value":9026,"marks":9027,"data":9029}," ",[9028],{"type":1708},{},{"nodeType":1639,"value":9031,"marks":9032,"data":9033},"python-httpx/0.28.1",[],{},{"nodeType":4768,"data":9035,"content":9036},{},[9037,9047],{"nodeType":4798,"data":9038,"content":9039},{},[9040],{"nodeType":1635,"data":9041,"content":9042},{},[9043],{"nodeType":1639,"value":8341,"marks":9044,"data":9046},[9045],{"type":1708},{},{"nodeType":4798,"data":9048,"content":9049},{},[9050],{"nodeType":1635,"data":9051,"content":9052},{},[9053],{"nodeType":1639,"value":9054,"marks":9055,"data":9056},"GET /landing/api/session-status?session_id=&token=",[],{},{"nodeType":4768,"data":9058,"content":9059},{},[9060,9070],{"nodeType":4798,"data":9061,"content":9062},{},[9063],{"nodeType":1635,"data":9064,"content":9065},{},[9066],{"nodeType":1639,"value":8393,"marks":9067,"data":9069},[9068],{"type":1708},{},{"nodeType":4798,"data":9071,"content":9072},{},[9073],{"nodeType":1635,"data":9074,"content":9075},{},[9076],{"nodeType":1639,"value":9077,"marks":9078,"data":9079},"Adobe Acrobat document sharing (PDF preview, sender avatar)",[],{},{"nodeType":4768,"data":9081,"content":9082},{},[9083,9093],{"nodeType":4798,"data":9084,"content":9085},{},[9086],{"nodeType":1635,"data":9087,"content":9088},{},[9089],{"nodeType":1639,"value":8616,"marks":9090,"data":9092},[9091],{"type":1708},{},{"nodeType":4798,"data":9094,"content":9095},{},[9096],{"nodeType":1635,"data":9097,"content":9098},{},[9099],{"nodeType":1639,"value":9100,"marks":9101,"data":9102},"milosh-solibella-0dcio[.]sgttommy.workers.dev",[],{},{"nodeType":1626,"data":9104,"content":9108},{"target":9105},{"sys":9106},{"id":9107,"type":1631,"linkType":1632},"6szO6IKJ32usyxIKX1efZy",[],{"nodeType":1697,"data":9110,"content":9111},{},[],{"nodeType":1815,"data":9113,"content":9114},{},[9115],{"nodeType":1639,"value":9116,"marks":9117,"data":9119},"“DOCUPOLL”",[9118],{"type":1708},{},{"nodeType":4764,"data":9121,"content":9122},{},[9123,9146,9184,9221,9244],{"nodeType":4768,"data":9124,"content":9125},{},[9126,9136],{"nodeType":4798,"data":9127,"content":9128},{},[9129],{"nodeType":1635,"data":9130,"content":9131},{},[9132],{"nodeType":1639,"value":8234,"marks":9133,"data":9135},[9134],{"type":1708},{},{"nodeType":4798,"data":9137,"content":9138},{},[9139],{"nodeType":1635,"data":9140,"content":9141},{},[9142],{"nodeType":1639,"value":9143,"marks":9144,"data":9145},"Github.io and workers.dev hosting",[],{},{"nodeType":4768,"data":9147,"content":9148},{},[9149,9159],{"nodeType":4798,"data":9150,"content":9151},{},[9152],{"nodeType":1635,"data":9153,"content":9154},{},[9155],{"nodeType":1639,"value":8258,"marks":9156,"data":9158},[9157],{"type":1708},{},{"nodeType":4798,"data":9160,"content":9161},{},[9162,9173],{"nodeType":1635,"data":9163,"content":9164},{},[9165,9169],{"nodeType":1639,"value":8693,"marks":9166,"data":9168},[9167],{"type":1708},{},{"nodeType":1639,"value":9170,"marks":9171,"data":9172},"144.172.103.240 (FranTech Solutions / RouterHosting / Cloudzy AS14956)",[],{},{"nodeType":1635,"data":9174,"content":9175},{},[9176,9180],{"nodeType":1639,"value":8299,"marks":9177,"data":9179},[9178],{"type":1708},{},{"nodeType":1639,"value":9181,"marks":9182,"data":9183}," Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19042",[],{},{"nodeType":4768,"data":9185,"content":9186},{},[9187,9197],{"nodeType":4798,"data":9188,"content":9189},{},[9190],{"nodeType":1635,"data":9191,"content":9192},{},[9193],{"nodeType":1639,"value":8341,"marks":9194,"data":9196},[9195],{"type":1708},{},{"nodeType":4798,"data":9198,"content":9199},{},[9200,9207,9214],{"nodeType":1635,"data":9201,"content":9202},{},[9203],{"nodeType":1639,"value":9204,"marks":9205,"data":9206},"POST /api/v1/landing-pages/public/{slug}/init",[],{},{"nodeType":1635,"data":9208,"content":9209},{},[9210],{"nodeType":1639,"value":9211,"marks":9212,"data":9213},"POST .../poll",[],{},{"nodeType":1635,"data":9215,"content":9216},{},[9217],{"nodeType":1639,"value":9218,"marks":9219,"data":9220},"POST .../track",[],{},{"nodeType":4768,"data":9222,"content":9223},{},[9224,9234],{"nodeType":4798,"data":9225,"content":9226},{},[9227],{"nodeType":1635,"data":9228,"content":9229},{},[9230],{"nodeType":1639,"value":8393,"marks":9231,"data":9233},[9232],{"type":1708},{},{"nodeType":4798,"data":9235,"content":9236},{},[9237],{"nodeType":1635,"data":9238,"content":9239},{},[9240],{"nodeType":1639,"value":9241,"marks":9242,"data":9243},"DocuSign document signing. One sample is a full scrape of real docusign.com (free-account page) with kit injected.",[],{},{"nodeType":4768,"data":9245,"content":9246},{},[9247,9257],{"nodeType":4798,"data":9248,"content":9249},{},[9250],{"nodeType":1635,"data":9251,"content":9252},{},[9253],{"nodeType":1639,"value":8616,"marks":9254,"data":9256},[9255],{"type":1708},{},{"nodeType":4798,"data":9258,"content":9259},{},[9260],{"nodeType":1635,"data":9261,"content":9262},{},[9263],{"nodeType":1639,"value":9264,"marks":9265,"data":9266},"docufirmar[.]github.io",[],{},{"nodeType":1626,"data":9268,"content":9272},{"target":9269},{"sys":9270},{"id":9271,"type":1631,"linkType":1632},"6Y1XABHnQD82R3MW80HnQZ",[],{"nodeType":1697,"data":9274,"content":9275},{},[],{"nodeType":1815,"data":9277,"content":9278},{},[9279],{"nodeType":1639,"value":9280,"marks":9281,"data":9283},"“FLOW_TOKEN”",[9282],{"type":1708},{},{"nodeType":4764,"data":9285,"content":9286},{},[9287,9309,9354,9384,9407],{"nodeType":4768,"data":9288,"content":9289},{},[9290,9300],{"nodeType":4798,"data":9291,"content":9292},{},[9293],{"nodeType":1635,"data":9294,"content":9295},{},[9296],{"nodeType":1639,"value":8234,"marks":9297,"data":9299},[9298],{"type":1708},{},{"nodeType":4798,"data":9301,"content":9302},{},[9303],{"nodeType":1635,"data":9304,"content":9305},{},[9306],{"nodeType":1639,"value":8985,"marks":9307,"data":9308},[],{},{"nodeType":4768,"data":9310,"content":9311},{},[9312,9322],{"nodeType":4798,"data":9313,"content":9314},{},[9315],{"nodeType":1635,"data":9316,"content":9317},{},[9318],{"nodeType":1639,"value":8258,"marks":9319,"data":9321},[9320],{"type":1708},{},{"nodeType":4798,"data":9323,"content":9324},{},[9325,9336],{"nodeType":1635,"data":9326,"content":9327},{},[9328,9332],{"nodeType":1639,"value":8693,"marks":9329,"data":9331},[9330],{"type":1708},{},{"nodeType":1639,"value":9333,"marks":9334,"data":9335},"43.166.163.163 (Tencent Cloud AS132203)",[],{},{"nodeType":1635,"data":9337,"content":9338},{},[9339,9343,9346,9350],{"nodeType":1639,"value":8299,"marks":9340,"data":9342},[9341],{"type":1708},{},{"nodeType":1639,"value":1755,"marks":9344,"data":9345},[],{},{"nodeType":1639,"value":9026,"marks":9347,"data":9349},[9348],{"type":1708},{},{"nodeType":1639,"value":9351,"marks":9352,"data":9353},"(null)",[],{},{"nodeType":4768,"data":9355,"content":9356},{},[9357,9367],{"nodeType":4798,"data":9358,"content":9359},{},[9360],{"nodeType":1635,"data":9361,"content":9362},{},[9363],{"nodeType":1639,"value":8341,"marks":9364,"data":9366},[9365],{"type":1708},{},{"nodeType":4798,"data":9368,"content":9369},{},[9370,9377],{"nodeType":1635,"data":9371,"content":9372},{},[9373],{"nodeType":1639,"value":9374,"marks":9375,"data":9376},"POST /api/handler.php ",[],{},{"nodeType":1635,"data":9378,"content":9379},{},[9380],{"nodeType":1639,"value":9381,"marks":9382,"data":9383},"(actions: device_code_generate, device_code_poll_public)",[],{},{"nodeType":4768,"data":9385,"content":9386},{},[9387,9397],{"nodeType":4798,"data":9388,"content":9389},{},[9390],{"nodeType":1635,"data":9391,"content":9392},{},[9393],{"nodeType":1639,"value":8393,"marks":9394,"data":9396},[9395],{"type":1708},{},{"nodeType":4798,"data":9398,"content":9399},{},[9400],{"nodeType":1635,"data":9401,"content":9402},{},[9403],{"nodeType":1639,"value":9404,"marks":9405,"data":9406},"DocuSign \"Salary Adjustment Document — 2026\", Microsoft banner · HR Department sender",[],{},{"nodeType":4768,"data":9408,"content":9409},{},[9410,9420],{"nodeType":4798,"data":9411,"content":9412},{},[9413],{"nodeType":1635,"data":9414,"content":9415},{},[9416],{"nodeType":1639,"value":8616,"marks":9417,"data":9419},[9418],{"type":1708},{},{"nodeType":4798,"data":9421,"content":9422},{},[9423],{"nodeType":1635,"data":9424,"content":9425},{},[9426],{"nodeType":1639,"value":9427,"marks":9428,"data":9429},"salaryadjustment-2afb52.pmb6fefc52b3f9aa5c2dbf[.]workers.dev",[],{},{"nodeType":1626,"data":9431,"content":9435},{"target":9432},{"sys":9433},{"id":9434,"type":1631,"linkType":1632},"6xiTDHStbiJh7LMhjAZcPd",[],{"nodeType":1697,"data":9437,"content":9438},{},[],{"nodeType":1815,"data":9440,"content":9441},{},[9442],{"nodeType":1639,"value":9443,"marks":9444,"data":9446},"“PAPRIKA”",[9445],{"type":1708},{},{"nodeType":4764,"data":9448,"content":9449},{},[9450,9473,9496,9519],{"nodeType":4768,"data":9451,"content":9452},{},[9453,9463],{"nodeType":4798,"data":9454,"content":9455},{},[9456],{"nodeType":1635,"data":9457,"content":9458},{},[9459],{"nodeType":1639,"value":8234,"marks":9460,"data":9462},[9461],{"type":1708},{},{"nodeType":4798,"data":9464,"content":9465},{},[9466],{"nodeType":1635,"data":9467,"content":9468},{},[9469],{"nodeType":1639,"value":9470,"marks":9471,"data":9472},"AWS S3 hosting",[],{},{"nodeType":4768,"data":9474,"content":9475},{},[9476,9486],{"nodeType":4798,"data":9477,"content":9478},{},[9479],{"nodeType":1635,"data":9480,"content":9481},{},[9482],{"nodeType":1639,"value":8341,"marks":9483,"data":9485},[9484],{"type":1708},{},{"nodeType":4798,"data":9487,"content":9488},{},[9489],{"nodeType":1635,"data":9490,"content":9491},{},[9492],{"nodeType":1639,"value":9493,"marks":9494,"data":9495},"POST /api/v1/loader",[],{},{"nodeType":4768,"data":9497,"content":9498},{},[9499,9509],{"nodeType":4798,"data":9500,"content":9501},{},[9502],{"nodeType":1635,"data":9503,"content":9504},{},[9505],{"nodeType":1639,"value":8393,"marks":9506,"data":9508},[9507],{"type":1708},{},{"nodeType":4798,"data":9510,"content":9511},{},[9512],{"nodeType":1635,"data":9513,"content":9514},{},[9515],{"nodeType":1639,"value":9516,"marks":9517,"data":9518},"MS login clone (\"Sign in to your account\"), \"Office 365\" branding, fake \"Powered by Okta\" footer",[],{},{"nodeType":4768,"data":9520,"content":9521},{},[9522,9532],{"nodeType":4798,"data":9523,"content":9524},{},[9525],{"nodeType":1635,"data":9526,"content":9527},{},[9528],{"nodeType":1639,"value":8616,"marks":9529,"data":9531},[9530],{"type":1708},{},{"nodeType":4798,"data":9533,"content":9534},{},[9535],{"nodeType":1635,"data":9536,"content":9537},{},[9538],{"nodeType":1639,"value":9539,"marks":9540,"data":9541},"redirect-523346-d95027ec[.]s3.amazonaws.com",[],{},{"nodeType":1626,"data":9543,"content":9547},{"target":9544},{"sys":9545},{"id":9546,"type":1631,"linkType":1632},"6WFXqUDzcJHKWSwVIcDZAf",[],{"nodeType":1697,"data":9549,"content":9550},{},[],{"nodeType":1815,"data":9552,"content":9553},{},[9554],{"nodeType":1639,"value":9555,"marks":9556,"data":9558},"“DCSTATUS”",[9557],{"type":1708},{},{"nodeType":4764,"data":9560,"content":9561},{},[9562,9584,9607,9630],{"nodeType":4768,"data":9563,"content":9564},{},[9565,9575],{"nodeType":4798,"data":9566,"content":9567},{},[9568],{"nodeType":1635,"data":9569,"content":9570},{},[9571],{"nodeType":1639,"value":8234,"marks":9572,"data":9574},[9573],{"type":1708},{},{"nodeType":4798,"data":9576,"content":9577},{},[9578],{"nodeType":1635,"data":9579,"content":9580},{},[9581],{"nodeType":1639,"value":8518,"marks":9582,"data":9583},[],{},{"nodeType":4768,"data":9585,"content":9586},{},[9587,9597],{"nodeType":4798,"data":9588,"content":9589},{},[9590],{"nodeType":1635,"data":9591,"content":9592},{},[9593],{"nodeType":1639,"value":8341,"marks":9594,"data":9596},[9595],{"type":1708},{},{"nodeType":4798,"data":9598,"content":9599},{},[9600],{"nodeType":1635,"data":9601,"content":9602},{},[9603],{"nodeType":1639,"value":9604,"marks":9605,"data":9606},"GET /dc/status/{base64url_sid}",[],{},{"nodeType":4768,"data":9608,"content":9609},{},[9610,9620],{"nodeType":4798,"data":9611,"content":9612},{},[9613],{"nodeType":1635,"data":9614,"content":9615},{},[9616],{"nodeType":1639,"value":8393,"marks":9617,"data":9619},[9618],{"type":1708},{},{"nodeType":4798,"data":9621,"content":9622},{},[9623],{"nodeType":1635,"data":9624,"content":9625},{},[9626],{"nodeType":1639,"value":9627,"marks":9628,"data":9629},"Generic \"Microsoft 365 - Secure Access\" verification page",[],{},{"nodeType":4768,"data":9631,"content":9632},{},[9633,9643],{"nodeType":4798,"data":9634,"content":9635},{},[9636],{"nodeType":1635,"data":9637,"content":9638},{},[9639],{"nodeType":1639,"value":8616,"marks":9640,"data":9642},[9641],{"type":1708},{},{"nodeType":4798,"data":9644,"content":9645},{},[9646],{"nodeType":1635,"data":9647,"content":9648},{},[9649],{"nodeType":1639,"value":9650,"marks":9651,"data":9652},"owa[.]apmmacleans[.]ca",[],{},{"nodeType":1626,"data":9654,"content":9658},{"target":9655},{"sys":9656},{"id":9657,"type":1631,"linkType":1632},"ugYhHeXY1lQdKooALmrIs",[],{"nodeType":1697,"data":9660,"content":9661},{},[],{"nodeType":1815,"data":9663,"content":9664},{},[9665],{"nodeType":1639,"value":9666,"marks":9667,"data":9669},"“DOLCE”",[9668],{"type":1708},{},{"nodeType":1626,"data":9671,"content":9675},{"target":9672},{"sys":9673},{"id":9674,"type":1631,"linkType":1632},"7TzU6kk01Un45NB0buEz2",[],{"nodeType":4764,"data":9677,"content":9678},{},[9679,9702,9740,9763,9786],{"nodeType":4768,"data":9680,"content":9681},{},[9682,9692],{"nodeType":4798,"data":9683,"content":9684},{},[9685],{"nodeType":1635,"data":9686,"content":9687},{},[9688],{"nodeType":1639,"value":8234,"marks":9689,"data":9691},[9690],{"type":1708},{},{"nodeType":4798,"data":9693,"content":9694},{},[9695],{"nodeType":1635,"data":9696,"content":9697},{},[9698],{"nodeType":1639,"value":9699,"marks":9700,"data":9701},"Microsoft PowerApps hosting",[],{},{"nodeType":4768,"data":9703,"content":9704},{},[9705,9715],{"nodeType":4798,"data":9706,"content":9707},{},[9708],{"nodeType":1635,"data":9709,"content":9710},{},[9711],{"nodeType":1639,"value":8258,"marks":9712,"data":9714},[9713],{"type":1708},{},{"nodeType":4798,"data":9716,"content":9717},{},[9718,9729],{"nodeType":1635,"data":9719,"content":9720},{},[9721,9725],{"nodeType":1639,"value":8693,"marks":9722,"data":9724},[9723],{"type":1708},{},{"nodeType":1639,"value":9726,"marks":9727,"data":9728},"34.53.159.84 (Google Cloud AS396982)",[],{},{"nodeType":1635,"data":9730,"content":9731},{},[9732,9736],{"nodeType":1639,"value":8299,"marks":9733,"data":9735},[9734],{"type":1708},{},{"nodeType":1639,"value":9737,"marks":9738,"data":9739}," Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",[],{},{"nodeType":4768,"data":9741,"content":9742},{},[9743,9753],{"nodeType":4798,"data":9744,"content":9745},{},[9746],{"nodeType":1635,"data":9747,"content":9748},{},[9749],{"nodeType":1639,"value":8341,"marks":9750,"data":9752},[9751],{"type":1708},{},{"nodeType":4798,"data":9754,"content":9755},{},[9756],{"nodeType":1635,"data":9757,"content":9758},{},[9759],{"nodeType":1639,"value":9760,"marks":9761,"data":9762},"GET /api/generatecode (CloudFront)",[],{},{"nodeType":4768,"data":9764,"content":9765},{},[9766,9776],{"nodeType":4798,"data":9767,"content":9768},{},[9769],{"nodeType":1635,"data":9770,"content":9771},{},[9772],{"nodeType":1639,"value":8393,"marks":9773,"data":9775},[9774],{"type":1708},{},{"nodeType":4798,"data":9777,"content":9778},{},[9779],{"nodeType":1635,"data":9780,"content":9781},{},[9782],{"nodeType":1639,"value":9783,"marks":9784,"data":9785},"Dolce & Gabbana branded, Italian language, MS account verification",[],{},{"nodeType":4768,"data":9787,"content":9788},{},[9789,9799],{"nodeType":4798,"data":9790,"content":9791},{},[9792],{"nodeType":1635,"data":9793,"content":9794},{},[9795],{"nodeType":1639,"value":8616,"marks":9796,"data":9798},[9797],{"type":1708},{},{"nodeType":4798,"data":9800,"content":9801},{},[9802],{"nodeType":1635,"data":9803,"content":9804},{},[9805],{"nodeType":1639,"value":9806,"marks":9807,"data":9808},"data-migration-dolcegabbana[.]powerappsportals.com",[],{},{"nodeType":1626,"data":9810,"content":9814},{"target":9811},{"sys":9812},{"id":9813,"type":1631,"linkType":1632},"4ayQDvpf5NNOBrj9wZZRiO",[],{"nodeType":9816,"data":9817,"content":9818},"blockquote",{},[9819],{"nodeType":1635,"data":9820,"content":9821},{},[9822],{"nodeType":1639,"value":9823,"marks":9824,"data":9825},"Clearly, device code phishing has entered mainstream adoption and we should be prepared for a lot more of it in future. So how does it work, and why is it so effective?",[],{},{"nodeType":1697,"data":9827,"content":9828},{},[],{"nodeType":1701,"data":9830,"content":9831},{},[9832],{"nodeType":1639,"value":9833,"marks":9834,"data":9836},"Device code phishing under the hood",[9835],{"type":1708},{},{"nodeType":1635,"data":9838,"content":9839},{},[9840,9844],{"nodeType":1639,"value":9841,"marks":9842,"data":9843},"The attacker POSTs to the authorization server's device authorization endpoint with its client_id (i.e. an application ID) and requested scopes or resources. The server responds with a device_code (used for polling), a user_code, a verification_uri, an expires_in value, and a polling interval. The user visits the URL, enters the code and approves the request. Meanwhile, the device polls the token endpoint. Once approved, the server returns an access token, a refresh token (if offline_access was requested), and an ID token (if openid was included). ",[],{},{"nodeType":1639,"value":9845,"marks":9846,"data":9848},"The attacker now has API access to the victim's account. ",[9847],{"type":1708},{},{"nodeType":1635,"data":9850,"content":9851},{},[9852],{"nodeType":1639,"value":9853,"marks":9854,"data":9855},"Broadly, this gives the attacker a comparable level of control to a “normal” phishing attack (with conditions based on the scopes granted and specific app being targeted) while API access grants additional capabilities beyond standard browser sessions. When combined with other techniques, this access can be exchanged to open normal browser app sessions and access SSO connected apps.",[],{},{"nodeType":1626,"data":9857,"content":9861},{"target":9858},{"sys":9859},{"id":9860,"type":1631,"linkType":1632},"4WtQR2xsE236yoyhSXj58Z",[],{"nodeType":1626,"data":9863,"content":9867},{"target":9864},{"sys":9865},{"id":9866,"type":1631,"linkType":1632},"1x7Lip7JdY2xlHKKurT7qJ",[],{"nodeType":1635,"data":9869,"content":9870},{},[9871],{"nodeType":1639,"value":9872,"marks":9873,"data":9874},"At this point, you can achieve a number of objectives both inside the app ecosystem and across SSO connected apps — e.g. data theft, disruption, and ultimately extortion.",[],{},{"nodeType":1635,"data":9876,"content":9877},{},[9878,9882,9887,9891],{"nodeType":1639,"value":9879,"marks":9880,"data":9881},"Critically, the initial request to generate a device code is typically ",[],{},{"nodeType":1639,"value":9883,"marks":9884,"data":9886},"unauthenticated",[9885],{"type":1708},{},{"nodeType":1639,"value":9888,"marks":9889,"data":9890}," across all providers — ",[],{},{"nodeType":1639,"value":9892,"marks":9893,"data":9895},"anyone can generate one, from any machine, without proving any relationship to the target organization.",[9894],{"type":1708},{},{"nodeType":1635,"data":9897,"content":9898},{},[9899,9903,9908],{"nodeType":1639,"value":9900,"marks":9901,"data":9902},"So, the attacker has to deliver a set of instructions via a phishing channel (e.g. email, social media DM, corp IM platform, and so on) with a device code that they have generated. The victim then enters this code on the ",[],{},{"nodeType":1639,"value":9904,"marks":9905,"data":9907},"legitimate device code login page",[9906],{"type":1708},{},{"nodeType":1639,"value":9909,"marks":9910,"data":9911}," for that app and issues the tokens to the attacker.",[],{},{"nodeType":1626,"data":9913,"content":9917},{"target":9914},{"sys":9915},{"id":9916,"type":1631,"linkType":1632},"1txUYuQjH9FlbDGTo8AbZB",[],{"nodeType":1697,"data":9919,"content":9920},{},[],{"nodeType":1701,"data":9922,"content":9923},{},[9924],{"nodeType":1639,"value":9925,"marks":9926,"data":9928},"Why device code phishing is so dangerous",[9927],{"type":1708},{},{"nodeType":1815,"data":9930,"content":9931},{},[9932],{"nodeType":1639,"value":9933,"marks":9934,"data":9936},"Device code phishing bypasses authentication controls (including passkeys)",[9935],{"type":1708},{},{"nodeType":1635,"data":9938,"content":9939},{},[9940,9944,9949,9953],{"nodeType":1639,"value":9941,"marks":9942,"data":9943},"A device code phishing attack ",[],{},{"nodeType":1639,"value":9945,"marks":9946,"data":9948},"cannot be prevented with authentication controls",[9947],{"type":1708},{},{"nodeType":1639,"value":9950,"marks":9951,"data":9952},". This includes all forms of MFA and ",[],{},{"nodeType":1639,"value":9954,"marks":9955,"data":9957},"even “phishing-resistant” authentication methods such as passkeys. ",[9956],{"type":1708},{},{"nodeType":1635,"data":9959,"content":9960},{},[9961,9966,9970,9975],{"nodeType":1639,"value":9962,"marks":9963,"data":9965},"The device code authorization is effectively performed post-authentication. ",[9964],{"type":1708},{},{"nodeType":1639,"value":9967,"marks":9968,"data":9969},"If you already have an active session in your browser, entering the device code and selecting your account from a drop-down menu is all that's needed. ",[],{},{"nodeType":1639,"value":9971,"marks":9972,"data":9974},"No password or MFA required. ",[9973],{"type":1708},{},{"nodeType":1639,"value":9976,"marks":9977,"data":9978},"You can see an example in the video below.",[],{},{"nodeType":1626,"data":9980,"content":9983},{"target":9981},{"sys":9982},{"id":9271,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":9985,"content":9986},{},[9987],{"nodeType":1639,"value":9988,"marks":9989,"data":9990},"Even if you do have to sign in again (because you're not already signed in for some reason), the attack still works because it isn't targeting the login — it's targeting the authorization layer instead.",[],{},{"nodeType":1635,"data":9992,"content":9993},{},[9994],{"nodeType":1639,"value":9995,"marks":9996,"data":9997},"This is what makes device code phishing different to other standard phishing methods like AiTM phishing (and arguably even more effective in environments with strict identity control enforcement). ",[],{},{"nodeType":1815,"data":9999,"content":10000},{},[10001],{"nodeType":1639,"value":10002,"marks":10003,"data":10005},"Device code logins are a feature, not a vulnerability, making attacks difficult to block",[10004],{"type":1708},{},{"nodeType":1635,"data":10007,"content":10008},{},[10009],{"nodeType":1639,"value":10010,"marks":10011,"data":10012},"Device code authorization is a legitimate mechanism regularly used in enterprise environments, particularly for CLI logins. Tools like Azure CLI, GitHub CLI, and AWS CLI all use (or have used) the device code flow as a primary or fallback authentication method. This creates a dual problem for defenders. ",[],{},{"nodeType":1635,"data":10014,"content":10015},{},[10016],{"nodeType":1639,"value":10017,"marks":10018,"data":10019},"First, the phishing attack happens entirely on a legitimate site — there's no fake login page, no malicious payload to scan for, and the URL in the browser is genuine. Since there's no traditional phishing content being delivered, these attacks are more resistant to detection by email and network security tools.",[],{},{"nodeType":1635,"data":10021,"content":10022},{},[10023],{"nodeType":1639,"value":10024,"marks":10025,"data":10026},"Second, the widespread legitimate use of device code flow — particularly among developers and technical users — normalizes the experience of entering device codes. A phishing lure asking them to do the same thing is indistinguishable from a legitimate IT request. And for non-technical users, this experience isn't much different to, for example, entering a code sent via email or authenticator app. ",[],{},{"nodeType":1815,"data":10028,"content":10029},{},[10030],{"nodeType":1639,"value":10031,"marks":10032,"data":10034},"Multiple apps are vulnerable, with different risk profiles",[10033],{"type":1708},{},{"nodeType":1635,"data":10036,"content":10037},{},[10038],{"nodeType":1639,"value":10039,"marks":10040,"data":10041},"Various apps implement the device code flow, each with different levels of control and default security, but the risk is not uniform across platforms. ",[],{},{"nodeType":1726,"data":10043,"content":10044},{},[10045,10060,10074],{"nodeType":1730,"data":10046,"content":10047},{},[10048],{"nodeType":1635,"data":10049,"content":10050},{},[10051,10056],{"nodeType":1639,"value":10052,"marks":10053,"data":10055},"Google Workspace ",[10054],{"type":1708},{},{"nodeType":1639,"value":10057,"marks":10058,"data":10059},"is a significantly lower-risk target because Google explicitly limits which scopes are available to the device code flow — Gmail, Calendar, and most Workspace APIs are simply unavailable through this mechanism. ",[],{},{"nodeType":1730,"data":10061,"content":10062},{},[10063],{"nodeType":1635,"data":10064,"content":10065},{},[10066,10070],{"nodeType":1639,"value":7933,"marks":10067,"data":10069},[10068],{"type":1708},{},{"nodeType":1639,"value":10071,"marks":10072,"data":10073}," offers the broadest attack surface due to unrestricted scopes, reusable first-party client IDs, and the FOCI/PRT escalation paths. ",[],{},{"nodeType":1730,"data":10075,"content":10076},{},[10077],{"nodeType":1635,"data":10078,"content":10079},{},[10080,10084,10089],{"nodeType":1639,"value":10081,"marks":10082,"data":10083},"Apps like ",[],{},{"nodeType":1639,"value":10085,"marks":10086,"data":10088},"GitHub",[10087],{"type":1708},{},{"nodeType":1639,"value":10090,"marks":10091,"data":10092}," sit in between — broad scopes are available (including full repository access), but the attacker must control their own OAuth app and the victim sees an explicit consent screen. ",[],{},{"nodeType":1626,"data":10094,"content":10098},{"target":10095},{"sys":10096},{"id":10097,"type":1631,"linkType":1632},"ejNSC76jge1p1zzz9wwiG",[],{"nodeType":1697,"data":10100,"content":10101},{},[],{"nodeType":1701,"data":10103,"content":10104},{},[10105],{"nodeType":1639,"value":6425,"marks":10106,"data":10108},[10107],{"type":1708},{},{"nodeType":1635,"data":10110,"content":10111},{},[10112],{"nodeType":1639,"value":10113,"marks":10114,"data":10115},"Security teams need to consider the risk posed by device code phishing across multiple apps where device code authorization grants are common, particularly for developers and technical users. ",[],{},{"nodeType":1635,"data":10117,"content":10118},{},[10119],{"nodeType":1639,"value":10120,"marks":10121,"data":10122},"In an ideal world, you would simply block device code logins. But this can’t be done without causing serious disruption in some environments, while some apps simply don’t provide the tools required to do so. For example, device code is the default CLI sign-in method for GitHub. Developer-heavy organizations are likely to encounter higher levels of legitimate use.",[],{},{"nodeType":1635,"data":10124,"content":10125},{},[10126,10130,10138,10142,10147,10151,10156,10160,10165,10169],{"nodeType":1639,"value":10127,"marks":10128,"data":10129},"Microsoft arguably offers the strongest control options (other than Google, who negate it right out of the gate), though they do require a fair amount of work. ",[],{},{"nodeType":1644,"data":10131,"content":10132},{"uri":6453},[10133],{"nodeType":1639,"value":10134,"marks":10135,"data":10137},"Microsoft now explicitly recommends",[10136],{"type":1652},{},{"nodeType":1639,"value":10139,"marks":10140,"data":10141}," blocking device code flow for tenants that haven't used it in the past 25 days. Their guidance is to create a custom CA policy: target relevant users, set the ",[],{},{"nodeType":1639,"value":10143,"marks":10144,"data":10146},"Authentication Flows",[10145],{"type":1708},{},{"nodeType":1639,"value":10148,"marks":10149,"data":10150}," condition to block ",[],{},{"nodeType":1639,"value":10152,"marks":10153,"data":10155},"Device Code Flow",[10154],{"type":1708},{},{"nodeType":1639,"value":10157,"marks":10158,"data":10159},", and set the grant control to ",[],{},{"nodeType":1639,"value":10161,"marks":10162,"data":10164},"Block Access",[10163],{"type":1708},{},{"nodeType":1639,"value":10166,"marks":10167,"data":10168},". Deploy in report-only mode first to identify any legitimate device code usage, ",[],{},{"nodeType":1639,"value":10170,"marks":10171,"data":10172},"then enforce with narrow exceptions.",[],{},{"nodeType":1626,"data":10174,"content":10178},{"target":10175},{"sys":10176},{"id":10177,"type":1631,"linkType":1632},"mQIj2o9xRzkZYKNmanB25",[],{"nodeType":1635,"data":10180,"content":10181},{},[10182],{"nodeType":1639,"value":10183,"marks":10184,"data":10185},"For other apps, you’re mainly limited to monitoring and response. Ensuring you’re getting authentication logs for these apps is vital, and searching for unusual access patterns (e.g. unusual login protocols, having different IPs for the authorization grant and subsequent account activity). ",[],{},{"nodeType":1697,"data":10187,"content":10188},{},[],{"nodeType":1701,"data":10190,"content":10191},{},[10192],{"nodeType":1639,"value":10193,"marks":10194,"data":10196},"How Push Security can help",[10195],{"type":1708},{},{"nodeType":1635,"data":10198,"content":10199},{},[10200],{"nodeType":1639,"value":10201,"marks":10202,"data":10203},"Push customers can use our browser-based capabilities to overcome the limitations of app-level controls and detect, intercept, and shut down attacks in real time. ",[],{},{"nodeType":1635,"data":10205,"content":10206},{},[10207],{"nodeType":1639,"value":10208,"marks":10209,"data":10210},"Our research team is already tracking multiple device code phishing campaigns and toolkits, including the EvilTokens kit. Blocking controls are already in place to prevent customers from interacting with malicious pages that match our detections for these new toolkits, ensuring that these pages can be identified and blocked in real time regardless of the infrastructure. ",[],{},{"nodeType":1635,"data":10212,"content":10213},{},[10214,10217,10224],{"nodeType":1639,"value":6546,"marks":10215,"data":10216},[],{},{"nodeType":1644,"data":10218,"content":10219},{"uri":6551},[10220],{"nodeType":1639,"value":6554,"marks":10221,"data":10223},[10222],{"type":1652},{},{"nodeType":1639,"value":10225,"marks":10226,"data":10227}," whenever a user accesses a URL used for device code logins. This provides universal, last-mile protection against even ‘zero-day’ device code phishing attacks using previously unidentified toolkits.  ",[],{},{"nodeType":1626,"data":10229,"content":10233},{"target":10230},{"sys":10231},{"id":10232,"type":1631,"linkType":1632},"3JsbGaOKSS3INzBUJpoh1W",[],{"nodeType":1635,"data":10235,"content":10236},{},[10237],{"nodeType":1639,"value":10238,"marks":10239,"data":10240},"When a user visits those URLs, Push will also emit a webhook event that the banner was shown and acknowledged. If a user opts to proceed, you can treat this as a high-fidelity alert for your security team to investigate, providing app-agnostic telemetry that may not already be provided in your logs from that particular vendor. You can also simply use Push to block users from accessing device login pages if you’re confident that disruption won’t be caused. ",[],{},{"nodeType":1815,"data":10242,"content":10243},{},[10244],{"nodeType":1639,"value":5938,"marks":10245,"data":10247},[10246],{"type":1708},{},{"nodeType":1635,"data":10249,"content":10250},{},[10251],{"nodeType":1639,"value":10252,"marks":10253,"data":10254},"Push Security's browser-based security platform detects and blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. You don't need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":1635,"data":10256,"content":10257},{},[10258,10261,10268,10271,10278,10281,10288],{"nodeType":1639,"value":2470,"marks":10259,"data":10260},[],{},{"nodeType":1644,"data":10262,"content":10263},{"uri":2475},[10264],{"nodeType":1639,"value":2478,"marks":10265,"data":10267},[10266],{"type":1652},{},{"nodeType":1639,"value":1655,"marks":10269,"data":10270},[],{},{"nodeType":1644,"data":10272,"content":10273},{"uri":2486},[10274],{"nodeType":1639,"value":2489,"marks":10275,"data":10277},[10276],{"type":1652},{},{"nodeType":1639,"value":2493,"marks":10279,"data":10280},[],{},{"nodeType":1644,"data":10282,"content":10283},{"uri":2498},[10284],{"nodeType":1639,"value":2501,"marks":10285,"data":10287},[10286],{"type":1652},{},{"nodeType":1639,"value":2291,"marks":10289,"data":10290},[],{},"Device code phishing attacks have skyrocketed: here’s what you need to know","Device code phishing is seeing a huge spike in adoption in 2026, enabling attackers to steal access tokens while bypassing standard access controls.","2026-04-04T00:00:00.000Z","device-code-phishing",{"items":10296},[10297,10299],{"sys":10298,"name":3379},{"id":3378},{"sys":10300,"name":3383},{"id":3382},{"items":10302},[10303],{"fullName":7706,"firstName":7707,"jobTitle":7708,"profilePicture":10304},{"url":7710},{"__typename":2613,"sys":10306,"content":10308,"title":11255,"synopsis":11256,"hashTags":61,"publishedDate":11257,"slug":11258,"tagsCollection":11259,"authorsCollection":11265},{"id":10307},"2sFCww9xnI8okIxhtOaiY1",{"json":10309},{"nodeType":1622,"data":10310,"content":10311},{},[10312,10319,10326,10333,10336,10344,10351,10358,10364,10371,10377,10396,10403,10415,10418,10426,10433,10449,10456,10468,10474,10477,10485,10493,10499,10508,10528,10537,10544,10553,10572,10581,10588,10597,10630,10639,10646,10655,10673,10679,10688,10695,10704,10746,10749,10757,10766,10786,10795,10802,10811,10844,10850,10859,10866,10872,10875,10883,10892,10899,10958,10964,10967,10974,10983,10990,10996,10999,11007,11014,11021,11090,11097,11160,11167,11170,11178,11185,11192,11198,11201,11208,11215,11222,11229],{"nodeType":1635,"data":10313,"content":10314},{},[10315],{"nodeType":1639,"value":10316,"marks":10317,"data":10318},"The biggest cybersecurity story this year (so far) has been the emergence of “Scattered Lapsus$ Hunters” and their record-breaking worldwide hacking spree. ",[],{},{"nodeType":1635,"data":10320,"content":10321},{},[10322],{"nodeType":1639,"value":10323,"marks":10324,"data":10325},"Scattered Lapsus$ Hunters is part of “The Com”, the name for the broad community of English-speaking cybercriminals with international criminal connections — including with nation-state sponsored groups. They are also known to collaborate with a range of cybercrime “as-a-Service” organizations for phishing, initial access, ransomware, and more. ",[],{},{"nodeType":1635,"data":10327,"content":10328},{},[10329],{"nodeType":1639,"value":10330,"marks":10331,"data":10332},"It’s difficult to pin down exactly who the individuals are that make up this criminal collective. But what is known is their MO — making money through extortion by means of account takeover, mass data theft, and ransomware deployment. ",[],{},{"nodeType":1697,"data":10334,"content":10335},{},[],{"nodeType":1701,"data":10337,"content":10338},{},[10339],{"nodeType":1639,"value":10340,"marks":10341,"data":10343},"How did we get here? ",[10342],{"type":1708},{},{"nodeType":1635,"data":10345,"content":10346},{},[10347],{"nodeType":1639,"value":10348,"marks":10349,"data":10350},"Earlier this year, the threat group known to most analysts as Scattered Spider (also tracked as 0ktapus, Octo Tempest, Scatter Swine, Muddled Libra, and UNC3944) re-emerged after a series of arrests in late 2024. ",[],{},{"nodeType":1635,"data":10352,"content":10353},{},[10354],{"nodeType":1639,"value":10355,"marks":10356,"data":10357},"This group has been active in peaks and troughs over the years, but are mainly known for high-profile ransomware attacks on Caesars and MGM Resorts in 2024. ",[],{},{"nodeType":1626,"data":10359,"content":10363},{"target":10360},{"sys":10361},{"id":10362,"type":1631,"linkType":1632},"1Vt269d7n6IGMzOrJs1FDx",[],{"nodeType":1635,"data":10365,"content":10366},{},[10367],{"nodeType":1639,"value":10368,"marks":10369,"data":10370},"Scattered Spider hit the headlines again in April 2025 with attacks on UK retailers Marks & Spencer and Co-op, which resulted in significant, prolonged disruption, and a serious downstream impact on the retail supply chain. ",[],{},{"nodeType":1626,"data":10372,"content":10376},{"target":10373},{"sys":10374},{"id":10375,"type":1631,"linkType":1632},"3kvcGV2zZZUPnM8IK04Y1O",[],{"nodeType":1635,"data":10378,"content":10379},{},[10380,10384,10392],{"nodeType":1639,"value":10381,"marks":10382,"data":10383},"It didn’t stop there, though. What followed was a wide-scale campaign targeting Salesforce customers, with the attackers claiming to have stolen ",[],{},{"nodeType":1644,"data":10385,"content":10386},{"uri":3027},[10387],{"nodeType":1639,"value":10388,"marks":10389,"data":10391},"over 1.5 billion records from 1000+ companies",[10390],{"type":1652},{},{"nodeType":1639,"value":10393,"marks":10394,"data":10395}," across multiple verticals, including heavyweights like Google, Cloudflare, Workday, Adidas, FedEx, Disney, LVMH, and many more.",[],{},{"nodeType":1635,"data":10397,"content":10398},{},[10399],{"nodeType":1639,"value":10400,"marks":10401,"data":10402},"Around this time, the attackers began to refer to themselves as part of a wider collective, assuming the moniker “Scattered Lapsus$ Hunters” (a mash-up of names given by analysts and self-adopted by attackers — Scattered Spider, ShinyHunters, and Lapsus$).",[],{},{"nodeType":1635,"data":10404,"content":10405},{},[10406,10410],{"nodeType":1639,"value":10407,"marks":10408,"data":10409},"The most significant breach this year to-date impacted Jaguar Land Rover. A ransomware attack resulted in months of disruption that directly impacted the UK’s GDP, with the government underwriting a $1.5B loan to alleviate the supply chain impact. ",[],{},{"nodeType":1639,"value":10411,"marks":10412,"data":10414},"In fact, this was the most economically consequential cyber attack yet recorded in a G7 economy. ",[10413],{"type":1708},{},{"nodeType":1697,"data":10416,"content":10417},{},[],{"nodeType":1701,"data":10419,"content":10420},{},[10421],{"nodeType":1639,"value":10422,"marks":10423,"data":10425},"2025 wasn’t a one-off",[10424],{"type":1708},{},{"nodeType":1635,"data":10427,"content":10428},{},[10429],{"nodeType":1639,"value":10430,"marks":10431,"data":10432},"The developments through 2025 have presented a stronger picture than ever before that cybercriminal operations are heavily interlinked. Groups overlap considerably, and individuals freely move between different cells. ",[],{},{"nodeType":1635,"data":10434,"content":10435},{},[10436,10440,10445],{"nodeType":1639,"value":10437,"marks":10438,"data":10439},"When we scratch beneath the surface, this is evident in the tactics, techniques and procedures (TTPs) used by these attackers — even stretching as far back as 2021 with the initial rise of Lapsus$. This is not an accident. ",[],{},{"nodeType":1639,"value":10441,"marks":10442,"data":10444},"The TTPs used show a conscious move by attackers to move away from environments that are well-protected by traditional security tools. ",[10443],{"type":1708},{},{"nodeType":1639,"value":10446,"marks":10447,"data":10448},"This means avoiding targeting endpoints with malware, and not relying on software-based exploits. Instead, these attackers look to take over apps and services directly over the internet. ",[],{},{"nodeType":1635,"data":10450,"content":10451},{},[10452],{"nodeType":1639,"value":10453,"marks":10454,"data":10455},"Most of the time, this is as simple as logging in to a SaaS app, or an enterprise SSO account (e.g. Microsoft, Okta, or Google) and dumping the data. For attackers that want to take it further, they can abuse the sprawl of interconnected apps that make up modern business IT, seeking out specific data or exploitable functionality. Or, they can leverage internet-accessible management portals to chart a path back to your on-premise assets, giving them everything they need to pivot toward more conventional methods such as ransomware deployment. ",[],{},{"nodeType":1635,"data":10457,"content":10458},{},[10459,10463],{"nodeType":1639,"value":10460,"marks":10461,"data":10462},"When we look at historical breaches, the pattern is clear. ",[],{},{"nodeType":1639,"value":10464,"marks":10465,"data":10467},"Not one of the attacks attributed to Scattered Lapsus$ Hunters, or its predecessors, started with an endpoint or network attack — they all began with account takeover. ",[10466],{"type":1708},{},{"nodeType":1626,"data":10469,"content":10473},{"target":10470},{"sys":10471},{"id":10472,"type":1631,"linkType":1632},"6poP5VM2ARrEvwKEG42HgK",[],{"nodeType":1697,"data":10475,"content":10476},{},[],{"nodeType":1701,"data":10478,"content":10479},{},[10480],{"nodeType":1639,"value":10481,"marks":10482,"data":10484},"TTP breakdown: Analyzing the top “Scattered Lapsus$ Hunters” breaches since 2021",[10483],{"type":1708},{},{"nodeType":1815,"data":10486,"content":10487},{},[10488],{"nodeType":1639,"value":10489,"marks":10490,"data":10492},"Phishing and stolen credentials",[10491],{"type":1708},{},{"nodeType":1626,"data":10494,"content":10498},{"target":10495},{"sys":10496},{"id":10497,"type":1631,"linkType":1632},"4SNOanDIdGZsvRRnMYQVSo",[],{"nodeType":1635,"data":10500,"content":10501},{},[10502],{"nodeType":1639,"value":10503,"marks":10504,"data":10507},"EA Games (2021)",[10505,10506],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":10509,"content":10510},{},[10511,10515,10524],{"nodeType":1639,"value":10512,"marks":10513,"data":10514},"Attackers used stolen session cookies to log into EA’s Slack instance, purchased on a criminal forum. Combined with ",[],{},{"nodeType":1644,"data":10516,"content":10518},{"uri":10517},"https://pushsecurity.com/blog/phishing-slack-persistence/",[10519],{"nodeType":1639,"value":10520,"marks":10521,"data":10523},"social engineering via Slack",[10522],{"type":1652},{},{"nodeType":1639,"value":10525,"marks":10526,"data":10527},", this was used to steal 750GB of data, including video game source code. ",[],{},{"nodeType":1635,"data":10529,"content":10530},{},[10531],{"nodeType":1639,"value":10532,"marks":10533,"data":10536},"Nvidia (2022)",[10534,10535],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":10538,"content":10539},{},[10540],{"nodeType":1639,"value":10541,"marks":10542,"data":10543},"Attackers used stolen credentials to steal 1TB of data from Nvidia’s internal shares, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code, and the usernames and passwords of more than 71,000 Nvidia employees.",[],{},{"nodeType":1635,"data":10545,"content":10546},{},[10547],{"nodeType":1639,"value":10548,"marks":10549,"data":10552},"Microsoft (2022)",[10550,10551],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":10554,"content":10555},{},[10556,10560,10568],{"nodeType":1639,"value":10557,"marks":10558,"data":10559},"Attackers used stolen credentials combined with SIM swapping and ",[],{},{"nodeType":1644,"data":10561,"content":10563},{"uri":10562},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_fatigue/description.md",[10564],{"nodeType":1639,"value":10565,"marks":10566,"data":10567},"MFA fatigue",[],{},{"nodeType":1639,"value":10569,"marks":10570,"data":10571}," attacks to steal Azure DevOps source code — leaked a 9GB archive of Microsoft source code – including ~90% of Bing and 45% of Cortana code. ",[],{},{"nodeType":1635,"data":10573,"content":10574},{},[10575],{"nodeType":1639,"value":10576,"marks":10577,"data":10580},"T-Mobile (2022)",[10578,10579],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":10582,"content":10583},{},[10584],{"nodeType":1639,"value":10585,"marks":10586,"data":10587},"Attackers used stolen credentials to establish initial access, coupled with social engineering T-Mobile staff into approving the attacker’s device for VPN access. This resulted in source code being stolen from over 30,000 repositories. ",[],{},{"nodeType":1635,"data":10589,"content":10590},{},[10591],{"nodeType":1639,"value":10592,"marks":10593,"data":10596},"Snowflake (165 customers) (2024)",[10594,10595],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":10598,"content":10599},{},[10600,10604,10613,10617,10626],{"nodeType":1639,"value":10601,"marks":10602,"data":10603},"Attackers targeted ",[],{},{"nodeType":1644,"data":10605,"content":10607},{"uri":10606},"https://pushsecurity.com/blog/snowflake-retro/",[10608],{"nodeType":1639,"value":10609,"marks":10610,"data":10612},"165 Snowflake customers",[10611],{"type":1652},{},{"nodeType":1639,"value":10614,"marks":10615,"data":10616}," using stolen credentials from credential breaches dating back as far as 2020. Due to widespread MFA gaps and the presence of ",[],{},{"nodeType":1644,"data":10618,"content":10620},{"uri":10619},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[10621],{"nodeType":1639,"value":10622,"marks":10623,"data":10625},"ghost logins",[10624],{"type":1652},{},{"nodeType":1639,"value":10627,"marks":10628,"data":10629},", attackers were able to simply log in to individual customer tenants, dump the data, and use it to extort the companies. In total, 9 public victims were named following the breach, with over 1B breached customer records. ",[],{},{"nodeType":1635,"data":10631,"content":10632},{},[10633],{"nodeType":1639,"value":10634,"marks":10635,"data":10638},"PowerSchool (2024)",[10636,10637],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":10640,"content":10641},{},[10642],{"nodeType":1639,"value":10643,"marks":10644,"data":10645},"Attackers gained access to a community-focused customer support portal, PowerSource, using compromised credentials and stole data using an \"export data manager\" customer support tool, stealing the data of 62.4 million students and 9.5 million teachers. PowerSchool paid an undisclosed ransom fee, but hackers returned later to extort schools and individuals separately anyway.",[],{},{"nodeType":1635,"data":10647,"content":10648},{},[10649],{"nodeType":1639,"value":10650,"marks":10651,"data":10654},"Red Hat (2025)",[10652,10653],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":10656,"content":10657},{},[10658,10662,10669],{"nodeType":1639,"value":10659,"marks":10660,"data":10661},"Attackers breached Red Hat’s GitLab instance via a compromised account — the result of ",[],{},{"nodeType":1644,"data":10663,"content":10664},{"uri":10619},[10665],{"nodeType":1639,"value":10622,"marks":10666,"data":10668},[10667],{"type":1652},{},{"nodeType":1639,"value":10670,"marks":10671,"data":10672}," providing a backdoor to access an otherwise secure, SSO-connected account. Stolen data included approximately 800 Customer Engagement Reports (CERs), authentication tokens, full database URIs, and other private information in Red Hat code and CERs, which they claimed to use to gain access to downstream customer infrastructure. ",[],{},{"nodeType":1626,"data":10674,"content":10678},{"target":10675},{"sys":10676},{"id":10677,"type":1631,"linkType":1632},"G1V7d5Dvevmr9p0YXElPX",[],{"nodeType":1635,"data":10680,"content":10681},{},[10682],{"nodeType":1639,"value":10683,"marks":10684,"data":10687},"Discord (2025)",[10685,10686],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":10689,"content":10690},{},[10691],{"nodeType":1639,"value":10692,"marks":10693,"data":10694},"Attackers compromised a Zendesk customer support account, stealing 1.6TB of data. The hackers say this consisted of roughly 8.4 million tickets affecting 5.5 million unique users, and that about 580,000 users contained payment information.",[],{},{"nodeType":1635,"data":10696,"content":10697},{},[10698],{"nodeType":1639,"value":10699,"marks":10700,"data":10703},"SoundCloud, MatchGroup, Crunchbase, Betterment... (2026)",[10701,10702],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":10705,"content":10706},{},[10707,10711,10719,10722,10730,10734,10742],{"nodeType":1639,"value":10708,"marks":10709,"data":10710},"Scattered Lapsus$ Hunters have already claimed several public victims in 2026, with over 60 million breached records. ",[],{},{"nodeType":1644,"data":10712,"content":10714},{"uri":10713},"https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/",[10715],{"nodeType":1639,"value":10716,"marks":10717,"data":10718},"SoundCloud, Betterment, Crunchbase",[],{},{"nodeType":1639,"value":5688,"marks":10720,"data":10721},[],{},{"nodeType":1644,"data":10723,"content":10725},{"uri":10724},"https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/",[10726],{"nodeType":1639,"value":10727,"marks":10728,"data":10729},"MatchGroup",[],{},{"nodeType":1639,"value":10731,"marks":10732,"data":10733}," have all reported breaches this month, powered by a brand ",[],{},{"nodeType":1644,"data":10735,"content":10737},{"uri":10736},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[10738],{"nodeType":1639,"value":10739,"marks":10740,"data":10741},"new real-time-operated AiTM phishing kit",[],{},{"nodeType":1639,"value":10743,"marks":10744,"data":10745}," targeting Okta, Entra, and Google SSO accounts. This is a developing situation, with more victims expected to be announced publicly soon.",[],{},{"nodeType":1697,"data":10747,"content":10748},{},[],{"nodeType":1815,"data":10750,"content":10751},{},[10752],{"nodeType":1639,"value":10753,"marks":10754,"data":10756},"Vishing and help desk scams",[10755],{"type":1708},{},{"nodeType":1635,"data":10758,"content":10759},{},[10760],{"nodeType":1639,"value":10761,"marks":10762,"data":10765},"MGM Resorts & Caesars (2023)",[10763,10764],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":10767,"content":10768},{},[10769,10773,10782],{"nodeType":1639,"value":10770,"marks":10771,"data":10772},"MGM Resorts and Caesars were hit with twin breaches in 2023. Attackers socially engineered help desk personnel to take over accounts with Super Administrator privileges within MGM Resorts’ Okta tenant, which they then used to register a second, attacker-controlled IdP via ",[],{},{"nodeType":1644,"data":10774,"content":10776},{"uri":10775},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/inbound_federation/description.md",[10777],{"nodeType":1639,"value":10778,"marks":10779,"data":10781},"inbound federation",[10780],{"type":1652},{},{"nodeType":1639,"value":10783,"marks":10784,"data":10785}," — granting comprehensive access that was used to deploy ransomware. ",[],{},{"nodeType":1635,"data":10787,"content":10788},{},[10789],{"nodeType":1639,"value":10790,"marks":10791,"data":10794},"Transport for London (2024)",[10792,10793],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":10796,"content":10797},{},[10798],{"nodeType":1639,"value":10799,"marks":10800,"data":10801},"Attackers socially engineered the Transport for London help desk to gain privileged access to the IT environment, resulting in prolonged disruption to key online services underpinning London’s public transport network, theft of 5,000 users bank details, and all 30,000 staff members having to reset their online credentials in person.",[],{},{"nodeType":1635,"data":10803,"content":10804},{},[10805],{"nodeType":1639,"value":10806,"marks":10807,"data":10810},"Marks & Spencer (2025)",[10808,10809],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":10812,"content":10813},{},[10814,10818,10827,10831,10840],{"nodeType":1639,"value":10815,"marks":10816,"data":10817},"Attackers compromised a Microsoft Entra account belonging to a privileged user via a ",[],{},{"nodeType":1644,"data":10819,"content":10821},{"uri":10820},"https://pushsecurity.com/blog/scattered-spider-defending-against-help-desk-scams/",[10822],{"nodeType":1639,"value":10823,"marks":10824,"data":10826},"help desk scam",[10825],{"type":1652},{},{"nodeType":1639,"value":10828,"marks":10829,"data":10830},", which enabled them to steal sensitive data from cloud environments, as well as pivot to deploy ransomware via the ",[],{},{"nodeType":1644,"data":10832,"content":10834},{"uri":10833},"https://cloud.google.com/blog/topics/threat-intelligence/vsphere-active-directory-integration-risks",[10835],{"nodeType":1639,"value":10836,"marks":10837,"data":10839},"VMware admin console",[10838],{"type":1652},{},{"nodeType":1639,"value":10841,"marks":10842,"data":10843},". This enabled ransomware to be deployed at the hypervisor layer, evading host-based protections like EDR. ",[],{},{"nodeType":1626,"data":10845,"content":10849},{"target":10846},{"sys":10847},{"id":10848,"type":1631,"linkType":1632},"7hBdHG74NaA3bQfOMpYA9o",[],{"nodeType":1635,"data":10851,"content":10852},{},[10853],{"nodeType":1639,"value":10854,"marks":10855,"data":10858},"Jaguar Land Rover (2025)",[10856,10857],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":10860,"content":10861},{},[10862],{"nodeType":1639,"value":10863,"marks":10864,"data":10865},"Attackers compromised highly privileged admin accounts via a help desk scam, which they leveraged to access and deploy ransomware to all aspects of Jaguar’s business, from CAD and engineering software, to payments tracking, to customer car delivery, using similar techniques to the Marks & Spencer breach. ",[],{},{"nodeType":1626,"data":10867,"content":10871},{"target":10868},{"sys":10869},{"id":10870,"type":1631,"linkType":1632},"6s1X2fo4K9EeVLBmHm4YXb",[],{"nodeType":1697,"data":10873,"content":10874},{},[],{"nodeType":1815,"data":10876,"content":10877},{},[10878],{"nodeType":1639,"value":10879,"marks":10880,"data":10882},"Malicious OAuth integrations",[10881],{"type":1708},{},{"nodeType":1635,"data":10884,"content":10885},{},[10886],{"nodeType":1639,"value":10887,"marks":10888,"data":10891},"Salesforce & Salesloft (1000+ customers) (2025)",[10889,10890],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":10893,"content":10894},{},[10895],{"nodeType":1639,"value":10896,"marks":10897,"data":10898},"A vast campaign against Salesforce customers resulted in the compromise of 1000+ Salesforce tenants (according to the attacker) with more than 1.5 billion records stolen. This campaign can consisted of three phases:",[],{},{"nodeType":1726,"data":10900,"content":10901},{},[10902,10917,10932],{"nodeType":1730,"data":10903,"content":10904},{},[10905],{"nodeType":1635,"data":10906,"content":10907},{},[10908,10913],{"nodeType":1639,"value":10909,"marks":10910,"data":10912},"Phase 1:",[10911],{"type":1708},{},{"nodeType":1639,"value":10914,"marks":10915,"data":10916}," The attacker conducted a large-scale vishing campaign against Salesforce customers, calling up users and socially engineering them into connecting a malicious version of the “Data Loader” app into their tenant. This was in fact an attacker-controlled app that enabled data to be mass-exfiltrated via API. ",[],{},{"nodeType":1730,"data":10918,"content":10919},{},[10920],{"nodeType":1635,"data":10921,"content":10922},{},[10923,10928],{"nodeType":1639,"value":10924,"marks":10925,"data":10927},"Phase 2: ",[10926],{"type":1708},{},{"nodeType":1639,"value":10929,"marks":10930,"data":10931},"The attacker conducted a supply-chain compromise against customers of Salesloft. Users of Salesloft’s “Drift” integration were impacted by attackers stealing access tokens from Salesloft’s AWS environment. This integration allowed the attacker to steal data from customers that had deployed Drift to connected environments — namely, Salesforce, and Google Workspace. ",[],{},{"nodeType":1730,"data":10933,"content":10934},{},[10935],{"nodeType":1635,"data":10936,"content":10937},{},[10938,10943,10947,10954],{"nodeType":1639,"value":10939,"marks":10940,"data":10942},"Phase 3:",[10941],{"type":1708},{},{"nodeType":1639,"value":10944,"marks":10945,"data":10946}," The attacker then conducted a separate supply-chain compromise involving Gainsight (allegedly using OAuth tokens stolen in the Salesloft attack) which enabled them to ",[],{},{"nodeType":1644,"data":10948,"content":10949},{"uri":3040},[10950],{"nodeType":1639,"value":10951,"marks":10952,"data":10953},"breach a further 285 Salesforce instances",[],{},{"nodeType":1639,"value":10955,"marks":10956,"data":10957}," using stolen OAuth tokens from Gainsight's integrations. ",[],{},{"nodeType":1626,"data":10959,"content":10963},{"target":10960},{"sys":10961},{"id":10962,"type":1631,"linkType":1632},"3TwjpVKQ42SwQRhvGFbZdn",[],{"nodeType":1697,"data":10965,"content":10966},{},[],{"nodeType":1815,"data":10968,"content":10969},{},[10970],{"nodeType":1639,"value":5308,"marks":10971,"data":10973},[10972],{"type":1708},{},{"nodeType":1635,"data":10975,"content":10976},{},[10977],{"nodeType":1639,"value":10978,"marks":10979,"data":10982},"CyberHaven (2024)",[10980,10981],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":10984,"content":10985},{},[10986],{"nodeType":1639,"value":10987,"marks":10988,"data":10989},"Hackers phished a CyberHaven extension developer and uploaded a malicious version of the CyberHaven extension to the Chrome Web Store, leading to customer data breaches where installed in user browsers, impacting CyberHaven’s estimated ~400 business customers. This was part of a broader campaign that targeted 35 Chrome extensions, collectively impacting over 2.5 million users.",[],{},{"nodeType":1626,"data":10991,"content":10995},{"target":10992},{"sys":10993},{"id":10994,"type":1631,"linkType":1632},"4ErDI0xi0Vj2Zrk8Qsb2NB",[],{"nodeType":1697,"data":10997,"content":10998},{},[],{"nodeType":1701,"data":11000,"content":11001},{},[11002],{"nodeType":1639,"value":11003,"marks":11004,"data":11006},"The bigger picture",[11005],{"type":1708},{},{"nodeType":1635,"data":11008,"content":11009},{},[11010],{"nodeType":1639,"value":11011,"marks":11012,"data":11013},"Scattered Lapsus$ Hunters are dominating the headlines right now, but they aren’t the only attackers using these modern techniques and consciously evading established security controls. ",[],{},{"nodeType":1635,"data":11015,"content":11016},{},[11017],{"nodeType":1639,"value":11018,"marks":11019,"data":11020},"Threat reports agree that attackers are steering away from traditional exploit and malware-driven breaches towards identities:",[],{},{"nodeType":1726,"data":11022,"content":11023},{},[11024,11046,11068],{"nodeType":1730,"data":11025,"content":11026},{},[11027],{"nodeType":1635,"data":11028,"content":11029},{},[11030,11034,11042],{"nodeType":1639,"value":11031,"marks":11032,"data":11033},"Identity-based attacks surged 32% in the last year, while 97% of identity attacks are password-based, driven by credential leaks and infostealer malware. (",[],{},{"nodeType":1644,"data":11035,"content":11037},{"uri":11036},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[11038],{"nodeType":1639,"value":7933,"marks":11039,"data":11041},[11040],{"type":1652},{},{"nodeType":1639,"value":11043,"marks":11044,"data":11045},")",[],{},{"nodeType":1730,"data":11047,"content":11048},{},[11049],{"nodeType":1635,"data":11050,"content":11051},{},[11052,11056,11065],{"nodeType":1639,"value":11053,"marks":11054,"data":11055},"79% of detections were malware-free in the last year, up from 40% in 2019. (",[],{},{"nodeType":1644,"data":11057,"content":11059},{"uri":11058},"https://www.crowdstrike.com/en-gb/global-threat-report/",[11060],{"nodeType":1639,"value":11061,"marks":11062,"data":11064},"CrowdStrike",[11063],{"type":1652},{},{"nodeType":1639,"value":11043,"marks":11066,"data":11067},[],{},{"nodeType":1730,"data":11069,"content":11070},{},[11071],{"nodeType":1635,"data":11072,"content":11073},{},[11074,11078,11087],{"nodeType":1639,"value":11075,"marks":11076,"data":11077},"Credential abuse and phishing combined accounted for 38% of breaches, making identity the primary breach vector observed. (",[],{},{"nodeType":1644,"data":11079,"content":11081},{"uri":11080},"https://www.verizon.com/business/resources/reports/dbir/",[11082],{"nodeType":1639,"value":11083,"marks":11084,"data":11086},"Verizon",[11085],{"type":1652},{},{"nodeType":1639,"value":11043,"marks":11088,"data":11089},[],{},{"nodeType":1635,"data":11091,"content":11092},{},[11093],{"nodeType":1639,"value":11094,"marks":11095,"data":11096},"And other public breaches from this year alone demonstrate similar TTPs from outside of the Scattered Lapsus$ Hunters orbit:",[],{},{"nodeType":1726,"data":11098,"content":11099},{},[11100,11115,11130,11145],{"nodeType":1730,"data":11101,"content":11102},{},[11103],{"nodeType":1635,"data":11104,"content":11105},{},[11106,11111],{"nodeType":1639,"value":11107,"marks":11108,"data":11110},"Nikkei",[11109],{"type":1708},{},{"nodeType":1639,"value":11112,"marks":11113,"data":11114},": Japanese publishing giant Nikkei’s Slack messaging platform was compromised using stolen credentials, leaking the names, email addresses, and chat histories for 17,368 individuals registered on Slack.",[],{},{"nodeType":1730,"data":11116,"content":11117},{},[11118],{"nodeType":1635,"data":11119,"content":11120},{},[11121,11126],{"nodeType":1639,"value":11122,"marks":11123,"data":11125},"Evertec",[11124],{"type":1708},{},{"nodeType":1639,"value":11127,"marks":11128,"data":11129},": Hackers tried to steal $130 million from Evertec’s Brazilian subsidiary Sinqia S.A.after gaining unauthorized access to its environment on the central bank’s real-time payment system (Pix) using stolen credentials.",[],{},{"nodeType":1730,"data":11131,"content":11132},{},[11133],{"nodeType":1635,"data":11134,"content":11135},{},[11136,11141],{"nodeType":1639,"value":11137,"marks":11138,"data":11140},"Hy-Vee:",[11139],{"type":1708},{},{"nodeType":1639,"value":11142,"marks":11143,"data":11144}," Was hit with a data breach after hackers logged in with stolen credentials, exposing 53GB of sensitive data.",[],{},{"nodeType":1730,"data":11146,"content":11147},{},[11148],{"nodeType":1635,"data":11149,"content":11150},{},[11151,11156],{"nodeType":1639,"value":11152,"marks":11153,"data":11155},"Scania: ",[11154],{"type":1708},{},{"nodeType":1639,"value":11157,"marks":11158,"data":11159},"Automotive giant Scania confirmed it suffered a cybersecurity incident where threat actors used compromised credentials to breach its Financial Services systems and steal insurance claim documents.",[],{},{"nodeType":1635,"data":11161,"content":11162},{},[11163],{"nodeType":1639,"value":11164,"marks":11165,"data":11166},"Scattered Lapsus$ Hunters may be grabbing the headlines — but this a huge movement in a vast and flexible community of attackers. And criminals around the world are learning from their success. ",[],{},{"nodeType":1697,"data":11168,"content":11169},{},[],{"nodeType":1701,"data":11171,"content":11172},{},[11173],{"nodeType":1639,"value":11174,"marks":11175,"data":11177},"Lessons learned",[11176],{"type":1708},{},{"nodeType":1635,"data":11179,"content":11180},{},[11181],{"nodeType":1639,"value":11182,"marks":11183,"data":11184},"The common thread with all of these attacks is that they are evading established security controls by targeting applications directly, over the internet, via account takeover.",[],{},{"nodeType":1635,"data":11186,"content":11187},{},[11188],{"nodeType":1639,"value":11189,"marks":11190,"data":11191},"Clearly, the success of these attacks shows the limitations of multiple control layers. Endpoint and network layer controls have no visibility of this attack surface. Identity-focused controls are being undermined by ghost logins and shadow IT. And the limitations of cloud security controls in their ability to encompass all apps, and detect and stop malicious actions in real-time (that often blend in seamlessly with normal user activity). ",[],{},{"nodeType":1626,"data":11193,"content":11197},{"target":11194},{"sys":11195},{"id":11196,"type":1631,"linkType":1632},"4Dg3fZEGf7ShyQJ8jlNDME",[],{"nodeType":1697,"data":11199,"content":11200},{},[],{"nodeType":1701,"data":11202,"content":11203},{},[11204],{"nodeType":1639,"value":3236,"marks":11205,"data":11207},[11206],{"type":1708},{},{"nodeType":1635,"data":11209,"content":11210},{},[11211],{"nodeType":1639,"value":11212,"marks":11213,"data":11214},"Stopping attacks that are designed to evade established controls is in our DNA — it’s the reason Push was founded. ",[],{},{"nodeType":1635,"data":11216,"content":11217},{},[11218],{"nodeType":1639,"value":11219,"marks":11220,"data":11221},"The browser is the gateway to to the apps and identities that attackers are now targeting, with many attacks taking place inside the user’s browser — whether that’s entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA. ",[],{},{"nodeType":1635,"data":11223,"content":11224},{},[11225],{"nodeType":1639,"value":11226,"marks":11227,"data":11228},"Push’s browser-based security platform provides comprehensive detection and response capabilities against attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":1635,"data":11230,"content":11231},{},[11232,11235,11242,11245,11252],{"nodeType":1639,"value":2470,"marks":11233,"data":11234},[],{},{"nodeType":1644,"data":11236,"content":11237},{"uri":2475},[11238],{"nodeType":1639,"value":2478,"marks":11239,"data":11241},[11240],{"type":1652},{},{"nodeType":1639,"value":5548,"marks":11243,"data":11244},[],{},{"nodeType":1644,"data":11246,"content":11247},{"uri":2498},[11248],{"nodeType":1639,"value":2501,"marks":11249,"data":11251},[11250],{"type":1652},{},{"nodeType":1639,"value":2291,"marks":11253,"data":11254},[],{},"\"Scattered Lapsus$ Hunters\" — how modern attackers exploit the gaps in your security stack ","How Scattered Lapsus$ Hunters breaches demonstrate the evolution of attacker TTPs, shaping the future of cyber attacks.","2025-11-13T00:00:00.000Z","scattered-lapsus-hunters",{"items":11260},[11261,11263],{"sys":11262,"name":3379},{"id":3378},{"sys":11264,"name":3383},{"id":3382},{"items":11266},[11267],{"fullName":1615,"firstName":1616,"jobTitle":1617,"profilePicture":11268},{"url":1619},"consentfix-v3-analyzing-a-new-toolkit","blog/consentfix-v3-analyzing-a-new-toolkit",{"json":11272},{"data":11273,"content":11274,"nodeType":1622},{},[11275,11282],{"data":11276,"content":11277,"nodeType":1635},{},[11278],{"data":11279,"marks":11280,"value":11281,"nodeType":1639},{},[],"Investigating a new criminal toolkit for ConsentFix being promoted on criminal forums. ",{"data":11283,"content":11284,"nodeType":1635},{},[11285],{"data":11286,"marks":11287,"value":29,"nodeType":1639},{},[],{"id":11289,"publishedAt":11290},"27Z1JlNtpGTPyarh393sHK","2026-04-23T15:29:24.010Z",{"items":11292},[11293,11295],{"sys":11294,"name":3379},{"id":3378},{"sys":11296,"name":3383},{"id":3382},"K9YX4UY5vZlCvOwwtkosvB1Fn1TbaUXcuv9gjunS_8Y",{"id":11299,"title":3370,"authorsCollection":11300,"content":11304,"extension":2606,"hashTags":61,"meta":12129,"metaTitle":12130,"ogImage":61,"publishedDate":3372,"relatedBlogPostsCollection":12131,"slug":3373,"stem":16471,"subtitle":61,"summary":16472,"synopsis":3371,"sys":16483,"tagsCollection":16485,"__hash__":16491},"blog/blog/unpacking-the-vercel-breach.json",{"items":11301},[11302],{"fullName":1615,"firstName":1616,"jobTitle":1617,"profilePicture":11303},{"url":1619},{"json":11305,"links":11945},{"nodeType":1622,"data":11306,"content":11307},{},[11308,11331,11357,11363,11368,11371,11378,11384,11389,11404,11410,11417,11433,11446,11452,11458,11461,11468,11474,11480,11535,11541,11546,11553,11563,11569,11575,11580,11587,11593,11599,11605,11611,11616,11623,11629,11700,11705,11708,11715,11721,11734,11740,11746,11751,11767,11770,11777,11783,11788,11804,11810,11816,11821,11824,11831,11837,11843,11848,11854,11859,11864,11884,11889,11899,11905,11911],{"nodeType":1635,"data":11309,"content":11310},{},[11311,11314,11321,11324,11328],{"nodeType":1639,"value":2624,"marks":11312,"data":11313},[],{},{"nodeType":1644,"data":11315,"content":11316},{"uri":2629},[11317],{"nodeType":1639,"value":2632,"marks":11318,"data":11320},[11319],{"type":1652},{},{"nodeType":1639,"value":2637,"marks":11322,"data":11323},[],{},{"nodeType":1639,"value":2641,"marks":11325,"data":11327},[11326],{"type":1708},{},{"nodeType":1639,"value":1851,"marks":11329,"data":11330},[],{},{"nodeType":1635,"data":11332,"content":11333},{},[11334,11337,11344,11347,11354],{"nodeType":1639,"value":2652,"marks":11335,"data":11336},[],{},{"nodeType":1644,"data":11338,"content":11339},{"uri":2657},[11340],{"nodeType":1639,"value":2660,"marks":11341,"data":11343},[11342],{"type":1652},{},{"nodeType":1639,"value":2665,"marks":11345,"data":11346},[],{},{"nodeType":1644,"data":11348,"content":11349},{"uri":2670},[11350],{"nodeType":1639,"value":2673,"marks":11351,"data":11353},[11352],{"type":1652},{},{"nodeType":1639,"value":2678,"marks":11355,"data":11356},[],{},{"nodeType":1635,"data":11358,"content":11359},{},[11360],{"nodeType":1639,"value":2685,"marks":11361,"data":11362},[],{},{"nodeType":1626,"data":11364,"content":11367},{"target":11365},{"sys":11366},{"id":2692,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":11369,"content":11370},{},[],{"nodeType":1701,"data":11372,"content":11373},{},[11374],{"nodeType":1639,"value":2701,"marks":11375,"data":11377},[11376],{"type":1708},{},{"nodeType":1635,"data":11379,"content":11380},{},[11381],{"nodeType":1639,"value":2709,"marks":11382,"data":11383},[],{},{"nodeType":1626,"data":11385,"content":11388},{"target":11386},{"sys":11387},{"id":2716,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":11390,"content":11391},{},[11392,11395,11401],{"nodeType":1639,"value":2722,"marks":11393,"data":11394},[],{},{"nodeType":1644,"data":11396,"content":11397},{"uri":2727},[11398],{"nodeType":1639,"value":2730,"marks":11399,"data":11400},[],{},{"nodeType":1639,"value":2734,"marks":11402,"data":11403},[],{},{"nodeType":1635,"data":11405,"content":11406},{},[11407],{"nodeType":1639,"value":2741,"marks":11408,"data":11409},[],{},{"nodeType":1815,"data":11411,"content":11412},{},[11413],{"nodeType":1639,"value":2748,"marks":11414,"data":11416},[11415],{"type":1708},{},{"nodeType":1635,"data":11418,"content":11419},{},[11420,11423,11430],{"nodeType":1639,"value":2756,"marks":11421,"data":11422},[],{},{"nodeType":1644,"data":11424,"content":11425},{"uri":2761},[11426],{"nodeType":1639,"value":2764,"marks":11427,"data":11429},[11428],{"type":1652},{},{"nodeType":1639,"value":2769,"marks":11431,"data":11432},[],{},{"nodeType":1635,"data":11434,"content":11435},{},[11436,11439,11443],{"nodeType":1639,"value":2776,"marks":11437,"data":11438},[],{},{"nodeType":1639,"value":2780,"marks":11440,"data":11442},[11441],{"type":273},{},{"nodeType":1639,"value":2785,"marks":11444,"data":11445},[],{},{"nodeType":1635,"data":11447,"content":11448},{},[11449],{"nodeType":1639,"value":2792,"marks":11450,"data":11451},[],{},{"nodeType":1635,"data":11453,"content":11454},{},[11455],{"nodeType":1639,"value":2799,"marks":11456,"data":11457},[],{},{"nodeType":1697,"data":11459,"content":11460},{},[],{"nodeType":1701,"data":11462,"content":11463},{},[11464],{"nodeType":1639,"value":2809,"marks":11465,"data":11467},[11466],{"type":1708},{},{"nodeType":1635,"data":11469,"content":11470},{},[11471],{"nodeType":1639,"value":2817,"marks":11472,"data":11473},[],{},{"nodeType":1635,"data":11475,"content":11476},{},[11477],{"nodeType":1639,"value":2824,"marks":11478,"data":11479},[],{},{"nodeType":1726,"data":11481,"content":11482},{},[11483,11496,11509,11522],{"nodeType":1730,"data":11484,"content":11485},{},[11486],{"nodeType":1635,"data":11487,"content":11488},{},[11489,11493],{"nodeType":1639,"value":2837,"marks":11490,"data":11492},[11491],{"type":1708},{},{"nodeType":1639,"value":2842,"marks":11494,"data":11495},[],{},{"nodeType":1730,"data":11497,"content":11498},{},[11499],{"nodeType":1635,"data":11500,"content":11501},{},[11502,11506],{"nodeType":1639,"value":2852,"marks":11503,"data":11505},[11504],{"type":1708},{},{"nodeType":1639,"value":2857,"marks":11507,"data":11508},[],{},{"nodeType":1730,"data":11510,"content":11511},{},[11512],{"nodeType":1635,"data":11513,"content":11514},{},[11515,11519],{"nodeType":1639,"value":2867,"marks":11516,"data":11518},[11517],{"type":1708},{},{"nodeType":1639,"value":2872,"marks":11520,"data":11521},[],{},{"nodeType":1730,"data":11523,"content":11524},{},[11525],{"nodeType":1635,"data":11526,"content":11527},{},[11528,11532],{"nodeType":1639,"value":2882,"marks":11529,"data":11531},[11530],{"type":1708},{},{"nodeType":1639,"value":2887,"marks":11533,"data":11534},[],{},{"nodeType":1635,"data":11536,"content":11537},{},[11538],{"nodeType":1639,"value":2894,"marks":11539,"data":11540},[],{},{"nodeType":1626,"data":11542,"content":11545},{"target":11543},{"sys":11544},{"id":2901,"type":1631,"linkType":1632},[],{"nodeType":1815,"data":11547,"content":11548},{},[11549],{"nodeType":1639,"value":2907,"marks":11550,"data":11552},[11551],{"type":1708},{},{"nodeType":1635,"data":11554,"content":11555},{},[11556,11560],{"nodeType":1639,"value":2915,"marks":11557,"data":11559},[11558],{"type":1708},{},{"nodeType":1639,"value":2920,"marks":11561,"data":11562},[],{},{"nodeType":1635,"data":11564,"content":11565},{},[11566],{"nodeType":1639,"value":2927,"marks":11567,"data":11568},[],{},{"nodeType":1635,"data":11570,"content":11571},{},[11572],{"nodeType":1639,"value":2934,"marks":11573,"data":11574},[],{},{"nodeType":1626,"data":11576,"content":11579},{"target":11577},{"sys":11578},{"id":2941,"type":1631,"linkType":1632},[],{"nodeType":1815,"data":11581,"content":11582},{},[11583],{"nodeType":1639,"value":2947,"marks":11584,"data":11586},[11585],{"type":1708},{},{"nodeType":1635,"data":11588,"content":11589},{},[11590],{"nodeType":1639,"value":2955,"marks":11591,"data":11592},[],{},{"nodeType":1635,"data":11594,"content":11595},{},[11596],{"nodeType":1639,"value":2962,"marks":11597,"data":11598},[],{},{"nodeType":1635,"data":11600,"content":11601},{},[11602],{"nodeType":1639,"value":2969,"marks":11603,"data":11604},[],{},{"nodeType":1635,"data":11606,"content":11607},{},[11608],{"nodeType":1639,"value":2976,"marks":11609,"data":11610},[],{},{"nodeType":1626,"data":11612,"content":11615},{"target":11613},{"sys":11614},{"id":2983,"type":1631,"linkType":1632},[],{"nodeType":1815,"data":11617,"content":11618},{},[11619],{"nodeType":1639,"value":2989,"marks":11620,"data":11622},[11621],{"type":1708},{},{"nodeType":1635,"data":11624,"content":11625},{},[11626],{"nodeType":1639,"value":2997,"marks":11627,"data":11628},[],{},{"nodeType":1726,"data":11630,"content":11631},{},[11632,11671],{"nodeType":1730,"data":11633,"content":11634},{},[11635],{"nodeType":1635,"data":11636,"content":11637},{},[11638,11641,11648,11651,11658,11661,11668],{"nodeType":1639,"value":3010,"marks":11639,"data":11640},[],{},{"nodeType":1644,"data":11642,"content":11643},{"uri":2629},[11644],{"nodeType":1639,"value":3017,"marks":11645,"data":11647},[11646],{"type":1652},{},{"nodeType":1639,"value":3022,"marks":11649,"data":11650},[],{},{"nodeType":1644,"data":11652,"content":11653},{"uri":3027},[11654],{"nodeType":1639,"value":3030,"marks":11655,"data":11657},[11656],{"type":1652},{},{"nodeType":1639,"value":3035,"marks":11659,"data":11660},[],{},{"nodeType":1644,"data":11662,"content":11663},{"uri":3040},[11664],{"nodeType":1639,"value":3043,"marks":11665,"data":11667},[11666],{"type":1652},{},{"nodeType":1639,"value":3048,"marks":11669,"data":11670},[],{},{"nodeType":1730,"data":11672,"content":11673},{},[11674],{"nodeType":1635,"data":11675,"content":11676},{},[11677,11680,11687,11690,11697],{"nodeType":1639,"value":3058,"marks":11678,"data":11679},[],{},{"nodeType":1644,"data":11681,"content":11682},{"uri":3063},[11683],{"nodeType":1639,"value":3066,"marks":11684,"data":11686},[11685],{"type":1652},{},{"nodeType":1639,"value":3071,"marks":11688,"data":11689},[],{},{"nodeType":1644,"data":11691,"content":11692},{"uri":3076},[11693],{"nodeType":1639,"value":3079,"marks":11694,"data":11696},[11695],{"type":1652},{},{"nodeType":1639,"value":3084,"marks":11698,"data":11699},[],{},{"nodeType":1626,"data":11701,"content":11704},{"target":11702},{"sys":11703},{"id":3091,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":11706,"content":11707},{},[],{"nodeType":1701,"data":11709,"content":11710},{},[11711],{"nodeType":1639,"value":3100,"marks":11712,"data":11714},[11713],{"type":1708},{},{"nodeType":1635,"data":11716,"content":11717},{},[11718],{"nodeType":1639,"value":3108,"marks":11719,"data":11720},[],{},{"nodeType":1635,"data":11722,"content":11723},{},[11724,11727,11731],{"nodeType":1639,"value":3115,"marks":11725,"data":11726},[],{},{"nodeType":1639,"value":3119,"marks":11728,"data":11730},[11729],{"type":1708},{},{"nodeType":1639,"value":3124,"marks":11732,"data":11733},[],{},{"nodeType":1635,"data":11735,"content":11736},{},[11737],{"nodeType":1639,"value":3131,"marks":11738,"data":11739},[],{},{"nodeType":1635,"data":11741,"content":11742},{},[11743],{"nodeType":1639,"value":3138,"marks":11744,"data":11745},[],{},{"nodeType":1626,"data":11747,"content":11750},{"target":11748},{"sys":11749},{"id":3145,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":11752,"content":11753},{},[11754,11757,11764],{"nodeType":1639,"value":3151,"marks":11755,"data":11756},[],{},{"nodeType":1644,"data":11758,"content":11759},{"uri":3156},[11760],{"nodeType":1639,"value":3159,"marks":11761,"data":11763},[11762],{"type":1652},{},{"nodeType":1639,"value":3164,"marks":11765,"data":11766},[],{},{"nodeType":1697,"data":11768,"content":11769},{},[],{"nodeType":1701,"data":11771,"content":11772},{},[11773],{"nodeType":1639,"value":3174,"marks":11774,"data":11776},[11775],{"type":1708},{},{"nodeType":1635,"data":11778,"content":11779},{},[11780],{"nodeType":1639,"value":3182,"marks":11781,"data":11782},[],{},{"nodeType":1626,"data":11784,"content":11787},{"target":11785},{"sys":11786},{"id":3189,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":11789,"content":11790},{},[11791,11794,11801],{"nodeType":1639,"value":3195,"marks":11792,"data":11793},[],{},{"nodeType":1644,"data":11795,"content":11796},{"uri":2192},[11797],{"nodeType":1639,"value":3202,"marks":11798,"data":11800},[11799],{"type":1652},{},{"nodeType":1639,"value":1851,"marks":11802,"data":11803},[],{},{"nodeType":1635,"data":11805,"content":11806},{},[11807],{"nodeType":1639,"value":3213,"marks":11808,"data":11809},[],{},{"nodeType":1635,"data":11811,"content":11812},{},[11813],{"nodeType":1639,"value":3220,"marks":11814,"data":11815},[],{},{"nodeType":1626,"data":11817,"content":11820},{"target":11818},{"sys":11819},{"id":3227,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":11822,"content":11823},{},[],{"nodeType":1701,"data":11825,"content":11826},{},[11827],{"nodeType":1639,"value":3236,"marks":11828,"data":11830},[11829],{"type":1708},{},{"nodeType":1635,"data":11832,"content":11833},{},[11834],{"nodeType":1639,"value":3244,"marks":11835,"data":11836},[],{},{"nodeType":1635,"data":11838,"content":11839},{},[11840],{"nodeType":1639,"value":3251,"marks":11841,"data":11842},[],{},{"nodeType":1626,"data":11844,"content":11847},{"target":11845},{"sys":11846},{"id":3258,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":11849,"content":11850},{},[11851],{"nodeType":1639,"value":3264,"marks":11852,"data":11853},[],{},{"nodeType":1626,"data":11855,"content":11858},{"target":11856},{"sys":11857},{"id":3271,"type":1631,"linkType":1632},[],{"nodeType":1626,"data":11860,"content":11863},{"target":11861},{"sys":11862},{"id":3277,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":11865,"content":11866},{},[11867,11870,11874,11877,11881],{"nodeType":1639,"value":3283,"marks":11868,"data":11869},[],{},{"nodeType":1639,"value":3287,"marks":11871,"data":11873},[11872],{"type":1708},{},{"nodeType":1639,"value":3292,"marks":11875,"data":11876},[],{},{"nodeType":1639,"value":3296,"marks":11878,"data":11880},[11879],{"type":1708},{},{"nodeType":1639,"value":3301,"marks":11882,"data":11883},[],{},{"nodeType":1626,"data":11885,"content":11888},{"target":11886},{"sys":11887},{"id":3308,"type":1631,"linkType":1632},[],{"nodeType":1815,"data":11890,"content":11891},{},[11892,11895],{"nodeType":1639,"value":3314,"marks":11893,"data":11894},[],{},{"nodeType":1639,"value":3318,"marks":11896,"data":11898},[11897],{"type":1708},{},{"nodeType":1635,"data":11900,"content":11901},{},[11902],{"nodeType":1639,"value":3326,"marks":11903,"data":11904},[],{},{"nodeType":1635,"data":11906,"content":11907},{},[11908],{"nodeType":1639,"value":3333,"marks":11909,"data":11910},[],{},{"nodeType":1635,"data":11912,"content":11913},{},[11914,11917,11923,11926,11933,11936,11942],{"nodeType":1639,"value":2470,"marks":11915,"data":11916},[],{},{"nodeType":1644,"data":11918,"content":11919},{"uri":2475},[11920],{"nodeType":1639,"value":2478,"marks":11921,"data":11922},[],{},{"nodeType":1639,"value":1655,"marks":11924,"data":11925},[],{},{"nodeType":1644,"data":11927,"content":11928},{"uri":2486},[11929],{"nodeType":1639,"value":2489,"marks":11930,"data":11932},[11931],{"type":1652},{},{"nodeType":1639,"value":2493,"marks":11934,"data":11935},[],{},{"nodeType":1644,"data":11937,"content":11938},{"uri":2498},[11939],{"nodeType":1639,"value":2501,"marks":11940,"data":11941},[],{},{"nodeType":1639,"value":2291,"marks":11943,"data":11944},[],{},{"entries":11946},{"hyperlink":11947,"inline":11948,"block":11949},[],[],[11950,11958,11972,11980,11988,11995,12020,12058,12077,12104,12110,12116,12123],{"sys":11951,"__typename":1391,"title":11952,"caption":11953,"layoutMode":61,"file":11954},{"id":2692},"Vercel breach summary","Overview of the breach and Vercel's response. ",{"url":11955,"width":11956,"height":11957},"https://images.ctfassets.net/y1cdw1ablpvd/63DxqlpuTD1qIjsSh2gXI2/f1da745b30082c52362c4eb875737548/Screenshot_2026-04-28_at_09.07.41.png",2912,912,{"sys":11959,"__typename":2514,"content":11960,"name":11971,"title":61},{"id":2716},{"json":11961},{"data":11962,"content":11963,"nodeType":1622},{},[11964],{"data":11965,"content":11966,"nodeType":1635},{},[11967],{"data":11968,"marks":11969,"value":11970,"nodeType":1639},{},[],"An all-too-common tale in the modern enterprise is the SaaS app that was trialled by a single employee, lightly used, integrated with core app tenants, and forgotten about — adding an invisible node to the organization’s attack surface.","Vercel IB 4",{"sys":11973,"__typename":1391,"title":11974,"caption":11975,"layoutMode":61,"file":11976},{"id":2901},"ai-sprawl-infographic","AI sprawl is worse than most organizations realize. ",{"url":11977,"width":11978,"height":11979},"https://images.ctfassets.net/y1cdw1ablpvd/7vCbQdyRkjLs5EmsjBBAQp/f373e97898c7f5ee33b269f342eccf61/ai-sprawl-infographic_2x.png",1800,1400,{"sys":11981,"__typename":1391,"title":11982,"caption":11983,"layoutMode":61,"file":11984},{"id":2941},"Illustrative example of SaaS OAuth sprawl. AI apps are highlighted orange.","Illustrative example of SaaS OAuth sprawl, from primary enterprise cloud, to core apps, to wider SaaS. AI apps are highlighted orange.",{"url":11985,"width":11986,"height":11987},"https://images.ctfassets.net/y1cdw1ablpvd/6u0rnGPxUjcFSxdbsIcNz0/b093fbd09053a6a764b03af9ba56e5df/Screenshot_2026-04-23_at_20.41.29.png",2516,2086,{"sys":11989,"__typename":1391,"title":11990,"caption":11990,"layoutMode":61,"file":11991},{"id":2983},"A normal employee in a poorly governed org can expose as much or more data than a developer in a well-governed one.",{"url":11992,"width":11993,"height":11994},"https://images.ctfassets.net/y1cdw1ablpvd/R2st9zXI0vB5Mu9Co2pA1/dc1843bc5be5da60252c9c7ea7caf677/oauth-blast-radius-push_1__4_.png",2880,2040,{"sys":11996,"__typename":2514,"content":11997,"name":12019,"title":61},{"id":3091},{"json":11998},{"nodeType":1622,"data":11999,"content":12000},{},[12001],{"nodeType":1635,"data":12002,"content":12003},{},[12004,12008,12015],{"nodeType":1639,"value":12005,"marks":12006,"data":12007},"Not only are attackers abusing existing (legitimate) OAuth connections as part of supply chain attacks, but they’re using OAuth-focused phishing as the front door to victim environments. Last year’s Salesforce campaign began with ",[],{},{"nodeType":1644,"data":12009,"content":12010},{"uri":4920},[12011],{"nodeType":1639,"value":4923,"marks":12012,"data":12014},[12013],{"type":1652},{},{"nodeType":1639,"value":12016,"marks":12017,"data":12018},", where attackers tricked victims into registering an attacker-controlled app into their Salesforce tenant, granting full API access for mass data exfiltration.",[],{},"Vercel IB 1",{"sys":12021,"__typename":2514,"content":12022,"name":12057,"title":61},{"id":3145},{"json":12023},{"nodeType":1622,"data":12024,"content":12025},{},[12026,12045],{"nodeType":1635,"data":12027,"content":12028},{},[12029,12033,12041],{"nodeType":1639,"value":12030,"marks":12031,"data":12032},"If you’re wondering how a personal device could result in corporate credential leakage, browser syncing (",[],{},{"nodeType":1644,"data":12034,"content":12035},{"uri":2670},[12036],{"nodeType":1639,"value":12037,"marks":12038,"data":12040},"where users sign into their personal account in a corporate browser",[12039],{"type":1652},{},{"nodeType":1639,"value":12042,"marks":12043,"data":12044},") can lead to this exact scenario. And given Vercel’s potentially lacking controls around OAuth integrations in their Workspace, it’s also possible that browser syncing had not been identified as a security risk and disabled. ",[],{},{"nodeType":1635,"data":12046,"content":12047},{},[12048,12052],{"nodeType":1639,"value":12049,"marks":12050,"data":12051},"The 2025 Verizon DBIR reported that 54% of all ransomware attacks traced back to infostealer-enabled credential theft. ",[],{},{"nodeType":1639,"value":12053,"marks":12054,"data":12056},"46% of systems with compromised corporate credentials were non-managed devices. ",[12055],{"type":1708},{},"Vercel IB 2",{"sys":12059,"__typename":2514,"content":12060,"name":12076,"title":61},{"id":3189},{"json":12061},{"nodeType":1622,"data":12062,"content":12063},{},[12064],{"nodeType":1635,"data":12065,"content":12066},{},[12067,12072],{"nodeType":1639,"value":12068,"marks":12069,"data":12071},"OAuth App:",[12070],{"type":1708},{},{"nodeType":1639,"value":12073,"marks":12074,"data":12075}," 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com",[],{},"Vercel IB 5",{"sys":12078,"__typename":2514,"content":12079,"name":12103,"title":61},{"id":3227},{"json":12080},{"nodeType":1622,"data":12081,"content":12082},{},[12083],{"nodeType":1635,"data":12084,"content":12085},{},[12086,12090,12099],{"nodeType":1639,"value":12087,"marks":12088,"data":12089},"Since the breach was initially reported, ",[],{},{"nodeType":1644,"data":12091,"content":12093},{"uri":12092},"https://thehackernews.com/2026/04/vercel-breach-tied-to-context-ai-hack.html",[12094],{"nodeType":1639,"value":12095,"marks":12096,"data":12098},"it has also emerged that",[12097],{"type":1652},{},{"nodeType":1639,"value":12100,"marks":12101,"data":12102}," Context.ai’s browser extension has also been pulled from the Chrome store. It’s unclear whether attackers were able to publish a malicious extension update too, whether the extension was removed at Context.ai’s request (because the app has been deprecated), or Google pulled it down as a precaution in light of the incident. ",[],{},"Vercel IB 3",{"sys":12105,"__typename":1391,"title":12106,"caption":12106,"layoutMode":61,"file":12107},{"id":3258},"Inspect apps and identities to uncover and remediate vulnerabilities.",{"url":12108,"width":6635,"height":12109},"https://images.ctfassets.net/y1cdw1ablpvd/4rfQX7ICFP2tiio0Ra9r0f/ef6cdc27bc3dde03127105189523e405/image5.png",1074,{"sys":12111,"__typename":1391,"title":12112,"caption":12112,"layoutMode":61,"file":12113},{"id":3271},"Analyse OAuth integrations, including permissions, user count, and other useful metadata. ",{"url":12114,"width":6635,"height":12115},"https://images.ctfassets.net/y1cdw1ablpvd/6srKhXfs62Ql2vIUc0QszJ/58ae9672ed3e79bfef1fb65a6cd7450a/image3.png",1091,{"sys":12117,"__typename":1391,"title":12118,"caption":12118,"layoutMode":61,"file":12119},{"id":3277},"Easily delete unwanted integrations. ",{"url":12120,"width":12121,"height":12122},"https://images.ctfassets.net/y1cdw1ablpvd/8BTe7GRIl7aLnwcmkRQkb/eb26d8d0ecb0165d4ab3c4d4a3ac6111/image1.png",567,213,{"sys":12124,"__typename":1391,"title":12125,"caption":12126,"layoutMode":61,"file":12127},{"id":3308},"Block OAuth connection attempts as they transit the browser using Push.","Block OAuth connection attempts as they transit the browser using Push. Example shows blocking Claude connectors. ",{"url":12128,"width":6666,"height":6667},"https://images.ctfassets.net/y1cdw1ablpvd/4TIl7F28Qd1Mk5M4vrFUF7/1b983ddc567ea7130cc76c3397d8fb69/OAuth_blocking.gif",{},"Unpacking the Vercel breach: Shadow AI and OAuth sprawl",{"items":12132},[12133,14469,15297],{"__typename":2613,"sys":12134,"content":12135,"title":10291,"synopsis":10292,"hashTags":61,"publishedDate":10293,"slug":10294,"tagsCollection":14459,"authorsCollection":14465},{"id":7713},{"json":12136},{"nodeType":1622,"data":12137,"content":12138},{},[12139,12155,12171,12177,12182,12188,12194,12197,12204,12209,12275,12291,12296,12302,12408,12411,12418,12424,12429,12432,12439,12475,12480,12486,12492,12498,12504,12520,12525,12530,12535,12540,12545,12550,12555,12561,12791,12794,12801,12928,12933,12936,12943,13070,13075,13078,13085,13224,13229,13232,13239,13373,13378,13381,13388,13527,13532,13535,13542,13682,13687,13690,13697,13788,13793,13796,13803,13894,13899,13902,13909,13914,14041,14046,14055,14058,14065,14075,14081,14086,14091,14097,14114,14127,14132,14135,14142,14149,14166,14183,14188,14194,14200,14207,14213,14219,14225,14232,14238,14283,14288,14291,14298,14304,14310,14350,14355,14361,14364,14371,14377,14383,14399,14404,14410,14417,14423],{"nodeType":1635,"data":12140,"content":12141},{},[12142,12145,12152],{"nodeType":1639,"value":7722,"marks":12143,"data":12144},[],{},{"nodeType":1644,"data":12146,"content":12147},{"uri":7727},[12148],{"nodeType":1639,"value":7730,"marks":12149,"data":12151},[12150],{"type":1652},{},{"nodeType":1639,"value":7735,"marks":12153,"data":12154},[],{},{"nodeType":1635,"data":12156,"content":12157},{},[12158,12161,12168],{"nodeType":1639,"value":29,"marks":12159,"data":12160},[],{},{"nodeType":1644,"data":12162,"content":12163},{"uri":7746},[12164],{"nodeType":1639,"value":6346,"marks":12165,"data":12167},[12166],{"type":1652},{},{"nodeType":1639,"value":7753,"marks":12169,"data":12170},[],{},{"nodeType":1635,"data":12172,"content":12173},{},[12174],{"nodeType":1639,"value":7760,"marks":12175,"data":12176},[],{},{"nodeType":1626,"data":12178,"content":12181},{"target":12179},{"sys":12180},{"id":7767,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":12183,"content":12184},{},[12185],{"nodeType":1639,"value":7773,"marks":12186,"data":12187},[],{},{"nodeType":1635,"data":12189,"content":12190},{},[12191],{"nodeType":1639,"value":7780,"marks":12192,"data":12193},[],{},{"nodeType":1697,"data":12195,"content":12196},{},[],{"nodeType":1701,"data":12198,"content":12199},{},[12200],{"nodeType":1639,"value":7790,"marks":12201,"data":12203},[12202],{"type":1708},{},{"nodeType":1626,"data":12205,"content":12208},{"target":12206},{"sys":12207},{"id":7798,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":12210,"content":12211},{},[12212,12215,12222,12225,12232,12235,12242,12245,12252,12255,12262,12265,12272],{"nodeType":1639,"value":7804,"marks":12213,"data":12214},[],{},{"nodeType":1644,"data":12216,"content":12217},{"uri":7809},[12218],{"nodeType":1639,"value":7812,"marks":12219,"data":12221},[12220],{"type":1652},{},{"nodeType":1639,"value":7817,"marks":12223,"data":12224},[],{},{"nodeType":1644,"data":12226,"content":12227},{"uri":7822},[12228],{"nodeType":1639,"value":7825,"marks":12229,"data":12231},[12230],{"type":1652},{},{"nodeType":1639,"value":7830,"marks":12233,"data":12234},[],{},{"nodeType":1644,"data":12236,"content":12237},{"uri":6754},[12238],{"nodeType":1639,"value":7837,"marks":12239,"data":12241},[12240],{"type":1652},{},{"nodeType":1639,"value":7842,"marks":12243,"data":12244},[],{},{"nodeType":1644,"data":12246,"content":12247},{"uri":7847},[12248],{"nodeType":1639,"value":7850,"marks":12249,"data":12251},[12250],{"type":1652},{},{"nodeType":1639,"value":7855,"marks":12253,"data":12254},[],{},{"nodeType":1644,"data":12256,"content":12257},{"uri":7860},[12258],{"nodeType":1639,"value":7863,"marks":12259,"data":12261},[12260],{"type":1652},{},{"nodeType":1639,"value":5688,"marks":12263,"data":12264},[],{},{"nodeType":1644,"data":12266,"content":12267},{"uri":7872},[12268],{"nodeType":1639,"value":7875,"marks":12269,"data":12271},[12270],{"type":1652},{},{"nodeType":1639,"value":7880,"marks":12273,"data":12274},[],{},{"nodeType":1635,"data":12276,"content":12277},{},[12278,12281,12288],{"nodeType":1639,"value":7887,"marks":12279,"data":12280},[],{},{"nodeType":1644,"data":12282,"content":12283},{"uri":7892},[12284],{"nodeType":1639,"value":7895,"marks":12285,"data":12287},[12286],{"type":1652},{},{"nodeType":1639,"value":7900,"marks":12289,"data":12290},[],{},{"nodeType":1626,"data":12292,"content":12295},{"target":12293},{"sys":12294},{"id":7907,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":12297,"content":12298},{},[12299],{"nodeType":1639,"value":7913,"marks":12300,"data":12301},[],{},{"nodeType":1726,"data":12303,"content":12304},{},[12305,12332,12350],{"nodeType":1730,"data":12306,"content":12307},{},[12308],{"nodeType":1635,"data":12309,"content":12310},{},[12311,12314,12320,12323,12329],{"nodeType":1639,"value":7926,"marks":12312,"data":12313},[],{},{"nodeType":1644,"data":12315,"content":12316},{"uri":6785},[12317],{"nodeType":1639,"value":7933,"marks":12318,"data":12319},[],{},{"nodeType":1639,"value":5688,"marks":12321,"data":12322},[],{},{"nodeType":1644,"data":12324,"content":12325},{"uri":7941},[12326],{"nodeType":1639,"value":7944,"marks":12327,"data":12328},[],{},{"nodeType":1639,"value":7948,"marks":12330,"data":12331},[],{},{"nodeType":1730,"data":12333,"content":12334},{},[12335],{"nodeType":1635,"data":12336,"content":12337},{},[12338,12341,12347],{"nodeType":1639,"value":7958,"marks":12339,"data":12340},[],{},{"nodeType":1644,"data":12342,"content":12343},{"uri":2629},[12344],{"nodeType":1639,"value":3017,"marks":12345,"data":12346},[],{},{"nodeType":1639,"value":7968,"marks":12348,"data":12349},[],{},{"nodeType":1730,"data":12351,"content":12352},{},[12353],{"nodeType":1635,"data":12354,"content":12355},{},[12356,12359,12365,12368,12375,12378,12385,12388,12395,12398,12405],{"nodeType":1639,"value":7978,"marks":12357,"data":12358},[],{},{"nodeType":1644,"data":12360,"content":12361},{"uri":7983},[12362],{"nodeType":1639,"value":7986,"marks":12363,"data":12364},[],{},{"nodeType":1639,"value":7990,"marks":12366,"data":12367},[],{},{"nodeType":1644,"data":12369,"content":12370},{"uri":7995},[12371],{"nodeType":1639,"value":7998,"marks":12372,"data":12374},[12373],{"type":1652},{},{"nodeType":1639,"value":8003,"marks":12376,"data":12377},[],{},{"nodeType":1644,"data":12379,"content":12380},{"uri":8008},[12381],{"nodeType":1639,"value":8011,"marks":12382,"data":12384},[12383],{"type":1652},{},{"nodeType":1639,"value":8016,"marks":12386,"data":12387},[],{},{"nodeType":1644,"data":12389,"content":12390},{"uri":8021},[12391],{"nodeType":1639,"value":8024,"marks":12392,"data":12394},[12393],{"type":1652},{},{"nodeType":1639,"value":8029,"marks":12396,"data":12397},[],{},{"nodeType":1644,"data":12399,"content":12400},{"uri":8034},[12401],{"nodeType":1639,"value":8037,"marks":12402,"data":12404},[12403],{"type":1652},{},{"nodeType":1639,"value":8042,"marks":12406,"data":12407},[],{},{"nodeType":1697,"data":12409,"content":12410},{},[],{"nodeType":1701,"data":12412,"content":12413},{},[12414],{"nodeType":1639,"value":8052,"marks":12415,"data":12417},[12416],{"type":1708},{},{"nodeType":1635,"data":12419,"content":12420},{},[12421],{"nodeType":1639,"value":8060,"marks":12422,"data":12423},[],{},{"nodeType":1626,"data":12425,"content":12428},{"target":12426},{"sys":12427},{"id":8067,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":12430,"content":12431},{},[],{"nodeType":1815,"data":12433,"content":12434},{},[12435],{"nodeType":1639,"value":8076,"marks":12436,"data":12438},[12437],{"type":1708},{},{"nodeType":1635,"data":12440,"content":12441},{},[12442,12445,12452,12455,12462,12465,12472],{"nodeType":1639,"value":29,"marks":12443,"data":12444},[],{},{"nodeType":1644,"data":12446,"content":12447},{"uri":8021},[12448],{"nodeType":1639,"value":8024,"marks":12449,"data":12451},[12450],{"type":1652},{},{"nodeType":1639,"value":1655,"marks":12453,"data":12454},[],{},{"nodeType":1644,"data":12456,"content":12457},{"uri":8098},[12458],{"nodeType":1639,"value":8101,"marks":12459,"data":12461},[12460],{"type":1652},{},{"nodeType":1639,"value":8106,"marks":12463,"data":12464},[],{},{"nodeType":1644,"data":12466,"content":12467},{"uri":8008},[12468],{"nodeType":1639,"value":8113,"marks":12469,"data":12471},[12470],{"type":1652},{},{"nodeType":1639,"value":8118,"marks":12473,"data":12474},[],{},{"nodeType":1626,"data":12476,"content":12479},{"target":12477},{"sys":12478},{"id":8125,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":12481,"content":12482},{},[12483],{"nodeType":1639,"value":8131,"marks":12484,"data":12485},[],{},{"nodeType":1635,"data":12487,"content":12488},{},[12489],{"nodeType":1639,"value":8138,"marks":12490,"data":12491},[],{},{"nodeType":1635,"data":12493,"content":12494},{},[12495],{"nodeType":1639,"value":8145,"marks":12496,"data":12497},[],{},{"nodeType":1635,"data":12499,"content":12500},{},[12501],{"nodeType":1639,"value":8152,"marks":12502,"data":12503},[],{},{"nodeType":1635,"data":12505,"content":12506},{},[12507,12510,12517],{"nodeType":1639,"value":8159,"marks":12508,"data":12509},[],{},{"nodeType":1644,"data":12511,"content":12512},{"uri":7249},[12513],{"nodeType":1639,"value":7252,"marks":12514,"data":12516},[12515],{"type":1652},{},{"nodeType":1639,"value":8170,"marks":12518,"data":12519},[],{},{"nodeType":1626,"data":12521,"content":12524},{"target":12522},{"sys":12523},{"id":8177,"type":1631,"linkType":1632},[],{"nodeType":1626,"data":12526,"content":12529},{"target":12527},{"sys":12528},{"id":8183,"type":1631,"linkType":1632},[],{"nodeType":1626,"data":12531,"content":12534},{"target":12532},{"sys":12533},{"id":8189,"type":1631,"linkType":1632},[],{"nodeType":1626,"data":12536,"content":12539},{"target":12537},{"sys":12538},{"id":8195,"type":1631,"linkType":1632},[],{"nodeType":1626,"data":12541,"content":12544},{"target":12542},{"sys":12543},{"id":8201,"type":1631,"linkType":1632},[],{"nodeType":1626,"data":12546,"content":12549},{"target":12547},{"sys":12548},{"id":8207,"type":1631,"linkType":1632},[],{"nodeType":1626,"data":12551,"content":12554},{"target":12552},{"sys":12553},{"id":8213,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":12556,"content":12557},{},[12558],{"nodeType":1639,"value":29,"marks":12559,"data":12560},[],{},{"nodeType":4764,"data":12562,"content":12563},{},[12564,12586,12657,12703,12725],{"nodeType":4768,"data":12565,"content":12566},{},[12567,12577],{"nodeType":4798,"data":12568,"content":12569},{},[12570],{"nodeType":1635,"data":12571,"content":12572},{},[12573],{"nodeType":1639,"value":8234,"marks":12574,"data":12576},[12575],{"type":1708},{},{"nodeType":4798,"data":12578,"content":12579},{},[12580],{"nodeType":1635,"data":12581,"content":12582},{},[12583],{"nodeType":1639,"value":8245,"marks":12584,"data":12585},[],{},{"nodeType":4768,"data":12587,"content":12588},{},[12589,12599],{"nodeType":4798,"data":12590,"content":12591},{},[12592],{"nodeType":1635,"data":12593,"content":12594},{},[12595],{"nodeType":1639,"value":8258,"marks":12596,"data":12598},[12597],{"type":1708},{},{"nodeType":4798,"data":12600,"content":12601},{},[12602,12626],{"nodeType":1635,"data":12603,"content":12604},{},[12605,12609,12612,12616,12619,12623],{"nodeType":1639,"value":8269,"marks":12606,"data":12608},[12607],{"type":1708},{},{"nodeType":1639,"value":8274,"marks":12610,"data":12611},[],{},{"nodeType":1639,"value":8278,"marks":12613,"data":12615},[12614],{"type":1708},{},{"nodeType":1639,"value":8283,"marks":12617,"data":12618},[],{},{"nodeType":1639,"value":8287,"marks":12620,"data":12622},[12621],{"type":1708},{},{"nodeType":1639,"value":8292,"marks":12624,"data":12625},[],{},{"nodeType":1635,"data":12627,"content":12628},{},[12629,12633,12636,12640,12643,12647,12650,12654],{"nodeType":1639,"value":8299,"marks":12630,"data":12632},[12631],{"type":1708},{},{"nodeType":1639,"value":1755,"marks":12634,"data":12635},[],{},{"nodeType":1639,"value":8307,"marks":12637,"data":12639},[12638],{"type":1708},{},{"nodeType":1639,"value":8312,"marks":12641,"data":12642},[],{},{"nodeType":1639,"value":8278,"marks":12644,"data":12646},[12645],{"type":1708},{},{"nodeType":1639,"value":8320,"marks":12648,"data":12649},[],{},{"nodeType":1639,"value":8287,"marks":12651,"data":12653},[12652],{"type":1708},{},{"nodeType":1639,"value":8328,"marks":12655,"data":12656},[],{},{"nodeType":4768,"data":12658,"content":12659},{},[12660,12670],{"nodeType":4798,"data":12661,"content":12662},{},[12663],{"nodeType":1635,"data":12664,"content":12665},{},[12666],{"nodeType":1639,"value":8341,"marks":12667,"data":12669},[12668],{"type":1708},{},{"nodeType":4798,"data":12671,"content":12672},{},[12673,12679,12685,12691,12697],{"nodeType":1635,"data":12674,"content":12675},{},[12676],{"nodeType":1639,"value":8352,"marks":12677,"data":12678},[],{},{"nodeType":1635,"data":12680,"content":12681},{},[12682],{"nodeType":1639,"value":8359,"marks":12683,"data":12684},[],{},{"nodeType":1635,"data":12686,"content":12687},{},[12688],{"nodeType":1639,"value":8366,"marks":12689,"data":12690},[],{},{"nodeType":1635,"data":12692,"content":12693},{},[12694],{"nodeType":1639,"value":8373,"marks":12695,"data":12696},[],{},{"nodeType":1635,"data":12698,"content":12699},{},[12700],{"nodeType":1639,"value":8380,"marks":12701,"data":12702},[],{},{"nodeType":4768,"data":12704,"content":12705},{},[12706,12716],{"nodeType":4798,"data":12707,"content":12708},{},[12709],{"nodeType":1635,"data":12710,"content":12711},{},[12712],{"nodeType":1639,"value":8393,"marks":12713,"data":12715},[12714],{"type":1708},{},{"nodeType":4798,"data":12717,"content":12718},{},[12719],{"nodeType":1635,"data":12720,"content":12721},{},[12722],{"nodeType":1639,"value":8404,"marks":12723,"data":12724},[],{},{"nodeType":4768,"data":12726,"content":12727},{},[12728,12738],{"nodeType":4798,"data":12729,"content":12730},{},[12731],{"nodeType":1635,"data":12732,"content":12733},{},[12734],{"nodeType":1639,"value":8417,"marks":12735,"data":12737},[12736],{"type":1708},{},{"nodeType":4798,"data":12739,"content":12740},{},[12741,12751,12761,12771,12781],{"nodeType":1635,"data":12742,"content":12743},{},[12744,12748],{"nodeType":1639,"value":8428,"marks":12745,"data":12747},[12746],{"type":1708},{},{"nodeType":1639,"value":8433,"marks":12749,"data":12750},[],{},{"nodeType":1635,"data":12752,"content":12753},{},[12754,12758],{"nodeType":1639,"value":8440,"marks":12755,"data":12757},[12756],{"type":1708},{},{"nodeType":1639,"value":8445,"marks":12759,"data":12760},[],{},{"nodeType":1635,"data":12762,"content":12763},{},[12764,12768],{"nodeType":1639,"value":8452,"marks":12765,"data":12767},[12766],{"type":1708},{},{"nodeType":1639,"value":8457,"marks":12769,"data":12770},[],{},{"nodeType":1635,"data":12772,"content":12773},{},[12774,12778],{"nodeType":1639,"value":8464,"marks":12775,"data":12777},[12776],{"type":1708},{},{"nodeType":1639,"value":8469,"marks":12779,"data":12780},[],{},{"nodeType":1635,"data":12782,"content":12783},{},[12784,12788],{"nodeType":1639,"value":8476,"marks":12785,"data":12787},[12786],{"type":1708},{},{"nodeType":1639,"value":8481,"marks":12789,"data":12790},[],{},{"nodeType":1697,"data":12792,"content":12793},{},[],{"nodeType":1815,"data":12795,"content":12796},{},[12797],{"nodeType":1639,"value":8491,"marks":12798,"data":12800},[12799],{"type":1708},{},{"nodeType":4764,"data":12802,"content":12803},{},[12804,12826,12862,12884,12906],{"nodeType":4768,"data":12805,"content":12806},{},[12807,12817],{"nodeType":4798,"data":12808,"content":12809},{},[12810],{"nodeType":1635,"data":12811,"content":12812},{},[12813],{"nodeType":1639,"value":8234,"marks":12814,"data":12816},[12815],{"type":1708},{},{"nodeType":4798,"data":12818,"content":12819},{},[12820],{"nodeType":1635,"data":12821,"content":12822},{},[12823],{"nodeType":1639,"value":8518,"marks":12824,"data":12825},[],{},{"nodeType":4768,"data":12827,"content":12828},{},[12829,12839],{"nodeType":4798,"data":12830,"content":12831},{},[12832],{"nodeType":1635,"data":12833,"content":12834},{},[12835],{"nodeType":1639,"value":8258,"marks":12836,"data":12838},[12837],{"type":1708},{},{"nodeType":4798,"data":12840,"content":12841},{},[12842,12852],{"nodeType":1635,"data":12843,"content":12844},{},[12845,12849],{"nodeType":1639,"value":8541,"marks":12846,"data":12848},[12847],{"type":1708},{},{"nodeType":1639,"value":8546,"marks":12850,"data":12851},[],{},{"nodeType":1635,"data":12853,"content":12854},{},[12855,12859],{"nodeType":1639,"value":8299,"marks":12856,"data":12858},[12857],{"type":1708},{},{"nodeType":1639,"value":8557,"marks":12860,"data":12861},[],{},{"nodeType":4768,"data":12863,"content":12864},{},[12865,12875],{"nodeType":4798,"data":12866,"content":12867},{},[12868],{"nodeType":1635,"data":12869,"content":12870},{},[12871],{"nodeType":1639,"value":8341,"marks":12872,"data":12874},[12873],{"type":1708},{},{"nodeType":4798,"data":12876,"content":12877},{},[12878],{"nodeType":1635,"data":12879,"content":12880},{},[12881],{"nodeType":1639,"value":8580,"marks":12882,"data":12883},[],{},{"nodeType":4768,"data":12885,"content":12886},{},[12887,12897],{"nodeType":4798,"data":12888,"content":12889},{},[12890],{"nodeType":1635,"data":12891,"content":12892},{},[12893],{"nodeType":1639,"value":8393,"marks":12894,"data":12896},[12895],{"type":1708},{},{"nodeType":4798,"data":12898,"content":12899},{},[12900],{"nodeType":1635,"data":12901,"content":12902},{},[12903],{"nodeType":1639,"value":8603,"marks":12904,"data":12905},[],{},{"nodeType":4768,"data":12907,"content":12908},{},[12909,12919],{"nodeType":4798,"data":12910,"content":12911},{},[12912],{"nodeType":1635,"data":12913,"content":12914},{},[12915],{"nodeType":1639,"value":8616,"marks":12916,"data":12918},[12917],{"type":1708},{},{"nodeType":4798,"data":12920,"content":12921},{},[12922],{"nodeType":1635,"data":12923,"content":12924},{},[12925],{"nodeType":1639,"value":8627,"marks":12926,"data":12927},[],{},{"nodeType":1626,"data":12929,"content":12932},{"target":12930},{"sys":12931},{"id":8634,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":12934,"content":12935},{},[],{"nodeType":1815,"data":12937,"content":12938},{},[12939],{"nodeType":1639,"value":8643,"marks":12940,"data":12942},[12941],{"type":1708},{},{"nodeType":4764,"data":12944,"content":12945},{},[12946,12968,13004,13026,13048],{"nodeType":4768,"data":12947,"content":12948},{},[12949,12959],{"nodeType":4798,"data":12950,"content":12951},{},[12952],{"nodeType":1635,"data":12953,"content":12954},{},[12955],{"nodeType":1639,"value":8234,"marks":12956,"data":12958},[12957],{"type":1708},{},{"nodeType":4798,"data":12960,"content":12961},{},[12962],{"nodeType":1635,"data":12963,"content":12964},{},[12965],{"nodeType":1639,"value":8670,"marks":12966,"data":12967},[],{},{"nodeType":4768,"data":12969,"content":12970},{},[12971,12981],{"nodeType":4798,"data":12972,"content":12973},{},[12974],{"nodeType":1635,"data":12975,"content":12976},{},[12977],{"nodeType":1639,"value":8258,"marks":12978,"data":12980},[12979],{"type":1708},{},{"nodeType":4798,"data":12982,"content":12983},{},[12984,12994],{"nodeType":1635,"data":12985,"content":12986},{},[12987,12991],{"nodeType":1639,"value":8693,"marks":12988,"data":12990},[12989],{"type":1708},{},{"nodeType":1639,"value":8698,"marks":12992,"data":12993},[],{},{"nodeType":1635,"data":12995,"content":12996},{},[12997,13001],{"nodeType":1639,"value":8299,"marks":12998,"data":13000},[12999],{"type":1708},{},{"nodeType":1639,"value":8709,"marks":13002,"data":13003},[],{},{"nodeType":4768,"data":13005,"content":13006},{},[13007,13017],{"nodeType":4798,"data":13008,"content":13009},{},[13010],{"nodeType":1635,"data":13011,"content":13012},{},[13013],{"nodeType":1639,"value":8341,"marks":13014,"data":13016},[13015],{"type":1708},{},{"nodeType":4798,"data":13018,"content":13019},{},[13020],{"nodeType":1635,"data":13021,"content":13022},{},[13023],{"nodeType":1639,"value":8732,"marks":13024,"data":13025},[],{},{"nodeType":4768,"data":13027,"content":13028},{},[13029,13039],{"nodeType":4798,"data":13030,"content":13031},{},[13032],{"nodeType":1635,"data":13033,"content":13034},{},[13035],{"nodeType":1639,"value":8393,"marks":13036,"data":13038},[13037],{"type":1708},{},{"nodeType":4798,"data":13040,"content":13041},{},[13042],{"nodeType":1635,"data":13043,"content":13044},{},[13045],{"nodeType":1639,"value":8755,"marks":13046,"data":13047},[],{},{"nodeType":4768,"data":13049,"content":13050},{},[13051,13061],{"nodeType":4798,"data":13052,"content":13053},{},[13054],{"nodeType":1635,"data":13055,"content":13056},{},[13057],{"nodeType":1639,"value":8616,"marks":13058,"data":13060},[13059],{"type":1708},{},{"nodeType":4798,"data":13062,"content":13063},{},[13064],{"nodeType":1635,"data":13065,"content":13066},{},[13067],{"nodeType":1639,"value":8778,"marks":13068,"data":13069},[],{},{"nodeType":1626,"data":13071,"content":13074},{"target":13072},{"sys":13073},{"id":8785,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":13076,"content":13077},{},[],{"nodeType":1815,"data":13079,"content":13080},{},[13081],{"nodeType":1639,"value":8794,"marks":13082,"data":13084},[13083],{"type":1708},{},{"nodeType":4764,"data":13086,"content":13087},{},[13088,13110,13152,13180,13202],{"nodeType":4768,"data":13089,"content":13090},{},[13091,13101],{"nodeType":4798,"data":13092,"content":13093},{},[13094],{"nodeType":1635,"data":13095,"content":13096},{},[13097],{"nodeType":1639,"value":8234,"marks":13098,"data":13100},[13099],{"type":1708},{},{"nodeType":4798,"data":13102,"content":13103},{},[13104],{"nodeType":1635,"data":13105,"content":13106},{},[13107],{"nodeType":1639,"value":8821,"marks":13108,"data":13109},[],{},{"nodeType":4768,"data":13111,"content":13112},{},[13113,13123],{"nodeType":4798,"data":13114,"content":13115},{},[13116],{"nodeType":1635,"data":13117,"content":13118},{},[13119],{"nodeType":1639,"value":8258,"marks":13120,"data":13122},[13121],{"type":1708},{},{"nodeType":4798,"data":13124,"content":13125},{},[13126,13136,13142],{"nodeType":1635,"data":13127,"content":13128},{},[13129,13133],{"nodeType":1639,"value":8693,"marks":13130,"data":13132},[13131],{"type":1708},{},{"nodeType":1639,"value":8848,"marks":13134,"data":13135},[],{},{"nodeType":1635,"data":13137,"content":13138},{},[13139],{"nodeType":1639,"value":8855,"marks":13140,"data":13141},[],{},{"nodeType":1635,"data":13143,"content":13144},{},[13145,13149],{"nodeType":1639,"value":8299,"marks":13146,"data":13148},[13147],{"type":1708},{},{"nodeType":1639,"value":8866,"marks":13150,"data":13151},[],{},{"nodeType":4768,"data":13153,"content":13154},{},[13155,13165],{"nodeType":4798,"data":13156,"content":13157},{},[13158],{"nodeType":1635,"data":13159,"content":13160},{},[13161],{"nodeType":1639,"value":8341,"marks":13162,"data":13164},[13163],{"type":1708},{},{"nodeType":4798,"data":13166,"content":13167},{},[13168,13174],{"nodeType":1635,"data":13169,"content":13170},{},[13171],{"nodeType":1639,"value":8889,"marks":13172,"data":13173},[],{},{"nodeType":1635,"data":13175,"content":13176},{},[13177],{"nodeType":1639,"value":8896,"marks":13178,"data":13179},[],{},{"nodeType":4768,"data":13181,"content":13182},{},[13183,13193],{"nodeType":4798,"data":13184,"content":13185},{},[13186],{"nodeType":1635,"data":13187,"content":13188},{},[13189],{"nodeType":1639,"value":8393,"marks":13190,"data":13192},[13191],{"type":1708},{},{"nodeType":4798,"data":13194,"content":13195},{},[13196],{"nodeType":1635,"data":13197,"content":13198},{},[13199],{"nodeType":1639,"value":8919,"marks":13200,"data":13201},[],{},{"nodeType":4768,"data":13203,"content":13204},{},[13205,13215],{"nodeType":4798,"data":13206,"content":13207},{},[13208],{"nodeType":1635,"data":13209,"content":13210},{},[13211],{"nodeType":1639,"value":8616,"marks":13212,"data":13214},[13213],{"type":1708},{},{"nodeType":4798,"data":13216,"content":13217},{},[13218],{"nodeType":1635,"data":13219,"content":13220},{},[13221],{"nodeType":1639,"value":8942,"marks":13222,"data":13223},[],{},{"nodeType":1626,"data":13225,"content":13228},{"target":13226},{"sys":13227},{"id":8949,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":13230,"content":13231},{},[],{"nodeType":1815,"data":13233,"content":13234},{},[13235],{"nodeType":1639,"value":8958,"marks":13236,"data":13238},[13237],{"type":1708},{},{"nodeType":4764,"data":13240,"content":13241},{},[13242,13264,13307,13329,13351],{"nodeType":4768,"data":13243,"content":13244},{},[13245,13255],{"nodeType":4798,"data":13246,"content":13247},{},[13248],{"nodeType":1635,"data":13249,"content":13250},{},[13251],{"nodeType":1639,"value":8234,"marks":13252,"data":13254},[13253],{"type":1708},{},{"nodeType":4798,"data":13256,"content":13257},{},[13258],{"nodeType":1635,"data":13259,"content":13260},{},[13261],{"nodeType":1639,"value":8985,"marks":13262,"data":13263},[],{},{"nodeType":4768,"data":13265,"content":13266},{},[13267,13277],{"nodeType":4798,"data":13268,"content":13269},{},[13270],{"nodeType":1635,"data":13271,"content":13272},{},[13273],{"nodeType":1639,"value":8258,"marks":13274,"data":13276},[13275],{"type":1708},{},{"nodeType":4798,"data":13278,"content":13279},{},[13280,13290],{"nodeType":1635,"data":13281,"content":13282},{},[13283,13287],{"nodeType":1639,"value":8693,"marks":13284,"data":13286},[13285],{"type":1708},{},{"nodeType":1639,"value":9012,"marks":13288,"data":13289},[],{},{"nodeType":1635,"data":13291,"content":13292},{},[13293,13297,13300,13304],{"nodeType":1639,"value":8299,"marks":13294,"data":13296},[13295],{"type":1708},{},{"nodeType":1639,"value":1755,"marks":13298,"data":13299},[],{},{"nodeType":1639,"value":9026,"marks":13301,"data":13303},[13302],{"type":1708},{},{"nodeType":1639,"value":9031,"marks":13305,"data":13306},[],{},{"nodeType":4768,"data":13308,"content":13309},{},[13310,13320],{"nodeType":4798,"data":13311,"content":13312},{},[13313],{"nodeType":1635,"data":13314,"content":13315},{},[13316],{"nodeType":1639,"value":8341,"marks":13317,"data":13319},[13318],{"type":1708},{},{"nodeType":4798,"data":13321,"content":13322},{},[13323],{"nodeType":1635,"data":13324,"content":13325},{},[13326],{"nodeType":1639,"value":9054,"marks":13327,"data":13328},[],{},{"nodeType":4768,"data":13330,"content":13331},{},[13332,13342],{"nodeType":4798,"data":13333,"content":13334},{},[13335],{"nodeType":1635,"data":13336,"content":13337},{},[13338],{"nodeType":1639,"value":8393,"marks":13339,"data":13341},[13340],{"type":1708},{},{"nodeType":4798,"data":13343,"content":13344},{},[13345],{"nodeType":1635,"data":13346,"content":13347},{},[13348],{"nodeType":1639,"value":9077,"marks":13349,"data":13350},[],{},{"nodeType":4768,"data":13352,"content":13353},{},[13354,13364],{"nodeType":4798,"data":13355,"content":13356},{},[13357],{"nodeType":1635,"data":13358,"content":13359},{},[13360],{"nodeType":1639,"value":8616,"marks":13361,"data":13363},[13362],{"type":1708},{},{"nodeType":4798,"data":13365,"content":13366},{},[13367],{"nodeType":1635,"data":13368,"content":13369},{},[13370],{"nodeType":1639,"value":9100,"marks":13371,"data":13372},[],{},{"nodeType":1626,"data":13374,"content":13377},{"target":13375},{"sys":13376},{"id":9107,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":13379,"content":13380},{},[],{"nodeType":1815,"data":13382,"content":13383},{},[13384],{"nodeType":1639,"value":9116,"marks":13385,"data":13387},[13386],{"type":1708},{},{"nodeType":4764,"data":13389,"content":13390},{},[13391,13413,13449,13483,13505],{"nodeType":4768,"data":13392,"content":13393},{},[13394,13404],{"nodeType":4798,"data":13395,"content":13396},{},[13397],{"nodeType":1635,"data":13398,"content":13399},{},[13400],{"nodeType":1639,"value":8234,"marks":13401,"data":13403},[13402],{"type":1708},{},{"nodeType":4798,"data":13405,"content":13406},{},[13407],{"nodeType":1635,"data":13408,"content":13409},{},[13410],{"nodeType":1639,"value":9143,"marks":13411,"data":13412},[],{},{"nodeType":4768,"data":13414,"content":13415},{},[13416,13426],{"nodeType":4798,"data":13417,"content":13418},{},[13419],{"nodeType":1635,"data":13420,"content":13421},{},[13422],{"nodeType":1639,"value":8258,"marks":13423,"data":13425},[13424],{"type":1708},{},{"nodeType":4798,"data":13427,"content":13428},{},[13429,13439],{"nodeType":1635,"data":13430,"content":13431},{},[13432,13436],{"nodeType":1639,"value":8693,"marks":13433,"data":13435},[13434],{"type":1708},{},{"nodeType":1639,"value":9170,"marks":13437,"data":13438},[],{},{"nodeType":1635,"data":13440,"content":13441},{},[13442,13446],{"nodeType":1639,"value":8299,"marks":13443,"data":13445},[13444],{"type":1708},{},{"nodeType":1639,"value":9181,"marks":13447,"data":13448},[],{},{"nodeType":4768,"data":13450,"content":13451},{},[13452,13462],{"nodeType":4798,"data":13453,"content":13454},{},[13455],{"nodeType":1635,"data":13456,"content":13457},{},[13458],{"nodeType":1639,"value":8341,"marks":13459,"data":13461},[13460],{"type":1708},{},{"nodeType":4798,"data":13463,"content":13464},{},[13465,13471,13477],{"nodeType":1635,"data":13466,"content":13467},{},[13468],{"nodeType":1639,"value":9204,"marks":13469,"data":13470},[],{},{"nodeType":1635,"data":13472,"content":13473},{},[13474],{"nodeType":1639,"value":9211,"marks":13475,"data":13476},[],{},{"nodeType":1635,"data":13478,"content":13479},{},[13480],{"nodeType":1639,"value":9218,"marks":13481,"data":13482},[],{},{"nodeType":4768,"data":13484,"content":13485},{},[13486,13496],{"nodeType":4798,"data":13487,"content":13488},{},[13489],{"nodeType":1635,"data":13490,"content":13491},{},[13492],{"nodeType":1639,"value":8393,"marks":13493,"data":13495},[13494],{"type":1708},{},{"nodeType":4798,"data":13497,"content":13498},{},[13499],{"nodeType":1635,"data":13500,"content":13501},{},[13502],{"nodeType":1639,"value":9241,"marks":13503,"data":13504},[],{},{"nodeType":4768,"data":13506,"content":13507},{},[13508,13518],{"nodeType":4798,"data":13509,"content":13510},{},[13511],{"nodeType":1635,"data":13512,"content":13513},{},[13514],{"nodeType":1639,"value":8616,"marks":13515,"data":13517},[13516],{"type":1708},{},{"nodeType":4798,"data":13519,"content":13520},{},[13521],{"nodeType":1635,"data":13522,"content":13523},{},[13524],{"nodeType":1639,"value":9264,"marks":13525,"data":13526},[],{},{"nodeType":1626,"data":13528,"content":13531},{"target":13529},{"sys":13530},{"id":9271,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":13533,"content":13534},{},[],{"nodeType":1815,"data":13536,"content":13537},{},[13538],{"nodeType":1639,"value":9280,"marks":13539,"data":13541},[13540],{"type":1708},{},{"nodeType":4764,"data":13543,"content":13544},{},[13545,13567,13610,13638,13660],{"nodeType":4768,"data":13546,"content":13547},{},[13548,13558],{"nodeType":4798,"data":13549,"content":13550},{},[13551],{"nodeType":1635,"data":13552,"content":13553},{},[13554],{"nodeType":1639,"value":8234,"marks":13555,"data":13557},[13556],{"type":1708},{},{"nodeType":4798,"data":13559,"content":13560},{},[13561],{"nodeType":1635,"data":13562,"content":13563},{},[13564],{"nodeType":1639,"value":8985,"marks":13565,"data":13566},[],{},{"nodeType":4768,"data":13568,"content":13569},{},[13570,13580],{"nodeType":4798,"data":13571,"content":13572},{},[13573],{"nodeType":1635,"data":13574,"content":13575},{},[13576],{"nodeType":1639,"value":8258,"marks":13577,"data":13579},[13578],{"type":1708},{},{"nodeType":4798,"data":13581,"content":13582},{},[13583,13593],{"nodeType":1635,"data":13584,"content":13585},{},[13586,13590],{"nodeType":1639,"value":8693,"marks":13587,"data":13589},[13588],{"type":1708},{},{"nodeType":1639,"value":9333,"marks":13591,"data":13592},[],{},{"nodeType":1635,"data":13594,"content":13595},{},[13596,13600,13603,13607],{"nodeType":1639,"value":8299,"marks":13597,"data":13599},[13598],{"type":1708},{},{"nodeType":1639,"value":1755,"marks":13601,"data":13602},[],{},{"nodeType":1639,"value":9026,"marks":13604,"data":13606},[13605],{"type":1708},{},{"nodeType":1639,"value":9351,"marks":13608,"data":13609},[],{},{"nodeType":4768,"data":13611,"content":13612},{},[13613,13623],{"nodeType":4798,"data":13614,"content":13615},{},[13616],{"nodeType":1635,"data":13617,"content":13618},{},[13619],{"nodeType":1639,"value":8341,"marks":13620,"data":13622},[13621],{"type":1708},{},{"nodeType":4798,"data":13624,"content":13625},{},[13626,13632],{"nodeType":1635,"data":13627,"content":13628},{},[13629],{"nodeType":1639,"value":9374,"marks":13630,"data":13631},[],{},{"nodeType":1635,"data":13633,"content":13634},{},[13635],{"nodeType":1639,"value":9381,"marks":13636,"data":13637},[],{},{"nodeType":4768,"data":13639,"content":13640},{},[13641,13651],{"nodeType":4798,"data":13642,"content":13643},{},[13644],{"nodeType":1635,"data":13645,"content":13646},{},[13647],{"nodeType":1639,"value":8393,"marks":13648,"data":13650},[13649],{"type":1708},{},{"nodeType":4798,"data":13652,"content":13653},{},[13654],{"nodeType":1635,"data":13655,"content":13656},{},[13657],{"nodeType":1639,"value":9404,"marks":13658,"data":13659},[],{},{"nodeType":4768,"data":13661,"content":13662},{},[13663,13673],{"nodeType":4798,"data":13664,"content":13665},{},[13666],{"nodeType":1635,"data":13667,"content":13668},{},[13669],{"nodeType":1639,"value":8616,"marks":13670,"data":13672},[13671],{"type":1708},{},{"nodeType":4798,"data":13674,"content":13675},{},[13676],{"nodeType":1635,"data":13677,"content":13678},{},[13679],{"nodeType":1639,"value":9427,"marks":13680,"data":13681},[],{},{"nodeType":1626,"data":13683,"content":13686},{"target":13684},{"sys":13685},{"id":9434,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":13688,"content":13689},{},[],{"nodeType":1815,"data":13691,"content":13692},{},[13693],{"nodeType":1639,"value":9443,"marks":13694,"data":13696},[13695],{"type":1708},{},{"nodeType":4764,"data":13698,"content":13699},{},[13700,13722,13744,13766],{"nodeType":4768,"data":13701,"content":13702},{},[13703,13713],{"nodeType":4798,"data":13704,"content":13705},{},[13706],{"nodeType":1635,"data":13707,"content":13708},{},[13709],{"nodeType":1639,"value":8234,"marks":13710,"data":13712},[13711],{"type":1708},{},{"nodeType":4798,"data":13714,"content":13715},{},[13716],{"nodeType":1635,"data":13717,"content":13718},{},[13719],{"nodeType":1639,"value":9470,"marks":13720,"data":13721},[],{},{"nodeType":4768,"data":13723,"content":13724},{},[13725,13735],{"nodeType":4798,"data":13726,"content":13727},{},[13728],{"nodeType":1635,"data":13729,"content":13730},{},[13731],{"nodeType":1639,"value":8341,"marks":13732,"data":13734},[13733],{"type":1708},{},{"nodeType":4798,"data":13736,"content":13737},{},[13738],{"nodeType":1635,"data":13739,"content":13740},{},[13741],{"nodeType":1639,"value":9493,"marks":13742,"data":13743},[],{},{"nodeType":4768,"data":13745,"content":13746},{},[13747,13757],{"nodeType":4798,"data":13748,"content":13749},{},[13750],{"nodeType":1635,"data":13751,"content":13752},{},[13753],{"nodeType":1639,"value":8393,"marks":13754,"data":13756},[13755],{"type":1708},{},{"nodeType":4798,"data":13758,"content":13759},{},[13760],{"nodeType":1635,"data":13761,"content":13762},{},[13763],{"nodeType":1639,"value":9516,"marks":13764,"data":13765},[],{},{"nodeType":4768,"data":13767,"content":13768},{},[13769,13779],{"nodeType":4798,"data":13770,"content":13771},{},[13772],{"nodeType":1635,"data":13773,"content":13774},{},[13775],{"nodeType":1639,"value":8616,"marks":13776,"data":13778},[13777],{"type":1708},{},{"nodeType":4798,"data":13780,"content":13781},{},[13782],{"nodeType":1635,"data":13783,"content":13784},{},[13785],{"nodeType":1639,"value":9539,"marks":13786,"data":13787},[],{},{"nodeType":1626,"data":13789,"content":13792},{"target":13790},{"sys":13791},{"id":9546,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":13794,"content":13795},{},[],{"nodeType":1815,"data":13797,"content":13798},{},[13799],{"nodeType":1639,"value":9555,"marks":13800,"data":13802},[13801],{"type":1708},{},{"nodeType":4764,"data":13804,"content":13805},{},[13806,13828,13850,13872],{"nodeType":4768,"data":13807,"content":13808},{},[13809,13819],{"nodeType":4798,"data":13810,"content":13811},{},[13812],{"nodeType":1635,"data":13813,"content":13814},{},[13815],{"nodeType":1639,"value":8234,"marks":13816,"data":13818},[13817],{"type":1708},{},{"nodeType":4798,"data":13820,"content":13821},{},[13822],{"nodeType":1635,"data":13823,"content":13824},{},[13825],{"nodeType":1639,"value":8518,"marks":13826,"data":13827},[],{},{"nodeType":4768,"data":13829,"content":13830},{},[13831,13841],{"nodeType":4798,"data":13832,"content":13833},{},[13834],{"nodeType":1635,"data":13835,"content":13836},{},[13837],{"nodeType":1639,"value":8341,"marks":13838,"data":13840},[13839],{"type":1708},{},{"nodeType":4798,"data":13842,"content":13843},{},[13844],{"nodeType":1635,"data":13845,"content":13846},{},[13847],{"nodeType":1639,"value":9604,"marks":13848,"data":13849},[],{},{"nodeType":4768,"data":13851,"content":13852},{},[13853,13863],{"nodeType":4798,"data":13854,"content":13855},{},[13856],{"nodeType":1635,"data":13857,"content":13858},{},[13859],{"nodeType":1639,"value":8393,"marks":13860,"data":13862},[13861],{"type":1708},{},{"nodeType":4798,"data":13864,"content":13865},{},[13866],{"nodeType":1635,"data":13867,"content":13868},{},[13869],{"nodeType":1639,"value":9627,"marks":13870,"data":13871},[],{},{"nodeType":4768,"data":13873,"content":13874},{},[13875,13885],{"nodeType":4798,"data":13876,"content":13877},{},[13878],{"nodeType":1635,"data":13879,"content":13880},{},[13881],{"nodeType":1639,"value":8616,"marks":13882,"data":13884},[13883],{"type":1708},{},{"nodeType":4798,"data":13886,"content":13887},{},[13888],{"nodeType":1635,"data":13889,"content":13890},{},[13891],{"nodeType":1639,"value":9650,"marks":13892,"data":13893},[],{},{"nodeType":1626,"data":13895,"content":13898},{"target":13896},{"sys":13897},{"id":9657,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":13900,"content":13901},{},[],{"nodeType":1815,"data":13903,"content":13904},{},[13905],{"nodeType":1639,"value":9666,"marks":13906,"data":13908},[13907],{"type":1708},{},{"nodeType":1626,"data":13910,"content":13913},{"target":13911},{"sys":13912},{"id":9674,"type":1631,"linkType":1632},[],{"nodeType":4764,"data":13915,"content":13916},{},[13917,13939,13975,13997,14019],{"nodeType":4768,"data":13918,"content":13919},{},[13920,13930],{"nodeType":4798,"data":13921,"content":13922},{},[13923],{"nodeType":1635,"data":13924,"content":13925},{},[13926],{"nodeType":1639,"value":8234,"marks":13927,"data":13929},[13928],{"type":1708},{},{"nodeType":4798,"data":13931,"content":13932},{},[13933],{"nodeType":1635,"data":13934,"content":13935},{},[13936],{"nodeType":1639,"value":9699,"marks":13937,"data":13938},[],{},{"nodeType":4768,"data":13940,"content":13941},{},[13942,13952],{"nodeType":4798,"data":13943,"content":13944},{},[13945],{"nodeType":1635,"data":13946,"content":13947},{},[13948],{"nodeType":1639,"value":8258,"marks":13949,"data":13951},[13950],{"type":1708},{},{"nodeType":4798,"data":13953,"content":13954},{},[13955,13965],{"nodeType":1635,"data":13956,"content":13957},{},[13958,13962],{"nodeType":1639,"value":8693,"marks":13959,"data":13961},[13960],{"type":1708},{},{"nodeType":1639,"value":9726,"marks":13963,"data":13964},[],{},{"nodeType":1635,"data":13966,"content":13967},{},[13968,13972],{"nodeType":1639,"value":8299,"marks":13969,"data":13971},[13970],{"type":1708},{},{"nodeType":1639,"value":9737,"marks":13973,"data":13974},[],{},{"nodeType":4768,"data":13976,"content":13977},{},[13978,13988],{"nodeType":4798,"data":13979,"content":13980},{},[13981],{"nodeType":1635,"data":13982,"content":13983},{},[13984],{"nodeType":1639,"value":8341,"marks":13985,"data":13987},[13986],{"type":1708},{},{"nodeType":4798,"data":13989,"content":13990},{},[13991],{"nodeType":1635,"data":13992,"content":13993},{},[13994],{"nodeType":1639,"value":9760,"marks":13995,"data":13996},[],{},{"nodeType":4768,"data":13998,"content":13999},{},[14000,14010],{"nodeType":4798,"data":14001,"content":14002},{},[14003],{"nodeType":1635,"data":14004,"content":14005},{},[14006],{"nodeType":1639,"value":8393,"marks":14007,"data":14009},[14008],{"type":1708},{},{"nodeType":4798,"data":14011,"content":14012},{},[14013],{"nodeType":1635,"data":14014,"content":14015},{},[14016],{"nodeType":1639,"value":9783,"marks":14017,"data":14018},[],{},{"nodeType":4768,"data":14020,"content":14021},{},[14022,14032],{"nodeType":4798,"data":14023,"content":14024},{},[14025],{"nodeType":1635,"data":14026,"content":14027},{},[14028],{"nodeType":1639,"value":8616,"marks":14029,"data":14031},[14030],{"type":1708},{},{"nodeType":4798,"data":14033,"content":14034},{},[14035],{"nodeType":1635,"data":14036,"content":14037},{},[14038],{"nodeType":1639,"value":9806,"marks":14039,"data":14040},[],{},{"nodeType":1626,"data":14042,"content":14045},{"target":14043},{"sys":14044},{"id":9813,"type":1631,"linkType":1632},[],{"nodeType":9816,"data":14047,"content":14048},{},[14049],{"nodeType":1635,"data":14050,"content":14051},{},[14052],{"nodeType":1639,"value":9823,"marks":14053,"data":14054},[],{},{"nodeType":1697,"data":14056,"content":14057},{},[],{"nodeType":1701,"data":14059,"content":14060},{},[14061],{"nodeType":1639,"value":9833,"marks":14062,"data":14064},[14063],{"type":1708},{},{"nodeType":1635,"data":14066,"content":14067},{},[14068,14071],{"nodeType":1639,"value":9841,"marks":14069,"data":14070},[],{},{"nodeType":1639,"value":9845,"marks":14072,"data":14074},[14073],{"type":1708},{},{"nodeType":1635,"data":14076,"content":14077},{},[14078],{"nodeType":1639,"value":9853,"marks":14079,"data":14080},[],{},{"nodeType":1626,"data":14082,"content":14085},{"target":14083},{"sys":14084},{"id":9860,"type":1631,"linkType":1632},[],{"nodeType":1626,"data":14087,"content":14090},{"target":14088},{"sys":14089},{"id":9866,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":14092,"content":14093},{},[14094],{"nodeType":1639,"value":9872,"marks":14095,"data":14096},[],{},{"nodeType":1635,"data":14098,"content":14099},{},[14100,14103,14107,14110],{"nodeType":1639,"value":9879,"marks":14101,"data":14102},[],{},{"nodeType":1639,"value":9883,"marks":14104,"data":14106},[14105],{"type":1708},{},{"nodeType":1639,"value":9888,"marks":14108,"data":14109},[],{},{"nodeType":1639,"value":9892,"marks":14111,"data":14113},[14112],{"type":1708},{},{"nodeType":1635,"data":14115,"content":14116},{},[14117,14120,14124],{"nodeType":1639,"value":9900,"marks":14118,"data":14119},[],{},{"nodeType":1639,"value":9904,"marks":14121,"data":14123},[14122],{"type":1708},{},{"nodeType":1639,"value":9909,"marks":14125,"data":14126},[],{},{"nodeType":1626,"data":14128,"content":14131},{"target":14129},{"sys":14130},{"id":9916,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":14133,"content":14134},{},[],{"nodeType":1701,"data":14136,"content":14137},{},[14138],{"nodeType":1639,"value":9925,"marks":14139,"data":14141},[14140],{"type":1708},{},{"nodeType":1815,"data":14143,"content":14144},{},[14145],{"nodeType":1639,"value":9933,"marks":14146,"data":14148},[14147],{"type":1708},{},{"nodeType":1635,"data":14150,"content":14151},{},[14152,14155,14159,14162],{"nodeType":1639,"value":9941,"marks":14153,"data":14154},[],{},{"nodeType":1639,"value":9945,"marks":14156,"data":14158},[14157],{"type":1708},{},{"nodeType":1639,"value":9950,"marks":14160,"data":14161},[],{},{"nodeType":1639,"value":9954,"marks":14163,"data":14165},[14164],{"type":1708},{},{"nodeType":1635,"data":14167,"content":14168},{},[14169,14173,14176,14180],{"nodeType":1639,"value":9962,"marks":14170,"data":14172},[14171],{"type":1708},{},{"nodeType":1639,"value":9967,"marks":14174,"data":14175},[],{},{"nodeType":1639,"value":9971,"marks":14177,"data":14179},[14178],{"type":1708},{},{"nodeType":1639,"value":9976,"marks":14181,"data":14182},[],{},{"nodeType":1626,"data":14184,"content":14187},{"target":14185},{"sys":14186},{"id":9271,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":14189,"content":14190},{},[14191],{"nodeType":1639,"value":9988,"marks":14192,"data":14193},[],{},{"nodeType":1635,"data":14195,"content":14196},{},[14197],{"nodeType":1639,"value":9995,"marks":14198,"data":14199},[],{},{"nodeType":1815,"data":14201,"content":14202},{},[14203],{"nodeType":1639,"value":10002,"marks":14204,"data":14206},[14205],{"type":1708},{},{"nodeType":1635,"data":14208,"content":14209},{},[14210],{"nodeType":1639,"value":10010,"marks":14211,"data":14212},[],{},{"nodeType":1635,"data":14214,"content":14215},{},[14216],{"nodeType":1639,"value":10017,"marks":14217,"data":14218},[],{},{"nodeType":1635,"data":14220,"content":14221},{},[14222],{"nodeType":1639,"value":10024,"marks":14223,"data":14224},[],{},{"nodeType":1815,"data":14226,"content":14227},{},[14228],{"nodeType":1639,"value":10031,"marks":14229,"data":14231},[14230],{"type":1708},{},{"nodeType":1635,"data":14233,"content":14234},{},[14235],{"nodeType":1639,"value":10039,"marks":14236,"data":14237},[],{},{"nodeType":1726,"data":14239,"content":14240},{},[14241,14254,14267],{"nodeType":1730,"data":14242,"content":14243},{},[14244],{"nodeType":1635,"data":14245,"content":14246},{},[14247,14251],{"nodeType":1639,"value":10052,"marks":14248,"data":14250},[14249],{"type":1708},{},{"nodeType":1639,"value":10057,"marks":14252,"data":14253},[],{},{"nodeType":1730,"data":14255,"content":14256},{},[14257],{"nodeType":1635,"data":14258,"content":14259},{},[14260,14264],{"nodeType":1639,"value":7933,"marks":14261,"data":14263},[14262],{"type":1708},{},{"nodeType":1639,"value":10071,"marks":14265,"data":14266},[],{},{"nodeType":1730,"data":14268,"content":14269},{},[14270],{"nodeType":1635,"data":14271,"content":14272},{},[14273,14276,14280],{"nodeType":1639,"value":10081,"marks":14274,"data":14275},[],{},{"nodeType":1639,"value":10085,"marks":14277,"data":14279},[14278],{"type":1708},{},{"nodeType":1639,"value":10090,"marks":14281,"data":14282},[],{},{"nodeType":1626,"data":14284,"content":14287},{"target":14285},{"sys":14286},{"id":10097,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":14289,"content":14290},{},[],{"nodeType":1701,"data":14292,"content":14293},{},[14294],{"nodeType":1639,"value":6425,"marks":14295,"data":14297},[14296],{"type":1708},{},{"nodeType":1635,"data":14299,"content":14300},{},[14301],{"nodeType":1639,"value":10113,"marks":14302,"data":14303},[],{},{"nodeType":1635,"data":14305,"content":14306},{},[14307],{"nodeType":1639,"value":10120,"marks":14308,"data":14309},[],{},{"nodeType":1635,"data":14311,"content":14312},{},[14313,14316,14323,14326,14330,14333,14337,14340,14344,14347],{"nodeType":1639,"value":10127,"marks":14314,"data":14315},[],{},{"nodeType":1644,"data":14317,"content":14318},{"uri":6453},[14319],{"nodeType":1639,"value":10134,"marks":14320,"data":14322},[14321],{"type":1652},{},{"nodeType":1639,"value":10139,"marks":14324,"data":14325},[],{},{"nodeType":1639,"value":10143,"marks":14327,"data":14329},[14328],{"type":1708},{},{"nodeType":1639,"value":10148,"marks":14331,"data":14332},[],{},{"nodeType":1639,"value":10152,"marks":14334,"data":14336},[14335],{"type":1708},{},{"nodeType":1639,"value":10157,"marks":14338,"data":14339},[],{},{"nodeType":1639,"value":10161,"marks":14341,"data":14343},[14342],{"type":1708},{},{"nodeType":1639,"value":10166,"marks":14345,"data":14346},[],{},{"nodeType":1639,"value":10170,"marks":14348,"data":14349},[],{},{"nodeType":1626,"data":14351,"content":14354},{"target":14352},{"sys":14353},{"id":10177,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":14356,"content":14357},{},[14358],{"nodeType":1639,"value":10183,"marks":14359,"data":14360},[],{},{"nodeType":1697,"data":14362,"content":14363},{},[],{"nodeType":1701,"data":14365,"content":14366},{},[14367],{"nodeType":1639,"value":10193,"marks":14368,"data":14370},[14369],{"type":1708},{},{"nodeType":1635,"data":14372,"content":14373},{},[14374],{"nodeType":1639,"value":10201,"marks":14375,"data":14376},[],{},{"nodeType":1635,"data":14378,"content":14379},{},[14380],{"nodeType":1639,"value":10208,"marks":14381,"data":14382},[],{},{"nodeType":1635,"data":14384,"content":14385},{},[14386,14389,14396],{"nodeType":1639,"value":6546,"marks":14387,"data":14388},[],{},{"nodeType":1644,"data":14390,"content":14391},{"uri":6551},[14392],{"nodeType":1639,"value":6554,"marks":14393,"data":14395},[14394],{"type":1652},{},{"nodeType":1639,"value":10225,"marks":14397,"data":14398},[],{},{"nodeType":1626,"data":14400,"content":14403},{"target":14401},{"sys":14402},{"id":10232,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":14405,"content":14406},{},[14407],{"nodeType":1639,"value":10238,"marks":14408,"data":14409},[],{},{"nodeType":1815,"data":14411,"content":14412},{},[14413],{"nodeType":1639,"value":5938,"marks":14414,"data":14416},[14415],{"type":1708},{},{"nodeType":1635,"data":14418,"content":14419},{},[14420],{"nodeType":1639,"value":10252,"marks":14421,"data":14422},[],{},{"nodeType":1635,"data":14424,"content":14425},{},[14426,14429,14436,14439,14446,14449,14456],{"nodeType":1639,"value":2470,"marks":14427,"data":14428},[],{},{"nodeType":1644,"data":14430,"content":14431},{"uri":2475},[14432],{"nodeType":1639,"value":2478,"marks":14433,"data":14435},[14434],{"type":1652},{},{"nodeType":1639,"value":1655,"marks":14437,"data":14438},[],{},{"nodeType":1644,"data":14440,"content":14441},{"uri":2486},[14442],{"nodeType":1639,"value":2489,"marks":14443,"data":14445},[14444],{"type":1652},{},{"nodeType":1639,"value":2493,"marks":14447,"data":14448},[],{},{"nodeType":1644,"data":14450,"content":14451},{"uri":2498},[14452],{"nodeType":1639,"value":2501,"marks":14453,"data":14455},[14454],{"type":1652},{},{"nodeType":1639,"value":2291,"marks":14457,"data":14458},[],{},{"items":14460},[14461,14463],{"sys":14462,"name":3379},{"id":3378},{"sys":14464,"name":3383},{"id":3382},{"items":14466},[14467],{"fullName":7706,"firstName":7707,"jobTitle":7708,"profilePicture":14468},{"url":7710},{"__typename":2613,"sys":14470,"content":14471,"title":11255,"synopsis":11256,"hashTags":61,"publishedDate":11257,"slug":11258,"tagsCollection":15287,"authorsCollection":15293},{"id":10307},{"json":14472},{"nodeType":1622,"data":14473,"content":14474},{},[14475,14481,14487,14493,14496,14503,14509,14515,14520,14526,14531,14547,14553,14563,14566,14573,14579,14592,14598,14608,14613,14616,14623,14630,14635,14643,14659,14667,14673,14681,14696,14704,14710,14718,14744,14752,14758,14766,14782,14787,14795,14801,14809,14842,14845,14852,14860,14876,14884,14890,14898,14924,14929,14937,14943,14948,14951,14958,14966,14972,15023,15028,15031,15038,15046,15052,15057,15060,15067,15073,15079,15139,15145,15200,15206,15209,15216,15222,15228,15233,15236,15243,15249,15255,15261],{"nodeType":1635,"data":14476,"content":14477},{},[14478],{"nodeType":1639,"value":10316,"marks":14479,"data":14480},[],{},{"nodeType":1635,"data":14482,"content":14483},{},[14484],{"nodeType":1639,"value":10323,"marks":14485,"data":14486},[],{},{"nodeType":1635,"data":14488,"content":14489},{},[14490],{"nodeType":1639,"value":10330,"marks":14491,"data":14492},[],{},{"nodeType":1697,"data":14494,"content":14495},{},[],{"nodeType":1701,"data":14497,"content":14498},{},[14499],{"nodeType":1639,"value":10340,"marks":14500,"data":14502},[14501],{"type":1708},{},{"nodeType":1635,"data":14504,"content":14505},{},[14506],{"nodeType":1639,"value":10348,"marks":14507,"data":14508},[],{},{"nodeType":1635,"data":14510,"content":14511},{},[14512],{"nodeType":1639,"value":10355,"marks":14513,"data":14514},[],{},{"nodeType":1626,"data":14516,"content":14519},{"target":14517},{"sys":14518},{"id":10362,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":14521,"content":14522},{},[14523],{"nodeType":1639,"value":10368,"marks":14524,"data":14525},[],{},{"nodeType":1626,"data":14527,"content":14530},{"target":14528},{"sys":14529},{"id":10375,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":14532,"content":14533},{},[14534,14537,14544],{"nodeType":1639,"value":10381,"marks":14535,"data":14536},[],{},{"nodeType":1644,"data":14538,"content":14539},{"uri":3027},[14540],{"nodeType":1639,"value":10388,"marks":14541,"data":14543},[14542],{"type":1652},{},{"nodeType":1639,"value":10393,"marks":14545,"data":14546},[],{},{"nodeType":1635,"data":14548,"content":14549},{},[14550],{"nodeType":1639,"value":10400,"marks":14551,"data":14552},[],{},{"nodeType":1635,"data":14554,"content":14555},{},[14556,14559],{"nodeType":1639,"value":10407,"marks":14557,"data":14558},[],{},{"nodeType":1639,"value":10411,"marks":14560,"data":14562},[14561],{"type":1708},{},{"nodeType":1697,"data":14564,"content":14565},{},[],{"nodeType":1701,"data":14567,"content":14568},{},[14569],{"nodeType":1639,"value":10422,"marks":14570,"data":14572},[14571],{"type":1708},{},{"nodeType":1635,"data":14574,"content":14575},{},[14576],{"nodeType":1639,"value":10430,"marks":14577,"data":14578},[],{},{"nodeType":1635,"data":14580,"content":14581},{},[14582,14585,14589],{"nodeType":1639,"value":10437,"marks":14583,"data":14584},[],{},{"nodeType":1639,"value":10441,"marks":14586,"data":14588},[14587],{"type":1708},{},{"nodeType":1639,"value":10446,"marks":14590,"data":14591},[],{},{"nodeType":1635,"data":14593,"content":14594},{},[14595],{"nodeType":1639,"value":10453,"marks":14596,"data":14597},[],{},{"nodeType":1635,"data":14599,"content":14600},{},[14601,14604],{"nodeType":1639,"value":10460,"marks":14602,"data":14603},[],{},{"nodeType":1639,"value":10464,"marks":14605,"data":14607},[14606],{"type":1708},{},{"nodeType":1626,"data":14609,"content":14612},{"target":14610},{"sys":14611},{"id":10472,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":14614,"content":14615},{},[],{"nodeType":1701,"data":14617,"content":14618},{},[14619],{"nodeType":1639,"value":10481,"marks":14620,"data":14622},[14621],{"type":1708},{},{"nodeType":1815,"data":14624,"content":14625},{},[14626],{"nodeType":1639,"value":10489,"marks":14627,"data":14629},[14628],{"type":1708},{},{"nodeType":1626,"data":14631,"content":14634},{"target":14632},{"sys":14633},{"id":10497,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":14636,"content":14637},{},[14638],{"nodeType":1639,"value":10503,"marks":14639,"data":14642},[14640,14641],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":14644,"content":14645},{},[14646,14649,14656],{"nodeType":1639,"value":10512,"marks":14647,"data":14648},[],{},{"nodeType":1644,"data":14650,"content":14651},{"uri":10517},[14652],{"nodeType":1639,"value":10520,"marks":14653,"data":14655},[14654],{"type":1652},{},{"nodeType":1639,"value":10525,"marks":14657,"data":14658},[],{},{"nodeType":1635,"data":14660,"content":14661},{},[14662],{"nodeType":1639,"value":10532,"marks":14663,"data":14666},[14664,14665],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":14668,"content":14669},{},[14670],{"nodeType":1639,"value":10541,"marks":14671,"data":14672},[],{},{"nodeType":1635,"data":14674,"content":14675},{},[14676],{"nodeType":1639,"value":10548,"marks":14677,"data":14680},[14678,14679],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":14682,"content":14683},{},[14684,14687,14693],{"nodeType":1639,"value":10557,"marks":14685,"data":14686},[],{},{"nodeType":1644,"data":14688,"content":14689},{"uri":10562},[14690],{"nodeType":1639,"value":10565,"marks":14691,"data":14692},[],{},{"nodeType":1639,"value":10569,"marks":14694,"data":14695},[],{},{"nodeType":1635,"data":14697,"content":14698},{},[14699],{"nodeType":1639,"value":10576,"marks":14700,"data":14703},[14701,14702],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":14705,"content":14706},{},[14707],{"nodeType":1639,"value":10585,"marks":14708,"data":14709},[],{},{"nodeType":1635,"data":14711,"content":14712},{},[14713],{"nodeType":1639,"value":10592,"marks":14714,"data":14717},[14715,14716],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":14719,"content":14720},{},[14721,14724,14731,14734,14741],{"nodeType":1639,"value":10601,"marks":14722,"data":14723},[],{},{"nodeType":1644,"data":14725,"content":14726},{"uri":10606},[14727],{"nodeType":1639,"value":10609,"marks":14728,"data":14730},[14729],{"type":1652},{},{"nodeType":1639,"value":10614,"marks":14732,"data":14733},[],{},{"nodeType":1644,"data":14735,"content":14736},{"uri":10619},[14737],{"nodeType":1639,"value":10622,"marks":14738,"data":14740},[14739],{"type":1652},{},{"nodeType":1639,"value":10627,"marks":14742,"data":14743},[],{},{"nodeType":1635,"data":14745,"content":14746},{},[14747],{"nodeType":1639,"value":10634,"marks":14748,"data":14751},[14749,14750],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":14753,"content":14754},{},[14755],{"nodeType":1639,"value":10643,"marks":14756,"data":14757},[],{},{"nodeType":1635,"data":14759,"content":14760},{},[14761],{"nodeType":1639,"value":10650,"marks":14762,"data":14765},[14763,14764],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":14767,"content":14768},{},[14769,14772,14779],{"nodeType":1639,"value":10659,"marks":14770,"data":14771},[],{},{"nodeType":1644,"data":14773,"content":14774},{"uri":10619},[14775],{"nodeType":1639,"value":10622,"marks":14776,"data":14778},[14777],{"type":1652},{},{"nodeType":1639,"value":10670,"marks":14780,"data":14781},[],{},{"nodeType":1626,"data":14783,"content":14786},{"target":14784},{"sys":14785},{"id":10677,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":14788,"content":14789},{},[14790],{"nodeType":1639,"value":10683,"marks":14791,"data":14794},[14792,14793],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":14796,"content":14797},{},[14798],{"nodeType":1639,"value":10692,"marks":14799,"data":14800},[],{},{"nodeType":1635,"data":14802,"content":14803},{},[14804],{"nodeType":1639,"value":10699,"marks":14805,"data":14808},[14806,14807],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":14810,"content":14811},{},[14812,14815,14821,14824,14830,14833,14839],{"nodeType":1639,"value":10708,"marks":14813,"data":14814},[],{},{"nodeType":1644,"data":14816,"content":14817},{"uri":10713},[14818],{"nodeType":1639,"value":10716,"marks":14819,"data":14820},[],{},{"nodeType":1639,"value":5688,"marks":14822,"data":14823},[],{},{"nodeType":1644,"data":14825,"content":14826},{"uri":10724},[14827],{"nodeType":1639,"value":10727,"marks":14828,"data":14829},[],{},{"nodeType":1639,"value":10731,"marks":14831,"data":14832},[],{},{"nodeType":1644,"data":14834,"content":14835},{"uri":10736},[14836],{"nodeType":1639,"value":10739,"marks":14837,"data":14838},[],{},{"nodeType":1639,"value":10743,"marks":14840,"data":14841},[],{},{"nodeType":1697,"data":14843,"content":14844},{},[],{"nodeType":1815,"data":14846,"content":14847},{},[14848],{"nodeType":1639,"value":10753,"marks":14849,"data":14851},[14850],{"type":1708},{},{"nodeType":1635,"data":14853,"content":14854},{},[14855],{"nodeType":1639,"value":10761,"marks":14856,"data":14859},[14857,14858],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":14861,"content":14862},{},[14863,14866,14873],{"nodeType":1639,"value":10770,"marks":14864,"data":14865},[],{},{"nodeType":1644,"data":14867,"content":14868},{"uri":10775},[14869],{"nodeType":1639,"value":10778,"marks":14870,"data":14872},[14871],{"type":1652},{},{"nodeType":1639,"value":10783,"marks":14874,"data":14875},[],{},{"nodeType":1635,"data":14877,"content":14878},{},[14879],{"nodeType":1639,"value":10790,"marks":14880,"data":14883},[14881,14882],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":14885,"content":14886},{},[14887],{"nodeType":1639,"value":10799,"marks":14888,"data":14889},[],{},{"nodeType":1635,"data":14891,"content":14892},{},[14893],{"nodeType":1639,"value":10806,"marks":14894,"data":14897},[14895,14896],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":14899,"content":14900},{},[14901,14904,14911,14914,14921],{"nodeType":1639,"value":10815,"marks":14902,"data":14903},[],{},{"nodeType":1644,"data":14905,"content":14906},{"uri":10820},[14907],{"nodeType":1639,"value":10823,"marks":14908,"data":14910},[14909],{"type":1652},{},{"nodeType":1639,"value":10828,"marks":14912,"data":14913},[],{},{"nodeType":1644,"data":14915,"content":14916},{"uri":10833},[14917],{"nodeType":1639,"value":10836,"marks":14918,"data":14920},[14919],{"type":1652},{},{"nodeType":1639,"value":10841,"marks":14922,"data":14923},[],{},{"nodeType":1626,"data":14925,"content":14928},{"target":14926},{"sys":14927},{"id":10848,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":14930,"content":14931},{},[14932],{"nodeType":1639,"value":10854,"marks":14933,"data":14936},[14934,14935],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":14938,"content":14939},{},[14940],{"nodeType":1639,"value":10863,"marks":14941,"data":14942},[],{},{"nodeType":1626,"data":14944,"content":14947},{"target":14945},{"sys":14946},{"id":10870,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":14949,"content":14950},{},[],{"nodeType":1815,"data":14952,"content":14953},{},[14954],{"nodeType":1639,"value":10879,"marks":14955,"data":14957},[14956],{"type":1708},{},{"nodeType":1635,"data":14959,"content":14960},{},[14961],{"nodeType":1639,"value":10887,"marks":14962,"data":14965},[14963,14964],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":14967,"content":14968},{},[14969],{"nodeType":1639,"value":10896,"marks":14970,"data":14971},[],{},{"nodeType":1726,"data":14973,"content":14974},{},[14975,14988,15001],{"nodeType":1730,"data":14976,"content":14977},{},[14978],{"nodeType":1635,"data":14979,"content":14980},{},[14981,14985],{"nodeType":1639,"value":10909,"marks":14982,"data":14984},[14983],{"type":1708},{},{"nodeType":1639,"value":10914,"marks":14986,"data":14987},[],{},{"nodeType":1730,"data":14989,"content":14990},{},[14991],{"nodeType":1635,"data":14992,"content":14993},{},[14994,14998],{"nodeType":1639,"value":10924,"marks":14995,"data":14997},[14996],{"type":1708},{},{"nodeType":1639,"value":10929,"marks":14999,"data":15000},[],{},{"nodeType":1730,"data":15002,"content":15003},{},[15004],{"nodeType":1635,"data":15005,"content":15006},{},[15007,15011,15014,15020],{"nodeType":1639,"value":10939,"marks":15008,"data":15010},[15009],{"type":1708},{},{"nodeType":1639,"value":10944,"marks":15012,"data":15013},[],{},{"nodeType":1644,"data":15015,"content":15016},{"uri":3040},[15017],{"nodeType":1639,"value":10951,"marks":15018,"data":15019},[],{},{"nodeType":1639,"value":10955,"marks":15021,"data":15022},[],{},{"nodeType":1626,"data":15024,"content":15027},{"target":15025},{"sys":15026},{"id":10962,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":15029,"content":15030},{},[],{"nodeType":1815,"data":15032,"content":15033},{},[15034],{"nodeType":1639,"value":5308,"marks":15035,"data":15037},[15036],{"type":1708},{},{"nodeType":1635,"data":15039,"content":15040},{},[15041],{"nodeType":1639,"value":10978,"marks":15042,"data":15045},[15043,15044],{"type":1708},{"type":1652},{},{"nodeType":1635,"data":15047,"content":15048},{},[15049],{"nodeType":1639,"value":10987,"marks":15050,"data":15051},[],{},{"nodeType":1626,"data":15053,"content":15056},{"target":15054},{"sys":15055},{"id":10994,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":15058,"content":15059},{},[],{"nodeType":1701,"data":15061,"content":15062},{},[15063],{"nodeType":1639,"value":11003,"marks":15064,"data":15066},[15065],{"type":1708},{},{"nodeType":1635,"data":15068,"content":15069},{},[15070],{"nodeType":1639,"value":11011,"marks":15071,"data":15072},[],{},{"nodeType":1635,"data":15074,"content":15075},{},[15076],{"nodeType":1639,"value":11018,"marks":15077,"data":15078},[],{},{"nodeType":1726,"data":15080,"content":15081},{},[15082,15101,15120],{"nodeType":1730,"data":15083,"content":15084},{},[15085],{"nodeType":1635,"data":15086,"content":15087},{},[15088,15091,15098],{"nodeType":1639,"value":11031,"marks":15089,"data":15090},[],{},{"nodeType":1644,"data":15092,"content":15093},{"uri":11036},[15094],{"nodeType":1639,"value":7933,"marks":15095,"data":15097},[15096],{"type":1652},{},{"nodeType":1639,"value":11043,"marks":15099,"data":15100},[],{},{"nodeType":1730,"data":15102,"content":15103},{},[15104],{"nodeType":1635,"data":15105,"content":15106},{},[15107,15110,15117],{"nodeType":1639,"value":11053,"marks":15108,"data":15109},[],{},{"nodeType":1644,"data":15111,"content":15112},{"uri":11058},[15113],{"nodeType":1639,"value":11061,"marks":15114,"data":15116},[15115],{"type":1652},{},{"nodeType":1639,"value":11043,"marks":15118,"data":15119},[],{},{"nodeType":1730,"data":15121,"content":15122},{},[15123],{"nodeType":1635,"data":15124,"content":15125},{},[15126,15129,15136],{"nodeType":1639,"value":11075,"marks":15127,"data":15128},[],{},{"nodeType":1644,"data":15130,"content":15131},{"uri":11080},[15132],{"nodeType":1639,"value":11083,"marks":15133,"data":15135},[15134],{"type":1652},{},{"nodeType":1639,"value":11043,"marks":15137,"data":15138},[],{},{"nodeType":1635,"data":15140,"content":15141},{},[15142],{"nodeType":1639,"value":11094,"marks":15143,"data":15144},[],{},{"nodeType":1726,"data":15146,"content":15147},{},[15148,15161,15174,15187],{"nodeType":1730,"data":15149,"content":15150},{},[15151],{"nodeType":1635,"data":15152,"content":15153},{},[15154,15158],{"nodeType":1639,"value":11107,"marks":15155,"data":15157},[15156],{"type":1708},{},{"nodeType":1639,"value":11112,"marks":15159,"data":15160},[],{},{"nodeType":1730,"data":15162,"content":15163},{},[15164],{"nodeType":1635,"data":15165,"content":15166},{},[15167,15171],{"nodeType":1639,"value":11122,"marks":15168,"data":15170},[15169],{"type":1708},{},{"nodeType":1639,"value":11127,"marks":15172,"data":15173},[],{},{"nodeType":1730,"data":15175,"content":15176},{},[15177],{"nodeType":1635,"data":15178,"content":15179},{},[15180,15184],{"nodeType":1639,"value":11137,"marks":15181,"data":15183},[15182],{"type":1708},{},{"nodeType":1639,"value":11142,"marks":15185,"data":15186},[],{},{"nodeType":1730,"data":15188,"content":15189},{},[15190],{"nodeType":1635,"data":15191,"content":15192},{},[15193,15197],{"nodeType":1639,"value":11152,"marks":15194,"data":15196},[15195],{"type":1708},{},{"nodeType":1639,"value":11157,"marks":15198,"data":15199},[],{},{"nodeType":1635,"data":15201,"content":15202},{},[15203],{"nodeType":1639,"value":11164,"marks":15204,"data":15205},[],{},{"nodeType":1697,"data":15207,"content":15208},{},[],{"nodeType":1701,"data":15210,"content":15211},{},[15212],{"nodeType":1639,"value":11174,"marks":15213,"data":15215},[15214],{"type":1708},{},{"nodeType":1635,"data":15217,"content":15218},{},[15219],{"nodeType":1639,"value":11182,"marks":15220,"data":15221},[],{},{"nodeType":1635,"data":15223,"content":15224},{},[15225],{"nodeType":1639,"value":11189,"marks":15226,"data":15227},[],{},{"nodeType":1626,"data":15229,"content":15232},{"target":15230},{"sys":15231},{"id":11196,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":15234,"content":15235},{},[],{"nodeType":1701,"data":15237,"content":15238},{},[15239],{"nodeType":1639,"value":3236,"marks":15240,"data":15242},[15241],{"type":1708},{},{"nodeType":1635,"data":15244,"content":15245},{},[15246],{"nodeType":1639,"value":11212,"marks":15247,"data":15248},[],{},{"nodeType":1635,"data":15250,"content":15251},{},[15252],{"nodeType":1639,"value":11219,"marks":15253,"data":15254},[],{},{"nodeType":1635,"data":15256,"content":15257},{},[15258],{"nodeType":1639,"value":11226,"marks":15259,"data":15260},[],{},{"nodeType":1635,"data":15262,"content":15263},{},[15264,15267,15274,15277,15284],{"nodeType":1639,"value":2470,"marks":15265,"data":15266},[],{},{"nodeType":1644,"data":15268,"content":15269},{"uri":2475},[15270],{"nodeType":1639,"value":2478,"marks":15271,"data":15273},[15272],{"type":1652},{},{"nodeType":1639,"value":5548,"marks":15275,"data":15276},[],{},{"nodeType":1644,"data":15278,"content":15279},{"uri":2498},[15280],{"nodeType":1639,"value":2501,"marks":15281,"data":15283},[15282],{"type":1652},{},{"nodeType":1639,"value":2291,"marks":15285,"data":15286},[],{},{"items":15288},[15289,15291],{"sys":15290,"name":3379},{"id":3378},{"sys":15292,"name":3383},{"id":3382},{"items":15294},[15295],{"fullName":1615,"firstName":1616,"jobTitle":1617,"profilePicture":15296},{"url":1619},{"__typename":2613,"sys":15298,"content":15299,"title":6009,"synopsis":6010,"hashTags":61,"publishedDate":6011,"slug":6012,"tagsCollection":16461,"authorsCollection":16467},{"id":4642},{"json":15300},{"nodeType":1622,"data":15301,"content":15302},{},[15303,15309,15330,15336,15341,15347,15353,15359,15364,15367,15374,15380,15385,15390,15403,15584,15594,15601,15607,15613,15619,15635,15640,15646,15649,15656,15662,15691,15697,15710,15727,15755,15760,15766,15781,15787,15793,15796,15803,15809,15892,15898,15904,15911,15917,15923,15929,15934,15941,15947,15953,15959,15964,15970,15977,15992,15999,16005,16010,16013,16020,16026,16032,16126,16132,16139,16145,16151,16157,16163,16170,16176,16182,16202,16207,16220,16233,16246,16251,16258,16264,16271,16277,16280,16287,16293,16320,16325,16345,16351,16354,16361,16367,16380,16385,16391,16397,16400,16407,16422,16428],{"nodeType":1635,"data":15304,"content":15305},{},[15306],{"nodeType":1639,"value":4651,"marks":15307,"data":15308},[],{},{"nodeType":1726,"data":15310,"content":15311},{},[15312,15321],{"nodeType":1730,"data":15313,"content":15314},{},[15315],{"nodeType":1635,"data":15316,"content":15317},{},[15318],{"nodeType":1639,"value":4664,"marks":15319,"data":15320},[],{},{"nodeType":1730,"data":15322,"content":15323},{},[15324],{"nodeType":1635,"data":15325,"content":15326},{},[15327],{"nodeType":1639,"value":4674,"marks":15328,"data":15329},[],{},{"nodeType":1635,"data":15331,"content":15332},{},[15333],{"nodeType":1639,"value":4681,"marks":15334,"data":15335},[],{},{"nodeType":1626,"data":15337,"content":15340},{"target":15338},{"sys":15339},{"id":4688,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":15342,"content":15343},{},[15344],{"nodeType":1639,"value":4694,"marks":15345,"data":15346},[],{},{"nodeType":1635,"data":15348,"content":15349},{},[15350],{"nodeType":1639,"value":4701,"marks":15351,"data":15352},[],{},{"nodeType":1635,"data":15354,"content":15355},{},[15356],{"nodeType":1639,"value":4708,"marks":15357,"data":15358},[],{},{"nodeType":1626,"data":15360,"content":15363},{"target":15361},{"sys":15362},{"id":4715,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":15365,"content":15366},{},[],{"nodeType":1701,"data":15368,"content":15369},{},[15370],{"nodeType":1639,"value":4724,"marks":15371,"data":15373},[15372],{"type":1708},{},{"nodeType":1635,"data":15375,"content":15376},{},[15377],{"nodeType":1639,"value":4732,"marks":15378,"data":15379},[],{},{"nodeType":1626,"data":15381,"content":15384},{"target":15382},{"sys":15383},{"id":4739,"type":1631,"linkType":1632},[],{"nodeType":1626,"data":15386,"content":15389},{"target":15387},{"sys":15388},{"id":4745,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":15391,"content":15392},{},[15393,15396,15400],{"nodeType":1639,"value":4751,"marks":15394,"data":15395},[],{},{"nodeType":1639,"value":4755,"marks":15397,"data":15399},[15398],{"type":273},{},{"nodeType":1639,"value":4760,"marks":15401,"data":15402},[],{},{"nodeType":4764,"data":15404,"content":15405},{},[15406,15429,15464,15485,15515,15545],{"nodeType":4768,"data":15407,"content":15408},{},[15409,15419],{"nodeType":4772,"data":15410,"content":15411},{},[15412],{"nodeType":1635,"data":15413,"content":15414},{},[15415],{"nodeType":1639,"value":4779,"marks":15416,"data":15418},[15417],{"type":1708},{},{"nodeType":4772,"data":15420,"content":15421},{},[15422],{"nodeType":1635,"data":15423,"content":15424},{},[15425],{"nodeType":1639,"value":4790,"marks":15426,"data":15428},[15427],{"type":1708},{},{"nodeType":4768,"data":15430,"content":15431},{},[15432,15452],{"nodeType":4798,"data":15433,"content":15434},{},[15435],{"nodeType":1635,"data":15436,"content":15437},{},[15438,15441,15449],{"nodeType":1639,"value":4805,"marks":15439,"data":15440},[],{},{"nodeType":4809,"data":15442,"content":15445},{"target":15443},{"sys":15444},{"id":4813,"type":1631,"linkType":1632},[15446],{"nodeType":1639,"value":4816,"marks":15447,"data":15448},[],{},{"nodeType":1639,"value":4820,"marks":15450,"data":15451},[],{},{"nodeType":4798,"data":15453,"content":15454},{},[15455],{"nodeType":1635,"data":15456,"content":15457},{},[15458,15461],{"nodeType":1639,"value":4830,"marks":15459,"data":15460},[],{},{"nodeType":1639,"value":4834,"marks":15462,"data":15463},[],{},{"nodeType":4768,"data":15465,"content":15466},{},[15467,15476],{"nodeType":4798,"data":15468,"content":15469},{},[15470],{"nodeType":1635,"data":15471,"content":15472},{},[15473],{"nodeType":1639,"value":4847,"marks":15474,"data":15475},[],{},{"nodeType":4798,"data":15477,"content":15478},{},[15479],{"nodeType":1635,"data":15480,"content":15481},{},[15482],{"nodeType":1639,"value":4857,"marks":15483,"data":15484},[],{},{"nodeType":4768,"data":15486,"content":15487},{},[15488,15506],{"nodeType":4798,"data":15489,"content":15490},{},[15491],{"nodeType":1635,"data":15492,"content":15493},{},[15494,15497,15503],{"nodeType":1639,"value":4870,"marks":15495,"data":15496},[],{},{"nodeType":1644,"data":15498,"content":15499},{"uri":4875},[15500],{"nodeType":1639,"value":4878,"marks":15501,"data":15502},[],{},{"nodeType":1639,"value":4882,"marks":15504,"data":15505},[],{},{"nodeType":4798,"data":15507,"content":15508},{},[15509],{"nodeType":1635,"data":15510,"content":15511},{},[15512],{"nodeType":1639,"value":4892,"marks":15513,"data":15514},[],{},{"nodeType":4768,"data":15516,"content":15517},{},[15518,15527],{"nodeType":4798,"data":15519,"content":15520},{},[15521],{"nodeType":1635,"data":15522,"content":15523},{},[15524],{"nodeType":1639,"value":4905,"marks":15525,"data":15526},[],{},{"nodeType":4798,"data":15528,"content":15529},{},[15530],{"nodeType":1635,"data":15531,"content":15532},{},[15533,15536,15542],{"nodeType":1639,"value":4915,"marks":15534,"data":15535},[],{},{"nodeType":1644,"data":15537,"content":15538},{"uri":4920},[15539],{"nodeType":1639,"value":4923,"marks":15540,"data":15541},[],{},{"nodeType":1639,"value":2291,"marks":15543,"data":15544},[],{},{"nodeType":4768,"data":15546,"content":15547},{},[15548,15557],{"nodeType":4798,"data":15549,"content":15550},{},[15551],{"nodeType":1635,"data":15552,"content":15553},{},[15554],{"nodeType":1639,"value":4939,"marks":15555,"data":15556},[],{},{"nodeType":4798,"data":15558,"content":15559},{},[15560],{"nodeType":1635,"data":15561,"content":15562},{},[15563,15566,15572,15575,15581],{"nodeType":1639,"value":29,"marks":15564,"data":15565},[],{},{"nodeType":1644,"data":15567,"content":15568},{"uri":4953},[15569],{"nodeType":1639,"value":4956,"marks":15570,"data":15571},[],{},{"nodeType":1639,"value":4960,"marks":15573,"data":15574},[],{},{"nodeType":1644,"data":15576,"content":15577},{"uri":4965},[15578],{"nodeType":1639,"value":4968,"marks":15579,"data":15580},[],{},{"nodeType":1639,"value":4972,"marks":15582,"data":15583},[],{},{"nodeType":1635,"data":15585,"content":15586},{},[15587,15590],{"nodeType":1639,"value":4979,"marks":15588,"data":15589},[],{},{"nodeType":1639,"value":4983,"marks":15591,"data":15593},[15592],{"type":1708},{},{"nodeType":1815,"data":15595,"content":15596},{},[15597],{"nodeType":1639,"value":4991,"marks":15598,"data":15600},[15599],{"type":1708},{},{"nodeType":1635,"data":15602,"content":15603},{},[15604],{"nodeType":1639,"value":4999,"marks":15605,"data":15606},[],{},{"nodeType":1635,"data":15608,"content":15609},{},[15610],{"nodeType":1639,"value":5006,"marks":15611,"data":15612},[],{},{"nodeType":1635,"data":15614,"content":15615},{},[15616],{"nodeType":1639,"value":5013,"marks":15617,"data":15618},[],{},{"nodeType":1635,"data":15620,"content":15621},{},[15622,15625,15628,15632],{"nodeType":1639,"value":5020,"marks":15623,"data":15624},[],{},{"nodeType":1639,"value":5024,"marks":15626,"data":15627},[],{},{"nodeType":1639,"value":5028,"marks":15629,"data":15631},[15630],{"type":1708},{},{"nodeType":1639,"value":5033,"marks":15633,"data":15634},[],{},{"nodeType":1626,"data":15636,"content":15639},{"target":15637},{"sys":15638},{"id":5040,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":15641,"content":15642},{},[15643],{"nodeType":1639,"value":5046,"marks":15644,"data":15645},[],{},{"nodeType":1697,"data":15647,"content":15648},{},[],{"nodeType":1701,"data":15650,"content":15651},{},[15652],{"nodeType":1639,"value":5056,"marks":15653,"data":15655},[15654],{"type":1708},{},{"nodeType":1635,"data":15657,"content":15658},{},[15659],{"nodeType":1639,"value":5064,"marks":15660,"data":15661},[],{},{"nodeType":1726,"data":15663,"content":15664},{},[15665,15678],{"nodeType":1730,"data":15666,"content":15667},{},[15668],{"nodeType":1635,"data":15669,"content":15670},{},[15671,15675],{"nodeType":1639,"value":5077,"marks":15672,"data":15674},[15673],{"type":1708},{},{"nodeType":1639,"value":5082,"marks":15676,"data":15677},[],{},{"nodeType":1730,"data":15679,"content":15680},{},[15681],{"nodeType":1635,"data":15682,"content":15683},{},[15684,15688],{"nodeType":1639,"value":5092,"marks":15685,"data":15687},[15686],{"type":1708},{},{"nodeType":1639,"value":5097,"marks":15689,"data":15690},[],{},{"nodeType":1815,"data":15692,"content":15693},{},[15694],{"nodeType":1639,"value":5104,"marks":15695,"data":15696},[],{},{"nodeType":1635,"data":15698,"content":15699},{},[15700,15703,15707],{"nodeType":1639,"value":5111,"marks":15701,"data":15702},[],{},{"nodeType":1639,"value":5115,"marks":15704,"data":15706},[15705],{"type":273},{},{"nodeType":1639,"value":5120,"marks":15708,"data":15709},[],{},{"nodeType":1635,"data":15711,"content":15712},{},[15713,15716,15724],{"nodeType":1639,"value":5127,"marks":15714,"data":15715},[],{},{"nodeType":4809,"data":15717,"content":15720},{"target":15718},{"sys":15719},{"id":5134,"type":1631,"linkType":1632},[15721],{"nodeType":1639,"value":5137,"marks":15722,"data":15723},[],{},{"nodeType":1639,"value":5141,"marks":15725,"data":15726},[],{},{"nodeType":1635,"data":15728,"content":15729},{},[15730,15733,15741,15744,15752],{"nodeType":1639,"value":5148,"marks":15731,"data":15732},[],{},{"nodeType":4809,"data":15734,"content":15737},{"target":15735},{"sys":15736},{"id":5155,"type":1631,"linkType":1632},[15738],{"nodeType":1639,"value":5158,"marks":15739,"data":15740},[],{},{"nodeType":1639,"value":5162,"marks":15742,"data":15743},[],{},{"nodeType":4809,"data":15745,"content":15748},{"target":15746},{"sys":15747},{"id":5169,"type":1631,"linkType":1632},[15749],{"nodeType":1639,"value":5172,"marks":15750,"data":15751},[],{},{"nodeType":1639,"value":5176,"marks":15753,"data":15754},[],{},{"nodeType":1626,"data":15756,"content":15759},{"target":15757},{"sys":15758},{"id":5183,"type":1631,"linkType":1632},[],{"nodeType":1815,"data":15761,"content":15762},{},[15763],{"nodeType":1639,"value":5189,"marks":15764,"data":15765},[],{},{"nodeType":1635,"data":15767,"content":15768},{},[15769,15772,15778],{"nodeType":1639,"value":5196,"marks":15770,"data":15771},[],{},{"nodeType":1644,"data":15773,"content":15774},{"uri":5201},[15775],{"nodeType":1639,"value":5204,"marks":15776,"data":15777},[],{},{"nodeType":1639,"value":5208,"marks":15779,"data":15780},[],{},{"nodeType":1635,"data":15782,"content":15783},{},[15784],{"nodeType":1639,"value":5215,"marks":15785,"data":15786},[],{},{"nodeType":1635,"data":15788,"content":15789},{},[15790],{"nodeType":1639,"value":5222,"marks":15791,"data":15792},[],{},{"nodeType":1697,"data":15794,"content":15795},{},[],{"nodeType":1701,"data":15797,"content":15798},{},[15799],{"nodeType":1639,"value":5232,"marks":15800,"data":15802},[15801],{"type":1708},{},{"nodeType":1635,"data":15804,"content":15805},{},[15806],{"nodeType":1639,"value":5240,"marks":15807,"data":15808},[],{},{"nodeType":1726,"data":15810,"content":15811},{},[15812,15832,15852,15872],{"nodeType":1730,"data":15813,"content":15814},{},[15815],{"nodeType":1635,"data":15816,"content":15817},{},[15818,15821,15829],{"nodeType":1639,"value":29,"marks":15819,"data":15820},[],{},{"nodeType":4809,"data":15822,"content":15825},{"target":15823},{"sys":15824},{"id":5259,"type":1631,"linkType":1632},[15826],{"nodeType":1639,"value":5262,"marks":15827,"data":15828},[],{},{"nodeType":1639,"value":5266,"marks":15830,"data":15831},[],{},{"nodeType":1730,"data":15833,"content":15834},{},[15835],{"nodeType":1635,"data":15836,"content":15837},{},[15838,15841,15849],{"nodeType":1639,"value":29,"marks":15839,"data":15840},[],{},{"nodeType":4809,"data":15842,"content":15845},{"target":15843},{"sys":15844},{"id":5282,"type":1631,"linkType":1632},[15846],{"nodeType":1639,"value":5285,"marks":15847,"data":15848},[],{},{"nodeType":1639,"value":5289,"marks":15850,"data":15851},[],{},{"nodeType":1730,"data":15853,"content":15854},{},[15855],{"nodeType":1635,"data":15856,"content":15857},{},[15858,15861,15869],{"nodeType":1639,"value":29,"marks":15859,"data":15860},[],{},{"nodeType":4809,"data":15862,"content":15865},{"target":15863},{"sys":15864},{"id":5305,"type":1631,"linkType":1632},[15866],{"nodeType":1639,"value":5308,"marks":15867,"data":15868},[],{},{"nodeType":1639,"value":29,"marks":15870,"data":15871},[],{},{"nodeType":1730,"data":15873,"content":15874},{},[15875],{"nodeType":1635,"data":15876,"content":15877},{},[15878,15881,15889],{"nodeType":1639,"value":29,"marks":15879,"data":15880},[],{},{"nodeType":4809,"data":15882,"content":15885},{"target":15883},{"sys":15884},{"id":5327,"type":1631,"linkType":1632},[15886],{"nodeType":1639,"value":5330,"marks":15887,"data":15888},[],{},{"nodeType":1639,"value":5334,"marks":15890,"data":15891},[],{},{"nodeType":1635,"data":15893,"content":15894},{},[15895],{"nodeType":1639,"value":5341,"marks":15896,"data":15897},[],{},{"nodeType":1635,"data":15899,"content":15900},{},[15901],{"nodeType":1639,"value":5348,"marks":15902,"data":15903},[],{},{"nodeType":1815,"data":15905,"content":15906},{},[15907],{"nodeType":1639,"value":5355,"marks":15908,"data":15910},[15909],{"type":1708},{},{"nodeType":1635,"data":15912,"content":15913},{},[15914],{"nodeType":1639,"value":5363,"marks":15915,"data":15916},[],{},{"nodeType":1635,"data":15918,"content":15919},{},[15920],{"nodeType":1639,"value":5370,"marks":15921,"data":15922},[],{},{"nodeType":1635,"data":15924,"content":15925},{},[15926],{"nodeType":1639,"value":5377,"marks":15927,"data":15928},[],{},{"nodeType":1626,"data":15930,"content":15933},{"target":15931},{"sys":15932},{"id":5384,"type":1631,"linkType":1632},[],{"nodeType":1815,"data":15935,"content":15936},{},[15937],{"nodeType":1639,"value":5390,"marks":15938,"data":15940},[15939],{"type":1708},{},{"nodeType":1635,"data":15942,"content":15943},{},[15944],{"nodeType":1639,"value":5398,"marks":15945,"data":15946},[],{},{"nodeType":1635,"data":15948,"content":15949},{},[15950],{"nodeType":1639,"value":5405,"marks":15951,"data":15952},[],{},{"nodeType":1635,"data":15954,"content":15955},{},[15956],{"nodeType":1639,"value":5412,"marks":15957,"data":15958},[],{},{"nodeType":1626,"data":15960,"content":15963},{"target":15961},{"sys":15962},{"id":5419,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":15965,"content":15966},{},[15967],{"nodeType":1639,"value":5425,"marks":15968,"data":15969},[],{},{"nodeType":1815,"data":15971,"content":15972},{},[15973],{"nodeType":1639,"value":5432,"marks":15974,"data":15976},[15975],{"type":1708},{},{"nodeType":1635,"data":15978,"content":15979},{},[15980,15983,15989],{"nodeType":1639,"value":5440,"marks":15981,"data":15982},[],{},{"nodeType":1644,"data":15984,"content":15985},{"uri":5445},[15986],{"nodeType":1639,"value":5448,"marks":15987,"data":15988},[],{},{"nodeType":1639,"value":5452,"marks":15990,"data":15991},[],{},{"nodeType":1815,"data":15993,"content":15994},{},[15995],{"nodeType":1639,"value":5459,"marks":15996,"data":15998},[15997],{"type":1708},{},{"nodeType":1635,"data":16000,"content":16001},{},[16002],{"nodeType":1639,"value":5467,"marks":16003,"data":16004},[],{},{"nodeType":1626,"data":16006,"content":16009},{"target":16007},{"sys":16008},{"id":5474,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":16011,"content":16012},{},[],{"nodeType":1701,"data":16014,"content":16015},{},[16016],{"nodeType":1639,"value":5483,"marks":16017,"data":16019},[16018],{"type":1708},{},{"nodeType":1635,"data":16021,"content":16022},{},[16023],{"nodeType":1639,"value":5491,"marks":16024,"data":16025},[],{},{"nodeType":1635,"data":16027,"content":16028},{},[16029],{"nodeType":1639,"value":5498,"marks":16030,"data":16031},[],{},{"nodeType":1726,"data":16033,"content":16034},{},[16035,16055,16086,16106],{"nodeType":1730,"data":16036,"content":16037},{},[16038],{"nodeType":1635,"data":16039,"content":16040},{},[16041,16044,16052],{"nodeType":1639,"value":29,"marks":16042,"data":16043},[],{},{"nodeType":4809,"data":16045,"content":16048},{"target":16046},{"sys":16047},{"id":5517,"type":1631,"linkType":1632},[16049],{"nodeType":1639,"value":5520,"marks":16050,"data":16051},[],{},{"nodeType":1639,"value":5524,"marks":16053,"data":16054},[],{},{"nodeType":1730,"data":16056,"content":16057},{},[16058],{"nodeType":1635,"data":16059,"content":16060},{},[16061,16064,16072,16075,16083],{"nodeType":1639,"value":5534,"marks":16062,"data":16063},[],{},{"nodeType":4809,"data":16065,"content":16068},{"target":16066},{"sys":16067},{"id":5541,"type":1631,"linkType":1632},[16069],{"nodeType":1639,"value":5544,"marks":16070,"data":16071},[],{},{"nodeType":1639,"value":5548,"marks":16073,"data":16074},[],{},{"nodeType":4809,"data":16076,"content":16079},{"target":16077},{"sys":16078},{"id":5555,"type":1631,"linkType":1632},[16080],{"nodeType":1639,"value":5558,"marks":16081,"data":16082},[],{},{"nodeType":1639,"value":5562,"marks":16084,"data":16085},[],{},{"nodeType":1730,"data":16087,"content":16088},{},[16089],{"nodeType":1635,"data":16090,"content":16091},{},[16092,16095,16103],{"nodeType":1639,"value":5572,"marks":16093,"data":16094},[],{},{"nodeType":4809,"data":16096,"content":16099},{"target":16097},{"sys":16098},{"id":5579,"type":1631,"linkType":1632},[16100],{"nodeType":1639,"value":5582,"marks":16101,"data":16102},[],{},{"nodeType":1639,"value":5586,"marks":16104,"data":16105},[],{},{"nodeType":1730,"data":16107,"content":16108},{},[16109],{"nodeType":1635,"data":16110,"content":16111},{},[16112,16115,16123],{"nodeType":1639,"value":29,"marks":16113,"data":16114},[],{},{"nodeType":4809,"data":16116,"content":16119},{"target":16117},{"sys":16118},{"id":5602,"type":1631,"linkType":1632},[16120],{"nodeType":1639,"value":5605,"marks":16121,"data":16122},[],{},{"nodeType":1639,"value":5609,"marks":16124,"data":16125},[],{},{"nodeType":1635,"data":16127,"content":16128},{},[16129],{"nodeType":1639,"value":5348,"marks":16130,"data":16131},[],{},{"nodeType":1815,"data":16133,"content":16134},{},[16135],{"nodeType":1639,"value":5355,"marks":16136,"data":16138},[16137],{"type":1708},{},{"nodeType":1635,"data":16140,"content":16141},{},[16142],{"nodeType":1639,"value":5629,"marks":16143,"data":16144},[],{},{"nodeType":1635,"data":16146,"content":16147},{},[16148],{"nodeType":1639,"value":5636,"marks":16149,"data":16150},[],{},{"nodeType":1635,"data":16152,"content":16153},{},[16154],{"nodeType":1639,"value":5643,"marks":16155,"data":16156},[],{},{"nodeType":1635,"data":16158,"content":16159},{},[16160],{"nodeType":1639,"value":5650,"marks":16161,"data":16162},[],{},{"nodeType":1815,"data":16164,"content":16165},{},[16166],{"nodeType":1639,"value":5657,"marks":16167,"data":16169},[16168],{"type":1708},{},{"nodeType":1635,"data":16171,"content":16172},{},[16173],{"nodeType":1639,"value":5665,"marks":16174,"data":16175},[],{},{"nodeType":1635,"data":16177,"content":16178},{},[16179],{"nodeType":1639,"value":5672,"marks":16180,"data":16181},[],{},{"nodeType":1635,"data":16183,"content":16184},{},[16185,16188,16192,16195,16199],{"nodeType":1639,"value":5679,"marks":16186,"data":16187},[],{},{"nodeType":1639,"value":5683,"marks":16189,"data":16191},[16190],{"type":1708},{},{"nodeType":1639,"value":5688,"marks":16193,"data":16194},[],{},{"nodeType":1639,"value":5692,"marks":16196,"data":16198},[16197],{"type":1708},{},{"nodeType":1639,"value":5697,"marks":16200,"data":16201},[],{},{"nodeType":1626,"data":16203,"content":16206},{"target":16204},{"sys":16205},{"id":5704,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":16208,"content":16209},{},[16210,16213,16217],{"nodeType":1639,"value":5710,"marks":16211,"data":16212},[],{},{"nodeType":1639,"value":5714,"marks":16214,"data":16216},[16215],{"type":1708},{},{"nodeType":1639,"value":5719,"marks":16218,"data":16219},[],{},{"nodeType":1635,"data":16221,"content":16222},{},[16223,16226,16230],{"nodeType":1639,"value":5710,"marks":16224,"data":16225},[],{},{"nodeType":1639,"value":5729,"marks":16227,"data":16229},[16228],{"type":1708},{},{"nodeType":1639,"value":5734,"marks":16231,"data":16232},[],{},{"nodeType":1635,"data":16234,"content":16235},{},[16236,16239,16243],{"nodeType":1639,"value":5741,"marks":16237,"data":16238},[],{},{"nodeType":1639,"value":5745,"marks":16240,"data":16242},[16241],{"type":1708},{},{"nodeType":1639,"value":5750,"marks":16244,"data":16245},[],{},{"nodeType":1626,"data":16247,"content":16250},{"target":16248},{"sys":16249},{"id":5757,"type":1631,"linkType":1632},[],{"nodeType":1815,"data":16252,"content":16253},{},[16254],{"nodeType":1639,"value":5763,"marks":16255,"data":16257},[16256],{"type":1708},{},{"nodeType":1635,"data":16259,"content":16260},{},[16261],{"nodeType":1639,"value":5771,"marks":16262,"data":16263},[],{},{"nodeType":1815,"data":16265,"content":16266},{},[16267],{"nodeType":1639,"value":5778,"marks":16268,"data":16270},[16269],{"type":1708},{},{"nodeType":1635,"data":16272,"content":16273},{},[16274],{"nodeType":1639,"value":5786,"marks":16275,"data":16276},[],{},{"nodeType":1697,"data":16278,"content":16279},{},[],{"nodeType":1701,"data":16281,"content":16282},{},[16283],{"nodeType":1639,"value":5796,"marks":16284,"data":16286},[16285],{"type":1708},{},{"nodeType":1635,"data":16288,"content":16289},{},[16290],{"nodeType":1639,"value":5804,"marks":16291,"data":16292},[],{},{"nodeType":1635,"data":16294,"content":16295},{},[16296,16299,16303,16306,16310,16313,16317],{"nodeType":1639,"value":5811,"marks":16297,"data":16298},[],{},{"nodeType":1639,"value":5815,"marks":16300,"data":16302},[16301],{"type":1708},{},{"nodeType":1639,"value":5820,"marks":16304,"data":16305},[],{},{"nodeType":1639,"value":5692,"marks":16307,"data":16309},[16308],{"type":1708},{},{"nodeType":1639,"value":5828,"marks":16311,"data":16312},[],{},{"nodeType":1639,"value":5832,"marks":16314,"data":16316},[16315],{"type":1708},{},{"nodeType":1639,"value":5837,"marks":16318,"data":16319},[],{},{"nodeType":1626,"data":16321,"content":16324},{"target":16322},{"sys":16323},{"id":5844,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":16326,"content":16327},{},[16328,16331,16335,16338,16342],{"nodeType":1639,"value":5850,"marks":16329,"data":16330},[],{},{"nodeType":1639,"value":5854,"marks":16332,"data":16334},[16333],{"type":1708},{},{"nodeType":1639,"value":5548,"marks":16336,"data":16337},[],{},{"nodeType":1639,"value":5862,"marks":16339,"data":16341},[16340],{"type":1708},{},{"nodeType":1639,"value":5867,"marks":16343,"data":16344},[],{},{"nodeType":1635,"data":16346,"content":16347},{},[16348],{"nodeType":1639,"value":5874,"marks":16349,"data":16350},[],{},{"nodeType":1697,"data":16352,"content":16353},{},[],{"nodeType":1701,"data":16355,"content":16356},{},[16357],{"nodeType":1639,"value":5884,"marks":16358,"data":16360},[16359],{"type":1708},{},{"nodeType":1635,"data":16362,"content":16363},{},[16364],{"nodeType":1639,"value":5892,"marks":16365,"data":16366},[],{},{"nodeType":1635,"data":16368,"content":16369},{},[16370,16373,16377],{"nodeType":1639,"value":5899,"marks":16371,"data":16372},[],{},{"nodeType":1639,"value":5903,"marks":16374,"data":16376},[16375],{"type":1708},{},{"nodeType":1639,"value":5908,"marks":16378,"data":16379},[],{},{"nodeType":1626,"data":16381,"content":16384},{"target":16382},{"sys":16383},{"id":5915,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":16386,"content":16387},{},[16388],{"nodeType":1639,"value":5921,"marks":16389,"data":16390},[],{},{"nodeType":1635,"data":16392,"content":16393},{},[16394],{"nodeType":1639,"value":5928,"marks":16395,"data":16396},[],{},{"nodeType":1697,"data":16398,"content":16399},{},[],{"nodeType":1701,"data":16401,"content":16402},{},[16403],{"nodeType":1639,"value":5938,"marks":16404,"data":16406},[16405],{"type":1708},{},{"nodeType":1635,"data":16408,"content":16409},{},[16410,16413,16419],{"nodeType":1639,"value":5946,"marks":16411,"data":16412},[],{},{"nodeType":1644,"data":16414,"content":16415},{"uri":165},[16416],{"nodeType":1639,"value":5953,"marks":16417,"data":16418},[],{},{"nodeType":1639,"value":5957,"marks":16420,"data":16421},[],{},{"nodeType":1635,"data":16423,"content":16424},{},[16425],{"nodeType":1639,"value":5964,"marks":16426,"data":16427},[],{},{"nodeType":1635,"data":16429,"content":16430},{},[16431,16434,16440,16443,16449,16452,16458],{"nodeType":1639,"value":5971,"marks":16432,"data":16433},[],{},{"nodeType":1644,"data":16435,"content":16436},{"uri":5976},[16437],{"nodeType":1639,"value":5979,"marks":16438,"data":16439},[],{},{"nodeType":1639,"value":5983,"marks":16441,"data":16442},[],{},{"nodeType":1644,"data":16444,"content":16445},{"uri":5988},[16446],{"nodeType":1639,"value":5991,"marks":16447,"data":16448},[],{},{"nodeType":1639,"value":5995,"marks":16450,"data":16451},[],{},{"nodeType":1644,"data":16453,"content":16454},{"uri":6000},[16455],{"nodeType":1639,"value":6003,"marks":16456,"data":16457},[],{},{"nodeType":1639,"value":2291,"marks":16459,"data":16460},[],{},{"items":16462},[16463,16465],{"sys":16464,"name":3379},{"id":3378},{"sys":16466,"name":3383},{"id":3382},{"items":16468},[16469],{"fullName":6022,"firstName":6023,"jobTitle":6024,"profilePicture":16470},{"url":6026},"blog/unpacking-the-vercel-breach",{"json":16473},{"data":16474,"content":16475,"nodeType":1622},{},[16476],{"data":16477,"content":16478,"nodeType":1635},{},[16479],{"data":16480,"marks":16481,"value":16482,"nodeType":1639},{},[],"In April 2026, Vercel was compromised via an OAuth app integrated into their Google Workspace tenant stemming from a compromised third-party AI SaaS provider. Here’s what you need to know. ",{"id":2615,"publishedAt":16484},"2026-04-28T17:57:45.991Z",{"items":16486},[16487,16489],{"sys":16488,"name":3379},{"id":3378},{"sys":16490,"name":3383},{"id":3382},"Rgq0nKbHV1iieApquUiopxxQNjndlo2xHduohQRr4vY",{"id":16493,"title":16494,"authorsCollection":16495,"content":16499,"extension":2606,"hashTags":61,"meta":17135,"metaTitle":17136,"ogImage":61,"publishedDate":17137,"relatedBlogPostsCollection":17138,"slug":20179,"stem":20180,"subtitle":61,"summary":20181,"synopsis":20191,"sys":20192,"tagsCollection":20195,"__hash__":20201},"blog/blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches.json","Browser sync attacks: Where personal account hacks lead to corporate breaches",{"items":16496},[16497],{"fullName":1615,"firstName":1616,"jobTitle":1617,"profilePicture":16498},{"url":1619},{"json":16500,"links":17008},{"nodeType":1622,"data":16501,"content":16502},{},[16503,16521,16537,16543,16555,16562,16565,16573,16580,16587,16608,16620,16626,16638,16650,16656,16663,16670,16673,16681,16689,16720,16727,16734,16742,16761,16768,16775,16782,16789,16797,16815,16822,16829,16836,16843,16846,16854,16861,16867,16874,16877,16884,16891,16898,16904,16911,16917,16924,16930,16937,16943,16949,16955,16958,16966,16972],{"nodeType":1635,"data":16504,"content":16505},{},[16506,16510,16518],{"nodeType":1639,"value":16507,"marks":16508,"data":16509},"One of the breakaway stories of 2026 has been the rise in attacks powered by ",[],{},{"nodeType":1644,"data":16511,"content":16512},{"uri":2192},[16513],{"nodeType":1639,"value":16514,"marks":16515,"data":16517},"malicious browser extensions",[16516],{"type":1652},{},{"nodeType":1639,"value":1851,"marks":16519,"data":16520},[],{},{"nodeType":1635,"data":16522,"content":16523},{},[16524,16528,16533],{"nodeType":1639,"value":16525,"marks":16526,"data":16527},"Most browser extension attacks are really targeting the apps your users are accessing ",[],{},{"nodeType":1639,"value":16529,"marks":16530,"data":16532},"inside",[16531],{"type":273},{},{"nodeType":1639,"value":16534,"marks":16535,"data":16536}," the browser. They do this by intercepting credentials (passwords, session cookies, and so on) as you browse the internet. ",[],{},{"nodeType":1626,"data":16538,"content":16542},{"target":16539},{"sys":16540},{"id":16541,"type":1631,"linkType":1632},"1nUMc1L69zkD3MmmdqbYm0",[],{"nodeType":1635,"data":16544,"content":16545},{},[16546,16551],{"nodeType":1639,"value":16547,"marks":16548,"data":16550},"But there’s an often overlooked vector that leads to the same outcome — synced browser profiles. ",[16549],{"type":1708},{},{"nodeType":1639,"value":16552,"marks":16553,"data":16554},"And the most dangerous part of this attack is that it often stems from personal device compromises — naturally, outside the scope of your corporate security software. ",[],{},{"nodeType":1635,"data":16556,"content":16557},{},[16558],{"nodeType":1639,"value":16559,"marks":16560,"data":16561},"Sign into Chrome or Edge with a Google or Microsoft account, and your passwords, bookmarks, history, and extensions follow you seamlessly across every device. For individual users, it's a quality-of-life improvement. But for organizations, it links corporate accounts to personal ones with far weaker security controls. ",[],{},{"nodeType":1697,"data":16563,"content":16564},{},[],{"nodeType":1701,"data":16566,"content":16567},{},[16568],{"nodeType":1639,"value":16569,"marks":16570,"data":16572},"How browser sync attacks work",[16571],{"type":1708},{},{"nodeType":1635,"data":16574,"content":16575},{},[16576],{"nodeType":1639,"value":16577,"marks":16578,"data":16579},"When an employee signs into a personal browser profile on a work device (or saves work credentials on a personal device), the browser's sync mechanism copies those credentials into a cloud account outside the organization's control. That cloud account — typically a personal Google or Microsoft account — becomes the weakest link in the chain.",[],{},{"nodeType":1635,"data":16581,"content":16582},{},[16583],{"nodeType":1639,"value":16584,"marks":16585,"data":16586},"The typical sequence looks like this:",[],{},{"nodeType":1635,"data":16588,"content":16589},{},[16590,16595,16599,16604],{"nodeType":1639,"value":16591,"marks":16592,"data":16594},"An employee signs into Chrome with their personal Google account on a corporate laptop. ",[16593],{"type":1708},{},{"nodeType":1639,"value":16596,"marks":16597,"data":16598},"During the course of their work, the browser prompts them to save passwords — for a VPN, an internal tool, a support system, a cloud platform. They click \"Save.\" The credential is now stored locally in the browser ",[],{},{"nodeType":1639,"value":16600,"marks":16601,"data":16603},"and",[16602],{"type":273},{},{"nodeType":1639,"value":16605,"marks":16606,"data":16607}," synced to their personal Google account in the cloud.",[],{},{"nodeType":1635,"data":16609,"content":16610},{},[16611,16616],{"nodeType":1639,"value":16612,"marks":16613,"data":16615},"The personal account is compromised. ",[16614],{"type":1708},{},{"nodeType":1639,"value":16617,"marks":16618,"data":16619},"This can happen in a lot of ways, and is made easier by the less secure nature of personal accounts. They are typically accessed from devices with less or no security protection, while MFA and other identity-layer controls are less common. Once the personal device or account is breached, every synced password — including corporate ones — is in the hands of the attacker. ",[],{},{"nodeType":1626,"data":16621,"content":16625},{"target":16622},{"sys":16623},{"id":16624,"type":1631,"linkType":1632},"2GQ4TVJQWS9VJB5W6fBeLS",[],{"nodeType":1635,"data":16627,"content":16628},{},[16629,16634],{"nodeType":1639,"value":16630,"marks":16631,"data":16633},"With the harvested corporate credentials, the attacker authenticates to the organization's systems.",[16632],{"type":1708},{},{"nodeType":1639,"value":16635,"marks":16636,"data":16637}," If MFA is absent or bypassable (via fatigue attacks, social engineering, or session token reuse), they're in.",[],{},{"nodeType":1635,"data":16639,"content":16640},{},[16641,16646],{"nodeType":1639,"value":16642,"marks":16643,"data":16645},"From here, it's a conventional intrusion — privilege escalation, reconnaissance, and exfiltration. ",[16644],{"type":1708},{},{"nodeType":1639,"value":16647,"marks":16648,"data":16649},"But the initial access was entirely outside the defender's visibility. No phishing email hit the corporate mail gateway. No exploit was fired at a corporate asset. The compromise happened in a personal context that security teams had no control over.",[],{},{"nodeType":1626,"data":16651,"content":16655},{"target":16652},{"sys":16653},{"id":16654,"type":1631,"linkType":1632},"5llxwUFxBOjuXTyr5LXOyy",[],{"nodeType":1635,"data":16657,"content":16658},{},[16659],{"nodeType":1639,"value":16660,"marks":16661,"data":16662},"What makes this attack so effective is that it entirely bypasses the corporate security stack. Endpoint detection, email filtering, network monitoring — none of it sees the initial compromise because it happens on a personal device or in a personal cloud account.",[],{},{"nodeType":1635,"data":16664,"content":16665},{},[16666],{"nodeType":1639,"value":16667,"marks":16668,"data":16669},"The scope isn’t limited to “personal” devices either. BYOD and contractor machines suffer from the same security limitations in that they are a place where personal and corporate use converges, and/or they sit outside of the scope of your security tooling. ",[],{},{"nodeType":1697,"data":16671,"content":16672},{},[],{"nodeType":1701,"data":16674,"content":16675},{},[16676],{"nodeType":1639,"value":16677,"marks":16678,"data":16680},"Real-world incidents",[16679],{"type":1708},{},{"nodeType":1815,"data":16682,"content":16683},{},[16684],{"nodeType":1639,"value":16685,"marks":16686,"data":16688},"Cisco (2022)",[16687],{"type":1708},{},{"nodeType":1635,"data":16690,"content":16691},{},[16692,16695,16704,16708,16716],{"nodeType":1639,"value":29,"marks":16693,"data":16694},[],{},{"nodeType":1644,"data":16696,"content":16698},{"uri":16697},"https://thehackernews.com/2022/08/cisco-confirms-its-been-hacked-by.html",[16699],{"nodeType":1639,"value":16700,"marks":16701,"data":16703},"Cisco",[16702],{"type":1652},{},{"nodeType":1639,"value":16705,"marks":16706,"data":16707}," was breached by an initial access broker with ties to the Yanluowang ransomware group, UNC2447, and the ",[],{},{"nodeType":1644,"data":16709,"content":16710},{"uri":2629},[16711],{"nodeType":1639,"value":16712,"marks":16713,"data":16715},"Lapsus$",[16714],{"type":1652},{},{"nodeType":1639,"value":16717,"marks":16718,"data":16719}," threat actor group. ",[],{},{"nodeType":1635,"data":16721,"content":16722},{},[16723],{"nodeType":1639,"value":16724,"marks":16725,"data":16726},"A Cisco employee had enabled Chrome's password syncing feature and had stored their Cisco VPN credentials in the browser. Those credentials were synchronized to their personal Google account. The attacker compromised the personal Google account, obtained the VPN credentials, and then used a combination of voice phishing and MFA fatigue — repeatedly sending push notifications until the employee accepted one — to bypass multi-factor authentication and gain VPN access.",[],{},{"nodeType":1635,"data":16728,"content":16729},{},[16730],{"nodeType":1639,"value":16731,"marks":16732,"data":16733},"Once inside the network, the attacker escalated privileges, moved laterally to Citrix servers and domain controllers, and deployed offensive tooling consistent with pre-ransomware activity. Cisco's security team ultimately detected and removed the attacker before ransomware was deployed, but the adversary made repeated attempts to regain access in the following weeks, including targeting accounts where employees had only made single-character password changes after the company-wide reset.",[],{},{"nodeType":1815,"data":16735,"content":16736},{},[16737],{"nodeType":1639,"value":16738,"marks":16739,"data":16741},"Okta (2023)",[16740],{"type":1708},{},{"nodeType":1635,"data":16743,"content":16744},{},[16745,16748,16757],{"nodeType":1639,"value":1951,"marks":16746,"data":16747},[],{},{"nodeType":1644,"data":16749,"content":16751},{"uri":16750},"https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause/",[16752],{"nodeType":1639,"value":16753,"marks":16754,"data":16756},"Okta breach",[16755],{"type":1652},{},{"nodeType":1639,"value":16758,"marks":16759,"data":16760}," followed an almost identical pattern to Cisco, but with more severe downstream consequences.",[],{},{"nodeType":1635,"data":16762,"content":16763},{},[16764],{"nodeType":1639,"value":16765,"marks":16766,"data":16767},"Between September 28 and October 17, 2023, an attacker gained unauthorized access to Okta's customer support case management system. The root cause: an Okta employee had signed into their personal Google profile on Chrome on their Okta-managed laptop. While signed into that personal profile, they accessed a service account for the support system. The service account's username and password were saved by Chrome and synced to the employee's personal Google account.",[],{},{"nodeType":1635,"data":16769,"content":16770},{},[16771],{"nodeType":1639,"value":16772,"marks":16773,"data":16774},"The attacker — having compromised either the personal Google account or a personal device — obtained these service account credentials and used them to access the support system. The compromised service account had permissions to view and update customer support cases, which contained HAR (HTTP Archive) files uploaded by customers for troubleshooting. Some of these HAR files contained session tokens.",[],{},{"nodeType":1635,"data":16776,"content":16777},{},[16778],{"nodeType":1639,"value":16779,"marks":16780,"data":16781},"The attacker used the stolen session tokens to hijack the legitimate Okta sessions of five customers, including 1Password, BeyondTrust, and Cloudflare — three security companies that independently detected the suspicious activity and reported it to Okta. In total, files associated with 134 Okta customers were accessed.",[],{},{"nodeType":1635,"data":16783,"content":16784},{},[16785],{"nodeType":1639,"value":16786,"marks":16787,"data":16788},"What made this breach particularly notable was the detection gap. Okta's security team was unable to identify suspicious file downloads in their logs for 14 days. The attacker navigated directly to the Files tab in the support system rather than opening files through individual support cases, which generated a different log event type that wasn't part of the initial investigation scope. It wasn't until BeyondTrust provided a suspicious IP address on October 13 that Okta was able to correlate the activity.",[],{},{"nodeType":1815,"data":16790,"content":16791},{},[16792],{"nodeType":1639,"value":16793,"marks":16794,"data":16796},"Snowflake (customers) (2024)",[16795],{"type":1708},{},{"nodeType":1635,"data":16798,"content":16799},{},[16800,16803,16811],{"nodeType":1639,"value":1951,"marks":16801,"data":16802},[],{},{"nodeType":1644,"data":16804,"content":16805},{"uri":10606},[16806],{"nodeType":1639,"value":16807,"marks":16808,"data":16810},"Snowflake campaign",[16809],{"type":1652},{},{"nodeType":1639,"value":16812,"marks":16813,"data":16814}," represents what happens when the browser-credential-sync problem meets infostealer malware at scale. ",[],{},{"nodeType":1635,"data":16816,"content":16817},{},[16818],{"nodeType":1639,"value":16819,"marks":16820,"data":16821},"In 2024, a financially motivated threat actor tracked as UNC5537 (associated with the ShinyHunters group) systematically compromised approximately 165 Snowflake customer environments. The attackers didn't exploit any vulnerability in Snowflake itself. They logged in with valid credentials.",[],{},{"nodeType":1635,"data":16823,"content":16824},{},[16825],{"nodeType":1639,"value":16826,"marks":16827,"data":16828},"Those credentials had been harvested by infostealer malware — including Vidar, RedLine, Lumma, RisePro, Raccoon Stealer, and MetaStealer — from employee and contractor devices over a period stretching back to 2020. Mandiant's investigation found that over 80% of the compromised accounts had prior credential exposure, and critically, the stolen credentials had never been rotated.",[],{},{"nodeType":1635,"data":16830,"content":16831},{},[16832],{"nodeType":1639,"value":16833,"marks":16834,"data":16835},"The personal/corporate boundary failure was central to the campaign. Mandiant specifically noted that in several cases, the initial infostealer infections occurred on contractor systems that were also used for personal activities, including gaming and downloads of pirated software. These were personal or unmonitored laptops where corporate credentials had been saved in the browser alongside everything else.",[],{},{"nodeType":1635,"data":16837,"content":16838},{},[16839],{"nodeType":1639,"value":16840,"marks":16841,"data":16842},"The impacted Snowflake accounts lacked MFA (which Snowflake did not enforce by default at the time), and the attackers used a custom tool to automate SQL-based reconnaissance and data exfiltration across customer instances. The stolen data encompassed hundreds of millions of customer records, and at least one victim paid an undisclosed ransom.",[],{},{"nodeType":1697,"data":16844,"content":16845},{},[],{"nodeType":1701,"data":16847,"content":16848},{},[16849],{"nodeType":1639,"value":16850,"marks":16851,"data":16853},"What security teams can do about it",[16852],{"type":1708},{},{"nodeType":1635,"data":16855,"content":16856},{},[16857],{"nodeType":1639,"value":16858,"marks":16859,"data":16860},"Chrome Enterprise and Microsoft Edge for Business both support policies that prevent employees from signing into personal accounts on corporate-managed browsers. This is the most direct control. It doesn't prevent all credential leakage scenarios, but it closes the sync-to-personal-cloud path.",[],{},{"nodeType":1626,"data":16862,"content":16866},{"target":16863},{"sys":16864},{"id":16865,"type":1631,"linkType":1632},"CmrOdYVVW6wz9kdRqxOmX",[],{"nodeType":1635,"data":16868,"content":16869},{},[16870],{"nodeType":1639,"value":16871,"marks":16872,"data":16873},"Every incident described above was enabled or worsened by the absence of MFA on the target system. MFA should be mandatory for all human user accounts, and organizations should audit for \"ghost logins\" — local username/password accounts that persist alongside SSO and bypass its MFA enforcement.",[],{},{"nodeType":1697,"data":16875,"content":16876},{},[],{"nodeType":1701,"data":16878,"content":16879},{},[16880],{"nodeType":1639,"value":3236,"marks":16881,"data":16883},[16882],{"type":1708},{},{"nodeType":1635,"data":16885,"content":16886},{},[16887],{"nodeType":1639,"value":16888,"marks":16889,"data":16890},"Push makes browser security easier than ever, particularly when dealing with complex environments running different browsers and operating systems. ",[],{},{"nodeType":1635,"data":16892,"content":16893},{},[16894],{"nodeType":1639,"value":16895,"marks":16896,"data":16897},"You can use Push to surface which users are logged into their browser using a non-work profile and whether the profile is synced across devices. Push captures this information for every browser that your employees are using, including Chrome, Edge, Firefox, Safari, Brave, Opera, Arc, Island, and Prisma (and we’re always adding support for new ones). ",[],{},{"nodeType":1626,"data":16899,"content":16903},{"target":16900},{"sys":16901},{"id":16902,"type":1631,"linkType":1632},"67sSoSW136TeBZzYIEXggP",[],{"nodeType":1635,"data":16905,"content":16906},{},[16907],{"nodeType":1639,"value":16908,"marks":16909,"data":16910},"Sync attacks can impact both saved credentials and browser extensions. This means that even if your employees aren’t saving credentials to their browser profile, you can still be at risk if they’ve installed any extensions in another browser where they’re signed in. ",[],{},{"nodeType":1626,"data":16912,"content":16916},{"target":16913},{"sys":16914},{"id":16915,"type":1631,"linkType":1632},"1MzuYaPlUpYfTnBJRqUBtO",[],{"nodeType":1635,"data":16918,"content":16919},{},[16920],{"nodeType":1639,"value":16921,"marks":16922,"data":16923},"You can use Push to identify where credentials are being saved — for example, are employees using your company-approved password manager, or copying credentials from unsanctioned apps or locations? This includes where users are manually copying passwords from a password manager app rather than auto-populating (this increases the chance of them entering these passwords into phishing pages).",[],{},{"nodeType":1626,"data":16925,"content":16929},{"target":16926},{"sys":16927},{"id":16928,"type":1631,"linkType":1632},"7gNX2RXqB2NIf1tNnJBIFD",[],{"nodeType":1635,"data":16931,"content":16932},{},[16933],{"nodeType":1639,"value":16934,"marks":16935,"data":16936},"You can also see where those credentials have a vulnerability, such as a weak, breached, or reused password. In this scenario, we’re looking for credentials that have been leaked online, where an employee is signed into their work browser with a personal account, and profile sync is enabled. This could indicate that the user has been the victim of an infostealer compromise or malicious extension on their personal device.",[],{},{"nodeType":1626,"data":16938,"content":16942},{"target":16939},{"sys":16940},{"id":16941,"type":1631,"linkType":1632},"1CBezYXZtlIVbReROF7QpK",[],{"nodeType":1626,"data":16944,"content":16948},{"target":16945},{"sys":16946},{"id":16947,"type":1631,"linkType":1632},"4xs0WNCijnwnIVc0xqpUu9",[],{"nodeType":1626,"data":16950,"content":16954},{"target":16951},{"sys":16952},{"id":16953,"type":1631,"linkType":1632},"8gVeg0IBB5EV17iBk6XP8",[],{"nodeType":1697,"data":16956,"content":16957},{},[],{"nodeType":1701,"data":16959,"content":16960},{},[16961],{"nodeType":1639,"value":16962,"marks":16963,"data":16965},"Stop browser-based attacks with Push",[16964],{"type":1708},{},{"nodeType":1635,"data":16967,"content":16968},{},[16969],{"nodeType":1639,"value":10252,"marks":16970,"data":16971},[],{},{"nodeType":1635,"data":16973,"content":16974},{},[16975,16978,16985,16988,16995,16998,17005],{"nodeType":1639,"value":2470,"marks":16976,"data":16977},[],{},{"nodeType":1644,"data":16979,"content":16980},{"uri":2475},[16981],{"nodeType":1639,"value":2478,"marks":16982,"data":16984},[16983],{"type":1652},{},{"nodeType":1639,"value":1655,"marks":16986,"data":16987},[],{},{"nodeType":1644,"data":16989,"content":16990},{"uri":2486},[16991],{"nodeType":1639,"value":2489,"marks":16992,"data":16994},[16993],{"type":1652},{},{"nodeType":1639,"value":2493,"marks":16996,"data":16997},[],{},{"nodeType":1644,"data":16999,"content":17000},{"uri":2498},[17001],{"nodeType":1639,"value":2501,"marks":17002,"data":17004},[17003],{"type":1652},{},{"nodeType":1639,"value":2291,"marks":17006,"data":17007},[],{},{"entries":17009},{"hyperlink":17010,"inline":17011,"block":17012},[],[],[17013,17027,17046,17054,17061,17068,17094,17100,17105,17131],{"sys":17014,"__typename":2514,"content":17015,"name":17026,"title":61},{"id":16541},{"json":17016},{"data":17017,"content":17018,"nodeType":1622},{},[17019],{"data":17020,"content":17021,"nodeType":1635},{},[17022],{"data":17023,"marks":17024,"value":17025,"nodeType":1639},{},[],"This is the same for most browser-based attacks, like phishing (of multiple varieties, with AITM phishing and device code phishing being the most common in 2026), and even hybrid attacks like ClickFix (trick victim into installing an infostealer on their device > steal credentials and cookies > log into apps). ","Browser Sync Blog IB1",{"sys":17028,"__typename":2514,"content":17029,"name":17045,"title":61},{"id":16624},{"json":17030},{"nodeType":1622,"data":17031,"content":17032},{},[17033],{"nodeType":1635,"data":17034,"content":17035},{},[17036,17040],{"nodeType":1639,"value":17037,"marks":17038,"data":17039},"Personal devices are far softer targets than corporate endpoints. They typically have no EDR agent, no centrally managed antivirus, no hardened configuration baselines, and no security operations team watching for alerts. And personal browsing habits are way more likely to lead to infostealer deployment, which are often distributed through malicious advertisements on all manner of platforms — search results, social media ads, gaming forums, and so on. ",[],{},{"nodeType":1639,"value":17041,"marks":17042,"data":17044},"Notably, the 2025 Verizon DBIR found that 46% of infostealer-infected systems with compromised corporate credentials were non-managed devices. ",[17043],{"type":1708},{},"Browser Sync Blog IB2",{"sys":17047,"__typename":1391,"title":17048,"caption":17049,"layoutMode":61,"file":17050},{"id":16654},"Browser sync attack diagram","How a personal account compromise can lead to a corporate breach.",{"url":17051,"width":17052,"height":17053},"https://images.ctfassets.net/y1cdw1ablpvd/7KIXnq2SeCTN2zA7DoIOj4/f2b7c37c47d28ac110cd2769c35652ae/Browser_sync_attack_diagram.png",3922,1636,{"sys":17055,"__typename":1391,"title":17056,"caption":17057,"layoutMode":61,"file":17058},{"id":16865},"Preventing browser profile syncing in Chrome","Preventing browser profile syncing in Chrome.",{"url":17059,"width":6635,"height":17060},"https://images.ctfassets.net/y1cdw1ablpvd/54OsAScfL5a896m3n0is80/ee84ec32221be0a6342eb6792c8b6dca/image1.png",1054,{"sys":17062,"__typename":1391,"title":17063,"caption":17063,"layoutMode":61,"file":17064},{"id":16902},"Identify profile syncing using Push.",{"url":17065,"width":17066,"height":17067},"https://images.ctfassets.net/y1cdw1ablpvd/7Gmo7lSxoyLpmRyeEbXz4H/10e82ddfcba7a390ee5a25c931f730ff/image3.png",1380,465,{"sys":17069,"__typename":2514,"content":17070,"name":17093,"title":61},{"id":16915},{"json":17071},{"data":17072,"content":17073,"nodeType":1622},{},[17074],{"data":17075,"content":17076,"nodeType":1635},{},[17077,17081,17089],{"data":17078,"marks":17079,"value":17080,"nodeType":1639},{},[],"To learn more about how you can use Push to lock down extension use and block malicious extensions from running across every browser, check out our ",{"data":17082,"content":17083,"nodeType":1644},{"uri":2192},[17084],{"data":17085,"marks":17086,"value":17088,"nodeType":1639},{},[17087],{"type":1652},"guide",{"data":17090,"marks":17091,"value":17092,"nodeType":1639},{},[]," here. ","Browser Sync Blog IB3",{"sys":17095,"__typename":1391,"title":17096,"caption":17097,"layoutMode":61,"file":17098},{"id":16928},"Get detailed visibility of password manager use and password entry behavior.","Get deep visibility of password manager use and password entry behavior.",{"url":17099,"width":6666,"height":6667},"https://images.ctfassets.net/y1cdw1ablpvd/74hJdhrMBMXv0enE2Qs5VD/2cdff9be14f70d2ae2283b88da0f3eeb/Push_Password_Manager.gif",{"sys":17101,"__typename":1391,"title":17102,"caption":17102,"layoutMode":61,"file":17103},{"id":16941},"Identify browser profile syncing and whether the user has active credentials that have been leaked online.",{"url":17104,"width":6666,"height":6667},"https://images.ctfassets.net/y1cdw1ablpvd/3BIn8peNvp8EXo1TWqZqXO/0c3f849f24d60fa546603d12abd4c349/Browser_Profile_Sync.gif",{"sys":17106,"__typename":2514,"content":17107,"name":17130,"title":61},{"id":16947},{"json":17108},{"data":17109,"content":17110,"nodeType":1622},{},[17111],{"data":17112,"content":17113,"nodeType":1635},{},[17114,17118,17126],{"data":17115,"marks":17116,"value":17117,"nodeType":1639},{},[],"As well as identifying password vulnerabilities, you can also use Push to harden accounts by detecting MFA gaps and enforcing MFA (even on apps where this isn’t natively possible). Check out our ",{"data":17119,"content":17121,"nodeType":1644},{"uri":17120},"https://pushsecurity.com/blog/guide-how-to-use-push-controls-to-protect-your-users-from-modern-attacks/",[17122],{"data":17123,"marks":17124,"value":17088,"nodeType":1639},{},[17125],{"type":1652},{"data":17127,"marks":17128,"value":17129,"nodeType":1639},{},[]," for more information.","Browser Sync Blog IB4",{"sys":17132,"__typename":6723,"title":17133,"arcadeDemoUrl":17134,"playText":6725},{"id":16953},"Find and fix vulnerabilities using Push to harden attack paths.","https://demo.arcade.software/3gsvKeVcdatDBiW7oC9g?embed",{},"Analyzing browser sync attacks and how to stop them","2026-04-15T00:00:00.000Z",{"items":17139},[17140,18314,19370],{"__typename":2613,"sys":17141,"content":17142,"title":6009,"synopsis":6010,"hashTags":61,"publishedDate":6011,"slug":6012,"tagsCollection":18304,"authorsCollection":18310},{"id":4642},{"json":17143},{"nodeType":1622,"data":17144,"content":17145},{},[17146,17152,17173,17179,17184,17190,17196,17202,17207,17210,17217,17223,17228,17233,17246,17427,17437,17444,17450,17456,17462,17478,17483,17489,17492,17499,17505,17534,17540,17553,17570,17598,17603,17609,17624,17630,17636,17639,17646,17652,17735,17741,17747,17754,17760,17766,17772,17777,17784,17790,17796,17802,17807,17813,17820,17835,17842,17848,17853,17856,17863,17869,17875,17969,17975,17982,17988,17994,18000,18006,18013,18019,18025,18045,18050,18063,18076,18089,18094,18101,18107,18114,18120,18123,18130,18136,18163,18168,18188,18194,18197,18204,18210,18223,18228,18234,18240,18243,18250,18265,18271],{"nodeType":1635,"data":17147,"content":17148},{},[17149],{"nodeType":1639,"value":4651,"marks":17150,"data":17151},[],{},{"nodeType":1726,"data":17153,"content":17154},{},[17155,17164],{"nodeType":1730,"data":17156,"content":17157},{},[17158],{"nodeType":1635,"data":17159,"content":17160},{},[17161],{"nodeType":1639,"value":4664,"marks":17162,"data":17163},[],{},{"nodeType":1730,"data":17165,"content":17166},{},[17167],{"nodeType":1635,"data":17168,"content":17169},{},[17170],{"nodeType":1639,"value":4674,"marks":17171,"data":17172},[],{},{"nodeType":1635,"data":17174,"content":17175},{},[17176],{"nodeType":1639,"value":4681,"marks":17177,"data":17178},[],{},{"nodeType":1626,"data":17180,"content":17183},{"target":17181},{"sys":17182},{"id":4688,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":17185,"content":17186},{},[17187],{"nodeType":1639,"value":4694,"marks":17188,"data":17189},[],{},{"nodeType":1635,"data":17191,"content":17192},{},[17193],{"nodeType":1639,"value":4701,"marks":17194,"data":17195},[],{},{"nodeType":1635,"data":17197,"content":17198},{},[17199],{"nodeType":1639,"value":4708,"marks":17200,"data":17201},[],{},{"nodeType":1626,"data":17203,"content":17206},{"target":17204},{"sys":17205},{"id":4715,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":17208,"content":17209},{},[],{"nodeType":1701,"data":17211,"content":17212},{},[17213],{"nodeType":1639,"value":4724,"marks":17214,"data":17216},[17215],{"type":1708},{},{"nodeType":1635,"data":17218,"content":17219},{},[17220],{"nodeType":1639,"value":4732,"marks":17221,"data":17222},[],{},{"nodeType":1626,"data":17224,"content":17227},{"target":17225},{"sys":17226},{"id":4739,"type":1631,"linkType":1632},[],{"nodeType":1626,"data":17229,"content":17232},{"target":17230},{"sys":17231},{"id":4745,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":17234,"content":17235},{},[17236,17239,17243],{"nodeType":1639,"value":4751,"marks":17237,"data":17238},[],{},{"nodeType":1639,"value":4755,"marks":17240,"data":17242},[17241],{"type":273},{},{"nodeType":1639,"value":4760,"marks":17244,"data":17245},[],{},{"nodeType":4764,"data":17247,"content":17248},{},[17249,17272,17307,17328,17358,17388],{"nodeType":4768,"data":17250,"content":17251},{},[17252,17262],{"nodeType":4772,"data":17253,"content":17254},{},[17255],{"nodeType":1635,"data":17256,"content":17257},{},[17258],{"nodeType":1639,"value":4779,"marks":17259,"data":17261},[17260],{"type":1708},{},{"nodeType":4772,"data":17263,"content":17264},{},[17265],{"nodeType":1635,"data":17266,"content":17267},{},[17268],{"nodeType":1639,"value":4790,"marks":17269,"data":17271},[17270],{"type":1708},{},{"nodeType":4768,"data":17273,"content":17274},{},[17275,17295],{"nodeType":4798,"data":17276,"content":17277},{},[17278],{"nodeType":1635,"data":17279,"content":17280},{},[17281,17284,17292],{"nodeType":1639,"value":4805,"marks":17282,"data":17283},[],{},{"nodeType":4809,"data":17285,"content":17288},{"target":17286},{"sys":17287},{"id":4813,"type":1631,"linkType":1632},[17289],{"nodeType":1639,"value":4816,"marks":17290,"data":17291},[],{},{"nodeType":1639,"value":4820,"marks":17293,"data":17294},[],{},{"nodeType":4798,"data":17296,"content":17297},{},[17298],{"nodeType":1635,"data":17299,"content":17300},{},[17301,17304],{"nodeType":1639,"value":4830,"marks":17302,"data":17303},[],{},{"nodeType":1639,"value":4834,"marks":17305,"data":17306},[],{},{"nodeType":4768,"data":17308,"content":17309},{},[17310,17319],{"nodeType":4798,"data":17311,"content":17312},{},[17313],{"nodeType":1635,"data":17314,"content":17315},{},[17316],{"nodeType":1639,"value":4847,"marks":17317,"data":17318},[],{},{"nodeType":4798,"data":17320,"content":17321},{},[17322],{"nodeType":1635,"data":17323,"content":17324},{},[17325],{"nodeType":1639,"value":4857,"marks":17326,"data":17327},[],{},{"nodeType":4768,"data":17329,"content":17330},{},[17331,17349],{"nodeType":4798,"data":17332,"content":17333},{},[17334],{"nodeType":1635,"data":17335,"content":17336},{},[17337,17340,17346],{"nodeType":1639,"value":4870,"marks":17338,"data":17339},[],{},{"nodeType":1644,"data":17341,"content":17342},{"uri":4875},[17343],{"nodeType":1639,"value":4878,"marks":17344,"data":17345},[],{},{"nodeType":1639,"value":4882,"marks":17347,"data":17348},[],{},{"nodeType":4798,"data":17350,"content":17351},{},[17352],{"nodeType":1635,"data":17353,"content":17354},{},[17355],{"nodeType":1639,"value":4892,"marks":17356,"data":17357},[],{},{"nodeType":4768,"data":17359,"content":17360},{},[17361,17370],{"nodeType":4798,"data":17362,"content":17363},{},[17364],{"nodeType":1635,"data":17365,"content":17366},{},[17367],{"nodeType":1639,"value":4905,"marks":17368,"data":17369},[],{},{"nodeType":4798,"data":17371,"content":17372},{},[17373],{"nodeType":1635,"data":17374,"content":17375},{},[17376,17379,17385],{"nodeType":1639,"value":4915,"marks":17377,"data":17378},[],{},{"nodeType":1644,"data":17380,"content":17381},{"uri":4920},[17382],{"nodeType":1639,"value":4923,"marks":17383,"data":17384},[],{},{"nodeType":1639,"value":2291,"marks":17386,"data":17387},[],{},{"nodeType":4768,"data":17389,"content":17390},{},[17391,17400],{"nodeType":4798,"data":17392,"content":17393},{},[17394],{"nodeType":1635,"data":17395,"content":17396},{},[17397],{"nodeType":1639,"value":4939,"marks":17398,"data":17399},[],{},{"nodeType":4798,"data":17401,"content":17402},{},[17403],{"nodeType":1635,"data":17404,"content":17405},{},[17406,17409,17415,17418,17424],{"nodeType":1639,"value":29,"marks":17407,"data":17408},[],{},{"nodeType":1644,"data":17410,"content":17411},{"uri":4953},[17412],{"nodeType":1639,"value":4956,"marks":17413,"data":17414},[],{},{"nodeType":1639,"value":4960,"marks":17416,"data":17417},[],{},{"nodeType":1644,"data":17419,"content":17420},{"uri":4965},[17421],{"nodeType":1639,"value":4968,"marks":17422,"data":17423},[],{},{"nodeType":1639,"value":4972,"marks":17425,"data":17426},[],{},{"nodeType":1635,"data":17428,"content":17429},{},[17430,17433],{"nodeType":1639,"value":4979,"marks":17431,"data":17432},[],{},{"nodeType":1639,"value":4983,"marks":17434,"data":17436},[17435],{"type":1708},{},{"nodeType":1815,"data":17438,"content":17439},{},[17440],{"nodeType":1639,"value":4991,"marks":17441,"data":17443},[17442],{"type":1708},{},{"nodeType":1635,"data":17445,"content":17446},{},[17447],{"nodeType":1639,"value":4999,"marks":17448,"data":17449},[],{},{"nodeType":1635,"data":17451,"content":17452},{},[17453],{"nodeType":1639,"value":5006,"marks":17454,"data":17455},[],{},{"nodeType":1635,"data":17457,"content":17458},{},[17459],{"nodeType":1639,"value":5013,"marks":17460,"data":17461},[],{},{"nodeType":1635,"data":17463,"content":17464},{},[17465,17468,17471,17475],{"nodeType":1639,"value":5020,"marks":17466,"data":17467},[],{},{"nodeType":1639,"value":5024,"marks":17469,"data":17470},[],{},{"nodeType":1639,"value":5028,"marks":17472,"data":17474},[17473],{"type":1708},{},{"nodeType":1639,"value":5033,"marks":17476,"data":17477},[],{},{"nodeType":1626,"data":17479,"content":17482},{"target":17480},{"sys":17481},{"id":5040,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":17484,"content":17485},{},[17486],{"nodeType":1639,"value":5046,"marks":17487,"data":17488},[],{},{"nodeType":1697,"data":17490,"content":17491},{},[],{"nodeType":1701,"data":17493,"content":17494},{},[17495],{"nodeType":1639,"value":5056,"marks":17496,"data":17498},[17497],{"type":1708},{},{"nodeType":1635,"data":17500,"content":17501},{},[17502],{"nodeType":1639,"value":5064,"marks":17503,"data":17504},[],{},{"nodeType":1726,"data":17506,"content":17507},{},[17508,17521],{"nodeType":1730,"data":17509,"content":17510},{},[17511],{"nodeType":1635,"data":17512,"content":17513},{},[17514,17518],{"nodeType":1639,"value":5077,"marks":17515,"data":17517},[17516],{"type":1708},{},{"nodeType":1639,"value":5082,"marks":17519,"data":17520},[],{},{"nodeType":1730,"data":17522,"content":17523},{},[17524],{"nodeType":1635,"data":17525,"content":17526},{},[17527,17531],{"nodeType":1639,"value":5092,"marks":17528,"data":17530},[17529],{"type":1708},{},{"nodeType":1639,"value":5097,"marks":17532,"data":17533},[],{},{"nodeType":1815,"data":17535,"content":17536},{},[17537],{"nodeType":1639,"value":5104,"marks":17538,"data":17539},[],{},{"nodeType":1635,"data":17541,"content":17542},{},[17543,17546,17550],{"nodeType":1639,"value":5111,"marks":17544,"data":17545},[],{},{"nodeType":1639,"value":5115,"marks":17547,"data":17549},[17548],{"type":273},{},{"nodeType":1639,"value":5120,"marks":17551,"data":17552},[],{},{"nodeType":1635,"data":17554,"content":17555},{},[17556,17559,17567],{"nodeType":1639,"value":5127,"marks":17557,"data":17558},[],{},{"nodeType":4809,"data":17560,"content":17563},{"target":17561},{"sys":17562},{"id":5134,"type":1631,"linkType":1632},[17564],{"nodeType":1639,"value":5137,"marks":17565,"data":17566},[],{},{"nodeType":1639,"value":5141,"marks":17568,"data":17569},[],{},{"nodeType":1635,"data":17571,"content":17572},{},[17573,17576,17584,17587,17595],{"nodeType":1639,"value":5148,"marks":17574,"data":17575},[],{},{"nodeType":4809,"data":17577,"content":17580},{"target":17578},{"sys":17579},{"id":5155,"type":1631,"linkType":1632},[17581],{"nodeType":1639,"value":5158,"marks":17582,"data":17583},[],{},{"nodeType":1639,"value":5162,"marks":17585,"data":17586},[],{},{"nodeType":4809,"data":17588,"content":17591},{"target":17589},{"sys":17590},{"id":5169,"type":1631,"linkType":1632},[17592],{"nodeType":1639,"value":5172,"marks":17593,"data":17594},[],{},{"nodeType":1639,"value":5176,"marks":17596,"data":17597},[],{},{"nodeType":1626,"data":17599,"content":17602},{"target":17600},{"sys":17601},{"id":5183,"type":1631,"linkType":1632},[],{"nodeType":1815,"data":17604,"content":17605},{},[17606],{"nodeType":1639,"value":5189,"marks":17607,"data":17608},[],{},{"nodeType":1635,"data":17610,"content":17611},{},[17612,17615,17621],{"nodeType":1639,"value":5196,"marks":17613,"data":17614},[],{},{"nodeType":1644,"data":17616,"content":17617},{"uri":5201},[17618],{"nodeType":1639,"value":5204,"marks":17619,"data":17620},[],{},{"nodeType":1639,"value":5208,"marks":17622,"data":17623},[],{},{"nodeType":1635,"data":17625,"content":17626},{},[17627],{"nodeType":1639,"value":5215,"marks":17628,"data":17629},[],{},{"nodeType":1635,"data":17631,"content":17632},{},[17633],{"nodeType":1639,"value":5222,"marks":17634,"data":17635},[],{},{"nodeType":1697,"data":17637,"content":17638},{},[],{"nodeType":1701,"data":17640,"content":17641},{},[17642],{"nodeType":1639,"value":5232,"marks":17643,"data":17645},[17644],{"type":1708},{},{"nodeType":1635,"data":17647,"content":17648},{},[17649],{"nodeType":1639,"value":5240,"marks":17650,"data":17651},[],{},{"nodeType":1726,"data":17653,"content":17654},{},[17655,17675,17695,17715],{"nodeType":1730,"data":17656,"content":17657},{},[17658],{"nodeType":1635,"data":17659,"content":17660},{},[17661,17664,17672],{"nodeType":1639,"value":29,"marks":17662,"data":17663},[],{},{"nodeType":4809,"data":17665,"content":17668},{"target":17666},{"sys":17667},{"id":5259,"type":1631,"linkType":1632},[17669],{"nodeType":1639,"value":5262,"marks":17670,"data":17671},[],{},{"nodeType":1639,"value":5266,"marks":17673,"data":17674},[],{},{"nodeType":1730,"data":17676,"content":17677},{},[17678],{"nodeType":1635,"data":17679,"content":17680},{},[17681,17684,17692],{"nodeType":1639,"value":29,"marks":17682,"data":17683},[],{},{"nodeType":4809,"data":17685,"content":17688},{"target":17686},{"sys":17687},{"id":5282,"type":1631,"linkType":1632},[17689],{"nodeType":1639,"value":5285,"marks":17690,"data":17691},[],{},{"nodeType":1639,"value":5289,"marks":17693,"data":17694},[],{},{"nodeType":1730,"data":17696,"content":17697},{},[17698],{"nodeType":1635,"data":17699,"content":17700},{},[17701,17704,17712],{"nodeType":1639,"value":29,"marks":17702,"data":17703},[],{},{"nodeType":4809,"data":17705,"content":17708},{"target":17706},{"sys":17707},{"id":5305,"type":1631,"linkType":1632},[17709],{"nodeType":1639,"value":5308,"marks":17710,"data":17711},[],{},{"nodeType":1639,"value":29,"marks":17713,"data":17714},[],{},{"nodeType":1730,"data":17716,"content":17717},{},[17718],{"nodeType":1635,"data":17719,"content":17720},{},[17721,17724,17732],{"nodeType":1639,"value":29,"marks":17722,"data":17723},[],{},{"nodeType":4809,"data":17725,"content":17728},{"target":17726},{"sys":17727},{"id":5327,"type":1631,"linkType":1632},[17729],{"nodeType":1639,"value":5330,"marks":17730,"data":17731},[],{},{"nodeType":1639,"value":5334,"marks":17733,"data":17734},[],{},{"nodeType":1635,"data":17736,"content":17737},{},[17738],{"nodeType":1639,"value":5341,"marks":17739,"data":17740},[],{},{"nodeType":1635,"data":17742,"content":17743},{},[17744],{"nodeType":1639,"value":5348,"marks":17745,"data":17746},[],{},{"nodeType":1815,"data":17748,"content":17749},{},[17750],{"nodeType":1639,"value":5355,"marks":17751,"data":17753},[17752],{"type":1708},{},{"nodeType":1635,"data":17755,"content":17756},{},[17757],{"nodeType":1639,"value":5363,"marks":17758,"data":17759},[],{},{"nodeType":1635,"data":17761,"content":17762},{},[17763],{"nodeType":1639,"value":5370,"marks":17764,"data":17765},[],{},{"nodeType":1635,"data":17767,"content":17768},{},[17769],{"nodeType":1639,"value":5377,"marks":17770,"data":17771},[],{},{"nodeType":1626,"data":17773,"content":17776},{"target":17774},{"sys":17775},{"id":5384,"type":1631,"linkType":1632},[],{"nodeType":1815,"data":17778,"content":17779},{},[17780],{"nodeType":1639,"value":5390,"marks":17781,"data":17783},[17782],{"type":1708},{},{"nodeType":1635,"data":17785,"content":17786},{},[17787],{"nodeType":1639,"value":5398,"marks":17788,"data":17789},[],{},{"nodeType":1635,"data":17791,"content":17792},{},[17793],{"nodeType":1639,"value":5405,"marks":17794,"data":17795},[],{},{"nodeType":1635,"data":17797,"content":17798},{},[17799],{"nodeType":1639,"value":5412,"marks":17800,"data":17801},[],{},{"nodeType":1626,"data":17803,"content":17806},{"target":17804},{"sys":17805},{"id":5419,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":17808,"content":17809},{},[17810],{"nodeType":1639,"value":5425,"marks":17811,"data":17812},[],{},{"nodeType":1815,"data":17814,"content":17815},{},[17816],{"nodeType":1639,"value":5432,"marks":17817,"data":17819},[17818],{"type":1708},{},{"nodeType":1635,"data":17821,"content":17822},{},[17823,17826,17832],{"nodeType":1639,"value":5440,"marks":17824,"data":17825},[],{},{"nodeType":1644,"data":17827,"content":17828},{"uri":5445},[17829],{"nodeType":1639,"value":5448,"marks":17830,"data":17831},[],{},{"nodeType":1639,"value":5452,"marks":17833,"data":17834},[],{},{"nodeType":1815,"data":17836,"content":17837},{},[17838],{"nodeType":1639,"value":5459,"marks":17839,"data":17841},[17840],{"type":1708},{},{"nodeType":1635,"data":17843,"content":17844},{},[17845],{"nodeType":1639,"value":5467,"marks":17846,"data":17847},[],{},{"nodeType":1626,"data":17849,"content":17852},{"target":17850},{"sys":17851},{"id":5474,"type":1631,"linkType":1632},[],{"nodeType":1697,"data":17854,"content":17855},{},[],{"nodeType":1701,"data":17857,"content":17858},{},[17859],{"nodeType":1639,"value":5483,"marks":17860,"data":17862},[17861],{"type":1708},{},{"nodeType":1635,"data":17864,"content":17865},{},[17866],{"nodeType":1639,"value":5491,"marks":17867,"data":17868},[],{},{"nodeType":1635,"data":17870,"content":17871},{},[17872],{"nodeType":1639,"value":5498,"marks":17873,"data":17874},[],{},{"nodeType":1726,"data":17876,"content":17877},{},[17878,17898,17929,17949],{"nodeType":1730,"data":17879,"content":17880},{},[17881],{"nodeType":1635,"data":17882,"content":17883},{},[17884,17887,17895],{"nodeType":1639,"value":29,"marks":17885,"data":17886},[],{},{"nodeType":4809,"data":17888,"content":17891},{"target":17889},{"sys":17890},{"id":5517,"type":1631,"linkType":1632},[17892],{"nodeType":1639,"value":5520,"marks":17893,"data":17894},[],{},{"nodeType":1639,"value":5524,"marks":17896,"data":17897},[],{},{"nodeType":1730,"data":17899,"content":17900},{},[17901],{"nodeType":1635,"data":17902,"content":17903},{},[17904,17907,17915,17918,17926],{"nodeType":1639,"value":5534,"marks":17905,"data":17906},[],{},{"nodeType":4809,"data":17908,"content":17911},{"target":17909},{"sys":17910},{"id":5541,"type":1631,"linkType":1632},[17912],{"nodeType":1639,"value":5544,"marks":17913,"data":17914},[],{},{"nodeType":1639,"value":5548,"marks":17916,"data":17917},[],{},{"nodeType":4809,"data":17919,"content":17922},{"target":17920},{"sys":17921},{"id":5555,"type":1631,"linkType":1632},[17923],{"nodeType":1639,"value":5558,"marks":17924,"data":17925},[],{},{"nodeType":1639,"value":5562,"marks":17927,"data":17928},[],{},{"nodeType":1730,"data":17930,"content":17931},{},[17932],{"nodeType":1635,"data":17933,"content":17934},{},[17935,17938,17946],{"nodeType":1639,"value":5572,"marks":17936,"data":17937},[],{},{"nodeType":4809,"data":17939,"content":17942},{"target":17940},{"sys":17941},{"id":5579,"type":1631,"linkType":1632},[17943],{"nodeType":1639,"value":5582,"marks":17944,"data":17945},[],{},{"nodeType":1639,"value":5586,"marks":17947,"data":17948},[],{},{"nodeType":1730,"data":17950,"content":17951},{},[17952],{"nodeType":1635,"data":17953,"content":17954},{},[17955,17958,17966],{"nodeType":1639,"value":29,"marks":17956,"data":17957},[],{},{"nodeType":4809,"data":17959,"content":17962},{"target":17960},{"sys":17961},{"id":5602,"type":1631,"linkType":1632},[17963],{"nodeType":1639,"value":5605,"marks":17964,"data":17965},[],{},{"nodeType":1639,"value":5609,"marks":17967,"data":17968},[],{},{"nodeType":1635,"data":17970,"content":17971},{},[17972],{"nodeType":1639,"value":5348,"marks":17973,"data":17974},[],{},{"nodeType":1815,"data":17976,"content":17977},{},[17978],{"nodeType":1639,"value":5355,"marks":17979,"data":17981},[17980],{"type":1708},{},{"nodeType":1635,"data":17983,"content":17984},{},[17985],{"nodeType":1639,"value":5629,"marks":17986,"data":17987},[],{},{"nodeType":1635,"data":17989,"content":17990},{},[17991],{"nodeType":1639,"value":5636,"marks":17992,"data":17993},[],{},{"nodeType":1635,"data":17995,"content":17996},{},[17997],{"nodeType":1639,"value":5643,"marks":17998,"data":17999},[],{},{"nodeType":1635,"data":18001,"content":18002},{},[18003],{"nodeType":1639,"value":5650,"marks":18004,"data":18005},[],{},{"nodeType":1815,"data":18007,"content":18008},{},[18009],{"nodeType":1639,"value":5657,"marks":18010,"data":18012},[18011],{"type":1708},{},{"nodeType":1635,"data":18014,"content":18015},{},[18016],{"nodeType":1639,"value":5665,"marks":18017,"data":18018},[],{},{"nodeType":1635,"data":18020,"content":18021},{},[18022],{"nodeType":1639,"value":5672,"marks":18023,"data":18024},[],{},{"nodeType":1635,"data":18026,"content":18027},{},[18028,18031,18035,18038,18042],{"nodeType":1639,"value":5679,"marks":18029,"data":18030},[],{},{"nodeType":1639,"value":5683,"marks":18032,"data":18034},[18033],{"type":1708},{},{"nodeType":1639,"value":5688,"marks":18036,"data":18037},[],{},{"nodeType":1639,"value":5692,"marks":18039,"data":18041},[18040],{"type":1708},{},{"nodeType":1639,"value":5697,"marks":18043,"data":18044},[],{},{"nodeType":1626,"data":18046,"content":18049},{"target":18047},{"sys":18048},{"id":5704,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":18051,"content":18052},{},[18053,18056,18060],{"nodeType":1639,"value":5710,"marks":18054,"data":18055},[],{},{"nodeType":1639,"value":5714,"marks":18057,"data":18059},[18058],{"type":1708},{},{"nodeType":1639,"value":5719,"marks":18061,"data":18062},[],{},{"nodeType":1635,"data":18064,"content":18065},{},[18066,18069,18073],{"nodeType":1639,"value":5710,"marks":18067,"data":18068},[],{},{"nodeType":1639,"value":5729,"marks":18070,"data":18072},[18071],{"type":1708},{},{"nodeType":1639,"value":5734,"marks":18074,"data":18075},[],{},{"nodeType":1635,"data":18077,"content":18078},{},[18079,18082,18086],{"nodeType":1639,"value":5741,"marks":18080,"data":18081},[],{},{"nodeType":1639,"value":5745,"marks":18083,"data":18085},[18084],{"type":1708},{},{"nodeType":1639,"value":5750,"marks":18087,"data":18088},[],{},{"nodeType":1626,"data":18090,"content":18093},{"target":18091},{"sys":18092},{"id":5757,"type":1631,"linkType":1632},[],{"nodeType":1815,"data":18095,"content":18096},{},[18097],{"nodeType":1639,"value":5763,"marks":18098,"data":18100},[18099],{"type":1708},{},{"nodeType":1635,"data":18102,"content":18103},{},[18104],{"nodeType":1639,"value":5771,"marks":18105,"data":18106},[],{},{"nodeType":1815,"data":18108,"content":18109},{},[18110],{"nodeType":1639,"value":5778,"marks":18111,"data":18113},[18112],{"type":1708},{},{"nodeType":1635,"data":18115,"content":18116},{},[18117],{"nodeType":1639,"value":5786,"marks":18118,"data":18119},[],{},{"nodeType":1697,"data":18121,"content":18122},{},[],{"nodeType":1701,"data":18124,"content":18125},{},[18126],{"nodeType":1639,"value":5796,"marks":18127,"data":18129},[18128],{"type":1708},{},{"nodeType":1635,"data":18131,"content":18132},{},[18133],{"nodeType":1639,"value":5804,"marks":18134,"data":18135},[],{},{"nodeType":1635,"data":18137,"content":18138},{},[18139,18142,18146,18149,18153,18156,18160],{"nodeType":1639,"value":5811,"marks":18140,"data":18141},[],{},{"nodeType":1639,"value":5815,"marks":18143,"data":18145},[18144],{"type":1708},{},{"nodeType":1639,"value":5820,"marks":18147,"data":18148},[],{},{"nodeType":1639,"value":5692,"marks":18150,"data":18152},[18151],{"type":1708},{},{"nodeType":1639,"value":5828,"marks":18154,"data":18155},[],{},{"nodeType":1639,"value":5832,"marks":18157,"data":18159},[18158],{"type":1708},{},{"nodeType":1639,"value":5837,"marks":18161,"data":18162},[],{},{"nodeType":1626,"data":18164,"content":18167},{"target":18165},{"sys":18166},{"id":5844,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":18169,"content":18170},{},[18171,18174,18178,18181,18185],{"nodeType":1639,"value":5850,"marks":18172,"data":18173},[],{},{"nodeType":1639,"value":5854,"marks":18175,"data":18177},[18176],{"type":1708},{},{"nodeType":1639,"value":5548,"marks":18179,"data":18180},[],{},{"nodeType":1639,"value":5862,"marks":18182,"data":18184},[18183],{"type":1708},{},{"nodeType":1639,"value":5867,"marks":18186,"data":18187},[],{},{"nodeType":1635,"data":18189,"content":18190},{},[18191],{"nodeType":1639,"value":5874,"marks":18192,"data":18193},[],{},{"nodeType":1697,"data":18195,"content":18196},{},[],{"nodeType":1701,"data":18198,"content":18199},{},[18200],{"nodeType":1639,"value":5884,"marks":18201,"data":18203},[18202],{"type":1708},{},{"nodeType":1635,"data":18205,"content":18206},{},[18207],{"nodeType":1639,"value":5892,"marks":18208,"data":18209},[],{},{"nodeType":1635,"data":18211,"content":18212},{},[18213,18216,18220],{"nodeType":1639,"value":5899,"marks":18214,"data":18215},[],{},{"nodeType":1639,"value":5903,"marks":18217,"data":18219},[18218],{"type":1708},{},{"nodeType":1639,"value":5908,"marks":18221,"data":18222},[],{},{"nodeType":1626,"data":18224,"content":18227},{"target":18225},{"sys":18226},{"id":5915,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":18229,"content":18230},{},[18231],{"nodeType":1639,"value":5921,"marks":18232,"data":18233},[],{},{"nodeType":1635,"data":18235,"content":18236},{},[18237],{"nodeType":1639,"value":5928,"marks":18238,"data":18239},[],{},{"nodeType":1697,"data":18241,"content":18242},{},[],{"nodeType":1701,"data":18244,"content":18245},{},[18246],{"nodeType":1639,"value":5938,"marks":18247,"data":18249},[18248],{"type":1708},{},{"nodeType":1635,"data":18251,"content":18252},{},[18253,18256,18262],{"nodeType":1639,"value":5946,"marks":18254,"data":18255},[],{},{"nodeType":1644,"data":18257,"content":18258},{"uri":165},[18259],{"nodeType":1639,"value":5953,"marks":18260,"data":18261},[],{},{"nodeType":1639,"value":5957,"marks":18263,"data":18264},[],{},{"nodeType":1635,"data":18266,"content":18267},{},[18268],{"nodeType":1639,"value":5964,"marks":18269,"data":18270},[],{},{"nodeType":1635,"data":18272,"content":18273},{},[18274,18277,18283,18286,18292,18295,18301],{"nodeType":1639,"value":5971,"marks":18275,"data":18276},[],{},{"nodeType":1644,"data":18278,"content":18279},{"uri":5976},[18280],{"nodeType":1639,"value":5979,"marks":18281,"data":18282},[],{},{"nodeType":1639,"value":5983,"marks":18284,"data":18285},[],{},{"nodeType":1644,"data":18287,"content":18288},{"uri":5988},[18289],{"nodeType":1639,"value":5991,"marks":18290,"data":18291},[],{},{"nodeType":1639,"value":5995,"marks":18293,"data":18294},[],{},{"nodeType":1644,"data":18296,"content":18297},{"uri":6000},[18298],{"nodeType":1639,"value":6003,"marks":18299,"data":18300},[],{},{"nodeType":1639,"value":2291,"marks":18302,"data":18303},[],{},{"items":18305},[18306,18308],{"sys":18307,"name":3379},{"id":3378},{"sys":18309,"name":3383},{"id":3382},{"items":18311},[18312],{"fullName":6022,"firstName":6023,"jobTitle":6024,"profilePicture":18313},{"url":6026},{"__typename":2613,"sys":18315,"content":18317,"title":19356,"synopsis":19357,"hashTags":61,"publishedDate":19358,"slug":19359,"tagsCollection":19360,"authorsCollection":19366},{"id":18316},"4DqTwJKeCSPnJUc6YPFC5A",{"json":18318},{"nodeType":1622,"data":18319,"content":18320},{},[18321,18388,18395,18401,18404,18412,18419,18426,18434,18441,18497,18513,18520,18527,18530,18538,18545,18607,18615,18622,18628,18634,18641,18648,18666,18673,18721,18727,18735,18756,18763,18770,18863,18870,18886,18892,18899,18906,18913,18920,18981,18987,18993,19001,19008,19015,19038,19045,19051,19073,19078,19085,19092,19099,19106,19139,19158,19165,19176,19179,19187,19194,19200,19203,19211,19219,19226,19245,19252,19259,19265,19272,19279,19285,19288,19295,19311,19317],{"nodeType":1635,"data":18322,"content":18323},{},[18324,18328,18337,18340,18349,18352,18361,18365,18373,18376,18384],{"nodeType":1639,"value":18325,"marks":18326,"data":18327},"Attackers are doubling down on malicious browser extensions as their method of choice. Recent campaigns like ",[],{},{"nodeType":1644,"data":18329,"content":18331},{"uri":18330},"https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/",[18332],{"nodeType":1639,"value":18333,"marks":18334,"data":18336},"ShadyPanda",[18335],{"type":1652},{},{"nodeType":1639,"value":1655,"marks":18338,"data":18339},[],{},{"nodeType":1644,"data":18341,"content":18343},{"uri":18342},"https://www.bleepingcomputer.com/news/security/zoom-stealer-browser-extensions-harvest-corporate-meeting-intelligence/",[18344],{"nodeType":1639,"value":18345,"marks":18346,"data":18348},"ZoomStealer",[18347],{"type":1652},{},{"nodeType":1639,"value":1655,"marks":18350,"data":18351},[],{},{"nodeType":1644,"data":18353,"content":18355},{"uri":18354},"https://www.bleepingcomputer.com/news/security/malicious-ghostposter-browser-extensions-found-with-840-000-installs/",[18356],{"nodeType":1639,"value":18357,"marks":18358,"data":18360},"GhostPoster",[18359],{"type":1652},{},{"nodeType":1639,"value":18362,"marks":18363,"data":18364},", and the breaches impacting vendors like ",[],{},{"nodeType":1644,"data":18366,"content":18368},{"uri":18367},"https://www.bleepingcomputer.com/news/security/cybersecurity-firms-chrome-extension-hijacked-to-steal-users-data/",[18369],{"nodeType":1639,"value":1649,"marks":18370,"data":18372},[18371],{"type":1652},{},{"nodeType":1639,"value":5688,"marks":18374,"data":18375},[],{},{"nodeType":1644,"data":18377,"content":18379},{"uri":18378},"https://www.bleepingcomputer.com/news/security/trust-wallet-confirms-extension-hack-led-to-7-million-crypto-theft/",[18380],{"nodeType":1639,"value":1674,"marks":18381,"data":18383},[18382],{"type":1652},{},{"nodeType":1639,"value":18385,"marks":18386,"data":18387},", all highlight the threat posed by malicious extensions. ",[],{},{"nodeType":1635,"data":18389,"content":18390},{},[18391],{"nodeType":1639,"value":18392,"marks":18393,"data":18394},"Most malicious extensions didn’t start that way. Attackers often begin with a legitimate extension — either by creating something that is initially benign, purchasing an extension that already exists and has a large number of installs, or by phishing an extension developer’s account to publish a malicious version. Then, they bide their time, waiting for the right moment to flip the switch and deploy a malicious update, compromising every browser that they’re deployed to. ",[],{},{"nodeType":1626,"data":18396,"content":18400},{"target":18397},{"sys":18398},{"id":18399,"type":1631,"linkType":1632},"7eTmqh5jqYA3l1Xk4GikVO",[],{"nodeType":1697,"data":18402,"content":18403},{},[],{"nodeType":1701,"data":18405,"content":18406},{},[18407],{"nodeType":1639,"value":18408,"marks":18409,"data":18411},"Why tackling malicious extensions is a hard problem for security teams",[18410],{"type":1708},{},{"nodeType":1635,"data":18413,"content":18414},{},[18415],{"nodeType":1639,"value":18416,"marks":18417,"data":18418},"The Chrome extension store alone has in excess of 100k extensions with a wide range of use cases. Pretty much every major app today has an extension counterpart, and there are countless smaller extensions — from AI overlays, to screen recording, spell checking, and color matching. AI-assisted development has further increased the rate at which new extensions are created and added to the marketplace (for both legit developers and malicious ones). ",[],{},{"nodeType":1635,"data":18420,"content":18421},{},[18422],{"nodeType":1639,"value":18423,"marks":18424,"data":18425},"For organizations just beginning to think about extension management, this isn’t an easy problem to get a handle on. If you’ve allowed your employees to freely install extensions without restriction, then there could be hundreds, if not thousands, of different extensions in use across your business. ",[],{},{"nodeType":1815,"data":18427,"content":18428},{},[18429],{"nodeType":1639,"value":18430,"marks":18431,"data":18433},"Malicious extensions are good at hiding bad code",[18432],{"type":1708},{},{"nodeType":1635,"data":18435,"content":18436},{},[18437],{"nodeType":1639,"value":18438,"marks":18439,"data":18440},"Right now, extension stores are fighting a losing battle against attackers. ",[],{},{"nodeType":1726,"data":18442,"content":18443},{},[18444,18467,18477,18487],{"nodeType":1730,"data":18445,"content":18446},{},[18447],{"nodeType":1635,"data":18448,"content":18449},{},[18450,18454,18463],{"nodeType":1639,"value":18451,"marks":18452,"data":18453},"Malicious extensions are being regularly uploaded, bypassing code analysis checks, and even achieving ",[],{},{"nodeType":1644,"data":18455,"content":18457},{"uri":18456},"https://thehackernews.com/2026/02/malicious-chrome-extensions-caught.html",[18458],{"nodeType":1639,"value":18459,"marks":18460,"data":18462},"“Featured” or “Verified” status",[18461],{"type":1652},{},{"nodeType":1639,"value":18464,"marks":18465,"data":18466}," in the app stores. This is because attackers are using dynamically compiled, stealthily smuggled code that can’t be reliably spotted through static code checks or sandbox analysis. ",[],{},{"nodeType":1730,"data":18468,"content":18469},{},[18470],{"nodeType":1635,"data":18471,"content":18472},{},[18473],{"nodeType":1639,"value":18474,"marks":18475,"data":18476},"Bad isn't detected until an extension is observed doing malicious things in the wild. Most of the time, this is because there’s been a breach. ",[],{},{"nodeType":1730,"data":18478,"content":18479},{},[18480],{"nodeType":1635,"data":18481,"content":18482},{},[18483],{"nodeType":1639,"value":18484,"marks":18485,"data":18486},"When an extension is reported as bad, it enters a lengthy review process. Unless there’s pressure to act quickly (e.g. there’s a large amount of reporting), it won’t get prioritized. ",[],{},{"nodeType":1730,"data":18488,"content":18489},{},[18490],{"nodeType":1635,"data":18491,"content":18492},{},[18493],{"nodeType":1639,"value":18494,"marks":18495,"data":18496},"Just because an extension is removed from the store doesn’t mean that it’s automatically removed from browsers where it is installed. ",[],{},{"nodeType":1635,"data":18498,"content":18499},{},[18500,18505,18508],{"nodeType":1639,"value":18501,"marks":18502,"data":18504},"The bottom line:",[18503],{"type":1708},{},{"nodeType":1639,"value":1755,"marks":18506,"data":18507},[],{},{"nodeType":1639,"value":18509,"marks":18510,"data":18512},"The security teams at Google and Microsoft analyse and manually approve every single extension upload and code change that enters their store, and even they aren’t detecting bad before malware executes in the victim’s browser. ",[18511],{"type":1708},{},{"nodeType":1635,"data":18514,"content":18515},{},[18516],{"nodeType":1639,"value":18517,"marks":18518,"data":18519},"Today, there’s no single magic bullet tool or control that organizations can use — unless you simply want to disable browser extensions altogether, which might not be the best option for users and their productivity.",[],{},{"nodeType":1635,"data":18521,"content":18522},{},[18523],{"nodeType":1639,"value":18524,"marks":18525,"data":18526},"Fortunately, Push is in a good position to help, with its ability to inventory all your browser extensions and help you find and block malicious ones.",[],{},{"nodeType":1697,"data":18528,"content":18529},{},[],{"nodeType":1701,"data":18531,"content":18532},{},[18533],{"nodeType":1639,"value":18534,"marks":18535,"data":18537},"How to securely manage browser extensions (and how Push can help)",[18536],{"type":1708},{},{"nodeType":1635,"data":18539,"content":18540},{},[18541],{"nodeType":1639,"value":18542,"marks":18543,"data":18544},"Here’s our step-by-step guide to securely using browser extensions in your organization.",[],{},{"nodeType":1726,"data":18546,"content":18547},{},[18548,18567,18577,18587,18597],{"nodeType":1730,"data":18549,"content":18550},{},[18551],{"nodeType":1635,"data":18552,"content":18553},{},[18554,18558,18563],{"nodeType":1639,"value":18555,"marks":18556,"data":18557},"Step 0: Enable ",[],{},{"nodeType":1639,"value":18559,"marks":18560,"data":18562},"malicious browser extension detection",[18561],{"type":1708},{},{"nodeType":1639,"value":18564,"marks":18565,"data":18566}," to stop known-bad extensions from running in your environment. ",[],{},{"nodeType":1730,"data":18568,"content":18569},{},[18570],{"nodeType":1635,"data":18571,"content":18572},{},[18573],{"nodeType":1639,"value":18574,"marks":18575,"data":18576},"Step 1: Establish an inventory of extensions currently in use across your users and their browsers. ",[],{},{"nodeType":1730,"data":18578,"content":18579},{},[18580],{"nodeType":1635,"data":18581,"content":18582},{},[18583],{"nodeType":1639,"value":18584,"marks":18585,"data":18586},"Step 2: Risk-assess the extensions running in your environment using Push data.",[],{},{"nodeType":1730,"data":18588,"content":18589},{},[18590],{"nodeType":1635,"data":18591,"content":18592},{},[18593],{"nodeType":1639,"value":18594,"marks":18595,"data":18596},"Step 3: Create an allowlist or blocklist to control the extensions active in your environment.",[],{},{"nodeType":1730,"data":18598,"content":18599},{},[18600],{"nodeType":1635,"data":18601,"content":18602},{},[18603],{"nodeType":1639,"value":18604,"marks":18605,"data":18606},"Step 4: Monitor for risky changes.",[],{},{"nodeType":1815,"data":18608,"content":18609},{},[18610],{"nodeType":1639,"value":18611,"marks":18612,"data":18614},"Step 0: Enable malicious browser extension detection in the Push platform",[18613],{"type":1708},{},{"nodeType":1635,"data":18616,"content":18617},{},[18618],{"nodeType":1639,"value":18619,"marks":18620,"data":18621},"First, we recommend you take action to ensure that extensions reported as suspicious or malicious are blocked from running in your environment. ",[],{},{"nodeType":1626,"data":18623,"content":18627},{"target":18624},{"sys":18625},{"id":18626,"type":1631,"linkType":1632},"yniMglSNypgyxmdGVcFxJ",[],{"nodeType":1626,"data":18629,"content":18633},{"target":18630},{"sys":18631},{"id":18632,"type":1631,"linkType":1632},"37bID8AChVgerAnD6q8NPZ",[],{"nodeType":1635,"data":18635,"content":18636},{},[18637],{"nodeType":1639,"value":18638,"marks":18639,"data":18640},"If you’re a Push customer, you can ensure that any extension that is reported as malicious is automatically blocked in your environment. This means that the extension gets disabled and cannot run in any browser with the Push extension installed. ",[],{},{"nodeType":1635,"data":18642,"content":18643},{},[18644],{"nodeType":1639,"value":18645,"marks":18646,"data":18647},"The Push Security research team maintains a global list of known-bad extensions based on threat intelligence reporting. This list is continuously updated and ensures that as soon as an extension is reported as malicious, it is blocked. ",[],{},{"nodeType":1635,"data":18649,"content":18650},{},[18651,18655,18663],{"nodeType":1639,"value":18652,"marks":18653,"data":18654},"You can enable the control via the Controls page in the Push admin console. Admins can configure rules in Off, Monitor, or Block mode. Block mode is recommended, meaning that extensions are disabled and web store access is blocked. You can read more about this in our ",[],{},{"nodeType":1644,"data":18656,"content":18658},{"uri":18657},"https://pushsecurity.com/help/how-does-push-detect-malicious-browser-extensions",[18659],{"nodeType":1639,"value":18660,"marks":18661,"data":18662},"Help Center",[],{},{"nodeType":1639,"value":5452,"marks":18664,"data":18665},[],{},{"nodeType":1635,"data":18667,"content":18668},{},[18669],{"nodeType":1639,"value":18670,"marks":18671,"data":18672},"When an extension is flagged as malicious, a detection event will be generated and appear on the Detections page in the Push admin console. The severity of these detections is classified as follows:",[],{},{"nodeType":1726,"data":18674,"content":18675},{},[18676,18691,18706],{"nodeType":1730,"data":18677,"content":18678},{},[18679],{"nodeType":1635,"data":18680,"content":18681},{},[18682,18687],{"nodeType":1639,"value":18683,"marks":18684,"data":18686},"Low",[18685],{"type":1708},{},{"nodeType":1639,"value":18688,"marks":18689,"data":18690}," for an extension that has never been enabled. The control prevented either the installation or the extension from being enabled.",[],{},{"nodeType":1730,"data":18692,"content":18693},{},[18694],{"nodeType":1635,"data":18695,"content":18696},{},[18697,18702],{"nodeType":1639,"value":18698,"marks":18699,"data":18701},"Medium",[18700],{"type":1708},{},{"nodeType":1639,"value":18703,"marks":18704,"data":18705}," for an extension that was installed and enabled, but has been disabled by the control. ",[],{},{"nodeType":1730,"data":18707,"content":18708},{},[18709],{"nodeType":1635,"data":18710,"content":18711},{},[18712,18717],{"nodeType":1639,"value":18713,"marks":18714,"data":18716},"High",[18715],{"type":1708},{},{"nodeType":1639,"value":18718,"marks":18719,"data":18720}," if the extension was enabled and is still active (i.e. the control was in monitor mode).",[],{},{"nodeType":1626,"data":18722,"content":18726},{"target":18723},{"sys":18724},{"id":18725,"type":1631,"linkType":1632},"1yOPlBKtLGYyN80OCJ9qMn",[],{"nodeType":1815,"data":18728,"content":18729},{},[18730],{"nodeType":1639,"value":18731,"marks":18732,"data":18734},"Step 1: Establish an inventory of existing extensions.",[18733],{"type":1708},{},{"nodeType":1635,"data":18736,"content":18737},{},[18738,18742,18747,18751],{"nodeType":1639,"value":18739,"marks":18740,"data":18741},"Next, we recommend you take stock of what’s already running in your environment so you can begin to make risk-based decisions about what you allow, and what you don’t. This means building an inventory of ",[],{},{"nodeType":1639,"value":18743,"marks":18744,"data":18746},"every extension ",[18745],{"type":1708},{},{"nodeType":1639,"value":18748,"marks":18749,"data":18750},"running in ",[],{},{"nodeType":1639,"value":18752,"marks":18753,"data":18755},"every browser. ",[18754],{"type":1708},{},{"nodeType":1635,"data":18757,"content":18758},{},[18759],{"nodeType":1639,"value":18760,"marks":18761,"data":18762},"Push provides real-time visibility of extensions installed in every browser across your workforce. ",[],{},{"nodeType":1635,"data":18764,"content":18765},{},[18766],{"nodeType":1639,"value":18767,"marks":18768,"data":18769},"Push tracks several key data points, including: ",[],{},{"nodeType":1726,"data":18771,"content":18772},{},[18773,18783,18793,18803,18813,18823,18833,18843,18853],{"nodeType":1730,"data":18774,"content":18775},{},[18776],{"nodeType":1635,"data":18777,"content":18778},{},[18779],{"nodeType":1639,"value":18780,"marks":18781,"data":18782},"Extension name, ID, and version number",[],{},{"nodeType":1730,"data":18784,"content":18785},{},[18786],{"nodeType":1635,"data":18787,"content":18788},{},[18789],{"nodeType":1639,"value":18790,"marks":18791,"data":18792},"Update & homepage URL",[],{},{"nodeType":1730,"data":18794,"content":18795},{},[18796],{"nodeType":1635,"data":18797,"content":18798},{},[18799],{"nodeType":1639,"value":18800,"marks":18801,"data":18802},"Extension permissions",[],{},{"nodeType":1730,"data":18804,"content":18805},{},[18806],{"nodeType":1635,"data":18807,"content":18808},{},[18809],{"nodeType":1639,"value":18810,"marks":18811,"data":18812},"Host permissions (where applicable)",[],{},{"nodeType":1730,"data":18814,"content":18815},{},[18816],{"nodeType":1635,"data":18817,"content":18818},{},[18819],{"nodeType":1639,"value":18820,"marks":18821,"data":18822},"Deployment method (e.g. managed, manual, sideloaded or development)",[],{},{"nodeType":1730,"data":18824,"content":18825},{},[18826],{"nodeType":1635,"data":18827,"content":18828},{},[18829],{"nodeType":1639,"value":18830,"marks":18831,"data":18832},"Which employees use the extension",[],{},{"nodeType":1730,"data":18834,"content":18835},{},[18836],{"nodeType":1635,"data":18837,"content":18838},{},[18839],{"nodeType":1639,"value":18840,"marks":18841,"data":18842},"Which browsers have the extension installed",[],{},{"nodeType":1730,"data":18844,"content":18845},{},[18846],{"nodeType":1635,"data":18847,"content":18848},{},[18849],{"nodeType":1639,"value":18850,"marks":18851,"data":18852},"Whether the extension is enabled or disabled",[],{},{"nodeType":1730,"data":18854,"content":18855},{},[18856],{"nodeType":1635,"data":18857,"content":18858},{},[18859],{"nodeType":1639,"value":18860,"marks":18861,"data":18862},"Useful metadata like install count, ownership history, update history, and whether the extension has been unlisted from the web store.",[],{},{"nodeType":1635,"data":18864,"content":18865},{},[18866],{"nodeType":1639,"value":18867,"marks":18868,"data":18869},"This information is critical for assessing risk, as well as providing an early warning of future malicious intent. ",[],{},{"nodeType":1635,"data":18871,"content":18872},{},[18873,18877,18882],{"nodeType":1639,"value":18874,"marks":18875,"data":18876},"You can enable browser extension visibility in the Push platform by going to ",[],{},{"nodeType":1639,"value":18878,"marks":18879,"data":18881},"Settings > Organization > Browser extension visibility",[18880],{"type":1708},{},{"nodeType":1639,"value":18883,"marks":18884,"data":18885}," and toggling on the feature.",[],{},{"nodeType":1626,"data":18887,"content":18891},{"target":18888},{"sys":18889},{"id":18890,"type":1631,"linkType":1632},"2LCwZNbSazYGIEfWHZKJRU",[],{"nodeType":1815,"data":18893,"content":18894},{},[18895],{"nodeType":1639,"value":18584,"marks":18896,"data":18898},[18897],{"type":1708},{},{"nodeType":1635,"data":18900,"content":18901},{},[18902],{"nodeType":1639,"value":18903,"marks":18904,"data":18905},"Now that you’ve built a real-time inventory, you can start to analyse the data to find risky extensions. ",[],{},{"nodeType":1635,"data":18907,"content":18908},{},[18909],{"nodeType":1639,"value":18910,"marks":18911,"data":18912},"Every extension that is running in your environment expands your potential attack surface, representing another node that can be compromised by an attacker. So it makes sense to only allow those that are absolutely necessary in order to sensibly control the risk. ",[],{},{"nodeType":1635,"data":18914,"content":18915},{},[18916],{"nodeType":1639,"value":18917,"marks":18918,"data":18919},"You can start to investigate and prune extensions based on the properties tracked in the Push platform. For example:",[],{},{"nodeType":1726,"data":18921,"content":18922},{},[18923,18933,18961,18971],{"nodeType":1730,"data":18924,"content":18925},{},[18926],{"nodeType":1635,"data":18927,"content":18928},{},[18929],{"nodeType":1639,"value":18930,"marks":18931,"data":18932},"Extensions with a low install count from an unverified publisher. ",[],{},{"nodeType":1730,"data":18934,"content":18935},{},[18936],{"nodeType":1635,"data":18937,"content":18938},{},[18939,18943,18948,18952,18957],{"nodeType":1639,"value":18940,"marks":18941,"data":18942},"Extensions that have been ",[],{},{"nodeType":1639,"value":18944,"marks":18945,"data":18947},"sideloaded",[18946],{"type":1708},{},{"nodeType":1639,"value":18949,"marks":18950,"data":18951}," (installed by software on the machine) or are ",[],{},{"nodeType":1639,"value":18953,"marks":18954,"data":18956},"development",[18955],{"type":1708},{},{"nodeType":1639,"value":18958,"marks":18959,"data":18960}," (installed from a folder off-disk when Developer mode is turned on)",[],{},{"nodeType":1730,"data":18962,"content":18963},{},[18964],{"nodeType":1635,"data":18965,"content":18966},{},[18967],{"nodeType":1639,"value":18968,"marks":18969,"data":18970},"Extensions that are used by a small number of employees for niche / non-critical functions. ",[],{},{"nodeType":1730,"data":18972,"content":18973},{},[18974],{"nodeType":1635,"data":18975,"content":18976},{},[18977],{"nodeType":1639,"value":18978,"marks":18979,"data":18980},"Extensions with risky permissions.",[],{},{"nodeType":1626,"data":18982,"content":18986},{"target":18983},{"sys":18984},{"id":18985,"type":1631,"linkType":1632},"FpGNvFgEGj6eAGihoWEUi",[],{"nodeType":1626,"data":18988,"content":18992},{"target":18989},{"sys":18990},{"id":18991,"type":1631,"linkType":1632},"5JccSPh103QIQJxIh9pk4x",[],{"nodeType":1815,"data":18994,"content":18995},{},[18996],{"nodeType":1639,"value":18997,"marks":18998,"data":19000},"Step 3: Create an allowlist to control the extensions active in your environment.",[18999],{"type":1708},{},{"nodeType":1635,"data":19002,"content":19003},{},[19004],{"nodeType":1639,"value":19005,"marks":19006,"data":19007},"Using the output of your risk assessment and the data provided by the Push platform, you can control the extensions that you allow your employees to use.",[],{},{"nodeType":1635,"data":19009,"content":19010},{},[19011],{"nodeType":1639,"value":19012,"marks":19013,"data":19014},"To do this, you need to allowlist the extensions you’re happy for employees to use (and block everything else). That way, you remove the ability for employees to add new extensions unless approved by an admin. This means you either:",[],{},{"nodeType":1726,"data":19016,"content":19017},{},[19018,19028],{"nodeType":1730,"data":19019,"content":19020},{},[19021],{"nodeType":1635,"data":19022,"content":19023},{},[19024],{"nodeType":1639,"value":19025,"marks":19026,"data":19027},"Add every extension you currently have running in your environment to an allowlist, block everything else, and then start to prune extensions from that list. ",[],{},{"nodeType":1730,"data":19029,"content":19030},{},[19031],{"nodeType":1635,"data":19032,"content":19033},{},[19034],{"nodeType":1639,"value":19035,"marks":19036,"data":19037},"Create a shortened allowlist from the outset. ",[],{},{"nodeType":1635,"data":19039,"content":19040},{},[19041],{"nodeType":1639,"value":19042,"marks":19043,"data":19044},"Both are valid ways of solving the problem, with the first option being the least potentially disruptive (i.e. you’re not switching off a load of extensions in one go). That said, this might not be a viable solution depending on your company size. ",[],{},{"nodeType":1626,"data":19046,"content":19050},{"target":19047},{"sys":19048},{"id":19049,"type":1631,"linkType":1632},"6wQW4VqLeLXMXdPPWLhQAF",[],{"nodeType":1635,"data":19052,"content":19053},{},[19054,19059,19069],{"nodeType":1639,"value":19055,"marks":19056,"data":19058},"You can do this in lots of different ways depending on the OS and browsers used across your workforce. This can get messy depending on the complexity of your environment. But you can do it in a streamlined, browser-agnostic way ",[19057],{"type":1708},{},{"nodeType":1644,"data":19060,"content":19062},{"uri":19061},"https://pushsecurity.com/help/10138/#start",[19063],{"nodeType":1639,"value":19064,"marks":19065,"data":19068},"using Push",[19066,19067],{"type":1652},{"type":1708},{},{"nodeType":1639,"value":1851,"marks":19070,"data":19072},[19071],{"type":1708},{},{"nodeType":1626,"data":19074,"content":19077},{"target":19075},{"sys":19076},{"id":2207,"type":1631,"linkType":1632},[],{"nodeType":1635,"data":19079,"content":19080},{},[19081],{"nodeType":1639,"value":19082,"marks":19083,"data":19084},"Managing which extensions you’ve opted to allow is a continuous process that will change as user behavior changes and new extensions are added. It’s important that you regularly review whether your current allowlist is fit for purpose. ",[],{},{"nodeType":1815,"data":19086,"content":19087},{},[19088],{"nodeType":1639,"value":18604,"marks":19089,"data":19091},[19090],{"type":1708},{},{"nodeType":1635,"data":19093,"content":19094},{},[19095],{"nodeType":1639,"value":19096,"marks":19097,"data":19098},"Finally, once you’ve begun the process of pruning the extensions in your environment and you’ve reached a baseline you’re happy with, it’s now about reviewing and approving any new extension requests, and monitoring for risky changes. ",[],{},{"nodeType":1635,"data":19100,"content":19101},{},[19102],{"nodeType":1639,"value":19103,"marks":19104,"data":19105},"We recommend monitoring for things like:",[],{},{"nodeType":1726,"data":19107,"content":19108},{},[19109,19119,19129],{"nodeType":1730,"data":19110,"content":19111},{},[19112],{"nodeType":1635,"data":19113,"content":19114},{},[19115],{"nodeType":1639,"value":19116,"marks":19117,"data":19118},"Regularly reviewing changes in extension ownership + recent updates",[],{},{"nodeType":1730,"data":19120,"content":19121},{},[19122],{"nodeType":1635,"data":19123,"content":19124},{},[19125],{"nodeType":1639,"value":19126,"marks":19127,"data":19128},"Monitoring for updates to extensions to track risky permissions being added ",[],{},{"nodeType":1730,"data":19130,"content":19131},{},[19132],{"nodeType":1635,"data":19133,"content":19134},{},[19135],{"nodeType":1639,"value":19136,"marks":19137,"data":19138},"Monitoring for new malicious browser extension detections",[],{},{"nodeType":1635,"data":19140,"content":19141},{},[19142,19146,19155],{"nodeType":1639,"value":19143,"marks":19144,"data":19145},"It’s super simple to use Push data to create alerts and feed your detection and response workflows. ",[],{},{"nodeType":1644,"data":19147,"content":19149},{"uri":19148},"https://pushsecurity.com/help/audience/administrators/docs/connect-to-siem-or-soar/#start",[19150],{"nodeType":1639,"value":19151,"marks":19152,"data":19154},"See how to connect Push to your SIEM/SOAR and learn more about the Push REST API and webhooks. ",[19153],{"type":1652},{},{"nodeType":1639,"value":29,"marks":19156,"data":19157},[],{},{"nodeType":1635,"data":19159,"content":19160},{},[19161],{"nodeType":1639,"value":19162,"marks":19163,"data":19164},"At this point, you can then triage and investigate further to see whether additional action is required. ",[],{},{"nodeType":9816,"data":19166,"content":19167},{},[19168],{"nodeType":1635,"data":19169,"content":19170},{},[19171],{"nodeType":1639,"value":19172,"marks":19173,"data":19175},"And there you have it! You’ve secured browser extension use across your organization using Push. ",[19174],{"type":1708},{},{"nodeType":1697,"data":19177,"content":19178},{},[],{"nodeType":1815,"data":19180,"content":19181},{},[19182],{"nodeType":1639,"value":19183,"marks":19184,"data":19186},"Don’t take our word for it …",[19185],{"type":1708},{},{"nodeType":1635,"data":19188,"content":19189},{},[19190],{"nodeType":1639,"value":19191,"marks":19192,"data":19193},"Our friends at GitLab echo our thoughts on browser extensions and the value of tools like Push that help them to solve this problem.",[],{},{"nodeType":1626,"data":19195,"content":19199},{"target":19196},{"sys":19197},{"id":19198,"type":1631,"linkType":1632},"1m0x2Q6MmOn7ANqCtpYptu",[],{"nodeType":1697,"data":19201,"content":19202},{},[],{"nodeType":1701,"data":19204,"content":19205},{},[19206],{"nodeType":1639,"value":19207,"marks":19208,"data":19210},"Additional tips",[19209],{"type":1708},{},{"nodeType":1815,"data":19212,"content":19213},{},[19214],{"nodeType":1639,"value":19215,"marks":19216,"data":19218},"Disable browser syncing",[19217],{"type":1708},{},{"nodeType":1635,"data":19220,"content":19221},{},[19222],{"nodeType":1639,"value":19223,"marks":19224,"data":19225},"If you’re in the early stages of your extension management process, an extra step you might want to consider is disabling browser syncing for extensions. ",[],{},{"nodeType":1635,"data":19227,"content":19228},{},[19229,19233,19242],{"nodeType":1639,"value":19230,"marks":19231,"data":19232},"When we deploy Push, we find it’s not unusual for people to sign into their work browser with a personal email profile. There’s a significant risk here — if you end up saving and syncing credentials across devices, a compromise on a (usually less secure) personal device can lead to business accounts being compromised. Notably, this was exploited in a ",[],{},{"nodeType":1644,"data":19234,"content":19236},{"uri":19235},"https://sec.okta.com/articles/harfiles/",[19237],{"nodeType":1639,"value":19238,"marks":19239,"data":19241},"2023 Okta security breach",[19240],{"type":1652},{},{"nodeType":1639,"value":2291,"marks":19243,"data":19244},[],{},{"nodeType":1635,"data":19246,"content":19247},{},[19248],{"nodeType":1639,"value":19249,"marks":19250,"data":19251},"The same model applies to browser extensions. By default, any extension installed from the web store is synced across devices where a profile is logged in and syncing is enabled. ",[],{},{"nodeType":1635,"data":19253,"content":19254},{},[19255],{"nodeType":1639,"value":19256,"marks":19257,"data":19258},"As an example, you can see how to disable browser extension syncing if you manage Chrome in Google Workspace.",[],{},{"nodeType":1626,"data":19260,"content":19264},{"target":19261},{"sys":19262},{"id":19263,"type":1631,"linkType":1632},"23gbN24WiOzszvwP9zy2MM",[],{"nodeType":1635,"data":19266,"content":19267},{},[19268],{"nodeType":1639,"value":19269,"marks":19270,"data":19271},"This only applies if you haven’t yet created an allowlist for extensions in your environment, in which case any extensions not on the list will be blocked. ",[],{},{"nodeType":1635,"data":19273,"content":19274},{},[19275],{"nodeType":1639,"value":19276,"marks":19277,"data":19278},"You can also use Push to surface which users are logged into their browser using a non-work profile and whether the profile is synced across devices. ",[],{},{"nodeType":1626,"data":19280,"content":19284},{"target":19281},{"sys":19282},{"id":19283,"type":1631,"linkType":1632},"421C3CL6Sfa8gmn56X7lRI",[],{"nodeType":1697,"data":19286,"content":19287},{},[],{"nodeType":1701,"data":19289,"content":19290},{},[19291],{"nodeType":1639,"value":5938,"marks":19292,"data":19294},[19293],{"type":1708},{},{"nodeType":1635,"data":19296,"content":19297},{},[19298,19301,19308],{"nodeType":1639,"value":5946,"marks":19299,"data":19300},[],{},{"nodeType":1644,"data":19302,"content":19303},{"uri":17},[19304],{"nodeType":1639,"value":19305,"marks":19306,"data":19307},"modern attack techniques that are the leading cause of breaches today",[],{},{"nodeType":1639,"value":2291,"marks":19309,"data":19310},[],{},{"nodeType":1635,"data":19312,"content":19313},{},[19314],{"nodeType":1639,"value":5964,"marks":19315,"data":19316},[],{},{"nodeType":1635,"data":19318,"content":19319},{},[19320,19324,19332,19335,19343,19346,19353],{"nodeType":1639,"value":19321,"marks":19322,"data":19323},"Want to learn more about Push? ",[],{},{"nodeType":1644,"data":19325,"content":19326},{"uri":2475},[19327],{"nodeType":1639,"value":19328,"marks":19329,"data":19331},"Check out our latest product overview",[19330],{"type":1652},{},{"nodeType":1639,"value":1655,"marks":19333,"data":19334},[],{},{"nodeType":1644,"data":19336,"content":19337},{"uri":2486},[19338],{"nodeType":1639,"value":19339,"marks":19340,"data":19342},"visit our demo library",[19341],{"type":1652},{},{"nodeType":1639,"value":2493,"marks":19344,"data":19345},[],{},{"nodeType":1644,"data":19347,"content":19348},{"uri":2498},[19349],{"nodeType":1639,"value":2501,"marks":19350,"data":19352},[19351],{"type":1652},{},{"nodeType":1639,"value":2291,"marks":19354,"data":19355},[],{},"Guide: How to manage and block browser extensions using Push","How to detect risky and malicious extensions and block them from running in employee browsers. ","2026-03-04T00:00:00.000Z","browser-extension-management-guide",{"items":19361},[19362,19364],{"sys":19363,"name":3379},{"id":3378},{"sys":19365,"name":3383},{"id":3382},{"items":19367},[19368],{"fullName":1615,"firstName":1616,"jobTitle":1617,"profilePicture":19369},{"url":1619},{"__typename":2613,"sys":19371,"content":19373,"title":20167,"synopsis":20168,"hashTags":61,"publishedDate":20169,"slug":20170,"tagsCollection":20171,"authorsCollection":20175},{"id":19372},"PAPJPr3CIB6J20udYyy1r",{"json":19374},{"data":19375,"content":19376,"nodeType":1622},{},[19377,19383,19403,19410,19417,19423,19426,19434,19441,19460,19471,19478,19485,19492,19585,19588,19596,19679,19685,19688,19696,19704,19711,19718,19726,19744,19751,19759,19766,19773,19781,19788,19795,19815,19821,19824,19832,19840,19847,19952,19959,19967,19974,19981,19987,19995,20002,20009,20016,20024,20031,20038,20045,20052,20058,20061,20069,20076,20109,20116,20135,20155,20161],{"data":19378,"content":19382,"nodeType":1626},{"target":19379},{"sys":19380},{"id":19381,"type":1631,"linkType":1632},"1eBClNW4NOR66F0tl9h6lD",[],{"data":19384,"content":19385,"nodeType":1635},{},[19386,19390,19399],{"data":19387,"marks":19388,"value":19389,"nodeType":1639},{},[],"The attacks on Snowflake customers in 2024 collectively constituted the biggest cyber security event of the year in terms of the number of organizations and individuals affected (at least, if you exclude CrowdStrike causing a worldwide outage in July) — certainly, it was the largest perpetrated by a criminal group against commercial enterprises. It has been touted by some news outlets as ‘",{"data":19391,"content":19393,"nodeType":1644},{"uri":19392},"https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/",[19394],{"data":19395,"marks":19396,"value":19398,"nodeType":1639},{},[19397],{"type":1652},"one of the biggest breaches ever",{"data":19400,"marks":19401,"value":19402,"nodeType":1639},{},[],"’.  ",{"data":19404,"content":19405,"nodeType":1635},{},[19406],{"data":19407,"marks":19408,"value":19409,"nodeType":1639},{},[],"Snowflake was a watershed moment that signalled the significant opportunity presented by identity attacks on cloud services. It demonstrated how comparatively unsophisticated methods (logging in to user accounts with stolen credentials and dumping the data) can have the same or greater impact as a traditional network or endpoint based cyber attack involving vulnerability exploitation, malware deployment, ransomware, etc. ",{"data":19411,"content":19412,"nodeType":1635},{},[19413],{"data":19414,"marks":19415,"value":19416,"nodeType":1639},{},[],"Here’s everything you need to know about the Snowflake attacks — and what you can do to protect yourself against the next Snowflake in the future.",{"data":19418,"content":19422,"nodeType":1626},{"target":19419},{"sys":19420},{"id":19421,"type":1631,"linkType":1632},"4QoPUiP5q6Mwj1eWUZT15Q",[],{"data":19424,"content":19425,"nodeType":1697},{},[],{"data":19427,"content":19428,"nodeType":1701},{},[19429],{"data":19430,"marks":19431,"value":19433,"nodeType":1639},{},[19432],{"type":1708},"Snowflake: The facts",{"data":19435,"content":19436,"nodeType":1635},{},[19437],{"data":19438,"marks":19439,"value":19440,"nodeType":1639},{},[],"Cyber criminals associated with the threat group known as ShinyHunters claimed responsibility for breaching multiple organizations using Snowflake, a cloud-based data warehousing and analytics platform. ",{"data":19442,"content":19443,"nodeType":1635},{},[19444,19448,19457],{"data":19445,"marks":19446,"value":19447,"nodeType":1639},{},[],"ShinyHunters associates targeted ~165 organizations that were subjected to account takeover attacks using stolen credentials harvested from historical infostealer infections dating back as far as 2020, ",{"data":19449,"content":19451,"nodeType":1644},{"uri":19450},"https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion",[19452],{"data":19453,"marks":19454,"value":19456,"nodeType":1639},{},[19455],{"type":1652},"according to Mandiant’s investigation",{"data":19458,"marks":19459,"value":1851,"nodeType":1639},{},[],{"data":19461,"content":19462,"nodeType":9816},{},[19463],{"data":19464,"content":19465,"nodeType":1635},{},[19466],{"data":19467,"marks":19468,"value":19470,"nodeType":1639},{},[19469],{"type":1708},">80% of the compromised accounts belonging to Snowflake customers had prior credential exposure. ",{"data":19472,"content":19473,"nodeType":1635},{},[19474],{"data":19475,"marks":19476,"value":19477,"nodeType":1639},{},[],"The impacted accounts lacked MFA, meaning successful authentication only required a valid username and password. As the Snowflake credentials found in infostealer malware credential dumps had not been rotated or updated, they remained valid and could be used to authenticate to user accounts on Snowflake tenants belonging to various customers.",{"data":19479,"content":19480,"nodeType":1635},{},[19481],{"data":19482,"marks":19483,"value":19484,"nodeType":1639},{},[],"As a data warehousing platform integrated with a range of connected cloud services, access to a customer’s Snowflake tenant provided attackers with large quantities of sensitive commercial and personal data that could be stolen and monetized by attackers in a variety of ways — such as by ransoming the victim organization, extorting individual end-customers, and selling the data on to other criminal organizations. ",{"data":19486,"content":19487,"nodeType":1635},{},[19488],{"data":19489,"marks":19490,"value":19491,"nodeType":1639},{},[],"In total, 9 public victims were named following the breach, collectively impacting hundreds of millions of people. ",{"data":19493,"content":19494,"nodeType":1726},{},[19495,19505,19515,19525,19535,19545,19555,19565,19575],{"data":19496,"content":19497,"nodeType":1730},{},[19498],{"data":19499,"content":19500,"nodeType":1635},{},[19501],{"data":19502,"marks":19503,"value":19504,"nodeType":1639},{},[],"Lending Tree: Sensitive data for over 190 million people available online including customer details, partial credit card numbers, insurance quotes and other information, being sold for $2m.",{"data":19506,"content":19507,"nodeType":1730},{},[19508],{"data":19509,"content":19510,"nodeType":1635},{},[19511],{"data":19512,"marks":19513,"value":19514,"nodeType":1639},{},[],"Truist Bank: Information belonging to 65,000 employees being sold online for $1m",{"data":19516,"content":19517,"nodeType":1730},{},[19518],{"data":19519,"content":19520,"nodeType":1635},{},[19521],{"data":19522,"marks":19523,"value":19524,"nodeType":1639},{},[],"Advance Auto Parts: 3TB of data for sale for $1.5 million. Affected 2.3 million people, as well as current and former employees and job applicants.",{"data":19526,"content":19527,"nodeType":1730},{},[19528],{"data":19529,"content":19530,"nodeType":1635},{},[19531],{"data":19532,"marks":19533,"value":19534,"nodeType":1639},{},[],"Pure Storage: Workspace with 11k customer records including company, email, LDAP username and software version numbers.",{"data":19536,"content":19537,"nodeType":1730},{},[19538],{"data":19539,"content":19540,"nodeType":1635},{},[19541],{"data":19542,"marks":19543,"value":19544,"nodeType":1639},{},[],"Los Angeles Unified: Student data, disability information, discipline details, and parent information, being sold online for $150k.",{"data":19546,"content":19547,"nodeType":1730},{},[19548],{"data":19549,"content":19550,"nodeType":1635},{},[19551],{"data":19552,"marks":19553,"value":19554,"nodeType":1639},{},[],"Neiman Marcus: 31m email addresses exposed alongside various personal information.",{"data":19556,"content":19557,"nodeType":1730},{},[19558],{"data":19559,"content":19560,"nodeType":1635},{},[19561],{"data":19562,"marks":19563,"value":19564,"nodeType":1639},{},[],"Santander: 30 million customer details for sale relating to customers of Santander Chile, Spain, and Uruguay.",{"data":19566,"content":19567,"nodeType":1730},{},[19568],{"data":19569,"content":19570,"nodeType":1635},{},[19571],{"data":19572,"marks":19573,"value":19574,"nodeType":1639},{},[],"Ticketmaster: 560 million customer details for sale, disruption to events and ticketing worldwide, increasing in scam ticket production.",{"data":19576,"content":19577,"nodeType":1730},{},[19578],{"data":19579,"content":19580,"nodeType":1635},{},[19581],{"data":19582,"marks":19583,"value":19584,"nodeType":1639},{},[],"AT&T: Call logs stolen for approximately 109 million customers (nearly all of its mobile customers). AT&T paid an undisclosed ransom fee. ",{"data":19586,"content":19587,"nodeType":1697},{},[],{"data":19589,"content":19590,"nodeType":1701},{},[19591],{"data":19592,"marks":19593,"value":19595,"nodeType":1639},{},[19594],{"type":1708},"The Snowflake attacks step-by-step",{"data":19597,"content":19598,"nodeType":1726},{},[19599,19609,19619,19629,19639,19649,19659,19669],{"data":19600,"content":19601,"nodeType":1730},{},[19602],{"data":19603,"content":19604,"nodeType":1635},{},[19605],{"data":19606,"marks":19607,"value":19608,"nodeType":1639},{},[],"Snowflake users were infected with infostealer malware that harvested credentials from user devices over an extended period via several infostealer malware variants, including; VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER.",{"data":19610,"content":19611,"nodeType":1730},{},[19612],{"data":19613,"content":19614,"nodeType":1635},{},[19615],{"data":19616,"marks":19617,"value":19618,"nodeType":1639},{},[],"Credentials appeared on criminal marketplaces e.g. dark web forums and Telegram channels.",{"data":19620,"content":19621,"nodeType":1730},{},[19622],{"data":19623,"content":19624,"nodeType":1635},{},[19625],{"data":19626,"marks":19627,"value":19628,"nodeType":1639},{},[],"ShinyHunters saw the potential in targeting Snowflake users, based on the availability of credentials, number of customer organizations, and the value of the data that can be accessed in Snowflake. ",{"data":19630,"content":19631,"nodeType":1730},{},[19632],{"data":19633,"content":19634,"nodeType":1635},{},[19635],{"data":19636,"marks":19637,"value":19638,"nodeType":1639},{},[],"ShinyHunters embarked on a large-scale campaign targeting Snowflake customer accounts using previously breached credentials. ",{"data":19640,"content":19641,"nodeType":1730},{},[19642],{"data":19643,"content":19644,"nodeType":1635},{},[19645],{"data":19646,"marks":19647,"value":19648,"nodeType":1639},{},[],"ShinyHunters accessed user accounts that lacked MFA, belonging to approximately 165 Snowflake customers. ",{"data":19650,"content":19651,"nodeType":1730},{},[19652],{"data":19653,"content":19654,"nodeType":1635},{},[19655],{"data":19656,"marks":19657,"value":19658,"nodeType":1639},{},[],"ShinyHunters used SQL-based reconnaissance, staging, and data exfiltration techniques, expedited by custom hacker tooling developed specifically for Snowflake, to conduct attacks at scale.",{"data":19660,"content":19661,"nodeType":1730},{},[19662],{"data":19663,"content":19664,"nodeType":1635},{},[19665],{"data":19666,"marks":19667,"value":19668,"nodeType":1639},{},[],"ShinyHunters acquired massive quantities of Snowflake data based on the information that each customer stored in Snowflake or connected apps. ",{"data":19670,"content":19671,"nodeType":1730},{},[19672],{"data":19673,"content":19674,"nodeType":1635},{},[19675],{"data":19676,"marks":19677,"value":19678,"nodeType":1639},{},[],"ShinyHunters began attempts to extort Snowflake and end-customers using the data acquired.",{"data":19680,"content":19684,"nodeType":1626},{"target":19681},{"sys":19682},{"id":19683,"type":1631,"linkType":1632},"2J92gFLs1wAAGC4nQTaiWu",[],{"data":19686,"content":19687,"nodeType":1697},{},[],{"data":19689,"content":19690,"nodeType":1701},{},[19691],{"data":19692,"marks":19693,"value":19695,"nodeType":1639},{},[19694],{"type":1708},"Why did the Snowflake breaches happen?",{"data":19697,"content":19698,"nodeType":1815},{},[19699],{"data":19700,"marks":19701,"value":19703,"nodeType":1639},{},[19702],{"type":1708},"Stolen credentials remained valid for years",{"data":19705,"content":19706,"nodeType":1635},{},[19707],{"data":19708,"marks":19709,"value":19710,"nodeType":1639},{},[],"The credentials used to access Snowflake accounts from historical infostealer infections had not been changed or rotated despite dating back as far as 2020, and remained valid. ",{"data":19712,"content":19713,"nodeType":1635},{},[19714],{"data":19715,"marks":19716,"value":19717,"nodeType":1639},{},[],"This highlights the potential risk of breached credentials already in the public domain, particularly in the case of cloud services like Snowflake that may not be subject to the same levels of credential hygiene as other traditional enterprise domain accounts. ",{"data":19719,"content":19720,"nodeType":1815},{},[19721],{"data":19722,"marks":19723,"value":19725,"nodeType":1639},{},[19724],{"type":1708},"Local logins lacked MFA ",{"data":19727,"content":19728,"nodeType":1635},{},[19729,19733,19741],{"data":19730,"marks":19731,"value":19732,"nodeType":1639},{},[],"Even where organizations were primarily encouraging employees to use SSO to access their Snowflake tenant, previously created local logins with a username and password continue to exist even after introducing SSO-based logins. Further, MFA was not globally enforceable at the application level, meaning that MFA was only set when logging into an IdP account for SSO, but not for local logins. We call this problem ",{"data":19734,"content":19736,"nodeType":1644},{"uri":19735},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[19737],{"data":19738,"marks":19739,"value":10622,"nodeType":1639},{},[19740],{"type":1652},{"data":19742,"marks":19743,"value":1851,"nodeType":1639},{},[],{"data":19745,"content":19746,"nodeType":1635},{},[19747],{"data":19748,"marks":19749,"value":19750,"nodeType":1639},{},[],"This meant that attackers were able to take over Snowflake accounts with only a single authentication factor (username & password). ",{"data":19752,"content":19753,"nodeType":1815},{},[19754],{"data":19755,"marks":19756,"value":19758,"nodeType":1639},{},[19757],{"type":1708},"Snowflake was a high-value target used by many organizations",{"data":19760,"content":19761,"nodeType":1635},{},[19762],{"data":19763,"marks":19764,"value":19765,"nodeType":1639},{},[],"As a data warehousing platform used by a vast number of organizations, Snowflake represented a high-value target based on the data typically stored within it, and the repeatable way in which Snowflake users could be targeted. ",{"data":19767,"content":19768,"nodeType":1635},{},[19769],{"data":19770,"marks":19771,"value":19772,"nodeType":1639},{},[],"The attacker followed a near identical process when targeting Snowflake victims, meaning it could be scripted and executed at scale, with attacks taking a matter of minutes. ",{"data":19774,"content":19775,"nodeType":1815},{},[19776],{"data":19777,"marks":19778,"value":19780,"nodeType":1639},{},[19779],{"type":1708},"Infostealer infections are driving credential availability",{"data":19782,"content":19783,"nodeType":1635},{},[19784],{"data":19785,"marks":19786,"value":19787,"nodeType":1639},{},[],"Infostealers are often seen as a low-priority issue, but are the primary source of stolen credentials used in campaigns like this one. ",{"data":19789,"content":19790,"nodeType":1635},{},[19791],{"data":19792,"marks":19793,"value":19794,"nodeType":1639},{},[],"EDR is a strong protection but is often bypassed by infostealers as attackers continually modify them to bypass security controls. Further, unmanaged devices such as those used by third-party contractors or BYOD employees often lack the robust controls applied to company-managed devices and are naturally more susceptible to infostealer attacks. And since browser profiles can be synced across devices, even personal device compromises can result in the capture of corporate credentials.  ",{"data":19796,"content":19797,"nodeType":1635},{},[19798,19802,19811],{"data":19799,"marks":19800,"value":19801,"nodeType":1639},{},[],"There is some suggestion that targeting key third-party suppliers – ",{"data":19803,"content":19805,"nodeType":1644},{"uri":19804},"https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/",[19806],{"data":19807,"marks":19808,"value":19810,"nodeType":1639},{},[19809],{"type":1652},"such as EPAM Systems, a software engineering firm and Snowflake ‘Elite Tier Partner’",{"data":19812,"marks":19813,"value":19814,"nodeType":1639},{},[]," – provided some of the access to Snowflake customers needed. It’s unclear what came first, but it’s possible (likely, even) that EPAM was identified as a target specifically because of its lucrative customer base and Snowflake credentials — adding another indicator that Snowflake was potentially a premeditated attack inspired by the availability of Snowflake credentials online.",{"data":19816,"content":19820,"nodeType":1626},{"target":19817},{"sys":19818},{"id":19819,"type":1631,"linkType":1632},"4D0gjt5oJLNKJH8GzjP8Je",[],{"data":19822,"content":19823,"nodeType":1697},{},[],{"data":19825,"content":19826,"nodeType":1701},{},[19827],{"data":19828,"marks":19829,"value":19831,"nodeType":1639},{},[19830],{"type":1708},"Key takeaways from the Snowflake attacks",{"data":19833,"content":19834,"nodeType":1815},{},[19835],{"data":19836,"marks":19837,"value":19839,"nodeType":1639},{},[19838],{"type":1708},"Securing your IdP accounts is not enough",{"data":19841,"content":19842,"nodeType":1635},{},[19843],{"data":19844,"marks":19845,"value":19846,"nodeType":1639},{},[],"SSO can help reduce your identity attack surface, but it's not feasible to get every workforce identity behind it.",{"data":19848,"content":19849,"nodeType":1726},{},[19850,19873,19895,19930],{"data":19851,"content":19852,"nodeType":1730},{},[19853],{"data":19854,"content":19855,"nodeType":1635},{},[19856,19860,19869],{"data":19857,"marks":19858,"value":19859,"nodeType":1639},{},[],"Only 1 in 3 apps support SAML SSO, and those that offer it often charge more for it; the “",{"data":19861,"content":19863,"nodeType":1644},{"uri":19862},"https://ssotax.org/",[19864],{"data":19865,"marks":19866,"value":19868,"nodeType":1639},{},[19867],{"type":1652},"SSO tax",{"data":19870,"marks":19871,"value":19872,"nodeType":1639},{},[],"”.",{"data":19874,"content":19875,"nodeType":1730},{},[19876],{"data":19877,"content":19878,"nodeType":1635},{},[19879,19883,19892],{"data":19880,"marks":19881,"value":19882,"nodeType":1639},{},[],"Many apps are self-adopted by employees, leaving security teams unaware and unable to enforce SSO.  The typical organization has ",{"data":19884,"content":19886,"nodeType":1644},{"uri":19885},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[19887],{"data":19888,"marks":19889,"value":19891,"nodeType":1639},{},[19890],{"type":1652},"hundreds of apps and thousands of unmanaged identities outside of SSO",{"data":19893,"marks":19894,"value":2291,"nodeType":1639},{},[],{"data":19896,"content":19897,"nodeType":1730},{},[19898],{"data":19899,"content":19900,"nodeType":1635},{},[19901,19905,19913,19917,19926],{"data":19902,"marks":19903,"value":19904,"nodeType":1639},{},[],"Most apps do not prevent users from creating additional \"",{"data":19906,"content":19907,"nodeType":1644},{"uri":19735},[19908],{"data":19909,"marks":19910,"value":19912,"nodeType":1639},{},[19911],{"type":1652},"ghost login",{"data":19914,"marks":19915,"value":19916,"nodeType":1639},{},[],"\" methods outside of SSO (especially by default), accounting for around ",{"data":19918,"content":19920,"nodeType":1644},{"uri":19919},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/#id-identity-configurations-and-how-they-can-be-exploited_id-many-accounts-lack-the-most-basic-protections",[19921],{"data":19922,"marks":19923,"value":19925,"nodeType":1639},{},[19924],{"type":1652},"10% of all identities",{"data":19927,"marks":19928,"value":19929,"nodeType":1639},{},[]," observed by Push. ",{"data":19931,"content":19932,"nodeType":1730},{},[19933],{"data":19934,"content":19935,"nodeType":1635},{},[19936,19940,19948],{"data":19937,"marks":19938,"value":19939,"nodeType":1639},{},[],"In total, we identified that ",{"data":19941,"content":19942,"nodeType":1644},{"uri":19885},[19943],{"data":19944,"marks":19945,"value":19947,"nodeType":1639},{},[19946],{"type":1652},"37% (2 in 5) accounts have a password login set with no MFA",{"data":19949,"marks":19950,"value":19951,"nodeType":1639},{},[],", while 9% have no MFA AND a weak, breached, or reused password.",{"data":19953,"content":19954,"nodeType":1635},{},[19955],{"data":19956,"marks":19957,"value":19958,"nodeType":1639},{},[],"So, relying on locked-down IdP accounts and maximising the use of SSO is an important pillar of an effective identity security strategy, but there will always be gaps. Unless you recognize this, you may be blindsided by attackers finding them before you do. ",{"data":19960,"content":19961,"nodeType":1815},{},[19962],{"data":19963,"marks":19964,"value":19966,"nodeType":1639},{},[19965],{"type":1708},"The threat of infostealers and stolen credentials needs to be taken seriously",{"data":19968,"content":19969,"nodeType":1635},{},[19970],{"data":19971,"marks":19972,"value":19973,"nodeType":1639},{},[],"Breached credentials appearing online is not always seen as a top priority for security teams, particularly when there’s so much noise from all of the outdated or simply erroneous findings (anyone that’s ever subscribed to a credential TI feed knows the pain of this). ",{"data":19975,"content":19976,"nodeType":1635},{},[19977],{"data":19978,"marks":19979,"value":19980,"nodeType":1639},{},[],"But Snowflake serves as a stark reminder that despite all the false positives, stolen credentials are sometimes valid — and when weaponized at-scale they can be a powerful tool for attackers. ",{"data":19982,"content":19986,"nodeType":1626},{"target":19983},{"sys":19984},{"id":19985,"type":1631,"linkType":1632},"4EODpwKsqNivpvP2yMtZCd",[],{"data":19988,"content":19989,"nodeType":1815},{},[19990],{"data":19991,"marks":19992,"value":19994,"nodeType":1639},{},[19993],{"type":1708},"Don’t rely on third-parties to protect your identities for you",{"data":19996,"content":19997,"nodeType":1635},{},[19998],{"data":19999,"marks":20000,"value":20001,"nodeType":1639},{},[],"Snowflake came under fire following the attacks for not enabling MFA by default, or giving security teams sufficient tools to deal with the incident. ",{"data":20003,"content":20004,"nodeType":1635},{},[20005],{"data":20006,"marks":20007,"value":20008,"nodeType":1639},{},[],"This is perhaps justifiable, but is hardly the exception. Very few apps enforce MFA by default or provide a global MFA enforcement mechanism. Most don’t even provide audit logs (and when they do, the scope of logging is pretty limited). And we regularly encounter apps that don’t give you any information about account configuration as an admin — like which accounts have MFA, or the login methods that they’re using (e.g. SSO via SAML, SSO via OIDC, password, which IdPs are being used…) which is essential information to be able to secure your identity attack surface. ",{"data":20010,"content":20011,"nodeType":1635},{},[20012],{"data":20013,"marks":20014,"value":20015,"nodeType":1639},{},[],"Yes, it would be great if app vendors put security first and made controls available by default, for all customers (not just the premium ones). But in the absence of an industrywide shift toward security-first product development, it’s important that organizations don’t just point the finger at service providers — and take matters into their own hands when it comes to securing their user identities. ",{"data":20017,"content":20018,"nodeType":1815},{},[20019],{"data":20020,"marks":20021,"value":20023,"nodeType":1639},{},[20022],{"type":1708},"This isn’t a specific Snowflake problem — it could have been any application",{"data":20025,"content":20026,"nodeType":1635},{},[20027],{"data":20028,"marks":20029,"value":20030,"nodeType":1639},{},[],"While Snowflake was admittedly a high-value target because of the data it collected, apps with sensitive data (or with integrations connecting them to data collected in adjacent apps) are not in short supply. ",{"data":20032,"content":20033,"nodeType":1635},{},[20034],{"data":20035,"marks":20036,"value":20037,"nodeType":1639},{},[],"If we accept that many other apps are similarly desirable targets, then we should also consider that it’s unlikely that Snowflake is the only app that has valid credentials sitting around on the internet, waiting to be weaponized by criminals. Equally, it’s not the only app that doesn’t require mandatory MFA for user accounts, as we discussed above. The next Snowflake is likely to lurk in the same breached datasets, possibly even using the same credentials.",{"data":20039,"content":20040,"nodeType":1635},{},[20041],{"data":20042,"marks":20043,"value":20044,"nodeType":1639},{},[],"There’s been a clear increase in the number of infostealer and stolen credential related breaches and news stories since Snowflake as attackers wise up to the potential opportunity and start seeing the dollar signs. It would be naive to think that this was a one off event — the next Snowflake is probably not too far away. ",{"data":20046,"content":20047,"nodeType":1635},{},[20048],{"data":20049,"marks":20050,"value":20051,"nodeType":1639},{},[],"For a deep-dive analysis of the impact of Snowflake, check out our on-demand webinar from earlier this year.",{"data":20053,"content":20057,"nodeType":1626},{"target":20054},{"sys":20055},{"id":20056,"type":1631,"linkType":1632},"7LkU5DqE9HJ1PQu9BTg6Mw",[],{"data":20059,"content":20060,"nodeType":1697},{},[],{"data":20062,"content":20063,"nodeType":1701},{},[20064],{"data":20065,"marks":20066,"value":20068,"nodeType":1639},{},[20067],{"type":1708},"How to protect yourself from the next Snowflake using Push",{"data":20070,"content":20071,"nodeType":1635},{},[20072],{"data":20073,"marks":20074,"value":20075,"nodeType":1639},{},[],"Organizations looking to reduce their exposure to account takeover using stolen credentials should look to:",{"data":20077,"content":20078,"nodeType":1726},{},[20079,20089,20099],{"data":20080,"content":20081,"nodeType":1730},{},[20082],{"data":20083,"content":20084,"nodeType":1635},{},[20085],{"data":20086,"marks":20087,"value":20088,"nodeType":1639},{},[],"Identify the apps being used across the business and locate vulnerable workforce identities using weak, breached, or reused credentials, and missing MFA. Where SSO is the preferred login method, local username & password logins should ideally be removed. ",{"data":20090,"content":20091,"nodeType":1730},{},[20092],{"data":20093,"content":20094,"nodeType":1635},{},[20095],{"data":20096,"marks":20097,"value":20098,"nodeType":1639},{},[],"Where credentials appear in third-party data breaches, verify where they are still valid and ensure that the credentials are changed. ",{"data":20100,"content":20101,"nodeType":1730},{},[20102],{"data":20103,"content":20104,"nodeType":1635},{},[20105],{"data":20106,"marks":20107,"value":20108,"nodeType":1639},{},[],"Detect unauthorized access to workforce identities where sessions are initiated or resumed from unusual or unexpected locations. It should be noted that while this is a fairly common feature for larger enterprise cloud platforms with configurable access control policies, this is not typically possible for most SaaS applications.  ",{"data":20110,"content":20111,"nodeType":1635},{},[20112],{"data":20113,"marks":20114,"value":20115,"nodeType":1639},{},[],"All of these use cases can be achieved using Push. The Push browser extension detects all logins performed in employee browsers, capturing granular information about the login method and MFA types used, and enriching this data by integrating with your preferred IdP.",{"data":20117,"content":20118,"nodeType":1635},{},[20119,20123,20131],{"data":20120,"marks":20121,"value":20122,"nodeType":1639},{},[],"Push’s ",{"data":20124,"content":20126,"nodeType":1644},{"uri":20125},"https://pushsecurity.com/blog/verified-stolen-credential-detection",[20127],{"data":20128,"marks":20129,"value":20130,"nodeType":1639},{},[],"verified stolen credential detection feature",{"data":20132,"marks":20133,"value":20134,"nodeType":1639},{},[]," compares a k-anonymized hash of user passwords observed with stolen credential TI feeds to cut through the noise and identify where stolen credentials appearing online represent a genuine vulnerability.   ",{"data":20136,"content":20137,"nodeType":1635},{},[20138,20142,20151],{"data":20139,"marks":20140,"value":20141,"nodeType":1639},{},[],"On top of this, all logins made in browsers protected by the Push extension, across every app, are verified by ",{"data":20143,"content":20145,"nodeType":1644},{"uri":20144},"https://pushsecurity.com/blog/introducing-session-token-theft-detection-why-browser-is-best/",[20146],{"data":20147,"marks":20148,"value":20150,"nodeType":1639},{},[20149],{"type":1652},"adding a unique marker to the user agent string of the session",{"data":20152,"marks":20153,"value":20154,"nodeType":1639},{},[],", which will then appear in your IdP logs. This means that any session occurring outside of the Push-protected estate can be flagged to your security team via SIEM alert — including where an attacker uses stolen credentials to log into an app from a browser without the Push extension running. ",{"data":20156,"content":20160,"nodeType":1626},{"target":20157},{"sys":20158},{"id":20159,"type":1631,"linkType":1632},"3tqVk7Vr7pYLOEVukIJM2g",[],{"data":20162,"content":20163,"nodeType":1635},{},[20164],{"data":20165,"marks":20166,"value":29,"nodeType":1639},{},[],"Snowflake: Looking back on 2024’s landmark security event","165 Snowflake customers were targeted by criminals using stolen credentials from infostealer infections, impacting hundreds of millions of people. ","2024-11-29T00:00:00.000Z","snowflake-retro",{"items":20172},[20173],{"sys":20174,"name":3379},{"id":3378},{"items":20176},[20177],{"fullName":1615,"firstName":1616,"jobTitle":1617,"profilePicture":20178},{"url":1619},"browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches","blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches",{"json":20182},{"data":20183,"content":20184,"nodeType":1622},{},[20185],{"data":20186,"content":20187,"nodeType":1635},{},[20188],{"data":20189,"marks":20190,"value":20191,"nodeType":1639},{},[],"Browser sync attacks result in business credentials being compromised via personal account and device breaches. Here's what you need to know. ",{"id":20193,"publishedAt":20194},"4Mq5IZ2E0h9HRT3YkkHaLU","2026-04-20T13:31:20.897Z",{"items":20196},[20197,20199],{"sys":20198,"name":3383},{"id":3382},{"sys":20200,"name":3379},{"id":3378},"sujPxFDEdUJb2W3GlQQzBQBtI-mhxAIHXeZsuH6s2mU",[20203,20217,20229,20241,20253,20265,20277,20289,20301,20314,20326,20338],{"createdDate":20204,"id":20205,"name":1531,"modelId":20206,"published":13,"stageModifiedSincePublish":6,"query":20207,"data":20208,"variations":20210,"lastUpdated":20211,"firstPublished":20212,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20213,"meta":20214,"rev":20216},1776681500281,"d26d8066e0564bcf8611d41ba8747b9c","d5eb8d93a45c4789a2ebe115a7dd3982",[],{"logo":20209,"name":1531},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F231753a2ff9e44bc9387148fb5964312",{},1776681871344,1776681871336,[],{"breakpoints":20215,"lastPreviewUrl":29,"kind":28,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"04b6ftzc2dhf",{"createdDate":20218,"id":20219,"name":1534,"modelId":20206,"published":13,"stageModifiedSincePublish":6,"query":20220,"data":20221,"variations":20223,"lastUpdated":20224,"firstPublished":20225,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20226,"meta":20227,"rev":20216},1776681878113,"437349a9569348d8a7739807e80e4f1b",[],{"logo":20222,"name":1534},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3efce7134be64f7d8b1dc44d21c30af6",{},1776681916356,1776681916351,[],{"breakpoints":20228,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":20230,"id":20231,"name":1537,"modelId":20206,"published":13,"stageModifiedSincePublish":6,"query":20232,"data":20233,"variations":20235,"lastUpdated":20236,"firstPublished":20237,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20238,"meta":20239,"rev":20216},1776681924268,"b8c80da43f1846d49fe867b5232f24ed",[],{"logo":20234,"name":1537},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc5e0ab73233a4cd4876c63d4d333831c",{},1776681943760,1776681943748,[],{"breakpoints":20240,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":20242,"id":20243,"name":1540,"modelId":20206,"published":13,"stageModifiedSincePublish":6,"query":20244,"data":20245,"variations":20247,"lastUpdated":20248,"firstPublished":20249,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20250,"meta":20251,"rev":20216},1776681949450,"4d4067846ae3485099b65f572ecd991c",[],{"logo":20246,"name":1540},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5396e62554134be5a7d95b8457bd3ec5",{},1776681966025,1776681966014,[],{"breakpoints":20252,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":20254,"id":20255,"name":1543,"modelId":20206,"published":13,"stageModifiedSincePublish":6,"query":20256,"data":20257,"variations":20259,"lastUpdated":20260,"firstPublished":20261,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20262,"meta":20263,"rev":20216},1776682851376,"0ba9e157d3844407ad9dc3bde2ff556d",[],{"logo":20258,"name":1543},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8faa192caa2d4967bc9a021a0f8b6504",{},1776682870568,1776682870560,[],{"breakpoints":20264,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":20266,"id":20267,"name":1546,"modelId":20206,"published":13,"stageModifiedSincePublish":6,"query":20268,"data":20269,"variations":20271,"lastUpdated":20272,"firstPublished":20273,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20274,"meta":20275,"rev":20216},1776682798974,"69297faa8c4b46318df0672edcc23bec",[],{"logo":20270,"name":1546},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F83776ad5a4b14ff4ad1a5a4dd61e7784",{},1776682824163,1776682824150,[],{"breakpoints":20276,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":20278,"id":20279,"name":1549,"modelId":20206,"published":13,"meta":20280,"stageModifiedSincePublish":6,"query":20282,"data":20283,"variations":20285,"lastUpdated":20286,"firstPublished":20287,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20288,"rev":20216},1776682830652,"f1e4cf91458244539e57bc7d48648604",{"breakpoints":20281,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"logo":20284,"name":1549},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb0be4ce85bdd4f1790c3a803d998451d",{},1776682846658,1776682846646,[],{"createdDate":20290,"id":20291,"name":1552,"modelId":20206,"published":13,"stageModifiedSincePublish":6,"query":20292,"data":20293,"variations":20295,"lastUpdated":20296,"firstPublished":20297,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20298,"meta":20299,"rev":20216},1776683656830,"71d968ff26484b7da4dabce09787d5d4",[],{"logo":20294,"name":1552},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd1d48c2f29e349f9a44cf9dd41e3aa3f",{},1776683678333,1776683678326,[],{"breakpoints":20300,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":20302,"id":20303,"name":20304,"modelId":20206,"published":13,"meta":20305,"stageModifiedSincePublish":6,"query":20307,"data":20308,"variations":20310,"lastUpdated":20311,"firstPublished":20312,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20313,"rev":20216},1776683166686,"9917c83d08ca44c8a10eb4cb635b0b3a","Prisma",{"breakpoints":20306,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"logo":20309,"name":20304},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Feeec82a6131b4541ab9c4cd301d97826",{},1776683638417,1776683638409,[],{"createdDate":20315,"id":20316,"name":1557,"modelId":20206,"published":13,"stageModifiedSincePublish":6,"query":20317,"data":20318,"variations":20320,"lastUpdated":20321,"firstPublished":20322,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20323,"meta":20324,"rev":20216},1776683074270,"82f8212bd2bf4742b8856fb475962aeb",[],{"logo":20319,"name":1557},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ffb19fee733714841aa257e136c6e63bb",{},1776688072106,1776683094870,[],{"lastPreviewUrl":29,"kind":28,"breakpoints":20325,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":20327,"id":20328,"name":1560,"modelId":20206,"published":13,"stageModifiedSincePublish":6,"query":20329,"data":20330,"variations":20332,"lastUpdated":20333,"firstPublished":20334,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20335,"meta":20336,"rev":20216},1776683099975,"121f9af86eb4498ea2df14538da49dca",[],{"name":1560,"logo":20331},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fc75973e9c80c47a587eaa2e8eb6cbdcb",{},1776687761189,1776683130400,[],{"lastPreviewUrl":29,"kind":28,"breakpoints":20337,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":20339,"id":20340,"name":1563,"modelId":20206,"published":13,"stageModifiedSincePublish":6,"query":20341,"data":20342,"variations":20344,"lastUpdated":20345,"firstPublished":20346,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20347,"meta":20348,"rev":20216},1776682875814,"5f3ee7d8cd2d4f109ffde7b33f68697e",[],{"logo":20343,"name":1563},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F80b09a41a7914a55a4075f9c91c08143",{},1776687856072,1776682898401,[],{"lastPreviewUrl":29,"kind":28,"breakpoints":20349,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[20351,20367,20382,20396,20410,20423,20437,20451,20465,20479,20493,20507,20521,20535,20549,20563,20577,20591,20605],{"createdDate":20352,"id":20353,"name":20354,"modelId":20355,"published":13,"query":20356,"data":20357,"variations":20360,"lastUpdated":20361,"firstPublished":20362,"testRatio":23,"createdBy":92,"lastUpdatedBy":92,"folders":20363,"meta":20364,"rev":20366},1762986845344,"0d68029bb7e5460b82b89e7db78035e2","SpecterOps Bloodhound","6e0aa39f1f534f48ac5ed2ab6fa144c5",[],{"name":20354,"link":20358,"image":20359},"https://specterops.io/","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff21ebeaef1904f618fc30e32a7625e9c",{},1762987070904,1762987070893,[],{"breakpoints":20365,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"y1daspn4xba",{"createdDate":20368,"id":20369,"name":20370,"modelId":20355,"published":13,"meta":20371,"query":20373,"data":20374,"variations":20377,"lastUpdated":20378,"firstPublished":20379,"testRatio":23,"createdBy":20380,"lastUpdatedBy":20380,"folders":20381,"rev":20366},1756230565361,"a843202c1c304e7ba860f7a82e84050d","Softcat",{"lastPreviewUrl":29,"breakpoints":20372,"kind":28},{"xsmall":31,"small":32,"medium":33},[],{"link":20375,"name":20370,"image":20376},"https://www.softcat.com/","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6fb577a17bd14cbeb19166583dd1162a",{},1756407116714,1756230629965,"FdqW0cntfvUDN2PtmLkvxDNY6rj1",[],{"createdDate":20383,"id":20384,"name":20385,"modelId":20355,"published":13,"meta":20386,"query":20388,"data":20389,"variations":20392,"lastUpdated":20393,"firstPublished":20394,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":20395,"rev":20366},1752222480647,"2e25daca5f4847ac981bd289a313a8de","Vega",{"breakpoints":20387,"kind":28,"lastPreviewUrl":29},{"xsmall":31,"small":32,"medium":33},[],{"image":20390,"link":20391,"name":20385},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F21f36d006e5a4d988510ede1b8a896e7","https://blog.vega.io/",{},1752500897053,1752500897043,[],{"createdDate":20397,"id":20398,"name":20399,"modelId":20355,"published":13,"meta":20400,"query":20402,"data":20403,"variations":20406,"lastUpdated":20407,"firstPublished":20408,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":20409,"rev":20366},1752068182722,"c2d15af470274d51bfe9edf06fd3a839","mazehq",{"breakpoints":20401,"kind":28,"lastPreviewUrl":29},{"xsmall":31,"small":32,"medium":33},[],{"image":20404,"link":20405,"name":20399},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fe9003fe210264a968250bf60f0aa3435","https://mazehq.com/",{},1752068907758,1752068907744,[],{"createdDate":20411,"id":20412,"name":20413,"modelId":20355,"published":13,"meta":20414,"query":20416,"data":20417,"variations":20419,"lastUpdated":20420,"firstPublished":20421,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":20422,"rev":20366},1752048964782,"9de50cbd2c4842aa8c719e0ebc688949","Specterops",{"breakpoints":20415,"kind":28,"lastPreviewUrl":29},{"xsmall":31,"small":32,"medium":33},[],{"link":20358,"name":20413,"image":20418},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Faa00dec1110844109cfbf5fbce3e3a58",{},1752049162616,1752049162602,[],{"createdDate":20424,"id":20425,"name":20426,"modelId":20355,"published":13,"query":20427,"data":20428,"variations":20431,"lastUpdated":20432,"firstPublished":20433,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":20434,"meta":20435,"rev":20366},1750929354932,"4b1615c90308499c87d31ae6b796c47f","Dropzone ",[],{"image":20429,"name":20426,"link":20430},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbf026cd58b284b48bc34352009a808ce","https://www.dropzone.ai/",{},1750933253077,1750930508235,[],{"breakpoints":20436,"lastPreviewUrl":29,"kind":28,"hasAutosaves":34},{"xsmall":31,"small":32,"medium":33},{"createdDate":20438,"id":20439,"name":20440,"modelId":20355,"published":13,"meta":20441,"query":20443,"data":20444,"variations":20447,"lastUpdated":20448,"firstPublished":20449,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":20450,"rev":20366},1750857786473,"8e9a93b6f01c42909f01ec9a7bc9311d","Sublime security",{"lastPreviewUrl":29,"breakpoints":20442,"kind":28},{"xsmall":31,"small":32,"medium":33},[],{"name":20440,"image":20445,"link":20446},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd3de6790ce4a47bea6d011873425452a","https://sublime.security/",{},1750931875973,1750857818558,[],{"createdDate":20452,"id":20453,"name":20454,"modelId":20355,"published":13,"meta":20455,"query":20457,"data":20458,"variations":20461,"lastUpdated":20462,"firstPublished":20463,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":20464,"rev":20366},1750857712433,"43c9386ac7fc424c8fa8863635f9b9ed","Seemplicity",{"lastPreviewUrl":29,"breakpoints":20456,"kind":28},{"xsmall":31,"small":32,"medium":33},[],{"image":20459,"link":20460,"name":20454},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F5515c17986334630ac1eadd21b9e102e","https://seemplicity.io/",{},1750933248256,1750857782372,[],{"createdDate":20466,"id":20467,"name":20468,"modelId":20355,"published":13,"meta":20469,"query":20471,"data":20472,"variations":20475,"lastUpdated":20476,"firstPublished":20477,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":20478,"rev":20366},1750857643997,"ce7daaf6e56846e793cdcfe8d4049672","Run Zero",{"breakpoints":20470,"lastPreviewUrl":29,"kind":28},{"xsmall":31,"small":32,"medium":33},[],{"link":20473,"image":20474,"name":20468},"https://www.runzero.com/","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F3e477edb4bcf4a9a9d701a6562994480",{},1750933258353,1750857704996,[],{"createdDate":20480,"id":20481,"name":20482,"modelId":20355,"published":13,"meta":20483,"query":20485,"data":20486,"variations":20489,"lastUpdated":20490,"firstPublished":20491,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":20492,"rev":20366},1750856967417,"698c03d8e1a24305afa23537b5a26412","Kodem",{"breakpoints":20484,"kind":28,"lastPreviewUrl":29},{"xsmall":31,"small":32,"medium":33},[],{"image":20487,"link":20488,"name":20482},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fda3bd934c2754fd39469611672c83b0b","https://www.kodemsecurity.com/",{},1750933262397,1750857210494,[],{"lastUpdatedBy":91,"folders":20494,"data":20495,"modelId":20355,"query":20499,"published":13,"firstPublished":20500,"testRatio":23,"lastUpdated":20501,"createdDate":20502,"createdBy":91,"meta":20503,"variations":20504,"name":20505,"id":20506,"rev":20366},[],{"image":20496,"name":20497,"link":20498},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F6e3d8212521f4c2b890634c886b7eaa8","Sophos","https://sophos.com/",[],1728054150614,1728054150622,1728054083810,{"kind":28,"lastPreviewUrl":29},{},"sophos","548de6421552411085112240e67a230f",{"createdDate":20508,"id":20509,"name":20510,"modelId":20355,"published":13,"meta":20511,"query":20513,"data":20514,"variations":20517,"lastUpdated":20518,"firstPublished":20519,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"folders":20520,"rev":20366},1728054020158,"8b22dd146ec549b1a7283610478a3946","Gitlab",{"lastPreviewUrl":29,"kind":28,"breakpoints":20512},{"xsmall":31,"small":32,"medium":33},[],{"image":20515,"link":20516,"name":20510,"showInGlobalList":34},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fbecdf8927c6a406ca0d7614e005dce03","https://gitlab.com/",{},1750854836105,1728054205998,[],{"createdDate":20522,"id":20523,"name":20524,"modelId":20355,"published":13,"meta":20525,"query":20527,"data":20528,"variations":20531,"lastUpdated":20532,"firstPublished":20533,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"folders":20534,"rev":20366},1728054279189,"861f0e5dc1d744b592db4e3eb4c6c92b","Cribl",{"lastPreviewUrl":29,"kind":28,"breakpoints":20526},{"xsmall":31,"small":32,"medium":33},[],{"name":20524,"image":20529,"link":20530,"showInGlobalList":34},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F1e9e8d388bc14597968d404fa0dd7f99","https://cribl.io/",{},1750854842979,1728054315303,[],{"createdDate":20536,"id":20537,"name":20538,"modelId":20355,"published":13,"meta":20539,"query":20541,"data":20542,"variations":20545,"lastUpdated":20546,"firstPublished":20547,"testRatio":23,"createdBy":25,"lastUpdatedBy":91,"folders":20548,"rev":20366},1731417861051,"b5cb3b0fc4d94c4781dd9a7990326d47","greynoise",{"kind":28,"breakpoints":20540,"lastPreviewUrl":29},{"xsmall":31,"small":32,"medium":33},[],{"image":20543,"name":20538,"link":20544,"showInGlobalList":34},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fb99292e4117247a18ccaa247d0e834f3","https://www.greynoise.io/",{},1750854853280,1731417987334,[],{"createdDate":20550,"id":20551,"name":20552,"modelId":20355,"published":13,"query":20553,"data":20554,"variations":20557,"lastUpdated":20558,"firstPublished":20559,"testRatio":23,"createdBy":92,"lastUpdatedBy":25,"folders":20560,"meta":20561,"rev":20366},1762360849887,"d6ad52fc61ec4cd69a99ce0654e761d9","Ramp",[],{"image":20555,"name":20552,"link":20556,"showInGlobalList":34},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F321fc32cbac54856af4aeb4e4ec5ebe0","https://ramp.com/",{},1762957426946,1762360924931,[],{"lastPreviewUrl":29,"kind":28,"breakpoints":20562,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":20564,"id":20565,"name":20566,"modelId":20355,"published":13,"query":20567,"data":20568,"variations":20571,"lastUpdated":20572,"firstPublished":20573,"testRatio":23,"createdBy":25,"lastUpdatedBy":25,"folders":20574,"meta":20575,"rev":20366},1731418000864,"51c6261d939a4549b4ad871c886a4f43","Riskledger",[],{"link":20569,"showInGlobalList":6,"image":20570,"name":20566},"https://riskledger.com/","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F0aa25eddafa0421ea6b7834d3eeecb58",{},1763020144174,1731418028971,[],{"kind":28,"lastPreviewUrl":29,"breakpoints":20576,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":20578,"id":20579,"name":20580,"modelId":20355,"published":13,"meta":20581,"query":20583,"data":20584,"variations":20587,"lastUpdated":20588,"firstPublished":20589,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"folders":20590,"rev":20366},1728563630527,"388c99a4e6c542979bb75e0446cd1b6e","upvest",{"breakpoints":20582,"lastPreviewUrl":29,"kind":28},{"xsmall":31,"small":32,"medium":33},[],{"image":20585,"link":20586,"name":20580,"showInGlobalList":34},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7019b2161662442e80e83c8a32cf5ca7","https://upvest.co/",{},1750854868363,1728563705239,[],{"createdDate":20592,"id":20593,"name":20594,"modelId":20355,"published":13,"meta":20595,"query":20597,"data":20598,"variations":20601,"lastUpdated":20602,"firstPublished":20603,"testRatio":23,"createdBy":91,"lastUpdatedBy":91,"folders":20604,"rev":20366},1728054217478,"9a1849dd3ae649d8ab912ee95e94ad62","Thinkst",{"kind":28,"lastPreviewUrl":29,"breakpoints":20596},{"xsmall":31,"small":32,"medium":33},[],{"image":20599,"name":20594,"link":20600,"showInGlobalList":34},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F1ee4bf9428a04d23807c37149c65c242","https://thinkst.com/",{},1750854874682,1728054257265,[],{"createdDate":20606,"id":20607,"name":20608,"modelId":20355,"published":13,"meta":20609,"query":20611,"data":20612,"variations":20615,"lastUpdated":20616,"firstPublished":20617,"testRatio":23,"createdBy":25,"lastUpdatedBy":91,"folders":20618,"rev":20366},1731659785528,"1aa9970baca241609af62334a9191957","Portswigger",{"kind":28,"lastPreviewUrl":29,"breakpoints":20610},{"xsmall":31,"small":32,"medium":33},[],{"image":20613,"name":20608,"link":20614,"showInGlobalList":34},"https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Fd063a13264454d3ebcc9b8d91220cf5f","https://portswigger.net/",{},1750854882899,1731659822109,[],[20620,20636,20650,20664,20678,20692,20706],{"createdDate":20621,"id":20622,"name":20623,"modelId":20624,"published":13,"query":20625,"data":20626,"variations":20629,"lastUpdated":20630,"firstPublished":20631,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20632,"meta":20633,"rev":20635},1770121473555,"7b46ec38932042babc107295c1508721","Stop Phishing","1920c5ecc9964c5597d80ecefeaac570",[],{"subtext":20627,"heading":20623,"link":20628},"\u003Cp>Detect phishing and fake logins in real time to keep valuable credentials out of attacker hands.\u003C/p>\n",{"url":228},{},1770123727367,1770121632251,[],{"lastPreviewUrl":29,"breakpoints":20634,"kind":28,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"t6iilp4sr1",{"createdDate":20637,"id":20638,"name":20639,"modelId":20624,"published":13,"query":20640,"data":20641,"variations":20644,"lastUpdated":20645,"firstPublished":20646,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20647,"meta":20648,"rev":20635},1770121644587,"30bd7080d64a4532b594fdfd20a255fa","Find hidden apps",[],{"subtext":20642,"heading":20639,"link":20643},"\u003Cp>Surface shadow SaaS, unmanaged accounts, and duplicate logins to control your SaaS footprint.\u003C/p>\n",{"url":1004},{},1770123740241,1770121680524,[],{"lastPreviewUrl":29,"breakpoints":20649,"kind":28,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":20651,"id":20652,"name":20653,"modelId":20624,"published":13,"query":20654,"data":20655,"variations":20658,"lastUpdated":20659,"firstPublished":20660,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20661,"meta":20662,"rev":20635},1770121696534,"d00fd3238a6845fda35a50549fc7f62c","Accelerate response",[],{"heading":20653,"link":20656,"subtext":20657},{"url":884},"\u003Cp>See in-browser activity instantly to understand what happened, limit blast radius, and contain breaches faster.\u003C/p>\n",{},1770123754401,1770121744739,[],{"kind":28,"lastPreviewUrl":29,"breakpoints":20663,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":20665,"id":20666,"name":20667,"modelId":20624,"published":13,"query":20668,"data":20669,"variations":20672,"lastUpdated":20673,"firstPublished":20674,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20675,"meta":20676,"rev":20635},1770121753694,"2f2e1aa7e4e64f03b07532e3a0f16300","Block risky extensions",[],{"subtext":20670,"heading":20667,"link":20671},"\u003Cp>Gain visibility into risky or malicious add-ons across your workforce.\u003C/p>\n",{"url":408},{},1770123765023,1770121810644,[],{"kind":28,"lastPreviewUrl":29,"breakpoints":20677,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":20679,"id":20680,"name":20681,"modelId":20624,"published":13,"query":20682,"data":20683,"variations":20686,"lastUpdated":20687,"firstPublished":20688,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20689,"meta":20690,"rev":20635},1770121838291,"ce0507dc8c0b43f38937a16ab9727520","Prevent takeovers",[],{"heading":20681,"link":20684,"subtext":20685},{"url":527},"\u003Cp>Stop ATO with stolen credential and compromised token detection.\u003C/p>\n",{},1770123775906,1770121877597,[],{"kind":28,"lastPreviewUrl":29,"breakpoints":20691,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":20693,"id":20694,"name":20695,"modelId":20624,"published":13,"query":20696,"data":20697,"variations":20700,"lastUpdated":20701,"firstPublished":20702,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20703,"meta":20704,"rev":20635},1770121901807,"68b72bbe3c704e4aaa25bf8f274953f1","Harden attack paths",[],{"heading":20695,"link":20698,"subtext":20699},{"url":646},"\u003Cp>Eliminate weak passwords, ghost logins, and missing MFA at scale.\u003C/p>\n",{},1770123788957,1770121921966,[],{"lastPreviewUrl":29,"kind":28,"breakpoints":20705,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"createdDate":20707,"id":20708,"name":20709,"modelId":20624,"published":13,"query":20710,"data":20711,"variations":20714,"lastUpdated":20715,"firstPublished":20716,"testRatio":23,"createdBy":635,"lastUpdatedBy":635,"folders":20717,"meta":20718,"rev":20635},1770121948403,"7ca42a8088c2408b8ce52c58970c4d3c","Secure shadow AI",[],{"link":20712,"subtext":20713,"heading":20709},{"url":1124},"\u003Cp>Map, review, and classify AI applications across your environment to enforce AI usage policies.\u003C/p>\n",{},1770123799454,1770121968041,[],{"kind":28,"lastPreviewUrl":29,"breakpoints":20719,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},1777540335174]