[{"data":1,"prerenderedAt":3509},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/2025-top-phishing-trends":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":1032,"faqItemsCollection":1033,"faqTitle":62,"featured":6,"hashTags":62,"meta":1035,"metaTitle":1036,"ogImage":62,"publishedDate":1037,"relatedBlogPostsCollection":1038,"slug":3485,"stem":3486,"subtitle":62,"summary":3487,"synopsis":3498,"sys":3499,"tagsCollection":3502,"__hash__":3508},"blog/blog/2025-top-phishing-trends.json","2025’s top phishing trends — and what they mean for your 2026 security strategy",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Dan Green","Dan","Threat Research",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":238,"links":936},{"nodeType":239,"data":240,"content":241},"document",{},[242,251,260,267,271,281,288,295,302,402,408,414,420,427,434,454,457,465,472,479,486,532,539,585,591,598,605,608,616,623,630,637,711,717,723,756,762,782,788,795,802,808,811,819,826,859,866,869,877,884,891,924,930],{"nodeType":243,"data":244,"content":250},"embedded-entry-block",{"target":245},{"sys":246},{"id":247,"type":248,"linkType":249},"1axcGwWxeKxDMk8jOWhYT6","Link","Entry",[],{"nodeType":252,"data":253,"content":254},"paragraph",{},[255],{"nodeType":256,"value":257,"marks":258,"data":259},"text","2025 saw a huge amount of attacker innovation when it comes to phishing attacks, as attackers continue to double down on identity-based techniques. The continual evolution of phishing means it remains one of the most effective methods available to attackers today — in fact, it’s arguably more effective than ever. ",[],{},{"nodeType":252,"data":261,"content":262},{},[263],{"nodeType":256,"value":264,"marks":265,"data":266},"Let’s take a closer look at the key trends that defined phishing attacks in 2025, and what these changes mean for security teams heading into 2026. ",[],{},{"nodeType":268,"data":269,"content":270},"hr",{},[],{"nodeType":272,"data":273,"content":274},"heading-1",{},[275],{"nodeType":256,"value":276,"marks":277,"data":280},"#1: Phishing goes omni-channel",[278],{"type":279},"bold",{},{"nodeType":252,"data":282,"content":283},{},[284],{"nodeType":256,"value":285,"marks":286,"data":287},"We’ve been talking about the rise of non-email phishing for some time now, but 2025 was the year phishing truly went omni-channel. ",[],{},{"nodeType":252,"data":289,"content":290},{},[291],{"nodeType":256,"value":292,"marks":293,"data":294},"Although most of the industry’s data on phishing still comes from email security vendors and tools, the picture is starting to change. Roughly 1 in 3 phishing attacks detected by Push Security were delivered outside of email. ",[],{},{"nodeType":252,"data":296,"content":297},{},[298],{"nodeType":256,"value":299,"marks":300,"data":301},"There are many examples of phishing campaigns operated outside of email, with LinkedIn DMs and Google Search being the top channels we identified. Notable campaigns include:",[],{},{"nodeType":303,"data":304,"content":305},"unordered-list",{},[306,331,353],{"nodeType":307,"data":308,"content":309},"list-item",{},[310],{"nodeType":252,"data":311,"content":312},{},[313,316,327],{"nodeType":256,"value":29,"marks":314,"data":315},[],{},{"nodeType":317,"data":318,"content":320},"hyperlink",{"uri":319},"https://pushsecurity.com/blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack",[321],{"nodeType":256,"value":322,"marks":323,"data":326},"A targeted campaign against tech company Exec’s",[324],{"type":325},"underline",{},{"nodeType":256,"value":328,"marks":329,"data":330}," delivered via compromised accounts on LinkedIn from other employees of the same organization, framed as an investment opportunity.",[],{},{"nodeType":307,"data":332,"content":333},{},[334],{"nodeType":252,"data":335,"content":336},{},[337,340,349],{"nodeType":256,"value":29,"marks":338,"data":339},[],{},{"nodeType":317,"data":341,"content":343},{"uri":342},"https://pushsecurity.com/blog/new-phishing-campaign-identified-targeting-linkedin-users",[344],{"nodeType":256,"value":345,"marks":346,"data":348},"A campaign posing as a South American investment fund",[347],{"type":325},{},{"nodeType":256,"value":350,"marks":351,"data":352}," offering the opportunity to join the fund. ",[],{},{"nodeType":307,"data":354,"content":355},{},[356],{"nodeType":252,"data":357,"content":358},{},[359,363,372,376,385,389,398],{"nodeType":256,"value":360,"marks":361,"data":362},"Several malvertising campaigns capturing users searching for key search terms such as “",[],{},{"nodeType":317,"data":364,"content":366},{"uri":365},"https://pushsecurity.com/blog/analysing-a-malvertising-attack-targeting-business-google-accounts",[367],{"nodeType":256,"value":368,"marks":369,"data":371},"Google Ads",[370],{"type":325},{},{"nodeType":256,"value":373,"marks":374,"data":375},"”, “",[],{},{"nodeType":317,"data":377,"content":379},{"uri":378},"https://pushsecurity.com/blog/analysing-a-sophisticated-google-malvertising-attack",[380],{"nodeType":256,"value":381,"marks":382,"data":384},"TradingView",[383],{"type":325},{},{"nodeType":256,"value":386,"marks":387,"data":388},"” and “",[],{},{"nodeType":317,"data":390,"content":392},{"uri":391},"https://pushsecurity.com/blog/investigating-a-recent-malvertising-campaign-targeting-onfido-customers",[393],{"nodeType":256,"value":394,"marks":395,"data":397},"Onfido",[396],{"type":325},{},{"nodeType":256,"value":399,"marks":400,"data":401},"”. ",[],{},{"nodeType":243,"data":403,"content":407},{"target":404},{"sys":405},{"id":406,"type":248,"linkType":249},"3LjyZooaJQ83eJt8DRX9bP",[],{"nodeType":243,"data":409,"content":413},{"target":410},{"sys":411},{"id":412,"type":248,"linkType":249},"644LdQYjRHerpKU5pCGv1n",[],{"nodeType":243,"data":415,"content":419},{"target":416},{"sys":417},{"id":418,"type":248,"linkType":249},"3anCGk5A4AOVH1t9dr1xKp",[],{"nodeType":252,"data":421,"content":422},{},[423],{"nodeType":256,"value":424,"marks":425,"data":426},"Phishing via non-email channels has a number of advantages. With email being the best protected phishing vector, it sidesteps these controls entirely. There’s no need to build up your sender reputation, find ways to trick content analysis engines, or hope your message doesn’t end up in the spam folder.",[],{},{"nodeType":252,"data":428,"content":429},{},[430],{"nodeType":256,"value":431,"marks":432,"data":433},"In comparison, non-email vectors have practically no screening, your security team has no visibility, and users are less likely to anticipate possible phishing. It’s arguable that a company Exec is more likely to engage with a LinkedIn DM from a reputable account than a cold email. And social media apps do nothing to analyse messages for phishing links. (And because of the limitations of URL-based checks when it comes to today’s multi-stage phishing attacks, this would be extremely difficult even if they tried). ",[],{},{"nodeType":252,"data":435,"content":436},{},[437,441,450],{"nodeType":256,"value":438,"marks":439,"data":440},"Search engines also present a huge opportunity for attackers, whether they’re compromising existing, high reputation sites, spinning up malicious ads, or simply vibe coding their own SEO-optimized websites. This is an effective way to launch “watering hole” style attacks, casting a wide net to harvest credentials and account access that can be re-sold to other criminals for a fee, or leveraged by partners in the cybercriminal ecosystem as part of major cyber breaches (such as the recent attacks by the “",[],{},{"nodeType":317,"data":442,"content":444},{"uri":443},"https://pushsecurity.com/blog/scattered-lapsus-hunters",[445],{"nodeType":256,"value":446,"marks":447,"data":449},"Scattered Lapsus$ Hunters",[448],{"type":325},{},{"nodeType":256,"value":451,"marks":452,"data":453},"” criminal collective, all of which began with identity-based initial access). ",[],{},{"nodeType":268,"data":455,"content":456},{},[],{"nodeType":272,"data":458,"content":459},{},[460],{"nodeType":256,"value":461,"marks":462,"data":464},"#2: Criminal PhaaS kits dominate",[463],{"type":279},{},{"nodeType":252,"data":466,"content":467},{},[468],{"nodeType":256,"value":469,"marks":470,"data":471},"The vast majority of phishing attacks today use a reverse proxy. This means they are capable of bypassing most forms of MFA because a session is created and stolen in real time as part of the attack. There is no downside to this approach compared to the basic credential phishing that was the norm more than a decade ago.",[],{},{"nodeType":252,"data":473,"content":474},{},[475],{"nodeType":256,"value":476,"marks":477,"data":478},"These Attacker-in-the-Middle attacks are powered by criminal Phishing-as-a-Service (PhaaS) kits such as Tycoon, NakedPages, Sneaky2FA, Flowerstorm, Salty2FA, along with various Evilginx variations (nominally a tool for red teamers, but widely used by attackers). ",[],{},{"nodeType":252,"data":480,"content":481},{},[482],{"nodeType":256,"value":483,"marks":484,"data":485},"PhaaS kits are incredibly important to cybercrime because they make sophisticated and continuously evolving capabilities available to the criminal marketplace, lowering the barrier to entry for criminals running advanced phishing campaigns. This is not unique to phishing: Ransomware-as-a-Service, Credential Stuffing-as-a-Service, and many more for-hire tools and services exist for criminals to use for a fee. ",[],{},{"nodeType":252,"data":487,"content":488},{},[489,493,502,506,515,519,528],{"nodeType":256,"value":490,"marks":491,"data":492},"This competitive environment has fueled attacker innovation, resulting in an environment in which MFA-bypass is table stakes, phishing-resistant authentication is being circumvented through ",[],{},{"nodeType":317,"data":494,"content":496},{"uri":495},"https://pushsecurity.com/blog/mfa-downgrade-attacks",[497],{"nodeType":256,"value":498,"marks":499,"data":501},"downgrade attacks",[500],{"type":325},{},{"nodeType":256,"value":503,"marks":504,"data":505},", and ",[],{},{"nodeType":317,"data":507,"content":509},{"uri":508},"https://phishing-techniques.pushsecurity.com/",[510],{"nodeType":256,"value":511,"marks":512,"data":514},"detection evasion techniques",[513],{"type":325},{},{"nodeType":256,"value":516,"marks":517,"data":518}," are being used to circumvent security tools — from email scanners, to web-crawling security tools, to web proxies analyzing network traffic. It also means that when new capabilities emerge — such as ",[],{},{"nodeType":317,"data":520,"content":522},{"uri":521},"https://pushsecurity.com/blog/analyzing-the-latest-sneaky2fa-phishing-page",[523],{"nodeType":256,"value":524,"marks":525,"data":527},"Browser-in-the-Browser",[526],{"type":325},{},{"nodeType":256,"value":529,"marks":530,"data":531}," — these are quickly integrated into a range of phishing kits. ",[],{},{"nodeType":252,"data":533,"content":534},{},[535],{"nodeType":256,"value":536,"marks":537,"data":538},"Some of the most prevalent detection evasion methods we’ve seen this year are:",[],{},{"nodeType":303,"data":540,"content":541},{},[542,552,562],{"nodeType":307,"data":543,"content":544},{},[545],{"nodeType":252,"data":546,"content":547},{},[548],{"nodeType":256,"value":549,"marks":550,"data":551},"Widespread use of bot protection. Every phishing page today comes with either a custom CAPTCHA or Cloudflare Turnstile (legitimate and fake versions) designed to block web-crawling security bots from being able to analyse phishing pages. ",[],{},{"nodeType":307,"data":553,"content":554},{},[555],{"nodeType":252,"data":556,"content":557},{},[558],{"nodeType":256,"value":559,"marks":560,"data":561},"Extensive redirect chains between the initial link seeded out to the victim, and the actual malicious page hosting phishing content, designed to bury phishing sites among several legitimate pages. ",[],{},{"nodeType":307,"data":563,"content":564},{},[565],{"nodeType":252,"data":566,"content":567},{},[568,572,581],{"nodeType":256,"value":569,"marks":570,"data":571},"Multi-stage page loading performed client-side via JavaScript. This means that pages are ",[],{},{"nodeType":317,"data":573,"content":575},{"uri":574},"https://phishing-techniques.pushsecurity.com/techniques/conditional-loading/",[576],{"nodeType":256,"value":577,"marks":578,"data":580},"conditionally loaded",[579],{"type":325},{},{"nodeType":256,"value":582,"marks":583,"data":584},", and if conditions aren’t met, malicious content isn’t served — so the page looks clean. This also means that most of the malicious activity is happening locally, without creating web requests that can be analysed by network traffic analysis tools (e.g. web proxies). ",[],{},{"nodeType":243,"data":586,"content":590},{"target":587},{"sys":588},{"id":589,"type":248,"linkType":249},"5LLgjhCexTYd5OlHuptv3n",[],{"nodeType":252,"data":592,"content":593},{},[594],{"nodeType":256,"value":595,"marks":596,"data":597},"This contributes to an environment where phishing is going undetected for extended periods of time. Even when a page is flagged, it’s trivial for attackers to dynamically serve up different phishing pages from the same benign chain of URLs used in the attack. ",[],{},{"nodeType":252,"data":599,"content":600},{},[601],{"nodeType":256,"value":602,"marks":603,"data":604},"This is all to say that the old-school approach to URL blocking bad sites is becoming much harder and leaves you two steps behind attackers at all times.",[],{},{"nodeType":268,"data":606,"content":607},{},[],{"nodeType":272,"data":609,"content":610},{},[611],{"nodeType":256,"value":612,"marks":613,"data":615},"#3: Attackers find ways around phishing-resistant authentication (and other security controls)",[614],{"type":279},{},{"nodeType":252,"data":617,"content":618},{},[619],{"nodeType":256,"value":620,"marks":621,"data":622},"We already mentioned that MFA downgrade has been an area of focus for security researchers and attackers. But phishing-resistant authentication methods (i.e. passkeys) remain effective so long as the phishing-resistant factor is the only possible login factor, and there are no backup methods enabled for the account. (Though because of the logistical issues of having just one factor, this is fairly uncommon.) ",[],{},{"nodeType":252,"data":624,"content":625},{},[626],{"nodeType":256,"value":627,"marks":628,"data":629},"Equally, access control policies can be applied on larger enterprise apps and cloud platforms to reduce the risk of unauthorized access (although these can be tricky to implement and maintain without error).",[],{},{"nodeType":252,"data":631,"content":632},{},[633],{"nodeType":256,"value":634,"marks":635,"data":636},"In any case, attackers are considering all eventualities and looking for alternative ways into accounts that are less well protected. This mainly involves attackers circumventing the standard authentication process, through techniques such as:",[],{},{"nodeType":303,"data":638,"content":639},{},[640,668,696],{"nodeType":307,"data":641,"content":642},{},[643],{"nodeType":252,"data":644,"content":645},{},[646,649,659,664],{"nodeType":256,"value":29,"marks":647,"data":648},[],{},{"nodeType":317,"data":650,"content":652},{"uri":651},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/consent_phishing/description.md",[653],{"nodeType":256,"value":654,"marks":655,"data":658},"Consent phishing",[656,657],{"type":325},{"type":279},{},{"nodeType":256,"value":660,"marks":661,"data":663},":",[662],{"type":279},{},{"nodeType":256,"value":665,"marks":666,"data":667}," Tricking victims into connecting malicious OAuth apps into their app tenant.",[],{},{"nodeType":307,"data":669,"content":670},{},[671],{"nodeType":252,"data":672,"content":673},{},[674,677,687,692],{"nodeType":256,"value":29,"marks":675,"data":676},[],{},{"nodeType":317,"data":678,"content":680},{"uri":679},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/device_code_phishing/description.md",[681],{"nodeType":256,"value":682,"marks":683,"data":686},"Device code phishing",[684,685],{"type":325},{"type":279},{},{"nodeType":256,"value":688,"marks":689,"data":691},": ",[690],{"type":279},{},{"nodeType":256,"value":693,"marks":694,"data":695},"The same as consent phishing, but authorizing through the device code flow designed for device logins that cannot support OAuth, by providing a substitute passcode. ",[],{},{"nodeType":307,"data":697,"content":698},{},[699],{"nodeType":252,"data":700,"content":701},{},[702,707],{"nodeType":256,"value":703,"marks":704,"data":706},"Malicious browser extensions: ",[705],{"type":279},{},{"nodeType":256,"value":708,"marks":709,"data":710},"Tricking victims into installing a malicious extension (or hijacking an existing one) to steal credentials and cookies from the browser. ",[],{},{"nodeType":243,"data":712,"content":716},{"target":713},{"sys":714},{"id":715,"type":248,"linkType":249},"75lMjdJtq9APebTaF2hQ1b",[],{"nodeType":243,"data":718,"content":722},{"target":719},{"sys":720},{"id":721,"type":248,"linkType":249},"4KWwlg8PsuyAud8i5tpWfH",[],{"nodeType":252,"data":724,"content":725},{},[726,730,739,743,752],{"nodeType":256,"value":727,"marks":728,"data":729},"Another technique that attackers are using to steal credentials and sessions is ",[],{},{"nodeType":317,"data":731,"content":733},{"uri":732},"https://pushsecurity.com/blog/the-most-advanced-clickfix-yet",[734],{"nodeType":256,"value":735,"marks":736,"data":738},"ClickFix",[737],{"type":325},{},{"nodeType":256,"value":740,"marks":741,"data":742},". ClickFix was the ",[],{},{"nodeType":317,"data":744,"content":746},{"uri":745},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=36",[747],{"nodeType":256,"value":748,"marks":749,"data":751},"top initial access vector detected by Microsoft last year",[750],{"type":325},{},{"nodeType":256,"value":753,"marks":754,"data":755},", involved in 47% of attacks. While not a traditional phishing attack, this sees attackers socially engineer users into running malicious code on their machine, typically deploying remote access tools and infostealer malware. Infostealers are then used to harvest credentials and cookies for initial access to various apps and services. ",[],{},{"nodeType":243,"data":757,"content":761},{"target":758},{"sys":759},{"id":760,"type":248,"linkType":249},"4cC9GbPoKFmYUJgbkbeOLs",[],{"nodeType":252,"data":763,"content":764},{},[765,769,778],{"nodeType":256,"value":766,"marks":767,"data":768},"Push Security researchers have also discovered a brand new technique dubbed ",[],{},{"nodeType":317,"data":770,"content":772},{"uri":771},"https://pushsecurity.com/blog/consentfix",[773],{"nodeType":256,"value":774,"marks":775,"data":777},"ConsentFix",[776],{"type":325},{},{"nodeType":256,"value":779,"marks":780,"data":781}," — a browser-native version of ClickFix that results in an OAuth connection being established to the target app, simply by copying and pasting a legitimate URL containing OAuth key material. ",[],{},{"nodeType":243,"data":783,"content":787},{"target":784},{"sys":785},{"id":786,"type":248,"linkType":249},"4bdqleePd53oK5v5uEUFbr",[],{"nodeType":252,"data":789,"content":790},{},[791],{"nodeType":256,"value":792,"marks":793,"data":794},"This is even more dangerous than ClickFix as it is entirely browser-native — removing the endpoint detection surface (and strong security controls like EDR) from the equation entirely. And in the particular case spotted by Push, the attackers targeted Azure CLI — a first-party Microsoft app that has special permissions and can’t be restricted like third-party apps. ",[],{},{"nodeType":252,"data":796,"content":797},{},[798],{"nodeType":256,"value":799,"marks":800,"data":801},"Really, there are lots of different techniques attackers can use to take over accounts on key business applications — it’s outdated to think of phishing as being locked in to passwords, MFA, and the standard authentication flow. ",[],{},{"nodeType":243,"data":803,"content":807},{"target":804},{"sys":805},{"id":806,"type":248,"linkType":249},"74S97KkuFzI48UwXw3msTq",[],{"nodeType":268,"data":809,"content":810},{},[],{"nodeType":272,"data":812,"content":813},{},[814],{"nodeType":256,"value":815,"marks":816,"data":818},"Guidance for security teams in 2026",[817],{"type":279},{},{"nodeType":252,"data":820,"content":821},{},[822],{"nodeType":256,"value":823,"marks":824,"data":825},"To tackle phishing in 2026, security teams need to change their threat model for phishing, and acknowledge that:",[],{},{"nodeType":303,"data":827,"content":828},{},[829,839,849],{"nodeType":307,"data":830,"content":831},{},[832],{"nodeType":252,"data":833,"content":834},{},[835],{"nodeType":256,"value":836,"marks":837,"data":838},"It’s not enough to protect email as your main anti-phishing surface",[],{},{"nodeType":307,"data":840,"content":841},{},[842],{"nodeType":252,"data":843,"content":844},{},[845],{"nodeType":256,"value":846,"marks":847,"data":848},"Network and traffic monitoring tools aren’t keeping up with modern phishing pages",[],{},{"nodeType":307,"data":850,"content":851},{},[852],{"nodeType":252,"data":853,"content":854},{},[855],{"nodeType":256,"value":856,"marks":857,"data":858},"Phishing-resistant authentication, even if perfectly implemented, doesn’t make you immune",[],{},{"nodeType":252,"data":860,"content":861},{},[862],{"nodeType":256,"value":863,"marks":864,"data":865},"Detection and response is key. But most organizations have significant visibility gaps.",[],{},{"nodeType":268,"data":867,"content":868},{},[],{"nodeType":272,"data":870,"content":871},{},[872],{"nodeType":256,"value":873,"marks":874,"data":876},"Solving the detection gap in the browser",[875],{"type":279},{},{"nodeType":252,"data":878,"content":879},{},[880],{"nodeType":256,"value":881,"marks":882,"data":883},"One thing that these attacks have in common is that they all take place in the web browser, targeting users as they go about their work on the internet. That makes it the perfect place to detect and respond to these attacks. But right now, the browser is a blind-spot for most security teams.",[],{},{"nodeType":252,"data":885,"content":886},{},[887],{"nodeType":256,"value":888,"marks":889,"data":890},"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":252,"data":892,"content":893},{},[894,898,907,911,920],{"nodeType":256,"value":895,"marks":896,"data":897},"To learn more about Push, ",[],{},{"nodeType":317,"data":899,"content":901},{"uri":900},"https://pushsecurity.com/resources/product-brochure",[902],{"nodeType":256,"value":903,"marks":904,"data":906},"check out our latest product overview",[905],{"type":325},{},{"nodeType":256,"value":908,"marks":909,"data":910}," or ",[],{},{"nodeType":317,"data":912,"content":914},{"uri":913},"https://pushsecurity.com/demo",[915],{"nodeType":256,"value":916,"marks":917,"data":919},"book some time with one of our team for a live demo",[918],{"type":325},{},{"nodeType":256,"value":921,"marks":922,"data":923},".",[],{},{"nodeType":243,"data":925,"content":929},{"target":926},{"sys":927},{"id":928,"type":248,"linkType":249},"6QzB0BlVC5mstXwXHvy2c3",[],{"nodeType":252,"data":931,"content":932},{},[933],{"nodeType":256,"value":29,"marks":934,"data":935},[],{},{"entries":937},{"hyperlink":938,"inline":939,"block":940},[],[],[941,967,975,981,987,993,999,1006,1012,1019,1025],{"sys":942,"__typename":943,"content":944,"name":966,"title":62},{"id":247},"InsightTextBlockComponent",{"json":945},{"nodeType":239,"data":946,"content":947},{},[948],{"nodeType":252,"data":949,"content":950},{},[951,955,963],{"nodeType":256,"value":952,"marks":953,"data":954},"We recently ran a webinar packed full of attack demo's, showcasing some of the most interesting attacks intercepted by Push in 2025. ",[],{},{"nodeType":317,"data":956,"content":958},{"uri":957},"https://pushsecurity.com/webinar/phishing-2025-review",[959],{"nodeType":256,"value":960,"marks":961,"data":962},"You can now watch it on demand here!",[],{},{"nodeType":256,"value":29,"marks":964,"data":965},[],{},"Top phishing trends insight box 1",{"sys":968,"__typename":969,"title":970,"caption":970,"layoutMode":62,"file":971},{"id":406},"Image","Fake private equity fund page hosted on Google Sites. ",{"url":972,"width":973,"height":974},"https://images.ctfassets.net/y1cdw1ablpvd/2DbF1Lj4h5HVGrqDhlVlTF/9efa11f318206eb913d83c254746efb1/1.png",1999,1200,{"sys":976,"__typename":969,"title":977,"caption":977,"layoutMode":62,"file":978},{"id":412},"Custom investment fund landing page hosted on Firebase.",{"url":979,"width":973,"height":980},"https://images.ctfassets.net/y1cdw1ablpvd/2NH9muR2eBEPEybqQ8o0yu/ef66b40c7428790c9017181e17b33558/2.png",1080,{"sys":982,"__typename":969,"title":983,"caption":983,"layoutMode":62,"file":984},{"id":418},"Malvertising link for “Google Ads” taking the top Sponsored Results spot.",{"url":985,"width":973,"height":986},"https://images.ctfassets.net/y1cdw1ablpvd/2gQcwHSyUKIoqlW1upRSzK/5ead4c9e6c1e6659be7d781ad85ed9ea/3.png",1205,{"sys":988,"__typename":969,"title":989,"caption":989,"layoutMode":62,"file":990},{"id":589},"Example of a typical phishing link chain incorporating legitimate websites before serving up a phishing page, as shown in the Push Security “Timelines” detection feature.",{"url":991,"width":992,"height":973},"https://images.ctfassets.net/y1cdw1ablpvd/3WZkEAVsAH7PWtcoQJfDG1/03826279b5dd2bc11fbbf34f82c59136/4.png",1743,{"sys":994,"__typename":969,"title":995,"caption":995,"layoutMode":62,"file":996},{"id":715},"Consent phishing examples where an attacker tricks the victim into authorizing an attacker-controlled app with risky permissions.",{"url":997,"width":973,"height":998},"https://images.ctfassets.net/y1cdw1ablpvd/2ZgY3mMKcE6IGpH55kOuL4/2a7e78e97654faa61cf8e8b002789b96/5.png",1367,{"sys":1000,"__typename":969,"title":1001,"caption":1001,"layoutMode":62,"file":1002},{"id":721},"Device code phishing targeting Salesforce, as seen in the Scattered Lapsus$ Hunters campaign. ",{"url":1003,"width":1004,"height":1005},"https://images.ctfassets.net/y1cdw1ablpvd/7uvYjRiqG4E7qj3PTmTZzW/3d3ed52d3157bf12a630e35eb2ae08d1/6.png",1488,950,{"sys":1007,"__typename":969,"title":1008,"caption":1008,"layoutMode":62,"file":1009},{"id":760},"ClickFix attacks prompt the victim to “fix” an issue on the webpage by running code locally on their machine.",{"url":1010,"width":973,"height":1011},"https://images.ctfassets.net/y1cdw1ablpvd/1LXv96rhy5Sv6SBlJP0bJS/6fb6b49dcd2bdc003c2aa60ed271708f/7.png",1117,{"sys":1013,"__typename":969,"title":1014,"caption":1014,"layoutMode":62,"file":1015},{"id":786},"ConsentFix prompts victims to paste a URL containing an OAuth code, authorising a connection to the attacker’s OAuth app tenant. ",{"url":1016,"width":1017,"height":1018},"https://images.ctfassets.net/y1cdw1ablpvd/7IfG43sz0jRnrNiKsMwN8j/1373b7cd86fe969acad27ad956612ca0/8.png",1225,1135,{"sys":1020,"__typename":969,"title":1021,"caption":1021,"layoutMode":62,"file":1022},{"id":806},"There are lots of ways that attackers can achieve account takeover today via phishing / social engineering.",{"url":1023,"width":973,"height":1024},"https://images.ctfassets.net/y1cdw1ablpvd/4Wz7gAJLWDyaGjj030ypH2/7a07f1e5c46cdebd2e395d0ceb412387/9.png",969,{"sys":1026,"__typename":1027,"type":1028,"ctaText":1029,"buttonLabel":1030,"buttonColour":1031,"buttonUrl":957},{"id":928},"CtaWidget","Custom","Learn how phishing evolved in 2025, showcasing the most sophisticated attacks and key trends uncovered by Push researchers","Register Now","sunny orange","json",{"items":1034},[],{},"Analyzing 2025's top phishing trends","2025-12-15T00:00:00.000Z",{"items":1039},[1040,1916,2517],{"__typename":1041,"sys":1042,"content":1044,"title":1894,"synopsis":1895,"hashTags":62,"publishedDate":1896,"slug":1897,"tagsCollection":1898,"authorsCollection":1908},"BlogPosts",{"id":1043},"71EaaK7lfl6bQBbkAU0qjv",{"json":1045},{"nodeType":239,"data":1046,"content":1047},{},[1048,1056,1063,1070,1077,1089,1096,1102,1108,1111,1119,1126,1133,1139,1158,1165,1171,1178,1184,1191,1234,1240,1246,1253,1260,1263,1271,1291,1298,1304,1323,1329,1349,1356,1359,1367,1374,1420,1432,1435,1443,1460,1467,1483,1490,1497,1503,1510,1513,1521,1528,1581,1588,1591,1599,1605,1612,1619,1625,1632,1665,1672,1679,1685,1692,1698,1707,1727,1734,1767,1774,1807,1810,1818,1825,1831,1850,1857,1883,1888],{"nodeType":272,"data":1049,"content":1050},{},[1051],{"nodeType":256,"value":1052,"marks":1053,"data":1055},"Introducing “ConsentFix” — a new kind of phishing attack",[1054],{"type":279},{},{"nodeType":252,"data":1057,"content":1058},{},[1059],{"nodeType":256,"value":1060,"marks":1061,"data":1062},"The Push browser agent recently detected and blocked a new attack technique seen targeting several Push customers. ",[],{},{"nodeType":252,"data":1064,"content":1065},{},[1066],{"nodeType":256,"value":1067,"marks":1068,"data":1069},"This is a new kind of browser-based attack technique that takes over user accounts with a simple copy and paste. If you’re already logged into the app in your browser, you don’t even need to supply creds, or pass an MFA check — meaning it effectively circumvents phishing-resistant auth like passkeys too.",[],{},{"nodeType":252,"data":1071,"content":1072},{},[1073],{"nodeType":256,"value":1074,"marks":1075,"data":1076},"This is so different from the AiTM phish kits we usually come up against that we felt it deserved a new name. ",[],{},{"nodeType":252,"data":1078,"content":1079},{},[1080,1085],{"nodeType":256,"value":1081,"marks":1082,"data":1084},"Enter: ConsentFix. ",[1083],{"type":279},{},{"nodeType":256,"value":1086,"marks":1087,"data":1088},"This attack shares a lot of similarities with ClickFix/FileFix, AiTM phishing, and OAuth Consent Phishing. You can think of this as a browser-native ClickFix attack that phishes an OAuth token on a target app by getting the victim to copy and paste a URL containing OAuth key material into a phishing page. ",[],{},{"nodeType":252,"data":1090,"content":1091},{},[1092],{"nodeType":256,"value":1093,"marks":1094,"data":1095},"The campaign we detected looks to be specifically targeting Microsoft accounts by abusing the Azure CLI OAuth app. Essentially, the attacker tricks the victim into logging into Azure CLI, by generating an OAuth authorization code — visible in a localhost URL — and then pasting that URL (including the code) into an attacker-controlled page. This then creates an OAuth connection between the victim’s Microsoft account and the attacker’s Azure CLI instance. ",[],{},{"nodeType":243,"data":1097,"content":1101},{"target":1098},{"sys":1099},{"id":1100,"type":248,"linkType":249},"5GTnqWIbmraz8HZeHMybrP",[],{"nodeType":243,"data":1103,"content":1107},{"target":1104},{"sys":1105},{"id":1106,"type":248,"linkType":249},"1lcjX5q3b1bsuhyOXKvJpW",[],{"nodeType":268,"data":1109,"content":1110},{},[],{"nodeType":272,"data":1112,"content":1113},{},[1114],{"nodeType":256,"value":1115,"marks":1116,"data":1118},"How ConsentFix works",[1117],{"type":279},{},{"nodeType":252,"data":1120,"content":1121},{},[1122],{"nodeType":256,"value":1123,"marks":1124,"data":1125},"In all of the examples we saw, the victim accessed a malicious or compromised webpage via Google Search. The vast majority of the sites we’ve seen associated with the campaign are legitimate, compromised websites with high domain reputation that are easily findable via search engines.",[],{},{"nodeType":252,"data":1127,"content":1128},{},[1129],{"nodeType":256,"value":1130,"marks":1131,"data":1132},"The attacker had injected a fake Cloudflare Turnstile into the compromised websites, requiring an email address to be supplied in order to proceed. ",[],{},{"nodeType":243,"data":1134,"content":1138},{"target":1135},{"sys":1136},{"id":1137,"type":248,"linkType":249},"39jEjeLqOYIkGc4o9w3MuX",[],{"nodeType":252,"data":1140,"content":1141},{},[1142,1146,1154],{"nodeType":256,"value":1143,"marks":1144,"data":1145},"This acted as a form of ",[],{},{"nodeType":317,"data":1147,"content":1148},{"uri":574},[1149],{"nodeType":256,"value":1150,"marks":1151,"data":1153},"conditional loading",[1152],{"type":325},{},{"nodeType":256,"value":1155,"marks":1156,"data":1157}," that would only continue if a valid email address and domain was supplied, designed to prevent the page from being analyzed by security bots, analysts, and low-value accounts that run the risk of exposing the campaign before the intended recipient(s) can be phished. ",[],{},{"nodeType":252,"data":1159,"content":1160},{},[1161],{"nodeType":256,"value":1162,"marks":1163,"data":1164},"If a domain not on the target list was provided, the victim was passed back to the original website and the attack did not progress to the next stage. Further, once the check has concluded per IP, the phishing page will no longer activate, even a different email is provided.  ",[],{},{"nodeType":243,"data":1166,"content":1170},{"target":1167},{"sys":1168},{"id":1169,"type":248,"linkType":249},"7ttmGnTzi9j87tBXfyFcOA",[],{"nodeType":252,"data":1172,"content":1173},{},[1174],{"nodeType":256,"value":1175,"marks":1176,"data":1177},"After entering an approved email address, the next stage was loaded, prompting the victim to complete a set of instructions on the page to continue.",[],{},{"nodeType":243,"data":1179,"content":1183},{"target":1180},{"sys":1181},{"id":1182,"type":248,"linkType":249},"2oHYNoMgAz6MdgLlcWjbaB",[],{"nodeType":252,"data":1185,"content":1186},{},[1187],{"nodeType":256,"value":1188,"marks":1189,"data":1190},"To complete the attack, the victim must:",[],{},{"nodeType":303,"data":1192,"content":1193},{},[1194,1204,1214,1224],{"nodeType":307,"data":1195,"content":1196},{},[1197],{"nodeType":252,"data":1198,"content":1199},{},[1200],{"nodeType":256,"value":1201,"marks":1202,"data":1203},"Click the “Sign In” button. This opens a new tab that loads a legitimate Microsoft URL associated with the user account/email used to access the page.",[],{},{"nodeType":307,"data":1205,"content":1206},{},[1207],{"nodeType":252,"data":1208,"content":1209},{},[1210],{"nodeType":256,"value":1211,"marks":1212,"data":1213},"If the user is already logged into Microsoft in their browser, they simply need to select their MS account from the dropdown. Otherwise, they will be required to login via the legitimate Microsoft login URL (no phishing takes place at this stage). ",[],{},{"nodeType":307,"data":1215,"content":1216},{},[1217],{"nodeType":252,"data":1218,"content":1219},{},[1220],{"nodeType":256,"value":1221,"marks":1222,"data":1223},"Once logged into legit Microsoft or the account is selected from the dropdown, the user is redirected to localhost, which generates a URL containing a code associated with the user’s Microsoft account. ",[],{},{"nodeType":307,"data":1225,"content":1226},{},[1227],{"nodeType":252,"data":1228,"content":1229},{},[1230],{"nodeType":256,"value":1231,"marks":1232,"data":1233},"To complete the phish, the victim copies the URL and pastes it onto the original page. ",[],{},{"nodeType":243,"data":1235,"content":1239},{"target":1236},{"sys":1237},{"id":1238,"type":248,"linkType":249},"7zendMbmCViGwtEpUQvq6y",[],{"nodeType":243,"data":1241,"content":1245},{"target":1242},{"sys":1243},{"id":1244,"type":248,"linkType":249},"1eZOs7hXi9FzCE92QEP6xh",[],{"nodeType":252,"data":1247,"content":1248},{},[1249],{"nodeType":256,"value":1250,"marks":1251,"data":1252},"Once the steps are completed, the victim has granted the attacker access to their Microsoft account via Azure CLI. ",[],{},{"nodeType":252,"data":1254,"content":1255},{},[1256],{"nodeType":256,"value":1257,"marks":1258,"data":1259},"At this point, the attacker has effective control of the victim’s Microsoft account, but without ever needing to phish a password, or pass an MFA check. In fact, if the user was already logged in to their Microsoft account (i.e. they had an active session) no login is required at all. ",[],{},{"nodeType":268,"data":1261,"content":1262},{},[],{"nodeType":272,"data":1264,"content":1265},{},[1266],{"nodeType":256,"value":1267,"marks":1268,"data":1270},"The next evolution of ClickFix?",[1269],{"type":279},{},{"nodeType":252,"data":1272,"content":1273},{},[1274,1278,1287],{"nodeType":256,"value":1275,"marks":1276,"data":1277},"When we presented ",[],{},{"nodeType":317,"data":1279,"content":1281},{"uri":1280},"https://pushsecurity.com/webinar/clickfix",[1282],{"nodeType":256,"value":1283,"marks":1284,"data":1286},"our last webinar on ClickFix",[1285],{"type":325},{},{"nodeType":256,"value":1288,"marks":1289,"data":1290},", we predicted that the next evolution of the attack would happen entirely within the browser context. This is because any attack that touches the endpoint (a traditionally much better protected surface) is way more likely to be detected. And with many ClickFix attacks being used to deliver infostealer malware, these attacks are really trying to get back into the browser anyway — to steal credentials and sessions stored there. ",[],{},{"nodeType":252,"data":1292,"content":1293},{},[1294],{"nodeType":256,"value":1295,"marks":1296,"data":1297},"Let’s take a closer look at the page — if you follow Push research, you might be getting déjà vu. ",[],{},{"nodeType":243,"data":1299,"content":1303},{"target":1300},{"sys":1301},{"id":1302,"type":248,"linkType":249},"1vMZCJ92IxFdR1EzzCOOvb",[],{"nodeType":252,"data":1305,"content":1306},{},[1307,1311,1320],{"nodeType":256,"value":1308,"marks":1309,"data":1310},"We’ve seen this kind of embedded video player before (albeit a slicker looking one) that we blogged about as ",[],{},{"nodeType":317,"data":1312,"content":1314},{"uri":1313},"https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/",[1315],{"nodeType":256,"value":1316,"marks":1317,"data":1319},"the most advanced ClickFix we’d seen",[1318],{"type":325},{},{"nodeType":256,"value":921,"marks":1321,"data":1322},[],{},{"nodeType":243,"data":1324,"content":1328},{"target":1325},{"sys":1326},{"id":1327,"type":248,"linkType":249},"ID7VKJNOZk729P5zBOBjZ",[],{"nodeType":252,"data":1330,"content":1331},{},[1332,1336,1345],{"nodeType":256,"value":1333,"marks":1334,"data":1335},"Another similarity with ClickFix campaigns we’ve investigated is the use of Google Search as a delivery vector. 4 in 5 ClickFix attacks intercepted by Push came via Google Search, with attackers using ",[],{},{"nodeType":317,"data":1337,"content":1339},{"uri":1338},"https://phishing-techniques.pushsecurity.com/techniques/malvertising/",[1340],{"nodeType":256,"value":1341,"marks":1342,"data":1344},"malvertising",[1343],{"type":325},{},{"nodeType":256,"value":1346,"marks":1347,"data":1348}," and either compromised or custom vibe-coded websites to intercept users as they browse the internet. ",[],{},{"nodeType":252,"data":1350,"content":1351},{},[1352],{"nodeType":256,"value":1353,"marks":1354,"data":1355},"So it seems highly likely that this is a kind of browser-native evolution of ClickFix that shares many elements with typical ClickFix attacks, and is probably used by the same groups of attackers.",[],{},{"nodeType":268,"data":1357,"content":1358},{},[],{"nodeType":272,"data":1360,"content":1361},{},[1362],{"nodeType":256,"value":1363,"marks":1364,"data":1366},"OAuth shenanigans via Azure CLI",[1365],{"type":279},{},{"nodeType":252,"data":1368,"content":1369},{},[1370],{"nodeType":256,"value":1371,"marks":1372,"data":1373},"The clever use of Azure CLI and OAuth consent abuse is another clever iteration on previous techniques. ",[],{},{"nodeType":252,"data":1375,"content":1376},{},[1377,1381,1390,1394,1403,1407,1416],{"nodeType":256,"value":1378,"marks":1379,"data":1380},"We’ve previously seen ",[],{},{"nodeType":317,"data":1382,"content":1384},{"uri":1383},"https://phishing-techniques.pushsecurity.com/techniques/consent-phishing/",[1385],{"nodeType":256,"value":1386,"marks":1387,"data":1389},"consent phishing",[1388],{"type":325},{},{"nodeType":256,"value":1391,"marks":1392,"data":1393}," and ",[],{},{"nodeType":317,"data":1395,"content":1397},{"uri":1396},"https://phishing-techniques.pushsecurity.com/techniques/device-code-phishing/",[1398],{"nodeType":256,"value":1399,"marks":1400,"data":1402},"device code phishing",[1401],{"type":325},{},{"nodeType":256,"value":1404,"marks":1405,"data":1406}," attacks where attackers have tricked victims into connecting malicious external apps into their tenant via OAuth, but this is becoming increasingly difficult in core enterprise cloud environments like Azure due to ",[],{},{"nodeType":317,"data":1408,"content":1410},{"uri":1409},"https://learn.microsoft.com/en-us/microsoft-365/admin/misc/user-consent?view=o365-worldwide",[1411],{"nodeType":256,"value":1412,"marks":1413,"data":1415},"stricter default configs",[1414],{"type":325},{},{"nodeType":256,"value":1417,"marks":1418,"data":1419},". However, since Azure CLI is a first-party Microsoft app, it is implicitly trusted in Entra ID, and is excluded from these restrictions. ",[],{},{"nodeType":252,"data":1421,"content":1422},{},[1423,1427],{"nodeType":256,"value":1424,"marks":1425,"data":1426},"First-party apps like Azure CLI are trusted by default in all tenants, allowed to request permissions without admin approval, and cannot be deleted or blocked. They can also be granted special permissions, such as tenant-wide service permissions (without needing admin approval), use of legacy or undocumented graph scopes, internal scopes for Microsoft client operations, and permissions for Office/Entra admin functions. ",[],{},{"nodeType":256,"value":1428,"marks":1429,"data":1431},"This makes Azure CLI a prime target for attackers, and significantly more exploitable than when connecting a third-party app. ",[1430],{"type":279},{},{"nodeType":268,"data":1433,"content":1434},{},[],{"nodeType":272,"data":1436,"content":1437},{},[1438],{"nodeType":256,"value":1439,"marks":1440,"data":1442},"Advanced detection evasion techniques",[1441],{"type":279},{},{"nodeType":252,"data":1444,"content":1445},{},[1446,1450,1456],{"nodeType":256,"value":1447,"marks":1448,"data":1449},"This campaign features some of the most advanced ",[],{},{"nodeType":317,"data":1451,"content":1452},{"uri":508},[1453],{"nodeType":256,"value":511,"marks":1454,"data":1455},[],{},{"nodeType":256,"value":1457,"marks":1458,"data":1459}," we've seen in the wild. ",[],{},{"nodeType":252,"data":1461,"content":1462},{},[1463],{"nodeType":256,"value":1464,"marks":1465,"data":1466},"As well as the use of Google Search to deliver the lure, and bot protection to prevent security tools from analyzing the page, there were multiple layers of anti-analysis techniques to navigate.",[],{},{"nodeType":252,"data":1468,"content":1469},{},[1470,1474,1479],{"nodeType":256,"value":1471,"marks":1472,"data":1473},"We already mentioned the use of selective targeting based on email addresses and domain names. But all sites involved in the campaign also have synchronized IP blocking — meaning if you visit one site and are served one of the associated phishing pages, the phish will never be served again, ",[],{},{"nodeType":256,"value":1475,"marks":1476,"data":1478},"across any of the sites linked to the campaign",[1477],{"type":279},{},{"nodeType":256,"value":1480,"marks":1481,"data":1482},". When you visit any of the sites again, the phish won't trigger, and it can be browsed as normal. ",[],{},{"nodeType":252,"data":1484,"content":1485},{},[1486],{"nodeType":256,"value":1487,"marks":1488,"data":1489},"On the backend, there are multiple checks based on your IP and identifiers unique to your session. Unless all of the conditions are met, certain JavaScript packages won't be served — preventing full inspection of the page to detect malicious elements. ",[],{},{"nodeType":252,"data":1491,"content":1492},{},[1493],{"nodeType":256,"value":1494,"marks":1495,"data":1496},"If the conditions aren't met, the page may not load the Cloudflare Turnstile check at all, or will redirect you back to the site to continue browsing as normal.",[],{},{"nodeType":243,"data":1498,"content":1502},{"target":1499},{"sys":1500},{"id":1501,"type":248,"linkType":249},"5v0zDoscA6pYLBfkXrNtIH",[],{"nodeType":252,"data":1504,"content":1505},{},[1506],{"nodeType":256,"value":1507,"marks":1508,"data":1509},"All of these make it incredibly hard to detect and block these attacks ahead of time when relying on URL-based checks and traffic analysis.",[],{},{"nodeType":268,"data":1511,"content":1512},{},[],{"nodeType":272,"data":1514,"content":1515},{},[1516],{"nodeType":256,"value":1517,"marks":1518,"data":1520},"Key takeaways",[1519],{"type":279},{},{"nodeType":252,"data":1522,"content":1523},{},[1524],{"nodeType":256,"value":1525,"marks":1526,"data":1527},"ConsentFix is a dangerous evolution of ClickFix and consent phishing that is incredibly hard for traditional security tools to detect and block, as:",[],{},{"nodeType":303,"data":1529,"content":1530},{},[1531,1541,1551,1561,1571],{"nodeType":307,"data":1532,"content":1533},{},[1534],{"nodeType":252,"data":1535,"content":1536},{},[1537],{"nodeType":256,"value":1538,"marks":1539,"data":1540},"The attack happens entirely inside the browser context, removing one of the key detection opportunities for ClickFix (because it doesn’t touch the endpoint).",[],{},{"nodeType":307,"data":1542,"content":1543},{},[1544],{"nodeType":252,"data":1545,"content":1546},{},[1547],{"nodeType":256,"value":1548,"marks":1549,"data":1550},"Delivering the lure via a Google Search watering hole attack completely circumvents email-based anti-phishing controls.",[],{},{"nodeType":307,"data":1552,"content":1553},{},[1554],{"nodeType":252,"data":1555,"content":1556},{},[1557],{"nodeType":256,"value":1558,"marks":1559,"data":1560},"Targeting a first-party app like Azure CLI means that many of the mitigating controls available for third-party app integrations do not apply — making this attack way harder to prevent.",[],{},{"nodeType":307,"data":1562,"content":1563},{},[1564],{"nodeType":252,"data":1565,"content":1566},{},[1567],{"nodeType":256,"value":1568,"marks":1569,"data":1570},"Because there’s no login required, phishing-resistant authentication controls like passkeys have no impact on this attack. ",[],{},{"nodeType":307,"data":1572,"content":1573},{},[1574],{"nodeType":252,"data":1575,"content":1576},{},[1577],{"nodeType":256,"value":1578,"marks":1579,"data":1580},"The use of advanced detection evasion techniques makes this attack difficult to investigate, meaning these attacks are going undetected. ",[],{},{"nodeType":252,"data":1582,"content":1583},{},[1584],{"nodeType":256,"value":1585,"marks":1586,"data":1587},"We’re sure to see more examples of ConsentFix in future. We’ll be monitoring to see how attackers adapt in terms of integrating these capabilities with common as-a-Service offerings to make them more widespread, and whether the scope extends further beyond Microsoft / Azure CLI targets in the future to target other enterprise cloud ecosystems. ",[],{},{"nodeType":268,"data":1589,"content":1590},{},[],{"nodeType":272,"data":1592,"content":1593},{},[1594],{"nodeType":256,"value":1595,"marks":1596,"data":1598},"Recommendations",[1597],{"type":279},{},{"nodeType":243,"data":1600,"content":1604},{"target":1601},{"sys":1602},{"id":1603,"type":248,"linkType":249},"3aBCwdB2aNnLRxRN5RrshC",[],{"nodeType":252,"data":1606,"content":1607},{},[1608],{"nodeType":256,"value":1609,"marks":1610,"data":1611},"On the backend, exploitation of this attack will lead to login events being observed to the Microsoft Azure CLI app. It’s likely that any legitimate use of this will most likely be limited to system administrators and possibly developers. Therefore, logins outside of these groups will be inherently more suspicious.",[],{},{"nodeType":252,"data":1613,"content":1614},{},[1615],{"nodeType":256,"value":1616,"marks":1617,"data":1618},"Additionally, it’s possible that aspects of the logins themselves will be different between legitimate Azure CLI use and exploitation of this attack. For example, see the following logs from a lab environment. The login events with an application of  “Microsoft Azure CLI” and a resource of “Azure Resource Manager” was legitimate use of the Azure CLI using the powershell CLI framework. Conversely, the login event with the Resource of “Windows Azure Active Directory” was produced by logging in using the method used by the phishing kit.",[],{},{"nodeType":243,"data":1620,"content":1624},{"target":1621},{"sys":1622},{"id":1623,"type":248,"linkType":249},"6ie0nkk6XbgwidfwmiGwL4",[],{"nodeType":252,"data":1626,"content":1627},{},[1628],{"nodeType":256,"value":1629,"marks":1630,"data":1631},"There is no guarantee this can be used to differentiate between legitimate and malicious examples, but it’s another data point to consider. If searching logs you may wish to use the respective GUIDs for these:",[],{},{"nodeType":303,"data":1633,"content":1634},{},[1635,1650],{"nodeType":307,"data":1636,"content":1637},{},[1638],{"nodeType":252,"data":1639,"content":1640},{},[1641,1646],{"nodeType":256,"value":1642,"marks":1643,"data":1645},"Application ID",[1644],{"type":279},{},{"nodeType":256,"value":1647,"marks":1648,"data":1649}," = 04b07795-8ddb-461a-bbee-02f9e1bf7b46",[],{},{"nodeType":307,"data":1651,"content":1652},{},[1653],{"nodeType":252,"data":1654,"content":1655},{},[1656,1661],{"nodeType":256,"value":1657,"marks":1658,"data":1660},"Resource ID",[1659],{"type":279},{},{"nodeType":256,"value":1662,"marks":1663,"data":1664}," = 00000002-0000-0000-c000-000000000000",[],{},{"nodeType":252,"data":1666,"content":1667},{},[1668],{"nodeType":256,"value":1669,"marks":1670,"data":1671},"For interactive logins, like above, you cannot rely on looking for logins from suspicious IP addresses or locations. The login itself occurs from the victims browser directly to Microsoft, and so the IP addresses associated with these events will be the legitimate IP used by the target user, not by the threat actor. ",[],{},{"nodeType":252,"data":1673,"content":1674},{},[1675],{"nodeType":256,"value":1676,"marks":1677,"data":1678},"However, for non-interactive logins and other audit logs for actions taken, you may be able to uncover unusual IP addresses that differ from the original interactive login. For example, here are some non-interactive logins that were observed immediately after compromise that came from different IP addresses in both the US and Indonesia.",[],{},{"nodeType":243,"data":1680,"content":1684},{"target":1681},{"sys":1682},{"id":1683,"type":248,"linkType":249},"TD3YeWqgGIWIWM8FRHU4o",[],{"nodeType":252,"data":1686,"content":1687},{},[1688],{"nodeType":256,"value":1689,"marks":1690,"data":1691},"Interestingly, they differ in which resources they accessed, with one accessing the Windows Azure Active Directory resource ID like the interactive login, but two others accessing the Microsoft Intune Checkin resource ID. ",[],{},{"nodeType":243,"data":1693,"content":1697},{"target":1694},{"sys":1695},{"id":1696,"type":248,"linkType":249},"57PqDQiAiwzqkspVpROQXb",[],{"nodeType":1699,"data":1700,"content":1701},"heading-2",{},[1702],{"nodeType":256,"value":1703,"marks":1704,"data":1706},"IoCs",[1705],{"type":279},{},{"nodeType":252,"data":1708,"content":1709},{},[1710,1714,1723],{"nodeType":256,"value":1711,"marks":1712,"data":1713},"Short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":317,"data":1715,"content":1717},{"uri":1716},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[1718],{"nodeType":256,"value":1719,"marks":1720,"data":1722},"quickly spin up and rotate the sites used",[1721],{"type":325},{},{"nodeType":256,"value":1724,"marks":1725,"data":1726}," in the attack chain, often dynamically serving different URLs to site visitors. ",[],{},{"nodeType":252,"data":1728,"content":1729},{},[1730],{"nodeType":256,"value":1731,"marks":1732,"data":1733},"That said, the domains used to deliver the final phishing payload were:",[],{},{"nodeType":303,"data":1735,"content":1736},{},[1737,1747,1757],{"nodeType":307,"data":1738,"content":1739},{},[1740],{"nodeType":252,"data":1741,"content":1742},{},[1743],{"nodeType":256,"value":1744,"marks":1745,"data":1746},"hxxps://trustpointassurance.com/",[],{},{"nodeType":307,"data":1748,"content":1749},{},[1750],{"nodeType":252,"data":1751,"content":1752},{},[1753],{"nodeType":256,"value":1754,"marks":1755,"data":1756},"hxxps://fastwaycheck.com/",[],{},{"nodeType":307,"data":1758,"content":1759},{},[1760],{"nodeType":252,"data":1761,"content":1762},{},[1763],{"nodeType":256,"value":1764,"marks":1765,"data":1766},"hxxps://previewcentral.com",[],{},{"nodeType":252,"data":1768,"content":1769},{},[1770],{"nodeType":256,"value":1771,"marks":1772,"data":1773},"In addition, we recommend hunting for connections from the following IPs in Azure logs:",[],{},{"nodeType":303,"data":1775,"content":1776},{},[1777,1787,1797],{"nodeType":307,"data":1778,"content":1779},{},[1780],{"nodeType":252,"data":1781,"content":1782},{},[1783],{"nodeType":256,"value":1784,"marks":1785,"data":1786},"12.75.216.90",[],{},{"nodeType":307,"data":1788,"content":1789},{},[1790],{"nodeType":252,"data":1791,"content":1792},{},[1793],{"nodeType":256,"value":1794,"marks":1795,"data":1796},"182.3.36.223",[],{},{"nodeType":307,"data":1798,"content":1799},{},[1800],{"nodeType":252,"data":1801,"content":1802},{},[1803],{"nodeType":256,"value":1804,"marks":1805,"data":1806},"12.75.116.137",[],{},{"nodeType":268,"data":1808,"content":1809},{},[],{"nodeType":272,"data":1811,"content":1812},{},[1813],{"nodeType":256,"value":1814,"marks":1815,"data":1817},"How Push stopped the attack",[1816],{"type":279},{},{"nodeType":252,"data":1819,"content":1820},{},[1821],{"nodeType":256,"value":1822,"marks":1823,"data":1824},"Even though this was a brand new technique, Push intercepted this attack and shut it down before customers could interact with it. ",[],{},{"nodeType":243,"data":1826,"content":1830},{"target":1827},{"sys":1828},{"id":1829,"type":248,"linkType":249},"5YzpiQH974EYA5iPPZMXkV",[],{"nodeType":252,"data":1832,"content":1833},{},[1834,1838,1846],{"nodeType":256,"value":1835,"marks":1836,"data":1837},"Push doesn’t detect the redirect tricks or rely on outdated domain TI feeds. The reason we detect these attacks (which make it through all the other layers of phishing protection) is that Push sees what your users see. It doesn’t matter what ",[],{},{"nodeType":317,"data":1839,"content":1840},{"uri":508},[1841],{"nodeType":256,"value":1842,"marks":1843,"data":1845},"delivery channel or camouflage methods are used",[1844],{"type":325},{},{"nodeType":256,"value":1847,"marks":1848,"data":1849},", Push shuts the attack down in real time, as the user loads the malicious page in their web browser.",[],{},{"nodeType":252,"data":1851,"content":1852},{},[1853],{"nodeType":256,"value":1854,"marks":1855,"data":1856},"This isn’t all we do: Push’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":252,"data":1858,"content":1859},{},[1860,1863,1870,1873,1880],{"nodeType":256,"value":895,"marks":1861,"data":1862},[],{},{"nodeType":317,"data":1864,"content":1865},{"uri":900},[1866],{"nodeType":256,"value":903,"marks":1867,"data":1869},[1868],{"type":325},{},{"nodeType":256,"value":908,"marks":1871,"data":1872},[],{},{"nodeType":317,"data":1874,"content":1875},{"uri":913},[1876],{"nodeType":256,"value":916,"marks":1877,"data":1879},[1878],{"type":325},{},{"nodeType":256,"value":921,"marks":1881,"data":1882},[],{},{"nodeType":243,"data":1884,"content":1887},{"target":1885},{"sys":1886},{"id":928,"type":248,"linkType":249},[],{"nodeType":252,"data":1889,"content":1890},{},[1891],{"nodeType":256,"value":29,"marks":1892,"data":1893},[],{},"ConsentFix: Analyzing a browser-native ClickFix-style attack that hijacks OAuth consent grants","Analyzing \"ConsentFix\", a new browser-native attack technique we've detected in the wild, combining OAuth consent phishing with a ClickFix-style user prompt. ","2025-12-11T00:00:00.000Z","consentfix",{"items":1899},[1900,1904],{"sys":1901,"name":1903},{"id":1902},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1905,"name":1907},{"id":1906},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1909},[1910],{"fullName":1911,"firstName":1912,"jobTitle":1913,"profilePicture":1914},"Luke Jennings","Luke","Vice President, R&D",{"url":1915},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"__typename":1041,"sys":1917,"content":1919,"title":2503,"synopsis":2504,"hashTags":62,"publishedDate":2505,"slug":2506,"tagsCollection":2507,"authorsCollection":2513},{"id":1918},"6Zosy4SU0LpjlaSWX75peb",{"json":1920},{"data":1921,"content":1922,"nodeType":239},{},[1923,1930,1937,1944,1950,1957,1960,1968,1975,1982,1989,1995,2002,2008,2015,2021,2028,2034,2065,2072,2078,2085,2091,2098,2104,2111,2154,2157,2165,2172,2179,2186,2192,2195,2203,2210,2230,2236,2242,2248,2255,2261,2267,2287,2290,2298,2317,2323,2330,2348,2356,2363,2370,2377,2396,2404,2411,2417,2420,2427,2434,2441,2444,2452,2459,2466,2492,2497],{"data":1924,"content":1925,"nodeType":252},{},[1926],{"data":1927,"marks":1928,"value":1929,"nodeType":256},{},[],"We recently investigated a sophisticated phishing campaign targeting Google Workspace and Facebook Business accounts with Calendly-themed phishing lures, based around a fake job opportunity. ",{"data":1931,"content":1932,"nodeType":252},{},[1933],{"data":1934,"marks":1935,"value":1936,"nodeType":256},{},[],"We were first alerted to the campaign when a Push customer was hit with a highly targeted email-based attack, where the attacker used an Attacker-in-the-Middle (AiTM) phishing toolkit to target the customer’s Google Workspace account. ",{"data":1938,"content":1939,"nodeType":252},{},[1940],{"data":1941,"marks":1942,"value":1943,"nodeType":256},{},[],"In this case, Google was the customer’s primary enterprise IdP account, used to access native Google suite apps as well as SSO to downstream apps — effectively, the front door to their business IT stack. Despite this, the attacker’s MO was specifically the takeover of accounts used for the management of digital ads. ",{"data":1945,"content":1949,"nodeType":243},{"target":1946},{"sys":1947},{"id":1948,"type":248,"linkType":249},"5oivBCf1Fqvnq0GNCSko8f",[],{"data":1951,"content":1952,"nodeType":252},{},[1953],{"data":1954,"marks":1955,"value":1956,"nodeType":256},{},[],"In this blog post, we break down the various TTPs used by the attacker across the campaign, and consider why ad management platforms are being specifically targeted.  ",{"data":1958,"content":1959,"nodeType":268},{},[],{"data":1961,"content":1962,"nodeType":272},{},[1963],{"data":1964,"marks":1965,"value":1967,"nodeType":256},{},[1966],{"type":279},"Variant 1: Targeting Google Workspace with a sophisticated email phish ",{"data":1969,"content":1970,"nodeType":252},{},[1971],{"data":1972,"marks":1973,"value":1974,"nodeType":256},{},[],"The first phishing variant we analyzed began with a multi-stage phishing email lure, framed as a job opportunity for LVMH (Louis Vuitton Moët Hennessy), which oversees more than 75 brands across sectors like fashion, cosmetics, watches, and spirits. The specific delivery address is impersonating “Inside LVMH”, the talent acquisition and training arm of LVMH.  ",{"data":1976,"content":1977,"nodeType":252},{},[1978],{"data":1979,"marks":1980,"value":1981,"nodeType":256},{},[],"This lure is notable for multiple reasons. It is highly targeted, well-written, populated with information from the victim, and coming from what appears to be a legitimate employee of LVMH. Even if the victim was initially suspicious, searching for the recruiter’s name would appear to confirm their identity.  ",{"data":1983,"content":1984,"nodeType":252},{},[1985],{"data":1986,"marks":1987,"value":1988,"nodeType":256},{},[],"It is possible, even likely, that this interaction was operated using AI, using information scraped from the internet — but in any case, the outcome achieved is highly convincing. ",{"data":1990,"content":1994,"nodeType":243},{"target":1991},{"sys":1992},{"id":1993,"type":248,"linkType":249},"46BYpquURERbkhWc6C2Lpc",[],{"data":1996,"content":1997,"nodeType":252},{},[1998],{"data":1999,"marks":2000,"value":2001,"nodeType":256},{},[],"Only after the victim has responded to an initial email was the phishing link delivered under the guise of a Calendly link to book time for a call. ",{"data":2003,"content":2007,"nodeType":243},{"target":2004},{"sys":2005},{"id":2006,"type":248,"linkType":249},"37GBkfXGEdWvdQbMq65sad",[],{"data":2009,"content":2010,"nodeType":252},{},[2011],{"data":2012,"marks":2013,"value":2014,"nodeType":256},{},[],"Clicking the link takes the victim to an authentic-looking page impersonating a Calendly landing page.",{"data":2016,"content":2020,"nodeType":243},{"target":2017},{"sys":2018},{"id":2019,"type":248,"linkType":249},"1DwOPzK7mxsoJlEBp8cMpr",[],{"data":2022,"content":2023,"nodeType":252},{},[2024],{"data":2025,"marks":2026,"value":2027,"nodeType":256},{},[],"After completing the CAPTCHA check and selecting \"Continue with Google” the victim is redirected to an AiTM phishing page designed to capture Google Workspace credentials, with specific branding impersonating Calendly — making this visually distinct from most common Google-themed phishing pages. ",{"data":2029,"content":2033,"nodeType":243},{"target":2030},{"sys":2031},{"id":2032,"type":248,"linkType":249},"u1SY1uUX23sxfBYLpyaKb",[],{"data":2035,"content":2036,"nodeType":252},{},[2037,2041,2049,2053,2061],{"data":2038,"marks":2039,"value":2040,"nodeType":256},{},[],"This page uses ",{"data":2042,"content":2043,"nodeType":317},{"uri":574},[2044],{"data":2045,"marks":2046,"value":2048,"nodeType":256},{},[2047],{"type":325},"specific targeting parameters",{"data":2050,"marks":2051,"value":2052,"nodeType":256},{},[]," to ensure that only the intended recipient is able to access the page’s malicious functionality — a well-known ",{"data":2054,"content":2055,"nodeType":317},{"uri":508},[2056],{"data":2057,"marks":2058,"value":2060,"nodeType":256},{},[2059],{"type":325},"detection evasion technique",{"data":2062,"marks":2063,"value":2064,"nodeType":256},{},[]," to prevent security analysts from being able to fully analyse the page (as malicious elements are not rendered until this check is completed). ",{"data":2066,"content":2067,"nodeType":252},{},[2068],{"data":2069,"marks":2070,"value":2071,"nodeType":256},{},[],"As you can see in the example below, attempts to use any email other than the intended victim’s email domain are blocked.   ",{"data":2073,"content":2077,"nodeType":243},{"target":2074},{"sys":2075},{"id":2076,"type":248,"linkType":249},"5m8LvVYjXz0zrITgTWqxio",[],{"data":2079,"content":2080,"nodeType":252},{},[2081],{"data":2082,"marks":2083,"value":2084,"nodeType":256},{},[],"Only entering an allowed email domain loads the password entry field. ",{"data":2086,"content":2090,"nodeType":243},{"target":2087},{"sys":2088},{"id":2089,"type":248,"linkType":249},"6KFRJSsgk2pB6x67kWdpws",[],{"data":2092,"content":2093,"nodeType":252},{},[2094],{"data":2095,"marks":2096,"value":2097,"nodeType":256},{},[],"We identified a number of pages that appear to be part of the same campaign. All these pages have the same visual style, Calendly-themed lure targeting Google Workspace accounts, and appear to match real employees of the respective companies being impersonated. ",{"data":2099,"content":2103,"nodeType":243},{"target":2100},{"sys":2101},{"id":2102,"type":248,"linkType":249},"zMkN1U5QlvIEcfOGmhBBf",[],{"data":2105,"content":2106,"nodeType":252},{},[2107],{"data":2108,"marks":2109,"value":2110,"nodeType":256},{},[],"The different pages include:",{"data":2112,"content":2113,"nodeType":303},{},[2114,2124,2134,2144],{"data":2115,"content":2116,"nodeType":307},{},[2117],{"data":2118,"content":2119,"nodeType":252},{},[2120],{"data":2121,"marks":2122,"value":2123,"nodeType":256},{},[],"A different visual match for the LVMH page.",{"data":2125,"content":2126,"nodeType":307},{},[2127],{"data":2128,"content":2129,"nodeType":252},{},[2130],{"data":2131,"marks":2132,"value":2133,"nodeType":256},{},[],"A Lego recruitment themed page.",{"data":2135,"content":2136,"nodeType":307},{},[2137],{"data":2138,"content":2139,"nodeType":252},{},[2140],{"data":2141,"marks":2142,"value":2143,"nodeType":256},{},[],"A Mastercard HR themed page.",{"data":2145,"content":2146,"nodeType":307},{},[2147],{"data":2148,"content":2149,"nodeType":252},{},[2150],{"data":2151,"marks":2152,"value":2153,"nodeType":256},{},[],"An Uber recruitment themed page.",{"data":2155,"content":2156,"nodeType":268},{},[],{"data":2158,"content":2159,"nodeType":272},{},[2160],{"data":2161,"marks":2162,"value":2164,"nodeType":256},{},[2163],{"type":279},"Variant 2: Targeting Facebook Business accounts",{"data":2166,"content":2167,"nodeType":252},{},[2168],{"data":2169,"marks":2170,"value":2171,"nodeType":256},{},[],"Upon further investigation, we found links to a second phishing page style that appears to be part of a longer campaign targeting Facebook accounts, dating back more than two years. ",{"data":2173,"content":2174,"nodeType":252},{},[2175],{"data":2176,"marks":2177,"value":2178,"nodeType":256},{},[],"In total, we identified 31 unique URLs associated with the same campaign, many of which were recycled over time to impersonate different brands. ",{"data":2180,"content":2181,"nodeType":252},{},[2182],{"data":2183,"marks":2184,"value":2185,"nodeType":256},{},[],"Since most of these pages appeared to be older (and no longer live) they could not be analysed further, beyond giving an indication of how the phishing campaign has evolved over time. ",{"data":2187,"content":2191,"nodeType":243},{"target":2188},{"sys":2189},{"id":2190,"type":248,"linkType":249},"5PFRI9XtNVdkpYiRoIYpF",[],{"data":2193,"content":2194,"nodeType":268},{},[],{"data":2196,"content":2197,"nodeType":272},{},[2198],{"data":2199,"marks":2200,"value":2202,"nodeType":256},{},[2201],{"type":279},"Variant 3: Targeting both Google and Facebook accounts",{"data":2204,"content":2205,"nodeType":252},{},[2206],{"data":2207,"marks":2208,"value":2209,"nodeType":256},{},[],"We also discovered a third, more recent variant targeting both Google and Facebook accounts with Calendly-styled pages.",{"data":2211,"content":2212,"nodeType":252},{},[2213,2217,2226],{"data":2214,"marks":2215,"value":2216,"nodeType":256},{},[],"This variant looks to leverage a Browser-in-the-Browser style pop-up window similar to the ",{"data":2218,"content":2220,"nodeType":317},{"uri":2219},"https://pushsecurity.com/blog/analyzing-the-latest-sneaky2fa-phishing-page/",[2221],{"data":2222,"marks":2223,"value":2225,"nodeType":256},{},[2224],{"type":325},"Sneaky2FA attacks we reported on recently",{"data":2227,"marks":2228,"value":2229,"nodeType":256},{},[],". BITB allows the attacker to mask the phishing page URL by presenting a fake URL set by the attacker, inside a pop-up login window. ",{"data":2231,"content":2235,"nodeType":243},{"target":2232},{"sys":2233},{"id":2234,"type":248,"linkType":249},"7w4cmyqPvhxAFrokaK9CE1",[],{"data":2237,"content":2241,"nodeType":243},{"target":2238},{"sys":2239},{"id":2240,"type":248,"linkType":249},"6FUSNecz0BXLxJxoJTsALD",[],{"data":2243,"content":2247,"nodeType":243},{"target":2244},{"sys":2245},{"id":2246,"type":248,"linkType":249},"2zwFDrgsLuxi4Xv2q0nPFK",[],{"data":2249,"content":2250,"nodeType":252},{},[2251],{"data":2252,"marks":2253,"value":2254,"nodeType":256},{},[],"The attacker also implemented additional anti-analysis functionality, beyond the specific domain targeting we observed in the first page variant — the result of which meant the page IP blocked us from interacting with it further. ",{"data":2256,"content":2260,"nodeType":243},{"target":2257},{"sys":2258},{"id":2259,"type":248,"linkType":249},"3ZPdxi5cGZcn5hF1ISIUa7",[],{"data":2262,"content":2266,"nodeType":243},{"target":2263},{"sys":2264},{"id":2265,"type":248,"linkType":249},"3J5pmgNL9LevE1FdX4oksf",[],{"data":2268,"content":2269,"nodeType":252},{},[2270,2274,2283],{"data":2271,"marks":2272,"value":2273,"nodeType":256},{},[],"Often ",{"data":2275,"content":2277,"nodeType":317},{"uri":2276},"https://phishing-techniques.pushsecurity.com/techniques/anti-sandbox/",[2278],{"data":2279,"marks":2280,"value":2282,"nodeType":256},{},[2281],{"type":325},"accessing dev tools",{"data":2284,"marks":2285,"value":2286,"nodeType":256},{},[]," on a page is enough to trigger this, specifically targeting security analysts and web-crawling security bots/tools. ",{"data":2288,"content":2289,"nodeType":268},{},[],{"data":2291,"content":2292,"nodeType":272},{},[2293],{"data":2294,"marks":2295,"value":2297,"nodeType":256},{},[2296],{"type":279},"Why are attackers targeting business ad management accounts?",{"data":2299,"content":2300,"nodeType":252},{},[2301,2305,2313],{"data":2302,"marks":2303,"value":2304,"nodeType":256},{},[],"The campaign shows signs of being a long-running, targeted initiative focused on compromising accounts responsible for managing digital ads on behalf of businesses. The attackers have demonstrated that they are continuing to iterate on their TTPs, introducing new page styles with increased sophistication, and new ",{"data":2306,"content":2308,"nodeType":317},{"uri":2307},"https://phishing-techniques.pushsecurity.com/#techniques-table",[2309],{"data":2310,"marks":2311,"value":511,"nodeType":256},{},[2312],{"type":325},{"data":2314,"marks":2315,"value":2316,"nodeType":256},{},[]," to defeat security analysis tools.  ",{"data":2318,"content":2322,"nodeType":243},{"target":2319},{"sys":2320},{"id":2321,"type":248,"linkType":249},"m5GsTsDb55T70MU2m72B1",[],{"data":2324,"content":2325,"nodeType":252},{},[2326],{"data":2327,"marks":2328,"value":2329,"nodeType":256},{},[],"We also discovered that Google recently issued a security warning specifically for agency organizations managing ads for a number of businesses, urging them to create security alerts whenever a new account is added to a Manager Account (MCC) used to view and manage multiple Google Ads accounts from a single view. ",{"data":2331,"content":2332,"nodeType":252},{},[2333,2337,2344],{"data":2334,"marks":2335,"value":2336,"nodeType":256},{},[],"With malvertising on the rise as an increasingly popular attack vector for the delivery of AITM phishing, malware downloads, and ",{"data":2338,"content":2339,"nodeType":317},{"uri":1313},[2340],{"data":2341,"marks":2342,"value":735,"nodeType":256},{},[2343],{"type":325},{"data":2345,"marks":2346,"value":2347,"nodeType":256},{},[]," (4 in 5 ClickFix attacks intercepted by Push were delivered via Google Search), it makes sense that attackers are looking to increase their web of accounts from which to launch malicious ads. ",{"data":2349,"content":2350,"nodeType":1699},{},[2351],{"data":2352,"marks":2353,"value":2355,"nodeType":256},{},[2354],{"type":279},"Why are attackers turning to malvertising?",{"data":2357,"content":2358,"nodeType":252},{},[2359],{"data":2360,"marks":2361,"value":2362,"nodeType":256},{},[],"Malvertising attacks delivered over search engines (e.g. Google Search) and social media apps (Facebook, LinkedIn, etc.) are a great way to catch victims unawares while also evading typically email-based anti-phishing controls. ",{"data":2364,"content":2365,"nodeType":252},{},[2366],{"data":2367,"marks":2368,"value":2369,"nodeType":256},{},[],"The flipside of this is that malvertising attacks are less likely to be targeted than phishing delivered directly to the victim via a direct message (i.e. email, social media DM, instant messenger app, SMS, etc.). ",{"data":2371,"content":2372,"nodeType":252},{},[2373],{"data":2374,"marks":2375,"value":2376,"nodeType":256},{},[],"However, that isn’t to say that malvertising attacks can’t be targeted. For example, Google Ads can be targeted to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). If you know where your target organization is located, you can tailor the ad to that location. Even more precise ad targeting can be achieved on social media platforms. ",{"data":2378,"content":2379,"nodeType":252},{},[2380,2384,2392],{"data":2381,"marks":2382,"value":2383,"nodeType":256},{},[],"Malvertising is an effective way to launch “watering hole” style attacks, casting a wide net to harvest credentials and account access that can be re-sold to other criminals for a fee, or leveraged by partners in the cybercriminal ecosystem as part of major cyber breaches (such as the recent attacks by the “",{"data":2385,"content":2387,"nodeType":317},{"uri":2386},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[2388],{"data":2389,"marks":2390,"value":446,"nodeType":256},{},[2391],{"type":325},{"data":2393,"marks":2394,"value":2395,"nodeType":256},{},[],"” criminal collective, all of which began with identity-based initial access). For this reason, credentials and access are an increasingly profitable commodity for cyber criminals. ",{"data":2397,"content":2398,"nodeType":1699},{},[2399],{"data":2400,"marks":2401,"value":2403,"nodeType":256},{},[2402],{"type":279},"Additional considerations",{"data":2405,"content":2406,"nodeType":252},{},[2407],{"data":2408,"marks":2409,"value":2410,"nodeType":256},{},[],"As previously mentioned, compromising a Google Workspace account (particularly where it is the primary enterprise cloud platform used by the organization) provides comprehensive access to business apps, data, and functionality that can be exploited by attackers — effectively, it’s the access point to modern business IT. There’s a good chance that attackers establishing a foothold in this way would look to leverage this access further, or at least sell on that access to a criminal group looking to take the attack further. ",{"data":2412,"content":2416,"nodeType":243},{"target":2413},{"sys":2414},{"id":2415,"type":248,"linkType":249},"7jnQqRk0JuqEtrQ3HXy3f8",[],{"data":2418,"content":2419,"nodeType":268},{},[],{"data":2421,"content":2422,"nodeType":272},{},[2423],{"data":2424,"marks":2425,"value":1703,"nodeType":256},{},[2426],{"type":279},{"data":2428,"content":2429,"nodeType":252},{},[2430],{"data":2431,"marks":2432,"value":2433,"nodeType":256},{},[],"We have opted not to provide the domains associated with that campaign to preserve the privacy of the individuals being impersonated by the attacker. In many cases, their full name was included in the URL for the phishing page, while their name and profile picture (most likely scraped from LinkedIn) are also visible on the landing page. ",{"data":2435,"content":2436,"nodeType":252},{},[2437],{"data":2438,"marks":2439,"value":2440,"nodeType":256},{},[],"However, with the rate at which these domains were spun up and subsequently taken down (by the attacker or the site hosting the links) IoC-based detections for campaigns such as this are of limited value. ",{"data":2442,"content":2443,"nodeType":268},{},[],{"data":2445,"content":2446,"nodeType":272},{},[2447],{"data":2448,"marks":2449,"value":2451,"nodeType":256},{},[2450],{"type":279},"Learn more about Push",{"data":2453,"content":2454,"nodeType":252},{},[2455],{"data":2456,"marks":2457,"value":2458,"nodeType":256},{},[],"Push researchers are continuously analysing and developing new detections based on the latest phishing kits and TTPs which enables us to stay two steps ahead of attackers.",{"data":2460,"content":2461,"nodeType":252},{},[2462],{"data":2463,"marks":2464,"value":2465,"nodeType":256},{},[],"Push’s browser-based security platform provides comprehensive detection and response capabilities against attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",{"data":2467,"content":2468,"nodeType":252},{},[2469,2472,2479,2482,2489],{"data":2470,"marks":2471,"value":895,"nodeType":256},{},[],{"data":2473,"content":2474,"nodeType":317},{"uri":900},[2475],{"data":2476,"marks":2477,"value":903,"nodeType":256},{},[2478],{"type":325},{"data":2480,"marks":2481,"value":908,"nodeType":256},{},[],{"data":2483,"content":2484,"nodeType":317},{"uri":913},[2485],{"data":2486,"marks":2487,"value":916,"nodeType":256},{},[2488],{"type":325},{"data":2490,"marks":2491,"value":921,"nodeType":256},{},[],{"data":2493,"content":2496,"nodeType":243},{"target":2494},{"sys":2495},{"id":928,"type":248,"linkType":249},[],{"data":2498,"content":2499,"nodeType":252},{},[2500],{"data":2501,"marks":2502,"value":29,"nodeType":256},{},[],"Uncovering a Calendly-themed phishing campaign targeting business ad manager accounts","Investigating a phishing campaign targeting Google Ads Manager MCC accounts to propagate malvertising lures. ","2025-12-02T00:00:00.000Z","uncovering-a-calendly-themed-phishing-campaign",{"items":2508},[2509,2511],{"sys":2510,"name":1903},{"id":1902},{"sys":2512,"name":1907},{"id":1906},{"items":2514},[2515],{"fullName":1911,"firstName":1912,"jobTitle":1913,"profilePicture":2516},{"url":1915},{"__typename":1041,"sys":2518,"content":2520,"title":3471,"synopsis":3472,"hashTags":62,"publishedDate":3473,"slug":3474,"tagsCollection":3475,"authorsCollection":3481},{"id":2519},"2sFCww9xnI8okIxhtOaiY1",{"json":2521},{"nodeType":239,"data":2522,"content":2523},{},[2524,2531,2538,2545,2548,2556,2563,2570,2576,2583,2589,2609,2616,2628,2631,2639,2646,2662,2669,2681,2687,2690,2698,2706,2712,2721,2741,2750,2757,2766,2785,2794,2801,2810,2843,2852,2859,2868,2886,2892,2901,2908,2917,2959,2962,2970,2979,2999,3008,3015,3024,3057,3063,3072,3079,3085,3088,3096,3105,3112,3172,3178,3181,3189,3198,3205,3211,3214,3222,3229,3236,3306,3313,3376,3383,3386,3394,3401,3408,3414,3417,3425,3432,3439,3445],{"nodeType":252,"data":2525,"content":2526},{},[2527],{"nodeType":256,"value":2528,"marks":2529,"data":2530},"The biggest cybersecurity story this year (so far) has been the emergence of “Scattered Lapsus$ Hunters” and their record-breaking worldwide hacking spree. ",[],{},{"nodeType":252,"data":2532,"content":2533},{},[2534],{"nodeType":256,"value":2535,"marks":2536,"data":2537},"Scattered Lapsus$ Hunters is part of “The Com”, the name for the broad community of English-speaking cybercriminals with international criminal connections — including with nation-state sponsored groups. They are also known to collaborate with a range of cybercrime “as-a-Service” organizations for phishing, initial access, ransomware, and more. ",[],{},{"nodeType":252,"data":2539,"content":2540},{},[2541],{"nodeType":256,"value":2542,"marks":2543,"data":2544},"It’s difficult to pin down exactly who the individuals are that make up this criminal collective. But what is known is their MO — making money through extortion by means of account takeover, mass data theft, and ransomware deployment. ",[],{},{"nodeType":268,"data":2546,"content":2547},{},[],{"nodeType":272,"data":2549,"content":2550},{},[2551],{"nodeType":256,"value":2552,"marks":2553,"data":2555},"How did we get here? ",[2554],{"type":279},{},{"nodeType":252,"data":2557,"content":2558},{},[2559],{"nodeType":256,"value":2560,"marks":2561,"data":2562},"Earlier this year, the threat group known to most analysts as Scattered Spider (also tracked as 0ktapus, Octo Tempest, Scatter Swine, Muddled Libra, and UNC3944) re-emerged after a series of arrests in late 2024. ",[],{},{"nodeType":252,"data":2564,"content":2565},{},[2566],{"nodeType":256,"value":2567,"marks":2568,"data":2569},"This group has been active in peaks and troughs over the years, but are mainly known for high-profile ransomware attacks on Caesars and MGM Resorts in 2024. ",[],{},{"nodeType":243,"data":2571,"content":2575},{"target":2572},{"sys":2573},{"id":2574,"type":248,"linkType":249},"1Vt269d7n6IGMzOrJs1FDx",[],{"nodeType":252,"data":2577,"content":2578},{},[2579],{"nodeType":256,"value":2580,"marks":2581,"data":2582},"Scattered Spider hit the headlines again in April 2025 with attacks on UK retailers Marks & Spencer and Co-op, which resulted in significant, prolonged disruption, and a serious downstream impact on the retail supply chain. ",[],{},{"nodeType":243,"data":2584,"content":2588},{"target":2585},{"sys":2586},{"id":2587,"type":248,"linkType":249},"3kvcGV2zZZUPnM8IK04Y1O",[],{"nodeType":252,"data":2590,"content":2591},{},[2592,2596,2605],{"nodeType":256,"value":2593,"marks":2594,"data":2595},"It didn’t stop there, though. What followed was a wide-scale campaign targeting Salesforce customers, with the attackers claiming to have stolen ",[],{},{"nodeType":317,"data":2597,"content":2599},{"uri":2598},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[2600],{"nodeType":256,"value":2601,"marks":2602,"data":2604},"over 1.5 billion records from 1000+ companies",[2603],{"type":325},{},{"nodeType":256,"value":2606,"marks":2607,"data":2608}," across multiple verticals, including heavyweights like Google, Cloudflare, Workday, Adidas, FedEx, Disney, LVMH, and many more.",[],{},{"nodeType":252,"data":2610,"content":2611},{},[2612],{"nodeType":256,"value":2613,"marks":2614,"data":2615},"Around this time, the attackers began to refer to themselves as part of a wider collective, assuming the moniker “Scattered Lapsus$ Hunters” (a mash-up of names given by analysts and self-adopted by attackers — Scattered Spider, ShinyHunters, and Lapsus$).",[],{},{"nodeType":252,"data":2617,"content":2618},{},[2619,2623],{"nodeType":256,"value":2620,"marks":2621,"data":2622},"The most significant breach this year to-date impacted Jaguar Land Rover. A ransomware attack resulted in months of disruption that directly impacted the UK’s GDP, with the government underwriting a $1.5B loan to alleviate the supply chain impact. ",[],{},{"nodeType":256,"value":2624,"marks":2625,"data":2627},"In fact, this was the most economically consequential cyber attack yet recorded in a G7 economy. ",[2626],{"type":279},{},{"nodeType":268,"data":2629,"content":2630},{},[],{"nodeType":272,"data":2632,"content":2633},{},[2634],{"nodeType":256,"value":2635,"marks":2636,"data":2638},"2025 wasn’t a one-off",[2637],{"type":279},{},{"nodeType":252,"data":2640,"content":2641},{},[2642],{"nodeType":256,"value":2643,"marks":2644,"data":2645},"The developments through 2025 have presented a stronger picture than ever before that cybercriminal operations are heavily interlinked. Groups overlap considerably, and individuals freely move between different cells. ",[],{},{"nodeType":252,"data":2647,"content":2648},{},[2649,2653,2658],{"nodeType":256,"value":2650,"marks":2651,"data":2652},"When we scratch beneath the surface, this is evident in the tactics, techniques and procedures (TTPs) used by these attackers — even stretching as far back as 2021 with the initial rise of Lapsus$. This is not an accident. ",[],{},{"nodeType":256,"value":2654,"marks":2655,"data":2657},"The TTPs used show a conscious move by attackers to move away from environments that are well-protected by traditional security tools. ",[2656],{"type":279},{},{"nodeType":256,"value":2659,"marks":2660,"data":2661},"This means avoiding targeting endpoints with malware, and not relying on software-based exploits. Instead, these attackers look to take over apps and services directly over the internet. ",[],{},{"nodeType":252,"data":2663,"content":2664},{},[2665],{"nodeType":256,"value":2666,"marks":2667,"data":2668},"Most of the time, this is as simple as logging in to a SaaS app, or an enterprise SSO account (e.g. Microsoft, Okta, or Google) and dumping the data. For attackers that want to take it further, they can abuse the sprawl of interconnected apps that make up modern business IT, seeking out specific data or exploitable functionality. Or, they can leverage internet-accessible management portals to chart a path back to your on-premise assets, giving them everything they need to pivot toward more conventional methods such as ransomware deployment. ",[],{},{"nodeType":252,"data":2670,"content":2671},{},[2672,2676],{"nodeType":256,"value":2673,"marks":2674,"data":2675},"When we look at historical breaches, the pattern is clear. ",[],{},{"nodeType":256,"value":2677,"marks":2678,"data":2680},"Not one of the attacks attributed to Scattered Lapsus$ Hunters, or its predecessors, started with an endpoint or network attack — they all began with account takeover. ",[2679],{"type":279},{},{"nodeType":243,"data":2682,"content":2686},{"target":2683},{"sys":2684},{"id":2685,"type":248,"linkType":249},"6poP5VM2ARrEvwKEG42HgK",[],{"nodeType":268,"data":2688,"content":2689},{},[],{"nodeType":272,"data":2691,"content":2692},{},[2693],{"nodeType":256,"value":2694,"marks":2695,"data":2697},"TTP breakdown: Analyzing the top “Scattered Lapsus$ Hunters” breaches since 2021",[2696],{"type":279},{},{"nodeType":1699,"data":2699,"content":2700},{},[2701],{"nodeType":256,"value":2702,"marks":2703,"data":2705},"Phishing and stolen credentials",[2704],{"type":279},{},{"nodeType":243,"data":2707,"content":2711},{"target":2708},{"sys":2709},{"id":2710,"type":248,"linkType":249},"4SNOanDIdGZsvRRnMYQVSo",[],{"nodeType":252,"data":2713,"content":2714},{},[2715],{"nodeType":256,"value":2716,"marks":2717,"data":2720},"EA Games (2021)",[2718,2719],{"type":279},{"type":325},{},{"nodeType":252,"data":2722,"content":2723},{},[2724,2728,2737],{"nodeType":256,"value":2725,"marks":2726,"data":2727},"Attackers used stolen session cookies to log into EA’s Slack instance, purchased on a criminal forum. Combined with ",[],{},{"nodeType":317,"data":2729,"content":2731},{"uri":2730},"https://pushsecurity.com/blog/phishing-slack-persistence/",[2732],{"nodeType":256,"value":2733,"marks":2734,"data":2736},"social engineering via Slack",[2735],{"type":325},{},{"nodeType":256,"value":2738,"marks":2739,"data":2740},", this was used to steal 750GB of data, including video game source code. ",[],{},{"nodeType":252,"data":2742,"content":2743},{},[2744],{"nodeType":256,"value":2745,"marks":2746,"data":2749},"Nvidia (2022)",[2747,2748],{"type":279},{"type":325},{},{"nodeType":252,"data":2751,"content":2752},{},[2753],{"nodeType":256,"value":2754,"marks":2755,"data":2756},"Attackers used stolen credentials to steal 1TB of data from Nvidia’s internal shares, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code, and the usernames and passwords of more than 71,000 Nvidia employees.",[],{},{"nodeType":252,"data":2758,"content":2759},{},[2760],{"nodeType":256,"value":2761,"marks":2762,"data":2765},"Microsoft (2022)",[2763,2764],{"type":279},{"type":325},{},{"nodeType":252,"data":2767,"content":2768},{},[2769,2773,2781],{"nodeType":256,"value":2770,"marks":2771,"data":2772},"Attackers used stolen credentials combined with SIM swapping and ",[],{},{"nodeType":317,"data":2774,"content":2776},{"uri":2775},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_fatigue/description.md",[2777],{"nodeType":256,"value":2778,"marks":2779,"data":2780},"MFA fatigue",[],{},{"nodeType":256,"value":2782,"marks":2783,"data":2784}," attacks to steal Azure DevOps source code — leaked a 9GB archive of Microsoft source code – including ~90% of Bing and 45% of Cortana code. ",[],{},{"nodeType":252,"data":2786,"content":2787},{},[2788],{"nodeType":256,"value":2789,"marks":2790,"data":2793},"T-Mobile (2022)",[2791,2792],{"type":279},{"type":325},{},{"nodeType":252,"data":2795,"content":2796},{},[2797],{"nodeType":256,"value":2798,"marks":2799,"data":2800},"Attackers used stolen credentials to establish initial access, coupled with social engineering T-Mobile staff into approving the attacker’s device for VPN access. This resulted in source code being stolen from over 30,000 repositories. ",[],{},{"nodeType":252,"data":2802,"content":2803},{},[2804],{"nodeType":256,"value":2805,"marks":2806,"data":2809},"Snowflake (165 customers) (2024)",[2807,2808],{"type":279},{"type":325},{},{"nodeType":252,"data":2811,"content":2812},{},[2813,2817,2826,2830,2839],{"nodeType":256,"value":2814,"marks":2815,"data":2816},"Attackers targeted ",[],{},{"nodeType":317,"data":2818,"content":2820},{"uri":2819},"https://pushsecurity.com/blog/snowflake-retro/",[2821],{"nodeType":256,"value":2822,"marks":2823,"data":2825},"165 Snowflake customers",[2824],{"type":325},{},{"nodeType":256,"value":2827,"marks":2828,"data":2829}," using stolen credentials from credential breaches dating back as far as 2020. Due to widespread MFA gaps and the presence of ",[],{},{"nodeType":317,"data":2831,"content":2833},{"uri":2832},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[2834],{"nodeType":256,"value":2835,"marks":2836,"data":2838},"ghost logins",[2837],{"type":325},{},{"nodeType":256,"value":2840,"marks":2841,"data":2842},", attackers were able to simply log in to individual customer tenants, dump the data, and use it to extort the companies. In total, 9 public victims were named following the breach, with over 1B breached customer records. ",[],{},{"nodeType":252,"data":2844,"content":2845},{},[2846],{"nodeType":256,"value":2847,"marks":2848,"data":2851},"PowerSchool (2024)",[2849,2850],{"type":279},{"type":325},{},{"nodeType":252,"data":2853,"content":2854},{},[2855],{"nodeType":256,"value":2856,"marks":2857,"data":2858},"Attackers gained access to a community-focused customer support portal, PowerSource, using compromised credentials and stole data using an \"export data manager\" customer support tool, stealing the data of 62.4 million students and 9.5 million teachers. PowerSchool paid an undisclosed ransom fee, but hackers returned later to extort schools and individuals separately anyway.",[],{},{"nodeType":252,"data":2860,"content":2861},{},[2862],{"nodeType":256,"value":2863,"marks":2864,"data":2867},"Red Hat (2025)",[2865,2866],{"type":279},{"type":325},{},{"nodeType":252,"data":2869,"content":2870},{},[2871,2875,2882],{"nodeType":256,"value":2872,"marks":2873,"data":2874},"Attackers breached Red Hat’s GitLab instance via a compromised account — the result of ",[],{},{"nodeType":317,"data":2876,"content":2877},{"uri":2832},[2878],{"nodeType":256,"value":2835,"marks":2879,"data":2881},[2880],{"type":325},{},{"nodeType":256,"value":2883,"marks":2884,"data":2885}," providing a backdoor to access an otherwise secure, SSO-connected account. Stolen data included approximately 800 Customer Engagement Reports (CERs), authentication tokens, full database URIs, and other private information in Red Hat code and CERs, which they claimed to use to gain access to downstream customer infrastructure. ",[],{},{"nodeType":243,"data":2887,"content":2891},{"target":2888},{"sys":2889},{"id":2890,"type":248,"linkType":249},"G1V7d5Dvevmr9p0YXElPX",[],{"nodeType":252,"data":2893,"content":2894},{},[2895],{"nodeType":256,"value":2896,"marks":2897,"data":2900},"Discord (2025)",[2898,2899],{"type":279},{"type":325},{},{"nodeType":252,"data":2902,"content":2903},{},[2904],{"nodeType":256,"value":2905,"marks":2906,"data":2907},"Attackers compromised a Zendesk customer support account, stealing 1.6TB of data. The hackers say this consisted of roughly 8.4 million tickets affecting 5.5 million unique users, and that about 580,000 users contained payment information.",[],{},{"nodeType":252,"data":2909,"content":2910},{},[2911],{"nodeType":256,"value":2912,"marks":2913,"data":2916},"SoundCloud, MatchGroup, Crunchbase, Betterment... (2026)",[2914,2915],{"type":279},{"type":325},{},{"nodeType":252,"data":2918,"content":2919},{},[2920,2924,2932,2935,2943,2947,2955],{"nodeType":256,"value":2921,"marks":2922,"data":2923},"Scattered Lapsus$ Hunters have already claimed several public victims in 2026, with over 60 million breached records. ",[],{},{"nodeType":317,"data":2925,"content":2927},{"uri":2926},"https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/",[2928],{"nodeType":256,"value":2929,"marks":2930,"data":2931},"SoundCloud, Betterment, Crunchbase",[],{},{"nodeType":256,"value":1391,"marks":2933,"data":2934},[],{},{"nodeType":317,"data":2936,"content":2938},{"uri":2937},"https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/",[2939],{"nodeType":256,"value":2940,"marks":2941,"data":2942},"MatchGroup",[],{},{"nodeType":256,"value":2944,"marks":2945,"data":2946}," have all reported breaches this month, powered by a brand ",[],{},{"nodeType":317,"data":2948,"content":2950},{"uri":2949},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[2951],{"nodeType":256,"value":2952,"marks":2953,"data":2954},"new real-time-operated AiTM phishing kit",[],{},{"nodeType":256,"value":2956,"marks":2957,"data":2958}," targeting Okta, Entra, and Google SSO accounts. This is a developing situation, with more victims expected to be announced publicly soon.",[],{},{"nodeType":268,"data":2960,"content":2961},{},[],{"nodeType":1699,"data":2963,"content":2964},{},[2965],{"nodeType":256,"value":2966,"marks":2967,"data":2969},"Vishing and help desk scams",[2968],{"type":279},{},{"nodeType":252,"data":2971,"content":2972},{},[2973],{"nodeType":256,"value":2974,"marks":2975,"data":2978},"MGM Resorts & Caesars (2023)",[2976,2977],{"type":279},{"type":325},{},{"nodeType":252,"data":2980,"content":2981},{},[2982,2986,2995],{"nodeType":256,"value":2983,"marks":2984,"data":2985},"MGM Resorts and Caesars were hit with twin breaches in 2023. Attackers socially engineered help desk personnel to take over accounts with Super Administrator privileges within MGM Resorts’ Okta tenant, which they then used to register a second, attacker-controlled IdP via ",[],{},{"nodeType":317,"data":2987,"content":2989},{"uri":2988},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/inbound_federation/description.md",[2990],{"nodeType":256,"value":2991,"marks":2992,"data":2994},"inbound federation",[2993],{"type":325},{},{"nodeType":256,"value":2996,"marks":2997,"data":2998}," — granting comprehensive access that was used to deploy ransomware. ",[],{},{"nodeType":252,"data":3000,"content":3001},{},[3002],{"nodeType":256,"value":3003,"marks":3004,"data":3007},"Transport for London (2024)",[3005,3006],{"type":279},{"type":325},{},{"nodeType":252,"data":3009,"content":3010},{},[3011],{"nodeType":256,"value":3012,"marks":3013,"data":3014},"Attackers socially engineered the Transport for London help desk to gain privileged access to the IT environment, resulting in prolonged disruption to key online services underpinning London’s public transport network, theft of 5,000 users bank details, and all 30,000 staff members having to reset their online credentials in person.",[],{},{"nodeType":252,"data":3016,"content":3017},{},[3018],{"nodeType":256,"value":3019,"marks":3020,"data":3023},"Marks & Spencer (2025)",[3021,3022],{"type":279},{"type":325},{},{"nodeType":252,"data":3025,"content":3026},{},[3027,3031,3040,3044,3053],{"nodeType":256,"value":3028,"marks":3029,"data":3030},"Attackers compromised a Microsoft Entra account belonging to a privileged user via a ",[],{},{"nodeType":317,"data":3032,"content":3034},{"uri":3033},"https://pushsecurity.com/blog/scattered-spider-defending-against-help-desk-scams/",[3035],{"nodeType":256,"value":3036,"marks":3037,"data":3039},"help desk scam",[3038],{"type":325},{},{"nodeType":256,"value":3041,"marks":3042,"data":3043},", which enabled them to steal sensitive data from cloud environments, as well as pivot to deploy ransomware via the ",[],{},{"nodeType":317,"data":3045,"content":3047},{"uri":3046},"https://cloud.google.com/blog/topics/threat-intelligence/vsphere-active-directory-integration-risks",[3048],{"nodeType":256,"value":3049,"marks":3050,"data":3052},"VMware admin console",[3051],{"type":325},{},{"nodeType":256,"value":3054,"marks":3055,"data":3056},". This enabled ransomware to be deployed at the hypervisor layer, evading host-based protections like EDR. ",[],{},{"nodeType":243,"data":3058,"content":3062},{"target":3059},{"sys":3060},{"id":3061,"type":248,"linkType":249},"7hBdHG74NaA3bQfOMpYA9o",[],{"nodeType":252,"data":3064,"content":3065},{},[3066],{"nodeType":256,"value":3067,"marks":3068,"data":3071},"Jaguar Land Rover (2025)",[3069,3070],{"type":279},{"type":325},{},{"nodeType":252,"data":3073,"content":3074},{},[3075],{"nodeType":256,"value":3076,"marks":3077,"data":3078},"Attackers compromised highly privileged admin accounts via a help desk scam, which they leveraged to access and deploy ransomware to all aspects of Jaguar’s business, from CAD and engineering software, to payments tracking, to customer car delivery, using similar techniques to the Marks & Spencer breach. ",[],{},{"nodeType":243,"data":3080,"content":3084},{"target":3081},{"sys":3082},{"id":3083,"type":248,"linkType":249},"6s1X2fo4K9EeVLBmHm4YXb",[],{"nodeType":268,"data":3086,"content":3087},{},[],{"nodeType":1699,"data":3089,"content":3090},{},[3091],{"nodeType":256,"value":3092,"marks":3093,"data":3095},"Malicious OAuth integrations",[3094],{"type":279},{},{"nodeType":252,"data":3097,"content":3098},{},[3099],{"nodeType":256,"value":3100,"marks":3101,"data":3104},"Salesforce & Salesloft (1000+ customers) (2025)",[3102,3103],{"type":279},{"type":325},{},{"nodeType":252,"data":3106,"content":3107},{},[3108],{"nodeType":256,"value":3109,"marks":3110,"data":3111},"A vast campaign against Salesforce customers resulted in the compromise of 1000+ Salesforce tenants (according to the attacker) with more than 1.5 billion records stolen. This campaign can consisted of three phases:",[],{},{"nodeType":303,"data":3113,"content":3114},{},[3115,3130,3145],{"nodeType":307,"data":3116,"content":3117},{},[3118],{"nodeType":252,"data":3119,"content":3120},{},[3121,3126],{"nodeType":256,"value":3122,"marks":3123,"data":3125},"Phase 1:",[3124],{"type":279},{},{"nodeType":256,"value":3127,"marks":3128,"data":3129}," The attacker conducted a large-scale vishing campaign against Salesforce customers, calling up users and socially engineering them into connecting a malicious version of the “Data Loader” app into their tenant. This was in fact an attacker-controlled app that enabled data to be mass-exfiltrated via API. ",[],{},{"nodeType":307,"data":3131,"content":3132},{},[3133],{"nodeType":252,"data":3134,"content":3135},{},[3136,3141],{"nodeType":256,"value":3137,"marks":3138,"data":3140},"Phase 2: ",[3139],{"type":279},{},{"nodeType":256,"value":3142,"marks":3143,"data":3144},"The attacker conducted a supply-chain compromise against customers of Salesloft. Users of Salesloft’s “Drift” integration were impacted by attackers stealing access tokens from Salesloft’s AWS environment. This integration allowed the attacker to steal data from customers that had deployed Drift to connected environments — namely, Salesforce, and Google Workspace. ",[],{},{"nodeType":307,"data":3146,"content":3147},{},[3148],{"nodeType":252,"data":3149,"content":3150},{},[3151,3156,3160,3168],{"nodeType":256,"value":3152,"marks":3153,"data":3155},"Phase 3:",[3154],{"type":279},{},{"nodeType":256,"value":3157,"marks":3158,"data":3159}," The attacker then conducted a separate supply-chain compromise involving Gainsight (allegedly using OAuth tokens stolen in the Salesloft attack) which enabled them to ",[],{},{"nodeType":317,"data":3161,"content":3163},{"uri":3162},"https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/",[3164],{"nodeType":256,"value":3165,"marks":3166,"data":3167},"breach a further 285 Salesforce instances",[],{},{"nodeType":256,"value":3169,"marks":3170,"data":3171}," using stolen OAuth tokens from Gainsight's integrations. ",[],{},{"nodeType":243,"data":3173,"content":3177},{"target":3174},{"sys":3175},{"id":3176,"type":248,"linkType":249},"3TwjpVKQ42SwQRhvGFbZdn",[],{"nodeType":268,"data":3179,"content":3180},{},[],{"nodeType":1699,"data":3182,"content":3183},{},[3184],{"nodeType":256,"value":3185,"marks":3186,"data":3188},"Malicious browser extensions",[3187],{"type":279},{},{"nodeType":252,"data":3190,"content":3191},{},[3192],{"nodeType":256,"value":3193,"marks":3194,"data":3197},"CyberHaven (2024)",[3195,3196],{"type":279},{"type":325},{},{"nodeType":252,"data":3199,"content":3200},{},[3201],{"nodeType":256,"value":3202,"marks":3203,"data":3204},"Hackers phished a CyberHaven extension developer and uploaded a malicious version of the CyberHaven extension to the Chrome Web Store, leading to customer data breaches where installed in user browsers, impacting CyberHaven’s estimated ~400 business customers. This was part of a broader campaign that targeted 35 Chrome extensions, collectively impacting over 2.5 million users.",[],{},{"nodeType":243,"data":3206,"content":3210},{"target":3207},{"sys":3208},{"id":3209,"type":248,"linkType":249},"4ErDI0xi0Vj2Zrk8Qsb2NB",[],{"nodeType":268,"data":3212,"content":3213},{},[],{"nodeType":272,"data":3215,"content":3216},{},[3217],{"nodeType":256,"value":3218,"marks":3219,"data":3221},"The bigger picture",[3220],{"type":279},{},{"nodeType":252,"data":3223,"content":3224},{},[3225],{"nodeType":256,"value":3226,"marks":3227,"data":3228},"Scattered Lapsus$ Hunters are dominating the headlines right now, but they aren’t the only attackers using these modern techniques and consciously evading established security controls. ",[],{},{"nodeType":252,"data":3230,"content":3231},{},[3232],{"nodeType":256,"value":3233,"marks":3234,"data":3235},"Threat reports agree that attackers are steering away from traditional exploit and malware-driven breaches towards identities:",[],{},{"nodeType":303,"data":3237,"content":3238},{},[3239,3262,3284],{"nodeType":307,"data":3240,"content":3241},{},[3242],{"nodeType":252,"data":3243,"content":3244},{},[3245,3249,3258],{"nodeType":256,"value":3246,"marks":3247,"data":3248},"Identity-based attacks surged 32% in the last year, while 97% of identity attacks are password-based, driven by credential leaks and infostealer malware. (",[],{},{"nodeType":317,"data":3250,"content":3252},{"uri":3251},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[3253],{"nodeType":256,"value":3254,"marks":3255,"data":3257},"Microsoft",[3256],{"type":325},{},{"nodeType":256,"value":3259,"marks":3260,"data":3261},")",[],{},{"nodeType":307,"data":3263,"content":3264},{},[3265],{"nodeType":252,"data":3266,"content":3267},{},[3268,3272,3281],{"nodeType":256,"value":3269,"marks":3270,"data":3271},"79% of detections were malware-free in the last year, up from 40% in 2019. (",[],{},{"nodeType":317,"data":3273,"content":3275},{"uri":3274},"https://www.crowdstrike.com/en-gb/global-threat-report/",[3276],{"nodeType":256,"value":3277,"marks":3278,"data":3280},"CrowdStrike",[3279],{"type":325},{},{"nodeType":256,"value":3259,"marks":3282,"data":3283},[],{},{"nodeType":307,"data":3285,"content":3286},{},[3287],{"nodeType":252,"data":3288,"content":3289},{},[3290,3294,3303],{"nodeType":256,"value":3291,"marks":3292,"data":3293},"Credential abuse and phishing combined accounted for 38% of breaches, making identity the primary breach vector observed. (",[],{},{"nodeType":317,"data":3295,"content":3297},{"uri":3296},"https://www.verizon.com/business/resources/reports/dbir/",[3298],{"nodeType":256,"value":3299,"marks":3300,"data":3302},"Verizon",[3301],{"type":325},{},{"nodeType":256,"value":3259,"marks":3304,"data":3305},[],{},{"nodeType":252,"data":3307,"content":3308},{},[3309],{"nodeType":256,"value":3310,"marks":3311,"data":3312},"And other public breaches from this year alone demonstrate similar TTPs from outside of the Scattered Lapsus$ Hunters orbit:",[],{},{"nodeType":303,"data":3314,"content":3315},{},[3316,3331,3346,3361],{"nodeType":307,"data":3317,"content":3318},{},[3319],{"nodeType":252,"data":3320,"content":3321},{},[3322,3327],{"nodeType":256,"value":3323,"marks":3324,"data":3326},"Nikkei",[3325],{"type":279},{},{"nodeType":256,"value":3328,"marks":3329,"data":3330},": Japanese publishing giant Nikkei’s Slack messaging platform was compromised using stolen credentials, leaking the names, email addresses, and chat histories for 17,368 individuals registered on Slack.",[],{},{"nodeType":307,"data":3332,"content":3333},{},[3334],{"nodeType":252,"data":3335,"content":3336},{},[3337,3342],{"nodeType":256,"value":3338,"marks":3339,"data":3341},"Evertec",[3340],{"type":279},{},{"nodeType":256,"value":3343,"marks":3344,"data":3345},": Hackers tried to steal $130 million from Evertec’s Brazilian subsidiary Sinqia S.A.after gaining unauthorized access to its environment on the central bank’s real-time payment system (Pix) using stolen credentials.",[],{},{"nodeType":307,"data":3347,"content":3348},{},[3349],{"nodeType":252,"data":3350,"content":3351},{},[3352,3357],{"nodeType":256,"value":3353,"marks":3354,"data":3356},"Hy-Vee:",[3355],{"type":279},{},{"nodeType":256,"value":3358,"marks":3359,"data":3360}," Was hit with a data breach after hackers logged in with stolen credentials, exposing 53GB of sensitive data.",[],{},{"nodeType":307,"data":3362,"content":3363},{},[3364],{"nodeType":252,"data":3365,"content":3366},{},[3367,3372],{"nodeType":256,"value":3368,"marks":3369,"data":3371},"Scania: ",[3370],{"type":279},{},{"nodeType":256,"value":3373,"marks":3374,"data":3375},"Automotive giant Scania confirmed it suffered a cybersecurity incident where threat actors used compromised credentials to breach its Financial Services systems and steal insurance claim documents.",[],{},{"nodeType":252,"data":3377,"content":3378},{},[3379],{"nodeType":256,"value":3380,"marks":3381,"data":3382},"Scattered Lapsus$ Hunters may be grabbing the headlines — but this a huge movement in a vast and flexible community of attackers. And criminals around the world are learning from their success. ",[],{},{"nodeType":268,"data":3384,"content":3385},{},[],{"nodeType":272,"data":3387,"content":3388},{},[3389],{"nodeType":256,"value":3390,"marks":3391,"data":3393},"Lessons learned",[3392],{"type":279},{},{"nodeType":252,"data":3395,"content":3396},{},[3397],{"nodeType":256,"value":3398,"marks":3399,"data":3400},"The common thread with all of these attacks is that they are evading established security controls by targeting applications directly, over the internet, via account takeover.",[],{},{"nodeType":252,"data":3402,"content":3403},{},[3404],{"nodeType":256,"value":3405,"marks":3406,"data":3407},"Clearly, the success of these attacks shows the limitations of multiple control layers. Endpoint and network layer controls have no visibility of this attack surface. Identity-focused controls are being undermined by ghost logins and shadow IT. And the limitations of cloud security controls in their ability to encompass all apps, and detect and stop malicious actions in real-time (that often blend in seamlessly with normal user activity). ",[],{},{"nodeType":243,"data":3409,"content":3413},{"target":3410},{"sys":3411},{"id":3412,"type":248,"linkType":249},"4Dg3fZEGf7ShyQJ8jlNDME",[],{"nodeType":268,"data":3415,"content":3416},{},[],{"nodeType":272,"data":3418,"content":3419},{},[3420],{"nodeType":256,"value":3421,"marks":3422,"data":3424},"How Push can help",[3423],{"type":279},{},{"nodeType":252,"data":3426,"content":3427},{},[3428],{"nodeType":256,"value":3429,"marks":3430,"data":3431},"Stopping attacks that are designed to evade established controls is in our DNA — it’s the reason Push was founded. ",[],{},{"nodeType":252,"data":3433,"content":3434},{},[3435],{"nodeType":256,"value":3436,"marks":3437,"data":3438},"The browser is the gateway to to the apps and identities that attackers are now targeting, with many attacks taking place inside the user’s browser — whether that’s entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA. ",[],{},{"nodeType":252,"data":3440,"content":3441},{},[3442],{"nodeType":256,"value":2465,"marks":3443,"data":3444},[],{},{"nodeType":252,"data":3446,"content":3447},{},[3448,3451,3458,3461,3468],{"nodeType":256,"value":895,"marks":3449,"data":3450},[],{},{"nodeType":317,"data":3452,"content":3453},{"uri":900},[3454],{"nodeType":256,"value":903,"marks":3455,"data":3457},[3456],{"type":325},{},{"nodeType":256,"value":908,"marks":3459,"data":3460},[],{},{"nodeType":317,"data":3462,"content":3463},{"uri":913},[3464],{"nodeType":256,"value":916,"marks":3465,"data":3467},[3466],{"type":325},{},{"nodeType":256,"value":921,"marks":3469,"data":3470},[],{},"\"Scattered Lapsus$ Hunters\" — how modern attackers exploit the gaps in your security stack ","How Scattered Lapsus$ Hunters breaches demonstrate the evolution of attacker TTPs, shaping the future of cyber attacks.","2025-11-13T00:00:00.000Z","scattered-lapsus-hunters",{"items":3476},[3477,3479],{"sys":3478,"name":1903},{"id":1902},{"sys":3480,"name":1907},{"id":1906},{"items":3482},[3483],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":3484},{"url":236},"2025-top-phishing-trends","blog/2025-top-phishing-trends",{"json":3488},{"data":3489,"content":3490,"nodeType":239},{},[3491],{"data":3492,"content":3493,"nodeType":252},{},[3494],{"data":3495,"marks":3496,"value":3497,"nodeType":256},{},[],"Phishing attacks changed a lot through 2025. Here's the top trends from this year and what they mean for security teams heading into 2026. \n","Analyzing the key trends that defined phishing attacks in 2025, and what these changes mean for security teams heading into 2026. ",{"id":3500,"publishedAt":3501},"5CqV6e5wfHsfEVczkWSerZ","2026-04-20T13:45:24.547Z",{"items":3503},[3504,3506],{"sys":3505,"name":1907},{"id":1906},{"sys":3507,"name":1903},{"id":1902},"CAGUz-3dEVTq6i1deurwrJsgcWQqHFyZU0apjJXa-rU",1784196723493]