[{"data":1,"prerenderedAt":5993},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/7-things-we-learned-from-matt-johansen":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":799,"faqItemsCollection":800,"faqTitle":62,"featured":6,"hashTags":62,"meta":802,"metaTitle":803,"ogImage":62,"publishedDate":804,"relatedBlogPostsCollection":805,"slug":5958,"stem":5959,"subtitle":62,"summary":5960,"synopsis":5982,"sys":5983,"tagsCollection":5986,"__hash__":5992},"blog/blog/7-things-we-learned-from-matt-johansen.json","What we learned from 'Security Theater vs. Security That Works' with Matt Johansen",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Daniel Park","Daniel","Technical Content",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/6Cwg1xVeCdzUvxBIMfnDO5/6b18ed126b53611e7b521da34f900d29/254-0-2.jpg",{"json":238,"links":777},{"nodeType":239,"data":240,"content":241},"document",{},[242,253,261,290,297,304,308,316,323,342,349,368,371,379,386,405,424,443,446,455,461,464,472,479,495,502,505,513,557,564,571,578,586,605,624,631,638,645,664,667,675,682,701,708,715,718,741,744,751,758],{"nodeType":243,"data":244,"content":245},"heading-1",{},[246],{"nodeType":247,"value":248,"marks":249,"data":252},"text","1. Hackers don't hack in, they log in",[250],{"type":251},"bold",{},{"nodeType":254,"data":255,"content":256},"paragraph",{},[257],{"nodeType":247,"value":258,"marks":259,"data":260},"Matt made the point early on that \"the modern web frameworks that have come out have done more to shift application security than any security vendor ever did.\" It's measurably harder to write exploitable code in 2026 than it was even five years ago, and the data reflects that — as Matt put it, \"most hacks that we read about these days are actually logins, not actually hacks in terms of vulnerabilities.\" Attackers aren't breaking in — they're logging in.",[],{},{"nodeType":254,"data":262,"content":263},{},[264,268,273,277,286],{"nodeType":247,"value":265,"marks":266,"data":267},"The data backs this up across the board. CrowdStrike's 2026 Global Threat Report found that ",[],{},{"nodeType":247,"value":269,"marks":270,"data":272},"82% of attack detections are now malware-free",[271],{"type":251},{},{"nodeType":247,"value":274,"marks":275,"data":276}," — no exploit, no payload, just access and legitimate functionality being abused. ",[],{},{"nodeType":278,"data":279,"content":281},"hyperlink",{"uri":280},"https://services.google.com/fh/files/misc/cloud_threat_horizons_report_h12026.pdf",[282],{"nodeType":247,"value":283,"marks":284,"data":285},"Google/Mandiant",[],{},{"nodeType":247,"value":287,"marks":288,"data":289}," recently reported that identity issues were the initial access vector in 83% of cloud-related incidents.",[],{},{"nodeType":254,"data":291,"content":292},{},[293],{"nodeType":247,"value":294,"marks":295,"data":296},"And when you look at the economics, the shift makes obvious sense: a browser RCE goes for around $250,000, while a PhaaS kit rental runs about $1,000 per year and a bulk stolen credential list costs $15. For a rational attacker, identity abuse isn't just easier — it's orders of magnitude cheaper.",[],{},{"nodeType":254,"data":298,"content":299},{},[300],{"nodeType":247,"value":301,"marks":302,"data":303},"This isn't a new observation, but it's one that still hasn't fully landed in how most organizations allocate their security budgets. The bulk of enterprise security spending is still pointed at the endpoint and the network — tooling built for an era when the primary threat was malware and exploitation. The threat model has moved, and for a lot of organizations, the stack hasn't moved with it.",[],{},{"nodeType":305,"data":306,"content":307},"hr",{},[],{"nodeType":243,"data":309,"content":310},{},[311],{"nodeType":247,"value":312,"marks":313,"data":315},"2. AI is a force multiplier, but it isn't a super hacker",[314],{"type":251},{},{"nodeType":254,"data":317,"content":318},{},[319],{"nodeType":247,"value":320,"marks":321,"data":322},"The Mythos discourse has been hard to escape. As Matt put it, the view that \"the AI super hacker has escaped the lab\" is \"not actually what's going on.\" What's actually happening is that AI models trained to understand code are turning out to be very good at finding specific types of vulnerabilities in predominantly legacy codebases — but defenders stand to gain a lot too.",[],{},{"nodeType":254,"data":324,"content":325},{},[326,330,338],{"nodeType":247,"value":327,"marks":328,"data":329},"As Matt referenced, Google's CISO Heather Adkins said on stage at the Unprompted conference that Google's stated goal is \"to eliminate all software vulnerabilities, period.\" And browser zero-days already hit a ",[],{},{"nodeType":278,"data":331,"content":333},{"uri":332},"https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review",[334],{"nodeType":247,"value":335,"marks":336,"data":337},"historic low at just 9% of all zero-days reported to Google in 2025",[],{},{"nodeType":247,"value":339,"marks":340,"data":341},".",[],{},{"nodeType":254,"data":343,"content":344},{},[345],{"nodeType":247,"value":346,"marks":347,"data":348},"But won't AI-assisted vulnerability discovery eventually make browser exploits cheaper for attackers too? Perhaps — but it will simultaneously make them easier for browser vendors to find and patch, and vendors like Google and Microsoft have the engineering capacity and financial incentive to scale AI-driven remediation far faster than attackers can scale exploit development.",[],{},{"nodeType":254,"data":350,"content":351},{},[352,356,364],{"nodeType":247,"value":353,"marks":354,"data":355},"As Matt noted, \"they didn't train these models to be good at cybersecurity — they just trained them to get better and better at code,\" and big tech vendors like Google have the resources to really invest in these tools. The rational play for attackers is the same one it's been for years: skip the exploit development entirely and ",[],{},{"nodeType":278,"data":357,"content":359},{"uri":358},"https://pushsecurity.com/blog/introducing-the-browser-and-identity-attacks-matrix/",[360],{"nodeType":247,"value":361,"marks":362,"data":363},"steal identities and sessions in the browser",[],{},{"nodeType":247,"value":365,"marks":366,"data":367}," instead.",[],{},{"nodeType":305,"data":369,"content":370},{},[],{"nodeType":243,"data":372,"content":373},{},[374],{"nodeType":247,"value":375,"marks":376,"data":378},"3. MFA is essential — but it isn't a silver bullet",[377],{"type":251},{},{"nodeType":254,"data":380,"content":381},{},[382],{"nodeType":247,"value":383,"marks":384,"data":385},"Nobody's arguing against MFA. It's one of the most important security controls any organization can deploy, and both Matt and Mark were clear about that. But the conversation surfaced something that doesn't get enough attention: there are always gaps in coverage, and attackers have consistently found ways under, over, or through it.",[],{},{"nodeType":254,"data":387,"content":388},{},[389,393,401],{"nodeType":247,"value":390,"marks":391,"data":392},"Mark observed that every organization he talks to says they're in the process of \"rolling out\" MFA. It's always in progress, never complete — there's always an app that doesn't support it, a legacy system that can't handle it, a user population that hasn't been migrated, or a SaaS vendor charging extra for the privilege (the ",[],{},{"nodeType":278,"data":394,"content":396},{"uri":395},"https://pushsecurity.com/blog/minimum-viable-identity-security/",[397],{"nodeType":247,"value":398,"marks":399,"data":400},"security tax",[],{},{"nodeType":247,"value":402,"marks":403,"data":404},"). Coverage gaps are the norm, not the exception.",[],{},{"nodeType":254,"data":406,"content":407},{},[408,412,420],{"nodeType":247,"value":409,"marks":410,"data":411},"Then there's the bypass evolution. Matt walked through the history — SMS and SIM swapping, push notifications and push fatigue, and now ",[],{},{"nodeType":278,"data":413,"content":415},{"uri":414},"https://pushsecurity.com/blog/2025-top-phishing-trends/",[416],{"nodeType":247,"value":417,"marks":418,"data":419},"AiTM kits ",[],{},{"nodeType":247,"value":421,"marks":422,"data":423},"that proxy the entire authentication flow, capturing both the password and the MFA token in a single attack. Every step up the MFA ladder, attackers have found a way around. Phishing-resistant methods like hardware tokens and passkeys are a meaningful improvement, but rollout is slow and uneven.",[],{},{"nodeType":254,"data":425,"content":426},{},[427,431,439],{"nodeType":247,"value":428,"marks":429,"data":430},"And then there's the class of attacks that sidestep authentication entirely. Consent phishing, ",[],{},{"nodeType":278,"data":432,"content":434},{"uri":433},"https://pushsecurity.com/blog/device-code-phishing/",[435],{"nodeType":247,"value":436,"marks":437,"data":438},"device code phishing",[],{},{"nodeType":247,"value":440,"marks":441,"data":442},", session hijacking — these are all post-authentication attacks. The user has already authenticated successfully, the MFA did its job, and the attacker is going after what comes after: OAuth tokens, session cookies, consent grants. Matt compared these to zero days for identity — they bypass the entire front end of your defensive stack. MFA is absolutely something you should be rolling out and strengthening, but it's one layer in what needs to be a deeper defense.",[],{},{"nodeType":305,"data":444,"content":445},{},[],{"nodeType":447,"data":448,"content":454},"embedded-entry-block",{"target":449},{"sys":450},{"id":451,"type":452,"linkType":453},"7upGHPt7eVNji6v22h124t","Link","Entry",[],{"nodeType":447,"data":456,"content":460},{"target":457},{"sys":458},{"id":459,"type":452,"linkType":453},"53U3LHhhHFYnEpShdLmDqs",[],{"nodeType":305,"data":462,"content":463},{},[],{"nodeType":243,"data":465,"content":466},{},[467],{"nodeType":247,"value":468,"marks":469,"data":471},"4. User training is not enough: better technical controls are required",[470],{"type":251},{},{"nodeType":254,"data":473,"content":474},{},[475],{"nodeType":247,"value":476,"marks":477,"data":478},"Matt was blunt on this one: \"If those tips worked, cybersecurity as a profession would be out of business.\" 20+ years of user awareness training, and phishing is arguably more effective than ever. The standard advice — hover over links, check the sender, look for typos — assumes a level of sustained vigilance that no human can maintain across every interaction, every day.",[],{},{"nodeType":254,"data":480,"content":481},{},[482,486,491],{"nodeType":247,"value":483,"marks":484,"data":485},"What made his point land was the contrast between the comment sections on his ClickFix content — \"Who the hell would fall for this?\" — and the reality that ",[],{},{"nodeType":247,"value":487,"marks":488,"data":490},"every incident response professional he knows is currently working a ClickFix case. ",[489],{"type":251},{},{"nodeType":247,"value":492,"marks":493,"data":494},"The people saying nobody would fall for it are not the people cleaning up after it.",[],{},{"nodeType":254,"data":496,"content":497},{},[498],{"nodeType":247,"value":499,"marks":500,"data":501},"Matt also brought the recent Lazarus group fake job scams: threat actors spending six months building trust with a target — meeting in person at conferences, multiple times — before eventually getting them to install a malicious browser extension during a Zoom call. All of the social engineering that precedes the actual compromise is just trust-building, and the sophistication of that trust-building is increasing faster than any training program can keep up with. You need defensive layers that don't depend on the user making the right call every single time.",[],{},{"nodeType":305,"data":503,"content":504},{},[],{"nodeType":243,"data":506,"content":507},{},[508],{"nodeType":247,"value":509,"marks":510,"data":512},"5. Every IR pro you know is working a ClickFix case",[511],{"type":251},{},{"nodeType":254,"data":514,"content":515},{},[516,520,527,531,541,545,553],{"nodeType":247,"value":517,"marks":518,"data":519},"ClickFix came up repeatedly, and for good reason — it's one of the ",[],{},{"nodeType":278,"data":521,"content":522},{"uri":358},[523],{"nodeType":247,"value":524,"marks":525,"data":526},"most common initial access vectors",[],{},{"nodeType":247,"value":528,"marks":529,"data":530}," being reported right now. Matt said he doesn't know a single IR professional in his network who \"isn't actively working a ClickFix-related case.\" The technique, which tricks users into copying and pasting malicious commands, has spawned an entire family of variants (",[],{},{"nodeType":278,"data":532,"content":534},{"uri":533},"https://pushsecurity.com/blog/installfix/",[535],{"nodeType":247,"value":536,"marks":537,"data":540},"InstallFix",[538],{"type":539},"underline",{},{"nodeType":247,"value":542,"marks":543,"data":544},", ",[],{},{"nodeType":278,"data":546,"content":548},{"uri":547},"https://pushsecurity.com/blog/consentfix/",[549],{"nodeType":247,"value":550,"marks":551,"data":552},"ConsentFix",[],{},{"nodeType":247,"value":554,"marks":555,"data":556},", and others), and they're evolving fast.",[],{},{"nodeType":254,"data":558,"content":559},{},[560],{"nodeType":247,"value":561,"marks":562,"data":563},"Matt shared a particularly good example of why the \"just don't fall for it\" advice falls apart. Attackers were paying for ads promoting ChatGPT chat history links on technical search queries — things like \"how to clean up disk space on Mac.\" The top result was a legitimate-looking ChatGPT interface with what appeared to be helpful terminal commands.",[],{},{"nodeType":254,"data":565,"content":566},{},[567],{"nodeType":247,"value":568,"marks":569,"data":570},"The user was already looking for commands to copy and paste into their terminal. The attack didn't need to trick them into doing something unusual — it just showed up in the exact context where copy-pasting commands was the expected behavior.",[],{},{"nodeType":254,"data":572,"content":573},{},[574],{"nodeType":247,"value":575,"marks":576,"data":577},"The new variants keep appearing because the underlying technique is modular — the trust-building wrapper changes (fake CAPTCHAs, fake error messages, fake install instructions, fake AI chat interfaces), but the core mechanic is the same. What makes it dangerous is that each new wrapper goes quasi-viral among attackers when it proves successful, which means the window between a new variant appearing and widespread adoption is very short.",[],{},{"nodeType":243,"data":579,"content":580},{},[581],{"nodeType":247,"value":582,"marks":583,"data":585},"6. Browser extensions are the threat that never went away (and it's a bigger problem than ever)",[584],{"type":251},{},{"nodeType":254,"data":587,"content":588},{},[589,593,601],{"nodeType":247,"value":590,"marks":591,"data":592},"Browser extensions are a topic we've ",[],{},{"nodeType":278,"data":594,"content":596},{"uri":595},"https://pushsecurity.com/resources/browser-extensions-webinar",[597],{"nodeType":247,"value":598,"marks":599,"data":600},"covered in depth before",[],{},{"nodeType":247,"value":602,"marks":603,"data":604},", and Matt's perspective reinforced why. His first conference talk — Black Hat and DEF CON in 2011 — was about Chrome extension security. As he put it: \"I could give that talk right now with very few changes to the slides and it would still be extremely relevant.\"",[],{},{"nodeType":254,"data":606,"content":607},{},[608,612,620],{"nodeType":247,"value":609,"marks":610,"data":611},"The core problem hasn't moved: ",[],{},{"nodeType":278,"data":613,"content":615},{"uri":614},"https://pushsecurity.com/blog/why-browser-extension-risk-scoring-wont-predict-your-next-breach/",[616],{"nodeType":247,"value":617,"marks":618,"data":619},"extensions need broad permissions to function",[],{},{"nodeType":247,"value":621,"marks":622,"data":623},", even for completely legitimate use cases. A password manager needs to read login forms on every website. A dark mode extension needs to modify the DOM on every page. An RSS reader needs access to arbitrary sites. These aren't excessive permissions — they're the minimum required for the extension to do what it advertises.",[],{},{"nodeType":254,"data":625,"content":626},{},[627],{"nodeType":247,"value":628,"marks":629,"data":630},"What's making it worse is the AI adoption wave. Many AI tools ship with browser extension counterparts, and employees are installing them alongside the apps themselves — often without approval. The broader rush to adopt AI tooling is acting as a force multiplier for the shadow SaaS problem that security teams have been struggling with for years, and extensions are a big part of that.",[],{},{"nodeType":254,"data":632,"content":633},{},[634],{"nodeType":247,"value":635,"marks":636,"data":637},"The ways extensions get compromised vary. Users still get tricked into installing something malicious from the start, but legitimate extensions also turn malicious after the fact. Matt outlined several mechanisms: developer accounts getting compromised and attackers pushing malicious updates to the existing user base; extension developers accepting monetization deals that turn out to be data-harvesting operations; and threat actors outright purchasing extensions with established user bases and then pushing malware to them.",[],{},{"nodeType":254,"data":639,"content":640},{},[641],{"nodeType":247,"value":642,"marks":643,"data":644},"The Chrome Web Store doesn't solve this. Matt noted that he uploaded a proof-of-concept extension literally called \"Malicious Extension\" and it made it onto the store. There's some review process, but it's not real-time, it's not continuous, and it doesn't cover updates after initial submission.",[],{},{"nodeType":254,"data":646,"content":647},{},[648,652,660],{"nodeType":247,"value":649,"marks":650,"data":651},"Even organizations with a formal extension approval process typically only look at the extension once — at install time. Nobody's reviewing every update to every approved extension. And the risk assessment? \"It's mostly based on vibes. There's very little science here.\" Even at organizations with mature security programs, Matt hasn't seen many that have ",[],{},{"nodeType":278,"data":653,"content":655},{"uri":654},"https://pushsecurity.com/blog/browser-extension-management-guide/",[656],{"nodeType":247,"value":657,"marks":658,"data":659},"real-time, ongoing visibility",[],{},{"nodeType":247,"value":661,"marks":662,"data":663}," into what's happening inside their employees' browser extensions.",[],{},{"nodeType":305,"data":665,"content":666},{},[],{"nodeType":243,"data":668,"content":669},{},[670],{"nodeType":247,"value":671,"marks":672,"data":674},"7. You have 30 minutes to respond to a cloud intrusion — and revoking the token isn't enough",[673],{"type":251},{},{"nodeType":254,"data":676,"content":677},{},[678],{"nodeType":247,"value":679,"marks":680,"data":681},"Matt was direct about the speed benchmark practitioners should be targeting: meaningful containment and eradication within about 30 minutes, because attackers are partially achieving their objectives in 20 to 40 minutes and significantly past the point of no return within an hour.",[],{},{"nodeType":254,"data":683,"content":684},{},[685,689,697],{"nodeType":247,"value":686,"marks":687,"data":688},"The data supports this picture. CrowdStrike reports that the average e-crime \"breakout time\" (moving from initial access to high-value assets) is now just 29 minutes, while Google reports that the median time between initial access and hand-off to a secondary group has collapsed from ",[],{},{"nodeType":278,"data":690,"content":692},{"uri":691},"https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026",[693],{"nodeType":247,"value":694,"marks":695,"data":696},"over 8 hours in 2022 to just 22 seconds in 2025",[],{},{"nodeType":247,"value":698,"marks":699,"data":700}," — pointing to a highly automated, interconnected, and professionalized threat actor ecosystem.",[],{},{"nodeType":254,"data":702,"content":703},{},[704],{"nodeType":247,"value":705,"marks":706,"data":707},"But speed alone isn't the problem Matt emphasized — it's that the containment actions practitioners think they have don't actually work the way they expect. His anecdote about revoking an IdP OAuth token and assuming the session was killed, only to discover that the 200 downstream SaaS session tokens were still live, will resonate with anyone who has worked an identity-based incident.",[],{},{"nodeType":254,"data":709,"content":710},{},[711],{"nodeType":247,"value":712,"marks":713,"data":714},"You can't move that fast if you're figuring out what your tools can and can't do during the incident. The teams that handle these situations well are the ones that have taken stock of their actual capabilities beforehand — what their IdP revokes, what it doesn't, which SaaS apps have independent session management, where the gaps are. The teams that don't are the ones at \"1 AM with a pager in hand going, 'What the hell do I do now?'\" as Matt described it. \"Ask me how I know.\"",[],{},{"nodeType":305,"data":716,"content":717},{},[],{"nodeType":719,"data":720,"content":721},"blockquote",{},[722],{"nodeType":254,"data":723,"content":724},{},[725,729,737],{"nodeType":247,"value":726,"marks":727,"data":728},"This post is a recap of ",[],{},{"nodeType":278,"data":730,"content":732},{"uri":731},"https://pushsecurity.com/resources/security-theatre-vs-security-works",[733],{"nodeType":247,"value":734,"marks":735,"data":736},"Security theatre vs. security that works",[],{},{"nodeType":247,"value":738,"marks":739,"data":740},", the third episode in Push Security's webcast series on the state of browser attacks. Watch the full recording for the complete conversation, including live Q&A with Mark and Matt.",[],{},{"nodeType":305,"data":742,"content":743},{},[],{"nodeType":254,"data":745,"content":746},{},[747],{"nodeType":247,"value":748,"marks":749,"data":750},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required.",[],{},{"nodeType":254,"data":752,"content":753},{},[754],{"nodeType":247,"value":755,"marks":756,"data":757},"Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",[],{},{"nodeType":254,"data":759,"content":760},{},[761,764,773],{"nodeType":247,"value":29,"marks":762,"data":763},[],{},{"nodeType":278,"data":765,"content":767},{"uri":766},"https://pushsecurity.com/demo",[768],{"nodeType":247,"value":769,"marks":770,"data":772},"Book a live demo",[771],{"type":539},{},{"nodeType":247,"value":774,"marks":775,"data":776}," to learn more.",[],{},{"entries":778},{"hyperlink":779,"inline":780,"block":781},[],[],[782,790],{"sys":783,"__typename":784,"type":785,"ctaText":786,"buttonLabel":787,"buttonColour":788,"buttonUrl":789},{"id":451},"CtaWidget","Custom","Check out our browser and identity attacks matrix for a comprehensive overview of attack techniques using a MITRE-inspired mapping.","Check it out","sunny orange","https://pushsecurity.com/resources/browser-identity-attacks-matrix/",{"sys":791,"__typename":792,"title":793,"caption":794,"layoutMode":62,"file":795},{"id":459},"Image","Browser & Identity Attacks Matrix","Browser and identity-based techniques have exploded since we first launched our attack matrix",{"url":796,"width":797,"height":798},"https://images.ctfassets.net/y1cdw1ablpvd/L0Yc77y9vzrKVD72BQGX2/4ffe0bf61bd62f025262b8efd74394b7/Browser___Identity_Attacks_Matrix__1_.png",6160,4432,"json",{"items":801},[],{},"7 things we learned from our conversation with Matt Johansen","2026-05-21T00:00:00.000Z",{"items":806},[807,3845,5107],{"__typename":808,"sys":809,"content":811,"title":3823,"synopsis":3824,"hashTags":62,"publishedDate":3825,"slug":3826,"tagsCollection":3827,"authorsCollection":3837},"BlogPosts",{"id":810},"5DmCqTU2Tg4adYScA5vT2x",{"json":812},{"nodeType":239,"data":813,"content":814},{},[815,821,841,860,867,873,880,887,890,898,904,989,1009,1015,1022,1143,1149,1152,1160,1167,1173,1176,1185,1226,1232,1239,1246,1253,1260,1280,1286,1292,1298,1304,1310,1316,1322,1328,1595,1598,1606,1741,1747,1750,1758,1798,1932,1938,1941,1949,2096,2102,2105,2113,2119,2260,2266,2272,2275,2283,2430,2436,2439,2447,2593,2599,2602,2610,2705,2711,2714,2722,2816,2822,2825,2833,2839,2972,2978,2981,2989,3038,3044,3047,3055,3194,3200,3203,3211,3343,3349,3352,3360,3372,3379,3385,3391,3398,3419,3435,3441,3444,3452,3460,3481,3502,3507,3514,3521,3529,3536,3543,3550,3558,3565,3616,3622,3625,3633,3640,3647,3694,3700,3707,3710,3718,3725,3732,3752,3758,3765,3773,3780],{"nodeType":447,"data":816,"content":820},{"target":817},{"sys":818},{"id":819,"type":452,"linkType":453},"XOFOeNqmRHeiRbkPOJrP1",[],{"nodeType":254,"data":822,"content":823},{},[824,828,837],{"nodeType":247,"value":825,"marks":826,"data":827},"The OAuth 2.0 ",[],{},{"nodeType":278,"data":829,"content":831},{"uri":830},"https://www.rfc-editor.org/rfc/rfc8628",[832],{"nodeType":247,"value":833,"marks":834,"data":836},"device authorization grant",[835],{"type":539},{},{"nodeType":247,"value":838,"marks":839,"data":840}," was designed to enable input-constrained devices to sign-in to apps by asking the user to complete the login on a separate device by entering a code. But today, it’s mainly used when accessing CLI tools, meaning that many users encounter the device code flow daily. ",[],{},{"nodeType":254,"data":842,"content":843},{},[844,847,856],{"nodeType":247,"value":29,"marks":845,"data":846},[],{},{"nodeType":278,"data":848,"content":850},{"uri":849},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/device_code_phishing/description.md",[851],{"nodeType":247,"value":852,"marks":853,"data":855},"Device code phishing",[854],{"type":539},{},{"nodeType":247,"value":857,"marks":858,"data":859}," attacks designed to exploit this authorization flow are not new — it was among the first techniques that we added to the SaaS attacks matrix back in 2023. But it’s taken until now for it to really enter mainstream adoption. ",[],{},{"nodeType":254,"data":861,"content":862},{},[863],{"nodeType":247,"value":864,"marks":865,"data":866},"The technique tricks a user into issuing access tokens for an attacker-controlled application (not a device, confusingly). Any app that supports device code logins can be a target. Popular examples include Microsoft, Google, Salesforce, GitHub, and AWS. That said, Microsoft is, as always, much more heavily targeted at scale now than any other app.",[],{},{"nodeType":447,"data":868,"content":872},{"target":869},{"sys":870},{"id":871,"type":452,"linkType":453},"Al0pGH8vmOYiufDFiAbt0",[],{"nodeType":254,"data":874,"content":875},{},[876],{"nodeType":247,"value":877,"marks":878,"data":879},"We’ve always been surprised that attackers haven’t commonly used device code phishing in their standard toolkit, preferring session-stealing AITM phishing and other social engineering attacks like ClickFix. But it’s pretty clear from the recent data that the shift to mainstream adoption has now happened. ",[],{},{"nodeType":254,"data":881,"content":882},{},[883],{"nodeType":247,"value":884,"marks":885,"data":886},"In this blog post, we’ll explore the history of device code phishing, what’s changed for it to enter mainstream adoption, how it works under the hood (with recent examples), and what security teams can do about it. ",[],{},{"nodeType":305,"data":888,"content":889},{},[],{"nodeType":243,"data":891,"content":892},{},[893],{"nodeType":247,"value":894,"marks":895,"data":897},"A brief history of device code phishing",[896],{"type":251},{},{"nodeType":447,"data":899,"content":903},{"target":900},{"sys":901},{"id":902,"type":452,"linkType":453},"6u3DgvSGChtTJu7l9I7PG1",[],{"nodeType":254,"data":905,"content":906},{},[907,911,920,924,933,937,946,950,959,963,972,976,985],{"nodeType":247,"value":908,"marks":909,"data":910},"The technique was first documented in 2020, before Secureworks released the first tooling framework ",[],{},{"nodeType":278,"data":912,"content":914},{"uri":913},"https://github.com/secureworks/PhishInSuits",[915],{"nodeType":247,"value":916,"marks":917,"data":919},"PhishInSuits",[918],{"type":539},{},{"nodeType":247,"value":921,"marks":922,"data":923}," a year later. A host of research followed, including ",[],{},{"nodeType":278,"data":925,"content":927},{"uri":926},"https://github.com/secureworks/squarephish",[928],{"nodeType":247,"value":929,"marks":930,"data":932},"SquarePhish",[931],{"type":539},{},{"nodeType":247,"value":934,"marks":935,"data":936}," v1 (using QR codes to trigger the 15 minute code expiration window), Dirk-Jan Mollema’s ",[],{},{"nodeType":278,"data":938,"content":940},{"uri":939},"https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/",[941],{"nodeType":247,"value":942,"marks":943,"data":945},"key research",[944],{"type":539},{},{"nodeType":247,"value":947,"marks":948,"data":949}," (chaining device code phishing via Microsoft apps into Primary Refresh Token (PRT) acquisition to gain full browser-level access) and Dennis Kniep’s ",[],{},{"nodeType":278,"data":951,"content":953},{"uri":952},"https://github.com/denniskniep/DeviceCodePhishing",[954],{"nodeType":247,"value":955,"marks":956,"data":958},"DeviceCodePhishing tool",[957],{"type":539},{},{"nodeType":247,"value":960,"marks":961,"data":962}," which automates the entire flow with a headless browser. (Other recent noteworthy tools include ",[],{},{"nodeType":278,"data":964,"content":966},{"uri":965},"https://github.com/nromsdahl/squarephish2",[967],{"nodeType":247,"value":968,"marks":969,"data":971},"SquarePhish2",[970],{"type":539},{},{"nodeType":247,"value":973,"marks":974,"data":975}," and ",[],{},{"nodeType":278,"data":977,"content":979},{"uri":978},"https://github.com/praetorian-inc/GitPhish",[980],{"nodeType":247,"value":981,"marks":982,"data":984},"GitPhish",[983],{"type":539},{},{"nodeType":247,"value":986,"marks":987,"data":988},", so shout out to those too). ",[],{},{"nodeType":254,"data":990,"content":991},{},[992,996,1005],{"nodeType":247,"value":993,"marks":994,"data":995},"It wasn’t until August 2024 that in-the-wild exploitation was first identified, with Russia-linked campaigns then continuing into 2025 before entering mainstream criminal adoption. This trend has continued to gather momentum in 2026 with ",[],{},{"nodeType":278,"data":997,"content":999},{"uri":998},"https://thehackernews.com/2026/03/device-code-phishing-hits-340-microsoft.html",[1000],{"nodeType":247,"value":1001,"marks":1002,"data":1004},"EvilTokens",[1003],{"type":539},{},{"nodeType":247,"value":1006,"marks":1007,"data":1008},", the first reported criminal PhaaS kit for device code phishing, already powering massive campaigns after launching in February. ",[],{},{"nodeType":447,"data":1010,"content":1014},{"target":1011},{"sys":1012},{"id":1013,"type":452,"linkType":453},"6xsfmbYEzpW7CdDiNzO6cu",[],{"nodeType":254,"data":1016,"content":1017},{},[1018],{"nodeType":247,"value":1019,"marks":1020,"data":1021},"Some of the noteworthy in-the-wild campaigns include:",[],{},{"nodeType":1023,"data":1024,"content":1025},"unordered-list",{},[1026,1060,1082],{"nodeType":1027,"data":1028,"content":1029},"list-item",{},[1030],{"nodeType":254,"data":1031,"content":1032},{},[1033,1037,1045,1048,1056],{"nodeType":247,"value":1034,"marks":1035,"data":1036},"Storm-2372, tracked by ",[],{},{"nodeType":278,"data":1038,"content":1040},{"uri":1039},"https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/",[1041],{"nodeType":247,"value":1042,"marks":1043,"data":1044},"Microsoft",[],{},{"nodeType":247,"value":973,"marks":1046,"data":1047},[],{},{"nodeType":278,"data":1049,"content":1051},{"uri":1050},"https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/",[1052],{"nodeType":247,"value":1053,"marks":1054,"data":1055},"Volexity",[],{},{"nodeType":247,"value":1057,"marks":1058,"data":1059},", linked to multiple Russia-aligned clusters, combining spear-phishing and social engineering with device code phishing payloads against strategic intelligence targets.",[],{},{"nodeType":1027,"data":1061,"content":1062},{},[1063],{"nodeType":254,"data":1064,"content":1065},{},[1066,1070,1078],{"nodeType":247,"value":1067,"marks":1068,"data":1069},"The massive Salesforce campaign operated by ",[],{},{"nodeType":278,"data":1071,"content":1073},{"uri":1072},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[1074],{"nodeType":247,"value":1075,"marks":1076,"data":1077},"Scattered Lapsus$ Hunters",[],{},{"nodeType":247,"value":1079,"marks":1080,"data":1081}," (SLH) combined vishing with a device code phishing payload targeting Salesforce. The attacks morphed into a broader supply chain campaign using stolen credentials, ultimately resulting in 1000+ organizations being compromised and over 1.5 billion stolen records claimed. ",[],{},{"nodeType":1027,"data":1083,"content":1084},{},[1085],{"nodeType":254,"data":1086,"content":1087},{},[1088,1092,1100,1104,1113,1117,1126,1130,1139],{"nodeType":247,"value":1089,"marks":1090,"data":1091},"A massive spike in activity in late 2025 and 2026. This includes ",[],{},{"nodeType":278,"data":1093,"content":1095},{"uri":1094},"https://www.proofpoint.com/us/blog/threat-insight/access-granted-phishing-device-code-authorization-account-takeover",[1096],{"nodeType":247,"value":1097,"marks":1098,"data":1099},"multiple threat clusters",[],{},{"nodeType":247,"value":1101,"marks":1102,"data":1103}," tracked using device code phishing techniques, more ",[],{},{"nodeType":278,"data":1105,"content":1107},{"uri":1106},"https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-entra-accounts-in-device-code-vishing-attacks/",[1108],{"nodeType":247,"value":1109,"marks":1110,"data":1112},"criminal operations linked to SLH",[1111],{"type":539},{},{"nodeType":247,"value":1114,"marks":1115,"data":1116},", and ",[],{},{"nodeType":278,"data":1118,"content":1120},{"uri":1119},"https://newtonpaul.com/blog/device-code-phish-update/",[1121],{"nodeType":247,"value":1122,"marks":1123,"data":1125},"hundreds of organizations being targeted via PhaaS architecture,",[1124],{"type":539},{},{"nodeType":247,"value":1127,"marks":1128,"data":1129}," which looks to be the same campaign as the recently uncovered EvilTokens PhaaS reported by ",[],{},{"nodeType":278,"data":1131,"content":1133},{"uri":1132},"https://www.huntress.com/blog/railway-paas-m365-token-replay-campaign",[1134],{"nodeType":247,"value":1135,"marks":1136,"data":1138},"Huntress",[1137],{"type":539},{},{"nodeType":247,"value":1140,"marks":1141,"data":1142}," (featuring abuse of the Railway PaaS platform). ",[],{},{"nodeType":447,"data":1144,"content":1148},{"target":1145},{"sys":1146},{"id":1147,"type":452,"linkType":453},"3WLt6qLCK8CSwr0QZxZiMv",[],{"nodeType":305,"data":1150,"content":1151},{},[],{"nodeType":243,"data":1153,"content":1154},{},[1155],{"nodeType":247,"value":1156,"marks":1157,"data":1159},"What we’re seeing in the wild",[1158],{"type":251},{},{"nodeType":254,"data":1161,"content":1162},{},[1163],{"nodeType":247,"value":1164,"marks":1165,"data":1166},"As mentioned, we’ve also seen a huge spike in device code phishing activity this year, with multiple kits, page designs, and lure types. We’ve now identified 14+ distinct kits in circulation in the wild, with EvilTokens being the most prevalent. It’s clear that attackers are both spinning up their own kits and creative derivatives of others — we’ve seen kits that are visually similar to EvilTokens (close enough to be clones or forks) but with very different backends, for example AWS, Digital Ocean, 2cloud, and more. ",[],{},{"nodeType":447,"data":1168,"content":1172},{"target":1169},{"sys":1170},{"id":1171,"type":452,"linkType":453},"nJCbTw85GKXdqrlIkzZwi",[],{"nodeType":305,"data":1174,"content":1175},{},[],{"nodeType":1177,"data":1178,"content":1179},"heading-2",{},[1180],{"nodeType":247,"value":1181,"marks":1182,"data":1184},"“ANTIBOT” (EvilTokens)",[1183],{"type":251},{},{"nodeType":254,"data":1186,"content":1187},{},[1188,1191,1198,1201,1210,1214,1222],{"nodeType":247,"value":29,"marks":1189,"data":1190},[],{},{"nodeType":278,"data":1192,"content":1193},{"uri":1132},[1194],{"nodeType":247,"value":1135,"marks":1195,"data":1197},[1196],{"type":539},{},{"nodeType":247,"value":542,"marks":1199,"data":1200},[],{},{"nodeType":278,"data":1202,"content":1204},{"uri":1203},"https://blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/",[1205],{"nodeType":247,"value":1206,"marks":1207,"data":1209},"Sekoia",[1208],{"type":539},{},{"nodeType":247,"value":1211,"marks":1212,"data":1213},", and researcher ",[],{},{"nodeType":278,"data":1215,"content":1216},{"uri":1119},[1217],{"nodeType":247,"value":1218,"marks":1219,"data":1221},"Paul Newton",[1220],{"type":539},{},{"nodeType":247,"value":1223,"marks":1224,"data":1225}," have already done a great job of providing IOCs for the recent EvilTokens activity spike, including multiple backend Railway IPs in authentication events. ",[],{},{"nodeType":447,"data":1227,"content":1231},{"target":1228},{"sys":1229},{"id":1230,"type":452,"linkType":453},"1XNviq5OvMf5TEAc59F6g5",[],{"nodeType":254,"data":1233,"content":1234},{},[1235],{"nodeType":247,"value":1236,"marks":1237,"data":1238},"Beyond the most widely observed implementation featuring a Cloudflare Workers frontend and Railway backend for authentication, we’ve also tracked additional versions of EvilTokens in circulation since January 2026 (many of which remain live along with the current “production” version of the kit). ",[],{},{"nodeType":254,"data":1240,"content":1241},{},[1242],{"nodeType":247,"value":1243,"marks":1244,"data":1245},"You can see an evolution of the kit in the videos and screenshots below, from early precursors seen in mid-January, the first mentions of ANTIBOT in the page code in late-January, the parallel development of a “Courts Access” fork that lacks the ANTIBOT references, and finally production EvilTokens in February. One of the key threads between the versions is the presence of a generateFallbackCode() JS function and use of a /generate-codes API call. ",[],{},{"nodeType":254,"data":1247,"content":1248},{},[1249],{"nodeType":247,"value":1250,"marks":1251,"data":1252},"Early implementations were quite different, for example using ScrapingBee to generate the displayed code, and varied hosting on vercel, fastly, edgeone, and others. ",[],{},{"nodeType":254,"data":1254,"content":1255},{},[1256],{"nodeType":247,"value":1257,"marks":1258,"data":1259},"After initially appearing on custom domains, the production version is now predominantly hosted on Cloudflare Workers, as per the broader tracking of the campaign. The descriptive HTML comments around ANTIBOT functions have also been removed in later versions. ",[],{},{"nodeType":254,"data":1261,"content":1262},{},[1263,1267,1276],{"nodeType":247,"value":1264,"marks":1265,"data":1266},"The production version of EvilTokens showcases common ",[],{},{"nodeType":278,"data":1268,"content":1270},{"uri":1269},"https://phishing-techniques.pushsecurity.com/",[1271],{"nodeType":247,"value":1272,"marks":1273,"data":1275},"detection evasion techniques",[1274],{"type":539},{},{"nodeType":247,"value":1277,"marks":1278,"data":1279}," we've come to associate with PhaaS kits in the AiTM space — using multiple redirects through trusted sites before serving the malicious page, using bot protection to block security tools from analyzing the page, and so on. It also uses a pop-up window for the device code entry rather than a redirect, reducing the friction for the victim (it looks pretty convincing, too).",[],{},{"nodeType":447,"data":1281,"content":1285},{"target":1282},{"sys":1283},{"id":1284,"type":452,"linkType":453},"73rNOIEDPfP5IJwpFaxVc2",[],{"nodeType":447,"data":1287,"content":1291},{"target":1288},{"sys":1289},{"id":1290,"type":452,"linkType":453},"5BJSvOQUW9UpsQtoDNtgTC",[],{"nodeType":447,"data":1293,"content":1297},{"target":1294},{"sys":1295},{"id":1296,"type":452,"linkType":453},"3dbePPxVb4h4SauGg3glIL",[],{"nodeType":447,"data":1299,"content":1303},{"target":1300},{"sys":1301},{"id":1302,"type":452,"linkType":453},"1UOLcmNQvOsL5tdLSVuviq",[],{"nodeType":447,"data":1305,"content":1309},{"target":1306},{"sys":1307},{"id":1308,"type":452,"linkType":453},"55XRqLSwUUi2D4ZVpJboml",[],{"nodeType":447,"data":1311,"content":1315},{"target":1312},{"sys":1313},{"id":1314,"type":452,"linkType":453},"5wg5yr2Lo8t3f72ZV815c",[],{"nodeType":447,"data":1317,"content":1321},{"target":1318},{"sys":1319},{"id":1320,"type":452,"linkType":453},"35cowlL6i3rkGXOGmSxlI1",[],{"nodeType":254,"data":1323,"content":1324},{},[1325],{"nodeType":247,"value":29,"marks":1326,"data":1327},[],{},{"nodeType":1329,"data":1330,"content":1331},"table",{},[1332,1358,1442,1494,1518],{"nodeType":1333,"data":1334,"content":1335},"table-row",{},[1336,1348],{"nodeType":1337,"data":1338,"content":1339},"table-cell",{},[1340],{"nodeType":254,"data":1341,"content":1342},{},[1343],{"nodeType":247,"value":1344,"marks":1345,"data":1347},"Frontend infrastructure",[1346],{"type":251},{},{"nodeType":1337,"data":1349,"content":1350},{},[1351],{"nodeType":254,"data":1352,"content":1353},{},[1354],{"nodeType":247,"value":1355,"marks":1356,"data":1357},"Workers.dev, vercel.app, github.io, fastly.net, edgeone.dev",[],{},{"nodeType":1333,"data":1359,"content":1360},{},[1361,1372],{"nodeType":1337,"data":1362,"content":1363},{},[1364],{"nodeType":254,"data":1365,"content":1366},{},[1367],{"nodeType":247,"value":1368,"marks":1369,"data":1371},"Backend infrastructure",[1370],{"type":251},{},{"nodeType":1337,"data":1373,"content":1374},{},[1375,1405],{"nodeType":254,"data":1376,"content":1377},{},[1378,1383,1387,1392,1396,1401],{"nodeType":247,"value":1379,"marks":1380,"data":1382},"Example IP: (V3) ",[1381],{"type":251},{},{"nodeType":247,"value":1384,"marks":1385,"data":1386},"162.220.232.71 (Railway AS400940) ",[],{},{"nodeType":247,"value":1388,"marks":1389,"data":1391},"(V2)",[1390],{"type":251},{},{"nodeType":247,"value":1393,"marks":1394,"data":1395}," 71.11.42.193 ",[],{},{"nodeType":247,"value":1397,"marks":1398,"data":1400},"(V1) ",[1399],{"type":251},{},{"nodeType":247,"value":1402,"marks":1403,"data":1404},"72.218.25.107",[],{},{"nodeType":254,"data":1406,"content":1407},{},[1408,1413,1417,1422,1426,1430,1434,1438],{"nodeType":247,"value":1409,"marks":1410,"data":1412},"Backend User Agent:",[1411],{"type":251},{},{"nodeType":247,"value":1414,"marks":1415,"data":1416}," ",[],{},{"nodeType":247,"value":1418,"marks":1419,"data":1421},"(V3) ",[1420],{"type":251},{},{"nodeType":247,"value":1423,"marks":1424,"data":1425},"node, ",[],{},{"nodeType":247,"value":1388,"marks":1427,"data":1429},[1428],{"type":251},{},{"nodeType":247,"value":1431,"marks":1432,"data":1433},", Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683 Safari/537.36 OPR/57.0.3098.91 ",[],{},{"nodeType":247,"value":1397,"marks":1435,"data":1437},[1436],{"type":251},{},{"nodeType":247,"value":1439,"marks":1440,"data":1441},"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 OPR/56.0.3051.52 ",[],{},{"nodeType":1333,"data":1443,"content":1444},{},[1445,1456],{"nodeType":1337,"data":1446,"content":1447},{},[1448],{"nodeType":254,"data":1449,"content":1450},{},[1451],{"nodeType":247,"value":1452,"marks":1453,"data":1455},"Network paths",[1454],{"type":251},{},{"nodeType":1337,"data":1457,"content":1458},{},[1459,1466,1473,1480,1487],{"nodeType":254,"data":1460,"content":1461},{},[1462],{"nodeType":247,"value":1463,"marks":1464,"data":1465},"/api/rate-limit ",[],{},{"nodeType":254,"data":1467,"content":1468},{},[1469],{"nodeType":247,"value":1470,"marks":1471,"data":1472},"/api/fingerprint ",[],{},{"nodeType":254,"data":1474,"content":1475},{},[1476],{"nodeType":247,"value":1477,"marks":1478,"data":1479},"/api/captcha-verify ",[],{},{"nodeType":254,"data":1481,"content":1482},{},[1483],{"nodeType":247,"value":1484,"marks":1485,"data":1486},"/api/init /api/generate-code ",[],{},{"nodeType":254,"data":1488,"content":1489},{},[1490],{"nodeType":247,"value":1491,"marks":1492,"data":1493},"/api/check-auth",[],{},{"nodeType":1333,"data":1495,"content":1496},{},[1497,1508],{"nodeType":1337,"data":1498,"content":1499},{},[1500],{"nodeType":254,"data":1501,"content":1502},{},[1503],{"nodeType":247,"value":1504,"marks":1505,"data":1507},"Lure themes",[1506],{"type":251},{},{"nodeType":1337,"data":1509,"content":1510},{},[1511],{"nodeType":254,"data":1512,"content":1513},{},[1514],{"nodeType":247,"value":1515,"marks":1516,"data":1517},"Various MS lures (e.g. Outlook, SharePoint, Teams) DocuSign, Adobe",[],{},{"nodeType":1333,"data":1519,"content":1520},{},[1521,1532],{"nodeType":1337,"data":1522,"content":1523},{},[1524],{"nodeType":254,"data":1525,"content":1526},{},[1527],{"nodeType":247,"value":1528,"marks":1529,"data":1531},"Example Domain",[1530],{"type":251},{},{"nodeType":1337,"data":1533,"content":1534},{},[1535,1547,1559,1571,1583],{"nodeType":254,"data":1536,"content":1537},{},[1538,1543],{"nodeType":247,"value":1539,"marks":1540,"data":1542},"Precursor A:",[1541],{"type":251},{},{"nodeType":247,"value":1544,"marks":1545,"data":1546}," teams-zpfvwnpxuc[.]edgeone.dev",[],{},{"nodeType":254,"data":1548,"content":1549},{},[1550,1555],{"nodeType":247,"value":1551,"marks":1552,"data":1554},"Precursor B: ",[1553],{"type":251},{},{"nodeType":247,"value":1556,"marks":1557,"data":1558},"authenticate-m365-accountsecurity-m-pi[.]vercel.app",[],{},{"nodeType":254,"data":1560,"content":1561},{},[1562,1567],{"nodeType":247,"value":1563,"marks":1564,"data":1566},"Courts Access: ",[1565],{"type":251},{},{"nodeType":247,"value":1568,"marks":1569,"data":1570},"secure-systems-validations-courts[.]vercel.app",[],{},{"nodeType":254,"data":1572,"content":1573},{},[1574,1579],{"nodeType":247,"value":1575,"marks":1576,"data":1578},"Early ANTIBOT:",[1577],{"type":251},{},{"nodeType":247,"value":1580,"marks":1581,"data":1582}," interface-auth-en-useast[.]global.ssl.fastly.net",[],{},{"nodeType":254,"data":1584,"content":1585},{},[1586,1591],{"nodeType":247,"value":1587,"marks":1588,"data":1590},"Production ANTIBOT: ",[1589],{"type":251},{},{"nodeType":247,"value":1592,"marks":1593,"data":1594},"index-z059-document-pending-reviewsign-xlss7994824[.]awalizer[.]workers.dev",[],{},{"nodeType":305,"data":1596,"content":1597},{},[],{"nodeType":1177,"data":1599,"content":1600},{},[1601],{"nodeType":247,"value":1602,"marks":1603,"data":1605},"“SHAREFILE”",[1604],{"type":251},{},{"nodeType":1329,"data":1607,"content":1608},{},[1609,1632,1671,1694,1717],{"nodeType":1333,"data":1610,"content":1611},{},[1612,1622],{"nodeType":1337,"data":1613,"content":1614},{},[1615],{"nodeType":254,"data":1616,"content":1617},{},[1618],{"nodeType":247,"value":1344,"marks":1619,"data":1621},[1620],{"type":251},{},{"nodeType":1337,"data":1623,"content":1624},{},[1625],{"nodeType":254,"data":1626,"content":1627},{},[1628],{"nodeType":247,"value":1629,"marks":1630,"data":1631},"No hosting markers visible.",[],{},{"nodeType":1333,"data":1633,"content":1634},{},[1635,1645],{"nodeType":1337,"data":1636,"content":1637},{},[1638],{"nodeType":254,"data":1639,"content":1640},{},[1641],{"nodeType":247,"value":1368,"marks":1642,"data":1644},[1643],{"type":251},{},{"nodeType":1337,"data":1646,"content":1647},{},[1648,1660],{"nodeType":254,"data":1649,"content":1650},{},[1651,1656],{"nodeType":247,"value":1652,"marks":1653,"data":1655},"Example IP:",[1654],{"type":251},{},{"nodeType":247,"value":1657,"marks":1658,"data":1659}," 147.45.60.47 (Global Connectivity Solutions LLP AS215540)",[],{},{"nodeType":254,"data":1661,"content":1662},{},[1663,1667],{"nodeType":247,"value":1409,"marks":1664,"data":1666},[1665],{"type":251},{},{"nodeType":247,"value":1668,"marks":1669,"data":1670}," node",[],{},{"nodeType":1333,"data":1672,"content":1673},{},[1674,1684],{"nodeType":1337,"data":1675,"content":1676},{},[1677],{"nodeType":254,"data":1678,"content":1679},{},[1680],{"nodeType":247,"value":1452,"marks":1681,"data":1683},[1682],{"type":251},{},{"nodeType":1337,"data":1685,"content":1686},{},[1687],{"nodeType":254,"data":1688,"content":1689},{},[1690],{"nodeType":247,"value":1691,"marks":1692,"data":1693},"POST /api/device/start  POST /api/device/poll",[],{},{"nodeType":1333,"data":1695,"content":1696},{},[1697,1707],{"nodeType":1337,"data":1698,"content":1699},{},[1700],{"nodeType":254,"data":1701,"content":1702},{},[1703],{"nodeType":247,"value":1504,"marks":1704,"data":1706},[1705],{"type":251},{},{"nodeType":1337,"data":1708,"content":1709},{},[1710],{"nodeType":254,"data":1711,"content":1712},{},[1713],{"nodeType":247,"value":1714,"marks":1715,"data":1716},"Citrix ShareFile document transfer — file card with sender info, expiry warning, download/preview buttons",[],{},{"nodeType":1333,"data":1718,"content":1719},{},[1720,1731],{"nodeType":1337,"data":1721,"content":1722},{},[1723],{"nodeType":254,"data":1724,"content":1725},{},[1726],{"nodeType":247,"value":1727,"marks":1728,"data":1730},"Example domain",[1729],{"type":251},{},{"nodeType":1337,"data":1732,"content":1733},{},[1734],{"nodeType":254,"data":1735,"content":1736},{},[1737],{"nodeType":247,"value":1738,"marks":1739,"data":1740},"cghdfg[.]vbchkioi[.]su",[],{},{"nodeType":447,"data":1742,"content":1746},{"target":1743},{"sys":1744},{"id":1745,"type":452,"linkType":453},"1TtZ6VsMSTlPvy7W996w9E",[],{"nodeType":305,"data":1748,"content":1749},{},[],{"nodeType":1177,"data":1751,"content":1752},{},[1753],{"nodeType":247,"value":1754,"marks":1755,"data":1757},"Kali365 (internal name “CLURE”)",[1756],{"type":251},{},{"nodeType":254,"data":1759,"content":1760},{},[1761,1765,1770,1774,1782,1786,1794],{"nodeType":247,"value":1762,"marks":1763,"data":1764},"Clure was recently linked to the ",[],{},{"nodeType":247,"value":1766,"marks":1767,"data":1769},"Kali365",[1768],{"type":251},{},{"nodeType":247,"value":1771,"marks":1772,"data":1773}," PhaaS platform based on an ",[],{},{"nodeType":278,"data":1775,"content":1777},{"uri":1776},"https://www.ic3.gov/PSA/2026/PSA260521",[1778],{"nodeType":247,"value":1779,"marks":1780,"data":1781},"FBI advisory",[],{},{"nodeType":247,"value":1783,"marks":1784,"data":1785}," and additional research from ",[],{},{"nodeType":278,"data":1787,"content":1789},{"uri":1788},"https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/",[1790],{"nodeType":247,"value":1791,"marks":1792,"data":1793},"Arctic Wolf",[],{},{"nodeType":247,"value":1795,"marks":1796,"data":1797},". This is yet another example of Device Code Phishing and AiTM phishing capabilities being integrated into unified phishing platforms. ",[],{},{"nodeType":1329,"data":1799,"content":1800},{},[1801,1824,1863,1886,1909],{"nodeType":1333,"data":1802,"content":1803},{},[1804,1814],{"nodeType":1337,"data":1805,"content":1806},{},[1807],{"nodeType":254,"data":1808,"content":1809},{},[1810],{"nodeType":247,"value":1344,"marks":1811,"data":1813},[1812],{"type":251},{},{"nodeType":1337,"data":1815,"content":1816},{},[1817],{"nodeType":254,"data":1818,"content":1819},{},[1820],{"nodeType":247,"value":1821,"marks":1822,"data":1823},"API on api.duemineral.uk:8443 and api.loadingdocuments.uk:8443 (rotates). ",[],{},{"nodeType":1333,"data":1825,"content":1826},{},[1827,1837],{"nodeType":1337,"data":1828,"content":1829},{},[1830],{"nodeType":254,"data":1831,"content":1832},{},[1833],{"nodeType":247,"value":1368,"marks":1834,"data":1836},[1835],{"type":251},{},{"nodeType":1337,"data":1838,"content":1839},{},[1840,1852],{"nodeType":254,"data":1841,"content":1842},{},[1843,1848],{"nodeType":247,"value":1844,"marks":1845,"data":1847},"Example IP: ",[1846],{"type":251},{},{"nodeType":247,"value":1849,"marks":1850,"data":1851},"162.243.166.119 (DigitalOcean AS14061)",[],{},{"nodeType":254,"data":1853,"content":1854},{},[1855,1859],{"nodeType":247,"value":1409,"marks":1856,"data":1858},[1857],{"type":251},{},{"nodeType":247,"value":1860,"marks":1861,"data":1862}," python-requests/2.32.5",[],{},{"nodeType":1333,"data":1864,"content":1865},{},[1866,1876],{"nodeType":1337,"data":1867,"content":1868},{},[1869],{"nodeType":254,"data":1870,"content":1871},{},[1872],{"nodeType":247,"value":1452,"marks":1873,"data":1875},[1874],{"type":251},{},{"nodeType":1337,"data":1877,"content":1878},{},[1879],{"nodeType":254,"data":1880,"content":1881},{},[1882],{"nodeType":247,"value":1883,"marks":1884,"data":1885},"GET /api/status/{numeric_SID} (port :8443)",[],{},{"nodeType":1333,"data":1887,"content":1888},{},[1889,1899],{"nodeType":1337,"data":1890,"content":1891},{},[1892],{"nodeType":254,"data":1893,"content":1894},{},[1895],{"nodeType":247,"value":1504,"marks":1896,"data":1898},[1897],{"type":251},{},{"nodeType":1337,"data":1900,"content":1901},{},[1902],{"nodeType":254,"data":1903,"content":1904},{},[1905],{"nodeType":247,"value":1906,"marks":1907,"data":1908},"SharePoint \"Team Site\" doc library, SharePoint \"Shared Document\" individual share",[],{},{"nodeType":1333,"data":1910,"content":1911},{},[1912,1922],{"nodeType":1337,"data":1913,"content":1914},{},[1915],{"nodeType":254,"data":1916,"content":1917},{},[1918],{"nodeType":247,"value":1727,"marks":1919,"data":1921},[1920],{"type":251},{},{"nodeType":1337,"data":1923,"content":1924},{},[1925],{"nodeType":254,"data":1926,"content":1927},{},[1928],{"nodeType":247,"value":1929,"marks":1930,"data":1931},"auth[.]duemineral[.]uk",[],{},{"nodeType":447,"data":1933,"content":1937},{"target":1934},{"sys":1935},{"id":1936,"type":452,"linkType":453},"Y1AiT3dJRTXz64pb68kca",[],{"nodeType":305,"data":1939,"content":1940},{},[],{"nodeType":1177,"data":1942,"content":1943},{},[1944],{"nodeType":247,"value":1945,"marks":1946,"data":1948},"“LINKID”",[1947],{"type":251},{},{"nodeType":1329,"data":1950,"content":1951},{},[1952,1975,2020,2050,2073],{"nodeType":1333,"data":1953,"content":1954},{},[1955,1965],{"nodeType":1337,"data":1956,"content":1957},{},[1958],{"nodeType":254,"data":1959,"content":1960},{},[1961],{"nodeType":247,"value":1344,"marks":1962,"data":1964},[1963],{"type":251},{},{"nodeType":1337,"data":1966,"content":1967},{},[1968],{"nodeType":254,"data":1969,"content":1970},{},[1971],{"nodeType":247,"value":1972,"marks":1973,"data":1974},"Adobe variant has Cloudflare challenge-platform iframe (CF-protected origin). Relative API paths — self-hosted.",[],{},{"nodeType":1333,"data":1976,"content":1977},{},[1978,1988],{"nodeType":1337,"data":1979,"content":1980},{},[1981],{"nodeType":254,"data":1982,"content":1983},{},[1984],{"nodeType":247,"value":1368,"marks":1985,"data":1987},[1986],{"type":251},{},{"nodeType":1337,"data":1989,"content":1990},{},[1991,2002,2009],{"nodeType":254,"data":1992,"content":1993},{},[1994,1998],{"nodeType":247,"value":1844,"marks":1995,"data":1997},[1996],{"type":251},{},{"nodeType":247,"value":1999,"marks":2000,"data":2001},"185.176.220.22 (2cloud.eu AS39845)",[],{},{"nodeType":254,"data":2003,"content":2004},{},[2005],{"nodeType":247,"value":2006,"marks":2007,"data":2008},"2600:1f10:470d:9a00:1437:ec30:be61:3494 (AWS AS16509)",[],{},{"nodeType":254,"data":2010,"content":2011},{},[2012,2016],{"nodeType":247,"value":1409,"marks":2013,"data":2015},[2014],{"type":251},{},{"nodeType":247,"value":2017,"marks":2018,"data":2019}," axios/1.10.0 , axios/1.13.6",[],{},{"nodeType":1333,"data":2021,"content":2022},{},[2023,2033],{"nodeType":1337,"data":2024,"content":2025},{},[2026],{"nodeType":254,"data":2027,"content":2028},{},[2029],{"nodeType":247,"value":1452,"marks":2030,"data":2032},[2031],{"type":251},{},{"nodeType":1337,"data":2034,"content":2035},{},[2036,2043],{"nodeType":254,"data":2037,"content":2038},{},[2039],{"nodeType":247,"value":2040,"marks":2041,"data":2042},"POST /api/device/start",[],{},{"nodeType":254,"data":2044,"content":2045},{},[2046],{"nodeType":247,"value":2047,"marks":2048,"data":2049},"GET /api/device/status/{sessionId}",[],{},{"nodeType":1333,"data":2051,"content":2052},{},[2053,2063],{"nodeType":1337,"data":2054,"content":2055},{},[2056],{"nodeType":254,"data":2057,"content":2058},{},[2059],{"nodeType":247,"value":1504,"marks":2060,"data":2062},[2061],{"type":251},{},{"nodeType":1337,"data":2064,"content":2065},{},[2066],{"nodeType":254,"data":2067,"content":2068},{},[2069],{"nodeType":247,"value":2070,"marks":2071,"data":2072},"MS Teams meeting invitation (with interactive date/time picker), Adobe Acrobat Sign document review",[],{},{"nodeType":1333,"data":2074,"content":2075},{},[2076,2086],{"nodeType":1337,"data":2077,"content":2078},{},[2079],{"nodeType":254,"data":2080,"content":2081},{},[2082],{"nodeType":247,"value":1727,"marks":2083,"data":2085},[2084],{"type":251},{},{"nodeType":1337,"data":2087,"content":2088},{},[2089],{"nodeType":254,"data":2090,"content":2091},{},[2092],{"nodeType":247,"value":2093,"marks":2094,"data":2095},"sdtr-site[.]cfd",[],{},{"nodeType":447,"data":2097,"content":2101},{"target":2098},{"sys":2099},{"id":2100,"type":452,"linkType":453},"22hsIzlkptC2JTIUtbOuUn",[],{"nodeType":305,"data":2103,"content":2104},{},[],{"nodeType":1177,"data":2106,"content":2107},{},[2108],{"nodeType":247,"value":2109,"marks":2110,"data":2112},"Device Code Lab (formerly codename \"AUTHOV”)",[2111],{"type":251},{},{"nodeType":447,"data":2114,"content":2118},{"target":2115},{"sys":2116},{"id":2117,"type":452,"linkType":453},"5vllVaa0Ry0wKs46ssrZLC",[],{"nodeType":1329,"data":2120,"content":2121},{},[2122,2145,2191,2214,2237],{"nodeType":1333,"data":2123,"content":2124},{},[2125,2135],{"nodeType":1337,"data":2126,"content":2127},{},[2128],{"nodeType":254,"data":2129,"content":2130},{},[2131],{"nodeType":247,"value":1344,"marks":2132,"data":2134},[2133],{"type":251},{},{"nodeType":1337,"data":2136,"content":2137},{},[2138],{"nodeType":254,"data":2139,"content":2140},{},[2141],{"nodeType":247,"value":2142,"marks":2143,"data":2144},"workers.dev",[],{},{"nodeType":1333,"data":2146,"content":2147},{},[2148,2158],{"nodeType":1337,"data":2149,"content":2150},{},[2151],{"nodeType":254,"data":2152,"content":2153},{},[2154],{"nodeType":247,"value":1368,"marks":2155,"data":2157},[2156],{"type":251},{},{"nodeType":1337,"data":2159,"content":2160},{},[2161,2172],{"nodeType":254,"data":2162,"content":2163},{},[2164,2168],{"nodeType":247,"value":1844,"marks":2165,"data":2167},[2166],{"type":251},{},{"nodeType":247,"value":2169,"marks":2170,"data":2171},"192.3.225.100 (HostPapa / ColoCrossing AS36352)",[],{},{"nodeType":254,"data":2173,"content":2174},{},[2175,2179,2182,2187],{"nodeType":247,"value":1409,"marks":2176,"data":2178},[2177],{"type":251},{},{"nodeType":247,"value":1414,"marks":2180,"data":2181},[],{},{"nodeType":247,"value":2183,"marks":2184,"data":2186}," ",[2185],{"type":251},{},{"nodeType":247,"value":2188,"marks":2189,"data":2190},"python-httpx/0.28.1",[],{},{"nodeType":1333,"data":2192,"content":2193},{},[2194,2204],{"nodeType":1337,"data":2195,"content":2196},{},[2197],{"nodeType":254,"data":2198,"content":2199},{},[2200],{"nodeType":247,"value":1452,"marks":2201,"data":2203},[2202],{"type":251},{},{"nodeType":1337,"data":2205,"content":2206},{},[2207],{"nodeType":254,"data":2208,"content":2209},{},[2210],{"nodeType":247,"value":2211,"marks":2212,"data":2213},"GET /landing/api/session-status?session_id=&token=",[],{},{"nodeType":1333,"data":2215,"content":2216},{},[2217,2227],{"nodeType":1337,"data":2218,"content":2219},{},[2220],{"nodeType":254,"data":2221,"content":2222},{},[2223],{"nodeType":247,"value":1504,"marks":2224,"data":2226},[2225],{"type":251},{},{"nodeType":1337,"data":2228,"content":2229},{},[2230],{"nodeType":254,"data":2231,"content":2232},{},[2233],{"nodeType":247,"value":2234,"marks":2235,"data":2236},"Adobe Acrobat document sharing (PDF preview, sender avatar)",[],{},{"nodeType":1333,"data":2238,"content":2239},{},[2240,2250],{"nodeType":1337,"data":2241,"content":2242},{},[2243],{"nodeType":254,"data":2244,"content":2245},{},[2246],{"nodeType":247,"value":1727,"marks":2247,"data":2249},[2248],{"type":251},{},{"nodeType":1337,"data":2251,"content":2252},{},[2253],{"nodeType":254,"data":2254,"content":2255},{},[2256],{"nodeType":247,"value":2257,"marks":2258,"data":2259},"milosh-solibella-0dcio[.]sgttommy.workers.dev",[],{},{"nodeType":447,"data":2261,"content":2265},{"target":2262},{"sys":2263},{"id":2264,"type":452,"linkType":453},"6szO6IKJ32usyxIKX1efZy",[],{"nodeType":447,"data":2267,"content":2271},{"target":2268},{"sys":2269},{"id":2270,"type":452,"linkType":453},"lEqV3RTMIY8y011lnhX7P",[],{"nodeType":305,"data":2273,"content":2274},{},[],{"nodeType":1177,"data":2276,"content":2277},{},[2278],{"nodeType":247,"value":2279,"marks":2280,"data":2282},"“DOCUPOLL”",[2281],{"type":251},{},{"nodeType":1329,"data":2284,"content":2285},{},[2286,2309,2347,2384,2407],{"nodeType":1333,"data":2287,"content":2288},{},[2289,2299],{"nodeType":1337,"data":2290,"content":2291},{},[2292],{"nodeType":254,"data":2293,"content":2294},{},[2295],{"nodeType":247,"value":1344,"marks":2296,"data":2298},[2297],{"type":251},{},{"nodeType":1337,"data":2300,"content":2301},{},[2302],{"nodeType":254,"data":2303,"content":2304},{},[2305],{"nodeType":247,"value":2306,"marks":2307,"data":2308},"Github.io and workers.dev hosting",[],{},{"nodeType":1333,"data":2310,"content":2311},{},[2312,2322],{"nodeType":1337,"data":2313,"content":2314},{},[2315],{"nodeType":254,"data":2316,"content":2317},{},[2318],{"nodeType":247,"value":1368,"marks":2319,"data":2321},[2320],{"type":251},{},{"nodeType":1337,"data":2323,"content":2324},{},[2325,2336],{"nodeType":254,"data":2326,"content":2327},{},[2328,2332],{"nodeType":247,"value":1844,"marks":2329,"data":2331},[2330],{"type":251},{},{"nodeType":247,"value":2333,"marks":2334,"data":2335},"144.172.103.240 (FranTech Solutions / RouterHosting / Cloudzy AS14956)",[],{},{"nodeType":254,"data":2337,"content":2338},{},[2339,2343],{"nodeType":247,"value":1409,"marks":2340,"data":2342},[2341],{"type":251},{},{"nodeType":247,"value":2344,"marks":2345,"data":2346}," Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19042",[],{},{"nodeType":1333,"data":2348,"content":2349},{},[2350,2360],{"nodeType":1337,"data":2351,"content":2352},{},[2353],{"nodeType":254,"data":2354,"content":2355},{},[2356],{"nodeType":247,"value":1452,"marks":2357,"data":2359},[2358],{"type":251},{},{"nodeType":1337,"data":2361,"content":2362},{},[2363,2370,2377],{"nodeType":254,"data":2364,"content":2365},{},[2366],{"nodeType":247,"value":2367,"marks":2368,"data":2369},"POST /api/v1/landing-pages/public/{slug}/init",[],{},{"nodeType":254,"data":2371,"content":2372},{},[2373],{"nodeType":247,"value":2374,"marks":2375,"data":2376},"POST .../poll",[],{},{"nodeType":254,"data":2378,"content":2379},{},[2380],{"nodeType":247,"value":2381,"marks":2382,"data":2383},"POST .../track",[],{},{"nodeType":1333,"data":2385,"content":2386},{},[2387,2397],{"nodeType":1337,"data":2388,"content":2389},{},[2390],{"nodeType":254,"data":2391,"content":2392},{},[2393],{"nodeType":247,"value":1504,"marks":2394,"data":2396},[2395],{"type":251},{},{"nodeType":1337,"data":2398,"content":2399},{},[2400],{"nodeType":254,"data":2401,"content":2402},{},[2403],{"nodeType":247,"value":2404,"marks":2405,"data":2406},"DocuSign document signing. One sample is a full scrape of real docusign.com (free-account page) with kit injected.",[],{},{"nodeType":1333,"data":2408,"content":2409},{},[2410,2420],{"nodeType":1337,"data":2411,"content":2412},{},[2413],{"nodeType":254,"data":2414,"content":2415},{},[2416],{"nodeType":247,"value":1727,"marks":2417,"data":2419},[2418],{"type":251},{},{"nodeType":1337,"data":2421,"content":2422},{},[2423],{"nodeType":254,"data":2424,"content":2425},{},[2426],{"nodeType":247,"value":2427,"marks":2428,"data":2429},"docufirmar[.]github.io",[],{},{"nodeType":447,"data":2431,"content":2435},{"target":2432},{"sys":2433},{"id":2434,"type":452,"linkType":453},"6Y1XABHnQD82R3MW80HnQZ",[],{"nodeType":305,"data":2437,"content":2438},{},[],{"nodeType":1177,"data":2440,"content":2441},{},[2442],{"nodeType":247,"value":2443,"marks":2444,"data":2446},"“FLOW_TOKEN”",[2445],{"type":251},{},{"nodeType":1329,"data":2448,"content":2449},{},[2450,2472,2517,2547,2570],{"nodeType":1333,"data":2451,"content":2452},{},[2453,2463],{"nodeType":1337,"data":2454,"content":2455},{},[2456],{"nodeType":254,"data":2457,"content":2458},{},[2459],{"nodeType":247,"value":1344,"marks":2460,"data":2462},[2461],{"type":251},{},{"nodeType":1337,"data":2464,"content":2465},{},[2466],{"nodeType":254,"data":2467,"content":2468},{},[2469],{"nodeType":247,"value":2142,"marks":2470,"data":2471},[],{},{"nodeType":1333,"data":2473,"content":2474},{},[2475,2485],{"nodeType":1337,"data":2476,"content":2477},{},[2478],{"nodeType":254,"data":2479,"content":2480},{},[2481],{"nodeType":247,"value":1368,"marks":2482,"data":2484},[2483],{"type":251},{},{"nodeType":1337,"data":2486,"content":2487},{},[2488,2499],{"nodeType":254,"data":2489,"content":2490},{},[2491,2495],{"nodeType":247,"value":1844,"marks":2492,"data":2494},[2493],{"type":251},{},{"nodeType":247,"value":2496,"marks":2497,"data":2498},"43.166.163.163 (Tencent Cloud AS132203)",[],{},{"nodeType":254,"data":2500,"content":2501},{},[2502,2506,2509,2513],{"nodeType":247,"value":1409,"marks":2503,"data":2505},[2504],{"type":251},{},{"nodeType":247,"value":1414,"marks":2507,"data":2508},[],{},{"nodeType":247,"value":2183,"marks":2510,"data":2512},[2511],{"type":251},{},{"nodeType":247,"value":2514,"marks":2515,"data":2516},"(null)",[],{},{"nodeType":1333,"data":2518,"content":2519},{},[2520,2530],{"nodeType":1337,"data":2521,"content":2522},{},[2523],{"nodeType":254,"data":2524,"content":2525},{},[2526],{"nodeType":247,"value":1452,"marks":2527,"data":2529},[2528],{"type":251},{},{"nodeType":1337,"data":2531,"content":2532},{},[2533,2540],{"nodeType":254,"data":2534,"content":2535},{},[2536],{"nodeType":247,"value":2537,"marks":2538,"data":2539},"POST /api/handler.php ",[],{},{"nodeType":254,"data":2541,"content":2542},{},[2543],{"nodeType":247,"value":2544,"marks":2545,"data":2546},"(actions: device_code_generate, device_code_poll_public)",[],{},{"nodeType":1333,"data":2548,"content":2549},{},[2550,2560],{"nodeType":1337,"data":2551,"content":2552},{},[2553],{"nodeType":254,"data":2554,"content":2555},{},[2556],{"nodeType":247,"value":1504,"marks":2557,"data":2559},[2558],{"type":251},{},{"nodeType":1337,"data":2561,"content":2562},{},[2563],{"nodeType":254,"data":2564,"content":2565},{},[2566],{"nodeType":247,"value":2567,"marks":2568,"data":2569},"DocuSign \"Salary Adjustment Document — 2026\", Microsoft banner · HR Department sender",[],{},{"nodeType":1333,"data":2571,"content":2572},{},[2573,2583],{"nodeType":1337,"data":2574,"content":2575},{},[2576],{"nodeType":254,"data":2577,"content":2578},{},[2579],{"nodeType":247,"value":1727,"marks":2580,"data":2582},[2581],{"type":251},{},{"nodeType":1337,"data":2584,"content":2585},{},[2586],{"nodeType":254,"data":2587,"content":2588},{},[2589],{"nodeType":247,"value":2590,"marks":2591,"data":2592},"salaryadjustment-2afb52.pmb6fefc52b3f9aa5c2dbf[.]workers.dev",[],{},{"nodeType":447,"data":2594,"content":2598},{"target":2595},{"sys":2596},{"id":2597,"type":452,"linkType":453},"6xiTDHStbiJh7LMhjAZcPd",[],{"nodeType":305,"data":2600,"content":2601},{},[],{"nodeType":1177,"data":2603,"content":2604},{},[2605],{"nodeType":247,"value":2606,"marks":2607,"data":2609},"“PAPRIKA”",[2608],{"type":251},{},{"nodeType":1329,"data":2611,"content":2612},{},[2613,2636,2659,2682],{"nodeType":1333,"data":2614,"content":2615},{},[2616,2626],{"nodeType":1337,"data":2617,"content":2618},{},[2619],{"nodeType":254,"data":2620,"content":2621},{},[2622],{"nodeType":247,"value":1344,"marks":2623,"data":2625},[2624],{"type":251},{},{"nodeType":1337,"data":2627,"content":2628},{},[2629],{"nodeType":254,"data":2630,"content":2631},{},[2632],{"nodeType":247,"value":2633,"marks":2634,"data":2635},"AWS S3 hosting",[],{},{"nodeType":1333,"data":2637,"content":2638},{},[2639,2649],{"nodeType":1337,"data":2640,"content":2641},{},[2642],{"nodeType":254,"data":2643,"content":2644},{},[2645],{"nodeType":247,"value":1452,"marks":2646,"data":2648},[2647],{"type":251},{},{"nodeType":1337,"data":2650,"content":2651},{},[2652],{"nodeType":254,"data":2653,"content":2654},{},[2655],{"nodeType":247,"value":2656,"marks":2657,"data":2658},"POST /api/v1/loader",[],{},{"nodeType":1333,"data":2660,"content":2661},{},[2662,2672],{"nodeType":1337,"data":2663,"content":2664},{},[2665],{"nodeType":254,"data":2666,"content":2667},{},[2668],{"nodeType":247,"value":1504,"marks":2669,"data":2671},[2670],{"type":251},{},{"nodeType":1337,"data":2673,"content":2674},{},[2675],{"nodeType":254,"data":2676,"content":2677},{},[2678],{"nodeType":247,"value":2679,"marks":2680,"data":2681},"MS login clone (\"Sign in to your account\"), \"Office 365\" branding, fake \"Powered by Okta\" footer",[],{},{"nodeType":1333,"data":2683,"content":2684},{},[2685,2695],{"nodeType":1337,"data":2686,"content":2687},{},[2688],{"nodeType":254,"data":2689,"content":2690},{},[2691],{"nodeType":247,"value":1727,"marks":2692,"data":2694},[2693],{"type":251},{},{"nodeType":1337,"data":2696,"content":2697},{},[2698],{"nodeType":254,"data":2699,"content":2700},{},[2701],{"nodeType":247,"value":2702,"marks":2703,"data":2704},"redirect-523346-d95027ec[.]s3.amazonaws.com",[],{},{"nodeType":447,"data":2706,"content":2710},{"target":2707},{"sys":2708},{"id":2709,"type":452,"linkType":453},"6WFXqUDzcJHKWSwVIcDZAf",[],{"nodeType":305,"data":2712,"content":2713},{},[],{"nodeType":1177,"data":2715,"content":2716},{},[2717],{"nodeType":247,"value":2718,"marks":2719,"data":2721},"“DCSTATUS”",[2720],{"type":251},{},{"nodeType":1329,"data":2723,"content":2724},{},[2725,2747,2770,2793],{"nodeType":1333,"data":2726,"content":2727},{},[2728,2738],{"nodeType":1337,"data":2729,"content":2730},{},[2731],{"nodeType":254,"data":2732,"content":2733},{},[2734],{"nodeType":247,"value":1344,"marks":2735,"data":2737},[2736],{"type":251},{},{"nodeType":1337,"data":2739,"content":2740},{},[2741],{"nodeType":254,"data":2742,"content":2743},{},[2744],{"nodeType":247,"value":1629,"marks":2745,"data":2746},[],{},{"nodeType":1333,"data":2748,"content":2749},{},[2750,2760],{"nodeType":1337,"data":2751,"content":2752},{},[2753],{"nodeType":254,"data":2754,"content":2755},{},[2756],{"nodeType":247,"value":1452,"marks":2757,"data":2759},[2758],{"type":251},{},{"nodeType":1337,"data":2761,"content":2762},{},[2763],{"nodeType":254,"data":2764,"content":2765},{},[2766],{"nodeType":247,"value":2767,"marks":2768,"data":2769},"GET /dc/status/{base64url_sid}",[],{},{"nodeType":1333,"data":2771,"content":2772},{},[2773,2783],{"nodeType":1337,"data":2774,"content":2775},{},[2776],{"nodeType":254,"data":2777,"content":2778},{},[2779],{"nodeType":247,"value":1504,"marks":2780,"data":2782},[2781],{"type":251},{},{"nodeType":1337,"data":2784,"content":2785},{},[2786],{"nodeType":254,"data":2787,"content":2788},{},[2789],{"nodeType":247,"value":2790,"marks":2791,"data":2792},"Generic \"Microsoft 365 - Secure Access\" verification page",[],{},{"nodeType":1333,"data":2794,"content":2795},{},[2796,2806],{"nodeType":1337,"data":2797,"content":2798},{},[2799],{"nodeType":254,"data":2800,"content":2801},{},[2802],{"nodeType":247,"value":1727,"marks":2803,"data":2805},[2804],{"type":251},{},{"nodeType":1337,"data":2807,"content":2808},{},[2809],{"nodeType":254,"data":2810,"content":2811},{},[2812],{"nodeType":247,"value":2813,"marks":2814,"data":2815},"owa[.]apmmacleans[.]ca",[],{},{"nodeType":447,"data":2817,"content":2821},{"target":2818},{"sys":2819},{"id":2820,"type":452,"linkType":453},"ugYhHeXY1lQdKooALmrIs",[],{"nodeType":305,"data":2823,"content":2824},{},[],{"nodeType":1177,"data":2826,"content":2827},{},[2828],{"nodeType":247,"value":2829,"marks":2830,"data":2832},"“DOLCE”",[2831],{"type":251},{},{"nodeType":447,"data":2834,"content":2838},{"target":2835},{"sys":2836},{"id":2837,"type":452,"linkType":453},"7TzU6kk01Un45NB0buEz2",[],{"nodeType":1329,"data":2840,"content":2841},{},[2842,2865,2903,2926,2949],{"nodeType":1333,"data":2843,"content":2844},{},[2845,2855],{"nodeType":1337,"data":2846,"content":2847},{},[2848],{"nodeType":254,"data":2849,"content":2850},{},[2851],{"nodeType":247,"value":1344,"marks":2852,"data":2854},[2853],{"type":251},{},{"nodeType":1337,"data":2856,"content":2857},{},[2858],{"nodeType":254,"data":2859,"content":2860},{},[2861],{"nodeType":247,"value":2862,"marks":2863,"data":2864},"Microsoft PowerApps hosting",[],{},{"nodeType":1333,"data":2866,"content":2867},{},[2868,2878],{"nodeType":1337,"data":2869,"content":2870},{},[2871],{"nodeType":254,"data":2872,"content":2873},{},[2874],{"nodeType":247,"value":1368,"marks":2875,"data":2877},[2876],{"type":251},{},{"nodeType":1337,"data":2879,"content":2880},{},[2881,2892],{"nodeType":254,"data":2882,"content":2883},{},[2884,2888],{"nodeType":247,"value":1844,"marks":2885,"data":2887},[2886],{"type":251},{},{"nodeType":247,"value":2889,"marks":2890,"data":2891},"34.53.159.84 (Google Cloud AS396982)",[],{},{"nodeType":254,"data":2893,"content":2894},{},[2895,2899],{"nodeType":247,"value":1409,"marks":2896,"data":2898},[2897],{"type":251},{},{"nodeType":247,"value":2900,"marks":2901,"data":2902}," Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",[],{},{"nodeType":1333,"data":2904,"content":2905},{},[2906,2916],{"nodeType":1337,"data":2907,"content":2908},{},[2909],{"nodeType":254,"data":2910,"content":2911},{},[2912],{"nodeType":247,"value":1452,"marks":2913,"data":2915},[2914],{"type":251},{},{"nodeType":1337,"data":2917,"content":2918},{},[2919],{"nodeType":254,"data":2920,"content":2921},{},[2922],{"nodeType":247,"value":2923,"marks":2924,"data":2925},"GET /api/generatecode (CloudFront)",[],{},{"nodeType":1333,"data":2927,"content":2928},{},[2929,2939],{"nodeType":1337,"data":2930,"content":2931},{},[2932],{"nodeType":254,"data":2933,"content":2934},{},[2935],{"nodeType":247,"value":1504,"marks":2936,"data":2938},[2937],{"type":251},{},{"nodeType":1337,"data":2940,"content":2941},{},[2942],{"nodeType":254,"data":2943,"content":2944},{},[2945],{"nodeType":247,"value":2946,"marks":2947,"data":2948},"Dolce & Gabbana branded, Italian language, MS account verification",[],{},{"nodeType":1333,"data":2950,"content":2951},{},[2952,2962],{"nodeType":1337,"data":2953,"content":2954},{},[2955],{"nodeType":254,"data":2956,"content":2957},{},[2958],{"nodeType":247,"value":1727,"marks":2959,"data":2961},[2960],{"type":251},{},{"nodeType":1337,"data":2963,"content":2964},{},[2965],{"nodeType":254,"data":2966,"content":2967},{},[2968],{"nodeType":247,"value":2969,"marks":2970,"data":2971},"data-migration-dolcegabbana[.]powerappsportals.com",[],{},{"nodeType":447,"data":2973,"content":2977},{"target":2974},{"sys":2975},{"id":2976,"type":452,"linkType":453},"4ayQDvpf5NNOBrj9wZZRiO",[],{"nodeType":305,"data":2979,"content":2980},{},[],{"nodeType":1177,"data":2982,"content":2983},{},[2984],{"nodeType":247,"value":2985,"marks":2986,"data":2988},"Venom",[2987],{"type":251},{},{"nodeType":1329,"data":2990,"content":2991},{},[2992,3015],{"nodeType":1333,"data":2993,"content":2994},{},[2995,3005],{"nodeType":1337,"data":2996,"content":2997},{},[2998],{"nodeType":254,"data":2999,"content":3000},{},[3001],{"nodeType":247,"value":1452,"marks":3002,"data":3004},[3003],{"type":251},{},{"nodeType":1337,"data":3006,"content":3007},{},[3008],{"nodeType":254,"data":3009,"content":3010},{},[3011],{"nodeType":247,"value":3012,"marks":3013,"data":3014},"POST /token/api/device/start\nGET /token/api/device/status/{sessionId}",[],{},{"nodeType":1333,"data":3016,"content":3017},{},[3018,3028],{"nodeType":1337,"data":3019,"content":3020},{},[3021],{"nodeType":254,"data":3022,"content":3023},{},[3024],{"nodeType":247,"value":1504,"marks":3025,"data":3027},[3026],{"type":251},{},{"nodeType":1337,"data":3029,"content":3030},{},[3031],{"nodeType":254,"data":3032,"content":3033},{},[3034],{"nodeType":247,"value":3035,"marks":3036,"data":3037},"Various: examples include DocuSign \"Verification\" (Microsoft sign-in pretext); DHL \"Delivery Checkpoint\" package shipment pretext",[],{},{"nodeType":447,"data":3039,"content":3043},{"target":3040},{"sys":3041},{"id":3042,"type":452,"linkType":453},"79C3fces0hgTdf3G68cIrf",[],{"nodeType":305,"data":3045,"content":3046},{},[],{"nodeType":1177,"data":3048,"content":3049},{},[3050],{"nodeType":247,"value":3051,"marks":3052,"data":3054},"Tycoon2FA",[3053],{"type":251},{},{"nodeType":1329,"data":3056,"content":3057},{},[3058,3088,3125,3148,3171],{"nodeType":1333,"data":3059,"content":3060},{},[3061,3071],{"nodeType":1337,"data":3062,"content":3063},{},[3064],{"nodeType":254,"data":3065,"content":3066},{},[3067],{"nodeType":247,"value":1344,"marks":3068,"data":3070},[3069],{"type":251},{},{"nodeType":1337,"data":3072,"content":3073},{},[3074,3081],{"nodeType":254,"data":3075,"content":3076},{},[3077],{"nodeType":247,"value":3078,"marks":3079,"data":3080},"Github.io and Cloudflare Workers (workers.dev) hosting",[],{},{"nodeType":254,"data":3082,"content":3083},{},[3084],{"nodeType":247,"value":3085,"marks":3086,"data":3087},"Compromised-site landing pages and CF Workers (*.workers.dev) used as frontends; victim email passed in URL as last path segment ($base64) or ?acct/?encoded query",[],{},{"nodeType":1333,"data":3089,"content":3090},{},[3091,3101],{"nodeType":1337,"data":3092,"content":3093},{},[3094],{"nodeType":254,"data":3095,"content":3096},{},[3097],{"nodeType":247,"value":1368,"marks":3098,"data":3100},[3099],{"type":251},{},{"nodeType":1337,"data":3102,"content":3103},{},[3104,3115],{"nodeType":254,"data":3105,"content":3106},{},[3107,3111],{"nodeType":247,"value":1844,"marks":3108,"data":3110},[3109],{"type":251},{},{"nodeType":247,"value":3112,"marks":3113,"data":3114},"47.253.5.88 (Alibaba Cloud)",[],{},{"nodeType":254,"data":3116,"content":3117},{},[3118,3122],{"nodeType":247,"value":1409,"marks":3119,"data":3121},[3120],{"type":251},{},{"nodeType":247,"value":1668,"marks":3123,"data":3124},[],{},{"nodeType":1333,"data":3126,"content":3127},{},[3128,3138],{"nodeType":1337,"data":3129,"content":3130},{},[3131],{"nodeType":254,"data":3132,"content":3133},{},[3134],{"nodeType":247,"value":1452,"marks":3135,"data":3137},[3136],{"type":251},{},{"nodeType":1337,"data":3139,"content":3140},{},[3141],{"nodeType":254,"data":3142,"content":3143},{},[3144],{"nodeType":247,"value":3145,"marks":3146,"data":3147},"GET /api/session/{UUIDv4} polled with header X-API-Key: \u003Cprefix>_\u003C64-hex> (key materialised at runtime via atob(window.__cyb3r.k)) \nPOST /api/device-code with body {\"prt_foci_session_id\": \"\u003CUUID>\"} (second-stage code retrieval after initial session error)",[],{},{"nodeType":1333,"data":3149,"content":3150},{},[3151,3161],{"nodeType":1337,"data":3152,"content":3153},{},[3154],{"nodeType":254,"data":3155,"content":3156},{},[3157],{"nodeType":247,"value":1504,"marks":3158,"data":3160},[3159],{"type":251},{},{"nodeType":1337,"data":3162,"content":3163},{},[3164],{"nodeType":254,"data":3165,"content":3166},{},[3167],{"nodeType":247,"value":3168,"marks":3169,"data":3170},"Various: SharePoint \"Remittance Advice\"; Microsoft 365 generic sign-in; Microsoft 365 Voicemail (.mp3 attachment); OneDrive \"Shared file\"; German \"Sicheres Dokumentenportal\" PDF lure",[],{},{"nodeType":1333,"data":3172,"content":3173},{},[3174,3184],{"nodeType":1337,"data":3175,"content":3176},{},[3177],{"nodeType":254,"data":3178,"content":3179},{},[3180],{"nodeType":247,"value":1727,"marks":3181,"data":3183},[3182],{"type":251},{},{"nodeType":1337,"data":3185,"content":3186},{},[3187],{"nodeType":254,"data":3188,"content":3189},{},[3190],{"nodeType":247,"value":3191,"marks":3192,"data":3193},"afriqbeauglobal[.]com/homepage/index[.]html",[],{},{"nodeType":447,"data":3195,"content":3199},{"target":3196},{"sys":3197},{"id":3198,"type":452,"linkType":453},"3UDzUCCizPJhXp3SsoZuSK",[],{"nodeType":305,"data":3201,"content":3202},{},[],{"nodeType":1177,"data":3204,"content":3205},{},[3206],{"nodeType":247,"value":3207,"marks":3208,"data":3210},"\"CYB3R\"",[3209],{"type":251},{},{"nodeType":1329,"data":3212,"content":3213},{},[3214,3237,3275,3297,3320],{"nodeType":1333,"data":3215,"content":3216},{},[3217,3227],{"nodeType":1337,"data":3218,"content":3219},{},[3220],{"nodeType":254,"data":3221,"content":3222},{},[3223],{"nodeType":247,"value":1344,"marks":3224,"data":3226},[3225],{"type":251},{},{"nodeType":1337,"data":3228,"content":3229},{},[3230],{"nodeType":254,"data":3231,"content":3232},{},[3233],{"nodeType":247,"value":3234,"marks":3235,"data":3236},"Cloudflare Workers (workers.dev) hosting",[],{},{"nodeType":1333,"data":3238,"content":3239},{},[3240,3250],{"nodeType":1337,"data":3241,"content":3242},{},[3243],{"nodeType":254,"data":3244,"content":3245},{},[3246],{"nodeType":247,"value":1368,"marks":3247,"data":3249},[3248],{"type":251},{},{"nodeType":1337,"data":3251,"content":3252},{},[3253,3264],{"nodeType":254,"data":3254,"content":3255},{},[3256,3260],{"nodeType":247,"value":1844,"marks":3257,"data":3259},[3258],{"type":251},{},{"nodeType":247,"value":3261,"marks":3262,"data":3263},"2400:8d60:2::1:c116:843e (Evoxt VPS)",[],{},{"nodeType":254,"data":3265,"content":3266},{},[3267,3271],{"nodeType":247,"value":1409,"marks":3268,"data":3270},[3269],{"type":251},{},{"nodeType":247,"value":3272,"marks":3273,"data":3274}," axios/1.13.6",[],{},{"nodeType":1333,"data":3276,"content":3277},{},[3278,3288],{"nodeType":1337,"data":3279,"content":3280},{},[3281],{"nodeType":254,"data":3282,"content":3283},{},[3284],{"nodeType":247,"value":1452,"marks":3285,"data":3287},[3286],{"type":251},{},{"nodeType":1337,"data":3289,"content":3290},{},[3291],{"nodeType":254,"data":3292,"content":3293},{},[3294],{"nodeType":247,"value":3145,"marks":3295,"data":3296},[],{},{"nodeType":1333,"data":3298,"content":3299},{},[3300,3310],{"nodeType":1337,"data":3301,"content":3302},{},[3303],{"nodeType":254,"data":3304,"content":3305},{},[3306],{"nodeType":247,"value":1504,"marks":3307,"data":3309},[3308],{"type":251},{},{"nodeType":1337,"data":3311,"content":3312},{},[3313],{"nodeType":254,"data":3314,"content":3315},{},[3316],{"nodeType":247,"value":3317,"marks":3318,"data":3319},"DocuSign in Spanish (\"Documento Firmar — COTIZACIÓN/ESTIMACIÓN.pdf\", \"Complete su firma\", \"Verifique su identidad\", \"Continuar a Microsoft\").",[],{},{"nodeType":1333,"data":3321,"content":3322},{},[3323,3333],{"nodeType":1337,"data":3324,"content":3325},{},[3326],{"nodeType":254,"data":3327,"content":3328},{},[3329],{"nodeType":247,"value":1727,"marks":3330,"data":3332},[3331],{"type":251},{},{"nodeType":1337,"data":3334,"content":3335},{},[3336],{"nodeType":254,"data":3337,"content":3338},{},[3339],{"nodeType":247,"value":3340,"marks":3341,"data":3342},"muzagestion[.]secure-share[.]workers.dev",[],{},{"nodeType":447,"data":3344,"content":3348},{"target":3345},{"sys":3346},{"id":3347,"type":452,"linkType":453},"5EU0QNteiQcYybKG1W1cS3",[],{"nodeType":305,"data":3350,"content":3351},{},[],{"nodeType":243,"data":3353,"content":3354},{},[3355],{"nodeType":247,"value":3356,"marks":3357,"data":3359},"Device code phishing under the hood",[3358],{"type":251},{},{"nodeType":254,"data":3361,"content":3362},{},[3363,3367],{"nodeType":247,"value":3364,"marks":3365,"data":3366},"The attacker POSTs to the authorization server's device authorization endpoint with its client_id (i.e. an application ID) and requested scopes or resources. The server responds with a device_code (used for polling), a user_code, a verification_uri, an expires_in value, and a polling interval. The user visits the URL, enters the code and approves the request. Meanwhile, the device polls the token endpoint. Once approved, the server returns an access token, a refresh token (if offline_access was requested), and an ID token (if openid was included). ",[],{},{"nodeType":247,"value":3368,"marks":3369,"data":3371},"The attacker now has API access to the victim's account. ",[3370],{"type":251},{},{"nodeType":254,"data":3373,"content":3374},{},[3375],{"nodeType":247,"value":3376,"marks":3377,"data":3378},"Broadly, this gives the attacker a comparable level of control to a “normal” phishing attack (with conditions based on the scopes granted and specific app being targeted) while API access grants additional capabilities beyond standard browser sessions. When combined with other techniques, this access can be exchanged to open normal browser app sessions and access SSO connected apps.",[],{},{"nodeType":447,"data":3380,"content":3384},{"target":3381},{"sys":3382},{"id":3383,"type":452,"linkType":453},"4WtQR2xsE236yoyhSXj58Z",[],{"nodeType":447,"data":3386,"content":3390},{"target":3387},{"sys":3388},{"id":3389,"type":452,"linkType":453},"1x7Lip7JdY2xlHKKurT7qJ",[],{"nodeType":254,"data":3392,"content":3393},{},[3394],{"nodeType":247,"value":3395,"marks":3396,"data":3397},"At this point, you can achieve a number of objectives both inside the app ecosystem and across SSO connected apps — e.g. data theft, disruption, and ultimately extortion.",[],{},{"nodeType":254,"data":3399,"content":3400},{},[3401,3405,3410,3414],{"nodeType":247,"value":3402,"marks":3403,"data":3404},"Critically, the initial request to generate a device code is typically ",[],{},{"nodeType":247,"value":3406,"marks":3407,"data":3409},"unauthenticated",[3408],{"type":251},{},{"nodeType":247,"value":3411,"marks":3412,"data":3413}," across all providers — ",[],{},{"nodeType":247,"value":3415,"marks":3416,"data":3418},"anyone can generate one, from any machine, without proving any relationship to the target organization.",[3417],{"type":251},{},{"nodeType":254,"data":3420,"content":3421},{},[3422,3426,3431],{"nodeType":247,"value":3423,"marks":3424,"data":3425},"So, the attacker has to deliver a set of instructions via a phishing channel (e.g. email, social media DM, corp IM platform, and so on) with a device code that they have generated. The victim then enters this code on the ",[],{},{"nodeType":247,"value":3427,"marks":3428,"data":3430},"legitimate device code login page",[3429],{"type":251},{},{"nodeType":247,"value":3432,"marks":3433,"data":3434}," for that app and issues the tokens to the attacker.",[],{},{"nodeType":447,"data":3436,"content":3440},{"target":3437},{"sys":3438},{"id":3439,"type":452,"linkType":453},"1txUYuQjH9FlbDGTo8AbZB",[],{"nodeType":305,"data":3442,"content":3443},{},[],{"nodeType":243,"data":3445,"content":3446},{},[3447],{"nodeType":247,"value":3448,"marks":3449,"data":3451},"Why device code phishing is so dangerous",[3450],{"type":251},{},{"nodeType":1177,"data":3453,"content":3454},{},[3455],{"nodeType":247,"value":3456,"marks":3457,"data":3459},"Device code phishing bypasses authentication controls (including passkeys)",[3458],{"type":251},{},{"nodeType":254,"data":3461,"content":3462},{},[3463,3467,3472,3476],{"nodeType":247,"value":3464,"marks":3465,"data":3466},"A device code phishing attack ",[],{},{"nodeType":247,"value":3468,"marks":3469,"data":3471},"cannot be prevented with authentication controls",[3470],{"type":251},{},{"nodeType":247,"value":3473,"marks":3474,"data":3475},". This includes all forms of MFA and ",[],{},{"nodeType":247,"value":3477,"marks":3478,"data":3480},"even “phishing-resistant” authentication methods such as passkeys. ",[3479],{"type":251},{},{"nodeType":254,"data":3482,"content":3483},{},[3484,3489,3493,3498],{"nodeType":247,"value":3485,"marks":3486,"data":3488},"The device code authorization is effectively performed post-authentication. ",[3487],{"type":251},{},{"nodeType":247,"value":3490,"marks":3491,"data":3492},"If you already have an active session in your browser, entering the device code and selecting your account from a drop-down menu is all that's needed. ",[],{},{"nodeType":247,"value":3494,"marks":3495,"data":3497},"No password or MFA required. ",[3496],{"type":251},{},{"nodeType":247,"value":3499,"marks":3500,"data":3501},"You can see an example in the video below.",[],{},{"nodeType":447,"data":3503,"content":3506},{"target":3504},{"sys":3505},{"id":2434,"type":452,"linkType":453},[],{"nodeType":254,"data":3508,"content":3509},{},[3510],{"nodeType":247,"value":3511,"marks":3512,"data":3513},"Even if you do have to sign in again (because you're not already signed in for some reason), the attack still works because it isn't targeting the login — it's targeting the authorization layer instead.",[],{},{"nodeType":254,"data":3515,"content":3516},{},[3517],{"nodeType":247,"value":3518,"marks":3519,"data":3520},"This is what makes device code phishing different to other standard phishing methods like AiTM phishing (and arguably even more effective in environments with strict identity control enforcement). ",[],{},{"nodeType":1177,"data":3522,"content":3523},{},[3524],{"nodeType":247,"value":3525,"marks":3526,"data":3528},"Device code logins are a feature, not a vulnerability, making attacks difficult to block",[3527],{"type":251},{},{"nodeType":254,"data":3530,"content":3531},{},[3532],{"nodeType":247,"value":3533,"marks":3534,"data":3535},"Device code authorization is a legitimate mechanism regularly used in enterprise environments, particularly for CLI logins. Tools like Azure CLI, GitHub CLI, and AWS CLI all use (or have used) the device code flow as a primary or fallback authentication method. This creates a dual problem for defenders. ",[],{},{"nodeType":254,"data":3537,"content":3538},{},[3539],{"nodeType":247,"value":3540,"marks":3541,"data":3542},"First, the phishing attack happens entirely on a legitimate site — there's no fake login page, no malicious payload to scan for, and the URL in the browser is genuine. Since there's no traditional phishing content being delivered, these attacks are more resistant to detection by email and network security tools.",[],{},{"nodeType":254,"data":3544,"content":3545},{},[3546],{"nodeType":247,"value":3547,"marks":3548,"data":3549},"Second, the widespread legitimate use of device code flow — particularly among developers and technical users — normalizes the experience of entering device codes. A phishing lure asking them to do the same thing is indistinguishable from a legitimate IT request. And for non-technical users, this experience isn't much different to, for example, entering a code sent via email or authenticator app. ",[],{},{"nodeType":1177,"data":3551,"content":3552},{},[3553],{"nodeType":247,"value":3554,"marks":3555,"data":3557},"Multiple apps are vulnerable, with different risk profiles",[3556],{"type":251},{},{"nodeType":254,"data":3559,"content":3560},{},[3561],{"nodeType":247,"value":3562,"marks":3563,"data":3564},"Various apps implement the device code flow, each with different levels of control and default security, but the risk is not uniform across platforms. ",[],{},{"nodeType":1023,"data":3566,"content":3567},{},[3568,3583,3597],{"nodeType":1027,"data":3569,"content":3570},{},[3571],{"nodeType":254,"data":3572,"content":3573},{},[3574,3579],{"nodeType":247,"value":3575,"marks":3576,"data":3578},"Google Workspace ",[3577],{"type":251},{},{"nodeType":247,"value":3580,"marks":3581,"data":3582},"is a significantly lower-risk target because Google explicitly limits which scopes are available to the device code flow — Gmail, Calendar, and most Workspace APIs are simply unavailable through this mechanism. ",[],{},{"nodeType":1027,"data":3584,"content":3585},{},[3586],{"nodeType":254,"data":3587,"content":3588},{},[3589,3593],{"nodeType":247,"value":1042,"marks":3590,"data":3592},[3591],{"type":251},{},{"nodeType":247,"value":3594,"marks":3595,"data":3596}," offers the broadest attack surface due to unrestricted scopes, reusable first-party client IDs, and the FOCI/PRT escalation paths. ",[],{},{"nodeType":1027,"data":3598,"content":3599},{},[3600],{"nodeType":254,"data":3601,"content":3602},{},[3603,3607,3612],{"nodeType":247,"value":3604,"marks":3605,"data":3606},"Apps like ",[],{},{"nodeType":247,"value":3608,"marks":3609,"data":3611},"GitHub",[3610],{"type":251},{},{"nodeType":247,"value":3613,"marks":3614,"data":3615}," sit in between — broad scopes are available (including full repository access), but the attacker must control their own OAuth app and the victim sees an explicit consent screen. ",[],{},{"nodeType":447,"data":3617,"content":3621},{"target":3618},{"sys":3619},{"id":3620,"type":452,"linkType":453},"ejNSC76jge1p1zzz9wwiG",[],{"nodeType":305,"data":3623,"content":3624},{},[],{"nodeType":243,"data":3626,"content":3627},{},[3628],{"nodeType":247,"value":3629,"marks":3630,"data":3632},"Security recommendations",[3631],{"type":251},{},{"nodeType":254,"data":3634,"content":3635},{},[3636],{"nodeType":247,"value":3637,"marks":3638,"data":3639},"Security teams need to consider the risk posed by device code phishing across multiple apps where device code authorization grants are common, particularly for developers and technical users. ",[],{},{"nodeType":254,"data":3641,"content":3642},{},[3643],{"nodeType":247,"value":3644,"marks":3645,"data":3646},"In an ideal world, you would simply block device code logins. But this can’t be done without causing serious disruption in some environments, while some apps simply don’t provide the tools required to do so. For example, device code is the default CLI sign-in method for GitHub. Developer-heavy organizations are likely to encounter higher levels of legitimate use.",[],{},{"nodeType":254,"data":3648,"content":3649},{},[3650,3654,3663,3667,3672,3676,3681,3685,3690],{"nodeType":247,"value":3651,"marks":3652,"data":3653},"Microsoft arguably offers the strongest control options (other than Google, who negate it right out of the gate), though they do require a fair amount of work. ",[],{},{"nodeType":278,"data":3655,"content":3657},{"uri":3656},"https://techcommunity.microsoft.com/blog/microsoft-entra-blog/new-microsoft-managed-policies-to-raise-your-identity-security-posture/4286758",[3658],{"nodeType":247,"value":3659,"marks":3660,"data":3662},"Microsoft now explicitly recommends",[3661],{"type":539},{},{"nodeType":247,"value":3664,"marks":3665,"data":3666}," blocking device code flow for tenants that haven't used it in the past 25 days. Their guidance is to create a custom CA policy: target relevant users, set the ",[],{},{"nodeType":247,"value":3668,"marks":3669,"data":3671},"Authentication Flows",[3670],{"type":251},{},{"nodeType":247,"value":3673,"marks":3674,"data":3675}," condition to block ",[],{},{"nodeType":247,"value":3677,"marks":3678,"data":3680},"Device Code Flow",[3679],{"type":251},{},{"nodeType":247,"value":3682,"marks":3683,"data":3684},", and set the grant control to ",[],{},{"nodeType":247,"value":3686,"marks":3687,"data":3689},"Block Access",[3688],{"type":251},{},{"nodeType":247,"value":3691,"marks":3692,"data":3693},". Deploy in report-only mode first to identify any legitimate device code usage, then enforce with narrow exceptions.",[],{},{"nodeType":447,"data":3695,"content":3699},{"target":3696},{"sys":3697},{"id":3698,"type":452,"linkType":453},"mQIj2o9xRzkZYKNmanB25",[],{"nodeType":254,"data":3701,"content":3702},{},[3703],{"nodeType":247,"value":3704,"marks":3705,"data":3706},"For other apps, you’re mainly limited to monitoring and response. Ensuring you’re getting authentication logs for these apps is vital, and searching for unusual access patterns (e.g. unusual login protocols, having different IPs for the authorization grant and subsequent account activity). ",[],{},{"nodeType":305,"data":3708,"content":3709},{},[],{"nodeType":243,"data":3711,"content":3712},{},[3713],{"nodeType":247,"value":3714,"marks":3715,"data":3717},"How Push Security can help",[3716],{"type":251},{},{"nodeType":254,"data":3719,"content":3720},{},[3721],{"nodeType":247,"value":3722,"marks":3723,"data":3724},"Push customers can use our browser-based capabilities to overcome the limitations of app-level controls and detect, intercept, and shut down attacks in real time. ",[],{},{"nodeType":254,"data":3726,"content":3727},{},[3728],{"nodeType":247,"value":3729,"marks":3730,"data":3731},"Our research team is already tracking multiple device code phishing campaigns and toolkits, including the EvilTokens kit. Blocking controls are already in place to prevent customers from interacting with malicious pages that match our detections for these new toolkits, ensuring that these pages can be identified and blocked in real time regardless of the infrastructure. ",[],{},{"nodeType":254,"data":3733,"content":3734},{},[3735,3739,3748],{"nodeType":247,"value":3736,"marks":3737,"data":3738},"Using Push you can also ",[],{},{"nodeType":278,"data":3740,"content":3742},{"uri":3741},"https://pushsecurity.com/help/can-i-use-push-to-help-protect-against-device-code-phishing-scenarios/",[3743],{"nodeType":247,"value":3744,"marks":3745,"data":3747},"configure in-browser warnings",[3746],{"type":539},{},{"nodeType":247,"value":3749,"marks":3750,"data":3751}," whenever a user accesses a URL used for device code logins. This provides universal, last-mile protection against even ‘zero-day’ device code phishing attacks using previously unidentified toolkits.  ",[],{},{"nodeType":447,"data":3753,"content":3757},{"target":3754},{"sys":3755},{"id":3756,"type":452,"linkType":453},"3JsbGaOKSS3INzBUJpoh1W",[],{"nodeType":254,"data":3759,"content":3760},{},[3761],{"nodeType":247,"value":3762,"marks":3763,"data":3764},"When a user visits those URLs, Push will also emit a webhook event that the banner was shown and acknowledged. If a user opts to proceed, you can treat this as a high-fidelity alert for your security team to investigate, providing app-agnostic telemetry that may not already be provided in your logs from that particular vendor. You can also simply use Push to block users from accessing device login pages if you’re confident that disruption won’t be caused. ",[],{},{"nodeType":1177,"data":3766,"content":3767},{},[3768],{"nodeType":247,"value":3769,"marks":3770,"data":3772},"Learn more about Push",[3771],{"type":251},{},{"nodeType":254,"data":3774,"content":3775},{},[3776],{"nodeType":247,"value":3777,"marks":3778,"data":3779},"Push Security's browser-based security platform detects and blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. You don't need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":254,"data":3781,"content":3782},{},[3783,3787,3796,3799,3808,3812,3820],{"nodeType":247,"value":3784,"marks":3785,"data":3786},"To learn more about Push, ",[],{},{"nodeType":278,"data":3788,"content":3790},{"uri":3789},"https://pushsecurity.com/resources/product-brochure",[3791],{"nodeType":247,"value":3792,"marks":3793,"data":3795},"check out our latest product overview",[3794],{"type":539},{},{"nodeType":247,"value":542,"marks":3797,"data":3798},[],{},{"nodeType":278,"data":3800,"content":3802},{"uri":3801},"https://pushsecurity.com/product-demo/",[3803],{"nodeType":247,"value":3804,"marks":3805,"data":3807},"view our demo library",[3806],{"type":539},{},{"nodeType":247,"value":3809,"marks":3810,"data":3811},", or ",[],{},{"nodeType":278,"data":3813,"content":3814},{"uri":766},[3815],{"nodeType":247,"value":3816,"marks":3817,"data":3819},"book some time with one of our team for a live demo",[3818],{"type":539},{},{"nodeType":247,"value":339,"marks":3821,"data":3822},[],{},"Device code phishing attacks have skyrocketed: here’s what you need to know","Device code phishing is seeing a huge spike in adoption in 2026, enabling attackers to steal access tokens while bypassing standard access controls.","2026-04-04T00:00:00.000Z","device-code-phishing",{"items":3828},[3829,3833],{"sys":3830,"name":3832},{"id":3831},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":3834,"name":3836},{"id":3835},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":3838},[3839],{"fullName":3840,"firstName":3841,"jobTitle":3842,"profilePicture":3843},"Luke Jennings","Luke","Vice President, R&D",{"url":3844},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"__typename":808,"sys":3846,"content":3848,"title":5085,"synopsis":5086,"hashTags":62,"publishedDate":5087,"slug":5088,"tagsCollection":5089,"authorsCollection":5099},{"id":3847},"6MoHWfQlVildcFYKSbfMcE",{"json":3849},{"nodeType":239,"data":3850,"content":3851},{},[3852,3868,3874,3881,3888,3894,3897,3905,3913,3932,3979,3985,4000,4003,4011,4018,4046,4086,4093,4096,4104,4112,4119,4125,4132,4135,4143,4150,4192,4229,4236,4239,4247,4254,4279,4286,4332,4339,4342,4350,4358,4404,4411,4417,4420,4428,4436,4469,4476,4482,4489,4492,4500,4508,4537,4544,4551,4558,4561,4569,4577,4584,4590,4597,4620,4649,4652,4660,4668,4675,4682,4685,4693,4756,4759,4767,4774,5065,5068],{"nodeType":254,"data":3853,"content":3854},{},[3855,3859,3864],{"nodeType":247,"value":3856,"marks":3857,"data":3858},"Browser security solutions are one of the most significant additions to the enterprise security stack in recent years — and the data shows it. The browser is where ",[],{},{"nodeType":247,"value":3860,"marks":3861,"data":3863},"85% of work now happens",[3862],{"type":251},{},{"nodeType":247,"value":3865,"marks":3866,"data":3867},", where AI tools are accessed, and where attackers increasingly choose to strike.",[],{},{"nodeType":447,"data":3869,"content":3873},{"target":3870},{"sys":3871},{"id":3872,"type":452,"linkType":453},"5P6PyFbn4EakRNlIWtNzyL",[],{"nodeType":254,"data":3875,"content":3876},{},[3877],{"nodeType":247,"value":3878,"marks":3879,"data":3880},"But browser security is a nascent category. Getting a clear picture of which solution is right for your team, and how to get the most out of it, isn't straightforward. Current solutions on the market serve a wide range of IT and security use cases, with varying degrees of depth and differentiation across them. Not all use cases are equal in terms of their security value, and not all of them are best addressed in the browser.",[],{},{"nodeType":254,"data":3882,"content":3883},{},[3884],{"nodeType":247,"value":3885,"marks":3886,"data":3887},"This article ranks the security problems that browser security solutions can address by the value they deliver: a combination of the risk reduction on offer, and the degree to which the browser is genuinely the best (or only) layer to solve the problem. ",[],{},{"nodeType":447,"data":3889,"content":3893},{"target":3890},{"sys":3891},{"id":3892,"type":452,"linkType":453},"6SJPvEHizSYk29lEvVVNj",[],{"nodeType":305,"data":3895,"content":3896},{},[],{"nodeType":243,"data":3898,"content":3899},{},[3900],{"nodeType":247,"value":3901,"marks":3902,"data":3904},"#1 — Account takeover prevention: detecting credential attacks across all vectors",[3903],{"type":251},{},{"nodeType":254,"data":3906,"content":3907},{},[3908],{"nodeType":247,"value":3909,"marks":3910,"data":3912},"Security value: Very high | Browser fit: Uniquely suited",[3911],{"type":251},{},{"nodeType":254,"data":3914,"content":3915},{},[3916,3920,3928],{"nodeType":247,"value":3917,"marks":3918,"data":3919},"Account takeover (ATO) is the dominant entry point for enterprise breaches: ",[],{},{"nodeType":278,"data":3921,"content":3923},{"uri":3922},"https://www.crowdstrike.com/en-gb/resources/infographics/identity-security-risk-review/",[3924],{"nodeType":247,"value":3925,"marks":3926,"data":3927},"80% of all modern breaches involve compromised or stolen identities",[],{},{"nodeType":247,"value":3929,"marks":3930,"data":3931},". The attack surface is far wider than most identity tooling can see: credential stuffing, password spraying, ghost logins (password-based fallback authentication that persists after SSO is configured), weak or reused credentials on shadow SaaS apps, and accounts where MFA was never enforced.",[],{},{"nodeType":254,"data":3933,"content":3934},{},[3935,3939,3947,3950,3955,3958,3963,3967,3975],{"nodeType":247,"value":3936,"marks":3937,"data":3938},"According to ",[],{},{"nodeType":278,"data":3940,"content":3942},{"uri":3941},"https://cf-assets.www.cloudflare.com/slt3lc6tev37/sWDBUMNVtEJB9ZFLt1dUU/8d69e92de2edfb3bf59e7d21d57e7e1a/Cloudflare-2026-threat-report.pdf",[3943],{"nodeType":247,"value":3944,"marks":3945,"data":3946},"Cloudflare's 2026 Threat Report",[],{},{"nodeType":247,"value":542,"marks":3948,"data":3949},[],{},{"nodeType":247,"value":3951,"marks":3952,"data":3954},"63% of all human logins involve credentials already compromised elsewhere",[3953],{"type":251},{},{"nodeType":247,"value":1114,"marks":3956,"data":3957},[],{},{"nodeType":247,"value":3959,"marks":3960,"data":3962},"94% of all login attempts originate from bots",[3961],{"type":251},{},{"nodeType":247,"value":3964,"marks":3965,"data":3966},". The ",[],{},{"nodeType":278,"data":3968,"content":3970},{"uri":3969},"https://pushsecurity.com/blog/snowflake-retro/",[3971],{"nodeType":247,"value":3972,"marks":3973,"data":3974},"Snowflake breach",[],{},{"nodeType":247,"value":3976,"marks":3977,"data":3978}," — 165+ organizations compromised, 1 billion+ records stolen — was powered almost entirely by ghost logins: accounts missing MFA that were susceptible to credential stuffing. It's particularly telling that 80% of the accounts impacted had prior breach exposure.",[],{},{"nodeType":447,"data":3980,"content":3984},{"target":3981},{"sys":3982},{"id":3983,"type":452,"linkType":453},"HbZ66kp5DiAZtwNGFJK7d",[],{"nodeType":254,"data":3986,"content":3987},{},[3988,3992,3997],{"nodeType":247,"value":3989,"marks":3990,"data":3991},"For organizations with contractors and BYOD users, the browser extension is also the only enterprise control deployable on devices that can't be MDM-enrolled — extending ATO detection to exactly the place where, per Verizon DBIR 2025, ",[],{},{"nodeType":247,"value":3993,"marks":3994,"data":3996},"46% of infostealer infections originate",[3995],{"type":251},{},{"nodeType":247,"value":339,"marks":3998,"data":3999},[],{},{"nodeType":305,"data":4001,"content":4002},{},[],{"nodeType":243,"data":4004,"content":4005},{},[4006],{"nodeType":247,"value":4007,"marks":4008,"data":4010},"#2 — Detecting and stopping advanced phishing: AiTM, multi-channel delivery, and zero-day lures",[4009],{"type":251},{},{"nodeType":254,"data":4012,"content":4013},{},[4014],{"nodeType":247,"value":3909,"marks":4015,"data":4017},[4016],{"type":251},{},{"nodeType":254,"data":4019,"content":4020},{},[4021,4025,4033,4037,4042],{"nodeType":247,"value":4022,"marks":4023,"data":4024},"Adversary-in-the-Middle (AiTM) phishing — where an attacker's reverse proxy intercepts credentials and session tokens in real time — has become the standard technique for bypassing MFA at scale. ",[],{},{"nodeType":278,"data":4026,"content":4028},{"uri":4027},"https://www.esentire.com/resources/library/2026-threat-report",[4029],{"nodeType":247,"value":4030,"marks":4031,"data":4032},"eSentire's 2026 Threat Report",[],{},{"nodeType":247,"value":4034,"marks":4035,"data":4036}," attributes ",[],{},{"nodeType":247,"value":4038,"marks":4039,"data":4041},"63% of account compromise incidents to PhaaS kits",[4040],{"type":251},{},{"nodeType":247,"value":4043,"marks":4044,"data":4045},", with account compromise surging 389% year-over-year.",[],{},{"nodeType":254,"data":4047,"content":4048},{},[4049,4053,4060,4064,4069,4073,4082],{"nodeType":247,"value":4050,"marks":4051,"data":4052},"Traditional phishing controls are also no longer in the right place to intercept these attacks. The delivery channel has shifted decisively away from email: ",[],{},{"nodeType":278,"data":4054,"content":4055},{"uri":691},[4056],{"nodeType":247,"value":4057,"marks":4058,"data":4059},"Mandiant M-Trends 2026",[],{},{"nodeType":247,"value":4061,"marks":4062,"data":4063}," found email phishing dropped from 14% to 6% as an infection vector, and Push data shows ",[],{},{"nodeType":247,"value":4065,"marks":4066,"data":4068},"roughly 1 in 3 phishing payloads intercepted were delivered outside email entirely",[4067],{"type":251},{},{"nodeType":247,"value":4070,"marks":4071,"data":4072}," — via search engine malvertising, social platforms, and compromised websites. Meanwhile, ",[],{},{"nodeType":278,"data":4074,"content":4076},{"uri":4075},"https://www.spamhaus.com/resource-center/supporting-researchers-with-passive-dns/",[4077],{"nodeType":247,"value":4078,"marks":4079,"data":4081},"89% of phishing domains are active for less than two days",[4080],{"type":251},{},{"nodeType":247,"value":4083,"marks":4084,"data":4085},", making blocklist-based detection structurally too slow — attackers can spin up, tear down, and move on before blocklists can catch up.",[],{},{"nodeType":254,"data":4087,"content":4088},{},[4089],{"nodeType":247,"value":4090,"marks":4091,"data":4092},"Modern phishing plays out entirely inside the browser session. The only detection layer that can see the phishing page structure, the credential entry, and the anomalous token context is the browser itself. Browser-native detection analyses page behavior rather than matching known-bad domains, which means it fires on zero-day kits regardless of how recently the infrastructure was stood up. Controls like credential entry guardrails add an additional layer — blocking corporate passwords from being submitted to unauthorized domains independently of content and behavior-based detections.",[],{},{"nodeType":305,"data":4094,"content":4095},{},[],{"nodeType":243,"data":4097,"content":4098},{},[4099],{"nodeType":247,"value":4100,"marks":4101,"data":4103},"#3 — Identity posture hardening: enforcing security across the apps your IdP doesn't manage",[4102],{"type":251},{},{"nodeType":254,"data":4105,"content":4106},{},[4107],{"nodeType":247,"value":4108,"marks":4109,"data":4111},"Security value: High | Browser fit: Uniquely suited",[4110],{"type":251},{},{"nodeType":254,"data":4113,"content":4114},{},[4115],{"nodeType":247,"value":4116,"marks":4117,"data":4118},"The first challenge is knowing what you're protecting. Every identity an employee creates — every app they sign up to, every password they set, every login that bypasses SSO — is an authentication event that happens inside a browser session. The browser is the only layer that observes all of these events regardless of whether the app is sanctioned, managed, or even known to IT. Solutions that rely on API-level integrations with known apps, network traffic inspection, or email sign-up notifications can only ever build a partial picture, because they can only see apps they already know about. The browser sees the login itself, which means it discovers the identity at the moment it's created or used — authentication method, password strength, MFA status, and all.",[],{},{"nodeType":447,"data":4120,"content":4124},{"target":4121},{"sys":4122},{"id":4123,"type":452,"linkType":453},"HETvBCPsKGkqLVtaasXH0",[],{"nodeType":254,"data":4126,"content":4127},{},[4128],{"nodeType":247,"value":4129,"marks":4130,"data":4131},"But discovery without enforcement is just an inventory problem. Being in the browser means that you're in a great position to act on what it finds at the moment of authentication. Browser-native guardrails that prompt MFA enrollment, guide users toward stronger credentials, and redirect to SSO login paths close the gap at scale, on every app, including those the IdP has never seen. They also produce the continuous, auditable evidence of MFA coverage and credential hygiene across the full application estate that regulators, insurers, and auditors increasingly require — evidence that no IdP-centric tool can provide for apps outside its scope.",[],{},{"nodeType":305,"data":4133,"content":4134},{},[],{"nodeType":243,"data":4136,"content":4137},{},[4138],{"nodeType":247,"value":4139,"marks":4140,"data":4142},"#4 — Browser extension security",[4141],{"type":251},{},{"nodeType":254,"data":4144,"content":4145},{},[4146],{"nodeType":247,"value":4108,"marks":4147,"data":4149},[4148],{"type":251},{},{"nodeType":254,"data":4151,"content":4152},{},[4153,4157,4166,4169,4177,4180,4188],{"nodeType":247,"value":4154,"marks":4155,"data":4156},"Browser extensions have become one of the most talked-about attack surfaces in security over the past 18 months, and understandably so — a string of high-profile supply chain compromises have collectively impacted tens of millions of users since late 2024 (",[],{},{"nodeType":278,"data":4158,"content":4160},{"uri":4159},"https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it",[4161],{"nodeType":247,"value":4162,"marks":4163,"data":4165},"Cyberhaven",[4164],{"type":539},{},{"nodeType":247,"value":542,"marks":4167,"data":4168},[],{},{"nodeType":278,"data":4170,"content":4172},{"uri":4171},"https://thehackernews.com/2025/12/darkspectre-browser-extension-campaigns.html",[4173],{"nodeType":247,"value":4174,"marks":4175,"data":4176},"DarkSpectre",[],{},{"nodeType":247,"value":542,"marks":4178,"data":4179},[],{},{"nodeType":278,"data":4181,"content":4183},{"uri":4182},"https://thehackernews.com/2025/12/trust-wallet-chrome-extension-hack.html",[4184],{"nodeType":247,"value":4185,"marks":4186,"data":4187},"Trust Wallet",[],{},{"nodeType":247,"value":4189,"marks":4190,"data":4191},", among many others).",[],{},{"nodeType":254,"data":4193,"content":4194},{},[4195,4198,4206,4210,4215,4219,4225],{"nodeType":247,"value":29,"marks":4196,"data":4197},[],{},{"nodeType":278,"data":4199,"content":4200},{"uri":614},[4201],{"nodeType":247,"value":4202,"marks":4203,"data":4205},"Analysis of 20,000+ extensions across Push customers",[4204],{"type":539},{},{"nodeType":247,"value":4207,"marks":4208,"data":4209}," found ",[],{},{"nodeType":247,"value":4211,"marks":4212,"data":4214},"46.76% have the permission combinations needed to perform account takeover with no user interaction",[4213],{"type":251},{},{"nodeType":247,"value":4216,"marks":4217,"data":4218},", making permissions-based risk scoring effectively useless as a triage tool. The real threat model is not malicious extensions at install time — it's legitimate extensions that ",[],{},{"nodeType":247,"value":4220,"marks":4221,"data":4224},"become",[4222],{"type":4223},"italic",{},{"nodeType":247,"value":4226,"marks":4227,"data":4228}," malicious after an ownership transfer, developer account compromise, or silent update push. Every major extension supply chain breach of the past 18 months scored as low-risk immediately before compromise.",[],{},{"nodeType":254,"data":4230,"content":4231},{},[4232],{"nodeType":247,"value":4233,"marks":4234,"data":4235},"SWGs and network tools are structurally blind to this attack surface: a malicious extension exfiltrating session tokens generates no anomalous network signal — its traffic is indistinguishable from normal browsing. Endpoint agents have no visibility into extension behavior at the session level. Extension inventory, supply chain change monitoring — ownership transfers, permission escalations, developer contact changes — and enforcement all require browser-layer access by definition.",[],{},{"nodeType":305,"data":4237,"content":4238},{},[],{"nodeType":243,"data":4240,"content":4241},{},[4242],{"nodeType":247,"value":4243,"marks":4244,"data":4246},"#5 — Shadow SaaS discovery and OAuth integration governance",[4245],{"type":251},{},{"nodeType":254,"data":4248,"content":4249},{},[4250],{"nodeType":247,"value":4108,"marks":4251,"data":4253},[4252],{"type":251},{},{"nodeType":254,"data":4255,"content":4256},{},[4257,4261,4266,4270,4275],{"nodeType":247,"value":4258,"marks":4259,"data":4260},"Shadow SaaS discovery shares DNA with identity posture hardening (#3) — both start with the same browser-native visibility into login events that no other layer can replicate. Where identity posture focuses on hardening ",[],{},{"nodeType":247,"value":4262,"marks":4263,"data":4265},"how",[4264],{"type":4223},{},{"nodeType":247,"value":4267,"marks":4268,"data":4269}," employees authenticate, shadow SaaS discovery focuses on ",[],{},{"nodeType":247,"value":4271,"marks":4272,"data":4274},"what",[4273],{"type":4223},{},{"nodeType":247,"value":4276,"marks":4277,"data":4278}," they authenticate to: surfacing the full estate of applications in use across the organization, including those that IT has never sanctioned or even heard of.",[],{},{"nodeType":254,"data":4280,"content":4281},{},[4282],{"nodeType":247,"value":4283,"marks":4284,"data":4285},"OAuth integration governance is the component of shadow SaaS that is both the most potentially damaging and the hardest to surface through other means. The SaaS-to-SaaS OAuth pivot is now an industrialized attack pattern.",[],{},{"nodeType":1023,"data":4287,"content":4288},{},[4289,4311],{"nodeType":1027,"data":4290,"content":4291},{},[4292],{"nodeType":254,"data":4293,"content":4294},{},[4295,4299,4307],{"nodeType":247,"value":4296,"marks":4297,"data":4298},"The ",[],{},{"nodeType":278,"data":4300,"content":4302},{"uri":4301},"https://pushsecurity.com/blog/analyzing-the-instructure-breach/",[4303],{"nodeType":247,"value":4304,"marks":4305,"data":4306},"ShinyHunters",[],{},{"nodeType":247,"value":4308,"marks":4309,"data":4310}," Salesforce campaign — which compromised 1,000+ organizations and 1.5 billion records — demonstrated the full chain: the attacker didn't stop at stealing customer data but harvested OAuth tokens, AWS access keys, and Snowflake tokens from breached tenants and pivoted through connected services like Salesloft, Drift, and Gainsight to reach hundreds more organizations.",[],{},{"nodeType":1027,"data":4312,"content":4313},{},[4314],{"nodeType":254,"data":4315,"content":4316},{},[4317,4320,4328],{"nodeType":247,"value":4296,"marks":4318,"data":4319},[],{},{"nodeType":278,"data":4321,"content":4323},{"uri":4322},"https://pushsecurity.com/blog/unpacking-the-vercel-breach/",[4324],{"nodeType":247,"value":4325,"marks":4326,"data":4327},"Context.ai → Vercel",[],{},{"nodeType":247,"value":4329,"marks":4330,"data":4331}," chain followed the same logic — stored OAuth tokens from a forgotten AI app trial provided the bridge into Google Workspace, internal dashboards, and API keys. These are not isolated incidents; they are the repeatable playbook for extracting maximum value from a single compromise through the trust relationships that OAuth connections encode.",[],{},{"nodeType":254,"data":4333,"content":4334},{},[4335],{"nodeType":247,"value":4336,"marks":4337,"data":4338},"Every OAuth consent grant transits the browser — the authorization prompt, the scope disclosure, the user's approval click, and the redirect that completes the grant all happen inside a browser session — which makes the browser the only layer where an unwanted grant can be intercepted before the token is issued and the persistent access path is created. Once a token exists, the damage is done: it survives password resets, MFA changes, and session revocations, and revoking it after the fact requires first knowing it was granted, which most organizations do not.",[],{},{"nodeType":305,"data":4340,"content":4341},{},[],{"nodeType":243,"data":4343,"content":4344},{},[4345],{"nodeType":247,"value":4346,"marks":4347,"data":4349},"#6 — Blocking ClickFix and social engineering-based malware delivery",[4348],{"type":251},{},{"nodeType":254,"data":4351,"content":4352},{},[4353],{"nodeType":247,"value":4354,"marks":4355,"data":4357},"Security value: High | Browser fit: Strong for interception — shared with endpoint security for execution. ConsentFix is a browser-native exception that is T1-aligned.",[4356],{"type":251},{},{"nodeType":254,"data":4359,"content":4360},{},[4361,4365,4370,4374,4382,4386,4391,4395,4400],{"nodeType":247,"value":4362,"marks":4363,"data":4364},"ClickFix was the most common initial access vector reported by Microsoft in 2025, accounting for ",[],{},{"nodeType":247,"value":4366,"marks":4367,"data":4369},"47% of observed attacks",[4368],{"type":251},{},{"nodeType":247,"value":4371,"marks":4372,"data":4373},". CrowdStrike's ",[],{},{"nodeType":278,"data":4375,"content":4377},{"uri":4376},"https://www.crowdstrike.com/explore/2026-global-threat-report",[4378],{"nodeType":247,"value":4379,"marks":4380,"data":4381},"2026 Global Threat Report",[],{},{"nodeType":247,"value":4383,"marks":4384,"data":4385}," identified fake CAPTCHA lures as the most common malware download type, increasing ",[],{},{"nodeType":247,"value":4387,"marks":4388,"data":4390},"563% year-over-year",[4389],{"type":251},{},{"nodeType":247,"value":4392,"marks":4393,"data":4394},". The technique writes a malicious command to the victim's clipboard and social-engineers them into executing it. It is fileless (bypassing download scanning), user-executed (bypassing endpoint behavioral detections), and ",[],{},{"nodeType":247,"value":4396,"marks":4397,"data":4399},"4 in 5 ClickFix payloads intercepted by Push arrived via search engines",[4398],{"type":251},{},{"nodeType":247,"value":4401,"marks":4402,"data":4403}," — not email (bypassing email anti-phishing controls).",[],{},{"nodeType":254,"data":4405,"content":4406},{},[4407],{"nodeType":247,"value":4408,"marks":4409,"data":4410},"The browser is the earliest and most effective intervention point — detecting the clipboard injection and social engineering lure before anything reaches the endpoint in executable form. But the problem doesn't end at the browser boundary: once the command has been pasted and run, detection and remediation become endpoint problems, and a mature defense requires both layers. The broader *Fix family — FileFix, InstallFix, and similar derivatives — follows the same pattern, with the browser providing the critical early-warning layer within a defense that spans browser and endpoint.",[],{},{"nodeType":447,"data":4412,"content":4416},{"target":4413},{"sys":4414},{"id":4415,"type":452,"linkType":453},"39alMHtw9FPHbQINqbAgBN",[],{"nodeType":305,"data":4418,"content":4419},{},[],{"nodeType":243,"data":4421,"content":4422},{},[4423],{"nodeType":247,"value":4424,"marks":4425,"data":4427},"#7 — AI visibility and control: enforcing which AI tools employees can use and how",[4426],{"type":251},{},{"nodeType":254,"data":4429,"content":4430},{},[4431],{"nodeType":247,"value":4432,"marks":4433,"data":4435},"Security value: High | Browser fit: Strong for access enforcement — but AI governance is not a new security problem so much as a force multiplier on existing ones",[4434],{"type":251},{},{"nodeType":254,"data":4437,"content":4438},{},[4439,4443,4452,4456,4465],{"nodeType":247,"value":4440,"marks":4441,"data":4442},"AI adoption is outpacing security governance at nearly every organization, and ",[],{},{"nodeType":278,"data":4444,"content":4446},{"uri":4445},"https://pushsecurity.com/blog/7-things-omdias-latest-report-tells-us-about-the-secure-enterprise-browser-market/",[4447],{"nodeType":247,"value":4448,"marks":4449,"data":4451},"71% of organizations are concerned about data leakage via unsanctioned AI apps",[4450],{"type":251},{},{"nodeType":247,"value":4453,"marks":4454,"data":4455},". But the security problems that AI creates are not, for the most part, novel — they are existing Tier 1 problems amplified by a new category of tooling. Shadow AI apps are shadow SaaS (#5). AI OAuth integrations are OAuth governance (#5). AI browser extensions are extension security (#4). The risk of employees using personal AI accounts — ",[],{},{"nodeType":278,"data":4457,"content":4459},{"uri":4458},"https://keepaware.com/blog/46-of-sensitive-data-bypasses-your-dlp",[4460],{"nodeType":247,"value":4461,"marks":4462,"data":4464},"46% of sensitive inputs to AI tools are sent via personal accounts",[4463],{"type":251},{},{"nodeType":247,"value":4466,"marks":4467,"data":4468}," — is an identity posture problem (#3).",[],{},{"nodeType":254,"data":4470,"content":4471},{},[4472],{"nodeType":247,"value":4473,"marks":4474,"data":4475},"The component parts that allow you to govern AI are individually Tier 1 capabilities, and the browser is the best single layer for gaining visibility and control over AI usage — it sees the apps, the OAuth grants, the extensions, and the account context. But a complete end-to-end solution also requires a presence on the endpoint layer (for local AI tools, IDE-integrated agents, and API-level usage that never touches the browser), and prompt-level DLP on sanctioned tools is better handled by platform-native controls than by browser-layer observation.",[],{},{"nodeType":447,"data":4477,"content":4481},{"target":4478},{"sys":4479},{"id":4480,"type":452,"linkType":453},"6Py3z9VgjhKrchmYvhmbsq",[],{"nodeType":254,"data":4483,"content":4484},{},[4485],{"nodeType":247,"value":4486,"marks":4487,"data":4488},"The browser is what makes platform controls effective — if employees are using personal accounts, there are no enterprise audit logs to inspect. And for the growing category of AI agents, agentic browsers, and MCP-connected tools that operate through OAuth grants rather than direct user interaction, the browser is where the consent decisions that authorize those agents are made.",[],{},{"nodeType":305,"data":4490,"content":4491},{},[],{"nodeType":243,"data":4493,"content":4494},{},[4495],{"nodeType":247,"value":4496,"marks":4497,"data":4499},"#8 — Investigation acceleration and incident response: closing the missing middle",[4498],{"type":251},{},{"nodeType":254,"data":4501,"content":4502},{},[4503],{"nodeType":247,"value":4504,"marks":4505,"data":4507},"Security value: High | Browser fit: Strong — fills a structural gap complementary to endpoint, network, and identity telemetry",[4506],{"type":251},{},{"nodeType":254,"data":4509,"content":4510},{},[4511,4515,4520,4524,4533],{"nodeType":247,"value":4512,"marks":4513,"data":4514},"Endpoint logs show what processes executed. Network logs show traffic destinations. IdP logs show authentication events. None of them show what happened ",[],{},{"nodeType":247,"value":4516,"marks":4517,"data":4519},"inside the browser session",[4518],{"type":4223},{},{"nodeType":247,"value":4521,"marks":4522,"data":4523}," — the phishing page the user saw, the credentials they entered, the malicious OAuth consent grant, the data uploaded or pasted to an unsanctioned service. This is the missing middle of modern incident investigations, and for the ",[],{},{"nodeType":278,"data":4525,"content":4527},{"uri":4526},"https://www.paloaltonetworks.co.uk/resources/research/unit-42-incident-response-report",[4528],{"nodeType":247,"value":4529,"marks":4530,"data":4532},"48% of intrusions involving browser-based activity",[4531],{"type":251},{},{"nodeType":247,"value":4534,"marks":4535,"data":4536},", the absence of browser telemetry is a significant investigative gap.",[],{},{"nodeType":254,"data":4538,"content":4539},{},[4540],{"nodeType":247,"value":4541,"marks":4542,"data":4543},"Browser-layer telemetry fills that gap with a fundamentally different quality of signal: what users actually clicked, what pages loaded and how they behaved, what credentials were entered, what session activity followed — structured, high-fidelity data from inside the session where the attack played out. That's the difference between inferring what happened and seeing it directly, and it determines scope, drives containment decisions, and provides the direct evidential record that neither endpoint DLP nor network monitoring can supply for browser-native attacks.",[],{},{"nodeType":254,"data":4545,"content":4546},{},[4547],{"nodeType":247,"value":4548,"marks":4549,"data":4550},"Browser telemetry is a key addition to the investigative picture. Investigations are inherently multi-source — without browser data, reconstructing an incident from EDR, network, and IdP logs won't tell you the full picture (particularly when attacks are increasingly delivered outside of email, intercepting users as they browse the internet normally).",[],{},{"nodeType":254,"data":4552,"content":4553},{},[4554],{"nodeType":247,"value":4555,"marks":4556,"data":4557},"The browser provides the causal link that other sources miss: the bridge between \"a user visited a URL\" and \"credentials were submitted to a phishing page that issued a session token now being replayed from an attacker-controlled browser.\" Integrated with SIEM and SOAR platforms, that signal enables automated response workflows to execute on high-confidence detections without waiting for manual triage.",[],{},{"nodeType":305,"data":4559,"content":4560},{},[],{"nodeType":243,"data":4562,"content":4563},{},[4564],{"nodeType":247,"value":4565,"marks":4566,"data":4568},"#9 — Infostealer defense: detecting exposure and blocking delivery",[4567],{"type":251},{},{"nodeType":254,"data":4570,"content":4571},{},[4572],{"nodeType":247,"value":4573,"marks":4574,"data":4576},"Security value: High | Browser fit: Strong for delivery interception and stolen factor detection — complementary to endpoint security for execution",[4575],{"type":251},{},{"nodeType":254,"data":4578,"content":4579},{},[4580],{"nodeType":247,"value":4581,"marks":4582,"data":4583},"Infostealers are the upstream supply chain for a disproportionate share of the most damaging enterprise attacks — harvesting credentials, session cookies, and browser profile data en masse from infected devices, then selling the outputs on infostealer markets for use in credential stuffing, ATO, and ransomware campaigns.",[],{},{"nodeType":447,"data":4585,"content":4589},{"target":4586},{"sys":4587},{"id":4588,"type":452,"linkType":453},"5NF1afwu3zFGThZTtStVQA",[],{"nodeType":254,"data":4591,"content":4592},{},[4593],{"nodeType":247,"value":4594,"marks":4595,"data":4596},"The browser is relevant at two points in the infostealer kill chain. First, delivery interception: ClickFix (covered in #6) is now the primary infostealer delivery mechanism, and the browser is the only layer that can intercept it before execution. Second, detecting stolen factors when attackers attempt to use them — and infostealers produce two categories of stolen factor that the browser can guard against.",[],{},{"nodeType":1023,"data":4598,"content":4599},{},[4600,4610],{"nodeType":1027,"data":4601,"content":4602},{},[4603],{"nodeType":254,"data":4604,"content":4605},{},[4606],{"nodeType":247,"value":4607,"marks":4608,"data":4609},"Stolen credentials can be identified at the point of login: browser-layer detection flags credentials that appear in known breach datasets, catching infostealer-harvested passwords being replayed in credential stuffing campaigns before the account is compromised.",[],{},{"nodeType":1027,"data":4611,"content":4612},{},[4613],{"nodeType":254,"data":4614,"content":4615},{},[4616],{"nodeType":247,"value":4617,"marks":4618,"data":4619},"Stolen session tokens are caught through a different mechanism: sessions originating in instrumented browsers carry a marker, and when a token subsequently appears in an un-instrumented browser it is a confirmed stolen session — catching infostealer-harvested cookies being replayed regardless of how or where the token was originally harvested.",[],{},{"nodeType":254,"data":4621,"content":4622},{},[4623,4627,4636,4640,4645],{"nodeType":247,"value":4624,"marks":4625,"data":4626},"This is particularly critical for the ",[],{},{"nodeType":278,"data":4628,"content":4630},{"uri":4629},"https://www.verizon.com/business/en-gb/resources/reports/dbir/",[4631],{"nodeType":247,"value":4632,"marks":4633,"data":4635},"46% of infected devices that are unmanaged",[4634],{"type":251},{},{"nodeType":247,"value":4637,"marks":4638,"data":4639}," where EDR is absent and the stolen credentials and session tokens will never be detected at the endpoint. Infostealer ",[],{},{"nodeType":247,"value":4641,"marks":4642,"data":4644},"execution",[4643],{"type":4223},{},{"nodeType":247,"value":4646,"marks":4647,"data":4648}," remains an endpoint problem; the browser closes the delivery and replay gaps that endpoint tools miss.",[],{},{"nodeType":305,"data":4650,"content":4651},{},[],{"nodeType":243,"data":4653,"content":4654},{},[4655],{"nodeType":247,"value":4656,"marks":4657,"data":4659},"#10 — Data loss prevention: a key component of effective DLP, but not the full picture",[4658],{"type":251},{},{"nodeType":254,"data":4661,"content":4662},{},[4663],{"nodeType":247,"value":4664,"marks":4665,"data":4667},"Security value: Medium-high | Browser fit: Partial — complementary to dedicated DLP",[4666],{"type":251},{},{"nodeType":254,"data":4669,"content":4670},{},[4671],{"nodeType":247,"value":4672,"marks":4673,"data":4674},"File uploads to unsanctioned services, sensitive data pasted into AI tools, and exfiltration through personal accounts are genuine and growing risks that traditional email and endpoint-centric DLP tools were not designed to catch. Browser-layer controls provide real value here — particularly for BYOD users and contractors, where endpoint DLP agents cannot be deployed and the browser is the only available data loss visibility.",[],{},{"nodeType":254,"data":4676,"content":4677},{},[4678],{"nodeType":247,"value":4679,"marks":4680,"data":4681},"The honest scope: browser-layer DLP does not cover email-based loss, endpoint-to-endpoint transfers, or cloud API exfiltration. It closes specific and important gaps within a broader DLP strategy, not a replacement for one. A further distinction for organizations evaluating browser DLP for secure third-party access: full-stack enterprise browsers can enforce deeper output controls — watermarking, obfuscation, screenshot and print restrictions — at the OS rendering level that browser extensions cannot reliably replicate. Extension-based browser DLP is strongest for upload, input, and access control use cases rather than OS-level output restriction.",[],{},{"nodeType":305,"data":4683,"content":4684},{},[],{"nodeType":243,"data":4686,"content":4687},{},[4688],{"nodeType":247,"value":4689,"marks":4690,"data":4692},"Tier 3 — Lower Value: A problem best addressed outside of the browser",[4691],{"type":251},{},{"nodeType":1023,"data":4694,"content":4695},{},[4696,4711,4726,4741],{"nodeType":1027,"data":4697,"content":4698},{},[4699],{"nodeType":254,"data":4700,"content":4701},{},[4702,4707],{"nodeType":247,"value":4703,"marks":4704,"data":4706},"Browser exploit protection",[4705],{"type":251},{},{"nodeType":247,"value":4708,"marks":4709,"data":4710}," (narrow RCE/sandbox sense) ranks lower because browser zero-days represent just 9% of all zero-days reported to Google, and 82% of attack detections are now malware-free (CrowdStrike 2026). This is a problem for browser vendors to solve, and it's not a big enough problem to warrant enterprises investing in additional mitigating controls.",[],{},{"nodeType":1027,"data":4712,"content":4713},{},[4714],{"nodeType":254,"data":4715,"content":4716},{},[4717,4722],{"nodeType":247,"value":4718,"marks":4719,"data":4721},"Domain and URL category controls",[4720],{"type":251},{},{"nodeType":247,"value":4723,"marks":4724,"data":4725}," offer genuine browser-layer value but are commoditized by SWG and DNS filtering tools most organizations already operate. This can be provided in the browser, sure (and it's something we do at Push) but offers limited security value in terms of making a difference against modern attacks that quickly rotate these kinds of indicators and are designed to blend in.",[],{},{"nodeType":1027,"data":4727,"content":4728},{},[4729],{"nodeType":254,"data":4730,"content":4731},{},[4732,4737],{"nodeType":247,"value":4733,"marks":4734,"data":4736},"Access management",[4735],{"type":251},{},{"nodeType":247,"value":4738,"marks":4739,"data":4740}," — ZTNA, VPN replacement, PAM, BYOD access control — is an IT infrastructure and access architecture problem, not a security operations problem, and belongs to a different buyer with a different evaluation frame. There are numerous (typically full-stack) Enterprise Browser solutions on the market that address IT use cases like this well.",[],{},{"nodeType":1027,"data":4742,"content":4743},{},[4744],{"nodeType":254,"data":4745,"content":4746},{},[4747,4752],{"nodeType":247,"value":4748,"marks":4749,"data":4751},"Remote browser isolation",[4750],{"type":251},{},{"nodeType":247,"value":4753,"marks":4754,"data":4755}," addresses browser exploit risk rather than the identity-first attacks that represent the majority of current enterprise browser risk, and introduces UX friction that limits deployment at scale. When it triggers, it introduces latency but still fails to detect and stop browser-native attacks.",[],{},{"nodeType":305,"data":4757,"content":4758},{},[],{"nodeType":243,"data":4760,"content":4761},{},[4762],{"nodeType":247,"value":4763,"marks":4764,"data":4766},"How Push Security maps to the highest-value security use cases",[4765],{"type":251},{},{"nodeType":254,"data":4768,"content":4769},{},[4770],{"nodeType":247,"value":4771,"marks":4772,"data":4773},"Push is purpose-built to address all of these problems using a flexible browser extension — plug into any browser with no migration, no host agent deployment, and no IT overhead — that delivers telemetry and control from day one, and extends coverage to every enrolled browser regardless of device ownership.",[],{},{"nodeType":1329,"data":4775,"content":4776},{},[4777,4802,4826,4850,4874,4898,4922,4946,4970,4994,5018,5042],{"nodeType":1333,"data":4778,"content":4779},{},[4780,4791],{"nodeType":1337,"data":4781,"content":4782},{},[4783],{"nodeType":254,"data":4784,"content":4785},{},[4786],{"nodeType":247,"value":4787,"marks":4788,"data":4790},"Security use case",[4789],{"type":251},{},{"nodeType":1337,"data":4792,"content":4793},{},[4794],{"nodeType":254,"data":4795,"content":4796},{},[4797],{"nodeType":247,"value":4798,"marks":4799,"data":4801},"How Push addresses it",[4800],{"type":251},{},{"nodeType":1333,"data":4803,"content":4804},{},[4805,4816],{"nodeType":1337,"data":4806,"content":4807},{},[4808],{"nodeType":254,"data":4809,"content":4810},{},[4811],{"nodeType":247,"value":4812,"marks":4813,"data":4815},"Account takeover prevention",[4814],{"type":251},{},{"nodeType":1337,"data":4817,"content":4818},{},[4819],{"nodeType":254,"data":4820,"content":4821},{},[4822],{"nodeType":247,"value":4823,"marks":4824,"data":4825},"Surfaces and fixes ghost logins, weak and breached credentials and missing MFA controls across every app and device — including shadow SaaS and unmanaged devices invisible to the IdP. Push also detects and stops the attack techniques that typically lead to ATO early in the kill chain and before an account can be compromised.",[],{},{"nodeType":1333,"data":4827,"content":4828},{},[4829,4840],{"nodeType":1337,"data":4830,"content":4831},{},[4832],{"nodeType":254,"data":4833,"content":4834},{},[4835],{"nodeType":247,"value":4836,"marks":4837,"data":4839},"Advanced phishing detection",[4838],{"type":251},{},{"nodeType":1337,"data":4841,"content":4842},{},[4843],{"nodeType":254,"data":4844,"content":4845},{},[4846],{"nodeType":247,"value":4847,"marks":4848,"data":4849},"Behavioral page analysis detects phishing kits regardless of whether the domain is known-bad. Credential entry guardrails block corporate passwords from being submitted to unauthorized domains. TTP-based detection remains effective as attacker infrastructure rotates.",[],{},{"nodeType":1333,"data":4851,"content":4852},{},[4853,4864],{"nodeType":1337,"data":4854,"content":4855},{},[4856],{"nodeType":254,"data":4857,"content":4858},{},[4859],{"nodeType":247,"value":4860,"marks":4861,"data":4863},"Identity posture hardening",[4862],{"type":251},{},{"nodeType":1337,"data":4865,"content":4866},{},[4867],{"nodeType":254,"data":4868,"content":4869},{},[4870],{"nodeType":247,"value":4871,"marks":4872,"data":4873},"Enforces MFA, strong credentials, and SSO adoption across every app the IdP doesn't manage. Produces continuous, auditable MFA coverage and credential hygiene evidence across the full application and device estate.",[],{},{"nodeType":1333,"data":4875,"content":4876},{},[4877,4888],{"nodeType":1337,"data":4878,"content":4879},{},[4880],{"nodeType":254,"data":4881,"content":4882},{},[4883],{"nodeType":247,"value":4884,"marks":4885,"data":4887},"Browser extension security",[4886],{"type":251},{},{"nodeType":1337,"data":4889,"content":4890},{},[4891],{"nodeType":254,"data":4892,"content":4893},{},[4894],{"nodeType":247,"value":4895,"marks":4896,"data":4897},"Live extension inventory with supply chain change event monitoring — ownership transfers, permission escalations, developer contact changes — rather than static risk scoring. Supports default-deny allowlisting and remote extension removal. Blocks known-bad malicious extensions automatically.",[],{},{"nodeType":1333,"data":4899,"content":4900},{},[4901,4912],{"nodeType":1337,"data":4902,"content":4903},{},[4904],{"nodeType":254,"data":4905,"content":4906},{},[4907],{"nodeType":247,"value":4908,"marks":4909,"data":4911},"Shadow SaaS and OAuth governance",[4910],{"type":251},{},{"nodeType":1337,"data":4913,"content":4914},{},[4915],{"nodeType":254,"data":4916,"content":4917},{},[4918],{"nodeType":247,"value":4919,"marks":4920,"data":4921},"Discovers shadow SaaS from actual login events with full authentication context. Monitors and blocks OAuth consent flows — including AI and MCP integrations — in real time before persistent access paths are created.",[],{},{"nodeType":1333,"data":4923,"content":4924},{},[4925,4936],{"nodeType":1337,"data":4926,"content":4927},{},[4928],{"nodeType":254,"data":4929,"content":4930},{},[4931],{"nodeType":247,"value":4932,"marks":4933,"data":4935},"ClickFix and the *Fix family",[4934],{"type":251},{},{"nodeType":1337,"data":4937,"content":4938},{},[4939],{"nodeType":254,"data":4940,"content":4941},{},[4942],{"nodeType":247,"value":4943,"marks":4944,"data":4945},"Detects and blocks ClickFix lures, clipboard injection, and browser-native variants like ConsentFix in real time — before the payload executes or OAuth key material is captured.",[],{},{"nodeType":1333,"data":4947,"content":4948},{},[4949,4960],{"nodeType":1337,"data":4950,"content":4951},{},[4952],{"nodeType":254,"data":4953,"content":4954},{},[4955],{"nodeType":247,"value":4956,"marks":4957,"data":4959},"AI visibility & control",[4958],{"type":251},{},{"nodeType":1337,"data":4961,"content":4962},{},[4963],{"nodeType":254,"data":4964,"content":4965},{},[4966],{"nodeType":247,"value":4967,"marks":4968,"data":4969},"Enforces which AI tools employees can access and routes usage to corporate tenants. Governs AI browser extensions and blocks OAuth consent grants to unapproved AI applications — drawing on the same Tier 1 capabilities (OAuth governance, extension security, shadow SaaS discovery) that make this possible.",[],{},{"nodeType":1333,"data":4971,"content":4972},{},[4973,4984],{"nodeType":1337,"data":4974,"content":4975},{},[4976],{"nodeType":254,"data":4977,"content":4978},{},[4979],{"nodeType":247,"value":4980,"marks":4981,"data":4983},"Security investigations & incident response",[4982],{"type":251},{},{"nodeType":1337,"data":4985,"content":4986},{},[4987],{"nodeType":254,"data":4988,"content":4989},{},[4990],{"nodeType":247,"value":4991,"marks":4992,"data":4993},"High-fidelity session telemetry — page loads, credential entries, DOM changes, OAuth grants — fills the missing middle that endpoint, network, and IdP logs leave open. Feeds directly into SIEM and SOAR for automated response.",[],{},{"nodeType":1333,"data":4995,"content":4996},{},[4997,5008],{"nodeType":1337,"data":4998,"content":4999},{},[5000],{"nodeType":254,"data":5001,"content":5002},{},[5003],{"nodeType":247,"value":5004,"marks":5005,"data":5007},"Infostealer defense",[5006],{"type":251},{},{"nodeType":1337,"data":5009,"content":5010},{},[5011],{"nodeType":254,"data":5012,"content":5013},{},[5014],{"nodeType":247,"value":5015,"marks":5016,"data":5017},"Intercepts ClickFix-based infostealer delivery before execution. Detects token replay in unenrolled browser contexts — catching post-theft abuse from AiTM-sourced tokens and infostealer-harvested cookies, including from unmanaged devices.",[],{},{"nodeType":1333,"data":5019,"content":5020},{},[5021,5032],{"nodeType":1337,"data":5022,"content":5023},{},[5024],{"nodeType":254,"data":5025,"content":5026},{},[5027],{"nodeType":247,"value":5028,"marks":5029,"data":5031},"Data loss prevention",[5030],{"type":251},{},{"nodeType":1337,"data":5033,"content":5034},{},[5035],{"nodeType":254,"data":5036,"content":5037},{},[5038],{"nodeType":247,"value":5039,"marks":5040,"data":5041},"Observes file uploads, downloads, and sensitive data inputs across all applications. Extends data loss visibility to BYOD and contractor devices where endpoint DLP cannot reach.",[],{},{"nodeType":1333,"data":5043,"content":5044},{},[5045,5055],{"nodeType":1337,"data":5046,"content":5047},{},[5048],{"nodeType":254,"data":5049,"content":5050},{},[5051],{"nodeType":247,"value":4718,"marks":5052,"data":5054},[5053],{"type":251},{},{"nodeType":1337,"data":5056,"content":5057},{},[5058],{"nodeType":254,"data":5059,"content":5060},{},[5061],{"nodeType":247,"value":5062,"marks":5063,"data":5064},"Custom URL blocklists with wildcard support and REST API management for threat intelligence feed sync. Application category blocking restricts access to classes of apps (file-sharing, unsanctioned AI tools) configurable by user group. Domain categorization bringing SWG-style category blocking natively to the browser without a network proxy.",[],{},{"nodeType":305,"data":5066,"content":5067},{},[],{"nodeType":254,"data":5069,"content":5070},{},[5071,5075,5082],{"nodeType":247,"value":5072,"marks":5073,"data":5074},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required. ",[],{},{"nodeType":278,"data":5076,"content":5077},{"uri":766},[5078],{"nodeType":247,"value":5079,"marks":5080,"data":5081},"Book a live demo to learn more.",[],{},{"nodeType":247,"value":29,"marks":5083,"data":5084},[],{},"The top 10 security problems you can solve in the browser — ranked by value","Ranking the security problems you can solve in the browser by security value and browser fit.","2026-05-14T00:00:00.000Z","the-top-10-security-problems-you-can-solve-in-the-browser-ranked-by-value",{"items":5090},[5091,5095],{"sys":5092,"name":5094},{"id":5093},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"sys":5096,"name":5098},{"id":5097},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"items":5100},[5101],{"fullName":5102,"firstName":5103,"jobTitle":5104,"profilePicture":5105},"Alex Henshall","Alex","Product Team",{"url":5106},"https://images.ctfassets.net/y1cdw1ablpvd/2rz3Pre3b1MexPIQ4hzPUe/0ef8a092b7e7df00fbce3f7d1ccb96d1/Alex_Henshall.jpeg",{"__typename":808,"sys":5108,"content":5110,"title":5940,"synopsis":5941,"hashTags":62,"publishedDate":5942,"slug":5943,"tagsCollection":5944,"authorsCollection":5950},{"id":5109},"211Dd0EIrXPOFpvRgs0fEE",{"json":5111},{"nodeType":239,"data":5112,"content":5113},{},[5114,5133,5152,5169,5175,5178,5186,5193,5200,5207,5214,5222,5225,5233,5240,5247,5254,5260,5268,5286,5293,5300,5316,5324,5354,5370,5377,5404,5412,5443,5450,5458,5476,5483,5490,5496,5503,5511,5529,5536,5555,5562,5565,5573,5580,5665,5672,5688,5691,5721,5739,5746,5753,5756,5764,5782,5789,5796,5813,5816,5824,5831,5864,5871,5888,5907,5913,5916,5923],{"nodeType":254,"data":5115,"content":5116},{},[5117,5121,5129],{"nodeType":247,"value":5118,"marks":5119,"data":5120},"When we released the ",[],{},{"nodeType":278,"data":5122,"content":5124},{"uri":5123},"https://pushsecurity.com/blog/saas-attack-techniques/",[5125],{"nodeType":247,"value":5126,"marks":5127,"data":5128},"SaaS attack matrix",[],{},{"nodeType":247,"value":5130,"marks":5131,"data":5132}," in 2023, we were anticipating a shift that was just beginning to take shape. The techniques that attackers were using to compromise cloud applications and identities weren't well represented in existing frameworks, and many of the ones we documented hadn't yet been widely observed in the wild.",[],{},{"nodeType":254,"data":5134,"content":5135},{},[5136,5140,5148],{"nodeType":247,"value":5137,"marks":5138,"data":5139},"A year later, we ",[],{},{"nodeType":278,"data":5141,"content":5143},{"uri":5142},"https://pushsecurity.com/blog/the-saas-attack-matrix-one-year-on/",[5144],{"nodeType":247,"value":5145,"marks":5146,"data":5147},"reviewed what had changed",[],{},{"nodeType":247,"value":5149,"marks":5150,"data":5151}," and found that the initial access phase — the techniques designed to compromise an identity in the first place — was where almost all of the attacker innovation was concentrated. And two years on, that trend has become the story of the modern threat landscape. ",[],{},{"nodeType":254,"data":5153,"content":5154},{},[5155,5159,5165],{"nodeType":247,"value":5156,"marks":5157,"data":5158},"Today, we're re-releasing the matrix as the ",[],{},{"nodeType":278,"data":5160,"content":5161},{"uri":789},[5162],{"nodeType":247,"value":793,"marks":5163,"data":5164},[],{},{"nodeType":247,"value":5166,"marks":5167,"data":5168},". The name change isn't cosmetic. It reflects that the attacks driving the most consequential breaches are browser-based and identity-first.",[],{},{"nodeType":447,"data":5170,"content":5174},{"target":5171},{"sys":5172},{"id":5173,"type":452,"linkType":453},"MSnrBRJtiQxpv2qxFLCVE",[],{"nodeType":305,"data":5176,"content":5177},{},[],{"nodeType":243,"data":5179,"content":5180},{},[5181],{"nodeType":247,"value":5182,"marks":5183,"data":5185},"Why the scope needed to change",[5184],{"type":251},{},{"nodeType":254,"data":5187,"content":5188},{},[5189],{"nodeType":247,"value":5190,"marks":5191,"data":5192},"The original SaaS attack matrix was built around a specific insight: that attacks targeting modern business applications played out entirely over the internet, without touching endpoints or internal networks in any way that EDR or network detection tools would recognize.",[],{},{"nodeType":254,"data":5194,"content":5195},{},[5196],{"nodeType":247,"value":5197,"marks":5198,"data":5199},"That framing was useful, and it remains true. But it anchored the matrix to the post-access phase — what attackers do once they're inside a SaaS application — and didn't give enough weight to the initial access techniques that determine whether attackers get there in the first place.",[],{},{"nodeType":254,"data":5201,"content":5202},{},[5203],{"nodeType":247,"value":5204,"marks":5205,"data":5206},"The problem is that initial access is where the overwhelming majority of attacker innovation and investment is concentrated, and the techniques being used to achieve it are best understood as browser and identity attacks rather than SaaS-specific ones. AiTM phishing, ClickFix and its growing family of clipboard-injection variants, device code phishing, OAuth consent abuse, credential stuffing powered by infostealer supply chains, malicious browser extensions all happen in or via the browser.",[],{},{"nodeType":254,"data":5208,"content":5209},{},[5210],{"nodeType":247,"value":5211,"marks":5212,"data":5213},"Another issue is that \"SaaS\" has arguably ceased to be a meaningful category. When we consider that most organizations run the majority of their business on cloud applications, the difference between what constitutes \"SaaS\" versus cloud versus just \"business IT\" is pretty blurry (and feels like an academic rather than practical difference).",[],{},{"nodeType":254,"data":5215,"content":5216},{},[5217],{"nodeType":247,"value":5218,"marks":5219,"data":5221},"So it's less about whether an attack is a \"SaaS attack\" and more about how these attacks actually play out. ",[5220],{"type":251},{},{"nodeType":305,"data":5223,"content":5224},{},[],{"nodeType":243,"data":5226,"content":5227},{},[5228],{"nodeType":247,"value":5229,"marks":5230,"data":5232},"The technique landscape has transformed",[5231],{"type":251},{},{"nodeType":254,"data":5234,"content":5235},{},[5236],{"nodeType":247,"value":5237,"marks":5238,"data":5239},"The second part to the change is the fact that scale and speed of attacker innovation in the space justifies it.",[],{},{"nodeType":254,"data":5241,"content":5242},{},[5243],{"nodeType":247,"value":5244,"marks":5245,"data":5246},"When we launched the matrix in mid-2023, AiTM phishing was emerging as a serious concern but was far from ubiquitous. ClickFix didn't exist as a named technique. Device code phishing was a curiosity documented by a handful of researchers. ConsentFix was years away from being discovered. Browser extension supply chain attacks were rare enough to be individually notable.",[],{},{"nodeType":254,"data":5248,"content":5249},{},[5250],{"nodeType":247,"value":5251,"marks":5252,"data":5253},"In the two and a half years since, every one of these has become a mainstream, industrialized attack technique — and several have converged in ways that would have been hard to predict.",[],{},{"nodeType":447,"data":5255,"content":5259},{"target":5256},{"sys":5257},{"id":5258,"type":452,"linkType":453},"5Kw2kSrL8u4VyslxK8HCtR",[],{"nodeType":1177,"data":5261,"content":5262},{},[5263],{"nodeType":247,"value":5264,"marks":5265,"data":5267},"AiTM phishing has become the default phishing method",[5266],{"type":251},{},{"nodeType":254,"data":5269,"content":5270},{},[5271,5275,5282],{"nodeType":247,"value":5272,"marks":5273,"data":5274},"AiTM phishing is now the standard, powered by Phishing-as-a-Service kits that operate with the release cycles and customer support of legitimate SaaS products. Tycoon 2FA alone accounted for ",[],{},{"nodeType":278,"data":5276,"content":5277},{"uri":414},[5278],{"nodeType":247,"value":5279,"marks":5280,"data":5281},"62% of phishing detected by Microsoft",[],{},{"nodeType":247,"value":5283,"marks":5284,"data":5285}," and over 64,000 confirmed incidents, with Sneaky2FA, FlowerStorm, Evilginx, and a growing roster of competitors filling out the marketplace.",[],{},{"nodeType":254,"data":5287,"content":5288},{},[5289],{"nodeType":247,"value":5290,"marks":5291,"data":5292},"AiTM is constantly evolving, with vendors adding new features, capabilities, detection evasion techniques, and so on. Abuse of legitimate platforms, and increasingly AI-assisted development means that it’s trivial for attackers to spin up and tear down infrastructure, scale their campaigns, target specific organizations with crafted pages and lures, and generally means that attackers can operate highly sophisticated attacks with minimal effort and complexity. This makes AiTM and other PhaaS-powered techniques extremely accessible to all kinds of criminals.  ",[],{},{"nodeType":254,"data":5294,"content":5295},{},[5296],{"nodeType":247,"value":5297,"marks":5298,"data":5299},"These kits are delivered across several browser-based channels — not just email. Push data consistently shows that roughly 1 in 3 phishing payloads we intercept arrive via social media, search ads, messaging apps, or other non-email vectors.",[],{},{"nodeType":254,"data":5301,"content":5302},{},[5303,5307,5312],{"nodeType":247,"value":5304,"marks":5305,"data":5306},"Vishing has also surged as a delivery channel — CrowdStrike documented a ",[],{},{"nodeType":247,"value":5308,"marks":5309,"data":5311},"442% year-over-year increase",[5310],{"type":251},{},{"nodeType":247,"value":5313,"marks":5314,"data":5315},", and Mandiant found it was the single most common initial vector in cloud compromises at 23%. But the trend that matters isn't voice calls in isolation; it's voice calls combined with browser-based payloads, where a live operator guides the victim into an AiTM page or device code flow that the call alone could not execute.",[],{},{"nodeType":1177,"data":5317,"content":5318},{},[5319],{"nodeType":247,"value":5320,"marks":5321,"data":5323},"ClickFix is the top reported initial access vector",[5322],{"type":251},{},{"nodeType":254,"data":5325,"content":5326},{},[5327,5331,5339,5343,5350],{"nodeType":247,"value":5328,"marks":5329,"data":5330},"ClickFix has gone from nonexistent to one of the most prevalent initial access techniques in under 18 months. Microsoft reported it as the ",[],{},{"nodeType":278,"data":5332,"content":5334},{"uri":5333},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf",[5335],{"nodeType":247,"value":5336,"marks":5337,"data":5338},"most common initial access vector in 2025",[],{},{"nodeType":247,"value":5340,"marks":5341,"data":5342},", accounting for 47% of observed attacks, while CrowdStrike documented a ",[],{},{"nodeType":278,"data":5344,"content":5345},{"uri":4376},[5346],{"nodeType":247,"value":5347,"marks":5348,"data":5349},"563% increase",[],{},{"nodeType":247,"value":5351,"marks":5352,"data":5353}," in fake CAPTCHA lures (a top ClickFix style).",[],{},{"nodeType":254,"data":5355,"content":5356},{},[5357,5361,5366],{"nodeType":247,"value":5358,"marks":5359,"data":5360},"ClickFix is admittedly an outlier in a browser attacks matrix — the payload ultimately executes on the endpoint, not in the browser — but the delivery is overwhelmingly browser-based: ",[],{},{"nodeType":247,"value":5362,"marks":5363,"data":5365},"4 in 5 ClickFix payloads",[5364],{"type":251},{},{"nodeType":247,"value":5367,"marks":5368,"data":5369}," intercepted by Push arrive via search engines as a result of malvertising or compromised web pages, not email, which means the browser is the only control point that actually sees the attack before the user pastes the malicious command.",[],{},{"nodeType":254,"data":5371,"content":5372},{},[5373],{"nodeType":247,"value":5374,"marks":5375,"data":5376},"ClickFix is now the primary delivery mechanism for infostealer malware, which is in turn the primary source of the stolen credentials and session tokens that power credential stuffing and session hijacking — which means the technique sits at the start of a cycle where one class of browser-delivered attack generates the raw material for the next.",[],{},{"nodeType":254,"data":5378,"content":5379},{},[5380,5384,5390,5394,5400],{"nodeType":247,"value":5381,"marks":5382,"data":5383},"The success of ClickFix has predictably spawned a growing family of derivatives — FileFix, CrashFix, ",[],{},{"nodeType":278,"data":5385,"content":5386},{"uri":533},[5387],{"nodeType":247,"value":536,"marks":5388,"data":5389},[],{},{"nodeType":247,"value":5391,"marks":5392,"data":5393}," — and much of the naming is marketing hype around variations on the same clipboard-injection mechanic. But ",[],{},{"nodeType":278,"data":5395,"content":5396},{"uri":547},[5397],{"nodeType":247,"value":550,"marks":5398,"data":5399},[],{},{"nodeType":247,"value":5401,"marks":5402,"data":5403}," was a genuinely novel development.",[],{},{"nodeType":1177,"data":5405,"content":5406},{},[5407],{"nodeType":247,"value":5408,"marks":5409,"data":5411},"Browser-native ClickFix: ConsentFix",[5410],{"type":251},{},{"nodeType":254,"data":5413,"content":5414},{},[5415,5419,5427,5431,5439],{"nodeType":247,"value":5416,"marks":5417,"data":5418},"ConsentFix is a fully browser-native attack that merged ClickFix-style social engineering with OAuth consent abuse, compromising accounts through a legitimate Microsoft authorization flow with no endpoint component at all. ConsentFix was ",[],{},{"nodeType":278,"data":5420,"content":5422},{"uri":5421},"https://pushsecurity.com/blog/consentfix-debrief/",[5423],{"nodeType":247,"value":5424,"marks":5425,"data":5426},"traced to APT29",[],{},{"nodeType":247,"value":5428,"marks":5429,"data":5430}," and has since been ",[],{},{"nodeType":278,"data":5432,"content":5434},{"uri":5433},"https://pushsecurity.com/blog/consentfix-v3-analyzing-a-new-toolkit/",[5435],{"nodeType":247,"value":5436,"marks":5437,"data":5438},"commercialized on criminal forums",[],{},{"nodeType":247,"value":5440,"marks":5441,"data":5442},", following the same path from state-sponsored technique to commodity criminal tooling that we've seen repeatedly in this space.",[],{},{"nodeType":254,"data":5444,"content":5445},{},[5446],{"nodeType":247,"value":5447,"marks":5448,"data":5449},"ConsentFix demonstrates that the clipboard-injection mechanic can evolve into something that operates entirely within the browser, eliminating the endpoint detection surface that traditional ClickFix still exposed.",[],{},{"nodeType":1177,"data":5451,"content":5452},{},[5453],{"nodeType":247,"value":5454,"marks":5455,"data":5457},"Attackers have pivoted to authorization attacks to get around login controls",[5456],{"type":251},{},{"nodeType":254,"data":5459,"content":5460},{},[5461,5465,5472],{"nodeType":247,"value":5462,"marks":5463,"data":5464},"Authorization attacks like device code phishing have seen a ",[],{},{"nodeType":278,"data":5466,"content":5467},{"uri":433},[5468],{"nodeType":247,"value":5469,"marks":5470,"data":5471},"37.5x increase",[],{},{"nodeType":247,"value":5473,"marks":5474,"data":5475}," since the start of 2026, with at least 12 distinct kits now offering the technique. It bypasses standard authentication controls — including passkeys — because the attack occurs through the OAuth device authorization flow rather than the standard login flow. ",[],{},{"nodeType":254,"data":5477,"content":5478},{},[5479],{"nodeType":247,"value":5480,"marks":5481,"data":5482},"The technique was first associated with nation-state actors like Storm-2372, but went from espionage-grade to commodity PhaaS tooling in roughly eighteen months, with kits like EvilTokens and Venom now offering turnkey device code phishing as a service.",[],{},{"nodeType":254,"data":5484,"content":5485},{},[5486],{"nodeType":247,"value":5487,"marks":5488,"data":5489},"The device code authorization is effectively performed post-authentication. If you already have an active session in your browser, entering the device code and selecting your account from a drop-down menu is all that's needed. No password or MFA required. You can see an example in the video below.",[],{},{"nodeType":447,"data":5491,"content":5495},{"target":5492},{"sys":5493},{"id":5494,"type":452,"linkType":453},"2WPb41lNRajdpt5pogQg8M",[],{"nodeType":254,"data":5497,"content":5498},{},[5499],{"nodeType":247,"value":5500,"marks":5501,"data":5502},"And the ecosystem is adapting to this opportunity: established AiTM vendors like Tycoon are adding authorization-focused options alongside their existing credential-harvesting capabilities, which points toward multi-technique platforms where operators pick the right tool for whatever defenses the target has in place.",[],{},{"nodeType":1177,"data":5504,"content":5505},{},[5506],{"nodeType":247,"value":5507,"marks":5508,"data":5510},"Malicious and hacked browser extensions are one of the fastest growing threats",[5509],{"type":251},{},{"nodeType":254,"data":5512,"content":5513},{},[5514,5518,5525],{"nodeType":247,"value":5515,"marks":5516,"data":5517},"Malicious browser extensions have matured from an occasional nuisance into a scalable supply chain attack vector. The ",[],{},{"nodeType":278,"data":5519,"content":5520},{"uri":614},[5521],{"nodeType":247,"value":5522,"marks":5523,"data":5524},"Cyberhaven compromise",[],{},{"nodeType":247,"value":5526,"marks":5527,"data":5528}," in December 2024 — where approximately 35 extensions were weaponized through a single OAuth phishing campaign targeting developers — impacted 2.6 million users and demonstrated that extension supply chain attacks can achieve the kind of reach that used to require a compromised software update server.",[],{},{"nodeType":254,"data":5530,"content":5531},{},[5532],{"nodeType":247,"value":5533,"marks":5534,"data":5535},"Since Cyberhaven, the pace has only accelerated. In 2026 alone, researchers have publicly disclosed at least 250 confirmed malicious browser extensions affecting roughly 1.75 million users, alongside a further 370+ extensions engaged in undisclosed or policy-disclosed data harvesting affecting an additional 44 million users. That doesn't count the extensions from late-2025 campaigns (DarkSpectre, AITOPIA, Trust Wallet) whose impacts carried into 2026.",[],{},{"nodeType":254,"data":5537,"content":5538},{},[5539,5543,5551],{"nodeType":247,"value":5540,"marks":5541,"data":5542},"The attack paths have also expanded. Beyond phishing developers for take over Web Store accounts (the Cyberhaven playbook), attackers are buying existing extensions from developers, waiting for ownership transfers or abandonments to take over, and increasingly vibe-coding their own functional extensions from scratch to build an audience that can later be weaponized. The common thread is that ",[],{},{"nodeType":278,"data":5544,"content":5545},{"uri":614},[5546],{"nodeType":247,"value":5547,"marks":5548,"data":5550},"most malicious extensions didn't start out malicious",[5549],{"type":539},{},{"nodeType":247,"value":5552,"marks":5553,"data":5554}," — they started as legitimate tools and were turned into weapons after the fact.",[],{},{"nodeType":254,"data":5556,"content":5557},{},[5558],{"nodeType":247,"value":5559,"marks":5560,"data":5561},"None of this is happening in isolation. The threat landscape has reoriented around browser-based initial access and identity compromise — and the matrix needed to catch up.",[],{},{"nodeType":305,"data":5563,"content":5564},{},[],{"nodeType":243,"data":5566,"content":5567},{},[5568],{"nodeType":247,"value":5569,"marks":5570,"data":5572},"The evolution is playing out in public breaches",[5571],{"type":251},{},{"nodeType":254,"data":5574,"content":5575},{},[5576],{"nodeType":247,"value":5577,"marks":5578,"data":5579},"It’s worth reinforcing that when the SaaS matrix was first released, many of these attacks hadn’t been seen in the wild. The change today is staggering:",[],{},{"nodeType":1023,"data":5581,"content":5582},{},[5583,5603,5625,5645],{"nodeType":1027,"data":5584,"content":5585},{},[5586],{"nodeType":254,"data":5587,"content":5588},{},[5589,5593,5599],{"nodeType":247,"value":5590,"marks":5591,"data":5592},"When ",[],{},{"nodeType":278,"data":5594,"content":5595},{"uri":1072},[5596],{"nodeType":247,"value":1075,"marks":5597,"data":5598},[],{},{"nodeType":247,"value":5600,"marks":5601,"data":5602}," compromised over a thousand organizations' Salesforce tenants through device code phishing, the attack started with a phone call, moved through a browser-based authorization flow for the attacker’s app, and ended with mass data exfiltration via API.",[],{},{"nodeType":1027,"data":5604,"content":5605},{},[5606],{"nodeType":254,"data":5607,"content":5608},{},[5609,5613,5621],{"nodeType":247,"value":5610,"marks":5611,"data":5612},"When the same collective launched ",[],{},{"nodeType":278,"data":5614,"content":5616},{"uri":5615},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[5617],{"nodeType":247,"value":5618,"marks":5619,"data":5620},"AiTM phishing campaigns",[],{},{"nodeType":247,"value":5622,"marks":5623,"data":5624}," targeting Okta and Entra SSO, the phishing page was operated by a human in real time and delivered over a voice call — not email.",[],{},{"nodeType":1027,"data":5626,"content":5627},{},[5628],{"nodeType":254,"data":5629,"content":5630},{},[5631,5634,5641],{"nodeType":247,"value":5590,"marks":5632,"data":5633},[],{},{"nodeType":278,"data":5635,"content":5636},{"uri":547},[5637],{"nodeType":247,"value":5638,"marks":5639,"data":5640},"APT29 deployed ConsentFix",[],{},{"nodeType":247,"value":5642,"marks":5643,"data":5644}," across dozens of compromised websites, the entire attack chain was browser-native, abusing a legitimate Microsoft OAuth flow to bypass MFA without proxying a single credential.",[],{},{"nodeType":1027,"data":5646,"content":5647},{},[5648],{"nodeType":254,"data":5649,"content":5650},{},[5651,5654,5661],{"nodeType":247,"value":4296,"marks":5652,"data":5653},[],{},{"nodeType":278,"data":5655,"content":5657},{"uri":5656},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-snowflake-june-2024",[5658],{"nodeType":247,"value":3972,"marks":5659,"data":5660},[],{},{"nodeType":247,"value":5662,"marks":5663,"data":5664}," — arguably the most consequential credential-based campaign of the past several years — saw 165 organizations breached using credentials that had been sitting in infostealer dumps for years, replayed against Snowflake tenants that lacked mandatory MFA. The attack surface wasn't Snowflake's application logic; it was the identity hygiene gap that every organization carries across hundreds of apps.",[],{},{"nodeType":254,"data":5666,"content":5667},{},[5668],{"nodeType":247,"value":5669,"marks":5670,"data":5671},"And that’s just the big picture. Every month we’re tracking new public breaches involving browser and identity TTPs — which again, are just the tip of the iceberg when you consider that many breaches are settled quietly without hitting the headlines. ",[],{},{"nodeType":254,"data":5673,"content":5674},{},[5675,5679,5684],{"nodeType":247,"value":5676,"marks":5677,"data":5678},"One of the key drivers here is the shrinking time-to-exploit. CrowdStrike's average e-crime breakout time is down to ",[],{},{"nodeType":247,"value":5680,"marks":5681,"data":5683},"29 minutes",[5682],{"type":251},{},{"nodeType":247,"value":5685,"marks":5686,"data":5687},", with the fastest recorded at 27 seconds. When attackers can move from initial access to data exfiltration within minutes, the window for post-compromise detection collapses to near zero. The best chance of stopping the attack is at the point of initial access before the identity is compromised.",[],{},{"nodeType":305,"data":5689,"content":5690},{},[],{"nodeType":243,"data":5692,"content":5693},{},[5694,5699,5705,5710,5716],{"nodeType":247,"value":5695,"marks":5696,"data":5698},"Sidenote: why we're looking at attacks ",[5697],{"type":251},{},{"nodeType":247,"value":5700,"marks":5701,"data":5704},"in",[5702,5703],{"type":4223},{"type":251},{},{"nodeType":247,"value":5706,"marks":5707,"data":5709}," the browser, not ",[5708],{"type":251},{},{"nodeType":247,"value":5711,"marks":5712,"data":5715},"on",[5713,5714],{"type":4223},{"type":251},{},{"nodeType":247,"value":5717,"marks":5718,"data":5720}," the browser",[5719],{"type":251},{},{"nodeType":254,"data":5722,"content":5723},{},[5724,5728,5735],{"nodeType":247,"value":5725,"marks":5726,"data":5727},"Calling this a \"browser attacks\" matrix needs clarification. We're not talking about browser exploits — RCE vulnerabilities, sandbox escapes, memory corruption bugs. Those attacks target the browser itself, they're extraordinarily expensive to develop, and they're increasingly rare. Browser zero-days hit a ",[],{},{"nodeType":278,"data":5729,"content":5730},{"uri":332},[5731],{"nodeType":247,"value":5732,"marks":5733,"data":5734},"historic low of 9%",[],{},{"nodeType":247,"value":5736,"marks":5737,"data":5738}," of all zero-days reported to Google, and a Chrome RCE commands a $250,000 bug bounty.",[],{},{"nodeType":254,"data":5740,"content":5741},{},[5742],{"nodeType":247,"value":5743,"marks":5744,"data":5745},"In comparison, a one-year phishing kit rental costs $1,000. A bulk stolen credential list costs $15. An initial-access-broker-provided IdP admin account costs $3,000. When it costs orders of magnitude less to exploit the person using the browser than to exploit the browser itself, attackers will take the cheaper option every time.",[],{},{"nodeType":254,"data":5747,"content":5748},{},[5749],{"nodeType":247,"value":5750,"marks":5751,"data":5752},"It's worth heading off the obvious counterargument: won't AI-assisted vulnerability discovery eventually make browser exploits cheaper? Perhaps — but it will simultaneously make them easier for browser vendors to find and patch, and vendors like Google and Microsoft have the engineering capacity and financial incentive to scale AI-driven remediation far faster than attackers can scale exploit development.",[],{},{"nodeType":305,"data":5754,"content":5755},{},[],{"nodeType":243,"data":5757,"content":5758},{},[5759],{"nodeType":247,"value":5760,"marks":5761,"data":5763},"What hasn't changed",[5762],{"type":251},{},{"nodeType":254,"data":5765,"content":5766},{},[5767,5771,5778],{"nodeType":247,"value":5768,"marks":5769,"data":5770},"The matrix remains open-source, community-maintained, and available on ",[],{},{"nodeType":278,"data":5772,"content":5774},{"uri":5773},"https://github.com/pushsecurity/saas-attacks",[5775],{"nodeType":247,"value":3608,"marks":5776,"data":5777},[],{},{"nodeType":247,"value":5779,"marks":5780,"data":5781},". The goal is the same as it was in 2023: to give offensive and defensive security teams a shared reference point for the techniques that matter most.",[],{},{"nodeType":254,"data":5783,"content":5784},{},[5785],{"nodeType":247,"value":5786,"marks":5787,"data":5788},"We built it because there was a gap in how the industry talked about these techniques, and that gap still exists — MITRE ATT&CK remains essential for endpoint and network TTPs, but the browser-based, identity-first techniques behind most modern breaches are still underrepresented in traditional frameworks.",[],{},{"nodeType":254,"data":5790,"content":5791},{},[5792],{"nodeType":247,"value":5793,"marks":5794,"data":5795},"We continue to maintain the matrix with input from red teams, detection engineers, and threat researchers across the community. Some of the most valuable additions over the past two years have come from practitioners who encountered a technique on an engagement or in an investigation and contributed it back to the repository.",[],{},{"nodeType":254,"data":5797,"content":5798},{},[5799,5803,5810],{"nodeType":247,"value":5800,"marks":5801,"data":5802},"If you're an offensive security professional using these techniques on engagements, or a defender building detections against them, we want to hear from you. Submit a PR, open a discussion, or flag a technique we've missed on ",[],{},{"nodeType":278,"data":5804,"content":5806},{"uri":5805},"https://github.com/pushsecurity/browser-identity-attacks-matrix",[5807],{"nodeType":247,"value":3608,"marks":5808,"data":5809},[],{},{"nodeType":247,"value":339,"marks":5811,"data":5812},[],{},{"nodeType":305,"data":5814,"content":5815},{},[],{"nodeType":243,"data":5817,"content":5818},{},[5819],{"nodeType":247,"value":5820,"marks":5821,"data":5823},"Looking ahead",[5822],{"type":251},{},{"nodeType":254,"data":5825,"content":5826},{},[5827],{"nodeType":247,"value":5828,"marks":5829,"data":5830},"The pace of attacker innovation in browser-based initial access techniques over the past 18 months has been unlike anything we've tracked before — technique after technique moving from research curiosity to industrialized criminal tooling within months, not years.",[],{},{"nodeType":1023,"data":5832,"content":5833},{},[5834,5844,5854],{"nodeType":1027,"data":5835,"content":5836},{},[5837],{"nodeType":254,"data":5838,"content":5839},{},[5840],{"nodeType":247,"value":5841,"marks":5842,"data":5843},"AiTM platforms are adding authorization-based attack options alongside their credential-harvesting capabilities.",[],{},{"nodeType":1027,"data":5845,"content":5846},{},[5847],{"nodeType":254,"data":5848,"content":5849},{},[5850],{"nodeType":247,"value":5851,"marks":5852,"data":5853},"ClickFix has spawned fully browser-native variants.",[],{},{"nodeType":1027,"data":5855,"content":5856},{},[5857],{"nodeType":254,"data":5858,"content":5859},{},[5860],{"nodeType":247,"value":5861,"marks":5862,"data":5863},"AI is lowering the cost of producing convincing social engineering and phishing infrastructure at scale.",[],{},{"nodeType":254,"data":5865,"content":5866},{},[5867],{"nodeType":247,"value":5868,"marks":5869,"data":5870},"We don't see any of this slowing down, and that's exactly why thinking about these attacks as a browser problem instead of siloing them across email, endpoint, network, and cloud categories, each with a partial view of the picture (and still missing the whole when combined).",[],{},{"nodeType":254,"data":5872,"content":5873},{},[5874,5878,5885],{"nodeType":247,"value":5875,"marks":5876,"data":5877},"The Browser & Identity Attacks Matrix is our contribution to keeping that shared understanding current. You can ",[],{},{"nodeType":278,"data":5879,"content":5880},{"uri":789},[5881],{"nodeType":247,"value":5882,"marks":5883,"data":5884},"explore the matrix here",[],{},{"nodeType":247,"value":339,"marks":5886,"data":5887},[],{},{"nodeType":254,"data":5889,"content":5890},{},[5891,5895,5903],{"nodeType":247,"value":5892,"marks":5893,"data":5894},"You can also read our recent ",[],{},{"nodeType":278,"data":5896,"content":5898},{"uri":5897},"https://pushsecurity.com/thank-you/browser-attacks-report",[5899],{"nodeType":247,"value":5900,"marks":5901,"data":5902},"browser attack techniques report",[],{},{"nodeType":247,"value":5904,"marks":5905,"data":5906}," for more information.",[],{},{"nodeType":447,"data":5908,"content":5912},{"target":5909},{"sys":5910},{"id":5911,"type":452,"linkType":453},"1hx6sxpyEzxn4F4jc1RGQi",[],{"nodeType":305,"data":5914,"content":5915},{},[],{"nodeType":254,"data":5917,"content":5918},{},[5919],{"nodeType":247,"value":5920,"marks":5921,"data":5922},"Push Security is the most powerful AI-native security tool in the browser. Think EDR, but for the browser — high-fidelity telemetry and real-time control across every session, on every device, with no browser migration required. Security teams use Push to detect and stop advanced browser-based attacks like AiTM phishing, ClickFix, and session hijacking; gain visibility and control over AI tool usage across their workforce; harden identities by surfacing credential reuse, SSO gaps, and shadow IT; and support data loss and insider investigations with browser-layer telemetry that other tools can't see.",[],{},{"nodeType":254,"data":5924,"content":5925},{},[5926,5930,5937],{"nodeType":247,"value":5927,"marks":5928,"data":5929},"Book a ",[],{},{"nodeType":278,"data":5931,"content":5932},{"uri":766},[5933],{"nodeType":247,"value":5934,"marks":5935,"data":5936},"live demo",[],{},{"nodeType":247,"value":774,"marks":5938,"data":5939},[],{},"Introducing the Browser & Identity Attacks Matrix","We're re-releasing the SaaS attack matrix as the Browser & Identity Attacks Matrix. Here's why we've decided to make the change and what it means.","2026-05-08T00:00:00.000Z","introducing-the-browser-and-identity-attacks-matrix",{"items":5945},[5946,5948],{"sys":5947,"name":3832},{"id":3831},{"sys":5949,"name":3836},{"id":3835},{"items":5951},[5952],{"fullName":5953,"firstName":5954,"jobTitle":5955,"profilePicture":5956},"Dan Green","Dan","Threat Research",{"url":5957},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png","7-things-we-learned-from-matt-johansen","blog/7-things-we-learned-from-matt-johansen",{"json":5961},{"data":5962,"content":5963,"nodeType":239},{},[5964],{"data":5965,"content":5966,"nodeType":254},{},[5967,5971,5978],{"data":5968,"marks":5969,"value":5970,"nodeType":247},{},[],"In the final installment of our ",{"data":5972,"content":5973,"nodeType":278},{"uri":731},[5974],{"data":5975,"marks":5976,"value":5977,"nodeType":247},{},[],"State of Browser Attacks series",{"data":5979,"marks":5980,"value":5981,"nodeType":247},{},[],", Push Field CTO Mark Orlando sat down with Matt Johansen, security veteran, former Reddit security lead, and founder of the Vulnerable U newsletter, to talk about what's actually working in security and what's just theater. Here are seven takeaways from the conversation.","What we learned from sitting down with Matt Johansen to discuss the difference between security theater and security that actually works. ",{"id":5984,"publishedAt":5985},"3EM39T0mqy5DscsNSact3Z","2026-06-01T16:23:11.412Z",{"items":5987},[5988,5990],{"sys":5989,"name":5094},{"id":5093},{"sys":5991,"name":5098},{"id":5097},"bHkUYIIuFzgzg-tpS0lCBGqKpEitM94FUC88-Uo6Dzk",1784196727756]