[{"data":1,"prerenderedAt":4206},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":910,"faqItemsCollection":911,"faqTitle":62,"featured":6,"hashTags":62,"meta":913,"metaTitle":914,"ogImage":62,"publishedDate":915,"relatedBlogPostsCollection":916,"slug":4183,"stem":4184,"subtitle":62,"summary":4185,"synopsis":4195,"sys":4196,"tagsCollection":4199,"__hash__":4205},"blog/blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches.json","Browser sync attacks: Where personal account hacks lead to corporate breaches",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Dan Green","Dan","Threat Research",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":238,"links":776},{"nodeType":239,"data":240,"content":241},"document",{},[242,266,283,292,305,312,316,325,332,339,360,372,378,390,402,408,415,422,425,433,442,474,481,488,496,516,523,530,537,544,552,571,578,585,592,599,602,610,617,623,630,633,641,648,655,661,668,674,681,687,694,700,706,712,715,723,730],{"nodeType":243,"data":244,"content":245},"paragraph",{},[246,251,262],{"nodeType":247,"value":248,"marks":249,"data":250},"text","One of the breakaway stories of 2026 has been the rise in attacks powered by ",[],{},{"nodeType":252,"data":253,"content":255},"hyperlink",{"uri":254},"https://pushsecurity.com/blog/browser-extension-management-guide/",[256],{"nodeType":247,"value":257,"marks":258,"data":261},"malicious browser extensions",[259],{"type":260},"underline",{},{"nodeType":247,"value":263,"marks":264,"data":265},". ",[],{},{"nodeType":243,"data":267,"content":268},{},[269,273,279],{"nodeType":247,"value":270,"marks":271,"data":272},"Most browser extension attacks are really targeting the apps your users are accessing ",[],{},{"nodeType":247,"value":274,"marks":275,"data":278},"inside",[276],{"type":277},"italic",{},{"nodeType":247,"value":280,"marks":281,"data":282}," the browser. They do this by intercepting credentials (passwords, session cookies, and so on) as you browse the internet. ",[],{},{"nodeType":284,"data":285,"content":291},"embedded-entry-block",{"target":286},{"sys":287},{"id":288,"type":289,"linkType":290},"1nUMc1L69zkD3MmmdqbYm0","Link","Entry",[],{"nodeType":243,"data":293,"content":294},{},[295,301],{"nodeType":247,"value":296,"marks":297,"data":300},"But there’s an often overlooked vector that leads to the same outcome — synced browser profiles. ",[298],{"type":299},"bold",{},{"nodeType":247,"value":302,"marks":303,"data":304},"And the most dangerous part of this attack is that it often stems from personal device compromises — naturally, outside the scope of your corporate security software. ",[],{},{"nodeType":243,"data":306,"content":307},{},[308],{"nodeType":247,"value":309,"marks":310,"data":311},"Sign into Chrome or Edge with a Google or Microsoft account, and your passwords, bookmarks, history, and extensions follow you seamlessly across every device. For individual users, it's a quality-of-life improvement. But for organizations, it links corporate accounts to personal ones with far weaker security controls. ",[],{},{"nodeType":313,"data":314,"content":315},"hr",{},[],{"nodeType":317,"data":318,"content":319},"heading-1",{},[320],{"nodeType":247,"value":321,"marks":322,"data":324},"How browser sync attacks work",[323],{"type":299},{},{"nodeType":243,"data":326,"content":327},{},[328],{"nodeType":247,"value":329,"marks":330,"data":331},"When an employee signs into a personal browser profile on a work device (or saves work credentials on a personal device), the browser's sync mechanism copies those credentials into a cloud account outside the organization's control. That cloud account — typically a personal Google or Microsoft account — becomes the weakest link in the chain.",[],{},{"nodeType":243,"data":333,"content":334},{},[335],{"nodeType":247,"value":336,"marks":337,"data":338},"The typical sequence looks like this:",[],{},{"nodeType":243,"data":340,"content":341},{},[342,347,351,356],{"nodeType":247,"value":343,"marks":344,"data":346},"An employee signs into Chrome with their personal Google account on a corporate laptop. ",[345],{"type":299},{},{"nodeType":247,"value":348,"marks":349,"data":350},"During the course of their work, the browser prompts them to save passwords — for a VPN, an internal tool, a support system, a cloud platform. They click \"Save.\" The credential is now stored locally in the browser ",[],{},{"nodeType":247,"value":352,"marks":353,"data":355},"and",[354],{"type":277},{},{"nodeType":247,"value":357,"marks":358,"data":359}," synced to their personal Google account in the cloud.",[],{},{"nodeType":243,"data":361,"content":362},{},[363,368],{"nodeType":247,"value":364,"marks":365,"data":367},"The personal account is compromised. ",[366],{"type":299},{},{"nodeType":247,"value":369,"marks":370,"data":371},"This can happen in a lot of ways, and is made easier by the less secure nature of personal accounts. They are typically accessed from devices with less or no security protection, while MFA and other identity-layer controls are less common. Once the personal device or account is breached, every synced password — including corporate ones — is in the hands of the attacker. ",[],{},{"nodeType":284,"data":373,"content":377},{"target":374},{"sys":375},{"id":376,"type":289,"linkType":290},"2GQ4TVJQWS9VJB5W6fBeLS",[],{"nodeType":243,"data":379,"content":380},{},[381,386],{"nodeType":247,"value":382,"marks":383,"data":385},"With the harvested corporate credentials, the attacker authenticates to the organization's systems.",[384],{"type":299},{},{"nodeType":247,"value":387,"marks":388,"data":389}," If MFA is absent or bypassable (via fatigue attacks, social engineering, or session token reuse), they're in.",[],{},{"nodeType":243,"data":391,"content":392},{},[393,398],{"nodeType":247,"value":394,"marks":395,"data":397},"From here, it's a conventional intrusion — privilege escalation, reconnaissance, and exfiltration. ",[396],{"type":299},{},{"nodeType":247,"value":399,"marks":400,"data":401},"But the initial access was entirely outside the defender's visibility. No phishing email hit the corporate mail gateway. No exploit was fired at a corporate asset. The compromise happened in a personal context that security teams had no control over.",[],{},{"nodeType":284,"data":403,"content":407},{"target":404},{"sys":405},{"id":406,"type":289,"linkType":290},"5llxwUFxBOjuXTyr5LXOyy",[],{"nodeType":243,"data":409,"content":410},{},[411],{"nodeType":247,"value":412,"marks":413,"data":414},"What makes this attack so effective is that it entirely bypasses the corporate security stack. Endpoint detection, email filtering, network monitoring — none of it sees the initial compromise because it happens on a personal device or in a personal cloud account.",[],{},{"nodeType":243,"data":416,"content":417},{},[418],{"nodeType":247,"value":419,"marks":420,"data":421},"The scope isn’t limited to “personal” devices either. BYOD and contractor machines suffer from the same security limitations in that they are a place where personal and corporate use converges, and/or they sit outside of the scope of your security tooling. ",[],{},{"nodeType":313,"data":423,"content":424},{},[],{"nodeType":317,"data":426,"content":427},{},[428],{"nodeType":247,"value":429,"marks":430,"data":432},"Real-world incidents",[431],{"type":299},{},{"nodeType":434,"data":435,"content":436},"heading-2",{},[437],{"nodeType":247,"value":438,"marks":439,"data":441},"Cisco (2022)",[440],{"type":299},{},{"nodeType":243,"data":443,"content":444},{},[445,448,457,461,470],{"nodeType":247,"value":29,"marks":446,"data":447},[],{},{"nodeType":252,"data":449,"content":451},{"uri":450},"https://thehackernews.com/2022/08/cisco-confirms-its-been-hacked-by.html",[452],{"nodeType":247,"value":453,"marks":454,"data":456},"Cisco",[455],{"type":260},{},{"nodeType":247,"value":458,"marks":459,"data":460}," was breached by an initial access broker with ties to the Yanluowang ransomware group, UNC2447, and the ",[],{},{"nodeType":252,"data":462,"content":464},{"uri":463},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[465],{"nodeType":247,"value":466,"marks":467,"data":469},"Lapsus$",[468],{"type":260},{},{"nodeType":247,"value":471,"marks":472,"data":473}," threat actor group. ",[],{},{"nodeType":243,"data":475,"content":476},{},[477],{"nodeType":247,"value":478,"marks":479,"data":480},"A Cisco employee had enabled Chrome's password syncing feature and had stored their Cisco VPN credentials in the browser. Those credentials were synchronized to their personal Google account. The attacker compromised the personal Google account, obtained the VPN credentials, and then used a combination of voice phishing and MFA fatigue — repeatedly sending push notifications until the employee accepted one — to bypass multi-factor authentication and gain VPN access.",[],{},{"nodeType":243,"data":482,"content":483},{},[484],{"nodeType":247,"value":485,"marks":486,"data":487},"Once inside the network, the attacker escalated privileges, moved laterally to Citrix servers and domain controllers, and deployed offensive tooling consistent with pre-ransomware activity. Cisco's security team ultimately detected and removed the attacker before ransomware was deployed, but the adversary made repeated attempts to regain access in the following weeks, including targeting accounts where employees had only made single-character password changes after the company-wide reset.",[],{},{"nodeType":434,"data":489,"content":490},{},[491],{"nodeType":247,"value":492,"marks":493,"data":495},"Okta (2023)",[494],{"type":299},{},{"nodeType":243,"data":497,"content":498},{},[499,503,512],{"nodeType":247,"value":500,"marks":501,"data":502},"The ",[],{},{"nodeType":252,"data":504,"content":506},{"uri":505},"https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause/",[507],{"nodeType":247,"value":508,"marks":509,"data":511},"Okta breach",[510],{"type":260},{},{"nodeType":247,"value":513,"marks":514,"data":515}," followed an almost identical pattern to Cisco, but with more severe downstream consequences.",[],{},{"nodeType":243,"data":517,"content":518},{},[519],{"nodeType":247,"value":520,"marks":521,"data":522},"Between September 28 and October 17, 2023, an attacker gained unauthorized access to Okta's customer support case management system. The root cause: an Okta employee had signed into their personal Google profile on Chrome on their Okta-managed laptop. While signed into that personal profile, they accessed a service account for the support system. The service account's username and password were saved by Chrome and synced to the employee's personal Google account.",[],{},{"nodeType":243,"data":524,"content":525},{},[526],{"nodeType":247,"value":527,"marks":528,"data":529},"The attacker — having compromised either the personal Google account or a personal device — obtained these service account credentials and used them to access the support system. The compromised service account had permissions to view and update customer support cases, which contained HAR (HTTP Archive) files uploaded by customers for troubleshooting. Some of these HAR files contained session tokens.",[],{},{"nodeType":243,"data":531,"content":532},{},[533],{"nodeType":247,"value":534,"marks":535,"data":536},"The attacker used the stolen session tokens to hijack the legitimate Okta sessions of five customers, including 1Password, BeyondTrust, and Cloudflare — three security companies that independently detected the suspicious activity and reported it to Okta. In total, files associated with 134 Okta customers were accessed.",[],{},{"nodeType":243,"data":538,"content":539},{},[540],{"nodeType":247,"value":541,"marks":542,"data":543},"What made this breach particularly notable was the detection gap. Okta's security team was unable to identify suspicious file downloads in their logs for 14 days. The attacker navigated directly to the Files tab in the support system rather than opening files through individual support cases, which generated a different log event type that wasn't part of the initial investigation scope. It wasn't until BeyondTrust provided a suspicious IP address on October 13 that Okta was able to correlate the activity.",[],{},{"nodeType":434,"data":545,"content":546},{},[547],{"nodeType":247,"value":548,"marks":549,"data":551},"Snowflake (customers) (2024)",[550],{"type":299},{},{"nodeType":243,"data":553,"content":554},{},[555,558,567],{"nodeType":247,"value":500,"marks":556,"data":557},[],{},{"nodeType":252,"data":559,"content":561},{"uri":560},"https://pushsecurity.com/blog/snowflake-retro/",[562],{"nodeType":247,"value":563,"marks":564,"data":566},"Snowflake campaign",[565],{"type":260},{},{"nodeType":247,"value":568,"marks":569,"data":570}," represents what happens when the browser-credential-sync problem meets infostealer malware at scale. ",[],{},{"nodeType":243,"data":572,"content":573},{},[574],{"nodeType":247,"value":575,"marks":576,"data":577},"In 2024, a financially motivated threat actor tracked as UNC5537 (associated with the ShinyHunters group) systematically compromised approximately 165 Snowflake customer environments. The attackers didn't exploit any vulnerability in Snowflake itself. They logged in with valid credentials.",[],{},{"nodeType":243,"data":579,"content":580},{},[581],{"nodeType":247,"value":582,"marks":583,"data":584},"Those credentials had been harvested by infostealer malware — including Vidar, RedLine, Lumma, RisePro, Raccoon Stealer, and MetaStealer — from employee and contractor devices over a period stretching back to 2020. Mandiant's investigation found that over 80% of the compromised accounts had prior credential exposure, and critically, the stolen credentials had never been rotated.",[],{},{"nodeType":243,"data":586,"content":587},{},[588],{"nodeType":247,"value":589,"marks":590,"data":591},"The personal/corporate boundary failure was central to the campaign. Mandiant specifically noted that in several cases, the initial infostealer infections occurred on contractor systems that were also used for personal activities, including gaming and downloads of pirated software. These were personal or unmonitored laptops where corporate credentials had been saved in the browser alongside everything else.",[],{},{"nodeType":243,"data":593,"content":594},{},[595],{"nodeType":247,"value":596,"marks":597,"data":598},"The impacted Snowflake accounts lacked MFA (which Snowflake did not enforce by default at the time), and the attackers used a custom tool to automate SQL-based reconnaissance and data exfiltration across customer instances. The stolen data encompassed hundreds of millions of customer records, and at least one victim paid an undisclosed ransom.",[],{},{"nodeType":313,"data":600,"content":601},{},[],{"nodeType":317,"data":603,"content":604},{},[605],{"nodeType":247,"value":606,"marks":607,"data":609},"What security teams can do about it",[608],{"type":299},{},{"nodeType":243,"data":611,"content":612},{},[613],{"nodeType":247,"value":614,"marks":615,"data":616},"Chrome Enterprise and Microsoft Edge for Business both support policies that prevent employees from signing into personal accounts on corporate-managed browsers. This is the most direct control. It doesn't prevent all credential leakage scenarios, but it closes the sync-to-personal-cloud path.",[],{},{"nodeType":284,"data":618,"content":622},{"target":619},{"sys":620},{"id":621,"type":289,"linkType":290},"CmrOdYVVW6wz9kdRqxOmX",[],{"nodeType":243,"data":624,"content":625},{},[626],{"nodeType":247,"value":627,"marks":628,"data":629},"Every incident described above was enabled or worsened by the absence of MFA on the target system. MFA should be mandatory for all human user accounts, and organizations should audit for \"ghost logins\" — local username/password accounts that persist alongside SSO and bypass its MFA enforcement.",[],{},{"nodeType":313,"data":631,"content":632},{},[],{"nodeType":317,"data":634,"content":635},{},[636],{"nodeType":247,"value":637,"marks":638,"data":640},"How Push can help",[639],{"type":299},{},{"nodeType":243,"data":642,"content":643},{},[644],{"nodeType":247,"value":645,"marks":646,"data":647},"Push makes browser security easier than ever, particularly when dealing with complex environments running different browsers and operating systems. ",[],{},{"nodeType":243,"data":649,"content":650},{},[651],{"nodeType":247,"value":652,"marks":653,"data":654},"You can use Push to surface which users are logged into their browser using a non-work profile and whether the profile is synced across devices. Push captures this information for every browser that your employees are using, including Chrome, Edge, Firefox, Safari, Brave, Opera, Arc, Island, and Prisma (and we’re always adding support for new ones). ",[],{},{"nodeType":284,"data":656,"content":660},{"target":657},{"sys":658},{"id":659,"type":289,"linkType":290},"67sSoSW136TeBZzYIEXggP",[],{"nodeType":243,"data":662,"content":663},{},[664],{"nodeType":247,"value":665,"marks":666,"data":667},"Sync attacks can impact both saved credentials and browser extensions. This means that even if your employees aren’t saving credentials to their browser profile, you can still be at risk if they’ve installed any extensions in another browser where they’re signed in. ",[],{},{"nodeType":284,"data":669,"content":673},{"target":670},{"sys":671},{"id":672,"type":289,"linkType":290},"1MzuYaPlUpYfTnBJRqUBtO",[],{"nodeType":243,"data":675,"content":676},{},[677],{"nodeType":247,"value":678,"marks":679,"data":680},"You can use Push to identify where credentials are being saved — for example, are employees using your company-approved password manager, or copying credentials from unsanctioned apps or locations? This includes where users are manually copying passwords from a password manager app rather than auto-populating (this increases the chance of them entering these passwords into phishing pages).",[],{},{"nodeType":284,"data":682,"content":686},{"target":683},{"sys":684},{"id":685,"type":289,"linkType":290},"7gNX2RXqB2NIf1tNnJBIFD",[],{"nodeType":243,"data":688,"content":689},{},[690],{"nodeType":247,"value":691,"marks":692,"data":693},"You can also see where those credentials have a vulnerability, such as a weak, breached, or reused password. In this scenario, we’re looking for credentials that have been leaked online, where an employee is signed into their work browser with a personal account, and profile sync is enabled. This could indicate that the user has been the victim of an infostealer compromise or malicious extension on their personal device.",[],{},{"nodeType":284,"data":695,"content":699},{"target":696},{"sys":697},{"id":698,"type":289,"linkType":290},"1CBezYXZtlIVbReROF7QpK",[],{"nodeType":284,"data":701,"content":705},{"target":702},{"sys":703},{"id":704,"type":289,"linkType":290},"4xs0WNCijnwnIVc0xqpUu9",[],{"nodeType":284,"data":707,"content":711},{"target":708},{"sys":709},{"id":710,"type":289,"linkType":290},"8gVeg0IBB5EV17iBk6XP8",[],{"nodeType":313,"data":713,"content":714},{},[],{"nodeType":317,"data":716,"content":717},{},[718],{"nodeType":247,"value":719,"marks":720,"data":722},"Stop browser-based attacks with Push",[721],{"type":299},{},{"nodeType":243,"data":724,"content":725},{},[726],{"nodeType":247,"value":727,"marks":728,"data":729},"Push Security's browser-based security platform detects and blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. You don't need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":243,"data":731,"content":732},{},[733,737,746,750,759,763,772],{"nodeType":247,"value":734,"marks":735,"data":736},"To learn more about Push, ",[],{},{"nodeType":252,"data":738,"content":740},{"uri":739},"https://pushsecurity.com/resources/product-brochure",[741],{"nodeType":247,"value":742,"marks":743,"data":745},"check out our latest product overview",[744],{"type":260},{},{"nodeType":247,"value":747,"marks":748,"data":749},", ",[],{},{"nodeType":252,"data":751,"content":753},{"uri":752},"https://pushsecurity.com/product-demo/",[754],{"nodeType":247,"value":755,"marks":756,"data":758},"view our demo library",[757],{"type":260},{},{"nodeType":247,"value":760,"marks":761,"data":762},", or ",[],{},{"nodeType":252,"data":764,"content":766},{"uri":765},"https://pushsecurity.com/demo",[767],{"nodeType":247,"value":768,"marks":769,"data":771},"book some time with one of our team for a live demo",[770],{"type":260},{},{"nodeType":247,"value":773,"marks":774,"data":775},".",[],{},{"entries":777},{"hyperlink":778,"inline":779,"block":780},[],[],[781,796,815,824,832,839,865,873,878,904],{"sys":782,"__typename":783,"content":784,"name":795,"title":62},{"id":288},"InsightTextBlockComponent",{"json":785},{"data":786,"content":787,"nodeType":239},{},[788],{"data":789,"content":790,"nodeType":243},{},[791],{"data":792,"marks":793,"value":794,"nodeType":247},{},[],"This is the same for most browser-based attacks, like phishing (of multiple varieties, with AITM phishing and device code phishing being the most common in 2026), and even hybrid attacks like ClickFix (trick victim into installing an infostealer on their device > steal credentials and cookies > log into apps). ","Browser Sync Blog IB1",{"sys":797,"__typename":783,"content":798,"name":814,"title":62},{"id":376},{"json":799},{"nodeType":239,"data":800,"content":801},{},[802],{"nodeType":243,"data":803,"content":804},{},[805,809],{"nodeType":247,"value":806,"marks":807,"data":808},"Personal devices are far softer targets than corporate endpoints. They typically have no EDR agent, no centrally managed antivirus, no hardened configuration baselines, and no security operations team watching for alerts. And personal browsing habits are way more likely to lead to infostealer deployment, which are often distributed through malicious advertisements on all manner of platforms — search results, social media ads, gaming forums, and so on. ",[],{},{"nodeType":247,"value":810,"marks":811,"data":813},"Notably, the 2025 Verizon DBIR found that 46% of infostealer-infected systems with compromised corporate credentials were non-managed devices. ",[812],{"type":299},{},"Browser Sync Blog IB2",{"sys":816,"__typename":817,"title":818,"caption":819,"layoutMode":62,"file":820},{"id":406},"Image","Browser sync attack diagram","How a personal account compromise can lead to a corporate breach.",{"url":821,"width":822,"height":823},"https://images.ctfassets.net/y1cdw1ablpvd/7KIXnq2SeCTN2zA7DoIOj4/f2b7c37c47d28ac110cd2769c35652ae/Browser_sync_attack_diagram.png",3922,1636,{"sys":825,"__typename":817,"title":826,"caption":827,"layoutMode":62,"file":828},{"id":621},"Preventing browser profile syncing in Chrome","Preventing browser profile syncing in Chrome.",{"url":829,"width":830,"height":831},"https://images.ctfassets.net/y1cdw1ablpvd/54OsAScfL5a896m3n0is80/ee84ec32221be0a6342eb6792c8b6dca/image1.png",1999,1054,{"sys":833,"__typename":817,"title":834,"caption":834,"layoutMode":62,"file":835},{"id":659},"Identify profile syncing using Push.",{"url":836,"width":837,"height":838},"https://images.ctfassets.net/y1cdw1ablpvd/7Gmo7lSxoyLpmRyeEbXz4H/10e82ddfcba7a390ee5a25c931f730ff/image3.png",1380,465,{"sys":840,"__typename":783,"content":841,"name":864,"title":62},{"id":672},{"json":842},{"data":843,"content":844,"nodeType":239},{},[845],{"data":846,"content":847,"nodeType":243},{},[848,852,860],{"data":849,"marks":850,"value":851,"nodeType":247},{},[],"To learn more about how you can use Push to lock down extension use and block malicious extensions from running across every browser, check out our ",{"data":853,"content":854,"nodeType":252},{"uri":254},[855],{"data":856,"marks":857,"value":859,"nodeType":247},{},[858],{"type":260},"guide",{"data":861,"marks":862,"value":863,"nodeType":247},{},[]," here. ","Browser Sync Blog IB3",{"sys":866,"__typename":817,"title":867,"caption":868,"layoutMode":62,"file":869},{"id":685},"Get detailed visibility of password manager use and password entry behavior.","Get deep visibility of password manager use and password entry behavior.",{"url":870,"width":871,"height":872},"https://images.ctfassets.net/y1cdw1ablpvd/74hJdhrMBMXv0enE2Qs5VD/2cdff9be14f70d2ae2283b88da0f3eeb/Push_Password_Manager.gif",1280,720,{"sys":874,"__typename":817,"title":875,"caption":875,"layoutMode":62,"file":876},{"id":698},"Identify browser profile syncing and whether the user has active credentials that have been leaked online.",{"url":877,"width":871,"height":872},"https://images.ctfassets.net/y1cdw1ablpvd/3BIn8peNvp8EXo1TWqZqXO/0c3f849f24d60fa546603d12abd4c349/Browser_Profile_Sync.gif",{"sys":879,"__typename":783,"content":880,"name":903,"title":62},{"id":704},{"json":881},{"data":882,"content":883,"nodeType":239},{},[884],{"data":885,"content":886,"nodeType":243},{},[887,891,899],{"data":888,"marks":889,"value":890,"nodeType":247},{},[],"As well as identifying password vulnerabilities, you can also use Push to harden accounts by detecting MFA gaps and enforcing MFA (even on apps where this isn’t natively possible). Check out our ",{"data":892,"content":894,"nodeType":252},{"uri":893},"https://pushsecurity.com/blog/guide-how-to-use-push-controls-to-protect-your-users-from-modern-attacks/",[895],{"data":896,"marks":897,"value":859,"nodeType":247},{},[898],{"type":260},{"data":900,"marks":901,"value":902,"nodeType":247},{},[]," for more information.","Browser Sync Blog IB4",{"sys":905,"__typename":906,"title":907,"arcadeDemoUrl":908,"playText":909},{"id":710},"ArcadeDemo","Find and fix vulnerabilities using Push to harden attack paths.","https://demo.arcade.software/3gsvKeVcdatDBiW7oC9g?embed","2 mins","json",{"items":912},[],{},"Analyzing browser sync attacks and how to stop them","2026-04-15T00:00:00.000Z",{"items":917},[918,2312,3373],{"__typename":919,"sys":920,"content":922,"title":2290,"synopsis":2291,"hashTags":62,"publishedDate":2292,"slug":2293,"tagsCollection":2294,"authorsCollection":2304},"BlogPosts",{"id":921},"wI3paLVDlEKdaRI5qMYFc",{"json":923},{"nodeType":239,"data":924,"content":925},{},[926,933,958,965,971,978,985,992,998,1001,1009,1016,1022,1028,1044,1256,1268,1276,1283,1290,1297,1317,1323,1330,1333,1341,1348,1381,1388,1404,1425,1460,1466,1473,1492,1499,1506,1509,1517,1524,1618,1625,1632,1640,1647,1654,1661,1667,1675,1682,1689,1696,1702,1709,1717,1736,1744,1751,1757,1760,1768,1775,1782,1893,1899,1906,1913,1920,1927,1934,1942,1949,1956,1981,1987,2003,2018,2034,2040,2048,2055,2063,2070,2073,2081,2088,2121,2127,2151,2158,2161,2169,2176,2192,2198,2205,2212,2215,2223,2241,2248],{"nodeType":243,"data":927,"content":928},{},[929],{"nodeType":247,"value":930,"marks":931,"data":932},"Here are two things that can’t both be true:",[],{},{"nodeType":934,"data":935,"content":936},"unordered-list",{},[937,948],{"nodeType":938,"data":939,"content":940},"list-item",{},[941],{"nodeType":243,"data":942,"content":943},{},[944],{"nodeType":247,"value":945,"marks":946,"data":947},"Users are the weakest link in security. They just need to stop clicking on things.",[],{},{"nodeType":938,"data":949,"content":950},{},[951],{"nodeType":243,"data":952,"content":953},{},[954],{"nodeType":247,"value":955,"marks":956,"data":957},"The internet is a giant clicking-on-things machine.",[],{},{"nodeType":243,"data":959,"content":960},{},[961],{"nodeType":247,"value":962,"marks":963,"data":964},"In particular, when we look at the TTPs of modern browser-based attacks that target employees, it’s obvious where this disconnect has real consequences. ",[],{},{"nodeType":284,"data":966,"content":970},{"target":967},{"sys":968},{"id":969,"type":289,"linkType":290},"2x3blnHzZYcJ8c439C4NqI",[],{"nodeType":243,"data":972,"content":973},{},[974],{"nodeType":247,"value":975,"marks":976,"data":977},"Here’s why: Security tooling hasn’t kept up with adversary advances, and normal human behaviors are being expressly targeted via the browser to achieve compromise of accounts and endpoints. If you list the pitfalls facing the common end-user encountering these kinds of attack methods, the picture becomes even more stark.",[],{},{"nodeType":243,"data":979,"content":980},{},[981],{"nodeType":247,"value":982,"marks":983,"data":984},"To solve these problems, you need security tooling that sits in line with the user where they’re already working: In the browser. In this Push product guide, we’ll cover how you can use Push to provide point-in-time guidance — everything from block pages to informational banners — to protect users from modern browser-based TTPs and to guide them to remediate common vulnerabilities that can lead to account takeover.",[],{},{"nodeType":243,"data":986,"content":987},{},[988],{"nodeType":247,"value":989,"marks":990,"data":991},"We’ve also recently introduced custom branding and styling options for user-facing block pages and banners so you can provide a cohesive and trustworthy experience across your security ecosystem.",[],{},{"nodeType":284,"data":993,"content":997},{"target":994},{"sys":995},{"id":996,"type":289,"linkType":290},"7fwCnr9bz76rWWCL6EReOT",[],{"nodeType":313,"data":999,"content":1000},{},[],{"nodeType":317,"data":1002,"content":1003},{},[1004],{"nodeType":247,"value":1005,"marks":1006,"data":1008},"Why you can’t train users to recognize modern browser-based attack methods",[1007],{"type":299},{},{"nodeType":243,"data":1010,"content":1011},{},[1012],{"nodeType":247,"value":1013,"marks":1014,"data":1015},"User awareness training can help you build your workforce’s basic security baseline. But it’s not a reliable remedy for modern browser-based TTPs. When you look at the creative methods attackers are using — and rapidly improving on — it’s obvious why.",[],{},{"nodeType":284,"data":1017,"content":1021},{"target":1018},{"sys":1019},{"id":1020,"type":289,"linkType":290},"eHla7GPCH5eTpdfEqW5Zo",[],{"nodeType":284,"data":1023,"content":1027},{"target":1024},{"sys":1025},{"id":1026,"type":289,"linkType":290},"29vUtbEUam8fhbwnQdINRJ",[],{"nodeType":243,"data":1029,"content":1030},{},[1031,1035,1040],{"nodeType":247,"value":1032,"marks":1033,"data":1034},"To avoid account or endpoint compromise while going about your daily work as a user, you would need to accomplish these ",[],{},{"nodeType":247,"value":1036,"marks":1037,"data":1039},"extremely 100% achievable activities",[1038],{"type":277},{},{"nodeType":247,"value":1041,"marks":1042,"data":1043},", including:",[],{},{"nodeType":1045,"data":1046,"content":1047},"table",{},[1048,1075,1118,1141,1176,1210],{"nodeType":1049,"data":1050,"content":1051},"table-row",{},[1052,1064],{"nodeType":1053,"data":1054,"content":1055},"table-header-cell",{},[1056],{"nodeType":243,"data":1057,"content":1058},{},[1059],{"nodeType":247,"value":1060,"marks":1061,"data":1063},"Scenario",[1062],{"type":299},{},{"nodeType":1053,"data":1065,"content":1066},{},[1067],{"nodeType":243,"data":1068,"content":1069},{},[1070],{"nodeType":247,"value":1071,"marks":1072,"data":1074},"Threat",[1073],{"type":299},{},{"nodeType":1049,"data":1076,"content":1077},{},[1078,1104],{"nodeType":1079,"data":1080,"content":1081},"table-cell",{},[1082],{"nodeType":243,"data":1083,"content":1084},{},[1085,1089,1100],{"nodeType":247,"value":1086,"marks":1087,"data":1088},"While using search engines, never click on a ",[],{},{"nodeType":1090,"data":1091,"content":1095},"entry-hyperlink",{"target":1092},{"sys":1093},{"id":1094,"type":289,"linkType":290},"2YmiesBvJHGw4wiKEKzLUq",[1096],{"nodeType":247,"value":1097,"marks":1098,"data":1099},"malicious link",[],{},{"nodeType":247,"value":1101,"marks":1102,"data":1103}," in sponsored or organic results (it's often the first link you see, too).",[],{},{"nodeType":1079,"data":1105,"content":1106},{},[1107],{"nodeType":243,"data":1108,"content":1109},{},[1110,1114],{"nodeType":247,"value":1111,"marks":1112,"data":1113},"M",[],{},{"nodeType":247,"value":1115,"marks":1116,"data":1117},"alvertising, SEO poisoning, compromised legitimate webpages, vibecoded phishing webpages.",[],{},{"nodeType":1049,"data":1119,"content":1120},{},[1121,1131],{"nodeType":1079,"data":1122,"content":1123},{},[1124],{"nodeType":243,"data":1125,"content":1126},{},[1127],{"nodeType":247,"value":1128,"marks":1129,"data":1130},"Know when to trust an email coming from an app you use every day, and when it could be malicious (it looks the same).",[],{},{"nodeType":1079,"data":1132,"content":1133},{},[1134],{"nodeType":243,"data":1135,"content":1136},{},[1137],{"nodeType":247,"value":1138,"marks":1139,"data":1140},"Using SaaS services to distribute malicious links using trusted sites (also a handy way of evading email controls).",[],{},{"nodeType":1049,"data":1142,"content":1143},{},[1144,1166],{"nodeType":1079,"data":1145,"content":1146},{},[1147],{"nodeType":243,"data":1148,"content":1149},{},[1150,1154,1162],{"nodeType":247,"value":1151,"marks":1152,"data":1153},"When reading a LinkedIn DM from a colleague, anticipate that they might have been hacked and have sent you a malicious link. (Yes, this was a ",[],{},{"nodeType":252,"data":1155,"content":1157},{"uri":1156},"https://pushsecurity.com/blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack/",[1158],{"nodeType":247,"value":1159,"marks":1160,"data":1161},"real scenario",[],{},{"nodeType":247,"value":1163,"marks":1164,"data":1165},"). ",[],{},{"nodeType":1079,"data":1167,"content":1168},{},[1169],{"nodeType":243,"data":1170,"content":1171},{},[1172],{"nodeType":247,"value":1173,"marks":1174,"data":1175},"Abuse of social media, IM platforms, and other apps where you can be directly contacted by users external to your organization. ",[],{},{"nodeType":1049,"data":1177,"content":1178},{},[1179,1189],{"nodeType":1079,"data":1180,"content":1181},{},[1182],{"nodeType":243,"data":1183,"content":1184},{},[1185],{"nodeType":247,"value":1186,"marks":1187,"data":1188},"When logging in to an app, never follow benign-seeming but actually malicious instructions to enter a code onto a legitimate page to complete your login.",[],{},{"nodeType":1079,"data":1190,"content":1191},{},[1192],{"nodeType":243,"data":1193,"content":1194},{},[1195,1199,1207],{"nodeType":247,"value":1196,"marks":1197,"data":1198},"AiTM phishing, OAuth consent phishing, ",[],{},{"nodeType":252,"data":1200,"content":1202},{"uri":1201},"https://pushsecurity.com/blog/device-code-phishing/",[1203],{"nodeType":247,"value":1204,"marks":1205,"data":1206},"device code phishing",[],{},{"nodeType":247,"value":773,"marks":1208,"data":1209},[],{},{"nodeType":1049,"data":1211,"content":1212},{},[1213,1223],{"nodeType":1079,"data":1214,"content":1215},{},[1216],{"nodeType":243,"data":1217,"content":1218},{},[1219],{"nodeType":247,"value":1220,"marks":1221,"data":1222},"Know which instructions to follow and which are malicious when verifying that you're human on a CAPTCHA-style page.",[],{},{"nodeType":1079,"data":1224,"content":1225},{},[1226],{"nodeType":243,"data":1227,"content":1228},{},[1229,1232,1240,1244,1252],{"nodeType":247,"value":29,"marks":1230,"data":1231},[],{},{"nodeType":252,"data":1233,"content":1235},{"uri":1234},"https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/",[1236],{"nodeType":247,"value":1237,"marks":1238,"data":1239},"ClickFix",[],{},{"nodeType":247,"value":1241,"marks":1242,"data":1243},"-style attacks that trick the user into running a malicious script or command, or ",[],{},{"nodeType":252,"data":1245,"content":1247},{"uri":1246},"https://pushsecurity.com/blog/consentfix/",[1248],{"nodeType":247,"value":1249,"marks":1250,"data":1251},"ConsentFix",[],{},{"nodeType":247,"value":1253,"marks":1254,"data":1255}," (which is even sneakier and simply involves copying a URL).",[],{},{"nodeType":243,"data":1257,"content":1258},{},[1259,1263],{"nodeType":247,"value":1260,"marks":1261,"data":1262},"And we're barely scratching the surface here. ",[],{},{"nodeType":247,"value":1264,"marks":1265,"data":1267},"Easy, right?",[1266],{"type":299},{},{"nodeType":434,"data":1269,"content":1270},{},[1271],{"nodeType":247,"value":1272,"marks":1273,"data":1275},"Can't we block users from interacting with bad content? ",[1274],{"type":299},{},{"nodeType":243,"data":1277,"content":1278},{},[1279],{"nodeType":247,"value":1280,"marks":1281,"data":1282},"So if you can’t train your way out of these problems, what about locking down and blocking your way out of the problem?",[],{},{"nodeType":243,"data":1284,"content":1285},{},[1286],{"nodeType":247,"value":1287,"marks":1288,"data":1289},"This, too, simply isn’t really feasible. ",[],{},{"nodeType":243,"data":1291,"content":1292},{},[1293],{"nodeType":247,"value":1294,"marks":1295,"data":1296},"Modern cloud-first adversaries routinely rotate domains on malicious pages; use trusted services like SharePoint, Adobe, Google Sites, Cloudflare, and Atlassian to deliver lures; target end-users across multiple channels, including social media, forums, chat platforms, Google search results, email, and webpages; and use legitimate security tools like bot protection to bypass detection by other legitimate security tools, such as web content scanning and analysis solutions.",[],{},{"nodeType":243,"data":1298,"content":1299},{},[1300,1304,1308,1313],{"nodeType":247,"value":1301,"marks":1302,"data":1303},"To safely navigate the internet today, y",[],{},{"nodeType":247,"value":1305,"marks":1306,"data":1307},"ou need to be able to spot malicious pages and content ",[],{},{"nodeType":247,"value":1309,"marks":1310,"data":1312},"the first time they're seen in the wild",[1311],{"type":299},{},{"nodeType":247,"value":1314,"marks":1315,"data":1316},". If you're relying on indicators of known bad, you're always a step behind, leaving users exposed.",[],{},{"nodeType":284,"data":1318,"content":1322},{"target":1319},{"sys":1320},{"id":1321,"type":289,"linkType":290},"3ZfqOLRdJZJIc78rj9E9JZ",[],{"nodeType":243,"data":1324,"content":1325},{},[1326],{"nodeType":247,"value":1327,"marks":1328,"data":1329},"To protect users while they work online, you need a purpose-built security tool that can respond in real time to modern TTPs and guide users securely — without introducing extra work or a lot of friction. Push can help with that.",[],{},{"nodeType":313,"data":1331,"content":1332},{},[],{"nodeType":317,"data":1334,"content":1335},{},[1336],{"nodeType":247,"value":1337,"marks":1338,"data":1340},"Why in-browser controls?",[1339],{"type":299},{},{"nodeType":243,"data":1342,"content":1343},{},[1344],{"nodeType":247,"value":1345,"marks":1346,"data":1347},"Simply put, using in-browser security controls gets you the closest to the user and their work in order to protect them from modern browser-based threats. Adding in-browser controls also solves two tricky problems for security teams: ",[],{},{"nodeType":934,"data":1349,"content":1350},{},[1351,1366],{"nodeType":938,"data":1352,"content":1353},{},[1354],{"nodeType":243,"data":1355,"content":1356},{},[1357,1362],{"nodeType":247,"value":1358,"marks":1359,"data":1361},"Filling the gap between solution layers",[1360],{"type":299},{},{"nodeType":247,"value":1363,"marks":1364,"data":1365}," in order to detect and block attack methods like Adversary-in-the-Middle phishing, malicious browser extensions, and ClickFix-style social engineering attacks that other tools miss.",[],{},{"nodeType":938,"data":1367,"content":1368},{},[1369],{"nodeType":243,"data":1370,"content":1371},{},[1372,1377],{"nodeType":247,"value":1373,"marks":1374,"data":1376},"Providing just-in-time security enforcement",[1375],{"type":299},{},{"nodeType":247,"value":1378,"marks":1379,"data":1380}," to end-users when it’s the right moment to act on that guidance, reducing your attack surface across your online apps, browser extensions, and accounts, and ensuring your app usage policies are followed.",[],{},{"nodeType":434,"data":1382,"content":1383},{},[1384],{"nodeType":247,"value":1385,"marks":1386,"data":1387},"Fill the gap between solution layers",[],{},{"nodeType":243,"data":1389,"content":1390},{},[1391,1395,1400],{"nodeType":247,"value":1392,"marks":1393,"data":1394},"Most existing security solutions operate just ",[],{},{"nodeType":247,"value":1396,"marks":1397,"data":1399},"outside",[1398],{"type":277},{},{"nodeType":247,"value":1401,"marks":1402,"data":1403}," the context of a user interacting with a webpage. This leaves blind spots that attackers are exploiting between layers of security tooling.",[],{},{"nodeType":243,"data":1405,"content":1406},{},[1407,1411,1421],{"nodeType":247,"value":1408,"marks":1409,"data":1410},"For example, network proxies see HTTP requests, URLs, and page headers, but not the ",[],{},{"nodeType":1090,"data":1412,"content":1416},{"target":1413},{"sys":1414},{"id":1415,"type":289,"linkType":290},"5caCcGCqMMPm5KlwUv0sbz",[1417],{"nodeType":247,"value":1418,"marks":1419,"data":1420},"structural elements",[],{},{"nodeType":247,"value":1422,"marks":1423,"data":1424}," of the DOM or on-page user interactions that are key to fingerprinting the behavior of AiTM phishing kits or ClickFix-style social engineering attacks. ",[],{},{"nodeType":243,"data":1426,"content":1427},{},[1428,1432,1442,1446,1456],{"nodeType":247,"value":1429,"marks":1430,"data":1431},"Similarly, ",[],{},{"nodeType":1090,"data":1433,"content":1437},{"target":1434},{"sys":1435},{"id":1436,"type":289,"linkType":290},"6YWYKGESlyUKQxvhKmBzeH",[1438],{"nodeType":247,"value":1439,"marks":1440,"data":1441},"EDR tools",[],{},{"nodeType":247,"value":1443,"marks":1444,"data":1445}," only see the bad thing when it hits the endpoint, and many ",[],{},{"nodeType":1090,"data":1447,"content":1451},{"target":1448},{"sys":1449},{"id":1450,"type":289,"linkType":290},"2k2aDK5dyQKlQBrk66pMXE",[1452],{"nodeType":247,"value":1453,"marks":1454,"data":1455},"cloud security tools",[],{},{"nodeType":247,"value":1457,"marks":1458,"data":1459}," rely on complex policy configurations across a core set of apps to provide security protection — leaving a gap in detection and response capabilities outside their purview.",[],{},{"nodeType":284,"data":1461,"content":1465},{"target":1462},{"sys":1463},{"id":1464,"type":289,"linkType":290},"50NyBpr96dKspvTzJTBOlC",[],{"nodeType":434,"data":1467,"content":1468},{},[1469],{"nodeType":247,"value":1470,"marks":1471,"data":1472},"Provide just-in-time security enforcement",[],{},{"nodeType":243,"data":1474,"content":1475},{},[1476,1480,1488],{"nodeType":247,"value":1477,"marks":1478,"data":1479},"As some of our customers like to say, Push provides security teams with a ",[],{},{"nodeType":252,"data":1481,"content":1483},{"uri":1482},"/customer-stories/upvest",[1484],{"nodeType":247,"value":1485,"marks":1486,"data":1487},"“seat on the user’s side”",[],{},{"nodeType":247,"value":1489,"marks":1490,"data":1491}," of the equation so you can enforce security best practices.",[],{},{"nodeType":243,"data":1493,"content":1494},{},[1495],{"nodeType":247,"value":1496,"marks":1497,"data":1498},"Having that seat on the user’s side also helps you deliver guidance in the right context for it to be followed: When the user is engaged in doing the behavior you want to influence (or prevent). The right information, at the right time, in the right format — not a belated reminder through a different channel that’s easy to ignore.",[],{},{"nodeType":243,"data":1500,"content":1501},{},[1502],{"nodeType":247,"value":1503,"marks":1504,"data":1505},"With those outcomes in mind, let’s look at some specific solutions from the Push platform.",[],{},{"nodeType":313,"data":1507,"content":1508},{},[],{"nodeType":317,"data":1510,"content":1511},{},[1512],{"nodeType":247,"value":1513,"marks":1514,"data":1516},"How Push helps you protect users from browser-based ATO, ClickFix, and similar attacks",[1515],{"type":299},{},{"nodeType":243,"data":1518,"content":1519},{},[1520],{"nodeType":247,"value":1521,"marks":1522,"data":1523},"The Push platform provides out-of-the-box detections for browser-based attacks, including:",[],{},{"nodeType":934,"data":1525,"content":1526},{},[1527,1550,1573,1595],{"nodeType":938,"data":1528,"content":1529},{},[1530],{"nodeType":243,"data":1531,"content":1532},{},[1533,1536,1546],{"nodeType":247,"value":29,"marks":1534,"data":1535},[],{},{"nodeType":1090,"data":1537,"content":1541},{"target":1538},{"sys":1539},{"id":1540,"type":289,"linkType":290},"7KRnTSnJAbbiho69gNyN0B",[1542],{"nodeType":247,"value":1543,"marks":1544,"data":1545},"AiTM phishing kits",[],{},{"nodeType":247,"value":1547,"marks":1548,"data":1549}," that can bypass MFA",[],{},{"nodeType":938,"data":1551,"content":1552},{},[1553],{"nodeType":243,"data":1554,"content":1555},{},[1556,1559,1569],{"nodeType":247,"value":29,"marks":1557,"data":1558},[],{},{"nodeType":1090,"data":1560,"content":1564},{"target":1561},{"sys":1562},{"id":1563,"type":289,"linkType":290},"jN3GN5ddMJZiDtl0fgUVd",[1565],{"nodeType":247,"value":1566,"marks":1567,"data":1568},"Cloned login pages",[],{},{"nodeType":247,"value":1570,"marks":1571,"data":1572}," designed to steal user credentials",[],{},{"nodeType":938,"data":1574,"content":1575},{},[1576],{"nodeType":243,"data":1577,"content":1578},{},[1579,1582,1592],{"nodeType":247,"value":29,"marks":1580,"data":1581},[],{},{"nodeType":1090,"data":1583,"content":1587},{"target":1584},{"sys":1585},{"id":1586,"type":289,"linkType":290},"5NyiWgjMDwk16XZ0S681JK",[1588],{"nodeType":247,"value":1589,"marks":1590,"data":1591},"Malicious browser extensions",[],{},{"nodeType":247,"value":29,"marks":1593,"data":1594},[],{},{"nodeType":938,"data":1596,"content":1597},{},[1598],{"nodeType":243,"data":1599,"content":1600},{},[1601,1604,1614],{"nodeType":247,"value":29,"marks":1602,"data":1603},[],{},{"nodeType":1090,"data":1605,"content":1609},{"target":1606},{"sys":1607},{"id":1608,"type":289,"linkType":290},"7jygmadjoz0asAHv7e5PuK",[1610],{"nodeType":247,"value":1611,"marks":1612,"data":1613},"Malicious copy and paste attacks",[],{},{"nodeType":247,"value":1615,"marks":1616,"data":1617}," like ClickFix, FileFix, and similar",[],{},{"nodeType":243,"data":1619,"content":1620},{},[1621],{"nodeType":247,"value":1622,"marks":1623,"data":1624},"For each of these attack vectors, Push delivers detection events and associated metadata for quick triage by the security team, as well as employee-facing warn or block screens, based on your selected configuration.",[],{},{"nodeType":243,"data":1626,"content":1627},{},[1628],{"nodeType":247,"value":1629,"marks":1630,"data":1631},"Here’s a snapshot of the capabilities of these controls and what end-users will experience.",[],{},{"nodeType":434,"data":1633,"content":1634},{},[1635],{"nodeType":247,"value":1636,"marks":1637,"data":1639},"The scenario:",[1638],{"type":299},{},{"nodeType":243,"data":1641,"content":1642},{},[1643],{"nodeType":247,"value":1644,"marks":1645,"data":1646},"When a user encounters a malicious page — whether that’s an AiTM phishing tool running on a webpage, or a ClickFix-style attack — or attempts to install a malicious extension, Push immediately steps in. ",[],{},{"nodeType":243,"data":1648,"content":1649},{},[1650],{"nodeType":247,"value":1651,"marks":1652,"data":1653},"Push can prevent users from entering their credentials on phishing pages, including cloned login pages, or from pasting malicious clipboard contents that can run malware on their device. Push can also prevent users from installing known-bad browser extensions. ",[],{},{"nodeType":243,"data":1655,"content":1656},{},[1657],{"nodeType":247,"value":1658,"marks":1659,"data":1660},"In each of these scenarios, Push admins get detailed detection information they can use to triage the incident.",[],{},{"nodeType":284,"data":1662,"content":1666},{"target":1663},{"sys":1664},{"id":1665,"type":289,"linkType":290},"5jR3YVUiusHGnXDOyrgYpr",[],{"nodeType":434,"data":1668,"content":1669},{},[1670],{"nodeType":247,"value":1671,"marks":1672,"data":1674},"How it works:",[1673],{"type":299},{},{"nodeType":243,"data":1676,"content":1677},{},[1678],{"nodeType":247,"value":1679,"marks":1680,"data":1681},"Rather than relying on known-bad intelligence like domains or URLs, Push performs a behavioral and structural analysis of malicious pages in real time.",[],{},{"nodeType":243,"data":1683,"content":1684},{},[1685],{"nodeType":247,"value":1686,"marks":1687,"data":1688},"That means a phishing page never has to appear in a threat intelligence feed in order to be detected and blocked.",[],{},{"nodeType":243,"data":1690,"content":1691},{},[1692],{"nodeType":247,"value":1693,"marks":1694,"data":1695},"Similarly, for malicious copy and paste attacks like ClickFix, Push analyzes the content copied to the clipboard but also evaluates the context of the page to reduce false positives. In blocking mode, Push’s control for ClickFix-style attacks replaces the malicious clipboard contents with safe text — preventing potential endpoint compromise before it can occur.",[],{},{"nodeType":284,"data":1697,"content":1701},{"target":1698},{"sys":1699},{"id":1700,"type":289,"linkType":290},"3OkejjEjV9xflBc5ouOVFn",[],{"nodeType":243,"data":1703,"content":1704},{},[1705],{"nodeType":247,"value":1706,"marks":1707,"data":1708},"Finally, for identifying malicious browser extensions, Push takes a slightly different approach — combining both behavioral detections and curated intelligence of known-bad extensions from our own research and from trusted industry sources. We’ve found this combination provides the highest-fidelity way to identify malicious extensions without relying on approaches like analyzing extension permissions, which often isn’t actionable. ",[],{},{"nodeType":434,"data":1710,"content":1711},{},[1712],{"nodeType":247,"value":1713,"marks":1714,"data":1716},"Your security team gets:",[1715],{"type":299},{},{"nodeType":243,"data":1718,"content":1719},{},[1720,1724,1732],{"nodeType":247,"value":1721,"marks":1722,"data":1723},"Readymade detection and alerting, combined with detailed telemetry. Detections and their associated metadata can be consumed via ",[],{},{"nodeType":252,"data":1725,"content":1727},{"uri":1726},"/help/audience/administrators/docs/getting-started/#api-and-webhooks",[1728],{"nodeType":247,"value":1729,"marks":1730,"data":1731},"Push’s REST API and webhooks",[],{},{"nodeType":247,"value":1733,"marks":1734,"data":1735},". ",[],{},{"nodeType":434,"data":1737,"content":1738},{},[1739],{"nodeType":247,"value":1740,"marks":1741,"data":1743},"Your end-users see:",[1742],{"type":299},{},{"nodeType":243,"data":1745,"content":1746},{},[1747],{"nodeType":247,"value":1748,"marks":1749,"data":1750},"An immediate block screen in your company colors and brand style, providing a highly memorable, contextual moment of learning — and reassuring them that an incident has been prevented.",[],{},{"nodeType":284,"data":1752,"content":1756},{"target":1753},{"sys":1754},{"id":1755,"type":289,"linkType":290},"4QfjDDfKjohKr1qqDLRT0m",[],{"nodeType":313,"data":1758,"content":1759},{},[],{"nodeType":317,"data":1761,"content":1762},{},[1763],{"nodeType":247,"value":1764,"marks":1765,"data":1767},"How Push helps you remediate account vulnerabilities at scale",[1766],{"type":299},{},{"nodeType":243,"data":1769,"content":1770},{},[1771],{"nodeType":247,"value":1772,"marks":1773,"data":1774},"Just-in-time security enforcement works best when it’s trustworthy and contextual — without making a lot more work for your team. Push also provides readymade controls for remediating common account vulnerabilities that contribute to your attack surface online, helping you harden existing accounts and reduce behaviors that introduce new risks.",[],{},{"nodeType":243,"data":1776,"content":1777},{},[1778],{"nodeType":247,"value":1779,"marks":1780,"data":1781},"With Push, you can:",[],{},{"nodeType":934,"data":1783,"content":1784},{},[1785,1808,1846,1870],{"nodeType":938,"data":1786,"content":1787},{},[1788],{"nodeType":243,"data":1789,"content":1790},{},[1791,1794,1804],{"nodeType":247,"value":29,"marks":1792,"data":1793},[],{},{"nodeType":1090,"data":1795,"content":1799},{"target":1796},{"sys":1797},{"id":1798,"type":289,"linkType":290},"6FYHbkcRUrtznPo7RarRsz",[1800],{"nodeType":247,"value":1801,"marks":1802,"data":1803},"Prevent the phishing or reuse of high-value passwords",[],{},{"nodeType":247,"value":1805,"marks":1806,"data":1807},", like your IdP, AWS, or code repository passwords.",[],{},{"nodeType":938,"data":1809,"content":1810},{},[1811],{"nodeType":243,"data":1812,"content":1813},{},[1814,1818,1828,1832,1842],{"nodeType":247,"value":1815,"marks":1816,"data":1817},"Remediate ",[],{},{"nodeType":1090,"data":1819,"content":1823},{"target":1820},{"sys":1821},{"id":1822,"type":289,"linkType":290},"2WAc5HflKonFN7Jc53ROgj",[1824],{"nodeType":247,"value":1825,"marks":1826,"data":1827},"missing MFA",[],{},{"nodeType":247,"value":1829,"marks":1830,"data":1831}," or ",[],{},{"nodeType":1090,"data":1833,"content":1837},{"target":1834},{"sys":1835},{"id":1836,"type":289,"linkType":290},"2dAP36chda6ZDGKzw0Itfs",[1838],{"nodeType":247,"value":1839,"marks":1840,"data":1841},"insecure passwords",[],{},{"nodeType":247,"value":1843,"marks":1844,"data":1845}," on any work app, even those not managed by your SSO solution.",[],{},{"nodeType":938,"data":1847,"content":1848},{},[1849],{"nodeType":243,"data":1850,"content":1851},{},[1852,1856,1866],{"nodeType":247,"value":1853,"marks":1854,"data":1855},"Use ",[],{},{"nodeType":1090,"data":1857,"content":1861},{"target":1858},{"sys":1859},{"id":1860,"type":289,"linkType":290},"2ZpKnuljaUH0jzVaae4SMN",[1862],{"nodeType":247,"value":1863,"marks":1864,"data":1865},"in-browser banners",[],{},{"nodeType":247,"value":1867,"marks":1868,"data":1869}," to add guardrails to app usage, including blocking unapproved SaaS or collecting a business reason to access an app before approving it.",[],{},{"nodeType":938,"data":1871,"content":1872},{},[1873],{"nodeType":243,"data":1874,"content":1875},{},[1876,1879,1889],{"nodeType":247,"value":29,"marks":1877,"data":1878},[],{},{"nodeType":1090,"data":1880,"content":1884},{"target":1881},{"sys":1882},{"id":1883,"type":289,"linkType":290},"3ibVBa6u0XfcXXDVtON5th",[1885],{"nodeType":247,"value":1886,"marks":1887,"data":1888},"Block unwanted or unapproved browser extensions",[],{},{"nodeType":247,"value":1890,"marks":1891,"data":1892}," from being installed, or disable them if they’ve been installed previously.",[],{},{"nodeType":243,"data":1894,"content":1895},{},[1896],{"nodeType":247,"value":1629,"marks":1897,"data":1898},[],{},{"nodeType":434,"data":1900,"content":1901},{},[1902],{"nodeType":247,"value":1636,"marks":1903,"data":1905},[1904],{"type":299},{},{"nodeType":243,"data":1907,"content":1908},{},[1909],{"nodeType":247,"value":1910,"marks":1911,"data":1912},"Push uses in-browser controls to intervene when a user is missing MFA; reusing a high-value password; using an insecure password; attempting to log in to an unapproved app; or attempting to install a blocked extension. ",[],{},{"nodeType":243,"data":1914,"content":1915},{},[1916],{"nodeType":247,"value":1917,"marks":1918,"data":1919},"Push can block users from reusing passwords set as “protected” (meaning they can’t be reused on any other page or app) or from using unapproved apps or extensions. Push can guide users to update their password or register for MFA on accounts where they lack it. Push can also provide any other specific security or policy guidance to employees via banners that appear on apps in your environment, including GenAI apps. ",[],{},{"nodeType":243,"data":1921,"content":1922},{},[1923],{"nodeType":247,"value":1924,"marks":1925,"data":1926},"For all of these scenarios, you can tune Push controls to your preferred mode (informing vs. blocking, for example) and select which employees, employee groups, and apps or accounts to focus on.",[],{},{"nodeType":243,"data":1928,"content":1929},{},[1930],{"nodeType":247,"value":1931,"marks":1932,"data":1933},"You can also customize the message that employees see, to match your organizational culture and policies.",[],{},{"nodeType":434,"data":1935,"content":1936},{},[1937],{"nodeType":247,"value":1938,"marks":1939,"data":1941},"How it works: ",[1940],{"type":299},{},{"nodeType":243,"data":1943,"content":1944},{},[1945],{"nodeType":247,"value":1946,"marks":1947,"data":1948},"The Push browser agent observes real-time user behavior and securely analyzes users’ account vulnerabilities in order to identify risks and execute your preconfigured controls. ",[],{},{"nodeType":243,"data":1950,"content":1951},{},[1952],{"nodeType":247,"value":1953,"marks":1954,"data":1955},"To identify MFA status, Push uses the app’s own API to query the logged-in user’s registered MFA methods. To analyze password security, Push creates a salted, truncated hash that is stored locally in the user’s browser and then used for comparison to find reused passwords, leaked passwords, and shared passwords. ",[],{},{"nodeType":243,"data":1957,"content":1958},{},[1959,1963,1968,1972,1977],{"nodeType":247,"value":1960,"marks":1961,"data":1962},"Using the ",[],{},{"nodeType":247,"value":1964,"marks":1965,"data":1967},"MFA enforcement",[1966],{"type":299},{},{"nodeType":247,"value":1969,"marks":1970,"data":1971}," and ",[],{},{"nodeType":247,"value":1973,"marks":1974,"data":1976},"Strong password enforcement",[1975],{"type":299},{},{"nodeType":247,"value":1978,"marks":1979,"data":1980}," controls, you can then automatically display a banner to users with those account vulnerabilities, guiding them to fix the issue.",[],{},{"nodeType":284,"data":1982,"content":1986},{"target":1983},{"sys":1984},{"id":1985,"type":289,"linkType":290},"7Ka4CumZk9it6GsdlNHREA",[],{"nodeType":243,"data":1988,"content":1989},{},[1990,1994,1999],{"nodeType":247,"value":1991,"marks":1992,"data":1993},"Using Push’s ",[],{},{"nodeType":247,"value":1995,"marks":1996,"data":1998},"Password protection",[1997],{"type":299},{},{"nodeType":247,"value":2000,"marks":2001,"data":2002}," control, you can select apps where you want to essentially “pin” the high-value password to only that app and prevent its reuse (or phishing) on any other domain. ",[],{},{"nodeType":243,"data":2004,"content":2005},{},[2006,2009,2014],{"nodeType":247,"value":1991,"marks":2007,"data":2008},[],{},{"nodeType":247,"value":2010,"marks":2011,"data":2013},"Browser extension blocking",[2012],{"type":299},{},{"nodeType":247,"value":2015,"marks":2016,"data":2017}," control, you can create a blocklist or allowlist of extensions and prevent users from installing or enabling blocked extensions.",[],{},{"nodeType":243,"data":2019,"content":2020},{},[2021,2025,2030],{"nodeType":247,"value":2022,"marks":2023,"data":2024},"Finally, using Push’s ",[],{},{"nodeType":247,"value":2026,"marks":2027,"data":2029},"App banners",[2028],{"type":299},{},{"nodeType":247,"value":2031,"marks":2032,"data":2033}," feature, you can add custom messages in a range of modes — from informing to blocking — to apps in use across your business, or even specific URL patterns.",[],{},{"nodeType":284,"data":2035,"content":2039},{"target":2036},{"sys":2037},{"id":2038,"type":289,"linkType":290},"5Mq4PEzEhW8p1qLvS9aZMm",[],{"nodeType":434,"data":2041,"content":2042},{},[2043],{"nodeType":247,"value":2044,"marks":2045,"data":2047},"Your security team gets: ",[2046],{"type":299},{},{"nodeType":243,"data":2049,"content":2050},{},[2051],{"nodeType":247,"value":2052,"marks":2053,"data":2054},"A flexible and highly configurable set of controls to solve account vulnerabilities at scale and to enforce your security controls around browser extensions and app usage.",[],{},{"nodeType":434,"data":2056,"content":2057},{},[2058],{"nodeType":247,"value":2059,"marks":2060,"data":2062},"Your end-users see: ",[2061],{"type":299},{},{"nodeType":243,"data":2064,"content":2065},{},[2066],{"nodeType":247,"value":2067,"marks":2068,"data":2069},"Contextual, actionable guidance in the midst of their actual workflow, helping them fix the issue or guiding them to safety.",[],{},{"nodeType":313,"data":2071,"content":2072},{},[],{"nodeType":317,"data":2074,"content":2075},{},[2076],{"nodeType":247,"value":2077,"marks":2078,"data":2080},"Implementation tips",[2079],{"type":299},{},{"nodeType":243,"data":2082,"content":2083},{},[2084],{"nodeType":247,"value":2085,"marks":2086,"data":2087},"Push allows you to set the scope and mode of each control, making it simple to roll out. ",[],{},{"nodeType":243,"data":2089,"content":2090},{},[2091,2095,2100,2104,2108,2112,2117],{"nodeType":247,"value":2092,"marks":2093,"data":2094},"We recommend starting in ",[],{},{"nodeType":247,"value":2096,"marks":2097,"data":2099},"Monitor",[2098],{"type":299},{},{"nodeType":247,"value":2101,"marks":2102,"data":2103}," mode for controls that intervene in end-user activities. That way, you can perform testing with sample malicious sites or scenarios like reused protected passwords, tune out any benign true positives, and develop the messaging you want to use on warn or block pages. (For controls without an explicit monitor mode, like ",[],{},{"nodeType":247,"value":1973,"marks":2105,"data":2107},[2106],{"type":299},{},{"nodeType":247,"value":2109,"marks":2110,"data":2111},", you can still monitor for related events on the ",[],{},{"nodeType":247,"value":2113,"marks":2114,"data":2116},"Events",[2115],{"type":299},{},{"nodeType":247,"value":2118,"marks":2119,"data":2120}," page, such as account security findings, or by consuming webhooks into a downstream tool.)",[],{},{"nodeType":284,"data":2122,"content":2126},{"target":2123},{"sys":2124},{"id":2125,"type":289,"linkType":290},"7vk8DHv01cM1o2C0ZpAvZu",[],{"nodeType":243,"data":2128,"content":2129},{},[2130,2134,2139,2142,2147],{"nodeType":247,"value":2131,"marks":2132,"data":2133},"When you’re ready, set the mode to ",[],{},{"nodeType":247,"value":2135,"marks":2136,"data":2138},"Warn",[2137],{"type":299},{},{"nodeType":247,"value":1829,"marks":2140,"data":2141},[],{},{"nodeType":247,"value":2143,"marks":2144,"data":2146},"Block",[2145],{"type":299},{},{"nodeType":247,"value":2148,"marks":2149,"data":2150}," and use the scope options to perform a phased rollout to your user population by adding additional user groups to the control until you have complete coverage of your population.",[],{},{"nodeType":243,"data":2152,"content":2153},{},[2154],{"nodeType":247,"value":2155,"marks":2156,"data":2157},"By consuming webhook events into your SIEM, you can integrate Push alerts into your existing security workflows, monitoring for new detections or tracking when account vulnerabilities are resolved.",[],{},{"nodeType":313,"data":2159,"content":2160},{},[],{"nodeType":317,"data":2162,"content":2163},{},[2164],{"nodeType":247,"value":2165,"marks":2166,"data":2168},"Enhancing user trust with custom branding",[2167],{"type":299},{},{"nodeType":243,"data":2170,"content":2171},{},[2172],{"nodeType":247,"value":2173,"marks":2174,"data":2175},"We recently released the option to customize the look and feel of all employee-facing banners and block pages. ",[],{},{"nodeType":243,"data":2177,"content":2178},{},[2179,2183,2188],{"nodeType":247,"value":2180,"marks":2181,"data":2182},"From the ",[],{},{"nodeType":247,"value":2184,"marks":2185,"data":2187},"Settings",[2186],{"type":299},{},{"nodeType":247,"value":2189,"marks":2190,"data":2191}," page in the Push admin console, you can upload your logo, add accent colors, and choose from light or dark backgrounds.",[],{},{"nodeType":284,"data":2193,"content":2197},{"target":2194},{"sys":2195},{"id":2196,"type":289,"linkType":290},"51lk1VRP20G7H4PAoRZANI",[],{"nodeType":243,"data":2199,"content":2200},{},[2201],{"nodeType":247,"value":2202,"marks":2203,"data":2204},"Custom branding increases the trustworthiness of these in-the-moment security guardrails so that users recognize them immediately and act on their guidance.",[],{},{"nodeType":243,"data":2206,"content":2207},{},[2208],{"nodeType":247,"value":2209,"marks":2210,"data":2211},"The result: Better compliance and lower friction for you and your employees.",[],{},{"nodeType":313,"data":2213,"content":2214},{},[],{"nodeType":317,"data":2216,"content":2217},{},[2218],{"nodeType":247,"value":2219,"marks":2220,"data":2222},"Learn more about Push",[2221],{"type":299},{},{"nodeType":243,"data":2224,"content":2225},{},[2226,2230,2237],{"nodeType":247,"value":2227,"marks":2228,"data":2229},"Push Security’s browser-based security platform stops browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking — ",[],{},{"nodeType":252,"data":2231,"content":2232},{"uri":174},[2233],{"nodeType":247,"value":2234,"marks":2235,"data":2236},"modern attack techniques",[],{},{"nodeType":247,"value":2238,"marks":2239,"data":2240}," that are the leading cause of breaches today.",[],{},{"nodeType":243,"data":2242,"content":2243},{},[2244],{"nodeType":247,"value":2245,"marks":2246,"data":2247},"You don’t need to wait until it all goes wrong either. You can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":243,"data":2249,"content":2250},{},[2251,2255,2263,2267,2275,2279,2287],{"nodeType":247,"value":2252,"marks":2253,"data":2254},"Want to learn more about Push? Check out our latest ",[],{},{"nodeType":252,"data":2256,"content":2258},{"uri":2257},"/resources/product-brochure",[2259],{"nodeType":247,"value":2260,"marks":2261,"data":2262},"product overview",[],{},{"nodeType":247,"value":2264,"marks":2265,"data":2266},", visit our ",[],{},{"nodeType":252,"data":2268,"content":2270},{"uri":2269},"/product-demo/",[2271],{"nodeType":247,"value":2272,"marks":2273,"data":2274},"demo library",[],{},{"nodeType":247,"value":2276,"marks":2277,"data":2278},", or book some time with one of our team for a ",[],{},{"nodeType":252,"data":2280,"content":2282},{"uri":2281},"/demo",[2283],{"nodeType":247,"value":2284,"marks":2285,"data":2286},"live demo",[],{},{"nodeType":247,"value":773,"marks":2288,"data":2289},[],{},"Guide: How to use Push controls to protect your users from modern browser threats","How to use in-browser controls to stop browser-based attacks before compromise can occur","2026-04-08T00:00:00.000Z","guide-how-to-use-push-controls-to-protect-your-users-from-modern-attacks",{"items":2295},[2296,2300],{"sys":2297,"name":2299},{"id":2298},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":2301,"name":2303},{"id":2302},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":2305},[2306],{"fullName":2307,"firstName":2308,"jobTitle":2309,"profilePicture":2310},"Kelly Davenport","Kelly","Product Team",{"url":2311},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg",{"__typename":919,"sys":2313,"content":2315,"title":3359,"synopsis":3360,"hashTags":62,"publishedDate":3361,"slug":3362,"tagsCollection":3363,"authorsCollection":3369},{"id":2314},"4DqTwJKeCSPnJUc6YPFC5A",{"json":2316},{"nodeType":239,"data":2317,"content":2318},{},[2319,2388,2395,2401,2404,2412,2419,2426,2434,2441,2497,2514,2521,2528,2531,2539,2546,2608,2616,2623,2629,2635,2642,2649,2667,2674,2722,2728,2736,2757,2764,2771,2864,2871,2887,2893,2900,2907,2914,2921,2982,2988,2994,3002,3009,3016,3039,3046,3052,3074,3080,3087,3094,3101,3108,3141,3160,3167,3179,3182,3190,3197,3203,3206,3214,3222,3229,3248,3255,3262,3268,3275,3282,3288,3291,3298,3314,3320],{"nodeType":243,"data":2320,"content":2321},{},[2322,2326,2335,2338,2347,2350,2359,2363,2372,2375,2384],{"nodeType":247,"value":2323,"marks":2324,"data":2325},"Attackers are doubling down on malicious browser extensions as their method of choice. Recent campaigns like ",[],{},{"nodeType":252,"data":2327,"content":2329},{"uri":2328},"https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/",[2330],{"nodeType":247,"value":2331,"marks":2332,"data":2334},"ShadyPanda",[2333],{"type":260},{},{"nodeType":247,"value":747,"marks":2336,"data":2337},[],{},{"nodeType":252,"data":2339,"content":2341},{"uri":2340},"https://www.bleepingcomputer.com/news/security/zoom-stealer-browser-extensions-harvest-corporate-meeting-intelligence/",[2342],{"nodeType":247,"value":2343,"marks":2344,"data":2346},"ZoomStealer",[2345],{"type":260},{},{"nodeType":247,"value":747,"marks":2348,"data":2349},[],{},{"nodeType":252,"data":2351,"content":2353},{"uri":2352},"https://www.bleepingcomputer.com/news/security/malicious-ghostposter-browser-extensions-found-with-840-000-installs/",[2354],{"nodeType":247,"value":2355,"marks":2356,"data":2358},"GhostPoster",[2357],{"type":260},{},{"nodeType":247,"value":2360,"marks":2361,"data":2362},", and the breaches impacting vendors like ",[],{},{"nodeType":252,"data":2364,"content":2366},{"uri":2365},"https://www.bleepingcomputer.com/news/security/cybersecurity-firms-chrome-extension-hijacked-to-steal-users-data/",[2367],{"nodeType":247,"value":2368,"marks":2369,"data":2371},"Cyberhaven",[2370],{"type":260},{},{"nodeType":247,"value":1969,"marks":2373,"data":2374},[],{},{"nodeType":252,"data":2376,"content":2378},{"uri":2377},"https://www.bleepingcomputer.com/news/security/trust-wallet-confirms-extension-hack-led-to-7-million-crypto-theft/",[2379],{"nodeType":247,"value":2380,"marks":2381,"data":2383},"Trust Wallet",[2382],{"type":260},{},{"nodeType":247,"value":2385,"marks":2386,"data":2387},", all highlight the threat posed by malicious extensions. ",[],{},{"nodeType":243,"data":2389,"content":2390},{},[2391],{"nodeType":247,"value":2392,"marks":2393,"data":2394},"Most malicious extensions didn’t start that way. Attackers often begin with a legitimate extension — either by creating something that is initially benign, purchasing an extension that already exists and has a large number of installs, or by phishing an extension developer’s account to publish a malicious version. Then, they bide their time, waiting for the right moment to flip the switch and deploy a malicious update, compromising every browser that they’re deployed to. ",[],{},{"nodeType":284,"data":2396,"content":2400},{"target":2397},{"sys":2398},{"id":2399,"type":289,"linkType":290},"7eTmqh5jqYA3l1Xk4GikVO",[],{"nodeType":313,"data":2402,"content":2403},{},[],{"nodeType":317,"data":2405,"content":2406},{},[2407],{"nodeType":247,"value":2408,"marks":2409,"data":2411},"Why tackling malicious extensions is a hard problem for security teams",[2410],{"type":299},{},{"nodeType":243,"data":2413,"content":2414},{},[2415],{"nodeType":247,"value":2416,"marks":2417,"data":2418},"The Chrome extension store alone has in excess of 100k extensions with a wide range of use cases. Pretty much every major app today has an extension counterpart, and there are countless smaller extensions — from AI overlays, to screen recording, spell checking, and color matching. AI-assisted development has further increased the rate at which new extensions are created and added to the marketplace (for both legit developers and malicious ones). ",[],{},{"nodeType":243,"data":2420,"content":2421},{},[2422],{"nodeType":247,"value":2423,"marks":2424,"data":2425},"For organizations just beginning to think about extension management, this isn’t an easy problem to get a handle on. If you’ve allowed your employees to freely install extensions without restriction, then there could be hundreds, if not thousands, of different extensions in use across your business. ",[],{},{"nodeType":434,"data":2427,"content":2428},{},[2429],{"nodeType":247,"value":2430,"marks":2431,"data":2433},"Malicious extensions are good at hiding bad code",[2432],{"type":299},{},{"nodeType":243,"data":2435,"content":2436},{},[2437],{"nodeType":247,"value":2438,"marks":2439,"data":2440},"Right now, extension stores are fighting a losing battle against attackers. ",[],{},{"nodeType":934,"data":2442,"content":2443},{},[2444,2467,2477,2487],{"nodeType":938,"data":2445,"content":2446},{},[2447],{"nodeType":243,"data":2448,"content":2449},{},[2450,2454,2463],{"nodeType":247,"value":2451,"marks":2452,"data":2453},"Malicious extensions are being regularly uploaded, bypassing code analysis checks, and even achieving ",[],{},{"nodeType":252,"data":2455,"content":2457},{"uri":2456},"https://thehackernews.com/2026/02/malicious-chrome-extensions-caught.html",[2458],{"nodeType":247,"value":2459,"marks":2460,"data":2462},"“Featured” or “Verified” status",[2461],{"type":260},{},{"nodeType":247,"value":2464,"marks":2465,"data":2466}," in the app stores. This is because attackers are using dynamically compiled, stealthily smuggled code that can’t be reliably spotted through static code checks or sandbox analysis. ",[],{},{"nodeType":938,"data":2468,"content":2469},{},[2470],{"nodeType":243,"data":2471,"content":2472},{},[2473],{"nodeType":247,"value":2474,"marks":2475,"data":2476},"Bad isn't detected until an extension is observed doing malicious things in the wild. Most of the time, this is because there’s been a breach. ",[],{},{"nodeType":938,"data":2478,"content":2479},{},[2480],{"nodeType":243,"data":2481,"content":2482},{},[2483],{"nodeType":247,"value":2484,"marks":2485,"data":2486},"When an extension is reported as bad, it enters a lengthy review process. Unless there’s pressure to act quickly (e.g. there’s a large amount of reporting), it won’t get prioritized. ",[],{},{"nodeType":938,"data":2488,"content":2489},{},[2490],{"nodeType":243,"data":2491,"content":2492},{},[2493],{"nodeType":247,"value":2494,"marks":2495,"data":2496},"Just because an extension is removed from the store doesn’t mean that it’s automatically removed from browsers where it is installed. ",[],{},{"nodeType":243,"data":2498,"content":2499},{},[2500,2505,2509],{"nodeType":247,"value":2501,"marks":2502,"data":2504},"The bottom line:",[2503],{"type":299},{},{"nodeType":247,"value":2506,"marks":2507,"data":2508}," ",[],{},{"nodeType":247,"value":2510,"marks":2511,"data":2513},"The security teams at Google and Microsoft analyse and manually approve every single extension upload and code change that enters their store, and even they aren’t detecting bad before malware executes in the victim’s browser. ",[2512],{"type":299},{},{"nodeType":243,"data":2515,"content":2516},{},[2517],{"nodeType":247,"value":2518,"marks":2519,"data":2520},"Today, there’s no single magic bullet tool or control that organizations can use — unless you simply want to disable browser extensions altogether, which might not be the best option for users and their productivity.",[],{},{"nodeType":243,"data":2522,"content":2523},{},[2524],{"nodeType":247,"value":2525,"marks":2526,"data":2527},"Fortunately, Push is in a good position to help, with its ability to inventory all your browser extensions and help you find and block malicious ones.",[],{},{"nodeType":313,"data":2529,"content":2530},{},[],{"nodeType":317,"data":2532,"content":2533},{},[2534],{"nodeType":247,"value":2535,"marks":2536,"data":2538},"How to securely manage browser extensions (and how Push can help)",[2537],{"type":299},{},{"nodeType":243,"data":2540,"content":2541},{},[2542],{"nodeType":247,"value":2543,"marks":2544,"data":2545},"Here’s our step-by-step guide to securely using browser extensions in your organization.",[],{},{"nodeType":934,"data":2547,"content":2548},{},[2549,2568,2578,2588,2598],{"nodeType":938,"data":2550,"content":2551},{},[2552],{"nodeType":243,"data":2553,"content":2554},{},[2555,2559,2564],{"nodeType":247,"value":2556,"marks":2557,"data":2558},"Step 0: Enable ",[],{},{"nodeType":247,"value":2560,"marks":2561,"data":2563},"malicious browser extension detection",[2562],{"type":299},{},{"nodeType":247,"value":2565,"marks":2566,"data":2567}," to stop known-bad extensions from running in your environment. ",[],{},{"nodeType":938,"data":2569,"content":2570},{},[2571],{"nodeType":243,"data":2572,"content":2573},{},[2574],{"nodeType":247,"value":2575,"marks":2576,"data":2577},"Step 1: Establish an inventory of extensions currently in use across your users and their browsers. ",[],{},{"nodeType":938,"data":2579,"content":2580},{},[2581],{"nodeType":243,"data":2582,"content":2583},{},[2584],{"nodeType":247,"value":2585,"marks":2586,"data":2587},"Step 2: Risk-assess the extensions running in your environment using Push data.",[],{},{"nodeType":938,"data":2589,"content":2590},{},[2591],{"nodeType":243,"data":2592,"content":2593},{},[2594],{"nodeType":247,"value":2595,"marks":2596,"data":2597},"Step 3: Create an allowlist or blocklist to control the extensions active in your environment.",[],{},{"nodeType":938,"data":2599,"content":2600},{},[2601],{"nodeType":243,"data":2602,"content":2603},{},[2604],{"nodeType":247,"value":2605,"marks":2606,"data":2607},"Step 4: Monitor for risky changes.",[],{},{"nodeType":434,"data":2609,"content":2610},{},[2611],{"nodeType":247,"value":2612,"marks":2613,"data":2615},"Step 0: Enable malicious browser extension detection in the Push platform",[2614],{"type":299},{},{"nodeType":243,"data":2617,"content":2618},{},[2619],{"nodeType":247,"value":2620,"marks":2621,"data":2622},"First, we recommend you take action to ensure that extensions reported as suspicious or malicious are blocked from running in your environment. ",[],{},{"nodeType":284,"data":2624,"content":2628},{"target":2625},{"sys":2626},{"id":2627,"type":289,"linkType":290},"yniMglSNypgyxmdGVcFxJ",[],{"nodeType":284,"data":2630,"content":2634},{"target":2631},{"sys":2632},{"id":2633,"type":289,"linkType":290},"37bID8AChVgerAnD6q8NPZ",[],{"nodeType":243,"data":2636,"content":2637},{},[2638],{"nodeType":247,"value":2639,"marks":2640,"data":2641},"If you’re a Push customer, you can ensure that any extension that is reported as malicious is automatically blocked in your environment. This means that the extension gets disabled and cannot run in any browser with the Push extension installed. ",[],{},{"nodeType":243,"data":2643,"content":2644},{},[2645],{"nodeType":247,"value":2646,"marks":2647,"data":2648},"The Push Security research team maintains a global list of known-bad extensions based on threat intelligence reporting. This list is continuously updated and ensures that as soon as an extension is reported as malicious, it is blocked. ",[],{},{"nodeType":243,"data":2650,"content":2651},{},[2652,2656,2664],{"nodeType":247,"value":2653,"marks":2654,"data":2655},"You can enable the control via the Controls page in the Push admin console. Admins can configure rules in Off, Monitor, or Block mode. Block mode is recommended, meaning that extensions are disabled and web store access is blocked. You can read more about this in our ",[],{},{"nodeType":252,"data":2657,"content":2659},{"uri":2658},"https://pushsecurity.com/help/how-does-push-detect-malicious-browser-extensions",[2660],{"nodeType":247,"value":2661,"marks":2662,"data":2663},"Help Center",[],{},{"nodeType":247,"value":1733,"marks":2665,"data":2666},[],{},{"nodeType":243,"data":2668,"content":2669},{},[2670],{"nodeType":247,"value":2671,"marks":2672,"data":2673},"When an extension is flagged as malicious, a detection event will be generated and appear on the Detections page in the Push admin console. The severity of these detections is classified as follows:",[],{},{"nodeType":934,"data":2675,"content":2676},{},[2677,2692,2707],{"nodeType":938,"data":2678,"content":2679},{},[2680],{"nodeType":243,"data":2681,"content":2682},{},[2683,2688],{"nodeType":247,"value":2684,"marks":2685,"data":2687},"Low",[2686],{"type":299},{},{"nodeType":247,"value":2689,"marks":2690,"data":2691}," for an extension that has never been enabled. The control prevented either the installation or the extension from being enabled.",[],{},{"nodeType":938,"data":2693,"content":2694},{},[2695],{"nodeType":243,"data":2696,"content":2697},{},[2698,2703],{"nodeType":247,"value":2699,"marks":2700,"data":2702},"Medium",[2701],{"type":299},{},{"nodeType":247,"value":2704,"marks":2705,"data":2706}," for an extension that was installed and enabled, but has been disabled by the control. ",[],{},{"nodeType":938,"data":2708,"content":2709},{},[2710],{"nodeType":243,"data":2711,"content":2712},{},[2713,2718],{"nodeType":247,"value":2714,"marks":2715,"data":2717},"High",[2716],{"type":299},{},{"nodeType":247,"value":2719,"marks":2720,"data":2721}," if the extension was enabled and is still active (i.e. the control was in monitor mode).",[],{},{"nodeType":284,"data":2723,"content":2727},{"target":2724},{"sys":2725},{"id":2726,"type":289,"linkType":290},"1yOPlBKtLGYyN80OCJ9qMn",[],{"nodeType":434,"data":2729,"content":2730},{},[2731],{"nodeType":247,"value":2732,"marks":2733,"data":2735},"Step 1: Establish an inventory of existing extensions.",[2734],{"type":299},{},{"nodeType":243,"data":2737,"content":2738},{},[2739,2743,2748,2752],{"nodeType":247,"value":2740,"marks":2741,"data":2742},"Next, we recommend you take stock of what’s already running in your environment so you can begin to make risk-based decisions about what you allow, and what you don’t. This means building an inventory of ",[],{},{"nodeType":247,"value":2744,"marks":2745,"data":2747},"every extension ",[2746],{"type":299},{},{"nodeType":247,"value":2749,"marks":2750,"data":2751},"running in ",[],{},{"nodeType":247,"value":2753,"marks":2754,"data":2756},"every browser. ",[2755],{"type":299},{},{"nodeType":243,"data":2758,"content":2759},{},[2760],{"nodeType":247,"value":2761,"marks":2762,"data":2763},"Push provides real-time visibility of extensions installed in every browser across your workforce. ",[],{},{"nodeType":243,"data":2765,"content":2766},{},[2767],{"nodeType":247,"value":2768,"marks":2769,"data":2770},"Push tracks several key data points, including: ",[],{},{"nodeType":934,"data":2772,"content":2773},{},[2774,2784,2794,2804,2814,2824,2834,2844,2854],{"nodeType":938,"data":2775,"content":2776},{},[2777],{"nodeType":243,"data":2778,"content":2779},{},[2780],{"nodeType":247,"value":2781,"marks":2782,"data":2783},"Extension name, ID, and version number",[],{},{"nodeType":938,"data":2785,"content":2786},{},[2787],{"nodeType":243,"data":2788,"content":2789},{},[2790],{"nodeType":247,"value":2791,"marks":2792,"data":2793},"Update & homepage URL",[],{},{"nodeType":938,"data":2795,"content":2796},{},[2797],{"nodeType":243,"data":2798,"content":2799},{},[2800],{"nodeType":247,"value":2801,"marks":2802,"data":2803},"Extension permissions",[],{},{"nodeType":938,"data":2805,"content":2806},{},[2807],{"nodeType":243,"data":2808,"content":2809},{},[2810],{"nodeType":247,"value":2811,"marks":2812,"data":2813},"Host permissions (where applicable)",[],{},{"nodeType":938,"data":2815,"content":2816},{},[2817],{"nodeType":243,"data":2818,"content":2819},{},[2820],{"nodeType":247,"value":2821,"marks":2822,"data":2823},"Deployment method (e.g. managed, manual, sideloaded or development)",[],{},{"nodeType":938,"data":2825,"content":2826},{},[2827],{"nodeType":243,"data":2828,"content":2829},{},[2830],{"nodeType":247,"value":2831,"marks":2832,"data":2833},"Which employees use the extension",[],{},{"nodeType":938,"data":2835,"content":2836},{},[2837],{"nodeType":243,"data":2838,"content":2839},{},[2840],{"nodeType":247,"value":2841,"marks":2842,"data":2843},"Which browsers have the extension installed",[],{},{"nodeType":938,"data":2845,"content":2846},{},[2847],{"nodeType":243,"data":2848,"content":2849},{},[2850],{"nodeType":247,"value":2851,"marks":2852,"data":2853},"Whether the extension is enabled or disabled",[],{},{"nodeType":938,"data":2855,"content":2856},{},[2857],{"nodeType":243,"data":2858,"content":2859},{},[2860],{"nodeType":247,"value":2861,"marks":2862,"data":2863},"Useful metadata like install count, ownership history, update history, and whether the extension has been unlisted from the web store.",[],{},{"nodeType":243,"data":2865,"content":2866},{},[2867],{"nodeType":247,"value":2868,"marks":2869,"data":2870},"This information is critical for assessing risk, as well as providing an early warning of future malicious intent. ",[],{},{"nodeType":243,"data":2872,"content":2873},{},[2874,2878,2883],{"nodeType":247,"value":2875,"marks":2876,"data":2877},"You can enable browser extension visibility in the Push platform by going to ",[],{},{"nodeType":247,"value":2879,"marks":2880,"data":2882},"Settings > Organization > Browser extension visibility",[2881],{"type":299},{},{"nodeType":247,"value":2884,"marks":2885,"data":2886}," and toggling on the feature.",[],{},{"nodeType":284,"data":2888,"content":2892},{"target":2889},{"sys":2890},{"id":2891,"type":289,"linkType":290},"2LCwZNbSazYGIEfWHZKJRU",[],{"nodeType":434,"data":2894,"content":2895},{},[2896],{"nodeType":247,"value":2585,"marks":2897,"data":2899},[2898],{"type":299},{},{"nodeType":243,"data":2901,"content":2902},{},[2903],{"nodeType":247,"value":2904,"marks":2905,"data":2906},"Now that you’ve built a real-time inventory, you can start to analyse the data to find risky extensions. ",[],{},{"nodeType":243,"data":2908,"content":2909},{},[2910],{"nodeType":247,"value":2911,"marks":2912,"data":2913},"Every extension that is running in your environment expands your potential attack surface, representing another node that can be compromised by an attacker. So it makes sense to only allow those that are absolutely necessary in order to sensibly control the risk. ",[],{},{"nodeType":243,"data":2915,"content":2916},{},[2917],{"nodeType":247,"value":2918,"marks":2919,"data":2920},"You can start to investigate and prune extensions based on the properties tracked in the Push platform. For example:",[],{},{"nodeType":934,"data":2922,"content":2923},{},[2924,2934,2962,2972],{"nodeType":938,"data":2925,"content":2926},{},[2927],{"nodeType":243,"data":2928,"content":2929},{},[2930],{"nodeType":247,"value":2931,"marks":2932,"data":2933},"Extensions with a low install count from an unverified publisher. ",[],{},{"nodeType":938,"data":2935,"content":2936},{},[2937],{"nodeType":243,"data":2938,"content":2939},{},[2940,2944,2949,2953,2958],{"nodeType":247,"value":2941,"marks":2942,"data":2943},"Extensions that have been ",[],{},{"nodeType":247,"value":2945,"marks":2946,"data":2948},"sideloaded",[2947],{"type":299},{},{"nodeType":247,"value":2950,"marks":2951,"data":2952}," (installed by software on the machine) or are ",[],{},{"nodeType":247,"value":2954,"marks":2955,"data":2957},"development",[2956],{"type":299},{},{"nodeType":247,"value":2959,"marks":2960,"data":2961}," (installed from a folder off-disk when Developer mode is turned on)",[],{},{"nodeType":938,"data":2963,"content":2964},{},[2965],{"nodeType":243,"data":2966,"content":2967},{},[2968],{"nodeType":247,"value":2969,"marks":2970,"data":2971},"Extensions that are used by a small number of employees for niche / non-critical functions. ",[],{},{"nodeType":938,"data":2973,"content":2974},{},[2975],{"nodeType":243,"data":2976,"content":2977},{},[2978],{"nodeType":247,"value":2979,"marks":2980,"data":2981},"Extensions with risky permissions.",[],{},{"nodeType":284,"data":2983,"content":2987},{"target":2984},{"sys":2985},{"id":2986,"type":289,"linkType":290},"FpGNvFgEGj6eAGihoWEUi",[],{"nodeType":284,"data":2989,"content":2993},{"target":2990},{"sys":2991},{"id":2992,"type":289,"linkType":290},"5JccSPh103QIQJxIh9pk4x",[],{"nodeType":434,"data":2995,"content":2996},{},[2997],{"nodeType":247,"value":2998,"marks":2999,"data":3001},"Step 3: Create an allowlist to control the extensions active in your environment.",[3000],{"type":299},{},{"nodeType":243,"data":3003,"content":3004},{},[3005],{"nodeType":247,"value":3006,"marks":3007,"data":3008},"Using the output of your risk assessment and the data provided by the Push platform, you can control the extensions that you allow your employees to use.",[],{},{"nodeType":243,"data":3010,"content":3011},{},[3012],{"nodeType":247,"value":3013,"marks":3014,"data":3015},"To do this, you need to allowlist the extensions you’re happy for employees to use (and block everything else). That way, you remove the ability for employees to add new extensions unless approved by an admin. This means you either:",[],{},{"nodeType":934,"data":3017,"content":3018},{},[3019,3029],{"nodeType":938,"data":3020,"content":3021},{},[3022],{"nodeType":243,"data":3023,"content":3024},{},[3025],{"nodeType":247,"value":3026,"marks":3027,"data":3028},"Add every extension you currently have running in your environment to an allowlist, block everything else, and then start to prune extensions from that list. ",[],{},{"nodeType":938,"data":3030,"content":3031},{},[3032],{"nodeType":243,"data":3033,"content":3034},{},[3035],{"nodeType":247,"value":3036,"marks":3037,"data":3038},"Create a shortened allowlist from the outset. ",[],{},{"nodeType":243,"data":3040,"content":3041},{},[3042],{"nodeType":247,"value":3043,"marks":3044,"data":3045},"Both are valid ways of solving the problem, with the first option being the least potentially disruptive (i.e. you’re not switching off a load of extensions in one go). That said, this might not be a viable solution depending on your company size. ",[],{},{"nodeType":284,"data":3047,"content":3051},{"target":3048},{"sys":3049},{"id":3050,"type":289,"linkType":290},"6wQW4VqLeLXMXdPPWLhQAF",[],{"nodeType":243,"data":3053,"content":3054},{},[3055,3060,3070],{"nodeType":247,"value":3056,"marks":3057,"data":3059},"You can do this in lots of different ways depending on the OS and browsers used across your workforce. This can get messy depending on the complexity of your environment. But you can do it in a streamlined, browser-agnostic way ",[3058],{"type":299},{},{"nodeType":252,"data":3061,"content":3063},{"uri":3062},"https://pushsecurity.com/help/10138/#start",[3064],{"nodeType":247,"value":3065,"marks":3066,"data":3069},"using Push",[3067,3068],{"type":260},{"type":299},{},{"nodeType":247,"value":263,"marks":3071,"data":3073},[3072],{"type":299},{},{"nodeType":284,"data":3075,"content":3079},{"target":3076},{"sys":3077},{"id":3078,"type":289,"linkType":290},"97dDukjKsRsAptpHV1kpn",[],{"nodeType":243,"data":3081,"content":3082},{},[3083],{"nodeType":247,"value":3084,"marks":3085,"data":3086},"Managing which extensions you’ve opted to allow is a continuous process that will change as user behavior changes and new extensions are added. It’s important that you regularly review whether your current allowlist is fit for purpose. ",[],{},{"nodeType":434,"data":3088,"content":3089},{},[3090],{"nodeType":247,"value":2605,"marks":3091,"data":3093},[3092],{"type":299},{},{"nodeType":243,"data":3095,"content":3096},{},[3097],{"nodeType":247,"value":3098,"marks":3099,"data":3100},"Finally, once you’ve begun the process of pruning the extensions in your environment and you’ve reached a baseline you’re happy with, it’s now about reviewing and approving any new extension requests, and monitoring for risky changes. ",[],{},{"nodeType":243,"data":3102,"content":3103},{},[3104],{"nodeType":247,"value":3105,"marks":3106,"data":3107},"We recommend monitoring for things like:",[],{},{"nodeType":934,"data":3109,"content":3110},{},[3111,3121,3131],{"nodeType":938,"data":3112,"content":3113},{},[3114],{"nodeType":243,"data":3115,"content":3116},{},[3117],{"nodeType":247,"value":3118,"marks":3119,"data":3120},"Regularly reviewing changes in extension ownership + recent updates",[],{},{"nodeType":938,"data":3122,"content":3123},{},[3124],{"nodeType":243,"data":3125,"content":3126},{},[3127],{"nodeType":247,"value":3128,"marks":3129,"data":3130},"Monitoring for updates to extensions to track risky permissions being added ",[],{},{"nodeType":938,"data":3132,"content":3133},{},[3134],{"nodeType":243,"data":3135,"content":3136},{},[3137],{"nodeType":247,"value":3138,"marks":3139,"data":3140},"Monitoring for new malicious browser extension detections",[],{},{"nodeType":243,"data":3142,"content":3143},{},[3144,3148,3157],{"nodeType":247,"value":3145,"marks":3146,"data":3147},"It’s super simple to use Push data to create alerts and feed your detection and response workflows. ",[],{},{"nodeType":252,"data":3149,"content":3151},{"uri":3150},"https://pushsecurity.com/help/audience/administrators/docs/connect-to-siem-or-soar/#start",[3152],{"nodeType":247,"value":3153,"marks":3154,"data":3156},"See how to connect Push to your SIEM/SOAR and learn more about the Push REST API and webhooks. ",[3155],{"type":260},{},{"nodeType":247,"value":29,"marks":3158,"data":3159},[],{},{"nodeType":243,"data":3161,"content":3162},{},[3163],{"nodeType":247,"value":3164,"marks":3165,"data":3166},"At this point, you can then triage and investigate further to see whether additional action is required. ",[],{},{"nodeType":3168,"data":3169,"content":3170},"blockquote",{},[3171],{"nodeType":243,"data":3172,"content":3173},{},[3174],{"nodeType":247,"value":3175,"marks":3176,"data":3178},"And there you have it! You’ve secured browser extension use across your organization using Push. ",[3177],{"type":299},{},{"nodeType":313,"data":3180,"content":3181},{},[],{"nodeType":434,"data":3183,"content":3184},{},[3185],{"nodeType":247,"value":3186,"marks":3187,"data":3189},"Don’t take our word for it …",[3188],{"type":299},{},{"nodeType":243,"data":3191,"content":3192},{},[3193],{"nodeType":247,"value":3194,"marks":3195,"data":3196},"Our friends at GitLab echo our thoughts on browser extensions and the value of tools like Push that help them to solve this problem.",[],{},{"nodeType":284,"data":3198,"content":3202},{"target":3199},{"sys":3200},{"id":3201,"type":289,"linkType":290},"1m0x2Q6MmOn7ANqCtpYptu",[],{"nodeType":313,"data":3204,"content":3205},{},[],{"nodeType":317,"data":3207,"content":3208},{},[3209],{"nodeType":247,"value":3210,"marks":3211,"data":3213},"Additional tips",[3212],{"type":299},{},{"nodeType":434,"data":3215,"content":3216},{},[3217],{"nodeType":247,"value":3218,"marks":3219,"data":3221},"Disable browser syncing",[3220],{"type":299},{},{"nodeType":243,"data":3223,"content":3224},{},[3225],{"nodeType":247,"value":3226,"marks":3227,"data":3228},"If you’re in the early stages of your extension management process, an extra step you might want to consider is disabling browser syncing for extensions. ",[],{},{"nodeType":243,"data":3230,"content":3231},{},[3232,3236,3245],{"nodeType":247,"value":3233,"marks":3234,"data":3235},"When we deploy Push, we find it’s not unusual for people to sign into their work browser with a personal email profile. There’s a significant risk here — if you end up saving and syncing credentials across devices, a compromise on a (usually less secure) personal device can lead to business accounts being compromised. Notably, this was exploited in a ",[],{},{"nodeType":252,"data":3237,"content":3239},{"uri":3238},"https://sec.okta.com/articles/harfiles/",[3240],{"nodeType":247,"value":3241,"marks":3242,"data":3244},"2023 Okta security breach",[3243],{"type":260},{},{"nodeType":247,"value":773,"marks":3246,"data":3247},[],{},{"nodeType":243,"data":3249,"content":3250},{},[3251],{"nodeType":247,"value":3252,"marks":3253,"data":3254},"The same model applies to browser extensions. By default, any extension installed from the web store is synced across devices where a profile is logged in and syncing is enabled. ",[],{},{"nodeType":243,"data":3256,"content":3257},{},[3258],{"nodeType":247,"value":3259,"marks":3260,"data":3261},"As an example, you can see how to disable browser extension syncing if you manage Chrome in Google Workspace.",[],{},{"nodeType":284,"data":3263,"content":3267},{"target":3264},{"sys":3265},{"id":3266,"type":289,"linkType":290},"23gbN24WiOzszvwP9zy2MM",[],{"nodeType":243,"data":3269,"content":3270},{},[3271],{"nodeType":247,"value":3272,"marks":3273,"data":3274},"This only applies if you haven’t yet created an allowlist for extensions in your environment, in which case any extensions not on the list will be blocked. ",[],{},{"nodeType":243,"data":3276,"content":3277},{},[3278],{"nodeType":247,"value":3279,"marks":3280,"data":3281},"You can also use Push to surface which users are logged into their browser using a non-work profile and whether the profile is synced across devices. ",[],{},{"nodeType":284,"data":3283,"content":3287},{"target":3284},{"sys":3285},{"id":3286,"type":289,"linkType":290},"421C3CL6Sfa8gmn56X7lRI",[],{"nodeType":313,"data":3289,"content":3290},{},[],{"nodeType":317,"data":3292,"content":3293},{},[3294],{"nodeType":247,"value":2219,"marks":3295,"data":3297},[3296],{"type":299},{},{"nodeType":243,"data":3299,"content":3300},{},[3301,3304,3311],{"nodeType":247,"value":2227,"marks":3302,"data":3303},[],{},{"nodeType":252,"data":3305,"content":3306},{"uri":17},[3307],{"nodeType":247,"value":3308,"marks":3309,"data":3310},"modern attack techniques that are the leading cause of breaches today",[],{},{"nodeType":247,"value":773,"marks":3312,"data":3313},[],{},{"nodeType":243,"data":3315,"content":3316},{},[3317],{"nodeType":247,"value":2245,"marks":3318,"data":3319},[],{},{"nodeType":243,"data":3321,"content":3322},{},[3323,3327,3335,3338,3346,3349,3356],{"nodeType":247,"value":3324,"marks":3325,"data":3326},"Want to learn more about Push? ",[],{},{"nodeType":252,"data":3328,"content":3329},{"uri":739},[3330],{"nodeType":247,"value":3331,"marks":3332,"data":3334},"Check out our latest product overview",[3333],{"type":260},{},{"nodeType":247,"value":747,"marks":3336,"data":3337},[],{},{"nodeType":252,"data":3339,"content":3340},{"uri":752},[3341],{"nodeType":247,"value":3342,"marks":3343,"data":3345},"visit our demo library",[3344],{"type":260},{},{"nodeType":247,"value":760,"marks":3347,"data":3348},[],{},{"nodeType":252,"data":3350,"content":3351},{"uri":765},[3352],{"nodeType":247,"value":768,"marks":3353,"data":3355},[3354],{"type":260},{},{"nodeType":247,"value":773,"marks":3357,"data":3358},[],{},"Guide: How to manage and block browser extensions using Push","How to detect risky and malicious extensions and block them from running in employee browsers. ","2026-03-04T00:00:00.000Z","browser-extension-management-guide",{"items":3364},[3365,3367],{"sys":3366,"name":2299},{"id":2298},{"sys":3368,"name":2303},{"id":2302},{"items":3370},[3371],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":3372},{"url":236},{"__typename":919,"sys":3374,"content":3376,"title":4171,"synopsis":4172,"hashTags":62,"publishedDate":4173,"slug":4174,"tagsCollection":4175,"authorsCollection":4179},{"id":3375},"PAPJPr3CIB6J20udYyy1r",{"json":3377},{"data":3378,"content":3379,"nodeType":239},{},[3380,3386,3406,3413,3420,3426,3429,3437,3444,3463,3474,3481,3488,3495,3588,3591,3599,3682,3688,3691,3699,3707,3714,3721,3729,3748,3755,3763,3770,3777,3785,3792,3799,3819,3825,3828,3836,3844,3851,3956,3963,3971,3978,3985,3991,3999,4006,4013,4020,4028,4035,4042,4049,4056,4062,4065,4073,4080,4113,4120,4139,4159,4165],{"data":3381,"content":3385,"nodeType":284},{"target":3382},{"sys":3383},{"id":3384,"type":289,"linkType":290},"1eBClNW4NOR66F0tl9h6lD",[],{"data":3387,"content":3388,"nodeType":243},{},[3389,3393,3402],{"data":3390,"marks":3391,"value":3392,"nodeType":247},{},[],"The attacks on Snowflake customers in 2024 collectively constituted the biggest cyber security event of the year in terms of the number of organizations and individuals affected (at least, if you exclude CrowdStrike causing a worldwide outage in July) — certainly, it was the largest perpetrated by a criminal group against commercial enterprises. It has been touted by some news outlets as ‘",{"data":3394,"content":3396,"nodeType":252},{"uri":3395},"https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/",[3397],{"data":3398,"marks":3399,"value":3401,"nodeType":247},{},[3400],{"type":260},"one of the biggest breaches ever",{"data":3403,"marks":3404,"value":3405,"nodeType":247},{},[],"’.  ",{"data":3407,"content":3408,"nodeType":243},{},[3409],{"data":3410,"marks":3411,"value":3412,"nodeType":247},{},[],"Snowflake was a watershed moment that signalled the significant opportunity presented by identity attacks on cloud services. It demonstrated how comparatively unsophisticated methods (logging in to user accounts with stolen credentials and dumping the data) can have the same or greater impact as a traditional network or endpoint based cyber attack involving vulnerability exploitation, malware deployment, ransomware, etc. ",{"data":3414,"content":3415,"nodeType":243},{},[3416],{"data":3417,"marks":3418,"value":3419,"nodeType":247},{},[],"Here’s everything you need to know about the Snowflake attacks — and what you can do to protect yourself against the next Snowflake in the future.",{"data":3421,"content":3425,"nodeType":284},{"target":3422},{"sys":3423},{"id":3424,"type":289,"linkType":290},"4QoPUiP5q6Mwj1eWUZT15Q",[],{"data":3427,"content":3428,"nodeType":313},{},[],{"data":3430,"content":3431,"nodeType":317},{},[3432],{"data":3433,"marks":3434,"value":3436,"nodeType":247},{},[3435],{"type":299},"Snowflake: The facts",{"data":3438,"content":3439,"nodeType":243},{},[3440],{"data":3441,"marks":3442,"value":3443,"nodeType":247},{},[],"Cyber criminals associated with the threat group known as ShinyHunters claimed responsibility for breaching multiple organizations using Snowflake, a cloud-based data warehousing and analytics platform. ",{"data":3445,"content":3446,"nodeType":243},{},[3447,3451,3460],{"data":3448,"marks":3449,"value":3450,"nodeType":247},{},[],"ShinyHunters associates targeted ~165 organizations that were subjected to account takeover attacks using stolen credentials harvested from historical infostealer infections dating back as far as 2020, ",{"data":3452,"content":3454,"nodeType":252},{"uri":3453},"https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion",[3455],{"data":3456,"marks":3457,"value":3459,"nodeType":247},{},[3458],{"type":260},"according to Mandiant’s investigation",{"data":3461,"marks":3462,"value":263,"nodeType":247},{},[],{"data":3464,"content":3465,"nodeType":3168},{},[3466],{"data":3467,"content":3468,"nodeType":243},{},[3469],{"data":3470,"marks":3471,"value":3473,"nodeType":247},{},[3472],{"type":299},">80% of the compromised accounts belonging to Snowflake customers had prior credential exposure. ",{"data":3475,"content":3476,"nodeType":243},{},[3477],{"data":3478,"marks":3479,"value":3480,"nodeType":247},{},[],"The impacted accounts lacked MFA, meaning successful authentication only required a valid username and password. As the Snowflake credentials found in infostealer malware credential dumps had not been rotated or updated, they remained valid and could be used to authenticate to user accounts on Snowflake tenants belonging to various customers.",{"data":3482,"content":3483,"nodeType":243},{},[3484],{"data":3485,"marks":3486,"value":3487,"nodeType":247},{},[],"As a data warehousing platform integrated with a range of connected cloud services, access to a customer’s Snowflake tenant provided attackers with large quantities of sensitive commercial and personal data that could be stolen and monetized by attackers in a variety of ways — such as by ransoming the victim organization, extorting individual end-customers, and selling the data on to other criminal organizations. ",{"data":3489,"content":3490,"nodeType":243},{},[3491],{"data":3492,"marks":3493,"value":3494,"nodeType":247},{},[],"In total, 9 public victims were named following the breach, collectively impacting hundreds of millions of people. ",{"data":3496,"content":3497,"nodeType":934},{},[3498,3508,3518,3528,3538,3548,3558,3568,3578],{"data":3499,"content":3500,"nodeType":938},{},[3501],{"data":3502,"content":3503,"nodeType":243},{},[3504],{"data":3505,"marks":3506,"value":3507,"nodeType":247},{},[],"Lending Tree: Sensitive data for over 190 million people available online including customer details, partial credit card numbers, insurance quotes and other information, being sold for $2m.",{"data":3509,"content":3510,"nodeType":938},{},[3511],{"data":3512,"content":3513,"nodeType":243},{},[3514],{"data":3515,"marks":3516,"value":3517,"nodeType":247},{},[],"Truist Bank: Information belonging to 65,000 employees being sold online for $1m",{"data":3519,"content":3520,"nodeType":938},{},[3521],{"data":3522,"content":3523,"nodeType":243},{},[3524],{"data":3525,"marks":3526,"value":3527,"nodeType":247},{},[],"Advance Auto Parts: 3TB of data for sale for $1.5 million. Affected 2.3 million people, as well as current and former employees and job applicants.",{"data":3529,"content":3530,"nodeType":938},{},[3531],{"data":3532,"content":3533,"nodeType":243},{},[3534],{"data":3535,"marks":3536,"value":3537,"nodeType":247},{},[],"Pure Storage: Workspace with 11k customer records including company, email, LDAP username and software version numbers.",{"data":3539,"content":3540,"nodeType":938},{},[3541],{"data":3542,"content":3543,"nodeType":243},{},[3544],{"data":3545,"marks":3546,"value":3547,"nodeType":247},{},[],"Los Angeles Unified: Student data, disability information, discipline details, and parent information, being sold online for $150k.",{"data":3549,"content":3550,"nodeType":938},{},[3551],{"data":3552,"content":3553,"nodeType":243},{},[3554],{"data":3555,"marks":3556,"value":3557,"nodeType":247},{},[],"Neiman Marcus: 31m email addresses exposed alongside various personal information.",{"data":3559,"content":3560,"nodeType":938},{},[3561],{"data":3562,"content":3563,"nodeType":243},{},[3564],{"data":3565,"marks":3566,"value":3567,"nodeType":247},{},[],"Santander: 30 million customer details for sale relating to customers of Santander Chile, Spain, and Uruguay.",{"data":3569,"content":3570,"nodeType":938},{},[3571],{"data":3572,"content":3573,"nodeType":243},{},[3574],{"data":3575,"marks":3576,"value":3577,"nodeType":247},{},[],"Ticketmaster: 560 million customer details for sale, disruption to events and ticketing worldwide, increasing in scam ticket production.",{"data":3579,"content":3580,"nodeType":938},{},[3581],{"data":3582,"content":3583,"nodeType":243},{},[3584],{"data":3585,"marks":3586,"value":3587,"nodeType":247},{},[],"AT&T: Call logs stolen for approximately 109 million customers (nearly all of its mobile customers). AT&T paid an undisclosed ransom fee. ",{"data":3589,"content":3590,"nodeType":313},{},[],{"data":3592,"content":3593,"nodeType":317},{},[3594],{"data":3595,"marks":3596,"value":3598,"nodeType":247},{},[3597],{"type":299},"The Snowflake attacks step-by-step",{"data":3600,"content":3601,"nodeType":934},{},[3602,3612,3622,3632,3642,3652,3662,3672],{"data":3603,"content":3604,"nodeType":938},{},[3605],{"data":3606,"content":3607,"nodeType":243},{},[3608],{"data":3609,"marks":3610,"value":3611,"nodeType":247},{},[],"Snowflake users were infected with infostealer malware that harvested credentials from user devices over an extended period via several infostealer malware variants, including; VIDAR, RISEPRO, REDLINE, RACOON STEALER, LUMMA and METASTEALER.",{"data":3613,"content":3614,"nodeType":938},{},[3615],{"data":3616,"content":3617,"nodeType":243},{},[3618],{"data":3619,"marks":3620,"value":3621,"nodeType":247},{},[],"Credentials appeared on criminal marketplaces e.g. dark web forums and Telegram channels.",{"data":3623,"content":3624,"nodeType":938},{},[3625],{"data":3626,"content":3627,"nodeType":243},{},[3628],{"data":3629,"marks":3630,"value":3631,"nodeType":247},{},[],"ShinyHunters saw the potential in targeting Snowflake users, based on the availability of credentials, number of customer organizations, and the value of the data that can be accessed in Snowflake. ",{"data":3633,"content":3634,"nodeType":938},{},[3635],{"data":3636,"content":3637,"nodeType":243},{},[3638],{"data":3639,"marks":3640,"value":3641,"nodeType":247},{},[],"ShinyHunters embarked on a large-scale campaign targeting Snowflake customer accounts using previously breached credentials. ",{"data":3643,"content":3644,"nodeType":938},{},[3645],{"data":3646,"content":3647,"nodeType":243},{},[3648],{"data":3649,"marks":3650,"value":3651,"nodeType":247},{},[],"ShinyHunters accessed user accounts that lacked MFA, belonging to approximately 165 Snowflake customers. ",{"data":3653,"content":3654,"nodeType":938},{},[3655],{"data":3656,"content":3657,"nodeType":243},{},[3658],{"data":3659,"marks":3660,"value":3661,"nodeType":247},{},[],"ShinyHunters used SQL-based reconnaissance, staging, and data exfiltration techniques, expedited by custom hacker tooling developed specifically for Snowflake, to conduct attacks at scale.",{"data":3663,"content":3664,"nodeType":938},{},[3665],{"data":3666,"content":3667,"nodeType":243},{},[3668],{"data":3669,"marks":3670,"value":3671,"nodeType":247},{},[],"ShinyHunters acquired massive quantities of Snowflake data based on the information that each customer stored in Snowflake or connected apps. ",{"data":3673,"content":3674,"nodeType":938},{},[3675],{"data":3676,"content":3677,"nodeType":243},{},[3678],{"data":3679,"marks":3680,"value":3681,"nodeType":247},{},[],"ShinyHunters began attempts to extort Snowflake and end-customers using the data acquired.",{"data":3683,"content":3687,"nodeType":284},{"target":3684},{"sys":3685},{"id":3686,"type":289,"linkType":290},"2J92gFLs1wAAGC4nQTaiWu",[],{"data":3689,"content":3690,"nodeType":313},{},[],{"data":3692,"content":3693,"nodeType":317},{},[3694],{"data":3695,"marks":3696,"value":3698,"nodeType":247},{},[3697],{"type":299},"Why did the Snowflake breaches happen?",{"data":3700,"content":3701,"nodeType":434},{},[3702],{"data":3703,"marks":3704,"value":3706,"nodeType":247},{},[3705],{"type":299},"Stolen credentials remained valid for years",{"data":3708,"content":3709,"nodeType":243},{},[3710],{"data":3711,"marks":3712,"value":3713,"nodeType":247},{},[],"The credentials used to access Snowflake accounts from historical infostealer infections had not been changed or rotated despite dating back as far as 2020, and remained valid. ",{"data":3715,"content":3716,"nodeType":243},{},[3717],{"data":3718,"marks":3719,"value":3720,"nodeType":247},{},[],"This highlights the potential risk of breached credentials already in the public domain, particularly in the case of cloud services like Snowflake that may not be subject to the same levels of credential hygiene as other traditional enterprise domain accounts. ",{"data":3722,"content":3723,"nodeType":434},{},[3724],{"data":3725,"marks":3726,"value":3728,"nodeType":247},{},[3727],{"type":299},"Local logins lacked MFA ",{"data":3730,"content":3731,"nodeType":243},{},[3732,3736,3745],{"data":3733,"marks":3734,"value":3735,"nodeType":247},{},[],"Even where organizations were primarily encouraging employees to use SSO to access their Snowflake tenant, previously created local logins with a username and password continue to exist even after introducing SSO-based logins. Further, MFA was not globally enforceable at the application level, meaning that MFA was only set when logging into an IdP account for SSO, but not for local logins. We call this problem ",{"data":3737,"content":3739,"nodeType":252},{"uri":3738},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[3740],{"data":3741,"marks":3742,"value":3744,"nodeType":247},{},[3743],{"type":260},"ghost logins",{"data":3746,"marks":3747,"value":263,"nodeType":247},{},[],{"data":3749,"content":3750,"nodeType":243},{},[3751],{"data":3752,"marks":3753,"value":3754,"nodeType":247},{},[],"This meant that attackers were able to take over Snowflake accounts with only a single authentication factor (username & password). ",{"data":3756,"content":3757,"nodeType":434},{},[3758],{"data":3759,"marks":3760,"value":3762,"nodeType":247},{},[3761],{"type":299},"Snowflake was a high-value target used by many organizations",{"data":3764,"content":3765,"nodeType":243},{},[3766],{"data":3767,"marks":3768,"value":3769,"nodeType":247},{},[],"As a data warehousing platform used by a vast number of organizations, Snowflake represented a high-value target based on the data typically stored within it, and the repeatable way in which Snowflake users could be targeted. ",{"data":3771,"content":3772,"nodeType":243},{},[3773],{"data":3774,"marks":3775,"value":3776,"nodeType":247},{},[],"The attacker followed a near identical process when targeting Snowflake victims, meaning it could be scripted and executed at scale, with attacks taking a matter of minutes. ",{"data":3778,"content":3779,"nodeType":434},{},[3780],{"data":3781,"marks":3782,"value":3784,"nodeType":247},{},[3783],{"type":299},"Infostealer infections are driving credential availability",{"data":3786,"content":3787,"nodeType":243},{},[3788],{"data":3789,"marks":3790,"value":3791,"nodeType":247},{},[],"Infostealers are often seen as a low-priority issue, but are the primary source of stolen credentials used in campaigns like this one. ",{"data":3793,"content":3794,"nodeType":243},{},[3795],{"data":3796,"marks":3797,"value":3798,"nodeType":247},{},[],"EDR is a strong protection but is often bypassed by infostealers as attackers continually modify them to bypass security controls. Further, unmanaged devices such as those used by third-party contractors or BYOD employees often lack the robust controls applied to company-managed devices and are naturally more susceptible to infostealer attacks. And since browser profiles can be synced across devices, even personal device compromises can result in the capture of corporate credentials.  ",{"data":3800,"content":3801,"nodeType":243},{},[3802,3806,3815],{"data":3803,"marks":3804,"value":3805,"nodeType":247},{},[],"There is some suggestion that targeting key third-party suppliers – ",{"data":3807,"content":3809,"nodeType":252},{"uri":3808},"https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/",[3810],{"data":3811,"marks":3812,"value":3814,"nodeType":247},{},[3813],{"type":260},"such as EPAM Systems, a software engineering firm and Snowflake ‘Elite Tier Partner’",{"data":3816,"marks":3817,"value":3818,"nodeType":247},{},[]," – provided some of the access to Snowflake customers needed. It’s unclear what came first, but it’s possible (likely, even) that EPAM was identified as a target specifically because of its lucrative customer base and Snowflake credentials — adding another indicator that Snowflake was potentially a premeditated attack inspired by the availability of Snowflake credentials online.",{"data":3820,"content":3824,"nodeType":284},{"target":3821},{"sys":3822},{"id":3823,"type":289,"linkType":290},"4D0gjt5oJLNKJH8GzjP8Je",[],{"data":3826,"content":3827,"nodeType":313},{},[],{"data":3829,"content":3830,"nodeType":317},{},[3831],{"data":3832,"marks":3833,"value":3835,"nodeType":247},{},[3834],{"type":299},"Key takeaways from the Snowflake attacks",{"data":3837,"content":3838,"nodeType":434},{},[3839],{"data":3840,"marks":3841,"value":3843,"nodeType":247},{},[3842],{"type":299},"Securing your IdP accounts is not enough",{"data":3845,"content":3846,"nodeType":243},{},[3847],{"data":3848,"marks":3849,"value":3850,"nodeType":247},{},[],"SSO can help reduce your identity attack surface, but it's not feasible to get every workforce identity behind it.",{"data":3852,"content":3853,"nodeType":934},{},[3854,3877,3899,3934],{"data":3855,"content":3856,"nodeType":938},{},[3857],{"data":3858,"content":3859,"nodeType":243},{},[3860,3864,3873],{"data":3861,"marks":3862,"value":3863,"nodeType":247},{},[],"Only 1 in 3 apps support SAML SSO, and those that offer it often charge more for it; the “",{"data":3865,"content":3867,"nodeType":252},{"uri":3866},"https://ssotax.org/",[3868],{"data":3869,"marks":3870,"value":3872,"nodeType":247},{},[3871],{"type":260},"SSO tax",{"data":3874,"marks":3875,"value":3876,"nodeType":247},{},[],"”.",{"data":3878,"content":3879,"nodeType":938},{},[3880],{"data":3881,"content":3882,"nodeType":243},{},[3883,3887,3896],{"data":3884,"marks":3885,"value":3886,"nodeType":247},{},[],"Many apps are self-adopted by employees, leaving security teams unaware and unable to enforce SSO.  The typical organization has ",{"data":3888,"content":3890,"nodeType":252},{"uri":3889},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[3891],{"data":3892,"marks":3893,"value":3895,"nodeType":247},{},[3894],{"type":260},"hundreds of apps and thousands of unmanaged identities outside of SSO",{"data":3897,"marks":3898,"value":773,"nodeType":247},{},[],{"data":3900,"content":3901,"nodeType":938},{},[3902],{"data":3903,"content":3904,"nodeType":243},{},[3905,3909,3917,3921,3930],{"data":3906,"marks":3907,"value":3908,"nodeType":247},{},[],"Most apps do not prevent users from creating additional \"",{"data":3910,"content":3911,"nodeType":252},{"uri":3738},[3912],{"data":3913,"marks":3914,"value":3916,"nodeType":247},{},[3915],{"type":260},"ghost login",{"data":3918,"marks":3919,"value":3920,"nodeType":247},{},[],"\" methods outside of SSO (especially by default), accounting for around ",{"data":3922,"content":3924,"nodeType":252},{"uri":3923},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/#id-identity-configurations-and-how-they-can-be-exploited_id-many-accounts-lack-the-most-basic-protections",[3925],{"data":3926,"marks":3927,"value":3929,"nodeType":247},{},[3928],{"type":260},"10% of all identities",{"data":3931,"marks":3932,"value":3933,"nodeType":247},{},[]," observed by Push. ",{"data":3935,"content":3936,"nodeType":938},{},[3937],{"data":3938,"content":3939,"nodeType":243},{},[3940,3944,3952],{"data":3941,"marks":3942,"value":3943,"nodeType":247},{},[],"In total, we identified that ",{"data":3945,"content":3946,"nodeType":252},{"uri":3889},[3947],{"data":3948,"marks":3949,"value":3951,"nodeType":247},{},[3950],{"type":260},"37% (2 in 5) accounts have a password login set with no MFA",{"data":3953,"marks":3954,"value":3955,"nodeType":247},{},[],", while 9% have no MFA AND a weak, breached, or reused password.",{"data":3957,"content":3958,"nodeType":243},{},[3959],{"data":3960,"marks":3961,"value":3962,"nodeType":247},{},[],"So, relying on locked-down IdP accounts and maximising the use of SSO is an important pillar of an effective identity security strategy, but there will always be gaps. Unless you recognize this, you may be blindsided by attackers finding them before you do. ",{"data":3964,"content":3965,"nodeType":434},{},[3966],{"data":3967,"marks":3968,"value":3970,"nodeType":247},{},[3969],{"type":299},"The threat of infostealers and stolen credentials needs to be taken seriously",{"data":3972,"content":3973,"nodeType":243},{},[3974],{"data":3975,"marks":3976,"value":3977,"nodeType":247},{},[],"Breached credentials appearing online is not always seen as a top priority for security teams, particularly when there’s so much noise from all of the outdated or simply erroneous findings (anyone that’s ever subscribed to a credential TI feed knows the pain of this). ",{"data":3979,"content":3980,"nodeType":243},{},[3981],{"data":3982,"marks":3983,"value":3984,"nodeType":247},{},[],"But Snowflake serves as a stark reminder that despite all the false positives, stolen credentials are sometimes valid — and when weaponized at-scale they can be a powerful tool for attackers. ",{"data":3986,"content":3990,"nodeType":284},{"target":3987},{"sys":3988},{"id":3989,"type":289,"linkType":290},"4EODpwKsqNivpvP2yMtZCd",[],{"data":3992,"content":3993,"nodeType":434},{},[3994],{"data":3995,"marks":3996,"value":3998,"nodeType":247},{},[3997],{"type":299},"Don’t rely on third-parties to protect your identities for you",{"data":4000,"content":4001,"nodeType":243},{},[4002],{"data":4003,"marks":4004,"value":4005,"nodeType":247},{},[],"Snowflake came under fire following the attacks for not enabling MFA by default, or giving security teams sufficient tools to deal with the incident. ",{"data":4007,"content":4008,"nodeType":243},{},[4009],{"data":4010,"marks":4011,"value":4012,"nodeType":247},{},[],"This is perhaps justifiable, but is hardly the exception. Very few apps enforce MFA by default or provide a global MFA enforcement mechanism. Most don’t even provide audit logs (and when they do, the scope of logging is pretty limited). And we regularly encounter apps that don’t give you any information about account configuration as an admin — like which accounts have MFA, or the login methods that they’re using (e.g. SSO via SAML, SSO via OIDC, password, which IdPs are being used…) which is essential information to be able to secure your identity attack surface. ",{"data":4014,"content":4015,"nodeType":243},{},[4016],{"data":4017,"marks":4018,"value":4019,"nodeType":247},{},[],"Yes, it would be great if app vendors put security first and made controls available by default, for all customers (not just the premium ones). But in the absence of an industrywide shift toward security-first product development, it’s important that organizations don’t just point the finger at service providers — and take matters into their own hands when it comes to securing their user identities. ",{"data":4021,"content":4022,"nodeType":434},{},[4023],{"data":4024,"marks":4025,"value":4027,"nodeType":247},{},[4026],{"type":299},"This isn’t a specific Snowflake problem — it could have been any application",{"data":4029,"content":4030,"nodeType":243},{},[4031],{"data":4032,"marks":4033,"value":4034,"nodeType":247},{},[],"While Snowflake was admittedly a high-value target because of the data it collected, apps with sensitive data (or with integrations connecting them to data collected in adjacent apps) are not in short supply. ",{"data":4036,"content":4037,"nodeType":243},{},[4038],{"data":4039,"marks":4040,"value":4041,"nodeType":247},{},[],"If we accept that many other apps are similarly desirable targets, then we should also consider that it’s unlikely that Snowflake is the only app that has valid credentials sitting around on the internet, waiting to be weaponized by criminals. Equally, it’s not the only app that doesn’t require mandatory MFA for user accounts, as we discussed above. The next Snowflake is likely to lurk in the same breached datasets, possibly even using the same credentials.",{"data":4043,"content":4044,"nodeType":243},{},[4045],{"data":4046,"marks":4047,"value":4048,"nodeType":247},{},[],"There’s been a clear increase in the number of infostealer and stolen credential related breaches and news stories since Snowflake as attackers wise up to the potential opportunity and start seeing the dollar signs. It would be naive to think that this was a one off event — the next Snowflake is probably not too far away. ",{"data":4050,"content":4051,"nodeType":243},{},[4052],{"data":4053,"marks":4054,"value":4055,"nodeType":247},{},[],"For a deep-dive analysis of the impact of Snowflake, check out our on-demand webinar from earlier this year.",{"data":4057,"content":4061,"nodeType":284},{"target":4058},{"sys":4059},{"id":4060,"type":289,"linkType":290},"7LkU5DqE9HJ1PQu9BTg6Mw",[],{"data":4063,"content":4064,"nodeType":313},{},[],{"data":4066,"content":4067,"nodeType":317},{},[4068],{"data":4069,"marks":4070,"value":4072,"nodeType":247},{},[4071],{"type":299},"How to protect yourself from the next Snowflake using Push",{"data":4074,"content":4075,"nodeType":243},{},[4076],{"data":4077,"marks":4078,"value":4079,"nodeType":247},{},[],"Organizations looking to reduce their exposure to account takeover using stolen credentials should look to:",{"data":4081,"content":4082,"nodeType":934},{},[4083,4093,4103],{"data":4084,"content":4085,"nodeType":938},{},[4086],{"data":4087,"content":4088,"nodeType":243},{},[4089],{"data":4090,"marks":4091,"value":4092,"nodeType":247},{},[],"Identify the apps being used across the business and locate vulnerable workforce identities using weak, breached, or reused credentials, and missing MFA. Where SSO is the preferred login method, local username & password logins should ideally be removed. ",{"data":4094,"content":4095,"nodeType":938},{},[4096],{"data":4097,"content":4098,"nodeType":243},{},[4099],{"data":4100,"marks":4101,"value":4102,"nodeType":247},{},[],"Where credentials appear in third-party data breaches, verify where they are still valid and ensure that the credentials are changed. ",{"data":4104,"content":4105,"nodeType":938},{},[4106],{"data":4107,"content":4108,"nodeType":243},{},[4109],{"data":4110,"marks":4111,"value":4112,"nodeType":247},{},[],"Detect unauthorized access to workforce identities where sessions are initiated or resumed from unusual or unexpected locations. It should be noted that while this is a fairly common feature for larger enterprise cloud platforms with configurable access control policies, this is not typically possible for most SaaS applications.  ",{"data":4114,"content":4115,"nodeType":243},{},[4116],{"data":4117,"marks":4118,"value":4119,"nodeType":247},{},[],"All of these use cases can be achieved using Push. The Push browser extension detects all logins performed in employee browsers, capturing granular information about the login method and MFA types used, and enriching this data by integrating with your preferred IdP.",{"data":4121,"content":4122,"nodeType":243},{},[4123,4127,4135],{"data":4124,"marks":4125,"value":4126,"nodeType":247},{},[],"Push’s ",{"data":4128,"content":4130,"nodeType":252},{"uri":4129},"https://pushsecurity.com/blog/verified-stolen-credential-detection",[4131],{"data":4132,"marks":4133,"value":4134,"nodeType":247},{},[],"verified stolen credential detection feature",{"data":4136,"marks":4137,"value":4138,"nodeType":247},{},[]," compares a k-anonymized hash of user passwords observed with stolen credential TI feeds to cut through the noise and identify where stolen credentials appearing online represent a genuine vulnerability.   ",{"data":4140,"content":4141,"nodeType":243},{},[4142,4146,4155],{"data":4143,"marks":4144,"value":4145,"nodeType":247},{},[],"On top of this, all logins made in browsers protected by the Push extension, across every app, are verified by ",{"data":4147,"content":4149,"nodeType":252},{"uri":4148},"https://pushsecurity.com/blog/introducing-session-token-theft-detection-why-browser-is-best/",[4150],{"data":4151,"marks":4152,"value":4154,"nodeType":247},{},[4153],{"type":260},"adding a unique marker to the user agent string of the session",{"data":4156,"marks":4157,"value":4158,"nodeType":247},{},[],", which will then appear in your IdP logs. This means that any session occurring outside of the Push-protected estate can be flagged to your security team via SIEM alert — including where an attacker uses stolen credentials to log into an app from a browser without the Push extension running. ",{"data":4160,"content":4164,"nodeType":284},{"target":4161},{"sys":4162},{"id":4163,"type":289,"linkType":290},"3tqVk7Vr7pYLOEVukIJM2g",[],{"data":4166,"content":4167,"nodeType":243},{},[4168],{"data":4169,"marks":4170,"value":29,"nodeType":247},{},[],"Snowflake: Looking back on 2024’s landmark security event","165 Snowflake customers were targeted by criminals using stolen credentials from infostealer infections, impacting hundreds of millions of people. ","2024-11-29T00:00:00.000Z","snowflake-retro",{"items":4176},[4177],{"sys":4178,"name":2299},{"id":2298},{"items":4180},[4181],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":4182},{"url":236},"browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches","blog/browser-sync-attacks-where-personal-account-hacks-lead-to-corporate-breaches",{"json":4186},{"data":4187,"content":4188,"nodeType":239},{},[4189],{"data":4190,"content":4191,"nodeType":243},{},[4192],{"data":4193,"marks":4194,"value":4195,"nodeType":247},{},[],"Browser sync attacks result in business credentials being compromised via personal account and device breaches. Here's what you need to know. ",{"id":4197,"publishedAt":4198},"4Mq5IZ2E0h9HRT3YkkHaLU","2026-04-20T13:31:20.897Z",{"items":4200},[4201,4203],{"sys":4202,"name":2303},{"id":2302},{"sys":4204,"name":2299},{"id":2298},"Yl66DPy301hiB-HnlrLYQ_I3UvJz-91RpDQxat1yb2E",1784196725077]