[{"data":1,"prerenderedAt":3957},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/consentfix-debrief":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":1108,"faqItemsCollection":1109,"faqTitle":62,"featured":6,"hashTags":62,"meta":1111,"metaTitle":1112,"ogImage":62,"publishedDate":1113,"relatedBlogPostsCollection":1114,"slug":3933,"stem":3934,"subtitle":62,"summary":3935,"synopsis":3946,"sys":3947,"tagsCollection":3950,"__hash__":3956},"blog/blog/consentfix-debrief.json","ConsentFix debrief: latest community insights, recommendations, and predictions",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Dan Green","Dan","Threat Research",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":238,"links":1074},{"nodeType":239,"data":240,"content":241},"document",{},[242,266,273,282,341,348,355,359,369,376,383,442,451,458,483,490,493,501,508,515,522,529,536,543,549,557,564,583,603,606,614,621,628,635,643,662,669,675,683,703,723,836,839,847,854,861,864,872,879,886,893,960,991,994,1002,1009,1016,1023,1030,1062,1068],{"nodeType":243,"data":244,"content":245},"paragraph",{},[246,251,262],{"nodeType":247,"value":248,"marks":249,"data":250},"text","In December, the Push Security research team discovered and blocked a brand new attack technique that we coined ",[],{},{"nodeType":252,"data":253,"content":255},"hyperlink",{"uri":254},"https://pushsecurity.com/blog/consentfix/",[256],{"nodeType":247,"value":257,"marks":258,"data":261},"ConsentFix",[259],{"type":260},"underline",{},{"nodeType":247,"value":263,"marks":264,"data":265},". This technique merged ClickFix-style social engineering with OAuth consent phishing to hijack Microsoft accounts. ",[],{},{"nodeType":243,"data":267,"content":268},{},[269],{"nodeType":247,"value":270,"marks":271,"data":272},"We saw this attack running across a large network of compromised websites that attackers were injecting the malicious payload into, forming a large-scale campaign that was detected across multiple customer estates. ",[],{},{"nodeType":274,"data":275,"content":281},"embedded-entry-block",{"target":276},{"sys":277},{"id":278,"type":279,"linkType":280},"603MWDqc9NsqkklIkfGNZN","Link","Entry",[],{"nodeType":243,"data":283,"content":284},{},[285,289,298,302,311,315,324,328,337],{"nodeType":247,"value":286,"marks":287,"data":288},"ConsentFix got a pretty awesome response from the community in a very short space of time. Within days, ",[],{},{"nodeType":252,"data":290,"content":292},{"uri":291},"https://www.youtube.com/watch?v=AAiiIY-Soak",[293],{"nodeType":247,"value":294,"marks":295,"data":297},"John Hammond shared a new and improved version of the technique",[296],{"type":260},{},{"nodeType":247,"value":299,"marks":300,"data":301}," that he’d spun up in his own lab, while security researchers from ",[],{},{"nodeType":252,"data":303,"content":305},{"uri":304},"https://medium.com/@nitashathakur/consentfix-poc-how-the-attack-works-end-to-end-4f8b656f977d",[306],{"nodeType":247,"value":307,"marks":308,"data":310},"Microsoft",[309],{"type":260},{},{"nodeType":247,"value":312,"marks":313,"data":314},", ",[],{},{"nodeType":252,"data":316,"content":318},{"uri":317},"https://www.glueckkanja.com/en/posts/2025-12-31-vulnerability-consentfix",[319],{"nodeType":247,"value":320,"marks":321,"data":323},"Glueck Kanja",[322],{"type":260},{},{"nodeType":247,"value":325,"marks":326,"data":327},", and ",[],{},{"nodeType":252,"data":329,"content":331},{"uri":330},"https://msendpointmgr.com/2026/01/08/consentfix-quickfix/",[332],{"nodeType":247,"value":333,"marks":334,"data":336},"other individual contributors",[335],{"type":260},{},{"nodeType":247,"value":338,"marks":339,"data":340}," all shared analysis and recommendations. ",[],{},{"nodeType":243,"data":342,"content":343},{},[344],{"nodeType":247,"value":345,"marks":346,"data":347},"In this blog, we’re sharing some new insights on the campaign, pulling together some of the top recommendations and resources shared across the community, and predicting what the future holds for this novel technique as it quickly enters the mainstream. ",[],{},{"nodeType":243,"data":349,"content":350},{},[351],{"nodeType":247,"value":352,"marks":353,"data":354},"First though, let’s quickly recap what ConsentFix is and how it works. ",[],{},{"nodeType":356,"data":357,"content":358},"hr",{},[],{"nodeType":360,"data":361,"content":362},"heading-1",{},[363],{"nodeType":247,"value":364,"marks":365,"data":368},"ConsentFix 101",[366],{"type":367},"bold",{},{"nodeType":243,"data":370,"content":371},{},[372],{"nodeType":247,"value":373,"marks":374,"data":375},"ConsentFix is an attack technique that prompts the victim to share an OAuth authorization code with an attacker via a phishing page. The attacker then enters this code into a target application on their own device in order to complete the authorization handshake and take over the account. ",[],{},{"nodeType":243,"data":377,"content":378},{},[379],{"nodeType":247,"value":380,"marks":381,"data":382},"By hijacking OAuth, attackers can effectively bypass identity-layer controls like passwords and MFA — even phishing resistant authentication methods like passkeys have no impact on this attack, because it sidesteps the authentication process altogether. ",[],{},{"nodeType":243,"data":384,"content":385},{},[386,390,399,403,412,416,425,429,438],{"nodeType":247,"value":387,"marks":388,"data":389},"OAuth abuse attacks are not new. Techniques like ",[],{},{"nodeType":252,"data":391,"content":393},{"uri":392},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/consent_phishing/description.md",[394],{"nodeType":247,"value":395,"marks":396,"data":398},"consent phishing",[397],{"type":260},{},{"nodeType":247,"value":400,"marks":401,"data":402}," and ",[],{},{"nodeType":252,"data":404,"content":406},{"uri":405},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/device_code_phishing/description.md",[407],{"nodeType":247,"value":408,"marks":409,"data":411},"device code phishing",[410],{"type":260},{},{"nodeType":247,"value":413,"marks":414,"data":415}," have been around for some time. However, these mainly focus on connecting your primary workspace account (e.g. Microsoft, Google, etc.) to a fraudulent, attacker-controlled application. But this is becoming increasingly difficult in core enterprise cloud environments like Azure due to ",[],{},{"nodeType":252,"data":417,"content":419},{"uri":418},"https://learn.microsoft.com/en-us/microsoft-365/admin/misc/user-consent?view=o365-worldwide",[420],{"nodeType":247,"value":421,"marks":422,"data":424},"stricter default configs",[423],{"type":260},{},{"nodeType":247,"value":426,"marks":427,"data":428},". That said, device code phishing still featured prominently in the recent ",[],{},{"nodeType":252,"data":430,"content":432},{"uri":431},"https://pushsecurity.com/blog/scattered-lapsus-hunters/",[433],{"nodeType":247,"value":434,"marks":435,"data":437},"high-profile Salesforce attacks in 2025",[436],{"type":260},{},{"nodeType":247,"value":439,"marks":440,"data":441},".",[],{},{"nodeType":443,"data":444,"content":445},"heading-2",{},[446],{"nodeType":247,"value":447,"marks":448,"data":450},"What makes ConsentFix so dangerous?",[449],{"type":367},{},{"nodeType":243,"data":452,"content":453},{},[454],{"nodeType":247,"value":455,"marks":456,"data":457},"Unlike typical OAuth attacks, the novel ConsentFix approach enabled the attacker to target different types of application to what they usually go after — with big implications for detection and response. In this case, the attacker:",[],{},{"nodeType":459,"data":460,"content":461},"unordered-list",{},[462,473],{"nodeType":463,"data":464,"content":465},"list-item",{},[466],{"nodeType":243,"data":467,"content":468},{},[469],{"nodeType":247,"value":470,"marks":471,"data":472},"Specifically targeted first-party Microsoft apps that cannot be restricted in the same way as third-party applications, and are pre-consented in every tenant (meaning users can authenticate to them without admin approval). ",[],{},{"nodeType":463,"data":474,"content":475},{},[476],{"nodeType":243,"data":477,"content":478},{},[479],{"nodeType":247,"value":480,"marks":481,"data":482},"Leveraged legacy scopes that are outside the scope of default logging to evade detection, and targeted scopes with known Conditional Access policy exclusions.",[],{},{"nodeType":243,"data":484,"content":485},{},[486],{"nodeType":247,"value":487,"marks":488,"data":489},"This means that default controls you’d expect to block malicious OAuth grants don’t apply, you may not have logging enabled to detect it if it did happen to you, and to top it off, conditional access policy exclusions mean that many organizations’ expected controls don’t work as intended in this case. ",[],{},{"nodeType":356,"data":491,"content":492},{},[],{"nodeType":360,"data":494,"content":495},{},[496],{"nodeType":247,"value":497,"marks":498,"data":500},"ConsentFix campaign recap",[499],{"type":367},{},{"nodeType":243,"data":502,"content":503},{},[504],{"nodeType":247,"value":505,"marks":506,"data":507},"Let’s quickly recap how the ConsentFix campaign was implemented. ",[],{},{"nodeType":243,"data":509,"content":510},{},[511],{"nodeType":247,"value":512,"marks":513,"data":514},"The victim is served a page which requires that they verify that they are human by pasting a URL into the phishing page.",[],{},{"nodeType":243,"data":516,"content":517},{},[518],{"nodeType":247,"value":519,"marks":520,"data":521},"Clicking the “Sign In” button opens a legitimate Microsoft login page. If the user is already logged in (which they likely are if working in their normal browser) their account information is already pre-populated and they won’t need to authenticate again. ",[],{},{"nodeType":243,"data":523,"content":524},{},[525],{"nodeType":247,"value":526,"marks":527,"data":528},"Selecting their account redirects them to a localhost URL containing an OAuth authorization code — this is what they then post into the original phishing page to complete the attack. ",[],{},{"nodeType":243,"data":530,"content":531},{},[532],{"nodeType":247,"value":533,"marks":534,"data":535},"Once the attacker gets the URL, they can exchange it for an access token or refresh token for the particular application being targeted — in this case, Azure CLI.",[],{},{"nodeType":243,"data":537,"content":538},{},[539],{"nodeType":247,"value":540,"marks":541,"data":542},"The TL;DR is that the attacker is manually completing an authorization flow that happens when a user logs into Azure CLI — a a command line client that provides you with the ability to easily manage your Azure AD / Entra ID environment. Except in this case, they’re taking the victim’s information to log in on the attacker’s device instead. ",[],{},{"nodeType":274,"data":544,"content":548},{"target":545},{"sys":546},{"id":547,"type":279,"linkType":280},"1eZOs7hXi9FzCE92QEP6xh",[],{"nodeType":443,"data":550,"content":551},{},[552],{"nodeType":247,"value":553,"marks":554,"data":556},"Latest campaign details",[555],{"type":367},{},{"nodeType":243,"data":558,"content":559},{},[560],{"nodeType":247,"value":561,"marks":562,"data":563},"Since we shared our blog post, we’ve had a number of additional details come to light about the campaign, which we’ve continued to track. ",[],{},{"nodeType":243,"data":565,"content":566},{},[567,571,579],{"nodeType":247,"value":568,"marks":569,"data":570},"It appears to be linked to Russian state-affiliated APT29, as corroborated by threat researchers we’ve been collaborating with. This is consistent with the ",[],{},{"nodeType":252,"data":572,"content":573},{"uri":254},[574],{"nodeType":247,"value":575,"marks":576,"data":578},"stealthy tactics we observed",[577],{"type":260},{},{"nodeType":247,"value":580,"marks":581,"data":582},", which go far beyond the run-of-the-mill detection evasion techniques we see used in criminal phishing campaigns. ",[],{},{"nodeType":243,"data":584,"content":585},{},[586,590,599],{"nodeType":247,"value":587,"marks":588,"data":589},"It shares many similarities with, and appears to be an evolution of, ",[],{},{"nodeType":252,"data":591,"content":593},{"uri":592},"https://www.volexity.com/blog/2025/12/04/dangerous-invitations-russian-threat-actor-spoofs-european-security-events-in-targeted-phishing-attacks/",[594],{"nodeType":247,"value":595,"marks":596,"data":598},"this Russia-affiliated campaign identified by Volexity",[597],{"type":260},{},{"nodeType":247,"value":600,"marks":601,"data":602}," that featured a manual version of the attack — where they victim was social engineered via email into opening the Microsoft URL, copying the localhost response, and sending it back to the attacker via email. ",[],{},{"nodeType":356,"data":604,"content":605},{},[],{"nodeType":360,"data":607,"content":608},{},[609],{"nodeType":247,"value":610,"marks":611,"data":613},"Top contributions from the community",[612],{"type":367},{},{"nodeType":243,"data":615,"content":616},{},[617],{"nodeType":247,"value":618,"marks":619,"data":620},"As we mentioned earlier, the community response to ConsentFix has been incredible. ",[],{},{"nodeType":243,"data":622,"content":623},{},[624],{"nodeType":247,"value":625,"marks":626,"data":627},"As ever, you get a lot of vendors covering the attack technique with “install our product” as the recommendation. This is to be expected, but it’s misleading when some of these vendors are pushing EDR products that would have absolutely no way of detecting or blocking the attack. ",[],{},{"nodeType":243,"data":629,"content":630},{},[631],{"nodeType":247,"value":632,"marks":633,"data":634},"But cutting through the marketing, a lot of really great resources and recommendations were shared. ",[],{},{"nodeType":443,"data":636,"content":637},{},[638],{"nodeType":247,"value":639,"marks":640,"data":642},"V2.0 released by John Hammond",[641],{"type":367},{},{"nodeType":243,"data":644,"content":645},{},[646,650,658],{"nodeType":247,"value":647,"marks":648,"data":649},"Within days, John Hammond ",[],{},{"nodeType":252,"data":651,"content":652},{"uri":291},[653],{"nodeType":247,"value":654,"marks":655,"data":657},"posted about ConsentFix on his Youtube channel",[656],{"type":260},{},{"nodeType":247,"value":659,"marks":660,"data":661},", where he showed off a slick improvement on the ConsentFix implementation used by attackers. In his version, the URL containing the Microsoft authorization code was generated in a pop-up browser window that could simply be drag-and-dropped into the phishing page. ",[],{},{"nodeType":243,"data":663,"content":664},{},[665],{"nodeType":247,"value":666,"marks":667,"data":668},"This implementation is way smoother, making it much more likely that a victim would fall for it. And this took a matter of days… ",[],{},{"nodeType":274,"data":670,"content":674},{"target":671},{"sys":672},{"id":673,"type":279,"linkType":280},"59tfJDRhGThKD48Wjg7uY2",[],{"nodeType":443,"data":676,"content":677},{},[678],{"nodeType":247,"value":679,"marks":680,"data":682},"Additional vulnerable first-party apps identified",[681],{"type":367},{},{"nodeType":243,"data":684,"content":685},{},[686,690,699],{"nodeType":247,"value":687,"marks":688,"data":689},"Fabian Bader and Dirk-jan Mollema from Glueck Kanja have ",[],{},{"nodeType":252,"data":691,"content":693},{"uri":692},"https://entrascopes.com/?bypass=true&authcodeFix=true",[694],{"nodeType":247,"value":695,"marks":696,"data":698},"shared a great resource",[697],{"type":260},{},{"nodeType":247,"value":700,"marks":701,"data":702}," on wider first-party apps that are vulnerable to ConsentFix. ",[],{},{"nodeType":243,"data":704,"content":705},{},[706,710,719],{"nodeType":247,"value":707,"marks":708,"data":709},"In total, there are 11 apps vulnerable to ConsentFix that also have known ",[],{},{"nodeType":252,"data":711,"content":713},{"uri":712},"https://cloudbrothers.info/conditional-access-bypasses/#documented-bypasses",[714],{"nodeType":247,"value":715,"marks":716,"data":718},"Conditional Access exclusions",[717],{"type":260},{},{"nodeType":247,"value":720,"marks":721,"data":722}," (either for the app generally, or when specific scopes are requested for the app):",[],{},{"nodeType":459,"data":724,"content":725},{},[726,736,746,756,766,776,786,796,806,816,826],{"nodeType":463,"data":727,"content":728},{},[729],{"nodeType":243,"data":730,"content":731},{},[732],{"nodeType":247,"value":733,"marks":734,"data":735},"Microsoft Azure CLI: 04b07795-8ddb-461a-bbee-02f9e1bf7b46",[],{},{"nodeType":463,"data":737,"content":738},{},[739],{"nodeType":243,"data":740,"content":741},{},[742],{"nodeType":247,"value":743,"marks":744,"data":745},"Microsoft Azure PowerShell: 1950a258-227b-4e31-a9cf-717495945fc2",[],{},{"nodeType":463,"data":747,"content":748},{},[749],{"nodeType":243,"data":750,"content":751},{},[752],{"nodeType":247,"value":753,"marks":754,"data":755},"Microsoft Teams: 1fec8e78-bce4-4aaf-ab1b-5451cc387264",[],{},{"nodeType":463,"data":757,"content":758},{},[759],{"nodeType":243,"data":760,"content":761},{},[762],{"nodeType":247,"value":763,"marks":764,"data":765},"Microsoft Whiteboard Client: 57336123-6e14-4acc-8dcf-287b6088aa28",[],{},{"nodeType":463,"data":767,"content":768},{},[769],{"nodeType":243,"data":770,"content":771},{},[772],{"nodeType":247,"value":773,"marks":774,"data":775},"Microsoft Flow Mobile PROD-GCCH-CN: 57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0",[],{},{"nodeType":463,"data":777,"content":778},{},[779],{"nodeType":243,"data":780,"content":781},{},[782],{"nodeType":247,"value":783,"marks":784,"data":785},"Enterprise Roaming and Backup: 60c8bde5-3167-4f92-8fdb-059f6176dc0",[],{},{"nodeType":463,"data":787,"content":788},{},[789],{"nodeType":243,"data":790,"content":791},{},[792],{"nodeType":247,"value":793,"marks":794,"data":795},"Visual Studio: 872cd9fa-d31f-45e0-9eab-6e460a02d1f1",[],{},{"nodeType":463,"data":797,"content":798},{},[799],{"nodeType":243,"data":800,"content":801},{},[802],{"nodeType":247,"value":803,"marks":804,"data":805},"Aadrm Admin Powershell: 90f610bf-206d-4950-b61d-37fa6fd1b224",[],{},{"nodeType":463,"data":807,"content":808},{},[809],{"nodeType":243,"data":810,"content":811},{},[812],{"nodeType":247,"value":813,"marks":814,"data":815},"Microsoft SharePoint Online Management Shell: 9bc3ab49-b65d-410a-85ad-de819febfddc",[],{},{"nodeType":463,"data":817,"content":818},{},[819],{"nodeType":243,"data":820,"content":821},{},[822],{"nodeType":247,"value":823,"marks":824,"data":825},"Microsoft Power Query for Excel: a672d62c-fc7b-4e81-a576-e60dc46e951d",[],{},{"nodeType":463,"data":827,"content":828},{},[829],{"nodeType":243,"data":830,"content":831},{},[832],{"nodeType":247,"value":833,"marks":834,"data":835},"Visual Studio Code: aebc6443-996d-45c2-90f0-388ff96faa56",[],{},{"nodeType":356,"data":837,"content":838},{},[],{"nodeType":360,"data":840,"content":841},{},[842],{"nodeType":247,"value":843,"marks":844,"data":846},"Predictions for ConsentFix",[845],{"type":367},{},{"nodeType":243,"data":848,"content":849},{},[850],{"nodeType":247,"value":851,"marks":852,"data":853},"Based on the speed at which new iterations on the ConsentFix technique were shared by security researchers, and the breadth of apps and possible scopes that can be leveraged, both red teams and criminals will inevitably adopt ConsentFix into their arsenal of TTPs in the near future. It is likely that new ConsentFix variants will emerge imminently (if not already in circulation). ",[],{},{"nodeType":243,"data":855,"content":856},{},[857],{"nodeType":247,"value":858,"marks":859,"data":860},"All security teams responsible for protecting Microsoft environments should ensure that monitoring controls and mitigations are put in place as a matter of high priority. ",[],{},{"nodeType":356,"data":862,"content":863},{},[],{"nodeType":360,"data":865,"content":866},{},[867],{"nodeType":247,"value":868,"marks":869,"data":871},"Updated recommendations for security teams",[870],{"type":367},{},{"nodeType":243,"data":873,"content":874},{},[875],{"nodeType":247,"value":876,"marks":877,"data":878},"As an entirely browser-native attack technique, many traditional security tools and data sources are of limited use when it comes to detecting or pre-emptively blocking this attack. At the same time, the attack exploits default Microsoft security configs to evade both prevention and detection controls.",[],{},{"nodeType":243,"data":880,"content":881},{},[882],{"nodeType":247,"value":883,"marks":884,"data":885},"To be able to tackle modern attacks like ConsentFix that occur entirely within the browser context, it is vital that organizations look to monitor the browser as a detection surface, hunt for signs of malicious activity, and block attacks in real-time — in the same way that you would expect EDR to work for endpoint attacks. ",[],{},{"nodeType":243,"data":887,"content":888},{},[889],{"nodeType":247,"value":890,"marks":891,"data":892},"For organizations relying on Microsoft logging as the sole line of defense against this attack, there are some new recommendations to add to the list thanks to the community response: ",[],{},{"nodeType":459,"data":894,"content":895},{},[896,919,929,950],{"nodeType":463,"data":897,"content":898},{},[899],{"nodeType":243,"data":900,"content":901},{},[902,906,915],{"nodeType":247,"value":903,"marks":904,"data":905},"Ensure that logging for the deprecated ",[],{},{"nodeType":252,"data":907,"content":909},{"uri":908},"https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/aadgraphactivitylogs",[910],{"nodeType":247,"value":911,"marks":912,"data":914},"AADGraphActivityLogs",[913],{"type":260},{},{"nodeType":247,"value":916,"marks":917,"data":918}," is enabled.",[],{},{"nodeType":463,"data":920,"content":921},{},[922],{"nodeType":243,"data":923,"content":924},{},[925],{"nodeType":247,"value":926,"marks":927,"data":928},"Hunt in logs for the Application IDs highlighted above, along with the Resource IDs for Windows Azure Active Directory (00000002-0000-0000-c000-000000000000) and Microsoft Intune Checkin (26a4ae64-5862-427f-a9b0-044e62572a4f)",[],{},{"nodeType":463,"data":930,"content":931},{},[932],{"nodeType":243,"data":933,"content":934},{},[935,938,946],{"nodeType":247,"value":29,"marks":936,"data":937},[],{},{"nodeType":252,"data":939,"content":940},{"uri":330},[941],{"nodeType":247,"value":942,"marks":943,"data":945},"Create Service Principals for each of the vulnerable apps and restrict the users that are authorized to access them",[944],{"type":260},{},{"nodeType":247,"value":947,"marks":948,"data":949}," to reduce the attack surface of users that can be phished with this method.",[],{},{"nodeType":463,"data":951,"content":952},{},[953],{"nodeType":243,"data":954,"content":955},{},[956],{"nodeType":247,"value":957,"marks":958,"data":959},"Block access to CLI tools via Conditional Access policy and issue exclusions for authorized users/groups. ",[],{},{"nodeType":243,"data":961,"content":962},{},[963,967,976,980,987],{"nodeType":247,"value":964,"marks":965,"data":966},"Additional resources that may be of use include community-created ",[],{},{"nodeType":252,"data":968,"content":970},{"uri":969},"https://github.com/elastic/detection-rules/pull/5485",[971],{"nodeType":247,"value":972,"marks":973,"data":975},"Elastic detection rules",[974],{"type":260},{},{"nodeType":247,"value":977,"marks":978,"data":979}," for ConsentFix and further mitigation and hunting guidance from ",[],{},{"nodeType":252,"data":981,"content":982},{"uri":317},[983],{"nodeType":247,"value":320,"marks":984,"data":986},[985],{"type":260},{},{"nodeType":247,"value":988,"marks":989,"data":990},". ",[],{},{"nodeType":356,"data":992,"content":993},{},[],{"nodeType":360,"data":995,"content":996},{},[997],{"nodeType":247,"value":998,"marks":999,"data":1001},"Learn more about Push Security",[1000],{"type":367},{},{"nodeType":243,"data":1003,"content":1004},{},[1005],{"nodeType":247,"value":1006,"marks":1007,"data":1008},"Even though this was a brand new technique, Push intercepted this attack and shut it down before customers could interact with it. ",[],{},{"nodeType":243,"data":1010,"content":1011},{},[1012],{"nodeType":247,"value":1013,"marks":1014,"data":1015},"Push tackles browser-based attacks using behavioral threat detection controls, powered by deep browser telemetry, to provide broad detection and blocking capabilities against attacks happening in the browser. This means analyzing the end-to-end process of a webpage loading/running in the browser, and how the user interacts with the page, to spot universal indicators of bad activity. ",[],{},{"nodeType":243,"data":1017,"content":1018},{},[1019],{"nodeType":247,"value":1020,"marks":1021,"data":1022},"This is the only reliable way to detect malicious websites in a world where IoC-based detections are trivial for attackers to get around. Rather than playing known-bad whac-a-mole, Push detects and blocks even zero-day browser threats in real time.",[],{},{"nodeType":243,"data":1024,"content":1025},{},[1026],{"nodeType":247,"value":1027,"marks":1028,"data":1029},"Push stops browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, ConsentFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":243,"data":1031,"content":1032},{},[1033,1037,1046,1050,1059],{"nodeType":247,"value":1034,"marks":1035,"data":1036},"To learn more about Push, ",[],{},{"nodeType":252,"data":1038,"content":1040},{"uri":1039},"https://pushsecurity.com/resources/product-brochure",[1041],{"nodeType":247,"value":1042,"marks":1043,"data":1045},"check out our latest product overview",[1044],{"type":260},{},{"nodeType":247,"value":1047,"marks":1048,"data":1049}," or ",[],{},{"nodeType":252,"data":1051,"content":1053},{"uri":1052},"https://pushsecurity.com/demo",[1054],{"nodeType":247,"value":1055,"marks":1056,"data":1058},"book some time with one of our team for a live demo",[1057],{"type":260},{},{"nodeType":247,"value":439,"marks":1060,"data":1061},[],{},{"nodeType":274,"data":1063,"content":1067},{"target":1064},{"sys":1065},{"id":1066,"type":279,"linkType":280},"4D7zpYAc1tTEAmn2hpkWPe",[],{"nodeType":243,"data":1069,"content":1070},{},[1071],{"nodeType":247,"value":29,"marks":1072,"data":1073},[],{},{"entries":1075},{"hyperlink":1076,"inline":1077,"block":1078},[],[],[1079,1087,1093,1100],{"sys":1080,"__typename":1081,"title":1082,"caption":1082,"layoutMode":62,"file":1083},{"id":278},"Image","“ConsentFix” phishing site detected and blocked by Push. ",{"url":1084,"width":1085,"height":1086},"https://images.ctfassets.net/y1cdw1ablpvd/3FyJ6MHYvAi7z9O7LahUer/ac4384da808287779f1e1f622186dcbc/1.png",1999,1185,{"sys":1088,"__typename":1081,"title":1089,"caption":1090,"layoutMode":62,"file":1091},{"id":547},"ConsentFix attack breakdown.","ConsentFix attack breakdown: The victim is tricked into copy-and-pasting a URL containing OAuth key material into a phishing page.",{"url":1092,"width":1085,"height":33},"https://images.ctfassets.net/y1cdw1ablpvd/7x6SiBWarYH3w4nPfjtf7r/4c1dd037b9ad47ccbba0a87256ecd909/2.png",{"sys":1094,"__typename":1081,"title":1095,"caption":1095,"layoutMode":62,"file":1096},{"id":673},"John Hammond showed off a slick new ConsentFix implementation.",{"url":1097,"width":1098,"height":1099},"https://images.ctfassets.net/y1cdw1ablpvd/1bjvJgwJQYYITray4cgquD/056744beab8fd24153b1c42b73090aeb/consentfix_v2.gif",1280,720,{"sys":1101,"__typename":1102,"type":1103,"ctaText":1104,"buttonLabel":1105,"buttonColour":1106,"buttonUrl":1107},{"id":1066},"CtaWidget","Custom","Want to see how security controls match up with modern browser-based attacks? Register for our upcoming webinar for an interactive walkthrough.","Register Now","sunny orange","https://pushsecurity.com/webinar/investigating-browser-threats","json",{"items":1110},[],{},"ConsentFix debrief: insights, recommendations & predictions","2026-01-14T00:00:00.000Z",{"items":1115},[1116,1988,2605],{"__typename":1117,"sys":1118,"content":1120,"title":1966,"synopsis":1967,"hashTags":62,"publishedDate":1968,"slug":1969,"tagsCollection":1970,"authorsCollection":1980},"BlogPosts",{"id":1119},"71EaaK7lfl6bQBbkAU0qjv",{"json":1121},{"nodeType":239,"data":1122,"content":1123},{},[1124,1132,1139,1146,1153,1165,1172,1178,1184,1187,1195,1202,1209,1215,1235,1242,1248,1255,1261,1268,1311,1317,1322,1329,1336,1339,1347,1367,1374,1380,1399,1405,1425,1432,1435,1443,1450,1491,1503,1506,1514,1533,1540,1556,1563,1570,1576,1583,1586,1594,1601,1654,1661,1664,1672,1678,1685,1692,1698,1705,1738,1745,1752,1758,1765,1771,1779,1799,1806,1839,1846,1879,1882,1890,1896,1902,1921,1928,1954,1960],{"nodeType":360,"data":1125,"content":1126},{},[1127],{"nodeType":247,"value":1128,"marks":1129,"data":1131},"Introducing “ConsentFix” — a new kind of phishing attack",[1130],{"type":367},{},{"nodeType":243,"data":1133,"content":1134},{},[1135],{"nodeType":247,"value":1136,"marks":1137,"data":1138},"The Push browser agent recently detected and blocked a new attack technique seen targeting several Push customers. ",[],{},{"nodeType":243,"data":1140,"content":1141},{},[1142],{"nodeType":247,"value":1143,"marks":1144,"data":1145},"This is a new kind of browser-based attack technique that takes over user accounts with a simple copy and paste. If you’re already logged into the app in your browser, you don’t even need to supply creds, or pass an MFA check — meaning it effectively circumvents phishing-resistant auth like passkeys too.",[],{},{"nodeType":243,"data":1147,"content":1148},{},[1149],{"nodeType":247,"value":1150,"marks":1151,"data":1152},"This is so different from the AiTM phish kits we usually come up against that we felt it deserved a new name. ",[],{},{"nodeType":243,"data":1154,"content":1155},{},[1156,1161],{"nodeType":247,"value":1157,"marks":1158,"data":1160},"Enter: ConsentFix. ",[1159],{"type":367},{},{"nodeType":247,"value":1162,"marks":1163,"data":1164},"This attack shares a lot of similarities with ClickFix/FileFix, AiTM phishing, and OAuth Consent Phishing. You can think of this as a browser-native ClickFix attack that phishes an OAuth token on a target app by getting the victim to copy and paste a URL containing OAuth key material into a phishing page. ",[],{},{"nodeType":243,"data":1166,"content":1167},{},[1168],{"nodeType":247,"value":1169,"marks":1170,"data":1171},"The campaign we detected looks to be specifically targeting Microsoft accounts by abusing the Azure CLI OAuth app. Essentially, the attacker tricks the victim into logging into Azure CLI, by generating an OAuth authorization code — visible in a localhost URL — and then pasting that URL (including the code) into an attacker-controlled page. This then creates an OAuth connection between the victim’s Microsoft account and the attacker’s Azure CLI instance. ",[],{},{"nodeType":274,"data":1173,"content":1177},{"target":1174},{"sys":1175},{"id":1176,"type":279,"linkType":280},"5GTnqWIbmraz8HZeHMybrP",[],{"nodeType":274,"data":1179,"content":1183},{"target":1180},{"sys":1181},{"id":1182,"type":279,"linkType":280},"1lcjX5q3b1bsuhyOXKvJpW",[],{"nodeType":356,"data":1185,"content":1186},{},[],{"nodeType":360,"data":1188,"content":1189},{},[1190],{"nodeType":247,"value":1191,"marks":1192,"data":1194},"How ConsentFix works",[1193],{"type":367},{},{"nodeType":243,"data":1196,"content":1197},{},[1198],{"nodeType":247,"value":1199,"marks":1200,"data":1201},"In all of the examples we saw, the victim accessed a malicious or compromised webpage via Google Search. The vast majority of the sites we’ve seen associated with the campaign are legitimate, compromised websites with high domain reputation that are easily findable via search engines.",[],{},{"nodeType":243,"data":1203,"content":1204},{},[1205],{"nodeType":247,"value":1206,"marks":1207,"data":1208},"The attacker had injected a fake Cloudflare Turnstile into the compromised websites, requiring an email address to be supplied in order to proceed. ",[],{},{"nodeType":274,"data":1210,"content":1214},{"target":1211},{"sys":1212},{"id":1213,"type":279,"linkType":280},"39jEjeLqOYIkGc4o9w3MuX",[],{"nodeType":243,"data":1216,"content":1217},{},[1218,1222,1231],{"nodeType":247,"value":1219,"marks":1220,"data":1221},"This acted as a form of ",[],{},{"nodeType":252,"data":1223,"content":1225},{"uri":1224},"https://phishing-techniques.pushsecurity.com/techniques/conditional-loading/",[1226],{"nodeType":247,"value":1227,"marks":1228,"data":1230},"conditional loading",[1229],{"type":260},{},{"nodeType":247,"value":1232,"marks":1233,"data":1234}," that would only continue if a valid email address and domain was supplied, designed to prevent the page from being analyzed by security bots, analysts, and low-value accounts that run the risk of exposing the campaign before the intended recipient(s) can be phished. ",[],{},{"nodeType":243,"data":1236,"content":1237},{},[1238],{"nodeType":247,"value":1239,"marks":1240,"data":1241},"If a domain not on the target list was provided, the victim was passed back to the original website and the attack did not progress to the next stage. Further, once the check has concluded per IP, the phishing page will no longer activate, even a different email is provided.  ",[],{},{"nodeType":274,"data":1243,"content":1247},{"target":1244},{"sys":1245},{"id":1246,"type":279,"linkType":280},"7ttmGnTzi9j87tBXfyFcOA",[],{"nodeType":243,"data":1249,"content":1250},{},[1251],{"nodeType":247,"value":1252,"marks":1253,"data":1254},"After entering an approved email address, the next stage was loaded, prompting the victim to complete a set of instructions on the page to continue.",[],{},{"nodeType":274,"data":1256,"content":1260},{"target":1257},{"sys":1258},{"id":1259,"type":279,"linkType":280},"2oHYNoMgAz6MdgLlcWjbaB",[],{"nodeType":243,"data":1262,"content":1263},{},[1264],{"nodeType":247,"value":1265,"marks":1266,"data":1267},"To complete the attack, the victim must:",[],{},{"nodeType":459,"data":1269,"content":1270},{},[1271,1281,1291,1301],{"nodeType":463,"data":1272,"content":1273},{},[1274],{"nodeType":243,"data":1275,"content":1276},{},[1277],{"nodeType":247,"value":1278,"marks":1279,"data":1280},"Click the “Sign In” button. This opens a new tab that loads a legitimate Microsoft URL associated with the user account/email used to access the page.",[],{},{"nodeType":463,"data":1282,"content":1283},{},[1284],{"nodeType":243,"data":1285,"content":1286},{},[1287],{"nodeType":247,"value":1288,"marks":1289,"data":1290},"If the user is already logged into Microsoft in their browser, they simply need to select their MS account from the dropdown. Otherwise, they will be required to login via the legitimate Microsoft login URL (no phishing takes place at this stage). ",[],{},{"nodeType":463,"data":1292,"content":1293},{},[1294],{"nodeType":243,"data":1295,"content":1296},{},[1297],{"nodeType":247,"value":1298,"marks":1299,"data":1300},"Once logged into legit Microsoft or the account is selected from the dropdown, the user is redirected to localhost, which generates a URL containing a code associated with the user’s Microsoft account. ",[],{},{"nodeType":463,"data":1302,"content":1303},{},[1304],{"nodeType":243,"data":1305,"content":1306},{},[1307],{"nodeType":247,"value":1308,"marks":1309,"data":1310},"To complete the phish, the victim copies the URL and pastes it onto the original page. ",[],{},{"nodeType":274,"data":1312,"content":1316},{"target":1313},{"sys":1314},{"id":1315,"type":279,"linkType":280},"7zendMbmCViGwtEpUQvq6y",[],{"nodeType":274,"data":1318,"content":1321},{"target":1319},{"sys":1320},{"id":547,"type":279,"linkType":280},[],{"nodeType":243,"data":1323,"content":1324},{},[1325],{"nodeType":247,"value":1326,"marks":1327,"data":1328},"Once the steps are completed, the victim has granted the attacker access to their Microsoft account via Azure CLI. ",[],{},{"nodeType":243,"data":1330,"content":1331},{},[1332],{"nodeType":247,"value":1333,"marks":1334,"data":1335},"At this point, the attacker has effective control of the victim’s Microsoft account, but without ever needing to phish a password, or pass an MFA check. In fact, if the user was already logged in to their Microsoft account (i.e. they had an active session) no login is required at all. ",[],{},{"nodeType":356,"data":1337,"content":1338},{},[],{"nodeType":360,"data":1340,"content":1341},{},[1342],{"nodeType":247,"value":1343,"marks":1344,"data":1346},"The next evolution of ClickFix?",[1345],{"type":367},{},{"nodeType":243,"data":1348,"content":1349},{},[1350,1354,1363],{"nodeType":247,"value":1351,"marks":1352,"data":1353},"When we presented ",[],{},{"nodeType":252,"data":1355,"content":1357},{"uri":1356},"https://pushsecurity.com/webinar/clickfix",[1358],{"nodeType":247,"value":1359,"marks":1360,"data":1362},"our last webinar on ClickFix",[1361],{"type":260},{},{"nodeType":247,"value":1364,"marks":1365,"data":1366},", we predicted that the next evolution of the attack would happen entirely within the browser context. This is because any attack that touches the endpoint (a traditionally much better protected surface) is way more likely to be detected. And with many ClickFix attacks being used to deliver infostealer malware, these attacks are really trying to get back into the browser anyway — to steal credentials and sessions stored there. ",[],{},{"nodeType":243,"data":1368,"content":1369},{},[1370],{"nodeType":247,"value":1371,"marks":1372,"data":1373},"Let’s take a closer look at the page — if you follow Push research, you might be getting déjà vu. ",[],{},{"nodeType":274,"data":1375,"content":1379},{"target":1376},{"sys":1377},{"id":1378,"type":279,"linkType":280},"1vMZCJ92IxFdR1EzzCOOvb",[],{"nodeType":243,"data":1381,"content":1382},{},[1383,1387,1396],{"nodeType":247,"value":1384,"marks":1385,"data":1386},"We’ve seen this kind of embedded video player before (albeit a slicker looking one) that we blogged about as ",[],{},{"nodeType":252,"data":1388,"content":1390},{"uri":1389},"https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/",[1391],{"nodeType":247,"value":1392,"marks":1393,"data":1395},"the most advanced ClickFix we’d seen",[1394],{"type":260},{},{"nodeType":247,"value":439,"marks":1397,"data":1398},[],{},{"nodeType":274,"data":1400,"content":1404},{"target":1401},{"sys":1402},{"id":1403,"type":279,"linkType":280},"ID7VKJNOZk729P5zBOBjZ",[],{"nodeType":243,"data":1406,"content":1407},{},[1408,1412,1421],{"nodeType":247,"value":1409,"marks":1410,"data":1411},"Another similarity with ClickFix campaigns we’ve investigated is the use of Google Search as a delivery vector. 4 in 5 ClickFix attacks intercepted by Push came via Google Search, with attackers using ",[],{},{"nodeType":252,"data":1413,"content":1415},{"uri":1414},"https://phishing-techniques.pushsecurity.com/techniques/malvertising/",[1416],{"nodeType":247,"value":1417,"marks":1418,"data":1420},"malvertising",[1419],{"type":260},{},{"nodeType":247,"value":1422,"marks":1423,"data":1424}," and either compromised or custom vibe-coded websites to intercept users as they browse the internet. ",[],{},{"nodeType":243,"data":1426,"content":1427},{},[1428],{"nodeType":247,"value":1429,"marks":1430,"data":1431},"So it seems highly likely that this is a kind of browser-native evolution of ClickFix that shares many elements with typical ClickFix attacks, and is probably used by the same groups of attackers.",[],{},{"nodeType":356,"data":1433,"content":1434},{},[],{"nodeType":360,"data":1436,"content":1437},{},[1438],{"nodeType":247,"value":1439,"marks":1440,"data":1442},"OAuth shenanigans via Azure CLI",[1441],{"type":367},{},{"nodeType":243,"data":1444,"content":1445},{},[1446],{"nodeType":247,"value":1447,"marks":1448,"data":1449},"The clever use of Azure CLI and OAuth consent abuse is another clever iteration on previous techniques. ",[],{},{"nodeType":243,"data":1451,"content":1452},{},[1453,1457,1465,1468,1476,1480,1487],{"nodeType":247,"value":1454,"marks":1455,"data":1456},"We’ve previously seen ",[],{},{"nodeType":252,"data":1458,"content":1460},{"uri":1459},"https://phishing-techniques.pushsecurity.com/techniques/consent-phishing/",[1461],{"nodeType":247,"value":395,"marks":1462,"data":1464},[1463],{"type":260},{},{"nodeType":247,"value":400,"marks":1466,"data":1467},[],{},{"nodeType":252,"data":1469,"content":1471},{"uri":1470},"https://phishing-techniques.pushsecurity.com/techniques/device-code-phishing/",[1472],{"nodeType":247,"value":408,"marks":1473,"data":1475},[1474],{"type":260},{},{"nodeType":247,"value":1477,"marks":1478,"data":1479}," attacks where attackers have tricked victims into connecting malicious external apps into their tenant via OAuth, but this is becoming increasingly difficult in core enterprise cloud environments like Azure due to ",[],{},{"nodeType":252,"data":1481,"content":1482},{"uri":418},[1483],{"nodeType":247,"value":421,"marks":1484,"data":1486},[1485],{"type":260},{},{"nodeType":247,"value":1488,"marks":1489,"data":1490},". However, since Azure CLI is a first-party Microsoft app, it is implicitly trusted in Entra ID, and is excluded from these restrictions. ",[],{},{"nodeType":243,"data":1492,"content":1493},{},[1494,1498],{"nodeType":247,"value":1495,"marks":1496,"data":1497},"First-party apps like Azure CLI are trusted by default in all tenants, allowed to request permissions without admin approval, and cannot be deleted or blocked. They can also be granted special permissions, such as tenant-wide service permissions (without needing admin approval), use of legacy or undocumented graph scopes, internal scopes for Microsoft client operations, and permissions for Office/Entra admin functions. ",[],{},{"nodeType":247,"value":1499,"marks":1500,"data":1502},"This makes Azure CLI a prime target for attackers, and significantly more exploitable than when connecting a third-party app. ",[1501],{"type":367},{},{"nodeType":356,"data":1504,"content":1505},{},[],{"nodeType":360,"data":1507,"content":1508},{},[1509],{"nodeType":247,"value":1510,"marks":1511,"data":1513},"Advanced detection evasion techniques",[1512],{"type":367},{},{"nodeType":243,"data":1515,"content":1516},{},[1517,1521,1529],{"nodeType":247,"value":1518,"marks":1519,"data":1520},"This campaign features some of the most advanced ",[],{},{"nodeType":252,"data":1522,"content":1524},{"uri":1523},"https://phishing-techniques.pushsecurity.com/",[1525],{"nodeType":247,"value":1526,"marks":1527,"data":1528},"detection evasion techniques",[],{},{"nodeType":247,"value":1530,"marks":1531,"data":1532}," we've seen in the wild. ",[],{},{"nodeType":243,"data":1534,"content":1535},{},[1536],{"nodeType":247,"value":1537,"marks":1538,"data":1539},"As well as the use of Google Search to deliver the lure, and bot protection to prevent security tools from analyzing the page, there were multiple layers of anti-analysis techniques to navigate.",[],{},{"nodeType":243,"data":1541,"content":1542},{},[1543,1547,1552],{"nodeType":247,"value":1544,"marks":1545,"data":1546},"We already mentioned the use of selective targeting based on email addresses and domain names. But all sites involved in the campaign also have synchronized IP blocking — meaning if you visit one site and are served one of the associated phishing pages, the phish will never be served again, ",[],{},{"nodeType":247,"value":1548,"marks":1549,"data":1551},"across any of the sites linked to the campaign",[1550],{"type":367},{},{"nodeType":247,"value":1553,"marks":1554,"data":1555},". When you visit any of the sites again, the phish won't trigger, and it can be browsed as normal. ",[],{},{"nodeType":243,"data":1557,"content":1558},{},[1559],{"nodeType":247,"value":1560,"marks":1561,"data":1562},"On the backend, there are multiple checks based on your IP and identifiers unique to your session. Unless all of the conditions are met, certain JavaScript packages won't be served — preventing full inspection of the page to detect malicious elements. ",[],{},{"nodeType":243,"data":1564,"content":1565},{},[1566],{"nodeType":247,"value":1567,"marks":1568,"data":1569},"If the conditions aren't met, the page may not load the Cloudflare Turnstile check at all, or will redirect you back to the site to continue browsing as normal.",[],{},{"nodeType":274,"data":1571,"content":1575},{"target":1572},{"sys":1573},{"id":1574,"type":279,"linkType":280},"5v0zDoscA6pYLBfkXrNtIH",[],{"nodeType":243,"data":1577,"content":1578},{},[1579],{"nodeType":247,"value":1580,"marks":1581,"data":1582},"All of these make it incredibly hard to detect and block these attacks ahead of time when relying on URL-based checks and traffic analysis.",[],{},{"nodeType":356,"data":1584,"content":1585},{},[],{"nodeType":360,"data":1587,"content":1588},{},[1589],{"nodeType":247,"value":1590,"marks":1591,"data":1593},"Key takeaways",[1592],{"type":367},{},{"nodeType":243,"data":1595,"content":1596},{},[1597],{"nodeType":247,"value":1598,"marks":1599,"data":1600},"ConsentFix is a dangerous evolution of ClickFix and consent phishing that is incredibly hard for traditional security tools to detect and block, as:",[],{},{"nodeType":459,"data":1602,"content":1603},{},[1604,1614,1624,1634,1644],{"nodeType":463,"data":1605,"content":1606},{},[1607],{"nodeType":243,"data":1608,"content":1609},{},[1610],{"nodeType":247,"value":1611,"marks":1612,"data":1613},"The attack happens entirely inside the browser context, removing one of the key detection opportunities for ClickFix (because it doesn’t touch the endpoint).",[],{},{"nodeType":463,"data":1615,"content":1616},{},[1617],{"nodeType":243,"data":1618,"content":1619},{},[1620],{"nodeType":247,"value":1621,"marks":1622,"data":1623},"Delivering the lure via a Google Search watering hole attack completely circumvents email-based anti-phishing controls.",[],{},{"nodeType":463,"data":1625,"content":1626},{},[1627],{"nodeType":243,"data":1628,"content":1629},{},[1630],{"nodeType":247,"value":1631,"marks":1632,"data":1633},"Targeting a first-party app like Azure CLI means that many of the mitigating controls available for third-party app integrations do not apply — making this attack way harder to prevent.",[],{},{"nodeType":463,"data":1635,"content":1636},{},[1637],{"nodeType":243,"data":1638,"content":1639},{},[1640],{"nodeType":247,"value":1641,"marks":1642,"data":1643},"Because there’s no login required, phishing-resistant authentication controls like passkeys have no impact on this attack. ",[],{},{"nodeType":463,"data":1645,"content":1646},{},[1647],{"nodeType":243,"data":1648,"content":1649},{},[1650],{"nodeType":247,"value":1651,"marks":1652,"data":1653},"The use of advanced detection evasion techniques makes this attack difficult to investigate, meaning these attacks are going undetected. ",[],{},{"nodeType":243,"data":1655,"content":1656},{},[1657],{"nodeType":247,"value":1658,"marks":1659,"data":1660},"We’re sure to see more examples of ConsentFix in future. We’ll be monitoring to see how attackers adapt in terms of integrating these capabilities with common as-a-Service offerings to make them more widespread, and whether the scope extends further beyond Microsoft / Azure CLI targets in the future to target other enterprise cloud ecosystems. ",[],{},{"nodeType":356,"data":1662,"content":1663},{},[],{"nodeType":360,"data":1665,"content":1666},{},[1667],{"nodeType":247,"value":1668,"marks":1669,"data":1671},"Recommendations",[1670],{"type":367},{},{"nodeType":274,"data":1673,"content":1677},{"target":1674},{"sys":1675},{"id":1676,"type":279,"linkType":280},"3aBCwdB2aNnLRxRN5RrshC",[],{"nodeType":243,"data":1679,"content":1680},{},[1681],{"nodeType":247,"value":1682,"marks":1683,"data":1684},"On the backend, exploitation of this attack will lead to login events being observed to the Microsoft Azure CLI app. It’s likely that any legitimate use of this will most likely be limited to system administrators and possibly developers. Therefore, logins outside of these groups will be inherently more suspicious.",[],{},{"nodeType":243,"data":1686,"content":1687},{},[1688],{"nodeType":247,"value":1689,"marks":1690,"data":1691},"Additionally, it’s possible that aspects of the logins themselves will be different between legitimate Azure CLI use and exploitation of this attack. For example, see the following logs from a lab environment. The login events with an application of  “Microsoft Azure CLI” and a resource of “Azure Resource Manager” was legitimate use of the Azure CLI using the powershell CLI framework. Conversely, the login event with the Resource of “Windows Azure Active Directory” was produced by logging in using the method used by the phishing kit.",[],{},{"nodeType":274,"data":1693,"content":1697},{"target":1694},{"sys":1695},{"id":1696,"type":279,"linkType":280},"6ie0nkk6XbgwidfwmiGwL4",[],{"nodeType":243,"data":1699,"content":1700},{},[1701],{"nodeType":247,"value":1702,"marks":1703,"data":1704},"There is no guarantee this can be used to differentiate between legitimate and malicious examples, but it’s another data point to consider. If searching logs you may wish to use the respective GUIDs for these:",[],{},{"nodeType":459,"data":1706,"content":1707},{},[1708,1723],{"nodeType":463,"data":1709,"content":1710},{},[1711],{"nodeType":243,"data":1712,"content":1713},{},[1714,1719],{"nodeType":247,"value":1715,"marks":1716,"data":1718},"Application ID",[1717],{"type":367},{},{"nodeType":247,"value":1720,"marks":1721,"data":1722}," = 04b07795-8ddb-461a-bbee-02f9e1bf7b46",[],{},{"nodeType":463,"data":1724,"content":1725},{},[1726],{"nodeType":243,"data":1727,"content":1728},{},[1729,1734],{"nodeType":247,"value":1730,"marks":1731,"data":1733},"Resource ID",[1732],{"type":367},{},{"nodeType":247,"value":1735,"marks":1736,"data":1737}," = 00000002-0000-0000-c000-000000000000",[],{},{"nodeType":243,"data":1739,"content":1740},{},[1741],{"nodeType":247,"value":1742,"marks":1743,"data":1744},"For interactive logins, like above, you cannot rely on looking for logins from suspicious IP addresses or locations. The login itself occurs from the victims browser directly to Microsoft, and so the IP addresses associated with these events will be the legitimate IP used by the target user, not by the threat actor. ",[],{},{"nodeType":243,"data":1746,"content":1747},{},[1748],{"nodeType":247,"value":1749,"marks":1750,"data":1751},"However, for non-interactive logins and other audit logs for actions taken, you may be able to uncover unusual IP addresses that differ from the original interactive login. For example, here are some non-interactive logins that were observed immediately after compromise that came from different IP addresses in both the US and Indonesia.",[],{},{"nodeType":274,"data":1753,"content":1757},{"target":1754},{"sys":1755},{"id":1756,"type":279,"linkType":280},"TD3YeWqgGIWIWM8FRHU4o",[],{"nodeType":243,"data":1759,"content":1760},{},[1761],{"nodeType":247,"value":1762,"marks":1763,"data":1764},"Interestingly, they differ in which resources they accessed, with one accessing the Windows Azure Active Directory resource ID like the interactive login, but two others accessing the Microsoft Intune Checkin resource ID. ",[],{},{"nodeType":274,"data":1766,"content":1770},{"target":1767},{"sys":1768},{"id":1769,"type":279,"linkType":280},"57PqDQiAiwzqkspVpROQXb",[],{"nodeType":443,"data":1772,"content":1773},{},[1774],{"nodeType":247,"value":1775,"marks":1776,"data":1778},"IoCs",[1777],{"type":367},{},{"nodeType":243,"data":1780,"content":1781},{},[1782,1786,1795],{"nodeType":247,"value":1783,"marks":1784,"data":1785},"Short-lived IoCs are of limited value when tackling modern phishing attacks due to the rate at which attackers are able to ",[],{},{"nodeType":252,"data":1787,"content":1789},{"uri":1788},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[1790],{"nodeType":247,"value":1791,"marks":1792,"data":1794},"quickly spin up and rotate the sites used",[1793],{"type":260},{},{"nodeType":247,"value":1796,"marks":1797,"data":1798}," in the attack chain, often dynamically serving different URLs to site visitors. ",[],{},{"nodeType":243,"data":1800,"content":1801},{},[1802],{"nodeType":247,"value":1803,"marks":1804,"data":1805},"That said, the domains used to deliver the final phishing payload were:",[],{},{"nodeType":459,"data":1807,"content":1808},{},[1809,1819,1829],{"nodeType":463,"data":1810,"content":1811},{},[1812],{"nodeType":243,"data":1813,"content":1814},{},[1815],{"nodeType":247,"value":1816,"marks":1817,"data":1818},"hxxps://trustpointassurance.com/",[],{},{"nodeType":463,"data":1820,"content":1821},{},[1822],{"nodeType":243,"data":1823,"content":1824},{},[1825],{"nodeType":247,"value":1826,"marks":1827,"data":1828},"hxxps://fastwaycheck.com/",[],{},{"nodeType":463,"data":1830,"content":1831},{},[1832],{"nodeType":243,"data":1833,"content":1834},{},[1835],{"nodeType":247,"value":1836,"marks":1837,"data":1838},"hxxps://previewcentral.com",[],{},{"nodeType":243,"data":1840,"content":1841},{},[1842],{"nodeType":247,"value":1843,"marks":1844,"data":1845},"In addition, we recommend hunting for connections from the following IPs in Azure logs:",[],{},{"nodeType":459,"data":1847,"content":1848},{},[1849,1859,1869],{"nodeType":463,"data":1850,"content":1851},{},[1852],{"nodeType":243,"data":1853,"content":1854},{},[1855],{"nodeType":247,"value":1856,"marks":1857,"data":1858},"12.75.216.90",[],{},{"nodeType":463,"data":1860,"content":1861},{},[1862],{"nodeType":243,"data":1863,"content":1864},{},[1865],{"nodeType":247,"value":1866,"marks":1867,"data":1868},"182.3.36.223",[],{},{"nodeType":463,"data":1870,"content":1871},{},[1872],{"nodeType":243,"data":1873,"content":1874},{},[1875],{"nodeType":247,"value":1876,"marks":1877,"data":1878},"12.75.116.137",[],{},{"nodeType":356,"data":1880,"content":1881},{},[],{"nodeType":360,"data":1883,"content":1884},{},[1885],{"nodeType":247,"value":1886,"marks":1887,"data":1889},"How Push stopped the attack",[1888],{"type":367},{},{"nodeType":243,"data":1891,"content":1892},{},[1893],{"nodeType":247,"value":1006,"marks":1894,"data":1895},[],{},{"nodeType":274,"data":1897,"content":1901},{"target":1898},{"sys":1899},{"id":1900,"type":279,"linkType":280},"5YzpiQH974EYA5iPPZMXkV",[],{"nodeType":243,"data":1903,"content":1904},{},[1905,1909,1917],{"nodeType":247,"value":1906,"marks":1907,"data":1908},"Push doesn’t detect the redirect tricks or rely on outdated domain TI feeds. The reason we detect these attacks (which make it through all the other layers of phishing protection) is that Push sees what your users see. It doesn’t matter what ",[],{},{"nodeType":252,"data":1910,"content":1911},{"uri":1523},[1912],{"nodeType":247,"value":1913,"marks":1914,"data":1916},"delivery channel or camouflage methods are used",[1915],{"type":260},{},{"nodeType":247,"value":1918,"marks":1919,"data":1920},", Push shuts the attack down in real time, as the user loads the malicious page in their web browser.",[],{},{"nodeType":243,"data":1922,"content":1923},{},[1924],{"nodeType":247,"value":1925,"marks":1926,"data":1927},"This isn’t all we do: Push’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":243,"data":1929,"content":1930},{},[1931,1934,1941,1944,1951],{"nodeType":247,"value":1034,"marks":1932,"data":1933},[],{},{"nodeType":252,"data":1935,"content":1936},{"uri":1039},[1937],{"nodeType":247,"value":1042,"marks":1938,"data":1940},[1939],{"type":260},{},{"nodeType":247,"value":1047,"marks":1942,"data":1943},[],{},{"nodeType":252,"data":1945,"content":1946},{"uri":1052},[1947],{"nodeType":247,"value":1055,"marks":1948,"data":1950},[1949],{"type":260},{},{"nodeType":247,"value":439,"marks":1952,"data":1953},[],{},{"nodeType":274,"data":1955,"content":1959},{"target":1956},{"sys":1957},{"id":1958,"type":279,"linkType":280},"6QzB0BlVC5mstXwXHvy2c3",[],{"nodeType":243,"data":1961,"content":1962},{},[1963],{"nodeType":247,"value":29,"marks":1964,"data":1965},[],{},"ConsentFix: Analyzing a browser-native ClickFix-style attack that hijacks OAuth consent grants","Analyzing \"ConsentFix\", a new browser-native attack technique we've detected in the wild, combining OAuth consent phishing with a ClickFix-style user prompt. ","2025-12-11T00:00:00.000Z","consentfix",{"items":1971},[1972,1976],{"sys":1973,"name":1975},{"id":1974},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1977,"name":1979},{"id":1978},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1981},[1982],{"fullName":1983,"firstName":1984,"jobTitle":1985,"profilePicture":1986},"Luke Jennings","Luke","Vice President, R&D",{"url":1987},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"__typename":1117,"sys":1989,"content":1991,"title":2591,"synopsis":2592,"hashTags":62,"publishedDate":2593,"slug":2594,"tagsCollection":2595,"authorsCollection":2601},{"id":1990},"2YmiesBvJHGw4wiKEKzLUq",{"json":1992},{"nodeType":239,"data":1993,"content":1994},{},[1995,2002,2009,2058,2064,2071,2078,2084,2090,2096,2099,2107,2114,2120,2127,2133,2139,2146,2152,2169,2172,2180,2187,2194,2201,2208,2214,2232,2235,2243,2250,2306,2313,2320,2323,2330,2337,2344,2351,2377,2380,2387,2403,2410,2453,2460,2503,2510,2583],{"nodeType":243,"data":1996,"content":1997},{},[1998],{"nodeType":247,"value":1999,"marks":2000,"data":2001},"In recent months, we’ve seen a significant increase in the number of attacks targeting ad manager accounts. These attacks ultimately serve up an Attacker-in-the-Middle (AITM) phishing page designed to steal the victim’s Google account. ",[],{},{"nodeType":243,"data":2003,"content":2004},{},[2005],{"nodeType":247,"value":2006,"marks":2007,"data":2008},"Most recently, we reported on:",[],{},{"nodeType":459,"data":2010,"content":2011},{},[2012,2035],{"nodeType":463,"data":2013,"content":2014},{},[2015],{"nodeType":243,"data":2016,"content":2017},{},[2018,2022,2031],{"nodeType":247,"value":2019,"marks":2020,"data":2021},"A campaign running ",[],{},{"nodeType":252,"data":2023,"content":2025},{"uri":2024},"https://pushsecurity.com/blog/analysing-a-malvertising-attack-targeting-business-google-accounts/",[2026],{"nodeType":247,"value":2027,"marks":2028,"data":2030},"fake malvertising ads for “Google Ads”",[2029],{"type":260},{},{"nodeType":247,"value":2032,"marks":2033,"data":2034}," in Google Search. ",[],{},{"nodeType":463,"data":2036,"content":2037},{},[2038],{"nodeType":243,"data":2039,"content":2040},{},[2041,2045,2054],{"nodeType":247,"value":2042,"marks":2043,"data":2044},"A campaign using sophisticated ",[],{},{"nodeType":252,"data":2046,"content":2048},{"uri":2047},"https://pushsecurity.com/blog/uncovering-a-calendly-themed-phishing-campaign/",[2049],{"nodeType":247,"value":2050,"marks":2051,"data":2053},"Calendly-themed phishing lures",[2052],{"type":260},{},{"nodeType":247,"value":2055,"marks":2056,"data":2057}," targeting marketing professionals.",[],{},{"nodeType":274,"data":2059,"content":2063},{"target":2060},{"sys":2061},{"id":2062,"type":279,"linkType":280},"1ThnhFZQIhzV179qclvzFH",[],{"nodeType":243,"data":2065,"content":2066},{},[2067],{"nodeType":247,"value":2068,"marks":2069,"data":2070},"Now, we’ve seen the Google Ads malvertising campaign expand to run additional ads impersonating Ahrefs, an AI marketing platform. Crucially, employees with access to Ahrefs are highly likely to also have access to Google Ads, meaning that attackers can reliably target Google accounts via Ahrefs. ",[],{},{"nodeType":243,"data":2072,"content":2073},{},[2074],{"nodeType":247,"value":2075,"marks":2076,"data":2077},"You can see a demo of the phishing chain below. ",[],{},{"nodeType":274,"data":2079,"content":2083},{"target":2080},{"sys":2081},{"id":2082,"type":279,"linkType":280},"2XjyySGldgl9uPA7CZRms8",[],{"nodeType":274,"data":2085,"content":2089},{"target":2086},{"sys":2087},{"id":2088,"type":279,"linkType":280},"yB12nGF91iq15GoHWItaX",[],{"nodeType":274,"data":2091,"content":2095},{"target":2092},{"sys":2093},{"id":2094,"type":279,"linkType":280},"2NK29DaTd93kOctyWxV0RT",[],{"nodeType":356,"data":2097,"content":2098},{},[],{"nodeType":360,"data":2100,"content":2101},{},[2102],{"nodeType":247,"value":2103,"marks":2104,"data":2106},"Attack breakdown",[2105],{"type":367},{},{"nodeType":243,"data":2108,"content":2109},{},[2110],{"nodeType":247,"value":2111,"marks":2112,"data":2113},"Users searching for “ahrefs” on Google Search were served with a fake ad impersonating Ahrefs, hosted on Squarespace, a legitimate website building and hosting platform. Previously, we’d seen this campaign use hosting sites Odoo and Kartra to similar effect. ",[],{},{"nodeType":274,"data":2115,"content":2119},{"target":2116},{"sys":2117},{"id":2118,"type":279,"linkType":280},"59dhFey5rahm5sA20NudTl",[],{"nodeType":243,"data":2121,"content":2122},{},[2123],{"nodeType":247,"value":2124,"marks":2125,"data":2126},"Upon clicking the link, the victim was taken to a clone of the real Ahrefs site. Crucially, you can see that the domain is not the official Ahrefs domain. ",[],{},{"nodeType":274,"data":2128,"content":2132},{"target":2129},{"sys":2130},{"id":2131,"type":279,"linkType":280},"48fQUiJXC1qACKUUPDliS5",[],{"nodeType":274,"data":2134,"content":2138},{"target":2135},{"sys":2136},{"id":2137,"type":279,"linkType":280},"77iqOW1jDVt5Oxw8qTwnKG",[],{"nodeType":243,"data":2140,"content":2141},{},[2142],{"nodeType":247,"value":2143,"marks":2144,"data":2145},"However, the site is not fully interactable beyond the front page. Clicking on any link takes the user to a Google sign-in page. ",[],{},{"nodeType":274,"data":2147,"content":2151},{"target":2148},{"sys":2149},{"id":2150,"type":279,"linkType":280},"7t9BoUyIFN8dlBDksjsYlD",[],{"nodeType":243,"data":2153,"content":2154},{},[2155,2159,2166],{"nodeType":247,"value":2156,"marks":2157,"data":2158},"This is in fact an AITM phishing page that is designed to hijack the victim’s Google account. Entering credentials and completing the MFA check will result in the attacker stealing the app session and effectively taking over the account. The phishing kit used matches ",[],{},{"nodeType":252,"data":2160,"content":2161},{"uri":2024},[2162],{"nodeType":247,"value":2163,"marks":2164,"data":2165},"the previous malvertising detected impersonating Google Ads",[],{},{"nodeType":247,"value":988,"marks":2167,"data":2168},[],{},{"nodeType":356,"data":2170,"content":2171},{},[],{"nodeType":360,"data":2173,"content":2174},{},[2175],{"nodeType":247,"value":2176,"marks":2177,"data":2179},"Why are attackers targeting ad manager accounts?",[2178],{"type":367},{},{"nodeType":243,"data":2181,"content":2182},{},[2183],{"nodeType":247,"value":2184,"marks":2185,"data":2186},"Ad Manager accounts on platforms like Google, Facebook, and LinkedIn have become lucrative targets for cybercriminals. By compromising these accounts, attackers can exploit the digital advertising ecosystem in various ways for financial gain. ",[],{},{"nodeType":243,"data":2188,"content":2189},{},[2190],{"nodeType":247,"value":2191,"marks":2192,"data":2193},"The ad industry’s scale makes it attractive to fraud. Estimates suggest digital ad fraud cost advertisers tens of billions, potentially nearing $100 billion or more, with projections reaching $172 billion by 2028.",[],{},{"nodeType":243,"data":2195,"content":2196},{},[2197],{"nodeType":247,"value":2198,"marks":2199,"data":2200},"A hijacked Google Ad Manager account gives attackers access to significant ad spend and account data which can be monetized illicitly. The tactics range from stealthy ad fraud to overt abuse like malicious ads or extortion schemes.",[],{},{"nodeType":243,"data":2202,"content":2203},{},[2204],{"nodeType":247,"value":2205,"marks":2206,"data":2207},"Pretty much every enterprise today advertises their services via Google ads — this makes attacks on these accounts pretty much a unanimous problem. Agencies managing numerous client accounts are put further at risk. For example, if an attacker can compromise an MCC account (used to manage several ad accounts) they get full access to the customer portfolio. ",[],{},{"nodeType":274,"data":2209,"content":2213},{"target":2210},{"sys":2211},{"id":2212,"type":279,"linkType":280},"1WPbstxHtdjnAKpF1rhCpW",[],{"nodeType":243,"data":2215,"content":2216},{},[2217,2221,2229],{"nodeType":247,"value":2218,"marks":2219,"data":2220},"Learn more about why attackers are targeting ad manager accounts ",[],{},{"nodeType":252,"data":2222,"content":2224},{"uri":2223},"https://pushsecurity.com/blog/cyber-criminal-ecosystem-analysis",[2225],{"nodeType":247,"value":2226,"marks":2227,"data":2228},"in our blog post",[],{},{"nodeType":247,"value":988,"marks":2230,"data":2231},[],{},{"nodeType":356,"data":2233,"content":2234},{},[],{"nodeType":360,"data":2236,"content":2237},{},[2238],{"nodeType":247,"value":2239,"marks":2240,"data":2242},"Why malvertising? ",[2241],{"type":367},{},{"nodeType":243,"data":2244,"content":2245},{},[2246],{"nodeType":247,"value":2247,"marks":2248,"data":2249},"Malvertising scams happen across lots of different sites, but the most common platform we see targeted is Google Search. This takes advantage of users browsing to find a website and clicking the first link that appears — in this case a fake sponsored link taking you to the attacker’s page. ",[],{},{"nodeType":243,"data":2251,"content":2252},{},[2253,2257,2265,2269,2278,2281,2290,2293,2302],{"nodeType":247,"value":2254,"marks":2255,"data":2256},"Malvertising attacks delivered over channels like Google Search are a great way to catch victims unawares while also evading typically email-based anti-phishing controls. Malvertising is an increasingly popular attack vector for the delivery of AITM phishing, malware downloads, and ",[],{},{"nodeType":252,"data":2258,"content":2259},{"uri":1389},[2260],{"nodeType":247,"value":2261,"marks":2262,"data":2264},"ClickFix",[2263],{"type":260},{},{"nodeType":247,"value":2266,"marks":2267,"data":2268}," (4 in 5 ClickFix attacks intercepted by Push were delivered via Google Search). This isn’t just targeting ad manager accounts — last year, we reported on campaigns impersonating ",[],{},{"nodeType":252,"data":2270,"content":2272},{"uri":2271},"https://pushsecurity.com/blog/analysing-a-sophisticated-google-malvertising-attack/",[2273],{"nodeType":247,"value":2274,"marks":2275,"data":2277},"TradingView",[2276],{"type":260},{},{"nodeType":247,"value":312,"marks":2279,"data":2280},[],{},{"nodeType":252,"data":2282,"content":2284},{"uri":2283},"https://pushsecurity.com/blog/phishing-with-active-directory-federation-services/",[2285],{"nodeType":247,"value":2286,"marks":2287,"data":2289},"Microsoft Office 365",[2288],{"type":260},{},{"nodeType":247,"value":325,"marks":2291,"data":2292},[],{},{"nodeType":252,"data":2294,"content":2296},{"uri":2295},"https://pushsecurity.com/blog/investigating-a-recent-malvertising-campaign-targeting-onfido-customers/",[2297],{"nodeType":247,"value":2298,"marks":2299,"data":2301},"Onfido",[2300],{"type":260},{},{"nodeType":247,"value":2303,"marks":2304,"data":2305},", to name a few. ",[],{},{"nodeType":243,"data":2307,"content":2308},{},[2309],{"nodeType":247,"value":2310,"marks":2311,"data":2312},"There’s a tendency to see malvertising as a more random attack, but Google Ads can be tuned to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). If you know where your target organization is located, you can tailor the ad to that location. Even more precise ad targeting can be achieved on social media platforms. ",[],{},{"nodeType":243,"data":2314,"content":2315},{},[2316],{"nodeType":247,"value":2317,"marks":2318,"data":2319},"Because these attacks completely circumvent the traditional phishing detection surface (email) and often happen entirely over the internet (meaning no endpoint security controls can come into play) the only way to reliably detect and stop these attacks is to intercept them where they happen — in the user’s web browser. ",[],{},{"nodeType":356,"data":2321,"content":2322},{},[],{"nodeType":360,"data":2324,"content":2325},{},[2326],{"nodeType":247,"value":1886,"marks":2327,"data":2329},[2328],{"type":367},{},{"nodeType":243,"data":2331,"content":2332},{},[2333],{"nodeType":247,"value":2334,"marks":2335,"data":2336},"Regardless of the delivery channel, all roads lead to a web page accessed in the victim’s browser, where Push is waiting to detect and block the attack. Even if the page has never been previously flagged as suspicious or malicious, Push analyses the page in real time and blocks it — protecting against the latest zero-day threats.  ",[],{},{"nodeType":243,"data":2338,"content":2339},{},[2340],{"nodeType":247,"value":2341,"marks":2342,"data":2343},"By seeing what your users see, and getting an unfiltered, real-time view of the page as it loads, Push is able to pinpoint malicious content, code, and behaviors and shut the attack down before it happens. Whether it's entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA, Push detects the action and shuts it down.",[],{},{"nodeType":243,"data":2345,"content":2346},{},[2347],{"nodeType":247,"value":2348,"marks":2349,"data":2350},"Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",[],{},{"nodeType":243,"data":2352,"content":2353},{},[2354,2357,2364,2367,2374],{"nodeType":247,"value":1034,"marks":2355,"data":2356},[],{},{"nodeType":252,"data":2358,"content":2359},{"uri":1039},[2360],{"nodeType":247,"value":1042,"marks":2361,"data":2363},[2362],{"type":260},{},{"nodeType":247,"value":1047,"marks":2365,"data":2366},[],{},{"nodeType":252,"data":2368,"content":2369},{"uri":1052},[2370],{"nodeType":247,"value":1055,"marks":2371,"data":2373},[2372],{"type":260},{},{"nodeType":247,"value":439,"marks":2375,"data":2376},[],{},{"nodeType":356,"data":2378,"content":2379},{},[],{"nodeType":360,"data":2381,"content":2382},{},[2383],{"nodeType":247,"value":1775,"marks":2384,"data":2386},[2385],{"type":367},{},{"nodeType":243,"data":2388,"content":2389},{},[2390,2393,2400],{"nodeType":247,"value":1783,"marks":2391,"data":2392},[],{},{"nodeType":252,"data":2394,"content":2395},{"uri":1788},[2396],{"nodeType":247,"value":1791,"marks":2397,"data":2399},[2398],{"type":260},{},{"nodeType":247,"value":1796,"marks":2401,"data":2402},[],{},{"nodeType":243,"data":2404,"content":2405},{},[2406],{"nodeType":247,"value":2407,"marks":2408,"data":2409},"That said, the domains observed in this chain were:",[],{},{"nodeType":459,"data":2411,"content":2412},{},[2413,2423,2433,2443],{"nodeType":463,"data":2414,"content":2415},{},[2416],{"nodeType":243,"data":2417,"content":2418},{},[2419],{"nodeType":247,"value":2420,"marks":2421,"data":2422},"comandd-ok[.]com",[],{},{"nodeType":463,"data":2424,"content":2425},{},[2426],{"nodeType":243,"data":2427,"content":2428},{},[2429],{"nodeType":247,"value":2430,"marks":2431,"data":2432},"ahrefs-ac.squarespace[.]com",[],{},{"nodeType":463,"data":2434,"content":2435},{},[2436],{"nodeType":243,"data":2437,"content":2438},{},[2439],{"nodeType":247,"value":2440,"marks":2441,"data":2442},"ahrefs-seo-app.squarespace[.]com",[],{},{"nodeType":463,"data":2444,"content":2445},{},[2446],{"nodeType":243,"data":2447,"content":2448},{},[2449],{"nodeType":247,"value":2450,"marks":2451,"data":2452},"slgn-ahrefs-app-com.squarespace[.]com",[],{},{"nodeType":243,"data":2454,"content":2455},{},[2456],{"nodeType":247,"value":2457,"marks":2458,"data":2459},"[Update 24th February] We also observed the following new domains:",[],{},{"nodeType":459,"data":2461,"content":2462},{},[2463,2473,2483,2493],{"nodeType":463,"data":2464,"content":2465},{},[2466],{"nodeType":243,"data":2467,"content":2468},{},[2469],{"nodeType":247,"value":2470,"marks":2471,"data":2472},"www-ahrefs-seo-ads[.]surge.sh",[],{},{"nodeType":463,"data":2474,"content":2475},{},[2476],{"nodeType":243,"data":2477,"content":2478},{},[2479],{"nodeType":247,"value":2480,"marks":2481,"data":2482},"web-semrush-seo-wold[.]surge[.]sh",[],{},{"nodeType":463,"data":2484,"content":2485},{},[2486],{"nodeType":243,"data":2487,"content":2488},{},[2489],{"nodeType":247,"value":2490,"marks":2491,"data":2492},"contabelforeehc[.]com",[],{},{"nodeType":463,"data":2494,"content":2495},{},[2496],{"nodeType":243,"data":2497,"content":2498},{},[2499],{"nodeType":247,"value":2500,"marks":2501,"data":2502},"contabelfore[.]com",[],{},{"nodeType":243,"data":2504,"content":2505},{},[2506],{"nodeType":247,"value":2507,"marks":2508,"data":2509},"In addition, the following domains were previously associated with the attacks we detected in December:",[],{},{"nodeType":459,"data":2511,"content":2512},{},[2513,2523,2533,2543,2553,2563,2573],{"nodeType":463,"data":2514,"content":2515},{},[2516],{"nodeType":243,"data":2517,"content":2518},{},[2519],{"nodeType":247,"value":2520,"marks":2521,"data":2522},"ads-adsword1.odoo[.]com",[],{},{"nodeType":463,"data":2524,"content":2525},{},[2526],{"nodeType":243,"data":2527,"content":2528},{},[2529],{"nodeType":247,"value":2530,"marks":2531,"data":2532},"sing-operador2[.]click/accounts/v3/login",[],{},{"nodeType":463,"data":2534,"content":2535},{},[2536],{"nodeType":243,"data":2537,"content":2538},{},[2539],{"nodeType":247,"value":2540,"marks":2541,"data":2542},"adsgooglie.odoo[.]com/",[],{},{"nodeType":463,"data":2544,"content":2545},{},[2546],{"nodeType":243,"data":2547,"content":2548},{},[2549],{"nodeType":247,"value":2550,"marks":2551,"data":2552},"word4only[.]online/",[],{},{"nodeType":463,"data":2554,"content":2555},{},[2556],{"nodeType":243,"data":2557,"content":2558},{},[2559],{"nodeType":247,"value":2560,"marks":2561,"data":2562},"adsloginacess.kartra[.]com/page/oeN7",[],{},{"nodeType":463,"data":2564,"content":2565},{},[2566],{"nodeType":243,"data":2567,"content":2568},{},[2569],{"nodeType":247,"value":2570,"marks":2571,"data":2572},"ads-o.odoo[.]com",[],{},{"nodeType":463,"data":2574,"content":2575},{},[2576],{"nodeType":243,"data":2577,"content":2578},{},[2579],{"nodeType":247,"value":2580,"marks":2581,"data":2582},"operador8-ads[.]lat/accounts/v3/login/",[],{},{"nodeType":243,"data":2584,"content":2585},{},[2586],{"nodeType":247,"value":2587,"marks":2588,"data":2590},"Push customers do not need to take any further action.",[2589],{"type":367},{},"Google Search malvertising campaign continues, now impersonating Ahrefs","New samples linked to a Push-tracked malvertising campaign detected, targeting Google accounts via an Ahrefs lure. ","2026-01-12T00:00:00.000Z","google-search-malvertising-campaign-continues-now-impersonating-ahrefs",{"items":2596},[2597,2599],{"sys":2598,"name":1979},{"id":1978},{"sys":2600,"name":1975},{"id":1974},{"items":2602},[2603],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":2604},{"url":236},{"__typename":1117,"sys":2606,"content":2608,"title":3915,"synopsis":3916,"hashTags":62,"publishedDate":3917,"slug":3918,"tagsCollection":3919,"authorsCollection":3925},{"id":2607},"37KWV8V5L3aNZBSx6JMd0Z",{"json":2609},{"data":2610,"content":2611,"nodeType":239},{},[2612,2619,2626,2690,2697,2766,2772,2779,2786,2789,2796,2803,2810,2914,2933,2940,2983,2990,2997,3004,3037,3043,3075,3081,3088,3095,3128,3148,3151,3158,3164,3195,3202,3209,3216,3222,3229,3235,3250,3293,3299,3319,3322,3329,3335,3355,3362,3395,3416,3422,3443,3450,3457,3517,3524,3530,3545,3560,3581,3587,3608,3615,3618,3625,3631,3638,3645,3666,3672,3693,3699,3706,3739,3757,3760,3767,3773,3780,3801,3807,3822,3828,3835,3842,3861,3864,3871,3878,3885],{"data":2613,"content":2614,"nodeType":243},{},[2615],{"data":2616,"marks":2617,"value":2618,"nodeType":247},{},[],"Looking back over the year’s headlines and trending TTPs, it’s clear that 2025 was the year that browser-based account takeover techniques made the leap into the mainstream.",{"data":2620,"content":2621,"nodeType":243},{},[2622],{"data":2623,"marks":2624,"value":2625,"nodeType":247},{},[],"A few stats tell the story …",{"data":2627,"content":2628,"nodeType":459},{},[2629,2650,2669],{"data":2630,"content":2631,"nodeType":463},{},[2632],{"data":2633,"content":2634,"nodeType":243},{},[2635,2639,2646],{"data":2636,"marks":2637,"value":2638,"nodeType":247},{},[],"Identity-based attacks surged by 32% over the last year, and 97% of identity attacks were password-based, driven by a combination of credential leaks and infostealer malware. (",{"data":2640,"content":2642,"nodeType":252},{"uri":2641},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[2643],{"data":2644,"marks":2645,"value":307,"nodeType":247},{},[],{"data":2647,"marks":2648,"value":2649,"nodeType":247},{},[],")",{"data":2651,"content":2652,"nodeType":463},{},[2653],{"data":2654,"content":2655,"nodeType":243},{},[2656,2660,2666],{"data":2657,"marks":2658,"value":2659,"nodeType":247},{},[],"ClickFix was the most common initial point of access for adversaries in the past year, accounting for a whopping 47% of observed attacks. (",{"data":2661,"content":2662,"nodeType":252},{"uri":2641},[2663],{"data":2664,"marks":2665,"value":307,"nodeType":247},{},[],{"data":2667,"marks":2668,"value":2649,"nodeType":247},{},[],{"data":2670,"content":2671,"nodeType":463},{},[2672],{"data":2673,"content":2674,"nodeType":243},{},[2675,2679,2687],{"data":2676,"marks":2677,"value":2678,"nodeType":247},{},[],"Pure malware-based attacks declined, as adversaries continued to shift from targeting endpoints to corporate identities. In the last year-plus, 79% of detections were malware-free, up from 40% in 2019. And abuse of valid accounts was responsible for more than one-third of all cloud-related incidents. (",{"data":2680,"content":2682,"nodeType":252},{"uri":2681},"https://www.crowdstrike.com/en-gb/global-threat-report/",[2683],{"data":2684,"marks":2685,"value":2686,"nodeType":247},{},[],"Crowdstrike",{"data":2688,"marks":2689,"value":2649,"nodeType":247},{},[],{"data":2691,"content":2692,"nodeType":243},{},[2693],{"data":2694,"marks":2695,"value":2696,"nodeType":247},{},[],"… and so do the headlines from 2025:",{"data":2698,"content":2699,"nodeType":459},{},[2700,2719,2747],{"data":2701,"content":2702,"nodeType":463},{},[2703],{"data":2704,"content":2705,"nodeType":243},{},[2706,2710,2715],{"data":2707,"marks":2708,"value":2709,"nodeType":247},{},[],"Attackers stole over ",{"data":2711,"marks":2712,"value":2714,"nodeType":247},{},[2713],{"type":367},"1.5 billion records",{"data":2716,"marks":2717,"value":2718,"nodeType":247},{},[]," from an estimated 1,000+ Salesforce tenants by exploiting integrations (Salesloft, Gainsight), phishing credentials, and by tricking users into installing a malicious OAuth app.",{"data":2720,"content":2721,"nodeType":463},{},[2722],{"data":2723,"content":2724,"nodeType":243},{},[2725,2729,2734,2738,2743],{"data":2726,"marks":2727,"value":2728,"nodeType":247},{},[],"Marks & Spencer was hit with a help desk scam that led to a compromised Microsoft Entra account, followed by a ransomware deployment resulting in months of disruption, ",{"data":2730,"marks":2731,"value":2733,"nodeType":247},{},[2732],{"type":367},"$400M",{"data":2735,"marks":2736,"value":2737,"nodeType":247},{},[]," in lost profits, and around ",{"data":2739,"marks":2740,"value":2742,"nodeType":247},{},[2741],{"type":367},"$1.3B",{"data":2744,"marks":2745,"value":2746,"nodeType":247},{},[]," wiped off their stock market valuation at one stage.",{"data":2748,"content":2749,"nodeType":463},{},[2750],{"data":2751,"content":2752,"nodeType":243},{},[2753,2757,2762],{"data":2754,"marks":2755,"value":2756,"nodeType":247},{},[],"Jaguar Land Rover was compromised via highly privileged admin accounts — another help desk scam targeting workforce credentials for initial access — resulting in months of disruption that led the UK government to underwrite a ",{"data":2758,"marks":2759,"value":2761,"nodeType":247},{},[2760],{"type":367},"$1.5B",{"data":2763,"marks":2764,"value":2765,"nodeType":247},{},[]," loan to alleviate the supply chain impact. This was the most economically consequential cyber attack yet recorded in a G7 economy.",{"data":2767,"content":2771,"nodeType":274},{"target":2768},{"sys":2769},{"id":2770,"type":279,"linkType":280},"v5YYnjP2NViOh6Ucxp2Fe",[],{"data":2773,"content":2774,"nodeType":243},{},[2775],{"data":2776,"marks":2777,"value":2778,"nodeType":247},{},[],"At Push, we’ve been closely tracking the evolution of browser-based attacks. Looking back at 2025, we’ve seen a notable increase in the sophistication and frequency of modern attack techniques methods like ClickFix, commodified phish kits that bypass MFA, malicious browser extensions, and many more. (Writing phish kit teardowns for the Push blog is practically a full-time job now.)",{"data":2780,"content":2781,"nodeType":243},{},[2782],{"data":2783,"marks":2784,"value":2785,"nodeType":247},{},[],"In this article, we’ll take a look at how real-world attacks and our own research drove the features we delivered for Push customers this year to take the fight to adversaries.",{"data":2787,"content":2788,"nodeType":356},{},[],{"data":2790,"content":2791,"nodeType":360},{},[2792],{"data":2793,"marks":2794,"value":2795,"nodeType":247},{},[],"Detecting and blocking increasingly sophisticated phishing-as-a-service tools",{"data":2797,"content":2798,"nodeType":443},{},[2799],{"data":2800,"marks":2801,"value":2802,"nodeType":247},{},[],"What happened",{"data":2804,"content":2805,"nodeType":243},{},[2806],{"data":2807,"marks":2808,"value":2809,"nodeType":247},{},[],"The current state of the art for phishing centers on three core developments:",{"data":2811,"content":2812,"nodeType":459},{},[2813,2843,2885],{"data":2814,"content":2815,"nodeType":463},{},[2816],{"data":2817,"content":2818,"nodeType":243},{},[2819,2824,2828,2839],{"data":2820,"marks":2821,"value":2823,"nodeType":247},{},[2822],{"type":367},"Detection evasion: ",{"data":2825,"marks":2826,"value":2827,"nodeType":247},{},[],"Adversaries demonstrated a ",{"data":2829,"content":2833,"nodeType":2838},{"target":2830},{"sys":2831},{"id":2832,"type":279,"linkType":280},"4XZ6qCr8pjJvcD7hi09x2Y",[2834],{"data":2835,"marks":2836,"value":2837,"nodeType":247},{},[],"creative array of approaches","entry-hyperlink",{"data":2840,"marks":2841,"value":2842,"nodeType":247},{},[]," this year to hide their intentions from end-users and defenders, using methods such as sending phishing emails from legitimate services; serving phishing pages via malvertising and SEO poisoning; and obfuscating URLs. More sophisticated techniques used page-level obfuscation, cross-domain iframes, single-use links, and legitimate OIDC logins to evade detection and analysis from traditional tools.",{"data":2844,"content":2845,"nodeType":463},{},[2846],{"data":2847,"content":2848,"nodeType":243},{},[2849,2854,2858,2867,2871,2881],{"data":2850,"marks":2851,"value":2853,"nodeType":247},{},[2852],{"type":367},"Multi-channel delivery of lures:",{"data":2855,"marks":2856,"value":2857,"nodeType":247},{},[]," Adversaries proved the truism of “phishing doesn’t just happen in the mailbox” this year by increasing their observed use of ",{"data":2859,"content":2863,"nodeType":2838},{"target":2860},{"sys":2861},{"id":2862,"type":279,"linkType":280},"72lLmy0CXnOp3LWOdcUguX",[2864],{"data":2865,"marks":2866,"value":1417,"nodeType":247},{},[],{"data":2868,"marks":2869,"value":2870,"nodeType":247},{},[]," and SEO poisoning — techniques that place malicious pages within trusted contexts like the Google search engine results page — as well as the use of social media services like LinkedIn to ",{"data":2872,"content":2876,"nodeType":2838},{"target":2873},{"sys":2874},{"id":2875,"type":279,"linkType":280},"2yEhB2gFC2TJDLquVP3cg2",[2877],{"data":2878,"marks":2879,"value":2880,"nodeType":247},{},[],"deliver phishing lures",{"data":2882,"marks":2883,"value":2884,"nodeType":247},{},[],". ",{"data":2886,"content":2887,"nodeType":463},{},[2888],{"data":2889,"content":2890,"nodeType":243},{},[2891,2896,2900,2910],{"data":2892,"marks":2893,"value":2895,"nodeType":247},{},[2894],{"type":367},"Commodification of phishing toolkits:",{"data":2897,"marks":2898,"value":2899,"nodeType":247},{},[]," Phishing-as-a-service (PhaaS) kits have become another SaaS with their own supply chain, including developers of malicious tooling, operators who run the campaigns, and brokers who sell stolen credentials and tokens. The incentives for attackers are clear: quick ROI from targeting workforce identities, and out-of-the-box tools that make it easier to efficiently spin up new campaigns or try new techniques. As with any SaaS offering, the customer (attackers, in this case) benefits from rapid innovations they didn’t have to build. We saw this recently with the ",{"data":2901,"content":2905,"nodeType":2838},{"target":2902},{"sys":2903},{"id":2904,"type":279,"linkType":280},"6QLonRmBzbj9h88Y7jD0LU",[2906],{"data":2907,"marks":2908,"value":2909,"nodeType":247},{},[],"addition of a browser-in-the-browser (BitB) technique",{"data":2911,"marks":2912,"value":2913,"nodeType":247},{},[]," to the phish kit Sneaky2FA — a change that makes it even more effective.",{"data":2915,"content":2916,"nodeType":243},{},[2917,2921,2929],{"data":2918,"marks":2919,"value":2920,"nodeType":247},{},[],"In 2025, Push researchers tracked how each of these developments expanded in scope and sophistication. Check out our ",{"data":2922,"content":2924,"nodeType":252},{"uri":2923},"https://pushsecurity.github.io/phishing-techniques/",[2925],{"data":2926,"marks":2927,"value":2928,"nodeType":247},{},[],"phishing detection evasion techniques matrix",{"data":2930,"marks":2931,"value":2932,"nodeType":247},{},[]," on Github for more detail. ",{"data":2934,"content":2935,"nodeType":243},{},[2936],{"data":2937,"marks":2938,"value":2939,"nodeType":247},{},[],"The takeaways for security teams?",{"data":2941,"content":2942,"nodeType":459},{},[2943,2953,2973],{"data":2944,"content":2945,"nodeType":463},{},[2946],{"data":2947,"content":2948,"nodeType":243},{},[2949],{"data":2950,"marks":2951,"value":2952,"nodeType":247},{},[],"You can’t block your way to safety when adversaries are using the same legitimate apps that your employees use.",{"data":2954,"content":2955,"nodeType":463},{},[2956],{"data":2957,"content":2958,"nodeType":243},{},[2959,2963,2969],{"data":2960,"marks":2961,"value":2962,"nodeType":247},{},[],"Similarly, while end-user training is important, it’s not reasonable to expect employees to know when a SharePoint document link is malicious when it looks identical to the ones they trust every day — because adversaries ",{"data":2964,"marks":2965,"value":2968,"nodeType":247},{},[2966],{"type":2967},"italic","are using the legitimate service",{"data":2970,"marks":2971,"value":2972,"nodeType":247},{},[],". Push researchers have observed the abuse of hundreds of legitimate services in phishing attacks this year.",{"data":2974,"content":2975,"nodeType":463},{},[2976],{"data":2977,"content":2978,"nodeType":243},{},[2979],{"data":2980,"marks":2981,"value":2982,"nodeType":247},{},[],"Security solutions need to be able to analyze real-time context and behavior, not rely solely on inferences from secondary characteristics like domain reputation.",{"data":2984,"content":2985,"nodeType":243},{},[2986],{"data":2987,"marks":2988,"value":2989,"nodeType":247},{},[],"Here's what we built to help defend organizations.",{"data":2991,"content":2992,"nodeType":443},{},[2993],{"data":2994,"marks":2995,"value":2996,"nodeType":247},{},[],"What we built",{"data":2998,"content":2999,"nodeType":243},{},[3000],{"data":3001,"marks":3002,"value":3003,"nodeType":247},{},[],"The feature we built in 2025 that gave us unique insight into these TTPs is Push’s Detections capability. With Detections, you can:",{"data":3005,"content":3006,"nodeType":459},{},[3007,3017,3027],{"data":3008,"content":3009,"nodeType":463},{},[3010],{"data":3011,"content":3012,"nodeType":243},{},[3013],{"data":3014,"marks":3015,"value":3016,"nodeType":247},{},[],"Get alerted when Push detects a browser-based attack, and see how the Push agent responded to block the attack. The platform provides a front-end view for quick triage, and you can also pipe the detection events to your SIEM or other platform of choice.",{"data":3018,"content":3019,"nodeType":463},{},[3020],{"data":3021,"content":3022,"nodeType":243},{},[3023],{"data":3024,"marks":3025,"value":3026,"nodeType":247},{},[],"Review a timeline of the incident: Where a phishing link originated; whether a user entered their credentials; what kind of phishkit was detected; and how Push responded (configurable based on your environment).",{"data":3028,"content":3029,"nodeType":463},{},[3030],{"data":3031,"content":3032,"nodeType":243},{},[3033],{"data":3034,"marks":3035,"value":3036,"nodeType":247},{},[],"Get actionable telemetry and metadata about an incident, including a screenshot of the malicious page to see exactly what the user saw; intel about the involved domains, including when they were registered and if they’ve been scanned by urlscan before; and the blast radius of an attack, including other apps that shared a password with the potentially compromised account",{"data":3038,"content":3042,"nodeType":274},{"target":3039},{"sys":3040},{"id":3041,"type":279,"linkType":280},"5dygPaG3Gfw4Yeicffv6tV",[],{"data":3044,"content":3045,"nodeType":243},{},[3046,3050,3055,3058,3063,3066,3071],{"data":3047,"marks":3048,"value":3049,"nodeType":247},{},[],"This telemetry — combined with Push’s out-of-the-box controls like ",{"data":3051,"marks":3052,"value":3054,"nodeType":247},{},[3053],{"type":367},"Phishing tool detection",{"data":3056,"marks":3057,"value":312,"nodeType":247},{},[],{"data":3059,"marks":3060,"value":3062,"nodeType":247},{},[3061],{"type":367},"Cloned login page detection",{"data":3064,"marks":3065,"value":325,"nodeType":247},{},[],{"data":3067,"marks":3068,"value":3070,"nodeType":247},{},[3069],{"type":367},"Malicious copy and paste detection",{"data":3072,"marks":3073,"value":3074,"nodeType":247},{},[]," (aka ClickFix detection) — give you a seat on the user’s side of the equation, capturing real-time information about what users did and the TTPs of an attack so you can investigate and respond efficiently and confidently.",{"data":3076,"content":3080,"nodeType":274},{"target":3077},{"sys":3078},{"id":3079,"type":279,"linkType":280},"563fJFSgoLDOwSXSQ9Y0MM",[],{"data":3082,"content":3083,"nodeType":243},{},[3084],{"data":3085,"marks":3086,"value":3087,"nodeType":247},{},[],"With the visibility provided by this telemetry across Push’s install base, our R&D and Product teams have rapidly iterated all year on our detections to increase coverage and respond quickly to newly identified attack types.",{"data":3089,"content":3090,"nodeType":243},{},[3091],{"data":3092,"marks":3093,"value":3094,"nodeType":247},{},[],"This year, we also released:",{"data":3096,"content":3097,"nodeType":459},{},[3098,3108,3118],{"data":3099,"content":3100,"nodeType":463},{},[3101],{"data":3102,"content":3103,"nodeType":243},{},[3104],{"data":3105,"marks":3106,"value":3107,"nodeType":247},{},[],"Detections for new variants of cloned login pages and AiTM phish kits.",{"data":3109,"content":3110,"nodeType":463},{},[3111],{"data":3112,"content":3113,"nodeType":243},{},[3114],{"data":3115,"marks":3116,"value":3117,"nodeType":247},{},[],"12+ pre-release detections focused on flagging emerging attacker techniques.",{"data":3119,"content":3120,"nodeType":463},{},[3121],{"data":3122,"content":3123,"nodeType":243},{},[3124],{"data":3125,"marks":3126,"value":3127,"nodeType":247},{},[],"7+ first-class SIEM and SOAR integrations, to make it simpler to ingest Push telemetry and operationalize it.",{"data":3129,"content":3130,"nodeType":243},{},[3131,3135,3145],{"data":3132,"marks":3133,"value":3134,"nodeType":247},{},[],"Learn more about Push’s detections features in our ",{"data":3136,"content":3140,"nodeType":2838},{"target":3137},{"sys":3138},{"id":3139,"type":279,"linkType":280},"6OFdfAsoPUECeRAetWvedp",[3141],{"data":3142,"marks":3143,"value":3144,"nodeType":247},{},[],"blog article",{"data":3146,"marks":3147,"value":439,"nodeType":247},{},[],{"data":3149,"content":3150,"nodeType":356},{},[],{"data":3152,"content":3153,"nodeType":360},{},[3154],{"data":3155,"marks":3156,"value":3157,"nodeType":247},{},[],"Detecting and blocking ClickFix-style malicious copy and paste attacks",{"data":3159,"content":3160,"nodeType":443},{},[3161],{"data":3162,"marks":3163,"value":2802,"nodeType":247},{},[],{"data":3165,"content":3166,"nodeType":243},{},[3167,3171,3179,3183,3191],{"data":3168,"marks":3169,"value":3170,"nodeType":247},{},[],"ClickFix-style attacks left their mark in 2025, quickly becoming one of the most prevalent attack techniques — with ",{"data":3172,"content":3174,"nodeType":252},{"uri":3173},"https://www.scworld.com/news/clickfix-phishing-links-increased-nearly-400-in-12-months-report-says",[3175],{"data":3176,"marks":3177,"value":3178,"nodeType":247},{},[],"estimates",{"data":3180,"marks":3181,"value":3182,"nodeType":247},{},[]," of a 400 percent year-over-year increase, and another ",{"data":3184,"content":3186,"nodeType":252},{"uri":3185},"https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h12025.pdf",[3187],{"data":3188,"marks":3189,"value":3190,"nodeType":247},{},[],"report",{"data":3192,"marks":3193,"value":3194,"nodeType":247},{},[]," documenting a 517 percent growth in just the last 6 months of the year.",{"data":3196,"content":3197,"nodeType":243},{},[3198],{"data":3199,"marks":3200,"value":3201,"nodeType":247},{},[],"What is ClickFix? This attack technique prompts the user to solve some kind of problem or troubleshooting step in the browser — often presented as a CAPTCHA challenge. The key aspect of the attack is that it tricks users into running malicious commands on their device by copying malicious code from the page clipboard and running it locally. (The copy typically occurs  automatically via the page itself, but can also be performed manually by the user.)",{"data":3203,"content":3204,"nodeType":243},{},[3205],{"data":3206,"marks":3207,"value":3208,"nodeType":247},{},[],"These malicious copy and paste attacks are often used to deliver infostealer malware or remote access software, with the attacker’s end goal being stealing session cookies and credentials to facilitate attacks on business apps.",{"data":3210,"content":3211,"nodeType":243},{},[3212],{"data":3213,"marks":3214,"value":3215,"nodeType":247},{},[],"What’s especially challenging about this attack type is that it usually can only be detected after the fact — when a machine is already compromised, or malicious code attempts to execute (if EDR catches it). Even if it is detected, security teams are left flying blind when they try to determine the initial vector for the attack, and which other users might have been targeted.",{"data":3217,"content":3218,"nodeType":443},{},[3219],{"data":3220,"marks":3221,"value":2996,"nodeType":247},{},[],{"data":3223,"content":3224,"nodeType":243},{},[3225],{"data":3226,"marks":3227,"value":3228,"nodeType":247},{},[],"Because of our position in the browser, Push is uniquely positioned to detect and block browser-native attacks like ClickFix and other forms of malicious copy and paste techniques. So that’s what we built.",{"data":3230,"content":3234,"nodeType":274},{"target":3231},{"sys":3232},{"id":3233,"type":279,"linkType":280},"56jVT7dbNqUGiSRTfTCQw2",[],{"data":3236,"content":3237,"nodeType":243},{},[3238,3242,3246],{"data":3239,"marks":3240,"value":3241,"nodeType":247},{},[],"With our ",{"data":3243,"marks":3244,"value":3070,"nodeType":247},{},[3245],{"type":367},{"data":3247,"marks":3248,"value":3249,"nodeType":247},{},[],", you can:",{"data":3251,"content":3252,"nodeType":459},{},[3253,3263,3273,3283],{"data":3254,"content":3255,"nodeType":463},{},[3256],{"data":3257,"content":3258,"nodeType":243},{},[3259],{"data":3260,"marks":3261,"value":3262,"nodeType":247},{},[],"Detect ClickFix-style attacks as soon as they target end-users, regardless of the delivery channel for the lure, or the specifics of the malware type and execution.",{"data":3264,"content":3265,"nodeType":463},{},[3266],{"data":3267,"content":3268,"nodeType":243},{},[3269],{"data":3270,"marks":3271,"value":3272,"nodeType":247},{},[],"Block these attacks before the malicious code is copied to the clipboard.",{"data":3274,"content":3275,"nodeType":463},{},[3276],{"data":3277,"content":3278,"nodeType":243},{},[3279],{"data":3280,"marks":3281,"value":3282,"nodeType":247},{},[],"Safely collect the payload for further investigation by your security team, and replace the clipboard contents with safe text as part of the blocking action.",{"data":3284,"content":3285,"nodeType":463},{},[3286],{"data":3287,"content":3288,"nodeType":243},{},[3289],{"data":3290,"marks":3291,"value":3292,"nodeType":247},{},[],"Capture a detailed timeline of events to see how users were targeted and how the attack unfolded.",{"data":3294,"content":3298,"nodeType":274},{"target":3295},{"sys":3296},{"id":3297,"type":279,"linkType":280},"sALkMt8UbTZ2f34hKvGLj",[],{"data":3300,"content":3301,"nodeType":243},{},[3302,3306,3316],{"data":3303,"marks":3304,"value":3305,"nodeType":247},{},[],"Learn more about ClickFix detection in our ",{"data":3307,"content":3311,"nodeType":2838},{"target":3308},{"sys":3309},{"id":3310,"type":279,"linkType":280},"7jygmadjoz0asAHv7e5PuK",[3312],{"data":3313,"marks":3314,"value":3315,"nodeType":247},{},[],"documentation",{"data":3317,"marks":3318,"value":439,"nodeType":247},{},[],{"data":3320,"content":3321,"nodeType":356},{},[],{"data":3323,"content":3324,"nodeType":360},{},[3325],{"data":3326,"marks":3327,"value":3328,"nodeType":247},{},[],"Getting ahead of breaches tied to stolen credentials and ghost logins",{"data":3330,"content":3331,"nodeType":443},{},[3332],{"data":3333,"marks":3334,"value":2802,"nodeType":247},{},[],{"data":3336,"content":3337,"nodeType":243},{},[3338,3342,3352],{"data":3339,"marks":3340,"value":3341,"nodeType":247},{},[],"Starting in November 2024 and continuing through July 2025, adversaries linked to the HELLCAT threat group compromised Jira tenants belonging to 10 organizations using ",{"data":3343,"content":3347,"nodeType":2838},{"target":3344},{"sys":3345},{"id":3346,"type":279,"linkType":280},"gANCbeL9AnxmbGAE5HhyG",[3348],{"data":3349,"marks":3350,"value":3351,"nodeType":247},{},[],"stolen credentials",{"data":3353,"marks":3354,"value":2884,"nodeType":247},{},[],{"data":3356,"content":3357,"nodeType":243},{},[3358],{"data":3359,"marks":3360,"value":3361,"nodeType":247},{},[],"Business-critical applications like Jira are prime targets for attackers, who in this case dumped valuable data and then held it for ransom (or sold it on criminal marketplaces). Of course, this isn’t just a problem for Jira — data from Push’s initial deployment into customer environments shows that lots of critical apps lack basic controls like strong passwords and MFA.",{"data":3363,"content":3364,"nodeType":243},{},[3365,3369,3379,3383,3391],{"data":3366,"marks":3367,"value":3368,"nodeType":247},{},[],"The evolving threat group known as ",{"data":3370,"content":3374,"nodeType":2838},{"target":3371},{"sys":3372},{"id":3373,"type":279,"linkType":280},"2sFCww9xnI8okIxhtOaiY1",[3375],{"data":3376,"marks":3377,"value":3378,"nodeType":247},{},[],"Scattered Lapsus$ Hunters",{"data":3380,"marks":3381,"value":3382,"nodeType":247},{},[]," has also embraced the use of stolen creds, session cookies, and unprotected local account logins — aka ",{"data":3384,"content":3386,"nodeType":252},{"uri":3385},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[3387],{"data":3388,"marks":3389,"value":3390,"nodeType":247},{},[],"ghost logins",{"data":3392,"marks":3393,"value":3394,"nodeType":247},{},[]," — to compromise large organizations.",{"data":3396,"content":3397,"nodeType":243},{},[3398,3402,3412],{"data":3399,"marks":3400,"value":3401,"nodeType":247},{},[],"In 2025, Red Hat’s GitLab instance was compromised due to a local account that essentially provided a backdoor to an otherwise secure and SSO-connected account — an attack reminiscent of the ",{"data":3403,"content":3407,"nodeType":2838},{"target":3404},{"sys":3405},{"id":3406,"type":279,"linkType":280},"PAPJPr3CIB6J20udYyy1r",[3408],{"data":3409,"marks":3410,"value":3411,"nodeType":247},{},[],"2024 Snowflake breach",{"data":3413,"marks":3414,"value":3415,"nodeType":247},{},[],", which targeted local logins that lacked MFA.",{"data":3417,"content":3418,"nodeType":443},{},[3419],{"data":3420,"marks":3421,"value":2996,"nodeType":247},{},[],{"data":3423,"content":3424,"nodeType":243},{},[3425,3429,3439],{"data":3426,"marks":3427,"value":3428,"nodeType":247},{},[],"Push already provided the ability to detect stolen credentials being actively used by employees in your organization with our ",{"data":3430,"content":3434,"nodeType":2838},{"target":3431},{"sys":3432},{"id":3433,"type":279,"linkType":280},"6vCr4d3R1XA1E8dU883l7N",[3435],{"data":3436,"marks":3437,"value":3438,"nodeType":247},{},[],"Stolen credential detection control",{"data":3440,"marks":3441,"value":3442,"nodeType":247},{},[],". This provides an early-warning signal when Push finds a match between credentials for sale on criminal forums with those still being used by your employees, reducing some 99.5% of false positives we usually see with TI feed data.",{"data":3444,"content":3445,"nodeType":243},{},[3446],{"data":3447,"marks":3448,"value":3449,"nodeType":247},{},[],"With Push, you can also identify where employees are logging in with passwords on apps that otherwise should be using SAML, OIDC, or some other federated mechanism — aka the ghost login vulnerability.",{"data":3451,"content":3452,"nodeType":243},{},[3453],{"data":3454,"marks":3455,"value":3456,"nodeType":247},{},[],"This year, we made it easier for security teams to enforce two security fundamentals that help harden accounts and reduce the risk of ATO, even on unmanaged apps:",{"data":3458,"content":3459,"nodeType":459},{},[3460,3489],{"data":3461,"content":3462,"nodeType":463},{},[3463],{"data":3464,"content":3465,"nodeType":243},{},[3466,3471,3475,3485],{"data":3467,"marks":3468,"value":3470,"nodeType":247},{},[3469],{"type":367},"Strong password enforcement:",{"data":3472,"marks":3473,"value":3474,"nodeType":247},{},[]," With this control, you can prompt end-users to ",{"data":3476,"content":3480,"nodeType":2838},{"target":3477},{"sys":3478},{"id":3479,"type":279,"linkType":280},"5aB5x5VXrMv7PDmH0iiK0c",[3481],{"data":3482,"marks":3483,"value":3484,"nodeType":247},{},[],"fix an insecure password",{"data":3486,"marks":3487,"value":3488,"nodeType":247},{},[]," on all your workforce apps, even the ones you don’t centrally manage. ",{"data":3490,"content":3491,"nodeType":463},{},[3492],{"data":3493,"content":3494,"nodeType":243},{},[3495,3500,3503,3513],{"data":3496,"marks":3497,"value":3499,"nodeType":247},{},[3498],{"type":367},"MFA enforcement:",{"data":3501,"marks":3502,"value":3474,"nodeType":247},{},[],{"data":3504,"content":3508,"nodeType":2838},{"target":3505},{"sys":3506},{"id":3507,"type":279,"linkType":280},"wikyVxlHwKUOKM9xo19eP",[3509],{"data":3510,"marks":3511,"value":3512,"nodeType":247},{},[],"register for MFA",{"data":3514,"marks":3515,"value":3516,"nodeType":247},{},[]," where Push detects it’s missing — again, even on unmanaged apps.",{"data":3518,"content":3519,"nodeType":243},{},[3520],{"data":3521,"marks":3522,"value":3523,"nodeType":247},{},[],"Both of these controls use in-browser banners to provide point-in-time guidance to users when they’re most likely to see it and act on it.",{"data":3525,"content":3529,"nodeType":274},{"target":3526},{"sys":3527},{"id":3528,"type":279,"linkType":280},"3XH0hnnhcZNI47PhdiD4q0",[],{"data":3531,"content":3532,"nodeType":243},{},[3533,3537,3542],{"data":3534,"marks":3535,"value":3536,"nodeType":247},{},[],"To address the pattern of adversaries moving from targeting hardened core apps such as identity providers to the likes of GitLab, Postman, Jira, and others containing valuable corporate data, we also expanded one of the Push platform’s core security controls called ",{"data":3538,"marks":3539,"value":3541,"nodeType":247},{},[3540],{"type":367},"Password protection",{"data":3543,"marks":3544,"value":439,"nodeType":247},{},[],{"data":3546,"content":3547,"nodeType":243},{},[3548,3552,3556],{"data":3549,"marks":3550,"value":3551,"nodeType":247},{},[],"The ",{"data":3553,"marks":3554,"value":3541,"nodeType":247},{},[3555],{"type":367},{"data":3557,"marks":3558,"value":3559,"nodeType":247},{},[]," control previously could be applied only to IdP passwords, allowing you to essentially “pin” the credential for those systems so that it could never be entered on a phishing page or reused on any other app. ",{"data":3561,"content":3562,"nodeType":243},{},[3563,3567,3577],{"data":3564,"marks":3565,"value":3566,"nodeType":247},{},[],"We expanded that control to allow you to ",{"data":3568,"content":3572,"nodeType":2838},{"target":3569},{"sys":3570},{"id":3571,"type":279,"linkType":280},"6FYHbkcRUrtznPo7RarRsz",[3573],{"data":3574,"marks":3575,"value":3576,"nodeType":247},{},[],"protect passwords on any valuable app",{"data":3578,"marks":3579,"value":3580,"nodeType":247},{},[],", preventing account takeover through phished creds and reducing the blast radius of attacks when a compromised account has been reusing passwords on multiple applications.",{"data":3582,"content":3586,"nodeType":274},{"target":3583},{"sys":3584},{"id":3585,"type":279,"linkType":280},"74l82HIeaumFX4u9AMjj79",[],{"data":3588,"content":3589,"nodeType":243},{},[3590,3594,3604],{"data":3591,"marks":3592,"value":3593,"nodeType":247},{},[],"Push also now gives you visibility into where employees are ",{"data":3595,"content":3599,"nodeType":2838},{"target":3596},{"sys":3597},{"id":3598,"type":279,"linkType":280},"7uLeQ9twNl5RyNaWkkJNjd",[3600],{"data":3601,"marks":3602,"value":3603,"nodeType":247},{},[],"syncing their corporate browser profile",{"data":3605,"marks":3606,"value":3607,"nodeType":247},{},[]," to a personal profile, raising the risk of syncing corporate passwords to unmanaged devices — another vector for credential harvesting if those endpoints become compromised.",{"data":3609,"content":3610,"nodeType":243},{},[3611],{"data":3612,"marks":3613,"value":3614,"nodeType":247},{},[],"And of course, underlying all these features is the foundational visibility of all your apps, accounts, account vulnerabilities, and login methods that Push provides.",{"data":3616,"content":3617,"nodeType":356},{},[],{"data":3619,"content":3620,"nodeType":360},{},[3621],{"data":3622,"marks":3623,"value":3624,"nodeType":247},{},[],"Blocking malicious browser extensions",{"data":3626,"content":3627,"nodeType":443},{},[3628],{"data":3629,"marks":3630,"value":2802,"nodeType":247},{},[],{"data":3632,"content":3633,"nodeType":243},{},[3634],{"data":3635,"marks":3636,"value":3637,"nodeType":247},{},[],"Getting visibility and control over all the browser extensions used across your workforce has long been a thorny problem for security teams. ",{"data":3639,"content":3640,"nodeType":243},{},[3641],{"data":3642,"marks":3643,"value":3644,"nodeType":247},{},[],"The possible solutions haven’t been great, either. Teams could either apply a blunt-force block for most or all extensions, or spend painstaking time trying to understand what was installed, why, and by whom, across all the browsers in the environment.",{"data":3646,"content":3647,"nodeType":243},{},[3648,3652,3662],{"data":3649,"marks":3650,"value":3651,"nodeType":247},{},[],"The urgency of solving this problem increased for many organizations this year after the December 2024 compromise of at least 35 Google Chrome extensions in a ",{"data":3653,"content":3657,"nodeType":2838},{"target":3654},{"sys":3655},{"id":3656,"type":279,"linkType":280},"6sprbTRpfnTJsP3mGR2gKa",[3658],{"data":3659,"marks":3660,"value":3661,"nodeType":247},{},[],"campaign targeting browser extension developers",{"data":3663,"marks":3664,"value":3665,"nodeType":247},{},[],". Cyberhaven’s extension was one of these, and the campaign inherited their name.",{"data":3667,"content":3668,"nodeType":443},{},[3669],{"data":3670,"marks":3671,"value":2996,"nodeType":247},{},[],{"data":3673,"content":3674,"nodeType":243},{},[3675,3679,3689],{"data":3676,"marks":3677,"value":3678,"nodeType":247},{},[],"With Push, you can now get visibility across ",{"data":3680,"content":3684,"nodeType":2838},{"target":3681},{"sys":3682},{"id":3683,"type":279,"linkType":280},"3ibVBa6u0XfcXXDVtON5th",[3685],{"data":3686,"marks":3687,"value":3688,"nodeType":247},{},[],"all the browser extensions",{"data":3690,"marks":3691,"value":3692,"nodeType":247},{},[]," installed on employee browsers in your environment, and block the ones you don’t want.",{"data":3694,"content":3698,"nodeType":274},{"target":3695},{"sys":3696},{"id":3697,"type":279,"linkType":280},"5J5jdmwugy7yU8GGwxe7iH",[],{"data":3700,"content":3701,"nodeType":243},{},[3702],{"data":3703,"marks":3704,"value":3705,"nodeType":247},{},[],"You can also:",{"data":3707,"content":3708,"nodeType":459},{},[3709,3719,3729],{"data":3710,"content":3711,"nodeType":463},{},[3712],{"data":3713,"content":3714,"nodeType":243},{},[3715],{"data":3716,"marks":3717,"value":3718,"nodeType":247},{},[],"Review extensions with risky permissions.",{"data":3720,"content":3721,"nodeType":463},{},[3722],{"data":3723,"content":3724,"nodeType":243},{},[3725],{"data":3726,"marks":3727,"value":3728,"nodeType":247},{},[],"Identify extensions with potentially suspicious installation methods, such as sideloaded or manually installed.",{"data":3730,"content":3731,"nodeType":463},{},[3732],{"data":3733,"content":3734,"nodeType":243},{},[3735],{"data":3736,"marks":3737,"value":3738,"nodeType":247},{},[],"Block extensions based on user groups and browser profiles (e.g. profiles logged in with a company domain).",{"data":3740,"content":3741,"nodeType":243},{},[3742,3746,3754],{"data":3743,"marks":3744,"value":3745,"nodeType":247},{},[],"Learn more about extension visibility and management in our ",{"data":3747,"content":3750,"nodeType":2838},{"target":3748},{"sys":3749},{"id":3683,"type":279,"linkType":280},[3751],{"data":3752,"marks":3753,"value":3315,"nodeType":247},{},[],{"data":3755,"marks":3756,"value":439,"nodeType":247},{},[],{"data":3758,"content":3759,"nodeType":356},{},[],{"data":3761,"content":3762,"nodeType":360},{},[3763],{"data":3764,"marks":3765,"value":3766,"nodeType":247},{},[],"Adding a layer of protection against help desk scams",{"data":3768,"content":3769,"nodeType":443},{},[3770],{"data":3771,"marks":3772,"value":2802,"nodeType":247},{},[],{"data":3774,"content":3775,"nodeType":243},{},[3776],{"data":3777,"marks":3778,"value":3779,"nodeType":247},{},[],"Finally, another big theme in this year’s TTPs was the use of help desk social engineering to compromise organizations. ",{"data":3781,"content":3782,"nodeType":243},{},[3783,3787,3797],{"data":3784,"marks":3785,"value":3786,"nodeType":247},{},[],"Attackers like ",{"data":3788,"content":3792,"nodeType":2838},{"target":3789},{"sys":3790},{"id":3791,"type":279,"linkType":280},"wgpdyHDn9NcpIJNr7jnFp",[3793],{"data":3794,"marks":3795,"value":3796,"nodeType":247},{},[],"Scattered Spider",{"data":3798,"marks":3799,"value":3800,"nodeType":247},{},[]," — now known as part of the evolving cybercriminal group Scattered Lapsus$ Hunters — have targeted organizations including MGM Resorts and Marks & Spencer by convincing help desk staff to help them bypass MFA or reset credentials for accounts they then use to access corporate systems. ",{"data":3802,"content":3803,"nodeType":443},{},[3804],{"data":3805,"marks":3806,"value":2996,"nodeType":247},{},[],{"data":3808,"content":3809,"nodeType":243},{},[3810,3814,3819],{"data":3811,"marks":3812,"value":3813,"nodeType":247},{},[],"To provide an additional layer of security when verifying employee identities during help desk interactions, Push introduced ",{"data":3815,"marks":3816,"value":3818,"nodeType":247},{},[3817],{"type":367},"Employee verification codes",{"data":3820,"marks":3821,"value":439,"nodeType":247},{},[],{"data":3823,"content":3827,"nodeType":274},{"target":3824},{"sys":3825},{"id":3826,"type":279,"linkType":280},"19Baqh5QwbonzsR0EcaDS8",[],{"data":3829,"content":3830,"nodeType":243},{},[3831],{"data":3832,"marks":3833,"value":3834,"nodeType":247},{},[],"These are a rotating 6-digit verification code accessible via the Push Security extension dropdown. When an employee contacts your help desk, staff can use this code to help verify their identity before performing any sensitive account changes.",{"data":3836,"content":3837,"nodeType":243},{},[3838],{"data":3839,"marks":3840,"value":3841,"nodeType":247},{},[],"Employee verification codes are lightweight, rotate every 24 hours, and don’t require any additional apps or devices.",{"data":3843,"content":3844,"nodeType":243},{},[3845,3849,3858],{"data":3846,"marks":3847,"value":3848,"nodeType":247},{},[],"Learn more about verification codes in our ",{"data":3850,"content":3854,"nodeType":2838},{"target":3851},{"sys":3852},{"id":3853,"type":279,"linkType":280},"4rLP8wr6HnvBG2OzqYYKpF",[3855],{"data":3856,"marks":3857,"value":3144,"nodeType":247},{},[],{"data":3859,"marks":3860,"value":439,"nodeType":247},{},[],{"data":3862,"content":3863,"nodeType":356},{},[],{"data":3865,"content":3866,"nodeType":360},{},[3867],{"data":3868,"marks":3869,"value":3870,"nodeType":247},{},[],"Learn more about Push",{"data":3872,"content":3873,"nodeType":243},{},[3874],{"data":3875,"marks":3876,"value":3877,"nodeType":247},{},[],"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, ClickFix, and session hijacking. ",{"data":3879,"content":3880,"nodeType":243},{},[3881],{"data":3882,"marks":3883,"value":3884,"nodeType":247},{},[],"You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",{"data":3886,"content":3887,"nodeType":243},{},[3888,3892,3900,3904,3912],{"data":3889,"marks":3890,"value":3891,"nodeType":247},{},[],"To learn more about Push, check out our latest ",{"data":3893,"content":3895,"nodeType":252},{"uri":3894},"/resources/product-brochure",[3896],{"data":3897,"marks":3898,"value":3899,"nodeType":247},{},[],"product overview",{"data":3901,"marks":3902,"value":3903,"nodeType":247},{},[]," or book some time with one of our team for a ",{"data":3905,"content":3907,"nodeType":252},{"uri":3906},"/demo",[3908],{"data":3909,"marks":3910,"value":3911,"nodeType":247},{},[],"live demo",{"data":3913,"marks":3914,"value":439,"nodeType":247},{},[],"Taking the fight to attackers: Push’s top features of 2025","Here’s how real-world attacks and our own R&D informed what we built for Push customers over the last year.","2025-12-17T00:00:00.000Z","taking-the-fight-to-attackers-top-features-of-2025",{"items":3920},[3921,3923],{"sys":3922,"name":1979},{"id":1978},{"sys":3924,"name":1975},{"id":1974},{"items":3926},[3927],{"fullName":3928,"firstName":3929,"jobTitle":3930,"profilePicture":3931},"Kelly Davenport","Kelly","Product Team",{"url":3932},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg","consentfix-debrief","blog/consentfix-debrief",{"json":3936},{"data":3937,"content":3938,"nodeType":239},{},[3939],{"data":3940,"content":3941,"nodeType":243},{},[3942],{"data":3943,"marks":3944,"value":3945,"nodeType":247},{},[],"In December, the Push Security research team discovered and blocked a brand new attack technique that we coined ConsentFix. We’re sharing some new insights on the campaign and pulling together some of the top recommendations and resources from across the community.","New insights on the ConsentFix campaign stopped by Push.",{"id":3948,"publishedAt":3949},"4jcVFrvGBtVXpKU3gDMaa2","2026-01-14T09:27:38.375Z",{"items":3951},[3952,3954],{"sys":3953,"name":1979},{"id":1978},{"sys":3955,"name":1975},{"id":1974},"ablN1BbDuuhBot4NGi0DAcF_iz0c8Xrh9Gd-Srs_7aE",1784196725180]