[{"data":1,"prerenderedAt":2837},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/the-most-advanced-clickfix-yet":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":919,"faqItemsCollection":920,"faqTitle":62,"featured":6,"hashTags":62,"meta":922,"metaTitle":228,"ogImage":62,"publishedDate":923,"relatedBlogPostsCollection":924,"slug":2814,"stem":2815,"subtitle":62,"summary":2816,"synopsis":2826,"sys":2827,"tagsCollection":2830,"__hash__":2836},"blog/blog/the-most-advanced-clickfix-yet.json","The most advanced ClickFix yet?",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Dan Green","Dan","Threat Research",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":238,"links":837},{"nodeType":239,"data":240,"content":241},"document",{},[242,251,258,271,280,287,291,300,307,313,329,336,361,368,374,377,385,420,426,446,452,472,479,485,488,496,503,523,530,550,557,563,566,574,581,614,621,628,674,693,704,711,714,722,742,749,756,762,765,773,793,826,831],{"nodeType":243,"data":244,"content":245},"paragraph",{},[246],{"nodeType":247,"value":248,"marks":249,"data":250},"text","ClickFix attacks have skyrocketed in the last year. This social engineering attack has established itself as a key part of the modern attacker’s toolkit, tricking victims into running malicious code on their device.",[],{},{"nodeType":243,"data":252,"content":253},{},[254],{"nodeType":247,"value":255,"marks":256,"data":257},"As we showcased in our last webinar and at our threat briefing in London earlier this month, ClickFix is evolving fast, in terms of the web pages themselves, the delivery mechanisms by which they are sent to victims, and the nature of the payload and its execution.",[],{},{"nodeType":243,"data":259,"content":260},{},[261,265],{"nodeType":247,"value":262,"marks":263,"data":264},"One particular example stood out to us in our research. ",[],{},{"nodeType":247,"value":266,"marks":267,"data":270},"So, is this the most advanced ClickFix you’ve seen?",[268],{"type":269},"bold",{},{"nodeType":272,"data":273,"content":279},"embedded-entry-block",{"target":274},{"sys":275},{"id":276,"type":277,"linkType":278},"ID7VKJNOZk729P5zBOBjZ","Link","Entry",[],{"nodeType":243,"data":281,"content":282},{},[283],{"nodeType":247,"value":284,"marks":285,"data":286},"Let’s break it down further.",[],{},{"nodeType":288,"data":289,"content":290},"hr",{},[],{"nodeType":292,"data":293,"content":294},"heading-1",{},[295],{"nodeType":247,"value":296,"marks":297,"data":299},"How ClickFix pages are evolving",[298],{"type":269},{},{"nodeType":243,"data":301,"content":302},{},[303],{"nodeType":247,"value":304,"marks":305,"data":306},"The CloudFlare-based lure is a great example of how ClickFix pages themselves are evolving — and becoming increasingly convincing to users. ",[],{},{"nodeType":272,"data":308,"content":312},{"target":309},{"sys":310},{"id":311,"type":277,"linkType":278},"4wJOgtofImjbsekyXMc5Ec",[],{"nodeType":243,"data":314,"content":315},{},[316,320,325],{"nodeType":247,"value":317,"marks":318,"data":319},"This is an incredibly slick example — ",[],{},{"nodeType":247,"value":321,"marks":322,"data":324},"it almost looks like Cloudflare shipped a new kind of bot check service. ",[323],{"type":269},{},{"nodeType":247,"value":326,"marks":327,"data":328},"The embedded video, countdown timer, and counter for “users verified in the last hour” all serve to increase the sense of authenticity, and put extra pressure on the victim to complete the check. ",[],{},{"nodeType":243,"data":330,"content":331},{},[332],{"nodeType":247,"value":333,"marks":334,"data":335},"There are a couple of extra things happening under the hood here, too:",[],{},{"nodeType":337,"data":338,"content":339},"unordered-list",{},[340,351],{"nodeType":341,"data":342,"content":343},"list-item",{},[344],{"nodeType":243,"data":345,"content":346},{},[347],{"nodeType":247,"value":348,"marks":349,"data":350},"The page is adapting to the device that you’re visiting from, serving up instructions specific to the user’s Mac (increasingly common as ClickFix expands to support different Operating Systems).",[],{},{"nodeType":341,"data":352,"content":353},{},[354],{"nodeType":243,"data":355,"content":356},{},[357],{"nodeType":247,"value":358,"marks":359,"data":360},"The page is automatically copying the malicious code to the user’s clipboard via JavaScript (which we see in 9/10 cases).",[],{},{"nodeType":243,"data":362,"content":363},{},[364],{"nodeType":247,"value":365,"marks":366,"data":367},"For the past decade or more, user awareness has focused on stopping users from clicking links in suspicious emails, downloading risky files, and entering their username and password into random websites. It hasn’t focused on opening up a program and running a command — so it’s no surprise that this kind of highly convincing page is so effective at duping victims into following the instructions. ",[],{},{"nodeType":272,"data":369,"content":373},{"target":370},{"sys":371},{"id":372,"type":277,"linkType":278},"LiVIyGxdAaUXUfvKjD6ON",[],{"nodeType":288,"data":375,"content":376},{},[],{"nodeType":292,"data":378,"content":379},{},[380],{"nodeType":247,"value":381,"marks":382,"data":384},"How ClickFix delivery methods are evolving",[383],{"type":269},{},{"nodeType":243,"data":386,"content":387},{},[388,392,403,407,416],{"nodeType":247,"value":389,"marks":390,"data":391},"There’s also the fact that this page wasn’t accessed via email. The top delivery vector for ClickFix attacks that we’ve observed is, in fact, Google Search — in the form of ",[],{},{"nodeType":393,"data":394,"content":396},"hyperlink",{"uri":395},"https://phishing-techniques.pushsecurity.com/techniques/malvertising/",[397],{"nodeType":247,"value":398,"marks":399,"data":402},"poisoned search results and malicious advertising (malvertising)",[400],{"type":401},"underline",{},{"nodeType":247,"value":404,"marks":405,"data":406},". Attackers are either taking over legitimate sites (there’s a ",[],{},{"nodeType":393,"data":408,"content":410},{"uri":409},"https://www.bleepingcomputer.com/news/security/hackers-launch-mass-attacks-exploiting-outdated-wordpress-plugins/",[411],{"nodeType":247,"value":412,"marks":413,"data":415},"steady supply of website hosting and CMS vulnerabilities",[414],{"type":401},{},{"nodeType":247,"value":417,"marks":418,"data":419}," to take advantage of) or simply vibe-coding their own sites and optimizing them for various search terms. ",[],{},{"nodeType":272,"data":421,"content":425},{"target":422},{"sys":423},{"id":424,"type":277,"linkType":278},"6N9EmH6AaN6Hr4xk6ozATR",[],{"nodeType":243,"data":427,"content":428},{},[429,433,442],{"nodeType":247,"value":430,"marks":431,"data":432},"And because most anti-phishing controls are implemented via email, by using ",[],{},{"nodeType":393,"data":434,"content":436},{"uri":435},"https://pushsecurity.com/blog/why-attackers-are-moving-beyond-email-based-phishing?utm_source=thehackernews&utm_medium=sponsored-content&utm_term=article",[437],{"nodeType":247,"value":438,"marks":439,"data":441},"non-email delivery vectors, an entire layer of detection opportunity is cut out",[440],{"type":401},{},{"nodeType":247,"value":443,"marks":444,"data":445},". ",[],{},{"nodeType":272,"data":447,"content":451},{"target":448},{"sys":449},{"id":450,"type":277,"linkType":278},"1CWsZlLFX9TS53J1uamOG8",[],{"nodeType":243,"data":453,"content":454},{},[455,459,468],{"nodeType":247,"value":456,"marks":457,"data":458},"But even when they are sent via email, ClickFix pages, like other modern phishing sites, are using a range of ",[],{},{"nodeType":393,"data":460,"content":462},{"uri":461},"https://pushsecurity.com/blog/phishing-detection-evasion-launch?utm_source=thehackernews&utm_medium=sponsored-content&utm_term=article",[463],{"nodeType":247,"value":464,"marks":465,"data":467},"detection evasion techniques",[466],{"type":401},{},{"nodeType":247,"value":469,"marks":470,"data":471}," that prevent them being flagged by security tools — from email scanners, to web-crawling security tools, to web proxies analyzing network traffic. Detection evasion mainly involves camouflaging and rotating domains to stay ahead of known-bad detections (i.e. blocklists), using bot protection to prevent analysis, and heavily obfuscating page content to stop detection signatures firing. ",[],{},{"nodeType":243,"data":473,"content":474},{},[475],{"nodeType":247,"value":476,"marks":477,"data":478},"Finally, because the code is copied inside the browser sandbox, typical security tools are unable to observe and flag this action as potentially malicious. This means that the last — and only — opportunity for organizations to stop ClickFix is on the endpoint, after the user has attempted to run the malicious code.",[],{},{"nodeType":272,"data":480,"content":484},{"target":481},{"sys":482},{"id":483,"type":277,"linkType":278},"3HiqpIBWWMr5FMi3IBzXcc",[],{"nodeType":288,"data":486,"content":487},{},[],{"nodeType":292,"data":489,"content":490},{},[491],{"nodeType":247,"value":492,"marks":493,"data":495},"How ClickFix payloads are evolving",[494],{"type":269},{},{"nodeType":243,"data":497,"content":498},{},[499],{"nodeType":247,"value":500,"marks":501,"data":502},"It’s not just the ClickFix page and delivery mechanisms that are evolving — the services where code is being run, and the type of payload, are also increasingly varied. ",[],{},{"nodeType":243,"data":504,"content":505},{},[506,510,519],{"nodeType":247,"value":507,"marks":508,"data":509},"While the main payloads observed by Push are mshta and PowerShell, ",[],{},{"nodeType":393,"data":511,"content":513},{"uri":512},"https://mhaggis.github.io/ClickGrab/techniques.html",[514],{"nodeType":247,"value":515,"marks":516,"data":518},"attackers are abusing a wide range of LOLBINS",[517],{"type":401},{},{"nodeType":247,"value":520,"marks":521,"data":522}," targeting different services across Operating Systems.",[],{},{"nodeType":243,"data":524,"content":525},{},[526],{"nodeType":247,"value":527,"marks":528,"data":529},"While it is possible to disable the Win+R dialog box and limit the applications that can be run from the File Explorer address bar, it is not possible to similarly restrict users from interacting with other legitimate services to run malicious commands. ",[],{},{"nodeType":243,"data":531,"content":532},{},[533,537,546],{"nodeType":247,"value":534,"marks":535,"data":536},"Another recent example termed ",[],{},{"nodeType":393,"data":538,"content":540},{"uri":539},"https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/",[541],{"nodeType":247,"value":542,"marks":543,"data":545},"cache smuggling",[544],{"type":401},{},{"nodeType":247,"value":547,"marks":548,"data":549}," was also identified by security researchers. This technique combines a ClickFix approach with JavaScript that caches a malicious file posing as a JPG. This means that the ClickFix command executes locally — effectively getting an entire zip file onto the local system without the PowerShell command needing to make any web requests.",[],{},{"nodeType":243,"data":551,"content":552},{},[553],{"nodeType":247,"value":554,"marks":555,"data":556},"Finally, it’s worth considering the future of ClickFix. The current attack path straddles browser and endpoint — what if it could take place entirely in the browser and evade EDR altogether? ",[],{},{"nodeType":272,"data":558,"content":562},{"target":559},{"sys":560},{"id":561,"type":277,"linkType":278},"2rUDKawJnrmZVtxfNcSNha",[],{"nodeType":288,"data":564,"content":565},{},[],{"nodeType":292,"data":567,"content":568},{},[569],{"nodeType":247,"value":570,"marks":571,"data":573},"What’s the impact of ClickFix evolution?",[572],{"type":269},{},{"nodeType":243,"data":575,"content":576},{},[577],{"nodeType":247,"value":578,"marks":579,"data":580},"To summarize:",[],{},{"nodeType":337,"data":582,"content":583},{},[584,594,604],{"nodeType":341,"data":585,"content":586},{},[587],{"nodeType":243,"data":588,"content":589},{},[590],{"nodeType":247,"value":591,"marks":592,"data":593},"ClickFix pages are becoming increasingly sophisticated, making it more likely that victims will fall for the social engineering.",[],{},{"nodeType":341,"data":595,"content":596},{},[597],{"nodeType":243,"data":598,"content":599},{},[600],{"nodeType":247,"value":601,"marks":602,"data":603},"ClickFix delivery is evading traditional monitoring controls at the email layer to reach victims. ",[],{},{"nodeType":341,"data":605,"content":606},{},[607],{"nodeType":243,"data":608,"content":609},{},[610],{"nodeType":247,"value":611,"marks":612,"data":613},"ClickFix payloads are becoming more varied and are finding new ways to evade security controls. ",[],{},{"nodeType":243,"data":615,"content":616},{},[617],{"nodeType":247,"value":618,"marks":619,"data":620},"This means that EDR-based interception of malware execution is the last — and only — real line of defense for most organizations, kicking in after the initial script has been run (typically acting as a stager for the real malware). ",[],{},{"nodeType":243,"data":622,"content":623},{},[624],{"nodeType":247,"value":625,"marks":626,"data":627},"Malware execution can and should be intercepted by EDR, but it’s not foolproof. ",[],{},{"nodeType":337,"data":629,"content":630},{},[631,654,664],{"nodeType":341,"data":632,"content":633},{},[634],{"nodeType":243,"data":635,"content":636},{},[637,641,650],{"nodeType":247,"value":638,"marks":639,"data":640},"Attackers are constantly ",[],{},{"nodeType":393,"data":642,"content":644},{"uri":643},"https://www.infostealers.com/article/logins-zip-leverages-chromium-zero-day-stealthy-infostealer-builder-promises-99-credential-theft-in-under-12-seconds/",[645],{"nodeType":247,"value":646,"marks":647,"data":649},"developing new tools and capabilities",[648],{"type":401},{},{"nodeType":247,"value":651,"marks":652,"data":653}," to bypass EDR in the cat-and-mouse game between attackers and defenders.",[],{},{"nodeType":341,"data":655,"content":656},{},[657],{"nodeType":243,"data":658,"content":659},{},[660],{"nodeType":247,"value":661,"marks":662,"data":663},"Because ClickFix attacks are user initiated, context might be missing that lead to the alert being misclassified. This can mean the difference between the level of priority alert that is raised, and whether or not it is automatically blocked.",[],{},{"nodeType":341,"data":665,"content":666},{},[667],{"nodeType":243,"data":668,"content":669},{},[670],{"nodeType":247,"value":671,"marks":672,"data":673},"If you’re an organization that allows employees and contractors to use unmanaged BYOD devices, there’s a strong chance that there are gaps in your EDR coverage.",[],{},{"nodeType":243,"data":675,"content":676},{},[677,681,689],{"nodeType":247,"value":678,"marks":679,"data":680},"This is why attackers are doubling down. According to the ",[],{},{"nodeType":393,"data":682,"content":684},{"uri":683},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[685],{"nodeType":247,"value":686,"marks":687,"data":688},"2025 Microsoft Digital Defense report",[],{},{"nodeType":247,"value":690,"marks":691,"data":692},", ClickFix was the most common initial access method in the last year, accounting for 47% of attacks. That's a pretty significant stat.",[],{},{"nodeType":694,"data":695,"content":696},"blockquote",{},[697],{"nodeType":243,"data":698,"content":699},{},[700],{"nodeType":247,"value":701,"marks":702,"data":703},"47% of attacks started with ClickFix in the last year, according to Microsoft.",[],{},{"nodeType":243,"data":705,"content":706},{},[707],{"nodeType":247,"value":708,"marks":709,"data":710},"Ultimately, organizations are leaving themselves relying on a single line of defense — if the attack isn’t detected and blocked by EDR, it isn’t spotted at all. ",[],{},{"nodeType":288,"data":712,"content":713},{},[],{"nodeType":292,"data":715,"content":716},{},[717],{"nodeType":247,"value":718,"marks":719,"data":721},"Don’t gamble on a single point of failure ",[720],{"type":269},{},{"nodeType":243,"data":723,"content":724},{},[725,729,738],{"nodeType":247,"value":726,"marks":727,"data":728},"Push Security’s latest feature, ",[],{},{"nodeType":393,"data":730,"content":732},{"uri":731},"https://pushsecurity.com/blog/introducing-malicious-copy-paste-detection?utm_source=thehackernews&utm_medium=sponsored-content&utm_term=article",[733],{"nodeType":247,"value":734,"marks":735,"data":737},"malicious copy and paste detection",[736],{"type":401},{},{"nodeType":247,"value":739,"marks":740,"data":741},", tackles ClickFix-style attacks at the earliest opportunity through browser-based detection and blocking. This is a universally effective control that works regardless of the lure delivery channel, page style and structure, or the specifics of the malware type and execution.",[],{},{"nodeType":243,"data":743,"content":744},{},[745],{"nodeType":247,"value":746,"marks":747,"data":748},"Unlike heavy-handed DLP solutions that block copy-paste altogether, Push protects your employees without disrupting their user experience or hampering productivity.",[],{},{"nodeType":243,"data":750,"content":751},{},[752],{"nodeType":247,"value":753,"marks":754,"data":755},"By adding a new layer of protection in the browser, security teams can reduce the strain on their EDR and reduce the risk of host-based controls being bypassed through misconfiguration or attacker innovation. ",[],{},{"nodeType":272,"data":757,"content":761},{"target":758},{"sys":759},{"id":760,"type":277,"linkType":278},"sALkMt8UbTZ2f34hKvGLj",[],{"nodeType":288,"data":763,"content":764},{},[],{"nodeType":292,"data":766,"content":767},{},[768],{"nodeType":247,"value":769,"marks":770,"data":772},"Learn more",[771],{"type":269},{},{"nodeType":243,"data":774,"content":775},{},[776,780,789],{"nodeType":247,"value":777,"marks":778,"data":779},"If you want to learn more about ClickFix attacks and how they’re evolving, ",[],{},{"nodeType":393,"data":781,"content":783},{"uri":782},"https://pushsecurity.com/resources/clickfix",[784],{"nodeType":247,"value":785,"marks":786,"data":788},"check out our latest webinar (now available on-demand!)",[787],{"type":401},{},{"nodeType":247,"value":790,"marks":791,"data":792}," where we dive into real-world ClickFix examples and demonstrate how ClickFix sites work under the hood. ",[],{},{"nodeType":243,"data":794,"content":795},{},[796,800,809,813,822],{"nodeType":247,"value":797,"marks":798,"data":799},"To learn more about Push, ",[],{},{"nodeType":393,"data":801,"content":803},{"uri":802},"https://pushsecurity.com/resources/product-brochure",[804],{"nodeType":247,"value":805,"marks":806,"data":808},"check out our latest product overview",[807],{"type":401},{},{"nodeType":247,"value":810,"marks":811,"data":812}," or ",[],{},{"nodeType":393,"data":814,"content":816},{"uri":815},"https://pushsecurity.com/demo",[817],{"nodeType":247,"value":818,"marks":819,"data":821},"book some time with one of our team for a live demo",[820],{"type":401},{},{"nodeType":247,"value":823,"marks":824,"data":825},".",[],{},{"nodeType":272,"data":827,"content":830},{"target":828},{"sys":829},{"id":372,"type":277,"linkType":278},[],{"nodeType":243,"data":832,"content":833},{},[834],{"nodeType":247,"value":29,"marks":835,"data":836},[],{},{"entries":838},{"hyperlink":839,"inline":840,"block":841},[],[],[842,847,855,862,886,893,907,914],{"sys":843,"__typename":844,"title":228,"arcadeDemoUrl":845,"playText":846},{"id":276},"ArcadeDemo","https://demo.arcade.software/yQIHbuD990Dk5CjI1cvS?embed","1 mins",{"sys":848,"__typename":849,"title":850,"caption":850,"layoutMode":62,"file":851},{"id":311},"Image","The most advanced ClickFix page we’ve seen — complete with an embedded video showing the victim how to complete the check.",{"url":852,"width":853,"height":854},"https://images.ctfassets.net/y1cdw1ablpvd/ImveC0bIdp4QxXqHyQKz9/526f7ae589f71d0c23c7c738b8d0bc90/image3.png",1999,1117,{"sys":856,"__typename":857,"type":858,"ctaText":859,"buttonLabel":860,"buttonColour":861,"buttonUrl":782},{"id":372},"CtaWidget","Custom","Check out our latest webinar for a deep dive into the evolution of ClickFix-style attacks, with real-world examples from investigations.","Watch On-demand","sunny orange",{"sys":863,"__typename":864,"content":865,"name":885,"title":62},{"id":424},"InsightTextBlockComponent",{"json":866},{"data":867,"content":868,"nodeType":239},{},[869],{"data":870,"content":871,"nodeType":243},{},[872,876,881],{"data":873,"marks":874,"value":875,"nodeType":247},{},[],"Of the ClickFix pages intercepted by Push where the delivery vector was observed, ",{"data":877,"marks":878,"value":880,"nodeType":247},{},[879],{"type":269},"4 in 5 were accessed via Google Search.",{"data":882,"marks":883,"value":884,"nodeType":247},{},[]," While other examples may have been stopped by controls such as email before the page could be loaded by the user, this shows a significant monitoring gap when it comes to non-email delivery vectors.","ClickFix blog insight box 2",{"sys":887,"__typename":849,"title":888,"caption":888,"layoutMode":62,"file":889},{"id":450},"Like other modern phishing attacks, ClickFix lures are distributed all over the internet — not just email.",{"url":890,"width":891,"height":892},"https://images.ctfassets.net/y1cdw1ablpvd/4l0xLRs8Z1w3aXMbzzyFPL/9cb4721c53379da31a4019371072a7ef/image1.png",1696,986,{"sys":894,"__typename":864,"content":895,"name":906,"title":62},{"id":483},{"json":896},{"data":897,"content":898,"nodeType":239},{},[899],{"data":900,"content":901,"nodeType":243},{},[902],{"data":903,"marks":904,"value":905,"nodeType":247},{},[],"Although there are ways to block web pages from performing copy to clipboard via device settings or group policy, the practical reality of ClickFix means that these methods are not effective. Because ClickFix is a user gesture initiated paste event (some form of user interaction such as a button press is required on the page before loading the ClickFix lure) it cannot be blocked from the host.","ClickFix insight box 1",{"sys":908,"__typename":849,"title":909,"caption":909,"layoutMode":62,"file":910},{"id":561},"The current hybrid attack path sees the attacker deliver lures in the browser, to compromise the endpoint, to get access to creds and cookies stored in the browser. What if you could skip the endpoint altogether? ",{"url":911,"width":912,"height":913},"https://images.ctfassets.net/y1cdw1ablpvd/7kIZUmQkiHKKX0kjZQYfia/a7957baa43f54fe407779e845240e27e/image2.png",1970,816,{"sys":915,"__typename":844,"title":916,"arcadeDemoUrl":917,"playText":918},{"id":760},"ClickFix Feature Release","https://demo.arcade.software/qhzGMAx2q3b6IRlHqBsB?embed","2 mins","json",{"items":921},[],{},"2025-11-06T00:00:00.000Z",{"items":925},[926,1512,2152],{"__typename":927,"sys":928,"content":930,"title":1494,"synopsis":1495,"hashTags":62,"publishedDate":1496,"slug":1497,"tagsCollection":1498,"authorsCollection":1508},"BlogPosts",{"id":929},"4wtqKNN8D4tvbICAQ17L1Z",{"json":931},{"data":932,"content":933,"nodeType":239},{},[934,942,949,956,963,969,972,980,987,994,1011,1057,1063,1070,1086,1093,1099,1102,1110,1117,1133,1153,1173,1193,1200,1203,1211,1230,1263,1269,1275,1278,1286,1305,1325,1332,1352,1358,1364,1367,1375,1382,1389,1422,1429,1432,1440,1447,1454,1461,1468],{"data":935,"content":936,"nodeType":292},{},[937],{"data":938,"marks":939,"value":941,"nodeType":247},{},[940],{"type":269},"Phishing has moved outside of the mailbox",{"data":943,"content":944,"nodeType":243},{},[945],{"data":946,"marks":947,"value":948,"nodeType":247},{},[],"Because of the changes to working practices, employees are more accessible than ever to external attackers. Once upon a time, email was the primary communication channel with the wider world, and work happened locally — on your device, and inside your locked-down network environment. This made email and the endpoint the highest priority from a security perspective. ",{"data":950,"content":951,"nodeType":243},{},[952],{"data":953,"marks":954,"value":955,"nodeType":247},{},[],"But now, with modern work happening across a network of decentralized internet apps, and more varied communication channels outside of email, it’s harder to stop users from interacting with malicious content.",{"data":957,"content":958,"nodeType":243},{},[959],{"data":960,"marks":961,"value":962,"nodeType":247},{},[],"Attackers can deliver links over instant messenger apps, social media, SMS, malicious ads, and using in-app messenger functionality, as well as sending emails directly from SaaS services to bypass email-based checks. Likewise, there are now hundreds of apps per enterprise to target, with varying levels of account security configuration.",{"data":964,"content":968,"nodeType":272},{"target":965},{"sys":966},{"id":967,"type":277,"linkType":278},"1tDciIJqKnNoR4FqZChjTy",[],{"data":970,"content":971,"nodeType":288},{},[],{"data":973,"content":974,"nodeType":292},{},[975],{"data":976,"marks":977,"value":979,"nodeType":247},{},[978],{"type":269},"Why am I not hearing about this more? ",{"data":981,"content":982,"nodeType":243},{},[983],{"data":984,"marks":985,"value":986,"nodeType":247},{},[],"Phishing attacks outside of email usually go unreported. This is to be expected when most of the industry’s data on phishing attacks comes from email security vendors and tools. ",{"data":988,"content":989,"nodeType":243},{},[990],{"data":991,"marks":992,"value":993,"nodeType":247},{},[],"If phishing bypasses the email layer, most organizations are left relying on user reported attacks. Some organizations might supplement this with a web proxy, but these are being increasingly defeated by modern phishing kits, which use an array of obfuscation and detection evasion techniques to bypass these detections. ",{"data":995,"content":996,"nodeType":243},{},[997,1001,1007],{"data":998,"marks":999,"value":1000,"nodeType":247},{},[],"The most valuable information for security teams today is the webpage that is loaded ",{"data":1002,"marks":1003,"value":1006,"nodeType":247},{},[1004],{"type":1005},"italic","through",{"data":1008,"marks":1009,"value":1010,"nodeType":247},{},[]," the network traffic: What does the HTML body look like? What is the user likely seeing on the page? To do this, you need to stitch together and reconstruct what the browser is doing by looking at the network data. Except for very simple websites, this happens through JavaScript on the client side. ",{"data":1012,"content":1013,"nodeType":243},{},[1014,1018,1027,1031,1040,1044,1053],{"data":1015,"marks":1016,"value":1017,"nodeType":247},{},[],"This is hard enough when analysing a typical SaaS app. But the latest generation of fully customized Attacker-in-the-Middle (AitM) phishing kits are going out of their way to make this as challenging as possible, using techniques like ",{"data":1019,"content":1021,"nodeType":393},{"uri":1020},"https://phishing-techniques.pushsecurity.com/techniques/dom-obfuscation/",[1022],{"data":1023,"marks":1024,"value":1026,"nodeType":247},{},[1025],{"type":401},"DOM obfuscation",{"data":1028,"marks":1029,"value":1030,"nodeType":247},{},[],", ",{"data":1032,"content":1034,"nodeType":393},{"uri":1033},"https://phishing-techniques.pushsecurity.com/techniques/page-obfuscation/",[1035],{"data":1036,"marks":1037,"value":1039,"nodeType":247},{},[1038],{"type":401},"Page obfuscation",{"data":1041,"marks":1042,"value":1043,"nodeType":247},{},[],", and ",{"data":1045,"content":1047,"nodeType":393},{"uri":1046},"https://phishing-techniques.pushsecurity.com/techniques/code-obfuscation/",[1048],{"data":1049,"marks":1050,"value":1052,"nodeType":247},{},[1051],{"type":401},"Code obfuscation",{"data":1054,"marks":1055,"value":1056,"nodeType":247},{},[]," so all you see at a network layer is a garbled, obfuscated mess of JS code.",{"data":1058,"content":1062,"nodeType":272},{"target":1059},{"sys":1060},{"id":1061,"type":277,"linkType":278},"71QsaPju68i5QiJcgQlHDs",[],{"data":1064,"content":1065,"nodeType":243},{},[1066],{"data":1067,"marks":1068,"value":1069,"nodeType":247},{},[],"So, non-email phishing is going broadly undetected through technical controls. And even when spotted and reported by a user — what can you really do about it?",{"data":1071,"content":1072,"nodeType":243},{},[1073,1077,1082],{"data":1074,"marks":1075,"value":1076,"nodeType":247},{},[],"Take a social media phish. You can’t see which other accounts were targeted or hit in your user base. Unlike email, there’s no way to recall or quarantine the same message hitting multiple users. There’s no rule you can modify, or senders you can block. You can report the account, and ",{"data":1078,"marks":1079,"value":1081,"nodeType":247},{},[1080],{"type":1005},"maybe",{"data":1083,"marks":1084,"value":1085,"nodeType":247},{},[]," something will happen when the site owner gets around to it — but the attacker has probably got what they needed by then and moved on. ",{"data":1087,"content":1088,"nodeType":243},{},[1089],{"data":1090,"marks":1091,"value":1092,"nodeType":247},{},[],"Most organizations simply block the URLs involved. But this doesn’t really help when attackers are rapidly rotating their phishing domains — by the time you block one site, another three have already taken its place. ",{"data":1094,"content":1098,"nodeType":272},{"target":1095},{"sys":1096},{"id":1097,"type":277,"linkType":278},"1II2kHyOZcShLsexx1TAgy",[],{"data":1100,"content":1101,"nodeType":288},{},[],{"data":1103,"content":1104,"nodeType":292},{},[1105],{"data":1106,"marks":1107,"value":1109,"nodeType":247},{},[1108],{"type":269},"But aren’t these just personal accounts?",{"data":1111,"content":1112,"nodeType":243},{},[1113],{"data":1114,"marks":1115,"value":1116,"nodeType":247},{},[],"Modern phishing attacks blur the boundary between corporate and personal. The fact is that your employees are routinely accessing personal messaging and social media apps on their corporate devices. Users are signed into apps like LinkedIn, X, WhatsApp, Signal, even message boards like Reddit on their work laptop and/or mobile devices. And with malicious links being found on search engines (aka. malvertising), they can even stumble upon them while browsing the web normally.",{"data":1118,"content":1119,"nodeType":243},{},[1120,1124,1129],{"data":1121,"marks":1122,"value":1123,"nodeType":247},{},[],"In short: anywhere that your users can be contacted by someone outside of your organization presents an opportunity for phishing. In fact, in most of these cases people ",{"data":1125,"marks":1126,"value":1128,"nodeType":247},{},[1127],{"type":269},"expect ",{"data":1130,"marks":1131,"value":1132,"nodeType":247},{},[],"to be contacted by people they don’t know. ",{"data":1134,"content":1135,"nodeType":243},{},[1136,1140,1149],{"data":1137,"marks":1138,"value":1139,"nodeType":247},{},[],"It’s also a myth that campaigns can’t be targeted in the same way on these platforms, that they’re somehow more random and therefore less dangerous. For example, social media accounts are some of the easiest for attackers to create en masse — or take over. According to the most recent ",{"data":1141,"content":1143,"nodeType":393},{"uri":1142},"https://www.verizon.com/business/resources/T149/reports/2025-dbir-data-breach-investigations-report.pdf",[1144],{"data":1145,"marks":1146,"value":1148,"nodeType":247},{},[1147],{"type":401},"Verizon DBIR",{"data":1150,"marks":1151,"value":1152,"nodeType":247},{},[],", 60%+ of creds found in infostealer logs were from social media sites. They’re also likely to use single-factor logins. If an attacker can take over one account, and use it to credibly communicate with one of your employees, they have a way higher likelihood of being successful than with your average unsolicited email. ",{"data":1154,"content":1155,"nodeType":243},{},[1156,1160,1169],{"data":1157,"marks":1158,"value":1159,"nodeType":247},{},[],"Malicious ads can also be targeted. For example, Google Ads can be targeted to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). If you know where your target organization is located, you can tailor the ad to that location. Phishing sites also often come with ",{"data":1161,"content":1163,"nodeType":393},{"uri":1162},"https://phishing-techniques.pushsecurity.com/techniques/conditional-loading/",[1164],{"data":1165,"marks":1166,"value":1168,"nodeType":247},{},[1167],{"type":401},"conditional loading",{"data":1170,"marks":1171,"value":1172,"nodeType":247},{},[]," parameters to only deliver the malicious payload under specific conditions — for example, only if the visitor came from a particular email campaign link, or only if they are in a certain organization, using a certain browser, from a specific IP range, etc. ",{"data":1174,"content":1175,"nodeType":243},{},[1176,1180,1189],{"data":1177,"marks":1178,"value":1179,"nodeType":247},{},[],"And even if the attacker only manages to reach your employee on their personal device, this can still be laundered into a corporate account compromise. Just look at the ",{"data":1181,"content":1183,"nodeType":393},{"uri":1182},"https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause",[1184],{"data":1185,"marks":1186,"value":1188,"nodeType":247},{},[1187],{"type":401},"2023 Okta breach",{"data":1190,"marks":1191,"value":1192,"nodeType":247},{},[],", where an attacker exploited the fact that an Okta employee had signed into a personal Google profile on their work device. This meant any credentials saved in their browser were synced to their personal device — including a customer support system service account providing access to 134 customer tenants. When their personal device got hacked, so too did all of their work credentials.",{"data":1194,"content":1195,"nodeType":243},{},[1196],{"data":1197,"marks":1198,"value":1199,"nodeType":247},{},[],"So, there’s plenty of scope for non-email phishing to result in targeted phishing campaigns. If anything, it’s arguably less work for the attacker to spin up these non-email campaigns than it is to do the necessary legwork to create and build up email sender reputation!",{"data":1201,"content":1202,"nodeType":288},{},[],{"data":1204,"content":1205,"nodeType":292},{},[1206],{"data":1207,"marks":1208,"value":1210,"nodeType":247},{},[1209],{"type":269},"Case study: LinkedIn spear-phishing",{"data":1212,"content":1213,"nodeType":243},{},[1214,1217,1226],{"data":1215,"marks":1216,"value":29,"nodeType":247},{},[],{"data":1218,"content":1220,"nodeType":393},{"uri":1219},"https://pushsecurity.com/blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack/",[1221],{"data":1222,"marks":1223,"value":1225,"nodeType":247},{},[1224],{"type":401},"Attackers recently ran a LinkedIn spear-phishing campaign targeting tech company execs.",{"data":1227,"marks":1228,"value":1229,"nodeType":247},{},[]," The victims were targeted via LinkedIn direct message from another exec about a fake investment opportunity. The sender’s account had been compromised and used to approach high-value targets. ",{"data":1231,"content":1232,"nodeType":243},{},[1233,1237,1246,1250,1259],{"data":1234,"marks":1235,"value":1236,"nodeType":247},{},[],"The attack led the victim through a chain of custom pages hosted on ",{"data":1238,"content":1240,"nodeType":393},{"uri":1239},"https://phishing-techniques.pushsecurity.com/techniques/trusted-website-hosting/",[1241],{"data":1242,"marks":1243,"value":1245,"nodeType":247},{},[1244],{"type":401},"legitimate sites",{"data":1247,"marks":1248,"value":1249,"nodeType":247},{},[]," (a well-known ",{"data":1251,"content":1253,"nodeType":393},{"uri":1252},"https://pushsecurity.com/resources/phishing-evolution?",[1254],{"data":1255,"marks":1256,"value":1258,"nodeType":247},{},[1257],{"type":401},"detection evasion technique",{"data":1260,"marks":1261,"value":1262,"nodeType":247},{},[],") such as Google Sites, Google Search, and Microsoft Dynamics, before serving up an Attacker-in-the-Middle phishing page impersonating Google Workspace, before serving up a session-stealing AitM phishing page. ",{"data":1264,"content":1268,"nodeType":272},{"target":1265},{"sys":1266},{"id":1267,"type":277,"linkType":278},"1cEvEzLdKIuj6zuGn9aWJB",[],{"data":1270,"content":1274,"nodeType":272},{"target":1271},{"sys":1272},{"id":1273,"type":277,"linkType":278},"6LfBXkDKqh1ogCMxaxyV6x",[],{"data":1276,"content":1277,"nodeType":288},{},[],{"data":1279,"content":1280,"nodeType":292},{},[1281],{"data":1282,"marks":1283,"value":1285,"nodeType":247},{},[1284],{"type":269},"Case study: Google Search malvertising",{"data":1287,"content":1288,"nodeType":243},{},[1289,1292,1301],{"data":1290,"marks":1291,"value":29,"nodeType":247},{},[],{"data":1293,"content":1295,"nodeType":393},{"uri":1294},"https://pushsecurity.com/blog/investigating-a-recent-malvertising-campaign-targeting-onfido-customers/",[1296],{"data":1297,"marks":1298,"value":1300,"nodeType":247},{},[1299],{"type":401},"A company was hit with a targeted Google ad",{"data":1302,"marks":1303,"value":1304,"nodeType":247},{},[]," which was designed to look highly convincing, and positioned above the legitimate ad. This took advantage of the fact that many users will search for login pages rather than accessing the site via bookmark. ",{"data":1306,"content":1307,"nodeType":243},{},[1308,1312,1321],{"data":1309,"marks":1310,"value":1311,"nodeType":247},{},[],"In this case, the attacker had made use of a ",{"data":1313,"content":1315,"nodeType":393},{"uri":1314},"https://phishing-techniques.pushsecurity.com/techniques/rentable-subdomains/",[1316],{"data":1317,"marks":1318,"value":1320,"nodeType":247},{},[1319],{"type":401},"rentable subdomain",{"data":1322,"marks":1323,"value":1324,"nodeType":247},{},[]," (us[.]com) to make the link appear highly legitimate, with only small changes to the real URL that were easy to miss. ",{"data":1326,"content":1327,"nodeType":243},{},[1328],{"data":1329,"marks":1330,"value":1331,"nodeType":247},{},[],"Instead of the real login, the link took the victim to a session-stealing AITM page.  ",{"data":1333,"content":1334,"nodeType":243},{},[1335,1339,1348],{"data":1336,"marks":1337,"value":1338,"nodeType":247},{},[],"This was later traced back to a ",{"data":1340,"content":1342,"nodeType":393},{"uri":1341},"https://pushsecurity.com/blog/scattered-spider-ttp-evolution-in-2025/",[1343],{"data":1344,"marks":1345,"value":1347,"nodeType":247},{},[1346],{"type":401},"Scattered Spider",{"data":1349,"marks":1350,"value":1351,"nodeType":247},{},[]," campaign.",{"data":1353,"content":1357,"nodeType":272},{"target":1354},{"sys":1355},{"id":1356,"type":277,"linkType":278},"5o1LEkZfeYVjMZmROi3Yh",[],{"data":1359,"content":1363,"nodeType":272},{"target":1360},{"sys":1361},{"id":1362,"type":277,"linkType":278},"4RAXFNPdvUXjMDUE7tc10a",[],{"data":1365,"content":1366,"nodeType":288},{},[],{"data":1368,"content":1369,"nodeType":292},{},[1370],{"data":1371,"marks":1372,"value":1374,"nodeType":247},{},[1373],{"type":269},"What can an attacker do with a compromised account? ",{"data":1376,"content":1377,"nodeType":243},{},[1378],{"data":1379,"marks":1380,"value":1381,"nodeType":247},{},[],"It’s important to think about the bigger picture when it comes to a modern phishing compromise. ",{"data":1383,"content":1384,"nodeType":243},{},[1385],{"data":1386,"marks":1387,"value":1388,"nodeType":247},{},[],"Most phishing attacks focus on core enterprise cloud platforms such as Microsoft and Google, or specialist Identity Providers like Okta. Taking over one of these accounts doesn’t just give access to the core apps and data within the respective app, but also enables the attacker to leverage SSO to sign into any connected app that the employee logs into with their account. ",{"data":1390,"content":1391,"nodeType":243},{},[1392,1396,1405,1409,1418],{"data":1393,"marks":1394,"value":1395,"nodeType":247},{},[],"This gives an attacker access to just about every core business function and dataset in your organization. And from this point, it’s much easier to target other users of these internal apps — using internal messenger apps like ",{"data":1397,"content":1399,"nodeType":393},{"uri":1398},"https://pushsecurity.com/blog/phishing-slack-persistence/",[1400],{"data":1401,"marks":1402,"value":1404,"nodeType":247},{},[1403],{"type":401},"Slack or Teams",{"data":1406,"marks":1407,"value":1408,"nodeType":247},{},[],", or techniques like ",{"data":1410,"content":1412,"nodeType":393},{"uri":1411},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/samljacking/description.md",[1413],{"data":1414,"marks":1415,"value":1417,"nodeType":247},{},[1416],{"type":401},"SAMLjacking",{"data":1419,"marks":1420,"value":1421,"nodeType":247},{},[]," to turn an app into a watering hole for other users trying to log in. ",{"data":1423,"content":1424,"nodeType":243},{},[1425],{"data":1426,"marks":1427,"value":1428,"nodeType":247},{},[],"A single account compromise can quickly snowball into a multi-million dollar, business-wide breach.",{"data":1430,"content":1431,"nodeType":288},{},[],{"data":1433,"content":1434,"nodeType":292},{},[1435],{"data":1436,"marks":1437,"value":1439,"nodeType":247},{},[1438],{"type":269},"What can organizations do about non-email phishing? ",{"data":1441,"content":1442,"nodeType":243},{},[1443],{"data":1444,"marks":1445,"value":1446,"nodeType":247},{},[],"It’s clear that the traditional anti-phishing toolset hasn’t kept up with phishing innovation. ",{"data":1448,"content":1449,"nodeType":243},{},[1450],{"data":1451,"marks":1452,"value":1453,"nodeType":247},{},[],"To tackle modern phishing attacks, organizations need a solution that detects and blocks phishing across all apps and delivery vectors. ",{"data":1455,"content":1456,"nodeType":243},{},[1457],{"data":1458,"marks":1459,"value":1460,"nodeType":247},{},[],"Push Security doesn’t detect the redirect tricks, or rely on outdated domain TI feeds. It doesn’t matter what delivery channel or camouflage methods are used, Push detects and blocks attacks by identifying the attack in real time, as the user loads and interacts with the page in their web browser.",{"data":1462,"content":1463,"nodeType":243},{},[1464],{"data":1465,"marks":1466,"value":1467,"nodeType":247},{},[],"Push’s browser-based security platform provides comprehensive identity attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, ClickFixing, malicious browser extensions, and session hijacking using stolen session tokens. ",{"data":1469,"content":1470,"nodeType":243},{},[1471,1474,1481,1484,1491],{"data":1472,"marks":1473,"value":797,"nodeType":247},{},[],{"data":1475,"content":1476,"nodeType":393},{"uri":802},[1477],{"data":1478,"marks":1479,"value":805,"nodeType":247},{},[1480],{"type":401},{"data":1482,"marks":1483,"value":810,"nodeType":247},{},[],{"data":1485,"content":1486,"nodeType":393},{"uri":815},[1487],{"data":1488,"marks":1489,"value":818,"nodeType":247},{},[1490],{"type":401},{"data":1492,"marks":1493,"value":823,"nodeType":247},{},[],"Why attackers are moving beyond email-based phishing","Why phishing attacks are moving away from exclusively email-based delivery, and what this means for security teams. \n","2025-09-18T00:00:00.000Z","why-attackers-are-moving-beyond-email-based-phishing",{"items":1499},[1500,1504],{"sys":1501,"name":1503},{"id":1502},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1505,"name":1507},{"id":1506},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1509},[1510],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":1511},{"url":236},{"__typename":927,"sys":1513,"content":1515,"title":2138,"synopsis":2139,"hashTags":62,"publishedDate":2140,"slug":2141,"tagsCollection":2142,"authorsCollection":2148},{"id":1514},"1u8RJxC00HbBhCBVxcDnkK",{"json":1516},{"nodeType":239,"data":1517,"content":1518},{},[1519,1565,1622,1637,1642,1649,1652,1660,1667,1674,1681,1701,1708,1714,1732,1738,1741,1749,1756,1765,1785,1792,1799,1806,1814,1821,1828,1834,1841,1874,1880,1888,1907,1914,1937,1944,1951,1957,1964,1967,1975,1989,2009,2016,2023,2030,2035,2043,2062,2065,2073,2080,2087,2094,2101,2127,2132],{"nodeType":243,"data":1520,"content":1521},{},[1522,1526,1535,1539,1548,1552,1561],{"nodeType":247,"value":1523,"marks":1524,"data":1525},"One of the biggest security trends in the past year has been the emergence of the attack technique known as ",[],{},{"nodeType":393,"data":1527,"content":1529},{"uri":1528},"https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/",[1530],{"nodeType":247,"value":1531,"marks":1532,"data":1534},"ClickFix",[1533],{"type":401},{},{"nodeType":247,"value":1536,"marks":1537,"data":1538},". Various reports indicate that ClickFix is fast becoming one of the most prevalent attack techniques this year, with ",[],{},{"nodeType":393,"data":1540,"content":1542},{"uri":1541},"https://www.scworld.com/news/clickfix-phishing-links-increased-nearly-400-in-12-months-report-says",[1543],{"nodeType":247,"value":1544,"marks":1545,"data":1547},"one study",[1546],{"type":401},{},{"nodeType":247,"value":1549,"marks":1550,"data":1551}," reporting that email-based ClickFix attacks have increased by 400% YOY, and ",[],{},{"nodeType":393,"data":1553,"content":1555},{"uri":1554},"https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h12025.pdf",[1556],{"nodeType":247,"value":1557,"marks":1558,"data":1560},"another",[1559],{"type":401},{},{"nodeType":247,"value":1562,"marks":1563,"data":1564}," highlighting a 517% increase in the past 6 months. ",[],{},{"nodeType":243,"data":1566,"content":1567},{},[1568,1572,1581,1584,1593,1596,1605,1609,1618],{"nodeType":247,"value":1569,"marks":1570,"data":1571},"ClickFix is known to be regularly used by the Interlock ransomware group and other prolific threat actors. A number of recent public data breaches have been linked to ClickFix attacks as the attack vector, such as ",[],{},{"nodeType":393,"data":1573,"content":1575},{"uri":1574},"https://www.bleepingcomputer.com/news/security/kettering-health-confirms-interlock-ransomware-behind-cyberattack/",[1576],{"nodeType":247,"value":1577,"marks":1578,"data":1580},"Kettering Health",[1579],{"type":401},{},{"nodeType":247,"value":1030,"marks":1582,"data":1583},[],{},{"nodeType":393,"data":1585,"content":1587},{"uri":1586},"https://www.bleepingcomputer.com/news/security/interlock-ransomware-claims-davita-attack-leaks-stolen-data/",[1588],{"nodeType":247,"value":1589,"marks":1590,"data":1592},"DaVita",[1591],{"type":401},{},{"nodeType":247,"value":1030,"marks":1594,"data":1595},[],{},{"nodeType":393,"data":1597,"content":1599},{"uri":1598},"https://www.infosecurity-magazine.com/news/st-paul-mayor-interlock-data-leak/",[1600],{"nodeType":247,"value":1601,"marks":1602,"data":1604},"City of St. Paul, Minnesota",[1603],{"type":401},{},{"nodeType":247,"value":1606,"marks":1607,"data":1608},", and the ",[],{},{"nodeType":393,"data":1610,"content":1612},{"uri":1611},"https://www.blackfog.com/texas-tech-cyberattack-1-4m-records-compromised/",[1613],{"nodeType":247,"value":1614,"marks":1615,"data":1617},"Texas Tech University Health Sciences Centers",[1616],{"type":401},{},{"nodeType":247,"value":1619,"marks":1620,"data":1621}," (with many more breaches likely to involve ClickFix where the attack vector wasn’t known or disclosed).",[],{},{"nodeType":243,"data":1623,"content":1624},{},[1625,1629,1633],{"nodeType":247,"value":1626,"marks":1627,"data":1628},"Push’s latest feature, ",[],{},{"nodeType":247,"value":734,"marks":1630,"data":1632},[1631],{"type":269},{},{"nodeType":247,"value":1634,"marks":1635,"data":1636},", tackles ClickFix-style attacks at the earliest opportunity through browser-based detection, with a universally effective control that works regardless of the lure delivery channel, or page style and structure. ",[],{},{"nodeType":272,"data":1638,"content":1641},{"target":1639},{"sys":1640},{"id":760,"type":277,"linkType":278},[],{"nodeType":243,"data":1643,"content":1644},{},[1645],{"nodeType":247,"value":1646,"marks":1647,"data":1648},"Before we get into the specifics of the feature, let’s take a look at what ClickFix is and why it poses a detection and response challenge to security teams.",[],{},{"nodeType":288,"data":1650,"content":1651},{},[],{"nodeType":292,"data":1653,"content":1654},{},[1655],{"nodeType":247,"value":1656,"marks":1657,"data":1659},"ClickFix 101",[1658],{"type":269},{},{"nodeType":243,"data":1661,"content":1662},{},[1663],{"nodeType":247,"value":1664,"marks":1665,"data":1666},"ClickFix attacks prompt the user to solve some kind of problem or challenge in the browser — most commonly a CAPTCHA, but also things like fixing an error on a webpage. The name is a little misleading though — the key factor in the attack is that they trick users into running malicious commands on their device by copying malicious code from the page clipboard and running it locally. (For simplicity we’ll keep calling it ClickFix, but we’re not happy about it.)",[],{},{"nodeType":243,"data":1668,"content":1669},{},[1670],{"nodeType":247,"value":1671,"marks":1672,"data":1673},"The copy action is either performed manually by the user, or automatically by the page. Manual copies typically include additional social engineering to lure the victim into hitting CTRL+C, while automatic copies are performed using JavaScript running on the page. Most ClickFix pages we've seen are automatic copies, which makes sense — fewer steps means the user is more likely to follow the instruction.",[],{},{"nodeType":243,"data":1675,"content":1676},{},[1677],{"nodeType":247,"value":1678,"marks":1679,"data":1680},"Most commonly, these attacks are used to deliver remote access software or infostealer malware using stolen session cookies and credentials to facilitate attacks on business apps and services. From there, the attacker simply dumps the data and holds the victim to ransom for its deletion — often dropping ransomware afterwards for double the extortion. ",[],{},{"nodeType":243,"data":1682,"content":1683},{},[1684,1688,1697],{"nodeType":247,"value":1685,"marks":1686,"data":1687},"The attack gives the victim instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Terminal, or PowerShell in order to “fix” the fake problem that they’re experiencing. Variants such as ",[],{},{"nodeType":393,"data":1689,"content":1691},{"uri":1690},"https://mrd0x.com/filefix-clickfix-alternative/",[1692],{"nodeType":247,"value":1693,"marks":1694,"data":1696},"FileFix",[1695],{"type":401},{},{"nodeType":247,"value":1698,"marks":1699,"data":1700}," have also emerged which instead use the File Explorer Address Bar to execute OS commands.",[],{},{"nodeType":243,"data":1702,"content":1703},{},[1704],{"nodeType":247,"value":1705,"marks":1706,"data":1707},"Links to malicious ClickFix pages are distributed over various delivery channels, with attacks shifting from traditional email-based delivery to social media, instant messaging apps, malicious ads in places like Google Search, and using in-app notifications and messages across numerous SaaS services. ",[],{},{"nodeType":272,"data":1709,"content":1713},{"target":1710},{"sys":1711},{"id":1712,"type":277,"linkType":278},"1I9ERDY2tuspw5zVMV5DbY",[],{"nodeType":243,"data":1715,"content":1716},{},[1717,1721,1728],{"nodeType":247,"value":1718,"marks":1719,"data":1720},"ClickFix comes in a variety of lures, including impersonating CAPTCHA, Cloudflare Turnstile, simulating an error loading a webpage, and many more. They have also been observed targeting a ",[],{},{"nodeType":393,"data":1722,"content":1723},{"uri":512},[1724],{"nodeType":247,"value":1725,"marks":1726,"data":1727},"wide range of services",[],{},{"nodeType":247,"value":1729,"marks":1730,"data":1731}," to execute code. ",[],{},{"nodeType":272,"data":1733,"content":1737},{"target":1734},{"sys":1735},{"id":1736,"type":277,"linkType":278},"1SG52ta1hcBZ3gYDsSJvsm",[],{"nodeType":288,"data":1739,"content":1740},{},[],{"nodeType":292,"data":1742,"content":1743},{},[1744],{"nodeType":247,"value":1745,"marks":1746,"data":1748},"Why are ClickFix attacks so effective?",[1747],{"type":269},{},{"nodeType":243,"data":1750,"content":1751},{},[1752],{"nodeType":247,"value":1753,"marks":1754,"data":1755},"To understand the effectiveness of ClickFix-style attacks, we need to look more closely at the mechanisms that security teams have at their disposal to counter these attacks. ",[],{},{"nodeType":1757,"data":1758,"content":1759},"heading-2",{},[1760],{"nodeType":247,"value":1761,"marks":1762,"data":1764},"Detection challenges during delivery",[1763],{"type":269},{},{"nodeType":243,"data":1766,"content":1767},{},[1768,1772,1781],{"nodeType":247,"value":1769,"marks":1770,"data":1771},"We’ve written extensively about ",[],{},{"nodeType":393,"data":1773,"content":1775},{"uri":1774},"https://pushsecurity.com/blog/phishing-detection-evasion-launch/",[1776],{"nodeType":247,"value":1777,"marks":1778,"data":1780},"the evolution in phishing techniques and tooling",[1779],{"type":401},{},{"nodeType":247,"value":1782,"marks":1783,"data":1784},", and what this means for the reliability of traditional detections at the network and endpoint layer. ",[],{},{"nodeType":243,"data":1786,"content":1787},{},[1788],{"nodeType":247,"value":1789,"marks":1790,"data":1791},"The latest generation of phishing pages are dynamically obfuscating the code that loads the web page, implementing custom bot protection (e.g. CAPTCHA or Cloudflare Turnstile), using runtime anti-analysis features, and using legitimate SaaS and cloud services to host and deliver phishing links to cover their tracks.",[],{},{"nodeType":243,"data":1793,"content":1794},{},[1795],{"nodeType":247,"value":1796,"marks":1797,"data":1798},"This means that traditional anti-phishing tools at the email and network layer are struggling to keep up, with many attacks evading email-based detections (or bypassing email altogether). At the same time, proxy-based solutions now see a garbled mess of JavaScript code without the necessary context of what is actually happening in the browser to be able to piece it together effectively. Even if they don’t realize it, this means many organizations are now relying solely on blocking known-bad sites and hosts — a wildly ineffective solution in 2025 with the rate that attackers refresh and rotate their phishing infrastructure. ",[],{},{"nodeType":243,"data":1800,"content":1801},{},[1802],{"nodeType":247,"value":1803,"marks":1804,"data":1805},"In addition to the fact that ClickFix page styles and content can vary significantly, this means that detecting ClickFix delivery using traditional tooling is highly unreliable. ",[],{},{"nodeType":1757,"data":1807,"content":1808},{},[1809],{"nodeType":247,"value":1810,"marks":1811,"data":1813},"Detection challenges during execution",[1812],{"type":269},{},{"nodeType":243,"data":1815,"content":1816},{},[1817],{"nodeType":247,"value":1818,"marks":1819,"data":1820},"Most of the detection heavy lifting is being done at the endpoint, looking for user-level code execution and malware running on a device. ",[],{},{"nodeType":243,"data":1822,"content":1823},{},[1824],{"nodeType":247,"value":1825,"marks":1826,"data":1827},"However, the number of ClickFix-related headlines in the news would indicate that endpoint controls are being routinely bypassed, or perhaps evaded altogether by targeting personal or BYOD devices. ",[],{},{"nodeType":272,"data":1829,"content":1833},{"target":1830},{"sys":1831},{"id":1832,"type":277,"linkType":278},"pocty4OhER5EXr8BDwdzo",[],{"nodeType":243,"data":1835,"content":1836},{},[1837],{"nodeType":247,"value":1838,"marks":1839,"data":1840},"There are a number of reasons that endpoint-level ClickFix detections can be bypassed:",[],{},{"nodeType":337,"data":1842,"content":1843},{},[1844,1854,1864],{"nodeType":341,"data":1845,"content":1846},{},[1847],{"nodeType":243,"data":1848,"content":1849},{},[1850],{"nodeType":247,"value":1851,"marks":1852,"data":1853},"The step of downloading a file from the web is bypassed altogether. In a ClickFix/FileFix attack, the initial “dropper” is essentially a command string provided by the attacker and executed by legitimate system utilities. There is often no new executable file written to disk when the user runs the command. The final payload may be loaded directly into memory or injected into trusted programs (using living-off-the-land techniques). Without a file to quarantine, there's no \"Mark of the Web\" to make it appear suspicious. ",[],{},{"nodeType":341,"data":1855,"content":1856},{},[1857],{"nodeType":243,"data":1858,"content":1859},{},[1860],{"nodeType":247,"value":1861,"marks":1862,"data":1863},"From the EDR’s point of view, a trusted parent process is launching a script – which might not immediately be judged as malicious, especially if the command is obfuscated or uses allowed system functions. Since the action is initiated by the user, it blends in with normal user-driven administration tasks. ",[],{},{"nodeType":341,"data":1865,"content":1866},{},[1867],{"nodeType":243,"data":1868,"content":1869},{},[1870],{"nodeType":247,"value":1871,"marks":1872,"data":1873},"The PowerShell commands themselves might be obfuscated or broken into stages to avoid easy detection by heuristic rules. EDR telemetry might record that a PowerShell process ran, but without a known bad signature or a clear policy violation, it may not flag it immediately. ",[],{},{"nodeType":272,"data":1875,"content":1879},{"target":1876},{"sys":1877},{"id":1878,"type":277,"linkType":278},"6djGsqBFTHlLLITpTK7IMk",[],{"nodeType":1757,"data":1881,"content":1882},{},[1883],{"nodeType":247,"value":1884,"marks":1885,"data":1887},"Accessing ClickFix-style capabilities is easier than ever",[1886],{"type":269},{},{"nodeType":243,"data":1889,"content":1890},{},[1891,1895,1903],{"nodeType":247,"value":1892,"marks":1893,"data":1894},"This capability is increasingly available to all levels of threat actor, with ",[],{},{"nodeType":393,"data":1896,"content":1897},{"uri":1528},[1898],{"nodeType":247,"value":1899,"marks":1900,"data":1902},"off-the-shelf options available",[1901],{"type":401},{},{"nodeType":247,"value":1904,"marks":1905,"data":1906}," in the form of ClickFix builders (also called “Win + R”) on popular hacker forums since late 2024. ",[],{},{"nodeType":243,"data":1908,"content":1909},{},[1910],{"nodeType":247,"value":1911,"marks":1912,"data":1913},"Attackers are bundling ClickFix builders into their existing kits to:",[],{},{"nodeType":337,"data":1915,"content":1916},{},[1917,1927],{"nodeType":341,"data":1918,"content":1919},{},[1920],{"nodeType":243,"data":1921,"content":1922},{},[1923],{"nodeType":247,"value":1924,"marks":1925,"data":1926},"Use pre-canned landing pages with various lures including Cloudflare. ",[],{},{"nodeType":341,"data":1928,"content":1929},{},[1930],{"nodeType":243,"data":1931,"content":1932},{},[1933],{"nodeType":247,"value":1934,"marks":1935,"data":1936},"Offer construction of malicious commands that users will paste into the Windows Run dialog. ",[],{},{"nodeType":243,"data":1938,"content":1939},{},[1940],{"nodeType":247,"value":1941,"marks":1942,"data":1943},"These kits claim to guarantee antivirus and web protection bypass (some even promise that they can bypass Microsoft Defender SmartScreen), as well as payload persistence. The cost of subscription to such a service might be between US$200 to US$1,500 per month. ",[],{},{"nodeType":243,"data":1945,"content":1946},{},[1947],{"nodeType":247,"value":1948,"marks":1949,"data":1950},"In short, these capabilities are increasingly accessible to the general population of hackers, and it is increasingly in the interests of malware developers to offer premium hacker tools designed to bypass current detections. ",[],{},{"nodeType":272,"data":1952,"content":1956},{"target":1953},{"sys":1954},{"id":1955,"type":277,"linkType":278},"5hkRsOBZCOABAShCo8RjJg",[],{"nodeType":243,"data":1958,"content":1959},{},[1960],{"nodeType":247,"value":1961,"marks":1962,"data":1963},"In any case, relying on just-in-time detection at the point of execution is increasingly unreliable and will always be at the mercy of the cat-and-mouse game between attackers and defenders. Organizations employing custom detections looking for specific malware behavior are likely to have better success than those relying on out-of-the-box EDR configs, but this requires continual maintenance to be effective. ",[],{},{"nodeType":288,"data":1965,"content":1966},{},[],{"nodeType":292,"data":1968,"content":1969},{},[1970],{"nodeType":247,"value":1971,"marks":1972,"data":1974},"Solving ClickFix detection in the browser with Push",[1973],{"type":269},{},{"nodeType":243,"data":1976,"content":1977},{},[1978,1981,1985],{"nodeType":247,"value":1626,"marks":1979,"data":1980},[],{},{"nodeType":247,"value":734,"marks":1982,"data":1984},[1983],{"type":269},{},{"nodeType":247,"value":1986,"marks":1987,"data":1988},", tackles ClickFix-style attacks at the earliest opportunity through browser-based detection and blocking, with a universally effective control that works regardless of the lure delivery channel, page style and structure, or the specifics of the malware type and execution.",[],{},{"nodeType":243,"data":1990,"content":1991},{},[1992,1996,2005],{"nodeType":247,"value":1993,"marks":1994,"data":1995},"A key part of our design philosophy is to find ways to universally detect attacker TTPs by analyzing generic attacker actions that can’t be avoided by the attacker. One of our best prior examples of this is with our ",[],{},{"nodeType":393,"data":1997,"content":1999},{"uri":1998},"https://pushsecurity.com/blog/introducing-sso-password-protection/",[2000],{"nodeType":247,"value":2001,"marks":2002,"data":2004},"password protection feature",[2003],{"type":401},{},{"nodeType":247,"value":2006,"marks":2007,"data":2008},", which detects and blocks phishing attacks by triggering when a user attempts to enter a password that belongs to one domain on a different domain. ",[],{},{"nodeType":243,"data":2010,"content":2011},{},[2012],{"nodeType":247,"value":2013,"marks":2014,"data":2015},"In the case of ClickFix, every attack involves copying a malicious script from a page — a behavior the attacker can’t avoid.",[],{},{"nodeType":243,"data":2017,"content":2018},{},[2019],{"nodeType":247,"value":2020,"marks":2021,"data":2022},"Unlike heavy-handed DLP solutions that block copy-paste altogether, Push protects your employees without disrupting their user experience or hampering productivity. ",[],{},{"nodeType":243,"data":2024,"content":2025},{},[2026],{"nodeType":247,"value":2027,"marks":2028,"data":2029},"Check out the video below to see Push in action. ",[],{},{"nodeType":272,"data":2031,"content":2034},{"target":2032},{"sys":2033},{"id":760,"type":277,"linkType":278},[],{"nodeType":1757,"data":2036,"content":2037},{},[2038],{"nodeType":247,"value":2039,"marks":2040,"data":2042},"Enable ClickFix detection in just a few clicks",[2041],{"type":269},{},{"nodeType":243,"data":2044,"content":2045},{},[2046,2050,2058],{"nodeType":247,"value":2047,"marks":2048,"data":2049},"Check out the ",[],{},{"nodeType":393,"data":2051,"content":2053},{"uri":2052},"https://pushsecurity.com/help/10141/#start",[2054],{"nodeType":247,"value":2055,"marks":2056,"data":2057},"help article",[],{},{"nodeType":247,"value":2059,"marks":2060,"data":2061}," for step-by-step instructions on how to enable the control. ",[],{},{"nodeType":288,"data":2063,"content":2064},{},[],{"nodeType":292,"data":2066,"content":2067},{},[2068],{"nodeType":247,"value":2069,"marks":2070,"data":2072},"Learn more about Push",[2071],{"type":269},{},{"nodeType":243,"data":2074,"content":2075},{},[2076],{"nodeType":247,"value":2077,"marks":2078,"data":2079},"Push provides last mile protection against browser-based attacks, adding a net-new layer of technical protection in the browser. ",[],{},{"nodeType":243,"data":2081,"content":2082},{},[2083],{"nodeType":247,"value":2084,"marks":2085,"data":2086},"Right now, most organizations are left relying on user awareness. Faced with increasingly novel attack types, encountered all over the internet, users are being caught unawares — further reducing the efficacy of an already fragile control. ",[],{},{"nodeType":243,"data":2088,"content":2089},{},[2090],{"nodeType":247,"value":2091,"marks":2092,"data":2093},"By seeing what the user sees in the browser, as they see it, as well as monitoring for risky behaviors, Push provides a strong backstop against an ever-expanding landscape of browser-based exploits. ",[],{},{"nodeType":243,"data":2095,"content":2096},{},[2097],{"nodeType":247,"value":2098,"marks":2099,"data":2100},"Push’s browser-based security platform provides comprehensive identity attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, ClickFixing, malicious browser extensions, and session hijacking using stolen session tokens. You can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",[],{},{"nodeType":243,"data":2102,"content":2103},{},[2104,2107,2114,2117,2124],{"nodeType":247,"value":797,"marks":2105,"data":2106},[],{},{"nodeType":393,"data":2108,"content":2109},{"uri":802},[2110],{"nodeType":247,"value":805,"marks":2111,"data":2113},[2112],{"type":401},{},{"nodeType":247,"value":810,"marks":2115,"data":2116},[],{},{"nodeType":393,"data":2118,"content":2119},{"uri":815},[2120],{"nodeType":247,"value":818,"marks":2121,"data":2123},[2122],{"type":401},{},{"nodeType":247,"value":823,"marks":2125,"data":2126},[],{},{"nodeType":272,"data":2128,"content":2131},{"target":2129},{"sys":2130},{"id":1878,"type":277,"linkType":278},[],{"nodeType":243,"data":2133,"content":2134},{},[2135],{"nodeType":247,"value":29,"marks":2136,"data":2137},[],{},"Introducing malicious copy and paste detection","Push now detects malware delivery in the browser, supporting a layered defense against endpoint attacks. ","2025-10-09T00:00:00.000Z","introducing-malicious-copy-paste-detection",{"items":2143},[2144,2146],{"sys":2145,"name":1507},{"id":1506},{"sys":2147,"name":1503},{"id":1502},{"items":2149},[2150],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":2151},{"url":236},{"__typename":927,"sys":2153,"content":2155,"title":2800,"synopsis":2801,"hashTags":62,"publishedDate":2802,"slug":2803,"tagsCollection":2804,"authorsCollection":2810},{"id":2154},"62Zyr35VUmijkpupWk3hoD",{"json":2156},{"data":2157,"content":2158,"nodeType":239},{},[2159,2175,2182,2185,2193,2200,2207,2227,2233,2240,2247,2254,2261,2264,2272,2279,2285,2292,2300,2307,2314,2320,2340,2346,2353,2359,2366,2371,2374,2382,2398,2405,2435,2442,2449,2455,2462,2469,2476,2479,2487,2506,2512,2519,2526,2532,2539,2546,2549,2557,2564,2584,2628,2635,2642,2649,2652,2660,2667,2674,2681,2684,2692,2699,2730,2750,2757,2760,2768,2775,2782],{"data":2160,"content":2161,"nodeType":243},{},[2162,2166,2171],{"data":2163,"marks":2164,"value":2165,"nodeType":247},{},[],"The view that \"the browser is the new endpoint\" and \"the new battleground for cyber attacks\" is becoming increasingly advocated by security leaders. But what does this ",{"data":2167,"marks":2168,"value":2170,"nodeType":247},{},[2169],{"type":1005},"actually",{"data":2172,"marks":2173,"value":2174,"nodeType":247},{},[]," mean for security teams? ",{"data":2176,"content":2177,"nodeType":243},{},[2178],{"data":2179,"marks":2180,"value":2181,"nodeType":247},{},[],"In this article, we’re cutting out the jargon to explore what a browser-based attack is, and what’s required for effective detection and response. ",{"data":2183,"content":2184,"nodeType":288},{},[],{"data":2186,"content":2187,"nodeType":292},{},[2188],{"data":2189,"marks":2190,"value":2192,"nodeType":247},{},[2191],{"type":269},"What is the goal of a browser-based attack?   ",{"data":2194,"content":2195,"nodeType":243},{},[2196],{"data":2197,"marks":2198,"value":2199,"nodeType":247},{},[],"First, it’s important to establish what the point of a browser-based attack is.",{"data":2201,"content":2202,"nodeType":243},{},[2203],{"data":2204,"marks":2205,"value":2206,"nodeType":247},{},[],"In most scenarios, attackers don’t think of themselves as attacking your web browser. Their end-goal is to compromise your business apps and data. That means going after the third-party apps and services that are now the backbone of business IT — and therefore the top target for attackers. ",{"data":2208,"content":2209,"nodeType":243},{},[2210,2214,2223],{"data":2211,"marks":2212,"value":2213,"nodeType":247},{},[],"The most common attack path today sees attackers log into third-party services, dump the data, and monetize it through extortion. You need only look at last year’s ",{"data":2215,"content":2217,"nodeType":393},{"uri":2216},"https://pushsecurity.com/blog/snowflake-retro?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[2218],{"data":2219,"marks":2220,"value":2222,"nodeType":247},{},[2221],{"type":401},"Snowflake",{"data":2224,"marks":2225,"value":2226,"nodeType":247},{},[]," customer breaches or the still-ongoing Salesforce attacks to see the impact.",{"data":2228,"content":2232,"nodeType":272},{"target":2229},{"sys":2230},{"id":2231,"type":277,"linkType":278},"5agrVXzEdwALmew2F5SPDp",[],{"data":2234,"content":2235,"nodeType":243},{},[2236],{"data":2237,"marks":2238,"value":2239,"nodeType":247},{},[],"The most logical way to do this is by targeting users of those apps. And because of the changes to working practices, your users are more accessible than ever to external attackers.",{"data":2241,"content":2242,"nodeType":243},{},[2243],{"data":2244,"marks":2245,"value":2246,"nodeType":247},{},[],"Once upon a time, email was the primary communication channel with the wider world, and work happened locally — on your device, and inside your locked-down network environment. This made email and the endpoint the highest priority from a security perspective. But now, with modern work happening across a network of decentralized internet apps, and more varied communication channels outside of email, it’s harder to stop users from interacting with malicious content (at least, without significantly impeding their ability to do their jobs).",{"data":2248,"content":2249,"nodeType":243},{},[2250],{"data":2251,"marks":2252,"value":2253,"nodeType":247},{},[],"Given that the browser is the place where business apps are accessed and used, it makes sense that attacks are increasingly playing out there too. ",{"data":2255,"content":2256,"nodeType":243},{},[2257],{"data":2258,"marks":2259,"value":2260,"nodeType":247},{},[],"With that covered off, let’s take a closer look at the most prevalent browser-based attack techniques being used by attackers in the wild today.",{"data":2262,"content":2263,"nodeType":288},{},[],{"data":2265,"content":2266,"nodeType":292},{},[2267],{"data":2268,"marks":2269,"value":2271,"nodeType":247},{},[2270],{"type":269},"The 6 key browser-based attacks that security teams need to know about",{"data":2273,"content":2274,"nodeType":243},{},[2275],{"data":2276,"marks":2277,"value":2278,"nodeType":247},{},[],"Attacks that target users in their web browsers have seen an unprecedented rise in recent years. ",{"data":2280,"content":2284,"nodeType":272},{"target":2281},{"sys":2282},{"id":2283,"type":277,"linkType":278},"4ogNqZdObSIJXavHP44lom",[],{"data":2286,"content":2287,"nodeType":243},{},[2288],{"data":2289,"marks":2290,"value":2291,"nodeType":247},{},[],"Here's our breakdown of the top 6 browser-based attacks that should be on every security team's radar right now. ",{"data":2293,"content":2294,"nodeType":1757},{},[2295],{"data":2296,"marks":2297,"value":2299,"nodeType":247},{},[2298],{"type":269},"1. Phishing for credentials and sessions",{"data":2301,"content":2302,"nodeType":243},{},[2303],{"data":2304,"marks":2305,"value":2306,"nodeType":247},{},[],"The most direct way for an attacker to compromise a business application is to phish a user of that app. You might not necessarily think of phishing as a browser-based attack, but that’s exactly what it is today. ",{"data":2308,"content":2309,"nodeType":243},{},[2310],{"data":2311,"marks":2312,"value":2313,"nodeType":247},{},[],"Phishing tooling and infrastructure has evolved a lot in the past decade, while the changes to business IT means there are both many more vectors for phishing attack delivery, and apps and identities to target. Attackers can deliver links over instant messenger apps, social media, SMS, malicious ads, and using in-app messenger functionality, as well as sending emails directly from SaaS services to bypass email-based checks. Likewise, there are now hundreds of apps per enterprise to target, with varying levels of account security configuration. ",{"data":2315,"content":2319,"nodeType":272},{"target":2316},{"sys":2317},{"id":2318,"type":277,"linkType":278},"3SrKOgpedLMQRpKIZqUQur",[],{"data":2321,"content":2322,"nodeType":243},{},[2323,2327,2336],{"data":2324,"marks":2325,"value":2326,"nodeType":247},{},[],"Whereas phishing was once entirely focused on credential theft, modern phishing attacks see the attacker intercept the victim’s session on the target app, using reverse-proxy Attacker-in-the-Middle kits that are the standard choice for attackers today. This means most forms of MFA can be bypassed, with the exception of passkeys (though attackers are finding ways to work around passkeys using ",{"data":2328,"content":2330,"nodeType":393},{"uri":2329},"https://pushsecurity.com/blog/mfa-downgrade-attacks/?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[2331],{"data":2332,"marks":2333,"value":2335,"nodeType":247},{},[2334],{"type":401},"downgrade attacks",{"data":2337,"marks":2338,"value":2339,"nodeType":247},{},[],"). ",{"data":2341,"content":2345,"nodeType":272},{"target":2342},{"sys":2343},{"id":2344,"type":277,"linkType":278},"2sOFEdAwQZjWOGzNAlGavb",[],{"data":2347,"content":2348,"nodeType":243},{},[2349],{"data":2350,"marks":2351,"value":2352,"nodeType":247},{},[],"There are other key differences to be aware of too. Today, phishing operates on an industrial scale, using an array of obfuscation and detection evasion techniques. The latest generation of fully customized AitM phishing kits are dynamically obfuscating the code that loads the web page, implementing custom bot protection (e.g. CAPTCHA or Cloudflare Turnstile), using runtime anti-analysis features, and using legitimate SaaS and cloud services to host and deliver phishing links to cover their tracks.",{"data":2354,"content":2355,"nodeType":243},{},[2356],{"data":2357,"marks":2358,"value":1796,"nodeType":247},{},[],{"data":2360,"content":2361,"nodeType":243},{},[2362],{"data":2363,"marks":2364,"value":2365,"nodeType":247},{},[],"These changes make phishing more effective than ever, and increasingly difficult to detect and block without being able to observe and analyze web pages that a user interacts with in real time — something only possible with browser-level visibility. ",{"data":2367,"content":2370,"nodeType":272},{"target":2368},{"sys":2369},{"id":1097,"type":277,"linkType":278},[],{"data":2372,"content":2373,"nodeType":288},{},[],{"data":2375,"content":2376,"nodeType":1757},{},[2377],{"data":2378,"marks":2379,"value":2381,"nodeType":247},{},[2380],{"type":269},"2. Malicious copy and paste (aka. ClickFix, FileFix, etc.)",{"data":2383,"content":2384,"nodeType":243},{},[2385,2388,2395],{"data":2386,"marks":2387,"value":1523,"nodeType":247},{},[],{"data":2389,"content":2390,"nodeType":393},{"uri":1528},[2391],{"data":2392,"marks":2393,"value":1531,"nodeType":247},{},[2394],{"type":401},{"data":2396,"marks":2397,"value":443,"nodeType":247},{},[],{"data":2399,"content":2400,"nodeType":243},{},[2401],{"data":2402,"marks":2403,"value":2404,"nodeType":247},{},[],"Originally known as “Fake CAPTCHA”, these attacks attempt to trick users into running malicious commands on their device — typically by solving some form of verification challenge in the browser. ",{"data":2406,"content":2407,"nodeType":243},{},[2408,2412,2419,2423,2432],{"data":2409,"marks":2410,"value":2411,"nodeType":247},{},[],"In reality, by solving the challenge, the victim is actually copying malicious code from the page clipboard and running it on their device. It typically gives the victim instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Terminal, or PowerShell. Variants such as ",{"data":2413,"content":2414,"nodeType":393},{"uri":1690},[2415],{"data":2416,"marks":2417,"value":1693,"nodeType":247},{},[2418],{"type":401},{"data":2420,"marks":2421,"value":2422,"nodeType":247},{},[]," have also emerged which instead uses the File Explorer Address Bar to execute OS commands, while recent examples have seen this attack branch out to ",{"data":2424,"content":2426,"nodeType":393},{"uri":2425},"https://www.bleepingcomputer.com/news/security/fake-mac-fixes-trick-users-into-installing-new-shamos-infostealer/",[2427],{"data":2428,"marks":2429,"value":2431,"nodeType":247},{},[2430],{"type":401},"Mac via the macOS terminal",{"data":2433,"marks":2434,"value":823,"nodeType":247},{},[],{"data":2436,"content":2437,"nodeType":243},{},[2438],{"data":2439,"marks":2440,"value":2441,"nodeType":247},{},[],"Most commonly, these attacks are used to deliver infostealer malware, using stolen session cookies and credentials to access business apps and services. ",{"data":2443,"content":2444,"nodeType":243},{},[2445],{"data":2446,"marks":2447,"value":2448,"nodeType":247},{},[],"Like modern credential and session phishing, links to malicious pages are distributed over various delivery channels and using a variety of lures, including impersonating CAPTCHA, Cloudflare Turnstile, simulating an error loading a webpage, and many more. ",{"data":2450,"content":2454,"nodeType":272},{"target":2451},{"sys":2452},{"id":2453,"type":277,"linkType":278},"6O9YiOfhpGFCDsTil9F3On",[],{"data":2456,"content":2457,"nodeType":243},{},[2458],{"data":2459,"marks":2460,"value":2461,"nodeType":247},{},[],"The variance in lure, and differences between different versions of the same lure, can make it difficult to fingerprint and detect based on visual elements alone. Also, many of the same protections being used to obfuscate and prevent analysis of phishing pages also apply to ClickFix pages, making it equally challenging to detect and block them. ",{"data":2463,"content":2464,"nodeType":243},{},[2465],{"data":2466,"marks":2467,"value":2468,"nodeType":247},{},[],"This leaves most of the detection and blocking down to endpoint-layer controls around user-level code execution and malware running on a device. The quantity of ClickFix-related headlines in the news would indicate that endpoint controls are being routinely bypassed, or perhaps evaded altogether by targeting personal or BYOD devices. ",{"data":2470,"content":2471,"nodeType":243},{},[2472],{"data":2473,"marks":2474,"value":2475,"nodeType":247},{},[],"There is a significant opportunity to detect these attacks in the browser and stop them at the earliest opportunity, before they reach the endpoint. Every ClickFix attack and variant has a key action in common — malicious code is copied from the page’s clipboard. In some cases, this happens without any user interaction (where the only requirement on the user is to run code that has been silently copied behind the scenes), presenting a strong indicator of malicious behavior that can be observed in the browser. ",{"data":2477,"content":2478,"nodeType":288},{},[],{"data":2480,"content":2481,"nodeType":1757},{},[2482],{"data":2483,"marks":2484,"value":2486,"nodeType":247},{},[2485],{"type":269},"3. Malicious OAuth integrations",{"data":2488,"content":2489,"nodeType":243},{},[2490,2494,2502],{"data":2491,"marks":2492,"value":2493,"nodeType":247},{},[],"Malicious OAuth integrations are another way for attackers to compromise an app by tricking a user into authorizing an integration with a malicious, attacker-controlled app, with the level of data access and functionality dictated by the scopes authorized in the request. This is also known as ",{"data":2495,"content":2497,"nodeType":393},{"uri":2496},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/consent_phishing/description.md",[2498],{"data":2499,"marks":2500,"value":2501,"nodeType":247},{},[],"consent phishing",{"data":2503,"marks":2504,"value":2505,"nodeType":247},{},[],". ",{"data":2507,"content":2511,"nodeType":272},{"target":2508},{"sys":2509},{"id":2510,"type":277,"linkType":278},"5JaP4WSfFsFSbvaa9BQBOq",[],{"data":2513,"content":2514,"nodeType":243},{},[2515],{"data":2516,"marks":2517,"value":2518,"nodeType":247},{},[],"This is an effective way for attackers to bypass hardened authentication and access controls by sidestepping the typical login process to take over an account and compromise business apps. This includes phishing-resistant MFA methods like passkeys — since the standard login process does not apply. ",{"data":2520,"content":2521,"nodeType":243},{},[2522],{"data":2523,"marks":2524,"value":2525,"nodeType":247},{},[],"A variant of this attack has dominated the headlines recently with the ongoing Salesforce breaches. In this scenario, the attacker tricked the victim into authorizing an attacker-controlled OAuth app via the device code authorization flow in Salesforce, which requires the user to enter an 8-digit code in place of a password or MFA factor.",{"data":2527,"content":2531,"nodeType":272},{"target":2528},{"sys":2529},{"id":2530,"type":277,"linkType":278},"3odEFcUcpKN553gHh2P5yr",[],{"data":2533,"content":2534,"nodeType":243},{},[2535],{"data":2536,"marks":2537,"value":2538,"nodeType":247},{},[],"Preventing malicious OAuth grants being authorized requires tight in-app management of user permissions and tenant security settings. This is no mean feat when considering the 100s of apps in use across the modern enterprise, many of which are not centrally managed by IT and security teams (or in some cases, are completely unknown to them). Even then, you’re limited by the controls made available by the app vendor. In this case, Salesforce has announced planned changes to OAuth app authorization in order to improve security prompted by these attacks — but many more apps with insecure configs exist for attackers to take advantage of in future. ",{"data":2540,"content":2541,"nodeType":243},{},[2542],{"data":2543,"marks":2544,"value":2545,"nodeType":247},{},[],"However, unlike app-specific integrations, browser-based security tools are well positioned to observe OAuth grants across all apps accessed in the browser — even the ones the security team doesn’t manage or know about, or without needing to pay for the app’s special security add-on to get visibility.",{"data":2547,"content":2548,"nodeType":288},{},[],{"data":2550,"content":2551,"nodeType":1757},{},[2552],{"data":2553,"marks":2554,"value":2556,"nodeType":247},{},[2555],{"type":269},"4. Malicious browser extensions",{"data":2558,"content":2559,"nodeType":243},{},[2560],{"data":2561,"marks":2562,"value":2563,"nodeType":247},{},[],"Malicious browser extensions are another way for attackers to compromise your business apps by observing and capturing logins as they happen, and/or extracting session cookies and credentials saved in the browser cache and password manager. ",{"data":2565,"content":2566,"nodeType":243},{},[2567,2571,2580],{"data":2568,"marks":2569,"value":2570,"nodeType":247},{},[],"Attackers do this by creating their own malicious extension and tricking your users into installing it, or taking over an existing extension to gain access to browsers where it is already installed (",{"data":2572,"content":2574,"nodeType":393},{"uri":2573},"https://secureannex.com/blog/buying-browser-extensions/",[2575],{"data":2576,"marks":2577,"value":2579,"nodeType":247},{},[2578],{"type":401},"it’s very easy for attackers to buy and add malicious updates to existing extensions",{"data":2581,"marks":2582,"value":2583,"nodeType":247},{},[],", easily passing extension web store security checks). ",{"data":2585,"content":2586,"nodeType":243},{},[2587,2591,2600,2604,2613,2616,2625],{"data":2588,"marks":2589,"value":2590,"nodeType":247},{},[],"The news around extension-based compromises has been on the rise since the ",{"data":2592,"content":2594,"nodeType":393},{"uri":2593},"https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/",[2595],{"data":2596,"marks":2597,"value":2599,"nodeType":247},{},[2598],{"type":401},"Cyberhaven extension",{"data":2601,"marks":2602,"value":2603,"nodeType":247},{},[]," was hacked in December 2024, along with at least 35 other extensions. Since then, there has been regular reporting on data-stealing extensions ",{"data":2605,"content":2607,"nodeType":393},{"uri":2606},"https://www.bleepingcomputer.com/news/security/data-stealing-chrome-extensions-impersonate-fortinet-youtube-vpns/",[2608],{"data":2609,"marks":2610,"value":2612,"nodeType":247},{},[2611],{"type":401},"impersonating legitimate brands",{"data":2614,"marks":2615,"value":1043,"nodeType":247},{},[],{"data":2617,"content":2619,"nodeType":393},{"uri":2618},"https://www.bleepingcomputer.com/news/security/chrome-extensions-with-6-million-installs-have-hidden-tracking-code/",[2620],{"data":2621,"marks":2622,"value":2624,"nodeType":247},{},[2623],{"type":401},"impacting millions of users",{"data":2626,"marks":2627,"value":823,"nodeType":247},{},[],{"data":2629,"content":2630,"nodeType":243},{},[2631],{"data":2632,"marks":2633,"value":2634,"nodeType":247},{},[],"Risky browser extension permissions include broad data access, the ability to modify website content, track user activity, capture screenshots, and manage tabs or network requests. Permissions like \"read and change all data on all websites\" or access to cookies and browsing history are particularly dangerous as they can be exploited for session hijacking, data theft, malware injection, or phishing.",{"data":2636,"content":2637,"nodeType":243},{},[2638],{"data":2639,"marks":2640,"value":2641,"nodeType":247},{},[],"Generally, your employees should not be randomly installing browser extensions unless pre-approved by your security team. The reality, however, is that many organizations have very little visibility of the extensions their employees are using, and the potential risk they’re exposed to as a result. ",{"data":2643,"content":2644,"nodeType":243},{},[2645],{"data":2646,"marks":2647,"value":2648,"nodeType":247},{},[],"To tackle malicious extensions, security tools operating in the browser can track the browser extensions deployed, highlight risky permissions, compare with known-malicious extensions, identify fraudulent/unofficial versions of a legitimate extension, and highlight other risky properties commonly associated with malicious extensions (e.g. “Developer” extensions). ",{"data":2650,"content":2651,"nodeType":288},{},[],{"data":2653,"content":2654,"nodeType":1757},{},[2655],{"data":2656,"marks":2657,"value":2659,"nodeType":247},{},[2658],{"type":269},"5. Malicious file delivery",{"data":2661,"content":2662,"nodeType":243},{},[2663],{"data":2664,"marks":2665,"value":2666,"nodeType":247},{},[],"Malicious files have been a core part of malware delivery and credential theft for many years. Just as non-email channels like malvertising and drive-by attacks are used to deliver phishing and ClickFix lures, malicious files are also distributed through similar means — leaving malicious file detection to basic known-bad checks, sandbox analysis using a proxy (not that useful in the context of sandbox-aware malware) or runtime analysis on the endpoint. ",{"data":2668,"content":2669,"nodeType":243},{},[2670],{"data":2671,"marks":2672,"value":2673,"nodeType":247},{},[],"This doesn’t just have to be malicious executables directly dropping malware onto the device. File downloads can also contain additional links taking the user to malicious content. In fact, one of the most common types of downloadable content are HTML Applications (HTAs), commonly used to spawn local phishing pages to stealthily capture credentials. More recently, attackers have been weaponizing SVG files for a similar purpose, running as self-contained phishing pages that render fake login portals entirely client-side. ",{"data":2675,"content":2676,"nodeType":243},{},[2677],{"data":2678,"marks":2679,"value":2680,"nodeType":247},{},[],"Even if malicious content cannot always be flagged from surface-level inspection of a file, recording file downloads in the browser is a useful addition to endpoint-based malware protection, and provides another layer of defense against file downloads that perform client-side attacks, or redirect the user to malicious web-based content. ",{"data":2682,"content":2683,"nodeType":288},{},[],{"data":2685,"content":2686,"nodeType":1757},{},[2687],{"data":2688,"marks":2689,"value":2691,"nodeType":247},{},[2690],{"type":269},"6. Stolen credentials and MFA gaps",{"data":2693,"content":2694,"nodeType":243},{},[2695],{"data":2696,"marks":2697,"value":2698,"nodeType":247},{},[],"This last one isn’t so much a browser-based attack, but it is a product of them. When credentials are stolen through phishing or infostealer malware they can be used to take over accounts missing MFA. ",{"data":2700,"content":2701,"nodeType":243},{},[2702,2706,2713,2717,2726],{"data":2703,"marks":2704,"value":2705,"nodeType":247},{},[],"This isn’t the most sophisticated attack, but it’s very effective. You need only look at last year’s ",{"data":2707,"content":2708,"nodeType":393},{"uri":2216},[2709],{"data":2710,"marks":2711,"value":2222,"nodeType":247},{},[2712],{"type":401},{"data":2714,"marks":2715,"value":2716,"nodeType":247},{},[]," account compromises or the ",{"data":2718,"content":2720,"nodeType":393},{"uri":2719},"https://pushsecurity.com/blog/why-attackers-are-targeting-jira-with-stolen-credentials?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[2721],{"data":2722,"marks":2723,"value":2725,"nodeType":247},{},[2724],{"type":401},"Jira",{"data":2727,"marks":2728,"value":2729,"nodeType":247},{},[]," attacks earlier this year to see how attackers harness stolen credentials at scale. ",{"data":2731,"content":2732,"nodeType":243},{},[2733,2737,2746],{"data":2734,"marks":2735,"value":2736,"nodeType":247},{},[],"With the modern enterprise using hundreds of apps, the likelihood that an app hasn’t been configured for mandatory MFA (if possible) is high. And even when an app has been configured for SSO and connected to your primary corporate identity, ",{"data":2738,"content":2740,"nodeType":393},{"uri":2739},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=sidebar",[2741],{"data":2742,"marks":2743,"value":2745,"nodeType":247},{},[2744],{"type":401},"local “ghost logins” can continue to exist",{"data":2747,"marks":2748,"value":2749,"nodeType":247},{},[],", accepting passwords with no MFA required. Just having visibility of your primary Identity Provider accounts (e.g. Google, Microsoft, Okta) and SSO-connected apps doesn't give you a full picture of your identity surface.",{"data":2751,"content":2752,"nodeType":243},{},[2753],{"data":2754,"marks":2755,"value":2756,"nodeType":247},{},[],"Logins can also be observed in the browser — in fact, it’s as close to a universal source of truth as you’re going to get about how your employees are actually logging in, which apps they’re using, and whether MFA is present, enabling security teams to find and fix vulnerable logins before they can be exploited by attackers. ",{"data":2758,"content":2759,"nodeType":288},{},[],{"data":2761,"content":2762,"nodeType":292},{},[2763],{"data":2764,"marks":2765,"value":2767,"nodeType":247},{},[2766],{"type":269},"Conclusion",{"data":2769,"content":2770,"nodeType":243},{},[2771],{"data":2772,"marks":2773,"value":2774,"nodeType":247},{},[],"Attacks are increasingly happening in the browser. That makes it the perfect place to detect and respond to these attacks. But right now, the browser is a blind-spot for most security teams. ",{"data":2776,"content":2777,"nodeType":243},{},[2778],{"data":2779,"marks":2780,"value":2781,"nodeType":247},{},[],"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",{"data":2783,"content":2784,"nodeType":243},{},[2785,2789,2797],{"data":2786,"marks":2787,"value":2788,"nodeType":247},{},[],"If you want to learn more about how Push helps you to detect and stop attacks in the browser, ",{"data":2790,"content":2792,"nodeType":393},{"uri":2791},"https://pushsecurity.com/demo?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[2793],{"data":2794,"marks":2795,"value":818,"nodeType":247},{},[2796],{"type":401},{"data":2798,"marks":2799,"value":823,"nodeType":247},{},[],"6 browser-based attacks every security team should be prepared for","What security teams need to know about the browser-based attack techniques that are the leading cause of breaches.","2025-09-05T00:00:00.000Z","6-browser-based-attacks-every-security-team-should-be-prepared-for",{"items":2805},[2806,2808],{"sys":2807,"name":1503},{"id":1502},{"sys":2809,"name":1507},{"id":1506},{"items":2811},[2812],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":2813},{"url":236},"the-most-advanced-clickfix-yet","blog/the-most-advanced-clickfix-yet",{"json":2817},{"data":2818,"content":2819,"nodeType":239},{},[2820],{"data":2821,"content":2822,"nodeType":243},{},[2823],{"data":2824,"marks":2825,"value":2826,"nodeType":247},{},[],"Breaking down the most sophisticated ClickFix page we’ve seen in the wild — and what it tells us about the future of malicious copy-and-paste attacks. ",{"id":2828,"publishedAt":2829},"7rVNBW6rYXnXMpI0JEwzgR","2025-11-06T10:00:13.092Z",{"items":2831},[2832,2834],{"sys":2833,"name":1507},{"id":1506},{"sys":2835,"name":1503},{"id":1502},"1qHzuOh-OJsJZPLCM8emLRhaMcKcIfublQzLk3GrSiY",1784196718394]