[{"data":1,"prerenderedAt":2550},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/what-the-expansion-of-nydfs-nycrr-part-500-means-for-mfa-compliance":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":867,"faqItemsCollection":868,"faqTitle":62,"featured":6,"hashTags":62,"meta":870,"metaTitle":871,"ogImage":62,"publishedDate":872,"relatedBlogPostsCollection":873,"slug":2524,"stem":2525,"subtitle":62,"summary":2526,"synopsis":2537,"sys":2538,"tagsCollection":2541,"__hash__":2549},"blog/blog/what-the-expansion-of-nydfs-nycrr-part-500-means-for-mfa-compliance.json","What the expansion of NYCRR Part 500 means for MFA regulation and compliance",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Mark Orlando","Mark","Field CTO",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/592PMwIQQFaa24k5SKBEKF/a33090d0ad95d1e3081f5d16a46ba826/image__68_.png",{"json":238,"links":832},{"data":239,"content":240,"nodeType":831},{},[241,265,272,279,350,396,405,412,416,426,433,481,502,509,512,520,527,560,567,575,578,586,595,602,609,617,624,631,639,646,666,672,675,683,690,710,717,724,727,735,742,749,756,763,769,772,780,787,820,825],{"data":242,"content":243,"nodeType":264},{},[244,249,260],{"data":245,"marks":246,"value":247,"nodeType":248},{},[],"The ","text",{"data":250,"content":252,"nodeType":259},{"uri":251},"https://therecord.media/auto-insurance-companies-fined-ny-state-pre-fill-data-breaches",[253],{"data":254,"marks":255,"value":258,"nodeType":248},{},[256],{"type":257},"underline","latest regulatory enforcement","hyperlink",{"data":261,"marks":262,"value":263,"nodeType":248},{},[]," from NYDFS resulted in a total of $14.2m in fines across 8 insurance providers following data breaches that exposed the private information of more than 825,000 people, due to vulnerabilities affecting both its consumer-facing and internal quoting tools. ","paragraph",{"data":266,"content":267,"nodeType":264},{},[268],{"data":269,"marks":270,"value":271,"nodeType":248},{},[],"Several of the companies did not have multi-factor authentication in place for insurance agents who used the private version of the tool. ",{"data":273,"content":274,"nodeType":264},{},[275],{"data":276,"marks":277,"value":278,"nodeType":248},{},[],"This isn’t the first time that NYDFS has issued fines for missing MFA. NYDFS fined:",{"data":280,"content":281,"nodeType":349},{},[282,305,327],{"data":283,"content":284,"nodeType":304},{},[285],{"data":286,"content":287,"nodeType":264},{},[288,291,300],{"data":289,"marks":290,"value":29,"nodeType":248},{},[],{"data":292,"content":294,"nodeType":259},{"uri":293},"https://therecord.media/new-york-fines-auto-insurers-11-million-leaked-data",[295],{"data":296,"marks":297,"value":299,"nodeType":248},{},[298],{"type":257},"Travelers Insurance",{"data":301,"marks":302,"value":303,"nodeType":248},{},[]," $1.55m for failing to enforce MFA on its system used by insurance agents.","list-item",{"data":306,"content":307,"nodeType":304},{},[308],{"data":309,"content":310,"nodeType":264},{},[311,314,323],{"data":312,"marks":313,"value":29,"nodeType":248},{},[],{"data":315,"content":317,"nodeType":259},{"uri":316},"https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202104141",[318],{"data":319,"marks":320,"value":322,"nodeType":248},{},[321],{"type":257},"National Securities Corporation",{"data":324,"marks":325,"value":326,"nodeType":248},{},[]," $3m for failing to implement MFA.",{"data":328,"content":329,"nodeType":304},{},[330],{"data":331,"content":332,"nodeType":264},{},[333,336,345],{"data":334,"marks":335,"value":29,"nodeType":248},{},[],{"data":337,"content":339,"nodeType":259},{"uri":338},"https://www.dfs.ny.gov/system/files/documents/2023/05/ea20230524_co_onemain.pdf",[340],{"data":341,"marks":342,"value":344,"nodeType":248},{},[343],{"type":257},"OneMain Financial",{"data":346,"marks":347,"value":348,"nodeType":248},{},[]," $4.2m for working with third-party service providers that did not enforce MFA.","unordered-list",{"data":351,"content":352,"nodeType":264},{},[353,357,366,370,379,383,392],{"data":354,"marks":355,"value":356,"nodeType":248},{},[],"NYDFS is not alone in issuing enforcements for missing MFA. Fines levied under ",{"data":358,"content":360,"nodeType":259},{"uri":359},"https://compliancy-group.com/childrens-hospital-colorado-fined-by-ocr/",[361],{"data":362,"marks":363,"value":365,"nodeType":248},{},[364],{"type":257},"HIPAA",{"data":367,"marks":368,"value":369,"nodeType":248},{},[]," and ",{"data":371,"content":373,"nodeType":259},{"uri":372},"https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/03/software-provider-fined-3m-following-2022-ransomware-attack/",[374],{"data":375,"marks":376,"value":378,"nodeType":248},{},[377],{"type":257},"GDPR",{"data":380,"marks":381,"value":382,"nodeType":248},{},[]," have also penalised MFA gaps. There are also recent examples of ",{"data":384,"content":386,"nodeType":259},{"uri":385},"https://www.cbc.ca/news/canada/hamilton/cybersecurity-breach-1.7597713",[387],{"data":388,"marks":389,"value":391,"nodeType":248},{},[390],{"type":257},"insurance claim denial",{"data":393,"marks":394,"value":395,"nodeType":248},{},[]," due to the lack of MFA. ",{"data":397,"content":403,"nodeType":404},{"target":398},{"sys":399},{"id":400,"type":401,"linkType":402},"29fhgKLvjD3OJfJF1ZgC5g","Link","Entry",[],"embedded-entry-block",{"data":406,"content":407,"nodeType":264},{},[408],{"data":409,"marks":410,"value":411,"nodeType":248},{},[],"This serves as the backdrop for upcoming changes to NYCRR Part 500 that will further tighten the requirements around MFA and asset inventory procedures. ",{"data":413,"content":414,"nodeType":415},{},[],"hr",{"data":417,"content":418,"nodeType":425},{},[419],{"data":420,"marks":421,"value":424,"nodeType":248},{},[422],{"type":423},"bold","How NYCRR Part 500 is getting stricter on MFA","heading-1",{"data":427,"content":428,"nodeType":264},{},[429],{"data":430,"marks":431,"value":432,"nodeType":248},{},[],"As demonstrated by the enforcements relating to MFA gaps, NYCRR Part 500 is already quite strict on its MFA requirements. Section 500.12 mandates MFA for:",{"data":434,"content":435,"nodeType":349},{},[436,451,466],{"data":437,"content":438,"nodeType":304},{},[439],{"data":440,"content":441,"nodeType":264},{},[442,447],{"data":443,"marks":444,"value":446,"nodeType":248},{},[445],{"type":423},"Remote access to internal systems:",{"data":448,"marks":449,"value":450,"nodeType":248},{},[]," Any user connecting from outside the organization’s network (e.g. over the internet or other external networks) must authenticate with MFA.",{"data":452,"content":453,"nodeType":304},{},[454],{"data":455,"content":456,"nodeType":264},{},[457,462],{"data":458,"marks":459,"value":461,"nodeType":248},{},[460],{"type":423},"Remote access to third-party or cloud applications holding non-public information: ",{"data":463,"marks":464,"value":465,"nodeType":248},{},[],"Covered entities must also use MFA for access to external applications (such as cloud services) that contain non-public Information. NYDFS explicitly considers platforms like Office 365, Google Workspace, Salesforce, AWS/Azure cloud resources, fintech or AI platforms, and any other third-party service provider systems that handle the company’s data as part of a firm’s “internal network”.",{"data":467,"content":468,"nodeType":304},{},[469],{"data":470,"content":471,"nodeType":264},{},[472,477],{"data":473,"marks":474,"value":476,"nodeType":248},{},[475],{"type":423},"Privileged accounts: ",{"data":478,"marks":479,"value":480,"nodeType":248},{},[],"MFA is required for all privileged accounts (administrative or elevated privilege accounts) to prevent unauthorized use. ",{"data":482,"content":483,"nodeType":264},{},[484,488,493,497],{"data":485,"marks":486,"value":487,"nodeType":248},{},[],"The changes coming into place on November 1st broaden the scope of MFA to ",{"data":489,"marks":490,"value":492,"nodeType":248},{},[491],{"type":423},"all access",{"data":494,"marks":495,"value":496,"nodeType":248},{},[],": covered entities must require multi-factor authentication for any individual accessing any of the entity’s information systems, regardless of user type, location, or the sensitivity of the system. In other words, ",{"data":498,"marks":499,"value":501,"nodeType":248},{},[500],{"type":423},"MFA is no longer limited to remote logins or systems containing non-public information – it now applies enterprise-wide, even for internal or on-premises access and for systems that may not hold sensitive data.",{"data":503,"content":504,"nodeType":264},{},[505],{"data":506,"marks":507,"value":508,"nodeType":248},{},[],"The newly introduced requirement for a maintained and periodically reviewed asset inventory of all information systems also directly impacts the scope of MFA enforcement. NYDFS has consistently included outsourced, third-party, and cloud applications services used by an organization within its scope.",{"data":510,"content":511,"nodeType":415},{},[],{"data":513,"content":514,"nodeType":425},{},[515],{"data":516,"marks":517,"value":519,"nodeType":248},{},[518],{"type":423},"What this means for compliance",{"data":521,"content":522,"nodeType":264},{},[523],{"data":524,"marks":525,"value":526,"nodeType":248},{},[],"To be able to maintain compliance with NYCRR Part 500, organizations must:",{"data":528,"content":529,"nodeType":349},{},[530,540,550],{"data":531,"content":532,"nodeType":304},{},[533],{"data":534,"content":535,"nodeType":264},{},[536],{"data":537,"marks":538,"value":539,"nodeType":248},{},[],"Inventory all apps and services that are accessed over the internet.",{"data":541,"content":542,"nodeType":304},{},[543],{"data":544,"content":545,"nodeType":264},{},[546],{"data":547,"marks":548,"value":549,"nodeType":248},{},[],"Achieve MFA compliance across all apps. ",{"data":551,"content":552,"nodeType":304},{},[553],{"data":554,"content":555,"nodeType":264},{},[556],{"data":557,"marks":558,"value":559,"nodeType":248},{},[],"Regularly demonstrate an up-to-date app inventory and MFA coverage. ",{"data":561,"content":562,"nodeType":264},{},[563],{"data":564,"marks":565,"value":566,"nodeType":248},{},[],"If this cannot be achieved or a breach occurs that demonstrates inadequate visibility or coverage, precedent indicates that regulatory enforcement will follow. ",{"data":568,"content":569,"nodeType":264},{},[570],{"data":571,"marks":572,"value":574,"nodeType":248},{},[573],{"type":423},"Unfortunately, this is easier said than done for most organizations. ",{"data":576,"content":577,"nodeType":415},{},[],{"data":579,"content":580,"nodeType":425},{},[581],{"data":582,"marks":583,"value":585,"nodeType":248},{},[584],{"type":423},"Why is this a problem?",{"data":587,"content":588,"nodeType":594},{},[589],{"data":590,"marks":591,"value":593,"nodeType":248},{},[592],{"type":423},"App sprawl and shadow SaaS","heading-2",{"data":596,"content":597,"nodeType":264},{},[598],{"data":599,"marks":600,"value":601,"nodeType":248},{},[],"Most organizations now use hundreds of SaaS applications, which translates into thousands of sprawling user identities, login methods, and ways to access company systems and data. True MFA coverage expands beyond your centrally managed, SSO-connected apps or your primary enterprise login to any and every app used by your employees for work.",{"data":603,"content":604,"nodeType":264},{},[605],{"data":606,"marks":607,"value":608,"nodeType":248},{},[],"But with many apps not directly managed by IT or properly onboarded, it’s all too common for shadow apps to sit outside the scope of typical audits — but inside the reach of attackers.",{"data":610,"content":611,"nodeType":594},{},[612],{"data":613,"marks":614,"value":616,"nodeType":248},{},[615],{"type":423},"Configuration challenges",{"data":618,"content":619,"nodeType":264},{},[620],{"data":621,"marks":622,"value":623,"nodeType":248},{},[],"Even when apps are known about, each app is built differently. Design choices can have a big impact on how authentication and account management is handled. This leads to situations where, for example, apps allow simultaneous login methods, don’t provide admin-level controls to enforce MFA, or allow account config changes on behalf of users in your app tenant.",{"data":625,"content":626,"nodeType":264},{},[627],{"data":628,"marks":629,"value":630,"nodeType":248},{},[],"This isn’t just an app sprawl problem either — even when it comes to core environments the complexities of configuration can lead to coverage gaps. Anyone that’s had to manage group policy in Microsoft, for example, can attest to how convoluted and error-prone this is. ",{"data":632,"content":633,"nodeType":594},{},[634],{"data":635,"marks":636,"value":638,"nodeType":248},{},[637],{"type":423},"Ghost logins",{"data":640,"content":641,"nodeType":264},{},[642],{"data":643,"marks":644,"value":645,"nodeType":248},{},[],"When an app is first used, particularly if self-adopted, a username and password is typically created. Even when an SSO login is created, it’s usually added on top of password authentication instead of replacing it. And unless specifically disabled or removed, these password-based login methods can continue to be used. ",{"data":647,"content":648,"nodeType":264},{},[649,653,662],{"data":650,"marks":651,"value":652,"nodeType":248},{},[],"Because most organizations rely on configuring MFA at their IdP login, local logins without MFA can go unnoticed. These “ghost logins” can lead to unexpected MFA gaps that leave accounts exposed. According to Push data, ",{"data":654,"content":656,"nodeType":259},{"uri":655},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[657],{"data":658,"marks":659,"value":661,"nodeType":248},{},[660],{"type":257},"2 in 5 accounts are missing MFA",{"data":663,"marks":664,"value":665,"nodeType":248},{},[],", and many also have a password vulnerability (such as appearing in a password breach or compromised credential feed) that means they’re sitting ducks for an attacker, waiting to be exploited.",{"data":667,"content":671,"nodeType":404},{"target":668},{"sys":669},{"id":670,"type":401,"linkType":402},"3ZLHFb7DD3Q3f8oH5f3l9X",[],{"data":673,"content":674,"nodeType":415},{},[],{"data":676,"content":677,"nodeType":425},{},[678],{"data":679,"marks":680,"value":682,"nodeType":248},{},[681],{"type":423},"The future of compliance",{"data":684,"content":685,"nodeType":264},{},[686],{"data":687,"marks":688,"value":689,"nodeType":248},{},[],"NYDFS is leading the way in terms of its stance on MFA and understanding of the modern, decentralized, SaaS-centric IT landscape. But they’re not alone, and other regulators will follow suit as breaches continue to dominate the headlines. ",{"data":691,"content":692,"nodeType":264},{},[693,697,706],{"data":694,"marks":695,"value":696,"nodeType":248},{},[],"It can take a while for a major breach to translate into regulatory enforcement. ",{"data":698,"content":700,"nodeType":259},{"uri":699},"https://pushsecurity.com/blog/snowflake-retro/",[701],{"data":702,"marks":703,"value":705,"nodeType":248},{},[704],{"type":257},"2024’s Snowflake breaches",{"data":707,"marks":708,"value":709,"nodeType":248},{},[]," are a great example of this. Attackers exploited widespread MFA gaps to log into customer Snowflake tenants and steal hundreds of millions of customer records. This was made worse by the fact that the credentials used to access these accounts were found in infostealer credential dumps dating back to 2020 — just sitting around waiting for attackers to exploit them. ",{"data":711,"content":712,"nodeType":264},{},[713],{"data":714,"marks":715,"value":716,"nodeType":248},{},[],"In the wake of Snowflake, multiple regulatory bodies have yet to make a judgement. The Spanish data protection authority (AEPD), the U.S. FCC, FTC, and various state data protection authorities all have investigations ongoing, with class action lawsuits also taking place against many of the impacted businesses. ",{"data":718,"content":719,"nodeType":264},{},[720],{"data":721,"marks":722,"value":723,"nodeType":248},{},[],"As we’ve seen with NYDFS’s post-breach enforcement, even if you think you’ve complied by rolling out MFA at the application level, but still have vulnerable accounts, you will be penalised in the event of a breach. This is why a policy or control based view of MFA compliance is no longer sufficient — you need to be able to audit and validate MFA configuration at the account level.",{"data":725,"content":726,"nodeType":415},{},[],{"data":728,"content":729,"nodeType":425},{},[730],{"data":731,"marks":732,"value":734,"nodeType":248},{},[733],{"type":423},"How Push Security can help",{"data":736,"content":737,"nodeType":264},{},[738],{"data":739,"marks":740,"value":741,"nodeType":248},{},[],"Push Security’s browser-based security platform observes logins directly in employee browsers, building a comprehensive picture of user identities and login methods across every app.",{"data":743,"content":744,"nodeType":264},{},[745],{"data":746,"marks":747,"value":748,"nodeType":248},{},[],"Push shows you every app your employees are using (even the unmanaged ones you don’t know about), providing detailed information about how users are logging in, and where vulnerabilities exist. This includes accounts missing MFA, where users are logging in with a username and password over SSO, and where a user’s password has appeared in a compromised credential feed. You can also use Push to deliver in-browser guidance to users to prompt them to remediate insecure logins.",{"data":750,"content":751,"nodeType":264},{},[752],{"data":753,"marks":754,"value":755,"nodeType":248},{},[],"With Push, you can build a full picture of your app estate and MFA posture down to the individual account level, with real-time, continuous monitoring of identities to catch and course-correct any drift that could be exploited by attackers — helping you to achieve and maintain compliance with regulations like NYCRR Part 500.",{"data":757,"content":758,"nodeType":264},{},[759],{"data":760,"marks":761,"value":762,"nodeType":248},{},[],"Check out the video below for more information.",{"data":764,"content":768,"nodeType":404},{"target":765},{"sys":766},{"id":767,"type":401,"linkType":402},"1axELRNRyXglrf81FEkDhb",[],{"data":770,"content":771,"nodeType":415},{},[],{"data":773,"content":774,"nodeType":425},{},[775],{"data":776,"marks":777,"value":779,"nodeType":248},{},[778],{"type":423},"Learn more",{"data":781,"content":782,"nodeType":264},{},[783],{"data":784,"marks":785,"value":786,"nodeType":248},{},[],"This isn’t all we do: Push’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong — you can also use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your identity attack surface.",{"data":788,"content":789,"nodeType":264},{},[790,794,803,807,816],{"data":791,"marks":792,"value":793,"nodeType":248},{},[],"To learn more about Push, ",{"data":795,"content":797,"nodeType":259},{"uri":796},"https://pushsecurity.com/resources/product-brochure",[798],{"data":799,"marks":800,"value":802,"nodeType":248},{},[801],{"type":257},"check out our latest product overview",{"data":804,"marks":805,"value":806,"nodeType":248},{},[]," or ",{"data":808,"content":810,"nodeType":259},{"uri":809},"https://pushsecurity.com/demo",[811],{"data":812,"marks":813,"value":815,"nodeType":248},{},[814],{"type":257},"book some time with one of our team for a live demo",{"data":817,"marks":818,"value":819,"nodeType":248},{},[],".",{"data":821,"content":824,"nodeType":404},{"target":822},{"sys":823},{"id":400,"type":401,"linkType":402},[],{"data":826,"content":827,"nodeType":264},{},[828],{"data":829,"marks":830,"value":29,"nodeType":248},{},[],"document",{"entries":833},{"hyperlink":834,"inline":835,"block":836},[],[],[837,845,861],{"sys":838,"__typename":839,"type":840,"ctaText":841,"buttonLabel":842,"buttonColour":843,"buttonUrl":844},{"id":400},"CtaWidget","Custom","Read our whitepaper for more information on the state of MFA regulation and compliance.","Download Now","sunny orange","https://pushsecurity.com/resources/mfa-regulation-compliance",{"sys":846,"__typename":847,"content":848,"name":860,"title":62},{"id":670},"InsightTextBlockComponent",{"json":849},{"nodeType":831,"data":850,"content":851},{},[852],{"nodeType":264,"data":853,"content":854},{},[855],{"nodeType":248,"value":856,"marks":857,"data":859},"So even if you think you’ve configured MFA for a given app, or that all employees log in via SSO, the reality can be way different. It’s tempting to think of MFA as binary: enabled or not. The reality is that MFA needs to be enabled and validated across every app and login. This is no small task. ",[858],{"type":423},{},"NYDFS blog insight box 1",{"sys":862,"__typename":863,"title":864,"arcadeDemoUrl":865,"playText":866},{"id":767},"ArcadeDemo","Find and close MFA gaps with Push Security","https://demo.arcade.software/qEDIGb9n7EEPCWFntm56?embed","2 mins","json",{"items":869},[],{},"What the expansion of NYCRR 500 means for MFA regulation","2025-10-31T00:00:00.000Z",{"items":874},[875,1387,2061],{"__typename":876,"sys":877,"content":879,"title":1369,"synopsis":1370,"hashTags":62,"publishedDate":1371,"slug":1372,"tagsCollection":1373,"authorsCollection":1383},"BlogPosts",{"id":878},"6jYmU1ROpwI41mmzk7ioKd",{"json":880},{"nodeType":831,"data":881,"content":882},{},[883,890,897,900,907,942,954,979,986,989,996,1003,1010,1016,1023,1055,1061,1068,1088,1094,1101,1107,1110,1117,1154,1161,1204,1211,1217,1224,1231,1234,1241,1248,1255,1275,1281,1288,1295,1302,1308,1315,1321,1324,1331,1338,1345],{"nodeType":264,"data":884,"content":885},{},[886],{"nodeType":248,"value":887,"marks":888,"data":889},"After more than two decades in cybersecurity, I’ve witnessed the evolution (and at times, devolution) of detection and response capabilities. I’ve sat in countless SOCs watching analysts drown in a sea of alerts, spent hours chasing false positives, and seen talented security professionals burn out from the relentless noise of low-fidelity detection systems. ",[],{},{"nodeType":264,"data":891,"content":892},{},[893],{"nodeType":248,"value":894,"marks":895,"data":896},"It’s a problem that’s reached crisis proportions, and it’s exactly why our approach to browser security represents not just a technological shift, but a philosophical one.",[],{},{"nodeType":415,"data":898,"content":899},{},[],{"nodeType":425,"data":901,"content":902},{},[903],{"nodeType":248,"value":904,"marks":905,"data":906},"The alert fatigue epidemic",[],{},{"nodeType":264,"data":908,"content":909},{},[910,914,920,924,929,933,938],{"nodeType":248,"value":911,"marks":912,"data":913},"Early in my career, getting ",[],{},{"nodeType":248,"value":915,"marks":916,"data":919},"any",[917],{"type":918},"italic",{},{"nodeType":248,"value":921,"marks":922,"data":923}," alert felt like a victory. We were flying blind outside of our small windows of network traffic. But as the industry matured, something troubling happened: we began equating ",[],{},{"nodeType":248,"value":925,"marks":926,"data":928},"volume",[927],{"type":423},{},{"nodeType":248,"value":930,"marks":931,"data":932}," with ",[],{},{"nodeType":248,"value":934,"marks":935,"data":937},"value",[936],{"type":423},{},{"nodeType":248,"value":939,"marks":940,"data":941},". Vendors started competing on how many alerts they could generate, how much data they could collect, and how comprehensive their “visibility” could be. ",[],{},{"nodeType":264,"data":943,"content":944},{},[945,949],{"nodeType":248,"value":946,"marks":947,"data":948},"Security teams followed suit with operational metrics that captured how many alerts they’d resolved, how many “attacks” they’d stopped, and how many tickets they’d opened and closed in a given work cycle. But as many teams have now realized, ",[],{},{"nodeType":248,"value":950,"marks":951,"data":953},"volume is a vanity metric; fidelity is what keeps you safe.",[952],{"type":423},{},{"nodeType":264,"data":955,"content":956},{},[957,961,970,974],{"nodeType":248,"value":958,"marks":959,"data":960},"In my course on ",[],{},{"nodeType":259,"data":962,"content":964},{"uri":963},"https://www.sans.org/cyber-security-courses/building-leading-security-operations-centers",[965],{"nodeType":248,"value":966,"marks":967,"data":969},"Building and Leading Security Operations teams",[968],{"type":257},{},{"nodeType":248,"value":971,"marks":972,"data":973},", we discuss the importance of analytic outcomes and addressing ineffective alerts to continuously improve fidelity. My students often find it hard to believe how much time and effort it takes to audit alert quality and implement continuous improvements on a large scale. This isn’t just an operational problem — it’s an existential threat to effective security. ",[],{},{"nodeType":248,"value":975,"marks":976,"data":978},"When everything is an alert, nothing is. ",[977],{"type":423},{},{"nodeType":264,"data":980,"content":981},{},[982],{"nodeType":248,"value":983,"marks":984,"data":985},"And while we have been busy focusing on more (and occasionally, better) detections at the endpoint and network layers, attackers have shifted to infrastructure that isn’t as well-instrumented: SaaS and the browser.",[],{},{"nodeType":415,"data":987,"content":988},{},[],{"nodeType":425,"data":990,"content":991},{},[992],{"nodeType":248,"value":993,"marks":994,"data":995},"The browser: a new frontier in detection and response",[],{},{"nodeType":264,"data":997,"content":998},{},[999],{"nodeType":248,"value":1000,"marks":1001,"data":1002},"Today, the browser is the place where most cyber attacks happen. It’s where users interact with the applications that your business runs on, handle sensitive data, and unfortunately, where they encounter sophisticated phishing campaigns, credential harvesting attacks, and malicious downloads. ",[],{},{"nodeType":264,"data":1004,"content":1005},{},[1006],{"nodeType":248,"value":1007,"marks":1008,"data":1009},"Yet for most security teams, the browser remains a black box, obscured from the view from the network and the endpoint. Even worse, attack models often applied to detection engineering for endpoint or network-centric threats don’t really apply; modern identity attacks skip entire phases of the attack chain, eliminating many detection opportunities along the way. The modern attack path doesn’t need to touch the endpoint or your network at all — it can happen entirely over the internet. ",[],{},{"nodeType":404,"data":1011,"content":1015},{"target":1012},{"sys":1013},{"id":1014,"type":401,"linkType":402},"4wYYgbKmmVAZTF7niXJEGc",[],{"nodeType":594,"data":1017,"content":1018},{},[1019],{"nodeType":248,"value":1020,"marks":1021,"data":1022},"Attackers are exploiting the detection gap",[],{},{"nodeType":264,"data":1024,"content":1025},{},[1026,1030,1038,1042,1051],{"nodeType":248,"value":1027,"marks":1028,"data":1029},"You only need to look at in-the-wild breaches such as last year’s ",[],{},{"nodeType":259,"data":1031,"content":1032},{"uri":699},[1033],{"nodeType":248,"value":1034,"marks":1035,"data":1037},"Snowflake",[1036],{"type":257},{},{"nodeType":248,"value":1039,"marks":1040,"data":1041}," attacks, or the recent ",[],{},{"nodeType":259,"data":1043,"content":1045},{"uri":1044},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[1046],{"nodeType":248,"value":1047,"marks":1048,"data":1050},"Salesforce",[1049],{"type":257},{},{"nodeType":248,"value":1052,"marks":1053,"data":1054}," breaches to see the impact that attackers can have by executing attacks entirely over the internet, without touching traditional network devices or user endpoints. ",[],{},{"nodeType":404,"data":1056,"content":1060},{"target":1057},{"sys":1058},{"id":1059,"type":401,"linkType":402},"VfTps3SGKJDlhFcmh42d9",[],{"nodeType":264,"data":1062,"content":1063},{},[1064],{"nodeType":248,"value":1065,"marks":1066,"data":1067},"But even in the context of more “conventional” attacks (e.g. the classic route of compromising an endpoint, moving laterally through an environment, taking control of a domain, and deploying ransomware), most of the time, these attacks begin in the browser with identities and cloud apps rather than exploit-driven initial access — such as with the recent attacks on Marks & Spencer, Co-op, and Jaguar Land Rover. ",[],{},{"nodeType":264,"data":1069,"content":1070},{},[1071,1075,1084],{"nodeType":248,"value":1072,"marks":1073,"data":1074},"While the ",[],{},{"nodeType":259,"data":1076,"content":1078},{"uri":1077},"https://cloud.google.com/security/resources/insights/targeted-attack-lifecycle",[1079],{"nodeType":248,"value":1080,"marks":1081,"data":1083},"attack cycle",[1082],{"type":257},{},{"nodeType":248,"value":1085,"marks":1086,"data":1087}," and similar mental models are valuable for planning in-depth detections of sophisticated, multi-stage attacks, focusing too heavily on them can lead to overlooked scenarios. These high-profile incidents have demonstrated the opportunity cost of neglecting visibility into attacks that don't perfectly align with these models. ",[],{},{"nodeType":404,"data":1089,"content":1093},{"target":1090},{"sys":1091},{"id":1092,"type":401,"linkType":402},"3TsKtoWuxQMFl1xd3w1j86",[],{"nodeType":264,"data":1095,"content":1096},{},[1097],{"nodeType":248,"value":1098,"marks":1099,"data":1100},"Just as endpoint detection and response revolutionized host-based security by providing visibility and control directly at the point of attack, browser-based security platforms can do the same for web-borne threats. It’s an important addition to the detection and response stack that illuminates a “missing middle” in modern attack investigations, and intervenes in real time, much like traditional EDR did for the endpoint years ago.",[],{},{"nodeType":404,"data":1102,"content":1106},{"target":1103},{"sys":1104},{"id":1105,"type":401,"linkType":402},"1eCXGC6U6SdzHmOH1gv24O",[],{"nodeType":415,"data":1108,"content":1109},{},[],{"nodeType":425,"data":1111,"content":1112},{},[1113],{"nodeType":248,"value":1114,"marks":1115,"data":1116},"High-fidelity detection: quality over quantity",[],{},{"nodeType":264,"data":1118,"content":1119},{},[1120,1124,1132,1136,1141,1145,1150],{"nodeType":248,"value":1121,"marks":1122,"data":1123},"Our ",[],{},{"nodeType":259,"data":1125,"content":1127},{"uri":1126},"https://pushsecurity.com/blog/our-design-philosophy-detecting-what-matters/",[1128],{"nodeType":248,"value":1129,"marks":1130,"data":1131},"design philosophy",[],{},{"nodeType":248,"value":1133,"marks":1134,"data":1135}," centers on a principle often overlooked in the security industry: prioritizing actionable problems for security teams. This involves differentiating between \"",[],{},{"nodeType":248,"value":1137,"marks":1138,"data":1140},"events",[1139],{"type":423},{},{"nodeType":248,"value":1142,"marks":1143,"data":1144},"\" – environment data that may or may not be useful – and \"",[],{},{"nodeType":248,"value":1146,"marks":1147,"data":1149},"detections",[1148],{"type":423},{},{"nodeType":248,"value":1151,"marks":1152,"data":1153},"\" – high-fidelity, actionable signals with a negligible false positive rate. We also empower our customers with the ability to intervene in real-time when there are high-confidence indicators of an attack. We focus on detecting not atomic indicators, but on attacker tooling and behaviors.",[],{},{"nodeType":264,"data":1155,"content":1156},{},[1157],{"nodeType":248,"value":1158,"marks":1159,"data":1160},"Compare this to traditional approaches that might generate alerts for:",[],{},{"nodeType":349,"data":1162,"content":1163},{},[1164,1174,1184,1194],{"nodeType":304,"data":1165,"content":1166},{},[1167],{"nodeType":264,"data":1168,"content":1169},{},[1170],{"nodeType":248,"value":1171,"marks":1172,"data":1173},"Visiting domains with low reputation scores (but not necessarily malicious)",[],{},{"nodeType":304,"data":1175,"content":1176},{},[1177],{"nodeType":264,"data":1178,"content":1179},{},[1180],{"nodeType":248,"value":1181,"marks":1182,"data":1183},"Downloading files that match certain heuristics (but may be legitimate)",[],{},{"nodeType":304,"data":1185,"content":1186},{},[1187],{"nodeType":264,"data":1188,"content":1189},{},[1190],{"nodeType":248,"value":1191,"marks":1192,"data":1193},"Accessing new web applications (that may be approved, or tacitly allowed, shadow IT)",[],{},{"nodeType":304,"data":1195,"content":1196},{},[1197],{"nodeType":264,"data":1198,"content":1199},{},[1200],{"nodeType":248,"value":1201,"marks":1202,"data":1203},"Employee usernames, passwords, and email addresses for sale on the dark web (which may no longer be valid)",[],{},{"nodeType":264,"data":1205,"content":1206},{},[1207],{"nodeType":248,"value":1208,"marks":1209,"data":1210},"These low-fidelity alerts create work without providing solutions. They force analysts to become investigators rather than responders, spending precious time determining whether an alert represents a genuine threat rather than focusing on mitigation and recovery. ",[],{},{"nodeType":404,"data":1212,"content":1216},{"target":1213},{"sys":1214},{"id":1215,"type":401,"linkType":402},"4MydcqvHnWsziCOPUNC3YS",[],{"nodeType":264,"data":1218,"content":1219},{},[1220],{"nodeType":248,"value":1221,"marks":1222,"data":1223},"Poor quality detections also present an easy opportunity for security teams to commit a cardinal sin: disrupting users and business processes without a clear justification for doing so. User trust and support should always be treated as a finite resource, and every account locked, website blocked, and laptop reimaged chips away at that resource. ",[],{},{"nodeType":264,"data":1225,"content":1226},{},[1227],{"nodeType":248,"value":1228,"marks":1229,"data":1230},"Likewise, the more disruptive, the more likely users will look for ways around said controls. If your users are actively working against you, and feel you are preventing them from doing their jobs, they’ll always find new and unexpected ways around security blocks. ",[],{},{"nodeType":415,"data":1232,"content":1233},{},[],{"nodeType":425,"data":1235,"content":1236},{},[1237],{"nodeType":248,"value":1238,"marks":1239,"data":1240},"The SOC analyst's perspective",[],{},{"nodeType":264,"data":1242,"content":1243},{},[1244],{"nodeType":248,"value":1245,"marks":1246,"data":1247},"The most successful SOC analysts share a common trait: they’re extraordinarily good at quickly distinguishing signal from noise. But this skill shouldn’t be required! It’s a failure of our detection systems that we’re forcing human analysts to perform pattern matching that our technology should handle. ",[],{},{"nodeType":264,"data":1249,"content":1250},{},[1251],{"nodeType":248,"value":1252,"marks":1253,"data":1254},"But even for the most skilled analyst, it’s a tall order to ask your security team to also be experts in every cloud app your business relies on, making it even harder than normal to build context-driven alerts. Most of the time, the information required simply doesn't exist, with logs simply not available (generally, or at your product tier) or the work required to extract the logs and turn them into context-driven alerts hasn’t happened yet. If your team is under-resourced and drowning in low-fidelity alerts already, then realistically it might never happen. ",[],{},{"nodeType":264,"data":1256,"content":1257},{},[1258,1262,1271],{"nodeType":248,"value":1259,"marks":1260,"data":1261},"Effective browser security changes this dynamic. Instead of presenting analysts with hundreds of “suspicious web activity” alerts that require investigation, ",[],{},{"nodeType":259,"data":1263,"content":1265},{"uri":1264},"https://pushsecurity.com/blog/detecting-and-blocking-phishing-attacks-in-the-browser/",[1266],{"nodeType":248,"value":1267,"marks":1268,"data":1270},"our platform focuses on high-reliability indicators",[1269],{"type":257},{},{"nodeType":248,"value":1272,"marks":1273,"data":1274}," like whether a phishing kit was observed running on the page, or whether the page was cloned from a legitimate site. We even detect user behaviors that could indicate a risk in the context of a phishing attack, like when a user attempts to authenticate with credentials that have been previously used on another page — either a sign of credential reuse (bad) or a phishing attack (even worse) — at which point Push can be set to block the attack in real time. ",[],{},{"nodeType":404,"data":1276,"content":1280},{"target":1277},{"sys":1278},{"id":1279,"type":401,"linkType":402},"3998Iy2kp9MW0HFeqmo900",[],{"nodeType":594,"data":1282,"content":1283},{},[1284],{"nodeType":248,"value":1285,"marks":1286,"data":1287},"Browser security provides a new layer of protection, reducing the risk of breach",[],{},{"nodeType":264,"data":1289,"content":1290},{},[1291],{"nodeType":248,"value":1292,"marks":1293,"data":1294},"Attack detection has always been a cat-and-mouse game. For years, attackers have grappled with endpoint and network security vendors. And sometimes, the attackers win. The fact is that a lot of attacker innovation has gone into sandbox aware malware, breaking detection signatures, disabling security tools, and so on.    ",[],{},{"nodeType":264,"data":1296,"content":1297},{},[1298],{"nodeType":248,"value":1299,"marks":1300,"data":1301},"But with so many attacks now passing through the browser, defending it enables badness to be filtered out before it reaches the endpoint or network controls that attackers are looking to consciously evade. By preventing malware being delivered, or identities from being compromised, attacks otherwise crafted to evade traditional security controls can be intercepted early — making the crucial difference in whether a breach happens or not.",[],{},{"nodeType":404,"data":1303,"content":1307},{"target":1304},{"sys":1305},{"id":1306,"type":401,"linkType":402},"4Bh7uOkeguNJFmJ1XUQ317",[],{"nodeType":264,"data":1309,"content":1310},{},[1311],{"nodeType":248,"value":1312,"marks":1313,"data":1314},"And when it comes to the cloud-centric attacks that attackers are finding so much success with today, this is in effect a net new capability. ",[],{},{"nodeType":404,"data":1316,"content":1320},{"target":1317},{"sys":1318},{"id":1319,"type":401,"linkType":402},"4JdaY8I3f6Ub2Kifc9Rsj9",[],{"nodeType":415,"data":1322,"content":1323},{},[],{"nodeType":425,"data":1325,"content":1326},{},[1327],{"nodeType":248,"value":1328,"marks":1329,"data":1330},"Learn more about Push Security",[],{},{"nodeType":264,"data":1332,"content":1333},{},[1334],{"nodeType":248,"value":1335,"marks":1336,"data":1337},"The browser represents one of the most significant opportunities in cybersecurity today. As we continue to expand our browser-based security capabilities, we remain committed to this high-fidelity approach. We’re building features that not only detect and prevent attacks but also provide security teams with the rich telemetry they need to develop custom queries and detections.",[],{},{"nodeType":264,"data":1339,"content":1340},{},[1341],{"nodeType":248,"value":1342,"marks":1343,"data":1344},"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against techniques like AiTM phishing, credential stuffing, ClickFixing, malicious browser extensions, and session hijacking using stolen session tokens. You can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",[],{},{"nodeType":264,"data":1346,"content":1347},{},[1348,1351,1357,1360,1366],{"nodeType":248,"value":793,"marks":1349,"data":1350},[],{},{"nodeType":259,"data":1352,"content":1353},{"uri":796},[1354],{"nodeType":248,"value":802,"marks":1355,"data":1356},[],{},{"nodeType":248,"value":806,"marks":1358,"data":1359},[],{},{"nodeType":259,"data":1361,"content":1362},{"uri":809},[1363],{"nodeType":248,"value":815,"marks":1364,"data":1365},[],{},{"nodeType":248,"value":819,"marks":1367,"data":1368},[],{},"Fixing SecOps alert fatigue with browser telemetry","How browser data can improve detection fidelity and reduce alert fatigue, enabling SecOps teams to save time and detect more attacks.","2025-10-07T00:00:00.000Z","fixing-secops-alert-fatigue-with-browser-telemetry",{"items":1374},[1375,1379],{"sys":1376,"name":1378},{"id":1377},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"sys":1380,"name":1382},{"id":1381},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":1384},[1385],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":1386},{"url":236},{"__typename":876,"sys":1388,"content":1390,"title":2043,"synopsis":2044,"hashTags":62,"publishedDate":2045,"slug":2046,"tagsCollection":2047,"authorsCollection":2053},{"id":1389},"62Zyr35VUmijkpupWk3hoD",{"json":1391},{"data":1392,"content":1393,"nodeType":831},{},[1394,1410,1417,1420,1428,1435,1442,1461,1467,1474,1481,1488,1495,1498,1506,1513,1519,1526,1534,1541,1548,1554,1574,1580,1587,1594,1601,1607,1610,1618,1638,1645,1677,1684,1691,1697,1704,1711,1718,1721,1729,1748,1754,1761,1768,1774,1781,1788,1791,1799,1806,1826,1871,1878,1885,1892,1895,1903,1910,1917,1924,1927,1935,1942,1973,1993,2000,2003,2011,2018,2025],{"data":1395,"content":1396,"nodeType":264},{},[1397,1401,1406],{"data":1398,"marks":1399,"value":1400,"nodeType":248},{},[],"The view that \"the browser is the new endpoint\" and \"the new battleground for cyber attacks\" is becoming increasingly advocated by security leaders. But what does this ",{"data":1402,"marks":1403,"value":1405,"nodeType":248},{},[1404],{"type":918},"actually",{"data":1407,"marks":1408,"value":1409,"nodeType":248},{},[]," mean for security teams? ",{"data":1411,"content":1412,"nodeType":264},{},[1413],{"data":1414,"marks":1415,"value":1416,"nodeType":248},{},[],"In this article, we’re cutting out the jargon to explore what a browser-based attack is, and what’s required for effective detection and response. ",{"data":1418,"content":1419,"nodeType":415},{},[],{"data":1421,"content":1422,"nodeType":425},{},[1423],{"data":1424,"marks":1425,"value":1427,"nodeType":248},{},[1426],{"type":423},"What is the goal of a browser-based attack?   ",{"data":1429,"content":1430,"nodeType":264},{},[1431],{"data":1432,"marks":1433,"value":1434,"nodeType":248},{},[],"First, it’s important to establish what the point of a browser-based attack is.",{"data":1436,"content":1437,"nodeType":264},{},[1438],{"data":1439,"marks":1440,"value":1441,"nodeType":248},{},[],"In most scenarios, attackers don’t think of themselves as attacking your web browser. Their end-goal is to compromise your business apps and data. That means going after the third-party apps and services that are now the backbone of business IT — and therefore the top target for attackers. ",{"data":1443,"content":1444,"nodeType":264},{},[1445,1449,1457],{"data":1446,"marks":1447,"value":1448,"nodeType":248},{},[],"The most common attack path today sees attackers log into third-party services, dump the data, and monetize it through extortion. You need only look at last year’s ",{"data":1450,"content":1452,"nodeType":259},{"uri":1451},"https://pushsecurity.com/blog/snowflake-retro?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[1453],{"data":1454,"marks":1455,"value":1034,"nodeType":248},{},[1456],{"type":257},{"data":1458,"marks":1459,"value":1460,"nodeType":248},{},[]," customer breaches or the still-ongoing Salesforce attacks to see the impact.",{"data":1462,"content":1466,"nodeType":404},{"target":1463},{"sys":1464},{"id":1465,"type":401,"linkType":402},"5agrVXzEdwALmew2F5SPDp",[],{"data":1468,"content":1469,"nodeType":264},{},[1470],{"data":1471,"marks":1472,"value":1473,"nodeType":248},{},[],"The most logical way to do this is by targeting users of those apps. And because of the changes to working practices, your users are more accessible than ever to external attackers.",{"data":1475,"content":1476,"nodeType":264},{},[1477],{"data":1478,"marks":1479,"value":1480,"nodeType":248},{},[],"Once upon a time, email was the primary communication channel with the wider world, and work happened locally — on your device, and inside your locked-down network environment. This made email and the endpoint the highest priority from a security perspective. But now, with modern work happening across a network of decentralized internet apps, and more varied communication channels outside of email, it’s harder to stop users from interacting with malicious content (at least, without significantly impeding their ability to do their jobs).",{"data":1482,"content":1483,"nodeType":264},{},[1484],{"data":1485,"marks":1486,"value":1487,"nodeType":248},{},[],"Given that the browser is the place where business apps are accessed and used, it makes sense that attacks are increasingly playing out there too. ",{"data":1489,"content":1490,"nodeType":264},{},[1491],{"data":1492,"marks":1493,"value":1494,"nodeType":248},{},[],"With that covered off, let’s take a closer look at the most prevalent browser-based attack techniques being used by attackers in the wild today.",{"data":1496,"content":1497,"nodeType":415},{},[],{"data":1499,"content":1500,"nodeType":425},{},[1501],{"data":1502,"marks":1503,"value":1505,"nodeType":248},{},[1504],{"type":423},"The 6 key browser-based attacks that security teams need to know about",{"data":1507,"content":1508,"nodeType":264},{},[1509],{"data":1510,"marks":1511,"value":1512,"nodeType":248},{},[],"Attacks that target users in their web browsers have seen an unprecedented rise in recent years. ",{"data":1514,"content":1518,"nodeType":404},{"target":1515},{"sys":1516},{"id":1517,"type":401,"linkType":402},"4ogNqZdObSIJXavHP44lom",[],{"data":1520,"content":1521,"nodeType":264},{},[1522],{"data":1523,"marks":1524,"value":1525,"nodeType":248},{},[],"Here's our breakdown of the top 6 browser-based attacks that should be on every security team's radar right now. ",{"data":1527,"content":1528,"nodeType":594},{},[1529],{"data":1530,"marks":1531,"value":1533,"nodeType":248},{},[1532],{"type":423},"1. Phishing for credentials and sessions",{"data":1535,"content":1536,"nodeType":264},{},[1537],{"data":1538,"marks":1539,"value":1540,"nodeType":248},{},[],"The most direct way for an attacker to compromise a business application is to phish a user of that app. You might not necessarily think of phishing as a browser-based attack, but that’s exactly what it is today. ",{"data":1542,"content":1543,"nodeType":264},{},[1544],{"data":1545,"marks":1546,"value":1547,"nodeType":248},{},[],"Phishing tooling and infrastructure has evolved a lot in the past decade, while the changes to business IT means there are both many more vectors for phishing attack delivery, and apps and identities to target. Attackers can deliver links over instant messenger apps, social media, SMS, malicious ads, and using in-app messenger functionality, as well as sending emails directly from SaaS services to bypass email-based checks. Likewise, there are now hundreds of apps per enterprise to target, with varying levels of account security configuration. ",{"data":1549,"content":1553,"nodeType":404},{"target":1550},{"sys":1551},{"id":1552,"type":401,"linkType":402},"3SrKOgpedLMQRpKIZqUQur",[],{"data":1555,"content":1556,"nodeType":264},{},[1557,1561,1570],{"data":1558,"marks":1559,"value":1560,"nodeType":248},{},[],"Whereas phishing was once entirely focused on credential theft, modern phishing attacks see the attacker intercept the victim’s session on the target app, using reverse-proxy Attacker-in-the-Middle kits that are the standard choice for attackers today. This means most forms of MFA can be bypassed, with the exception of passkeys (though attackers are finding ways to work around passkeys using ",{"data":1562,"content":1564,"nodeType":259},{"uri":1563},"https://pushsecurity.com/blog/mfa-downgrade-attacks/?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[1565],{"data":1566,"marks":1567,"value":1569,"nodeType":248},{},[1568],{"type":257},"downgrade attacks",{"data":1571,"marks":1572,"value":1573,"nodeType":248},{},[],"). ",{"data":1575,"content":1579,"nodeType":404},{"target":1576},{"sys":1577},{"id":1578,"type":401,"linkType":402},"2sOFEdAwQZjWOGzNAlGavb",[],{"data":1581,"content":1582,"nodeType":264},{},[1583],{"data":1584,"marks":1585,"value":1586,"nodeType":248},{},[],"There are other key differences to be aware of too. Today, phishing operates on an industrial scale, using an array of obfuscation and detection evasion techniques. The latest generation of fully customized AitM phishing kits are dynamically obfuscating the code that loads the web page, implementing custom bot protection (e.g. CAPTCHA or Cloudflare Turnstile), using runtime anti-analysis features, and using legitimate SaaS and cloud services to host and deliver phishing links to cover their tracks.",{"data":1588,"content":1589,"nodeType":264},{},[1590],{"data":1591,"marks":1592,"value":1593,"nodeType":248},{},[],"This means that traditional anti-phishing tools at the email and network layer are struggling to keep up, with many attacks evading email-based detections (or bypassing email altogether). At the same time, proxy-based solutions now see a garbled mess of JavaScript code without the necessary context of what is actually happening in the browser to be able to piece it together effectively. Even if they don’t realize it, this means many organizations are now relying solely on blocking known-bad sites and hosts — a wildly ineffective solution in 2025 with the rate that attackers refresh and rotate their phishing infrastructure. ",{"data":1595,"content":1596,"nodeType":264},{},[1597],{"data":1598,"marks":1599,"value":1600,"nodeType":248},{},[],"These changes make phishing more effective than ever, and increasingly difficult to detect and block without being able to observe and analyze web pages that a user interacts with in real time — something only possible with browser-level visibility. ",{"data":1602,"content":1606,"nodeType":404},{"target":1603},{"sys":1604},{"id":1605,"type":401,"linkType":402},"1II2kHyOZcShLsexx1TAgy",[],{"data":1608,"content":1609,"nodeType":415},{},[],{"data":1611,"content":1612,"nodeType":594},{},[1613],{"data":1614,"marks":1615,"value":1617,"nodeType":248},{},[1616],{"type":423},"2. Malicious copy and paste (aka. ClickFix, FileFix, etc.)",{"data":1619,"content":1620,"nodeType":264},{},[1621,1625,1634],{"data":1622,"marks":1623,"value":1624,"nodeType":248},{},[],"One of the biggest security trends in the past year has been the emergence of the attack technique known as ",{"data":1626,"content":1628,"nodeType":259},{"uri":1627},"https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/",[1629],{"data":1630,"marks":1631,"value":1633,"nodeType":248},{},[1632],{"type":257},"ClickFix",{"data":1635,"marks":1636,"value":1637,"nodeType":248},{},[],". ",{"data":1639,"content":1640,"nodeType":264},{},[1641],{"data":1642,"marks":1643,"value":1644,"nodeType":248},{},[],"Originally known as “Fake CAPTCHA”, these attacks attempt to trick users into running malicious commands on their device — typically by solving some form of verification challenge in the browser. ",{"data":1646,"content":1647,"nodeType":264},{},[1648,1652,1661,1665,1674],{"data":1649,"marks":1650,"value":1651,"nodeType":248},{},[],"In reality, by solving the challenge, the victim is actually copying malicious code from the page clipboard and running it on their device. It typically gives the victim instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Terminal, or PowerShell. Variants such as ",{"data":1653,"content":1655,"nodeType":259},{"uri":1654},"https://mrd0x.com/filefix-clickfix-alternative/",[1656],{"data":1657,"marks":1658,"value":1660,"nodeType":248},{},[1659],{"type":257},"FileFix",{"data":1662,"marks":1663,"value":1664,"nodeType":248},{},[]," have also emerged which instead uses the File Explorer Address Bar to execute OS commands, while recent examples have seen this attack branch out to ",{"data":1666,"content":1668,"nodeType":259},{"uri":1667},"https://www.bleepingcomputer.com/news/security/fake-mac-fixes-trick-users-into-installing-new-shamos-infostealer/",[1669],{"data":1670,"marks":1671,"value":1673,"nodeType":248},{},[1672],{"type":257},"Mac via the macOS terminal",{"data":1675,"marks":1676,"value":819,"nodeType":248},{},[],{"data":1678,"content":1679,"nodeType":264},{},[1680],{"data":1681,"marks":1682,"value":1683,"nodeType":248},{},[],"Most commonly, these attacks are used to deliver infostealer malware, using stolen session cookies and credentials to access business apps and services. ",{"data":1685,"content":1686,"nodeType":264},{},[1687],{"data":1688,"marks":1689,"value":1690,"nodeType":248},{},[],"Like modern credential and session phishing, links to malicious pages are distributed over various delivery channels and using a variety of lures, including impersonating CAPTCHA, Cloudflare Turnstile, simulating an error loading a webpage, and many more. ",{"data":1692,"content":1696,"nodeType":404},{"target":1693},{"sys":1694},{"id":1695,"type":401,"linkType":402},"6O9YiOfhpGFCDsTil9F3On",[],{"data":1698,"content":1699,"nodeType":264},{},[1700],{"data":1701,"marks":1702,"value":1703,"nodeType":248},{},[],"The variance in lure, and differences between different versions of the same lure, can make it difficult to fingerprint and detect based on visual elements alone. Also, many of the same protections being used to obfuscate and prevent analysis of phishing pages also apply to ClickFix pages, making it equally challenging to detect and block them. ",{"data":1705,"content":1706,"nodeType":264},{},[1707],{"data":1708,"marks":1709,"value":1710,"nodeType":248},{},[],"This leaves most of the detection and blocking down to endpoint-layer controls around user-level code execution and malware running on a device. The quantity of ClickFix-related headlines in the news would indicate that endpoint controls are being routinely bypassed, or perhaps evaded altogether by targeting personal or BYOD devices. ",{"data":1712,"content":1713,"nodeType":264},{},[1714],{"data":1715,"marks":1716,"value":1717,"nodeType":248},{},[],"There is a significant opportunity to detect these attacks in the browser and stop them at the earliest opportunity, before they reach the endpoint. Every ClickFix attack and variant has a key action in common — malicious code is copied from the page’s clipboard. In some cases, this happens without any user interaction (where the only requirement on the user is to run code that has been silently copied behind the scenes), presenting a strong indicator of malicious behavior that can be observed in the browser. ",{"data":1719,"content":1720,"nodeType":415},{},[],{"data":1722,"content":1723,"nodeType":594},{},[1724],{"data":1725,"marks":1726,"value":1728,"nodeType":248},{},[1727],{"type":423},"3. Malicious OAuth integrations",{"data":1730,"content":1731,"nodeType":264},{},[1732,1736,1744],{"data":1733,"marks":1734,"value":1735,"nodeType":248},{},[],"Malicious OAuth integrations are another way for attackers to compromise an app by tricking a user into authorizing an integration with a malicious, attacker-controlled app, with the level of data access and functionality dictated by the scopes authorized in the request. This is also known as ",{"data":1737,"content":1739,"nodeType":259},{"uri":1738},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/consent_phishing/description.md",[1740],{"data":1741,"marks":1742,"value":1743,"nodeType":248},{},[],"consent phishing",{"data":1745,"marks":1746,"value":1747,"nodeType":248},{},[],". ",{"data":1749,"content":1753,"nodeType":404},{"target":1750},{"sys":1751},{"id":1752,"type":401,"linkType":402},"5JaP4WSfFsFSbvaa9BQBOq",[],{"data":1755,"content":1756,"nodeType":264},{},[1757],{"data":1758,"marks":1759,"value":1760,"nodeType":248},{},[],"This is an effective way for attackers to bypass hardened authentication and access controls by sidestepping the typical login process to take over an account and compromise business apps. This includes phishing-resistant MFA methods like passkeys — since the standard login process does not apply. ",{"data":1762,"content":1763,"nodeType":264},{},[1764],{"data":1765,"marks":1766,"value":1767,"nodeType":248},{},[],"A variant of this attack has dominated the headlines recently with the ongoing Salesforce breaches. In this scenario, the attacker tricked the victim into authorizing an attacker-controlled OAuth app via the device code authorization flow in Salesforce, which requires the user to enter an 8-digit code in place of a password or MFA factor.",{"data":1769,"content":1773,"nodeType":404},{"target":1770},{"sys":1771},{"id":1772,"type":401,"linkType":402},"3odEFcUcpKN553gHh2P5yr",[],{"data":1775,"content":1776,"nodeType":264},{},[1777],{"data":1778,"marks":1779,"value":1780,"nodeType":248},{},[],"Preventing malicious OAuth grants being authorized requires tight in-app management of user permissions and tenant security settings. This is no mean feat when considering the 100s of apps in use across the modern enterprise, many of which are not centrally managed by IT and security teams (or in some cases, are completely unknown to them). Even then, you’re limited by the controls made available by the app vendor. In this case, Salesforce has announced planned changes to OAuth app authorization in order to improve security prompted by these attacks — but many more apps with insecure configs exist for attackers to take advantage of in future. ",{"data":1782,"content":1783,"nodeType":264},{},[1784],{"data":1785,"marks":1786,"value":1787,"nodeType":248},{},[],"However, unlike app-specific integrations, browser-based security tools are well positioned to observe OAuth grants across all apps accessed in the browser — even the ones the security team doesn’t manage or know about, or without needing to pay for the app’s special security add-on to get visibility.",{"data":1789,"content":1790,"nodeType":415},{},[],{"data":1792,"content":1793,"nodeType":594},{},[1794],{"data":1795,"marks":1796,"value":1798,"nodeType":248},{},[1797],{"type":423},"4. Malicious browser extensions",{"data":1800,"content":1801,"nodeType":264},{},[1802],{"data":1803,"marks":1804,"value":1805,"nodeType":248},{},[],"Malicious browser extensions are another way for attackers to compromise your business apps by observing and capturing logins as they happen, and/or extracting session cookies and credentials saved in the browser cache and password manager. ",{"data":1807,"content":1808,"nodeType":264},{},[1809,1813,1822],{"data":1810,"marks":1811,"value":1812,"nodeType":248},{},[],"Attackers do this by creating their own malicious extension and tricking your users into installing it, or taking over an existing extension to gain access to browsers where it is already installed (",{"data":1814,"content":1816,"nodeType":259},{"uri":1815},"https://secureannex.com/blog/buying-browser-extensions/",[1817],{"data":1818,"marks":1819,"value":1821,"nodeType":248},{},[1820],{"type":257},"it’s very easy for attackers to buy and add malicious updates to existing extensions",{"data":1823,"marks":1824,"value":1825,"nodeType":248},{},[],", easily passing extension web store security checks). ",{"data":1827,"content":1828,"nodeType":264},{},[1829,1833,1842,1846,1855,1859,1868],{"data":1830,"marks":1831,"value":1832,"nodeType":248},{},[],"The news around extension-based compromises has been on the rise since the ",{"data":1834,"content":1836,"nodeType":259},{"uri":1835},"https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/",[1837],{"data":1838,"marks":1839,"value":1841,"nodeType":248},{},[1840],{"type":257},"Cyberhaven extension",{"data":1843,"marks":1844,"value":1845,"nodeType":248},{},[]," was hacked in December 2024, along with at least 35 other extensions. Since then, there has been regular reporting on data-stealing extensions ",{"data":1847,"content":1849,"nodeType":259},{"uri":1848},"https://www.bleepingcomputer.com/news/security/data-stealing-chrome-extensions-impersonate-fortinet-youtube-vpns/",[1850],{"data":1851,"marks":1852,"value":1854,"nodeType":248},{},[1853],{"type":257},"impersonating legitimate brands",{"data":1856,"marks":1857,"value":1858,"nodeType":248},{},[],", and ",{"data":1860,"content":1862,"nodeType":259},{"uri":1861},"https://www.bleepingcomputer.com/news/security/chrome-extensions-with-6-million-installs-have-hidden-tracking-code/",[1863],{"data":1864,"marks":1865,"value":1867,"nodeType":248},{},[1866],{"type":257},"impacting millions of users",{"data":1869,"marks":1870,"value":819,"nodeType":248},{},[],{"data":1872,"content":1873,"nodeType":264},{},[1874],{"data":1875,"marks":1876,"value":1877,"nodeType":248},{},[],"Risky browser extension permissions include broad data access, the ability to modify website content, track user activity, capture screenshots, and manage tabs or network requests. Permissions like \"read and change all data on all websites\" or access to cookies and browsing history are particularly dangerous as they can be exploited for session hijacking, data theft, malware injection, or phishing.",{"data":1879,"content":1880,"nodeType":264},{},[1881],{"data":1882,"marks":1883,"value":1884,"nodeType":248},{},[],"Generally, your employees should not be randomly installing browser extensions unless pre-approved by your security team. The reality, however, is that many organizations have very little visibility of the extensions their employees are using, and the potential risk they’re exposed to as a result. ",{"data":1886,"content":1887,"nodeType":264},{},[1888],{"data":1889,"marks":1890,"value":1891,"nodeType":248},{},[],"To tackle malicious extensions, security tools operating in the browser can track the browser extensions deployed, highlight risky permissions, compare with known-malicious extensions, identify fraudulent/unofficial versions of a legitimate extension, and highlight other risky properties commonly associated with malicious extensions (e.g. “Developer” extensions). ",{"data":1893,"content":1894,"nodeType":415},{},[],{"data":1896,"content":1897,"nodeType":594},{},[1898],{"data":1899,"marks":1900,"value":1902,"nodeType":248},{},[1901],{"type":423},"5. Malicious file delivery",{"data":1904,"content":1905,"nodeType":264},{},[1906],{"data":1907,"marks":1908,"value":1909,"nodeType":248},{},[],"Malicious files have been a core part of malware delivery and credential theft for many years. Just as non-email channels like malvertising and drive-by attacks are used to deliver phishing and ClickFix lures, malicious files are also distributed through similar means — leaving malicious file detection to basic known-bad checks, sandbox analysis using a proxy (not that useful in the context of sandbox-aware malware) or runtime analysis on the endpoint. ",{"data":1911,"content":1912,"nodeType":264},{},[1913],{"data":1914,"marks":1915,"value":1916,"nodeType":248},{},[],"This doesn’t just have to be malicious executables directly dropping malware onto the device. File downloads can also contain additional links taking the user to malicious content. In fact, one of the most common types of downloadable content are HTML Applications (HTAs), commonly used to spawn local phishing pages to stealthily capture credentials. More recently, attackers have been weaponizing SVG files for a similar purpose, running as self-contained phishing pages that render fake login portals entirely client-side. ",{"data":1918,"content":1919,"nodeType":264},{},[1920],{"data":1921,"marks":1922,"value":1923,"nodeType":248},{},[],"Even if malicious content cannot always be flagged from surface-level inspection of a file, recording file downloads in the browser is a useful addition to endpoint-based malware protection, and provides another layer of defense against file downloads that perform client-side attacks, or redirect the user to malicious web-based content. ",{"data":1925,"content":1926,"nodeType":415},{},[],{"data":1928,"content":1929,"nodeType":594},{},[1930],{"data":1931,"marks":1932,"value":1934,"nodeType":248},{},[1933],{"type":423},"6. Stolen credentials and MFA gaps",{"data":1936,"content":1937,"nodeType":264},{},[1938],{"data":1939,"marks":1940,"value":1941,"nodeType":248},{},[],"This last one isn’t so much a browser-based attack, but it is a product of them. When credentials are stolen through phishing or infostealer malware they can be used to take over accounts missing MFA. ",{"data":1943,"content":1944,"nodeType":264},{},[1945,1949,1956,1960,1969],{"data":1946,"marks":1947,"value":1948,"nodeType":248},{},[],"This isn’t the most sophisticated attack, but it’s very effective. You need only look at last year’s ",{"data":1950,"content":1951,"nodeType":259},{"uri":1451},[1952],{"data":1953,"marks":1954,"value":1034,"nodeType":248},{},[1955],{"type":257},{"data":1957,"marks":1958,"value":1959,"nodeType":248},{},[]," account compromises or the ",{"data":1961,"content":1963,"nodeType":259},{"uri":1962},"https://pushsecurity.com/blog/why-attackers-are-targeting-jira-with-stolen-credentials?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[1964],{"data":1965,"marks":1966,"value":1968,"nodeType":248},{},[1967],{"type":257},"Jira",{"data":1970,"marks":1971,"value":1972,"nodeType":248},{},[]," attacks earlier this year to see how attackers harness stolen credentials at scale. ",{"data":1974,"content":1975,"nodeType":264},{},[1976,1980,1989],{"data":1977,"marks":1978,"value":1979,"nodeType":248},{},[],"With the modern enterprise using hundreds of apps, the likelihood that an app hasn’t been configured for mandatory MFA (if possible) is high. And even when an app has been configured for SSO and connected to your primary corporate identity, ",{"data":1981,"content":1983,"nodeType":259},{"uri":1982},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=sidebar",[1984],{"data":1985,"marks":1986,"value":1988,"nodeType":248},{},[1987],{"type":257},"local “ghost logins” can continue to exist",{"data":1990,"marks":1991,"value":1992,"nodeType":248},{},[],", accepting passwords with no MFA required. Just having visibility of your primary Identity Provider accounts (e.g. Google, Microsoft, Okta) and SSO-connected apps doesn't give you a full picture of your identity surface.",{"data":1994,"content":1995,"nodeType":264},{},[1996],{"data":1997,"marks":1998,"value":1999,"nodeType":248},{},[],"Logins can also be observed in the browser — in fact, it’s as close to a universal source of truth as you’re going to get about how your employees are actually logging in, which apps they’re using, and whether MFA is present, enabling security teams to find and fix vulnerable logins before they can be exploited by attackers. ",{"data":2001,"content":2002,"nodeType":415},{},[],{"data":2004,"content":2005,"nodeType":425},{},[2006],{"data":2007,"marks":2008,"value":2010,"nodeType":248},{},[2009],{"type":423},"Conclusion",{"data":2012,"content":2013,"nodeType":264},{},[2014],{"data":2015,"marks":2016,"value":2017,"nodeType":248},{},[],"Attacks are increasingly happening in the browser. That makes it the perfect place to detect and respond to these attacks. But right now, the browser is a blind-spot for most security teams. ",{"data":2019,"content":2020,"nodeType":264},{},[2021],{"data":2022,"marks":2023,"value":2024,"nodeType":248},{},[],"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",{"data":2026,"content":2027,"nodeType":264},{},[2028,2032,2040],{"data":2029,"marks":2030,"value":2031,"nodeType":248},{},[],"If you want to learn more about how Push helps you to detect and stop attacks in the browser, ",{"data":2033,"content":2035,"nodeType":259},{"uri":2034},"https://pushsecurity.com/demo?utm_source=bleeping-computer&utm_medium=sponsored-content&utm_term=article",[2036],{"data":2037,"marks":2038,"value":815,"nodeType":248},{},[2039],{"type":257},{"data":2041,"marks":2042,"value":819,"nodeType":248},{},[],"6 browser-based attacks every security team should be prepared for","What security teams need to know about the browser-based attack techniques that are the leading cause of breaches.","2025-09-05T00:00:00.000Z","6-browser-based-attacks-every-security-team-should-be-prepared-for",{"items":2048},[2049,2051],{"sys":2050,"name":1382},{"id":1381},{"sys":2052,"name":1378},{"id":1377},{"items":2054},[2055],{"fullName":2056,"firstName":2057,"jobTitle":2058,"profilePicture":2059},"Dan Green","Dan","Threat Research",{"url":2060},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":876,"sys":2062,"content":2064,"title":2510,"synopsis":2511,"hashTags":62,"publishedDate":2512,"slug":2513,"tagsCollection":2514,"authorsCollection":2520},{"id":2063},"4vPEPmjd8MOlARD7oXfOrj",{"json":2065},{"nodeType":831,"data":2066,"content":2067},{},[2068,2087,2103,2109,2116,2123,2126,2134,2153,2160,2166,2173,2179,2186,2192,2199,2205,2212,2218,2221,2229,2247,2253,2261,2281,2289,2322,2329,2337,2357,2365,2385,2391,2394,2402,2422,2429,2435,2438,2446,2465,2471,2478,2484],{"nodeType":264,"data":2069,"content":2070},{},[2071,2075,2084],{"nodeType":248,"value":2072,"marks":2073,"data":2074},"Push recently detected and blocked a high-risk LinkedIn phishing attack that demonstrated a number of crafty (and increasingly common) ",[],{},{"nodeType":259,"data":2076,"content":2078},{"uri":2077},"https://phishing-techniques.pushsecurity.com/",[2079],{"nodeType":248,"value":2080,"marks":2081,"data":2083},"detection evasion techniques",[2082],{"type":257},{},{"nodeType":248,"value":1637,"marks":2085,"data":2086},[],{},{"nodeType":264,"data":2088,"content":2089},{},[2090,2094,2099],{"nodeType":248,"value":2091,"marks":2092,"data":2093},"Phishing via LinkedIn is increasingly common, although it often goes undetected and unreported. This is to be expected when most of the industry’s data on phishing attacks comes from email security vendors and tools. In contrast to email-centric reporting, ",[],{},{"nodeType":248,"value":2095,"marks":2096,"data":2098},"34% of the phishing attacks intercepted by Push last month came through non-email channels",[2097],{"type":423},{},{"nodeType":248,"value":2100,"marks":2101,"data":2102}," like social media, IM platforms, malicious search engine ads, and in-app communications. ",[],{},{"nodeType":404,"data":2104,"content":2108},{"target":2105},{"sys":2106},{"id":2107,"type":401,"linkType":402},"7i8panfdFUqW9wqYkd9uDc",[],{"nodeType":264,"data":2110,"content":2111},{},[2112],{"nodeType":248,"value":2113,"marks":2114,"data":2115},"Phishing via LinkedIn is a great way to catch victims unawares and evade traditionally email-based anti-phishing controls. While often used for work and commonly accessed from corporate devices, it sits outside the purview of enterprise security tools, exploiting a visibility and control blind spot. ",[],{},{"nodeType":264,"data":2117,"content":2118},{},[2119],{"nodeType":248,"value":2120,"marks":2121,"data":2122},"Let’s break it down. ",[],{},{"nodeType":415,"data":2124,"content":2125},{},[],{"nodeType":425,"data":2127,"content":2128},{},[2129],{"nodeType":248,"value":2130,"marks":2131,"data":2133},"Phishing attack breakdown",[2132],{"type":423},{},{"nodeType":264,"data":2135,"content":2136},{},[2137,2141,2149],{"nodeType":248,"value":2138,"marks":2139,"data":2140},"The victim was sent a malicious link via LinkedIn DM relating to a fake investment opportunity for executives ",[],{},{"nodeType":259,"data":2142,"content":2144},{"uri":2143},"https://www.bleepingcomputer.com/news/security/linkedin-phishing-targets-finance-execs-with-fake-board-invites/",[2145],{"nodeType":248,"value":2146,"marks":2147,"data":2148},"to join the executive board of a newly created \"Common Wealth\" investment fund.",[],{},{"nodeType":248,"value":2150,"marks":2151,"data":2152}," ",[],{},{"nodeType":264,"data":2154,"content":2155},{},[2156],{"nodeType":248,"value":2157,"marks":2158,"data":2159},"After clicking the link, they were redirected three times — via Google Search, and then payrails-canaccord[.]icu/(redacted) — before being sent to a custom landing page hosted on firebasestorage.googleapis[.]com/(redacted). ",[],{},{"nodeType":404,"data":2161,"content":2165},{"target":2162},{"sys":2163},{"id":2164,"type":401,"linkType":402},"65PeJOKzn6Ba7FDUQRae3Q",[],{"nodeType":264,"data":2167,"content":2168},{},[2169],{"nodeType":248,"value":2170,"marks":2171,"data":2172},"Upon clicking on one of the document links on the page, the victim is prompted to “view with Microsoft”. ",[],{},{"nodeType":404,"data":2174,"content":2178},{"target":2175},{"sys":2176},{"id":2177,"type":401,"linkType":402},"4f27KuwTRx1Do59rs3JoVl",[],{"nodeType":264,"data":2180,"content":2181},{},[2182],{"nodeType":248,"value":2183,"marks":2184,"data":2185},"The user is then met with a Cloudflare Turnstile gate challenge at login.kggpho[.]icu before the page will fully render, and malicious content is loaded. ",[],{},{"nodeType":404,"data":2187,"content":2191},{"target":2188},{"sys":2189},{"id":2190,"type":401,"linkType":402},"3lpVmLBZSocOSGdlCKhKnD",[],{"nodeType":264,"data":2193,"content":2194},{},[2195],{"nodeType":248,"value":2196,"marks":2197,"data":2198},"The Microsoft-impersonating AITM phishing page is then served to the victim. Entering credentials and completing the MFA check will result in their Microsoft session being stolen by the attacker. ",[],{},{"nodeType":404,"data":2200,"content":2204},{"target":2201},{"sys":2202},{"id":2203,"type":401,"linkType":402},"5FCa4EJwyux13K9KBT3nd4",[],{"nodeType":264,"data":2206,"content":2207},{},[2208],{"nodeType":248,"value":2209,"marks":2210,"data":2211},"You can see the full timeline of events in the Detection Timeline below. ",[],{},{"nodeType":404,"data":2213,"content":2217},{"target":2214},{"sys":2215},{"id":2216,"type":401,"linkType":402},"8lizkPJcGdZhtWFV2QEwQ",[],{"nodeType":415,"data":2219,"content":2220},{},[],{"nodeType":425,"data":2222,"content":2223},{},[2224],{"nodeType":248,"value":2225,"marks":2226,"data":2228},"Detection evasion techniques observed",[2227],{"type":423},{},{"nodeType":264,"data":2230,"content":2231},{},[2232,2236,2243],{"nodeType":248,"value":2233,"marks":2234,"data":2235},"The attacker used a number of ",[],{},{"nodeType":259,"data":2237,"content":2238},{"uri":2077},[2239],{"nodeType":248,"value":2080,"marks":2240,"data":2242},[2241],{"type":257},{},{"nodeType":248,"value":2244,"marks":2245,"data":2246}," to prevent the phishing site being analysed and detected by security tools. ",[],{},{"nodeType":404,"data":2248,"content":2252},{"target":2249},{"sys":2250},{"id":2251,"type":401,"linkType":402},"7q9D1MREwTCCpnjvZZ5wk1",[],{"nodeType":594,"data":2254,"content":2255},{},[2256],{"nodeType":248,"value":2257,"marks":2258,"data":2260},"LinkedIn delivery",[2259],{"type":423},{},{"nodeType":264,"data":2262,"content":2263},{},[2264,2268,2277],{"nodeType":248,"value":2265,"marks":2266,"data":2267},"As we mentioned above, sending phishing lures via ",[],{},{"nodeType":259,"data":2269,"content":2271},{"uri":2270},"https://phishing-techniques.pushsecurity.com/techniques/social-media/",[2272],{"nodeType":248,"value":2273,"marks":2274,"data":2276},"social media apps",[2275],{"type":257},{},{"nodeType":248,"value":2278,"marks":2279,"data":2280}," like LinkedIn is a great way to reach employees in a place that they expect to be contacted by people outside of their organization. By evading the traditional phishing control point altogether (email) attackers significantly reduce the risk of interception. ",[],{},{"nodeType":594,"data":2282,"content":2283},{},[2284],{"nodeType":248,"value":2285,"marks":2286,"data":2288},"Lengthy redirect chain through trusted sites",[2287],{"type":423},{},{"nodeType":264,"data":2290,"content":2291},{},[2292,2296,2305,2309,2318],{"nodeType":248,"value":2293,"marks":2294,"data":2295},"Attackers use ",[],{},{"nodeType":259,"data":2297,"content":2299},{"uri":2298},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[2300],{"nodeType":248,"value":2301,"marks":2302,"data":2304},"lengthy redirect chains",[2303],{"type":257},{},{"nodeType":248,"value":2306,"marks":2307,"data":2308}," in combination with hosting pages on ",[],{},{"nodeType":259,"data":2310,"content":2312},{"uri":2311},"https://phishing-techniques.pushsecurity.com/techniques/trusted-website-hosting/",[2313],{"nodeType":248,"value":2314,"marks":2315,"data":2317},"legitimate, trusted sites",[2316],{"type":257},{},{"nodeType":248,"value":2319,"marks":2320,"data":2321}," (in this case Firebase, Google’s app development platform). This is a technique we see a lot, with various Google and Microsoft sites cropping up time and again, including Google Forms, Google Sites, Google Script, Google AMP, Microsoft Dynamics, SharePoint, Azure Front Door, and many more, all used by attackers as part of their phishing attacks. ",[],{},{"nodeType":264,"data":2323,"content":2324},{},[2325],{"nodeType":248,"value":2326,"marks":2327,"data":2328},"Legitimate services are less likely to be flagged by link analysis tools and effectively cloak the initial URL delivered to the victim to increase the chance of successful delivery of and access to the link, while many services are excluded from page scanning tools owing to their association with trusted domains. ",[],{},{"nodeType":594,"data":2330,"content":2331},{},[2332],{"nodeType":248,"value":2333,"marks":2334,"data":2336},"Bot protection",[2335],{"type":423},{},{"nodeType":264,"data":2338,"content":2339},{},[2340,2344,2353],{"nodeType":248,"value":2341,"marks":2342,"data":2343},"Attackers are using common ",[],{},{"nodeType":259,"data":2345,"content":2347},{"uri":2346},"https://phishing-techniques.pushsecurity.com/techniques/bot-protection/",[2348],{"nodeType":248,"value":2349,"marks":2350,"data":2352},"bot protection",[2351],{"type":257},{},{"nodeType":248,"value":2354,"marks":2355,"data":2356}," technologies like CAPTCHA and Cloudflare Turnstile to prevent security bots from accessing their web pages to be able to analyse them (and therefore block pages from being automatically flagged). This requires anyone visiting the page to pass a bot check/challenge before the page can be loaded, meaning the full page cannot be analysed by automated tools. ",[],{},{"nodeType":594,"data":2358,"content":2359},{},[2360],{"nodeType":248,"value":2361,"marks":2362,"data":2364},"Page obfuscation",[2363],{"type":423},{},{"nodeType":264,"data":2366,"content":2367},{},[2368,2372,2381],{"nodeType":248,"value":2369,"marks":2370,"data":2371},"Phishing pages ",[],{},{"nodeType":259,"data":2373,"content":2375},{"uri":2374},"https://phishing-techniques.pushsecurity.com/techniques/page-obfuscation/",[2376],{"nodeType":248,"value":2377,"marks":2378,"data":2380},"change and even randomize elements of the page",[2379],{"type":257},{},{"nodeType":248,"value":2382,"marks":2383,"data":2384}," to avoid static fingerprints and defeat comparison-based checks against real pages. This includes the page title, text, images, backgrounds, logos, favicons, etc. — all of which may be signatured components using web page analysis tools. These elements can even be embedded in an encoded form so it isn’t present in the initial HTML, and is instead dynamically set at runtime when loaded. As an example, you can see that the page randomly generated the tab header text.",[],{},{"nodeType":404,"data":2386,"content":2390},{"target":2387},{"sys":2388},{"id":2389,"type":401,"linkType":402},"2bbOZC9M4y69ACDy7bn209",[],{"nodeType":415,"data":2392,"content":2393},{},[],{"nodeType":425,"data":2395,"content":2396},{},[2397],{"nodeType":248,"value":2398,"marks":2399,"data":2401},"Impact analysis",[2400],{"type":423},{},{"nodeType":264,"data":2403,"content":2404},{},[2405,2409,2418],{"nodeType":248,"value":2406,"marks":2407,"data":2408},"We’re seeing ",[],{},{"nodeType":259,"data":2410,"content":2412},{"uri":2411},"https://pushsecurity.com/blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack/",[2413],{"nodeType":248,"value":2414,"marks":2415,"data":2417},"many phishing campaigns pivoting to social media apps like LinkedIn",[2416],{"type":257},{},{"nodeType":248,"value":2419,"marks":2420,"data":2421}," and organizations should be on guard against this attack vector, which is highly effective at evading common anti-phishing controls.  ",[],{},{"nodeType":264,"data":2423,"content":2424},{},[2425],{"nodeType":248,"value":2426,"marks":2427,"data":2428},"Just because the attack happens over LinkedIn doesn’t lessen the impact — these are corporate credentials and accounts being targeted, even if it is nominally a “personal” application. Taking over a core identity like a Microsoft or Google account can have wide-ranging consequences, putting data at risk in both core apps and any downstream apps that can be accessed via SSO from the compromised account. ",[],{},{"nodeType":404,"data":2430,"content":2434},{"target":2431},{"sys":2432},{"id":2433,"type":401,"linkType":402},"6QzB0BlVC5mstXwXHvy2c3",[],{"nodeType":415,"data":2436,"content":2437},{},[],{"nodeType":425,"data":2439,"content":2440},{},[2441],{"nodeType":248,"value":2442,"marks":2443,"data":2445},"How Push stopped the attack",[2444],{"type":423},{},{"nodeType":264,"data":2447,"content":2448},{},[2449,2453,2461],{"nodeType":248,"value":2450,"marks":2451,"data":2452},"Push doesn’t detect the redirect tricks or rely on outdated domain TI feeds. The reason we detect these attacks (which make it through all the other layers of phishing protection) is that Push sees what your users see. It doesn’t matter what ",[],{},{"nodeType":259,"data":2454,"content":2455},{"uri":2077},[2456],{"nodeType":248,"value":2457,"marks":2458,"data":2460},"delivery channel or camouflage methods are used",[2459],{"type":257},{},{"nodeType":248,"value":2462,"marks":2463,"data":2464},", Push shuts the attack down in real time, as the user loads the malicious page in their web browser.",[],{},{"nodeType":264,"data":2466,"content":2467},{},[2468],{"nodeType":248,"value":786,"marks":2469,"data":2470},[],{},{"nodeType":264,"data":2472,"content":2473},{},[2474],{"nodeType":248,"value":2475,"marks":2476,"data":2477},"Check out the demo below to see Push detect and block this attack in real-time. ",[],{},{"nodeType":404,"data":2479,"content":2483},{"target":2480},{"sys":2481},{"id":2482,"type":401,"linkType":402},"5VsFECWlJ1HNGtC0jUcPjH",[],{"nodeType":264,"data":2485,"content":2486},{},[2487,2490,2497,2500,2507],{"nodeType":248,"value":793,"marks":2488,"data":2489},[],{},{"nodeType":259,"data":2491,"content":2492},{"uri":796},[2493],{"nodeType":248,"value":802,"marks":2494,"data":2496},[2495],{"type":257},{},{"nodeType":248,"value":806,"marks":2498,"data":2499},[],{},{"nodeType":259,"data":2501,"content":2502},{"uri":809},[2503],{"nodeType":248,"value":815,"marks":2504,"data":2506},[2505],{"type":257},{},{"nodeType":248,"value":819,"marks":2508,"data":2509},[],{},"New phishing campaign identified targeting LinkedIn users","Diving into the latest sophisticated LinkedIn phishing campaign intercepted by Push. ","2025-10-30T00:00:00.000Z","new-phishing-campaign-identified-targeting-linkedin-users",{"items":2515},[2516,2518],{"sys":2517,"name":1378},{"id":1377},{"sys":2519,"name":1382},{"id":1381},{"items":2521},[2522],{"fullName":2056,"firstName":2057,"jobTitle":2058,"profilePicture":2523},{"url":2060},"what-the-expansion-of-nydfs-nycrr-part-500-means-for-mfa-compliance","blog/what-the-expansion-of-nydfs-nycrr-part-500-means-for-mfa-compliance",{"json":2527},{"data":2528,"content":2529,"nodeType":831},{},[2530],{"data":2531,"content":2532,"nodeType":264},{},[2533],{"data":2534,"marks":2535,"value":2536,"nodeType":248},{},[],"Earlier this month, New York State’s Department of Financial Services (NYDFS) levied $14 million in fines across 8 insurance companies under its cybersecurity regulation, NYCRR Part 500. From November 1st, the requirements for MFA and asset management are being tightened even further. Here’s what you need to know. ","NYCRR Part 500 is tightening its MFA and asset management requirements. Here's what the changes means for compliance. ",{"id":2539,"publishedAt":2540},"7pU8f4ojNr8rttiSNS2qSU","2025-10-31T14:32:49.364Z",{"items":2542},[2543,2547],{"sys":2544,"name":2546},{"id":2545},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"sys":2548,"name":1382},{"id":1381},"Ff6HoTZQgd_Sd4udMm7a8li1B7TQxdX3FnguLkHyMmQ",1784196718813]