[{"data":1,"prerenderedAt":2637},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/why-attackers-are-moving-beyond-email-based-phishing":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":874,"faqItemsCollection":875,"faqTitle":62,"featured":6,"hashTags":62,"meta":877,"metaTitle":228,"ogImage":62,"publishedDate":878,"relatedBlogPostsCollection":879,"slug":2613,"stem":2614,"subtitle":62,"summary":2615,"synopsis":2626,"sys":2627,"tagsCollection":2630,"__hash__":2636},"blog/blog/why-attackers-are-moving-beyond-email-based-phishing.json","Why attackers are moving beyond email-based phishing",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Dan Green","Dan","Threat Research",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":238,"links":819},{"data":239,"content":240,"nodeType":818},{},[241,252,260,267,274,283,287,295,302,309,326,374,380,387,403,410,416,419,427,434,450,470,490,510,517,520,528,547,580,586,592,595,603,622,642,649,669,675,681,684,692,699,706,739,746,749,757,764,771,778,785],{"data":242,"content":243,"nodeType":251},{},[244],{"data":245,"marks":246,"value":249,"nodeType":250},{},[247],{"type":248},"bold","Phishing has moved outside of the mailbox","text","heading-1",{"data":253,"content":254,"nodeType":259},{},[255],{"data":256,"marks":257,"value":258,"nodeType":250},{},[],"Because of the changes to working practices, employees are more accessible than ever to external attackers. Once upon a time, email was the primary communication channel with the wider world, and work happened locally — on your device, and inside your locked-down network environment. This made email and the endpoint the highest priority from a security perspective. ","paragraph",{"data":261,"content":262,"nodeType":259},{},[263],{"data":264,"marks":265,"value":266,"nodeType":250},{},[],"But now, with modern work happening across a network of decentralized internet apps, and more varied communication channels outside of email, it’s harder to stop users from interacting with malicious content.",{"data":268,"content":269,"nodeType":259},{},[270],{"data":271,"marks":272,"value":273,"nodeType":250},{},[],"Attackers can deliver links over instant messenger apps, social media, SMS, malicious ads, and using in-app messenger functionality, as well as sending emails directly from SaaS services to bypass email-based checks. Likewise, there are now hundreds of apps per enterprise to target, with varying levels of account security configuration.",{"data":275,"content":281,"nodeType":282},{"target":276},{"sys":277},{"id":278,"type":279,"linkType":280},"1tDciIJqKnNoR4FqZChjTy","Link","Entry",[],"embedded-entry-block",{"data":284,"content":285,"nodeType":286},{},[],"hr",{"data":288,"content":289,"nodeType":251},{},[290],{"data":291,"marks":292,"value":294,"nodeType":250},{},[293],{"type":248},"Why am I not hearing about this more? ",{"data":296,"content":297,"nodeType":259},{},[298],{"data":299,"marks":300,"value":301,"nodeType":250},{},[],"Phishing attacks outside of email usually go unreported. This is to be expected when most of the industry’s data on phishing attacks comes from email security vendors and tools. ",{"data":303,"content":304,"nodeType":259},{},[305],{"data":306,"marks":307,"value":308,"nodeType":250},{},[],"If phishing bypasses the email layer, most organizations are left relying on user reported attacks. Some organizations might supplement this with a web proxy, but these are being increasingly defeated by modern phishing kits, which use an array of obfuscation and detection evasion techniques to bypass these detections. ",{"data":310,"content":311,"nodeType":259},{},[312,316,322],{"data":313,"marks":314,"value":315,"nodeType":250},{},[],"The most valuable information for security teams today is the webpage that is loaded ",{"data":317,"marks":318,"value":321,"nodeType":250},{},[319],{"type":320},"italic","through",{"data":323,"marks":324,"value":325,"nodeType":250},{},[]," the network traffic: What does the HTML body look like? What is the user likely seeing on the page? To do this, you need to stitch together and reconstruct what the browser is doing by looking at the network data. Except for very simple websites, this happens through JavaScript on the client side. ",{"data":327,"content":328,"nodeType":259},{},[329,333,344,348,357,361,370],{"data":330,"marks":331,"value":332,"nodeType":250},{},[],"This is hard enough when analysing a typical SaaS app. But the latest generation of fully customized Attacker-in-the-Middle (AitM) phishing kits are going out of their way to make this as challenging as possible, using techniques like ",{"data":334,"content":336,"nodeType":343},{"uri":335},"https://phishing-techniques.pushsecurity.com/techniques/dom-obfuscation/",[337],{"data":338,"marks":339,"value":342,"nodeType":250},{},[340],{"type":341},"underline","DOM obfuscation","hyperlink",{"data":345,"marks":346,"value":347,"nodeType":250},{},[],", ",{"data":349,"content":351,"nodeType":343},{"uri":350},"https://phishing-techniques.pushsecurity.com/techniques/page-obfuscation/",[352],{"data":353,"marks":354,"value":356,"nodeType":250},{},[355],{"type":341},"Page obfuscation",{"data":358,"marks":359,"value":360,"nodeType":250},{},[],", and ",{"data":362,"content":364,"nodeType":343},{"uri":363},"https://phishing-techniques.pushsecurity.com/techniques/code-obfuscation/",[365],{"data":366,"marks":367,"value":369,"nodeType":250},{},[368],{"type":341},"Code obfuscation",{"data":371,"marks":372,"value":373,"nodeType":250},{},[]," so all you see at a network layer is a garbled, obfuscated mess of JS code.",{"data":375,"content":379,"nodeType":282},{"target":376},{"sys":377},{"id":378,"type":279,"linkType":280},"71QsaPju68i5QiJcgQlHDs",[],{"data":381,"content":382,"nodeType":259},{},[383],{"data":384,"marks":385,"value":386,"nodeType":250},{},[],"So, non-email phishing is going broadly undetected through technical controls. And even when spotted and reported by a user — what can you really do about it?",{"data":388,"content":389,"nodeType":259},{},[390,394,399],{"data":391,"marks":392,"value":393,"nodeType":250},{},[],"Take a social media phish. You can’t see which other accounts were targeted or hit in your user base. Unlike email, there’s no way to recall or quarantine the same message hitting multiple users. There’s no rule you can modify, or senders you can block. You can report the account, and ",{"data":395,"marks":396,"value":398,"nodeType":250},{},[397],{"type":320},"maybe",{"data":400,"marks":401,"value":402,"nodeType":250},{},[]," something will happen when the site owner gets around to it — but the attacker has probably got what they needed by then and moved on. ",{"data":404,"content":405,"nodeType":259},{},[406],{"data":407,"marks":408,"value":409,"nodeType":250},{},[],"Most organizations simply block the URLs involved. But this doesn’t really help when attackers are rapidly rotating their phishing domains — by the time you block one site, another three have already taken its place. ",{"data":411,"content":415,"nodeType":282},{"target":412},{"sys":413},{"id":414,"type":279,"linkType":280},"1II2kHyOZcShLsexx1TAgy",[],{"data":417,"content":418,"nodeType":286},{},[],{"data":420,"content":421,"nodeType":251},{},[422],{"data":423,"marks":424,"value":426,"nodeType":250},{},[425],{"type":248},"But aren’t these just personal accounts?",{"data":428,"content":429,"nodeType":259},{},[430],{"data":431,"marks":432,"value":433,"nodeType":250},{},[],"Modern phishing attacks blur the boundary between corporate and personal. The fact is that your employees are routinely accessing personal messaging and social media apps on their corporate devices. Users are signed into apps like LinkedIn, X, WhatsApp, Signal, even message boards like Reddit on their work laptop and/or mobile devices. And with malicious links being found on search engines (aka. malvertising), they can even stumble upon them while browsing the web normally.",{"data":435,"content":436,"nodeType":259},{},[437,441,446],{"data":438,"marks":439,"value":440,"nodeType":250},{},[],"In short: anywhere that your users can be contacted by someone outside of your organization presents an opportunity for phishing. In fact, in most of these cases people ",{"data":442,"marks":443,"value":445,"nodeType":250},{},[444],{"type":248},"expect ",{"data":447,"marks":448,"value":449,"nodeType":250},{},[],"to be contacted by people they don’t know. ",{"data":451,"content":452,"nodeType":259},{},[453,457,466],{"data":454,"marks":455,"value":456,"nodeType":250},{},[],"It’s also a myth that campaigns can’t be targeted in the same way on these platforms, that they’re somehow more random and therefore less dangerous. For example, social media accounts are some of the easiest for attackers to create en masse — or take over. According to the most recent ",{"data":458,"content":460,"nodeType":343},{"uri":459},"https://www.verizon.com/business/resources/T149/reports/2025-dbir-data-breach-investigations-report.pdf",[461],{"data":462,"marks":463,"value":465,"nodeType":250},{},[464],{"type":341},"Verizon DBIR",{"data":467,"marks":468,"value":469,"nodeType":250},{},[],", 60%+ of creds found in infostealer logs were from social media sites. They’re also likely to use single-factor logins. If an attacker can take over one account, and use it to credibly communicate with one of your employees, they have a way higher likelihood of being successful than with your average unsolicited email. ",{"data":471,"content":472,"nodeType":259},{},[473,477,486],{"data":474,"marks":475,"value":476,"nodeType":250},{},[],"Malicious ads can also be targeted. For example, Google Ads can be targeted to searches coming from specific geographic locations, tailored to specific email domain matches, or specific device types (e.g. desktop, mobile, etc.). If you know where your target organization is located, you can tailor the ad to that location. Phishing sites also often come with ",{"data":478,"content":480,"nodeType":343},{"uri":479},"https://phishing-techniques.pushsecurity.com/techniques/conditional-loading/",[481],{"data":482,"marks":483,"value":485,"nodeType":250},{},[484],{"type":341},"conditional loading",{"data":487,"marks":488,"value":489,"nodeType":250},{},[]," parameters to only deliver the malicious payload under specific conditions — for example, only if the visitor came from a particular email campaign link, or only if they are in a certain organization, using a certain browser, from a specific IP range, etc. ",{"data":491,"content":492,"nodeType":259},{},[493,497,506],{"data":494,"marks":495,"value":496,"nodeType":250},{},[],"And even if the attacker only manages to reach your employee on their personal device, this can still be laundered into a corporate account compromise. Just look at the ",{"data":498,"content":500,"nodeType":343},{"uri":499},"https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause",[501],{"data":502,"marks":503,"value":505,"nodeType":250},{},[504],{"type":341},"2023 Okta breach",{"data":507,"marks":508,"value":509,"nodeType":250},{},[],", where an attacker exploited the fact that an Okta employee had signed into a personal Google profile on their work device. This meant any credentials saved in their browser were synced to their personal device — including a customer support system service account providing access to 134 customer tenants. When their personal device got hacked, so too did all of their work credentials.",{"data":511,"content":512,"nodeType":259},{},[513],{"data":514,"marks":515,"value":516,"nodeType":250},{},[],"So, there’s plenty of scope for non-email phishing to result in targeted phishing campaigns. If anything, it’s arguably less work for the attacker to spin up these non-email campaigns than it is to do the necessary legwork to create and build up email sender reputation!",{"data":518,"content":519,"nodeType":286},{},[],{"data":521,"content":522,"nodeType":251},{},[523],{"data":524,"marks":525,"value":527,"nodeType":250},{},[526],{"type":248},"Case study: LinkedIn spear-phishing",{"data":529,"content":530,"nodeType":259},{},[531,534,543],{"data":532,"marks":533,"value":29,"nodeType":250},{},[],{"data":535,"content":537,"nodeType":343},{"uri":536},"https://pushsecurity.com/blog/how-push-stopped-a-high-risk-linkedin-spear-phishing-attack/",[538],{"data":539,"marks":540,"value":542,"nodeType":250},{},[541],{"type":341},"Attackers recently ran a LinkedIn spear-phishing campaign targeting tech company execs.",{"data":544,"marks":545,"value":546,"nodeType":250},{},[]," The victims were targeted via LinkedIn direct message from another exec about a fake investment opportunity. The sender’s account had been compromised and used to approach high-value targets. ",{"data":548,"content":549,"nodeType":259},{},[550,554,563,567,576],{"data":551,"marks":552,"value":553,"nodeType":250},{},[],"The attack led the victim through a chain of custom pages hosted on ",{"data":555,"content":557,"nodeType":343},{"uri":556},"https://phishing-techniques.pushsecurity.com/techniques/trusted-website-hosting/",[558],{"data":559,"marks":560,"value":562,"nodeType":250},{},[561],{"type":341},"legitimate sites",{"data":564,"marks":565,"value":566,"nodeType":250},{},[]," (a well-known ",{"data":568,"content":570,"nodeType":343},{"uri":569},"https://pushsecurity.com/resources/phishing-evolution?",[571],{"data":572,"marks":573,"value":575,"nodeType":250},{},[574],{"type":341},"detection evasion technique",{"data":577,"marks":578,"value":579,"nodeType":250},{},[],") such as Google Sites, Google Search, and Microsoft Dynamics, before serving up an Attacker-in-the-Middle phishing page impersonating Google Workspace, before serving up a session-stealing AitM phishing page. ",{"data":581,"content":585,"nodeType":282},{"target":582},{"sys":583},{"id":584,"type":279,"linkType":280},"1cEvEzLdKIuj6zuGn9aWJB",[],{"data":587,"content":591,"nodeType":282},{"target":588},{"sys":589},{"id":590,"type":279,"linkType":280},"6LfBXkDKqh1ogCMxaxyV6x",[],{"data":593,"content":594,"nodeType":286},{},[],{"data":596,"content":597,"nodeType":251},{},[598],{"data":599,"marks":600,"value":602,"nodeType":250},{},[601],{"type":248},"Case study: Google Search malvertising",{"data":604,"content":605,"nodeType":259},{},[606,609,618],{"data":607,"marks":608,"value":29,"nodeType":250},{},[],{"data":610,"content":612,"nodeType":343},{"uri":611},"https://pushsecurity.com/blog/investigating-a-recent-malvertising-campaign-targeting-onfido-customers/",[613],{"data":614,"marks":615,"value":617,"nodeType":250},{},[616],{"type":341},"A company was hit with a targeted Google ad",{"data":619,"marks":620,"value":621,"nodeType":250},{},[]," which was designed to look highly convincing, and positioned above the legitimate ad. This took advantage of the fact that many users will search for login pages rather than accessing the site via bookmark. ",{"data":623,"content":624,"nodeType":259},{},[625,629,638],{"data":626,"marks":627,"value":628,"nodeType":250},{},[],"In this case, the attacker had made use of a ",{"data":630,"content":632,"nodeType":343},{"uri":631},"https://phishing-techniques.pushsecurity.com/techniques/rentable-subdomains/",[633],{"data":634,"marks":635,"value":637,"nodeType":250},{},[636],{"type":341},"rentable subdomain",{"data":639,"marks":640,"value":641,"nodeType":250},{},[]," (us[.]com) to make the link appear highly legitimate, with only small changes to the real URL that were easy to miss. ",{"data":643,"content":644,"nodeType":259},{},[645],{"data":646,"marks":647,"value":648,"nodeType":250},{},[],"Instead of the real login, the link took the victim to a session-stealing AITM page.  ",{"data":650,"content":651,"nodeType":259},{},[652,656,665],{"data":653,"marks":654,"value":655,"nodeType":250},{},[],"This was later traced back to a ",{"data":657,"content":659,"nodeType":343},{"uri":658},"https://pushsecurity.com/blog/scattered-spider-ttp-evolution-in-2025/",[660],{"data":661,"marks":662,"value":664,"nodeType":250},{},[663],{"type":341},"Scattered Spider",{"data":666,"marks":667,"value":668,"nodeType":250},{},[]," campaign.",{"data":670,"content":674,"nodeType":282},{"target":671},{"sys":672},{"id":673,"type":279,"linkType":280},"5o1LEkZfeYVjMZmROi3Yh",[],{"data":676,"content":680,"nodeType":282},{"target":677},{"sys":678},{"id":679,"type":279,"linkType":280},"4RAXFNPdvUXjMDUE7tc10a",[],{"data":682,"content":683,"nodeType":286},{},[],{"data":685,"content":686,"nodeType":251},{},[687],{"data":688,"marks":689,"value":691,"nodeType":250},{},[690],{"type":248},"What can an attacker do with a compromised account? ",{"data":693,"content":694,"nodeType":259},{},[695],{"data":696,"marks":697,"value":698,"nodeType":250},{},[],"It’s important to think about the bigger picture when it comes to a modern phishing compromise. ",{"data":700,"content":701,"nodeType":259},{},[702],{"data":703,"marks":704,"value":705,"nodeType":250},{},[],"Most phishing attacks focus on core enterprise cloud platforms such as Microsoft and Google, or specialist Identity Providers like Okta. Taking over one of these accounts doesn’t just give access to the core apps and data within the respective app, but also enables the attacker to leverage SSO to sign into any connected app that the employee logs into with their account. ",{"data":707,"content":708,"nodeType":259},{},[709,713,722,726,735],{"data":710,"marks":711,"value":712,"nodeType":250},{},[],"This gives an attacker access to just about every core business function and dataset in your organization. And from this point, it’s much easier to target other users of these internal apps — using internal messenger apps like ",{"data":714,"content":716,"nodeType":343},{"uri":715},"https://pushsecurity.com/blog/phishing-slack-persistence/",[717],{"data":718,"marks":719,"value":721,"nodeType":250},{},[720],{"type":341},"Slack or Teams",{"data":723,"marks":724,"value":725,"nodeType":250},{},[],", or techniques like ",{"data":727,"content":729,"nodeType":343},{"uri":728},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/samljacking/description.md",[730],{"data":731,"marks":732,"value":734,"nodeType":250},{},[733],{"type":341},"SAMLjacking",{"data":736,"marks":737,"value":738,"nodeType":250},{},[]," to turn an app into a watering hole for other users trying to log in. ",{"data":740,"content":741,"nodeType":259},{},[742],{"data":743,"marks":744,"value":745,"nodeType":250},{},[],"A single account compromise can quickly snowball into a multi-million dollar, business-wide breach.",{"data":747,"content":748,"nodeType":286},{},[],{"data":750,"content":751,"nodeType":251},{},[752],{"data":753,"marks":754,"value":756,"nodeType":250},{},[755],{"type":248},"What can organizations do about non-email phishing? ",{"data":758,"content":759,"nodeType":259},{},[760],{"data":761,"marks":762,"value":763,"nodeType":250},{},[],"It’s clear that the traditional anti-phishing toolset hasn’t kept up with phishing innovation. ",{"data":765,"content":766,"nodeType":259},{},[767],{"data":768,"marks":769,"value":770,"nodeType":250},{},[],"To tackle modern phishing attacks, organizations need a solution that detects and blocks phishing across all apps and delivery vectors. ",{"data":772,"content":773,"nodeType":259},{},[774],{"data":775,"marks":776,"value":777,"nodeType":250},{},[],"Push Security doesn’t detect the redirect tricks, or rely on outdated domain TI feeds. It doesn’t matter what delivery channel or camouflage methods are used, Push detects and blocks attacks by identifying the attack in real time, as the user loads and interacts with the page in their web browser.",{"data":779,"content":780,"nodeType":259},{},[781],{"data":782,"marks":783,"value":784,"nodeType":250},{},[],"Push’s browser-based security platform provides comprehensive identity attack detection and response capabilities against techniques like AiTM phishing, credential stuffing, ClickFixing, malicious browser extensions, and session hijacking using stolen session tokens. ",{"data":786,"content":787,"nodeType":259},{},[788,792,801,805,814],{"data":789,"marks":790,"value":791,"nodeType":250},{},[],"To learn more about Push, ",{"data":793,"content":795,"nodeType":343},{"uri":794},"https://pushsecurity.com/resources/product-brochure",[796],{"data":797,"marks":798,"value":800,"nodeType":250},{},[799],{"type":341},"check out our latest product overview",{"data":802,"marks":803,"value":804,"nodeType":250},{},[]," or ",{"data":806,"content":808,"nodeType":343},{"uri":807},"https://pushsecurity.com/demo",[809],{"data":810,"marks":811,"value":813,"nodeType":250},{},[812],{"type":341},"book some time with one of our team for a live demo",{"data":815,"marks":816,"value":817,"nodeType":250},{},[],".","document",{"entries":820},{"hyperlink":821,"inline":822,"block":823},[],[],[824,832,839,847,854,860,868],{"sys":825,"__typename":826,"title":827,"caption":827,"layoutMode":62,"file":828},{"id":278},"Image","Phishing is now delivered over multiple channels, not just email, targeting a wide range of cloud and SaaS apps.",{"url":829,"width":830,"height":831},"https://images.ctfassets.net/y1cdw1ablpvd/1Fq4iSo4ssD0bdINZ4M31q/28d89ce5b8af767b37d2acb54a1c78cf/2.png",1999,1003,{"sys":833,"__typename":826,"title":834,"caption":834,"layoutMode":62,"file":835},{"id":378},"What a web proxy sees when analyzing a network request for a modern phishing page — this is meant to show you that a fake Microsoft login page was rendered.",{"url":836,"width":837,"height":838},"https://images.ctfassets.net/y1cdw1ablpvd/1dqlvz1plkQ78fSfXkQPoC/ddbc9ddec94672f10a33e483b11f0da4/2.png",1776,1780,{"sys":840,"__typename":841,"type":842,"ctaText":843,"buttonLabel":844,"buttonColour":845,"buttonUrl":846},{"id":414},"CtaWidget","Custom","Learn more about how phishing attacks have evolved and why they're so effective at evading detection controls.","Get the Whitepaper","sunny orange","https://pushsecurity.com/resources/phishing-evolution",{"sys":848,"__typename":826,"title":849,"caption":849,"layoutMode":62,"file":850},{"id":584},"Google Sites page styled to look like a private equity fund opportunity.",{"url":851,"width":852,"height":853},"https://images.ctfassets.net/y1cdw1ablpvd/1HGAL4CypIZ0BRlUT3jn74/b9f6144ee6d3c4b93868ff0b3236a3e8/Group_555.png",3444,2066,{"sys":855,"__typename":826,"title":856,"caption":856,"layoutMode":62,"file":857},{"id":590},"The AitM phishing page presented as a standard Google login page.",{"url":858,"width":830,"height":859},"https://images.ctfassets.net/y1cdw1ablpvd/5SgufpH8y8W1GunlFzkVDp/68d702ffb904b2e5732b8fecfdda3b37/image5.png",1200,{"sys":861,"__typename":826,"title":862,"caption":863,"layoutMode":62,"file":864},{"id":673},"Onfido malicious google ad","Malicious Google ad mimicking the Onfido login page link.",{"url":865,"width":866,"height":867},"https://images.ctfassets.net/y1cdw1ablpvd/6Wo4Dnaftaq4kNp7z2Jlkb/9db5606b545d29e5f603ebf86e68756a/image7.png",877,536,{"sys":869,"__typename":826,"title":870,"caption":870,"layoutMode":62,"file":871},{"id":679},"Malicious cloned login page impersonating Onfido.",{"url":872,"width":830,"height":873},"https://images.ctfassets.net/y1cdw1ablpvd/2mAuRHATA7n4sIEZd5pM1N/2e53a5d5a43c3bc72741c2c69445efe0/6.png",1089,"json",{"items":876},[],{},"2025-09-18T00:00:00.000Z",{"items":880},[881,1456,2017],{"__typename":882,"sys":883,"content":885,"title":1438,"synopsis":1439,"hashTags":62,"publishedDate":1440,"slug":1441,"tagsCollection":1442,"authorsCollection":1452},"BlogPosts",{"id":884},"6QLonRmBzbj9h88Y7jD0LU",{"json":886},{"nodeType":818,"data":887,"content":888},{},[889,896,903,935,942,949,956,959,967,987,994,1000,1007,1013,1020,1026,1033,1039,1046,1052,1059,1066,1072,1075,1083,1103,1110,1117,1123,1141,1150,1170,1178,1196,1203,1209,1242,1250,1282,1290,1310,1316,1319,1327,1347,1353,1356,1364,1371,1378,1381,1389,1396,1403,1427,1432],{"nodeType":259,"data":890,"content":891},{},[892],{"nodeType":250,"value":893,"marks":894,"data":895},"PhaaS kits make up the vast majority of phishing sites intercepted by Push and dominate the phishing landscape, with kits like Tycoon, NakedPages, Flowerstorm, Salty2FA, and various Evilginx variations proving very popular among attackers targeting Push customers.",[],{},{"nodeType":259,"data":897,"content":898},{},[899],{"nodeType":250,"value":900,"marks":901,"data":902},"PhaaS kits are incredibly important to cybercrime because they make sophisticated and continuously evolving capabilities available to the criminal marketplace, lowering the barrier to entry for criminals running advanced phishing campaigns. This is not unique to phishing: Ransomware-as-a-Service, Credential Stuffing-as-a-Service, and many more for-hire tools and services exist for criminals to use for a fee. ",[],{},{"nodeType":259,"data":904,"content":905},{},[906,910,919,922,931],{"nodeType":250,"value":907,"marks":908,"data":909},"This competitive environment has fuelled attacker innovation, resulting in an environment in which MFA-bypass is table stakes, phishing-resistant authentication is being circumvented through ",[],{},{"nodeType":343,"data":911,"content":913},{"uri":912},"https://pushsecurity.com/blog/mfa-downgrade-attacks/",[914],{"nodeType":250,"value":915,"marks":916,"data":918},"downgrade attacks",[917],{"type":341},{},{"nodeType":250,"value":360,"marks":920,"data":921},[],{},{"nodeType":343,"data":923,"content":925},{"uri":924},"https://phishing-techniques.pushsecurity.com/",[926],{"nodeType":250,"value":927,"marks":928,"data":930},"detection evasion techniques",[929],{"type":341},{},{"nodeType":250,"value":932,"marks":933,"data":934}," are being used to circumvent security tools — from email scanners, to web-crawling security tools, to web proxies analyzing network traffic.",[],{},{"nodeType":259,"data":936,"content":937},{},[938],{"nodeType":250,"value":939,"marks":940,"data":941},"Recently, we’ve noticed an increase in detections relating to Sneaky2FA, which operates through a fully-featured bot on Telegram. Customers reportedly receive access to a licensed, obfuscated version of the source code and deploy it independently.",[],{},{"nodeType":259,"data":943,"content":944},{},[945],{"nodeType":250,"value":946,"marks":947,"data":948},"This makes Sneaky2FA something that can be reliably profiled and tracked due to these codebase similarities — which is what we’re actively doing at Push. ",[],{},{"nodeType":259,"data":950,"content":951},{},[952],{"nodeType":250,"value":953,"marks":954,"data":955},"Why is this relevant? Well, the latest Sneaky2FA phish we identified was pretty interesting. ",[],{},{"nodeType":286,"data":957,"content":958},{},[],{"nodeType":251,"data":960,"content":961},{},[962],{"nodeType":250,"value":963,"marks":964,"data":966},"Sneaky2FA adds BITB to its phishing toolkit",[965],{"type":248},{},{"nodeType":259,"data":968,"content":969},{},[970,974,983],{"nodeType":250,"value":971,"marks":972,"data":973},"We recently detected a Sneaky2FA server that is a bit different from the typical reverse-proxy ",[],{},{"nodeType":343,"data":975,"content":977},{"uri":976},"https://pushsecurity.com/blog/phishing-2-0-how-phishing-toolkits-are-evolving-with-aitm/",[978],{"nodeType":250,"value":979,"marks":980,"data":982},"Attacker-in-the-Middle",[981],{"type":341},{},{"nodeType":250,"value":984,"marks":985,"data":986}," site, featuring an embedded browser window that contained the actual phishing page. ",[],{},{"nodeType":259,"data":988,"content":989},{},[990],{"nodeType":250,"value":991,"marks":992,"data":993},"You can see how the page loaded below in the video below.",[],{},{"nodeType":282,"data":995,"content":999},{"target":996},{"sys":997},{"id":998,"type":279,"linkType":280},"6L6Ban2xptI1uNA8OPJQzq",[],{"nodeType":259,"data":1001,"content":1002},{},[1003],{"nodeType":250,"value":1004,"marks":1005,"data":1006},"When the URL previewdoc[.]us is first accessed, a Cloudflare Turnstile check must be completed before the page loads. ",[],{},{"nodeType":282,"data":1008,"content":1012},{"target":1009},{"sys":1010},{"id":1011,"type":279,"linkType":280},"QscI1SZ6dOpgMkrJPtqLD",[],{"nodeType":259,"data":1014,"content":1015},{},[1016],{"nodeType":250,"value":1017,"marks":1018,"data":1019},"The page then redirects to a subdomain of previewdoc[.]us, which prompts the user to “Sign in with Microsoft” in order to view a document, styled to look like Adobe Acrobat Reader. ",[],{},{"nodeType":282,"data":1021,"content":1025},{"target":1022},{"sys":1023},{"id":1024,"type":279,"linkType":280},"7pkfAQquHrA6aUnCtj74iu",[],{"nodeType":259,"data":1027,"content":1028},{},[1029],{"nodeType":250,"value":1030,"marks":1031,"data":1032},"Upon clicking ‘Sign in with Microsoft” a reverse-proxy phishing page resembling a Microsoft login form is loaded in an embedded browser, with a custom background image designed to resemble a document library. ",[],{},{"nodeType":282,"data":1034,"content":1038},{"target":1035},{"sys":1036},{"id":1037,"type":279,"linkType":280},"782tw14AqgJ9mqneVaOdHc",[],{"nodeType":259,"data":1040,"content":1041},{},[1042],{"nodeType":250,"value":1043,"marks":1044,"data":1045},"Interestingly, the pop-up window adjusts to the visitor’s OS and browser — you can see some different examples below.",[],{},{"nodeType":282,"data":1047,"content":1051},{"target":1048},{"sys":1049},{"id":1050,"type":279,"linkType":280},"6lN9agEyeQ63LDHM1kaSqX",[],{"nodeType":259,"data":1053,"content":1054},{},[1055],{"nodeType":250,"value":1056,"marks":1057,"data":1058},"Completing authentication will result in the user’s Microsoft credentials and active session being stolen by the attacker, facilitating account takeover. ",[],{},{"nodeType":259,"data":1060,"content":1061},{},[1062],{"nodeType":250,"value":1063,"marks":1064,"data":1065},"You can see the sequence of pages loaded and Push detection events in the timeline below.",[],{},{"nodeType":282,"data":1067,"content":1071},{"target":1068},{"sys":1069},{"id":1070,"type":279,"linkType":280},"1oPpha39PMiJGUaZSptx1f",[],{"nodeType":286,"data":1073,"content":1074},{},[],{"nodeType":251,"data":1076,"content":1077},{},[1078],{"nodeType":250,"value":1079,"marks":1080,"data":1082},"Why Browser-in-the-Browser?",[1081],{"type":248},{},{"nodeType":259,"data":1084,"content":1085},{},[1086,1090,1099],{"nodeType":250,"value":1087,"marks":1088,"data":1089},"BITB was first coined as a technique in 2022 by ",[],{},{"nodeType":343,"data":1091,"content":1093},{"uri":1092},"https://mrd0x.com/browser-in-the-browser-phishing-attack/",[1094],{"nodeType":250,"value":1095,"marks":1096,"data":1098},"mr.d0x",[1097],{"type":341},{},{"nodeType":250,"value":1100,"marks":1101,"data":1102},", but standard AITM phishing pages are far more frequently encountered in the wild, particularly when it comes to enterprise business targets.",[],{},{"nodeType":259,"data":1104,"content":1105},{},[1106],{"nodeType":250,"value":1107,"marks":1108,"data":1109},"BITB is principally designed to mask suspicious phishing URLs by simulating a pretty normal function of in-browser authentication — a pop-up login form. BITB phishing pages replicate the design of a pop-up window with an iframe pointing to a malicious server. ",[],{},{"nodeType":259,"data":1111,"content":1112},{},[1113],{"nodeType":250,"value":1114,"marks":1115,"data":1116},"The pop-up browser window shows a legitimate Microsoft login URL — this is in fact a fake URL that is designed to fool the user. ",[],{},{"nodeType":282,"data":1118,"content":1122},{"target":1119},{"sys":1120},{"id":1121,"type":279,"linkType":280},"7kI5PHTr9XYQJ0xVJUnUDu",[],{"nodeType":259,"data":1124,"content":1125},{},[1126,1130,1137],{"nodeType":250,"value":1127,"marks":1128,"data":1129},"This BITB example shares many of the advantages of typical reverse-proxy based phishing pages, as well as the ",[],{},{"nodeType":343,"data":1131,"content":1132},{"uri":924},[1133],{"nodeType":250,"value":927,"marks":1134,"data":1136},[1135],{"type":341},{},{"nodeType":250,"value":1138,"marks":1139,"data":1140}," that are commonly used by attackers (and baked into PhaaS kits off-the-shelf). This includes:",[],{},{"nodeType":1142,"data":1143,"content":1144},"heading-2",{},[1145],{"nodeType":250,"value":1146,"marks":1147,"data":1149},"Bot protection to defeat web scraping tools",[1148],{"type":248},{},{"nodeType":259,"data":1151,"content":1152},{},[1153,1157,1166],{"nodeType":250,"value":1154,"marks":1155,"data":1156},"Attackers are using common ",[],{},{"nodeType":343,"data":1158,"content":1160},{"uri":1159},"https://phishing-techniques.pushsecurity.com/techniques/bot-protection/",[1161],{"nodeType":250,"value":1162,"marks":1163,"data":1165},"bot protection",[1164],{"type":341},{},{"nodeType":250,"value":1167,"marks":1168,"data":1169}," technologies like CAPTCHA and Cloudflare Turnstile to prevent security bots from accessing their web pages to be able to analyse them (and therefore block pages from being automatically flagged). This requires anyone visiting the page to pass a bot check/challenge before the page can be loaded, meaning the full page cannot be analysed by automated tools. ",[],{},{"nodeType":1142,"data":1171,"content":1172},{},[1173],{"nodeType":250,"value":1174,"marks":1175,"data":1177},"Stop unwanted visitors with conditional loading",[1176],{"type":248},{},{"nodeType":259,"data":1179,"content":1180},{},[1181,1184,1192],{"nodeType":250,"value":29,"marks":1182,"data":1183},[],{},{"nodeType":343,"data":1185,"content":1186},{"uri":479},[1187],{"nodeType":250,"value":1188,"marks":1189,"data":1191},"Conditional loading",[1190],{"type":341},{},{"nodeType":250,"value":1193,"marks":1194,"data":1195}," techniques are used to prevent unwanted visitors from accessing the phishing page — reducing the chance that it is detected and flagged and extending the longevity of the phish. This often includes known security vendor IPs, VPN/proxy services, but is often used to target specific organizations (or even specific users within an organization). ",[],{},{"nodeType":259,"data":1197,"content":1198},{},[1199],{"nodeType":250,"value":1200,"marks":1201,"data":1202},"In this case, where the correct parameters are not supplied or the phishing site detects an unwanted variable, it will redirect to a benign wikibooks page. ",[],{},{"nodeType":282,"data":1204,"content":1208},{"target":1205},{"sys":1206},{"id":1207,"type":279,"linkType":280},"fN2XugiDIef8haTDapViT",[],{"nodeType":259,"data":1210,"content":1211},{},[1212,1216,1225,1229,1238],{"nodeType":250,"value":1213,"marks":1214,"data":1215},"Sneaky2FA has also been commonly observed using ",[],{},{"nodeType":343,"data":1217,"content":1219},{"uri":1218},"https://phishing-techniques.pushsecurity.com/techniques/anti-sandbox/",[1220],{"nodeType":250,"value":1221,"marks":1222,"data":1224},"anti-analysis",[1223],{"type":341},{},{"nodeType":250,"value":1226,"marks":1227,"data":1228}," techniques to detect or ",[],{},{"nodeType":343,"data":1230,"content":1232},{"uri":1231},"https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/#:~:text=Sneaky%202FA%20pages%20use%20anti,we%20identified%20as%20Sneaky%202FA",[1233],{"nodeType":250,"value":1234,"marks":1235,"data":1237},"disable browser developer tools",[1236],{"type":341},{},{"nodeType":250,"value":1239,"marks":1240,"data":1241}," to block attempts to analyse the page for malicious content. ",[],{},{"nodeType":1142,"data":1243,"content":1244},{},[1245],{"nodeType":250,"value":1246,"marks":1247,"data":1249},"Page and code obfuscation",[1248],{"type":248},{},{"nodeType":259,"data":1251,"content":1252},{},[1253,1257,1265,1269,1278],{"nodeType":250,"value":1254,"marks":1255,"data":1256},"The HTML and JavaScript of Sneaky2FA pages are ",[],{},{"nodeType":343,"data":1258,"content":1259},{"uri":350},[1260],{"nodeType":250,"value":1261,"marks":1262,"data":1264},"heavily obfuscated",[1263],{"type":341},{},{"nodeType":250,"value":1266,"marks":1267,"data":1268}," to evade static detection and pattern-matching, ",[],{},{"nodeType":343,"data":1270,"content":1272},{"uri":1271},"https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/#:~:text=,%E2%80%9CNo%20account%3F%E2%80%9D%20and%20%E2%80%9CSign%20in%E2%80%9D",[1273],{"nodeType":250,"value":1274,"marks":1275,"data":1277},"such as",[1276],{"type":341},{},{"nodeType":250,"value":1279,"marks":1280,"data":1281}," breaking up UI text with invisible tags, embedding background and interface elements as encoded images instead of text, and other changes that are invisible to the user, but make it hard for scanning tools to fingerprint the page. ",[],{},{"nodeType":1142,"data":1283,"content":1284},{},[1285],{"nodeType":250,"value":1286,"marks":1287,"data":1289},"Domain rotation and URL masking",[1288],{"type":248},{},{"nodeType":259,"data":1291,"content":1292},{},[1293,1297,1306],{"nodeType":250,"value":1294,"marks":1295,"data":1296},"In addition to masking the phishing site URL presented to the user via the BITB window, Sneaky2FA has been seen using ",[],{},{"nodeType":343,"data":1298,"content":1300},{"uri":1299},"https://www.centripetal.ai/threat-research/typhoon-versus-sneaky",[1301],{"nodeType":250,"value":1302,"marks":1303,"data":1305},"stealthy hosting and domain tactics",[1304],{"type":341},{},{"nodeType":250,"value":1307,"marks":1308,"data":1309},". Each campaign uses a fresh, long, randomized URL (typically a 150-character path) on a benign-looking domain (often an old or compromised site). These domains are usually short-lived: many are taken down after just a few days or weeks. Analysts have observed that Sneaky2FA domains often lie dormant or serve harmless content until right before an attack, then quickly vanish after use. This “burn-and-replace” approach makes traditional defenses (which rely on domain reputation or pattern-matching) much weaker.",[],{},{"nodeType":282,"data":1311,"content":1315},{"target":1312},{"sys":1313},{"id":1314,"type":279,"linkType":280},"6QzB0BlVC5mstXwXHvy2c3",[],{"nodeType":286,"data":1317,"content":1318},{},[],{"nodeType":251,"data":1320,"content":1321},{},[1322],{"nodeType":250,"value":1323,"marks":1324,"data":1326},"Are attackers moving to BITB? ",[1325],{"type":248},{},{"nodeType":259,"data":1328,"content":1329},{},[1330,1334,1343],{"nodeType":250,"value":1331,"marks":1332,"data":1333},"There is evidence that Sneaky2FAs shift to BITB might not be an isolated change. Raccoon0365 is another PhaaS service that has been seen utilizing BITB functionality after ",[],{},{"nodeType":343,"data":1335,"content":1337},{"uri":1336},"https://www.cloudflare.com/en-gb/threat-intelligence/research/report/cloudflare-participates-in-global-operation-to-disrupt-raccoono365/",[1338],{"nodeType":250,"value":1339,"marks":1340,"data":1342},"announcing a “BITB mini-panel”",[1341],{"type":341},{},{"nodeType":250,"value":1344,"marks":1345,"data":1346}," would be added as part of a service revamp. ",[],{},{"nodeType":282,"data":1348,"content":1352},{"target":1349},{"sys":1350},{"id":1351,"type":279,"linkType":280},"2sJUR9TVbZMU1v10Tq94Pz",[],{"nodeType":286,"data":1354,"content":1355},{},[],{"nodeType":251,"data":1357,"content":1358},{},[1359],{"nodeType":250,"value":1360,"marks":1361,"data":1363},"Conclusion",[1362],{"type":248},{},{"nodeType":259,"data":1365,"content":1366},{},[1367],{"nodeType":250,"value":1368,"marks":1369,"data":1370},"Attackers are continuously innovating their phishing techniques, particularly in the context of an increasingly professionalized PhaaS ecosystem. With identity-based attacks continuing to be the leading cause of breaches, attackers are incentivized to refine and enhance their phishing infrastructure. ",[],{},{"nodeType":259,"data":1372,"content":1373},{},[1374],{"nodeType":250,"value":1375,"marks":1376,"data":1377},"The addition of BITB, with the frequent iteration and improvement of detection evasion techniques, means that traditional security controls such as email gateways, web filters, and signature-based defenses will continue to be reliably bypassed. ",[],{},{"nodeType":286,"data":1379,"content":1380},{},[],{"nodeType":251,"data":1382,"content":1383},{},[1384],{"nodeType":250,"value":1385,"marks":1386,"data":1388},"How Push can help",[1387],{"type":248},{},{"nodeType":259,"data":1390,"content":1391},{},[1392],{"nodeType":250,"value":1393,"marks":1394,"data":1395},"Push researchers are continuously analysing and developing new detections based on the latest phishing kits and TTPs which enables us to stay two steps ahead of attackers.",[],{},{"nodeType":259,"data":1397,"content":1398},{},[1399],{"nodeType":250,"value":1400,"marks":1401,"data":1402},"Despite the various detection evasion techniques, and the use of BITB methods, Push still detected this toolkit running on the page, enabling any attack to be detected and blocked before the user could be phished. Because we can inspect the live page, we detect malicious content loaded in the browser in real time. ",[],{},{"nodeType":259,"data":1404,"content":1405},{},[1406,1409,1415,1418,1424],{"nodeType":250,"value":791,"marks":1407,"data":1408},[],{},{"nodeType":343,"data":1410,"content":1411},{"uri":794},[1412],{"nodeType":250,"value":800,"marks":1413,"data":1414},[],{},{"nodeType":250,"value":804,"marks":1416,"data":1417},[],{},{"nodeType":343,"data":1419,"content":1420},{"uri":807},[1421],{"nodeType":250,"value":813,"marks":1422,"data":1423},[],{},{"nodeType":250,"value":817,"marks":1425,"data":1426},[],{},{"nodeType":282,"data":1428,"content":1431},{"target":1429},{"sys":1430},{"id":1314,"type":279,"linkType":280},[],{"nodeType":259,"data":1433,"content":1434},{},[1435],{"nodeType":250,"value":29,"marks":1436,"data":1437},[],{},"Analyzing the latest Sneaky2FA Browser-in-the-Browser phishing page","Analyzing a BITB phishing page linked to the Sneaky2FA Phishing-as-a-Service operation. ","2025-11-18T00:00:00.000Z","analyzing-the-latest-sneaky2fa-phishing-page",{"items":1443},[1444,1448],{"sys":1445,"name":1447},{"id":1446},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1449,"name":1451},{"id":1450},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1453},[1454],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":1455},{"url":236},{"__typename":882,"sys":1457,"content":1459,"title":2003,"synopsis":2004,"hashTags":62,"publishedDate":2005,"slug":2006,"tagsCollection":2007,"authorsCollection":2013},{"id":1458},"2yEhB2gFC2TJDLquVP3cg2",{"json":1460},{"nodeType":818,"data":1461,"content":1462},{},[1463,1469,1476,1483,1490,1493,1501,1508,1528,1533,1540,1546,1553,1560,1566,1582,1587,1594,1600,1603,1611,1618,1626,1646,1653,1660,1668,1687,1695,1714,1722,1742,1747,1750,1758,1765,1810,1817,1824,1827,1835,1842,1887,1890,1898,1905,1950,1978,1985],{"nodeType":282,"data":1464,"content":1468},{"target":1465},{"sys":1466},{"id":1467,"type":279,"linkType":280},"2pi21QGUvtdsDTbZYIF5Pr",[],{"nodeType":259,"data":1470,"content":1471},{},[1472],{"nodeType":250,"value":1473,"marks":1474,"data":1475},"Push recently detected and blocked a high-risk phishing attack targeting a company executive's Google Workspace account. ",[],{},{"nodeType":259,"data":1477,"content":1478},{},[1479],{"nodeType":250,"value":1480,"marks":1481,"data":1482},"This attack demonstrated a range of advanced detection evasion techniques designed to circumvent traditional detection controls. ",[],{},{"nodeType":259,"data":1484,"content":1485},{},[1486],{"nodeType":250,"value":1487,"marks":1488,"data":1489},"Given this was a highly targeted attack against a company executive, the impact of a successful phish would have been extremely high. Push’s browser-based detection and response solution intercepted and blocked the phish in real-time, preventing the Microsoft session or credentials being captured by the attacker.",[],{},{"nodeType":286,"data":1491,"content":1492},{},[],{"nodeType":251,"data":1494,"content":1495},{},[1496],{"nodeType":250,"value":1497,"marks":1498,"data":1500},"What happened",[1499],{"type":248},{},{"nodeType":259,"data":1502,"content":1503},{},[1504],{"nodeType":250,"value":1505,"marks":1506,"data":1507},"A Push customer’s exec was targeted on LinkedIn via a direct message from another exec about an investment opportunity. The sender’s account had been compromised and used to approach high-value targets. ",[],{},{"nodeType":259,"data":1509,"content":1510},{},[1511,1515,1524],{"nodeType":250,"value":1512,"marks":1513,"data":1514},"The victim was sent a link to a basic page hosted on ",[],{},{"nodeType":343,"data":1516,"content":1518},{"uri":1517},"http://sites.google.com",[1519],{"nodeType":250,"value":1520,"marks":1521,"data":1523},"sites.google.com",[1522],{"type":341},{},{"nodeType":250,"value":1525,"marks":1526,"data":1527},", styled as a landing page for a private equity fund investment opportunity. The page had buttons to handle both Microsoft and Google users. ",[],{},{"nodeType":282,"data":1529,"content":1532},{"target":1530},{"sys":1531},{"id":584,"type":279,"linkType":280},[],{"nodeType":259,"data":1534,"content":1535},{},[1536],{"nodeType":250,"value":1537,"marks":1538,"data":1539},"Upon clicking a button, Google Search was used as a redirect before taking the victim to a second page hosted on Microsoft Dynamics. This page was styled to look like Google Drive, where the victim was prompted to enter their last name and email into the form. ",[],{},{"nodeType":282,"data":1541,"content":1545},{"target":1542},{"sys":1543},{"id":1544,"type":279,"linkType":280},"4fJ3JUdGcuRTa2Nza9QhkU",[],{"nodeType":259,"data":1547,"content":1548},{},[1549],{"nodeType":250,"value":1550,"marks":1551,"data":1552},"Upon entering their details and clicking submit, the victim was finally sent to an  Attacker-in-the-Middle (AitM) phishing page. ",[],{},{"nodeType":259,"data":1554,"content":1555},{},[1556],{"nodeType":250,"value":1557,"marks":1558,"data":1559},"To access the page, the victim had to solve a custom CAPTCHA challenge, which we’ve observed in a number of recent phishing attacks that we’ve linked to the Tycoon 2FA phishing kit.  ",[],{},{"nodeType":282,"data":1561,"content":1565},{"target":1562},{"sys":1563},{"id":1564,"type":279,"linkType":280},"4Yu36QHTzSBZSg00QpbD1o",[],{"nodeType":259,"data":1567,"content":1568},{},[1569,1573,1578],{"nodeType":250,"value":1570,"marks":1571,"data":1572},"Because the customer had configured Push’s ",[],{},{"nodeType":250,"value":1574,"marks":1575,"data":1577},"phishing tool detection control",[1576],{"type":248},{},{"nodeType":250,"value":1579,"marks":1580,"data":1581}," in block mode, the Push browser agent flagged the page as malicious to the user and prevented the attack from continuing. ",[],{},{"nodeType":282,"data":1583,"content":1586},{"target":1584},{"sys":1585},{"id":590,"type":279,"linkType":280},[],{"nodeType":259,"data":1588,"content":1589},{},[1590],{"nodeType":250,"value":1591,"marks":1592,"data":1593},"This detection was hooked by the customer’s security lake to trigger their security incident response workflow for further investigation. Push’s timelines feature ensured that the full chain of URLs accessed and actions performed on different pages could be analyzed by the security team. ",[],{},{"nodeType":282,"data":1595,"content":1599},{"target":1596},{"sys":1597},{"id":1598,"type":279,"linkType":280},"4S8J7zmi6Q5wOt9vQHUe6l",[],{"nodeType":286,"data":1601,"content":1602},{},[],{"nodeType":251,"data":1604,"content":1605},{},[1606],{"nodeType":250,"value":1607,"marks":1608,"data":1610},"Notable techniques",[1609],{"type":248},{},{"nodeType":259,"data":1612,"content":1613},{},[1614],{"nodeType":250,"value":1615,"marks":1616,"data":1617},"This attack featured a number of notable attacker techniques designed to evade common phishing detection controls. ",[],{},{"nodeType":1142,"data":1619,"content":1620},{},[1621],{"nodeType":250,"value":1622,"marks":1623,"data":1625},"Delivering the phishing lure via LinkedIn",[1624],{"type":248},{},{"nodeType":259,"data":1627,"content":1628},{},[1629,1633,1642],{"nodeType":250,"value":1630,"marks":1631,"data":1632},"Using ",[],{},{"nodeType":343,"data":1634,"content":1636},{"uri":1635},"https://phishing-techniques.pushsecurity.com/techniques/social-media/",[1637],{"nodeType":250,"value":1638,"marks":1639,"data":1641},"social media sites like LinkedIn",[1640],{"type":341},{},{"nodeType":250,"value":1643,"marks":1644,"data":1645}," to deliver a phishing message has a number of advantages for the attacker. Generally, users are less alert to phishing attempts on social platforms, particularly those like LinkedIn which are used for personal as well as work purposes. ",[],{},{"nodeType":259,"data":1647,"content":1648},{},[1649],{"nodeType":250,"value":1650,"marks":1651,"data":1652},"However, the primary benefit of delivering phishing over LinkedIn is to evade email-based detection controls. With modern email security tools conducting various stages of analysis, such as analysing the URL, attempting to inspect the page in a web sandbox, and analyzing the written content of an email for possible malicious intent, it can be easier for attackers to simply bypass email altogether. ",[],{},{"nodeType":259,"data":1654,"content":1655},{},[1656],{"nodeType":250,"value":1657,"marks":1658,"data":1659},"With modern work communications now happening over several platforms, sites like LinkedIn where users can be directly messaged by people outside the organization, but are often accessed from work devices, are a prime target. ",[],{},{"nodeType":1142,"data":1661,"content":1662},{},[1663],{"nodeType":250,"value":1664,"marks":1665,"data":1667},"Using legitimate, trusted sites to host links",[1666],{"type":248},{},{"nodeType":259,"data":1669,"content":1670},{},[1671,1675,1683],{"nodeType":250,"value":1672,"marks":1673,"data":1674},"Attackers are increasingly ",[],{},{"nodeType":343,"data":1676,"content":1677},{"uri":556},[1678],{"nodeType":250,"value":1679,"marks":1680,"data":1682},"using legitimate sites to host their phishing links",[1681],{"type":341},{},{"nodeType":250,"value":1684,"marks":1685,"data":1686}," and perform redirections. Fronting phishing attacks with pages hosted on legitimate sites, in combination with lengthy redirect chains, can make it harder for security tools which rely on analysing the initial page served to the victim. In this example, Google Sites, Google Search, and Microsoft Dynamics were used. ",[],{},{"nodeType":1142,"data":1688,"content":1689},{},[1690],{"nodeType":250,"value":1691,"marks":1692,"data":1694},"Using bot protection to defeat sandbox analysis tools",[1693],{"type":248},{},{"nodeType":259,"data":1696,"content":1697},{},[1698,1702,1710],{"nodeType":250,"value":1699,"marks":1700,"data":1701},"Email and proxy security tools rely on loading a page in a web sandbox to analyze it for properties matching their detection signatures. However, dynamic elements that require user interaction to proceed are known to break these sandboxes. The most common way of attackers doing this is by ",[],{},{"nodeType":343,"data":1703,"content":1704},{"uri":1159},[1705],{"nodeType":250,"value":1706,"marks":1707,"data":1709},"using legitimate bot protection",[1708],{"type":341},{},{"nodeType":250,"value":1711,"marks":1712,"data":1713}," technologies such as CAPTCHA and CloudFlare Turnstile. ",[],{},{"nodeType":1142,"data":1715,"content":1716},{},[1717],{"nodeType":250,"value":1718,"marks":1719,"data":1721},"Performing layered redirects at different stages",[1720],{"type":248},{},{"nodeType":259,"data":1723,"content":1724},{},[1725,1729,1738],{"nodeType":250,"value":1726,"marks":1727,"data":1728},"As already mentioned, the ",[],{},{"nodeType":343,"data":1730,"content":1732},{"uri":1731},"https://phishing-techniques.pushsecurity.com/techniques/domain-rotation-redirection/",[1733],{"nodeType":250,"value":1734,"marks":1735,"data":1737},"chain of redirects",[1736],{"type":341},{},{"nodeType":250,"value":1739,"marks":1740,"data":1741}," across different sites was particularly notable in this case (you can see this in the timeline screenshot provided above). To maximize the lifespan of a malicious domain, attackers are known to use various redirection tricks (often though legit sites that are often excluded from scanning tools). Using several redirections before serving the malicious page to break referrer-based checks that are common in proxy solutions and prevent the initial URLs seeded out from being discovered. By obfuscating the initial URL delivered to victims, and both masking and rotating the phishing URLs, it is much harder for organizations to blocklist known-bad sites effectively.",[],{},{"nodeType":282,"data":1743,"content":1746},{"target":1744},{"sys":1745},{"id":1314,"type":279,"linkType":280},[],{"nodeType":286,"data":1748,"content":1749},{},[],{"nodeType":251,"data":1751,"content":1752},{},[1753],{"nodeType":250,"value":1754,"marks":1755,"data":1757},"Indicators of Compromise",[1756],{"type":248},{},{"nodeType":259,"data":1759,"content":1760},{},[1761],{"nodeType":250,"value":1762,"marks":1763,"data":1764},"Static IoCs are of limited value in this case due to the use of disposable pages designed to be used once and then rotated. In this case, the page hosting the malicious AITM kit has now been flagged by Google after being reported. This makes blocking specific malicious subdomains hosted on otherwise legitimate sites difficult. However, we have observed a consistent pattern in the attacks identified by Push:",[],{},{"nodeType":1766,"data":1767,"content":1768},"unordered-list",{},[1769,1780,1790,1800],{"nodeType":1770,"data":1771,"content":1772},"list-item",{},[1773],{"nodeType":259,"data":1774,"content":1775},{},[1776],{"nodeType":250,"value":1777,"marks":1778,"data":1779},"Phishing lure delivered over LinkedIn",[],{},{"nodeType":1770,"data":1781,"content":1782},{},[1783],{"nodeType":259,"data":1784,"content":1785},{},[1786],{"nodeType":250,"value":1787,"marks":1788,"data":1789},"Link to sites.google.com page (e.g. sites.google.com/view/\u003CINVESTMENTCOMPANY>-ai/home)",[],{},{"nodeType":1770,"data":1791,"content":1792},{},[1793],{"nodeType":259,"data":1794,"content":1795},{},[1796],{"nodeType":250,"value":1797,"marks":1798,"data":1799},"Link to Microsoft Dynamics page (e.g. [assets-usa.mkt].dynamics.com/...)",[],{},{"nodeType":1770,"data":1801,"content":1802},{},[1803],{"nodeType":259,"data":1804,"content":1805},{},[1806],{"nodeType":250,"value":1807,"marks":1808,"data":1809},"Link to (*).sa.com phishing page",[],{},{"nodeType":259,"data":1811,"content":1812},{},[1813],{"nodeType":250,"value":1814,"marks":1815,"data":1816},"Given the targeted nature of the attack, we recommend hunting for executive-level users accessing some combination of these URLs (and variants) in a short timespan.",[],{},{"nodeType":259,"data":1818,"content":1819},{},[1820],{"nodeType":250,"value":1821,"marks":1822,"data":1823},"We also recommend informing your executive team about the rise in LinkedIn phishing attacks and the specific nature of the investment opportunity lure.",[],{},{"nodeType":286,"data":1825,"content":1826},{},[],{"nodeType":251,"data":1828,"content":1829},{},[1830],{"nodeType":250,"value":1831,"marks":1832,"data":1834},"Impact analysis",[1833],{"type":248},{},{"nodeType":259,"data":1836,"content":1837},{},[1838],{"nodeType":250,"value":1839,"marks":1840,"data":1841},"There aren’t many more valuable accounts than those belonging to your company executives. Compromising a Google Workspace account doesn’t just give the attacker access to the Workspace tenant, emails, chat, etc. — it also grants access to any accounts on downstream apps configured for SSO. The blast radius of such a compromise is pretty widespread, giving plenty of scope for further exploitation for an attacker with a clear idea of what they want to achieve. ",[],{},{"nodeType":259,"data":1843,"content":1844},{},[1845,1849,1858,1861,1870,1874,1883],{"nodeType":250,"value":1846,"marks":1847,"data":1848},"In short, stopping this attack at the earliest opportunity was a significant benefit. Even if the attack had been later stopped following the compromise and the stolen account reset, unpicking the web of potentially compromised downstream accounts that may have been accessed and backdoored by the attacker (such as by configuring stealthy persistence mechanisms like ",[],{},{"nodeType":343,"data":1850,"content":1852},{"uri":1851},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/evil_twin_integrations/description.md",[1853],{"nodeType":250,"value":1854,"marks":1855,"data":1857},"evil twin integrations",[1856],{"type":341},{},{"nodeType":250,"value":347,"marks":1859,"data":1860},[],{},{"nodeType":343,"data":1862,"content":1864},{"uri":1863},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/api_keys/description.md",[1865],{"nodeType":250,"value":1866,"marks":1867,"data":1869},"API keys",[1868],{"type":341},{},{"nodeType":250,"value":1871,"marks":1872,"data":1873}," or other ",[],{},{"nodeType":343,"data":1875,"content":1877},{"uri":1876},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[1878],{"nodeType":250,"value":1879,"marks":1880,"data":1882},"ghost login",[1881],{"type":341},{},{"nodeType":250,"value":1884,"marks":1885,"data":1886}," methods) presents a sizable overhead for the security team.     ",[],{},{"nodeType":286,"data":1888,"content":1889},{},[],{"nodeType":251,"data":1891,"content":1892},{},[1893],{"nodeType":250,"value":1894,"marks":1895,"data":1897},"Learn more about Push",[1896],{"type":248},{},{"nodeType":259,"data":1899,"content":1900},{},[1901],{"nodeType":250,"value":1902,"marks":1903,"data":1904},"Two key features played a part in this detection, which you can read more about below:",[],{},{"nodeType":1766,"data":1906,"content":1907},{},[1908,1929],{"nodeType":1770,"data":1909,"content":1910},{},[1911],{"nodeType":259,"data":1912,"content":1913},{},[1914,1917,1926],{"nodeType":250,"value":29,"marks":1915,"data":1916},[],{},{"nodeType":343,"data":1918,"content":1920},{"uri":1919},"https://pushsecurity.com/blog/detecting-and-blocking-phishing-attacks-in-the-browser/",[1921],{"nodeType":250,"value":1922,"marks":1923,"data":1925},"Phishing attack detection",[1924],{"type":341},{},{"nodeType":250,"value":29,"marks":1927,"data":1928},[],{},{"nodeType":1770,"data":1930,"content":1931},{},[1932],{"nodeType":259,"data":1933,"content":1934},{},[1935,1938,1947],{"nodeType":250,"value":29,"marks":1936,"data":1937},[],{},{"nodeType":343,"data":1939,"content":1941},{"uri":1940},"https://pushsecurity.com/blog/introducing-push-detections/",[1942],{"nodeType":250,"value":1943,"marks":1944,"data":1946},"Push detection and response capabilities inc. timeline visibility ",[1945],{"type":341},{},{"nodeType":250,"value":29,"marks":1948,"data":1949},[],{},{"nodeType":259,"data":1951,"content":1952},{},[1953,1957,1962,1966,1974],{"nodeType":250,"value":1954,"marks":1955,"data":1956},"Push doesn’t detect the redirect tricks or rely on outdated domain TI feeds. The reason we detect these attacks (which make it through all the other layers of phishing protection) is that ",[],{},{"nodeType":250,"value":1958,"marks":1959,"data":1961},"Push sees what your users see",[1960],{"type":248},{},{"nodeType":250,"value":1963,"marks":1964,"data":1965},". It doesn’t matter what ",[],{},{"nodeType":343,"data":1967,"content":1968},{"uri":924},[1969],{"nodeType":250,"value":1970,"marks":1971,"data":1973},"delivery channel or camouflage methods are used",[1972],{"type":341},{},{"nodeType":250,"value":1975,"marks":1976,"data":1977},", Push detects and blocks attacks by identifying the attack in real time, as the user loads the page in their web browser.",[],{},{"nodeType":259,"data":1979,"content":1980},{},[1981],{"nodeType":250,"value":1982,"marks":1983,"data":1984},"This isn’t all we do: Push’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks browser-based attacks like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You don’t need to wait until it all goes wrong — you can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",[],{},{"nodeType":259,"data":1986,"content":1987},{},[1988,1992,2000],{"nodeType":250,"value":1989,"marks":1990,"data":1991},"If you want to learn more about how Push helps you to detect and stop attacks in the browser, ",[],{},{"nodeType":343,"data":1993,"content":1995},{"uri":1994},"https://pushsecurity.com/demo/",[1996],{"nodeType":250,"value":813,"marks":1997,"data":1999},[1998],{"type":341},{},{"nodeType":250,"value":817,"marks":2001,"data":2002},[],{},"How Push stopped a high risk LinkedIn spear-phishing attack against a company exec","How Push saved a company exec from a sophisticated Attacker-in-the-Middle phishing attack delivered via a LinkedIn direct message.","2025-09-08T00:00:00.000Z","how-push-stopped-a-high-risk-linkedin-spear-phishing-attack",{"items":2008},[2009,2011],{"sys":2010,"name":1451},{"id":1450},{"sys":2012,"name":1447},{"id":1446},{"items":2014},[2015],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":2016},{"url":236},{"__typename":882,"sys":2018,"content":2020,"title":2599,"synopsis":2600,"hashTags":62,"publishedDate":2601,"slug":2602,"tagsCollection":2603,"authorsCollection":2609},{"id":2019},"7rVNBW6rYXnXMpI0JEwzgR",{"json":2021},{"nodeType":818,"data":2022,"content":2023},{},[2024,2031,2038,2050,2056,2063,2066,2074,2081,2087,2103,2110,2133,2140,2146,2149,2157,2190,2196,2216,2222,2241,2248,2254,2257,2265,2272,2292,2299,2319,2326,2332,2335,2343,2350,2383,2390,2397,2443,2462,2473,2480,2483,2491,2511,2518,2525,2531,2534,2542,2562,2588,2593],{"nodeType":259,"data":2025,"content":2026},{},[2027],{"nodeType":250,"value":2028,"marks":2029,"data":2030},"ClickFix attacks have skyrocketed in the last year. This social engineering attack has established itself as a key part of the modern attacker’s toolkit, tricking victims into running malicious code on their device.",[],{},{"nodeType":259,"data":2032,"content":2033},{},[2034],{"nodeType":250,"value":2035,"marks":2036,"data":2037},"As we showcased in our last webinar and at our threat briefing in London earlier this month, ClickFix is evolving fast, in terms of the web pages themselves, the delivery mechanisms by which they are sent to victims, and the nature of the payload and its execution.",[],{},{"nodeType":259,"data":2039,"content":2040},{},[2041,2045],{"nodeType":250,"value":2042,"marks":2043,"data":2044},"One particular example stood out to us in our research. ",[],{},{"nodeType":250,"value":2046,"marks":2047,"data":2049},"So, is this the most advanced ClickFix you’ve seen?",[2048],{"type":248},{},{"nodeType":282,"data":2051,"content":2055},{"target":2052},{"sys":2053},{"id":2054,"type":279,"linkType":280},"ID7VKJNOZk729P5zBOBjZ",[],{"nodeType":259,"data":2057,"content":2058},{},[2059],{"nodeType":250,"value":2060,"marks":2061,"data":2062},"Let’s break it down further.",[],{},{"nodeType":286,"data":2064,"content":2065},{},[],{"nodeType":251,"data":2067,"content":2068},{},[2069],{"nodeType":250,"value":2070,"marks":2071,"data":2073},"How ClickFix pages are evolving",[2072],{"type":248},{},{"nodeType":259,"data":2075,"content":2076},{},[2077],{"nodeType":250,"value":2078,"marks":2079,"data":2080},"The CloudFlare-based lure is a great example of how ClickFix pages themselves are evolving — and becoming increasingly convincing to users. ",[],{},{"nodeType":282,"data":2082,"content":2086},{"target":2083},{"sys":2084},{"id":2085,"type":279,"linkType":280},"4wJOgtofImjbsekyXMc5Ec",[],{"nodeType":259,"data":2088,"content":2089},{},[2090,2094,2099],{"nodeType":250,"value":2091,"marks":2092,"data":2093},"This is an incredibly slick example — ",[],{},{"nodeType":250,"value":2095,"marks":2096,"data":2098},"it almost looks like Cloudflare shipped a new kind of bot check service. ",[2097],{"type":248},{},{"nodeType":250,"value":2100,"marks":2101,"data":2102},"The embedded video, countdown timer, and counter for “users verified in the last hour” all serve to increase the sense of authenticity, and put extra pressure on the victim to complete the check. ",[],{},{"nodeType":259,"data":2104,"content":2105},{},[2106],{"nodeType":250,"value":2107,"marks":2108,"data":2109},"There are a couple of extra things happening under the hood here, too:",[],{},{"nodeType":1766,"data":2111,"content":2112},{},[2113,2123],{"nodeType":1770,"data":2114,"content":2115},{},[2116],{"nodeType":259,"data":2117,"content":2118},{},[2119],{"nodeType":250,"value":2120,"marks":2121,"data":2122},"The page is adapting to the device that you’re visiting from, serving up instructions specific to the user’s Mac (increasingly common as ClickFix expands to support different Operating Systems).",[],{},{"nodeType":1770,"data":2124,"content":2125},{},[2126],{"nodeType":259,"data":2127,"content":2128},{},[2129],{"nodeType":250,"value":2130,"marks":2131,"data":2132},"The page is automatically copying the malicious code to the user’s clipboard via JavaScript (which we see in 9/10 cases).",[],{},{"nodeType":259,"data":2134,"content":2135},{},[2136],{"nodeType":250,"value":2137,"marks":2138,"data":2139},"For the past decade or more, user awareness has focused on stopping users from clicking links in suspicious emails, downloading risky files, and entering their username and password into random websites. It hasn’t focused on opening up a program and running a command — so it’s no surprise that this kind of highly convincing page is so effective at duping victims into following the instructions. ",[],{},{"nodeType":282,"data":2141,"content":2145},{"target":2142},{"sys":2143},{"id":2144,"type":279,"linkType":280},"LiVIyGxdAaUXUfvKjD6ON",[],{"nodeType":286,"data":2147,"content":2148},{},[],{"nodeType":251,"data":2150,"content":2151},{},[2152],{"nodeType":250,"value":2153,"marks":2154,"data":2156},"How ClickFix delivery methods are evolving",[2155],{"type":248},{},{"nodeType":259,"data":2158,"content":2159},{},[2160,2164,2173,2177,2186],{"nodeType":250,"value":2161,"marks":2162,"data":2163},"There’s also the fact that this page wasn’t accessed via email. The top delivery vector for ClickFix attacks that we’ve observed is, in fact, Google Search — in the form of ",[],{},{"nodeType":343,"data":2165,"content":2167},{"uri":2166},"https://phishing-techniques.pushsecurity.com/techniques/malvertising/",[2168],{"nodeType":250,"value":2169,"marks":2170,"data":2172},"poisoned search results and malicious advertising (malvertising)",[2171],{"type":341},{},{"nodeType":250,"value":2174,"marks":2175,"data":2176},". Attackers are either taking over legitimate sites (there’s a ",[],{},{"nodeType":343,"data":2178,"content":2180},{"uri":2179},"https://www.bleepingcomputer.com/news/security/hackers-launch-mass-attacks-exploiting-outdated-wordpress-plugins/",[2181],{"nodeType":250,"value":2182,"marks":2183,"data":2185},"steady supply of website hosting and CMS vulnerabilities",[2184],{"type":341},{},{"nodeType":250,"value":2187,"marks":2188,"data":2189}," to take advantage of) or simply vibe-coding their own sites and optimizing them for various search terms. ",[],{},{"nodeType":282,"data":2191,"content":2195},{"target":2192},{"sys":2193},{"id":2194,"type":279,"linkType":280},"6N9EmH6AaN6Hr4xk6ozATR",[],{"nodeType":259,"data":2197,"content":2198},{},[2199,2203,2212],{"nodeType":250,"value":2200,"marks":2201,"data":2202},"And because most anti-phishing controls are implemented via email, by using ",[],{},{"nodeType":343,"data":2204,"content":2206},{"uri":2205},"https://pushsecurity.com/blog/why-attackers-are-moving-beyond-email-based-phishing?utm_source=thehackernews&utm_medium=sponsored-content&utm_term=article",[2207],{"nodeType":250,"value":2208,"marks":2209,"data":2211},"non-email delivery vectors, an entire layer of detection opportunity is cut out",[2210],{"type":341},{},{"nodeType":250,"value":2213,"marks":2214,"data":2215},". ",[],{},{"nodeType":282,"data":2217,"content":2221},{"target":2218},{"sys":2219},{"id":2220,"type":279,"linkType":280},"1CWsZlLFX9TS53J1uamOG8",[],{"nodeType":259,"data":2223,"content":2224},{},[2225,2229,2237],{"nodeType":250,"value":2226,"marks":2227,"data":2228},"But even when they are sent via email, ClickFix pages, like other modern phishing sites, are using a range of ",[],{},{"nodeType":343,"data":2230,"content":2232},{"uri":2231},"https://pushsecurity.com/blog/phishing-detection-evasion-launch?utm_source=thehackernews&utm_medium=sponsored-content&utm_term=article",[2233],{"nodeType":250,"value":927,"marks":2234,"data":2236},[2235],{"type":341},{},{"nodeType":250,"value":2238,"marks":2239,"data":2240}," that prevent them being flagged by security tools — from email scanners, to web-crawling security tools, to web proxies analyzing network traffic. Detection evasion mainly involves camouflaging and rotating domains to stay ahead of known-bad detections (i.e. blocklists), using bot protection to prevent analysis, and heavily obfuscating page content to stop detection signatures firing. ",[],{},{"nodeType":259,"data":2242,"content":2243},{},[2244],{"nodeType":250,"value":2245,"marks":2246,"data":2247},"Finally, because the code is copied inside the browser sandbox, typical security tools are unable to observe and flag this action as potentially malicious. This means that the last — and only — opportunity for organizations to stop ClickFix is on the endpoint, after the user has attempted to run the malicious code.",[],{},{"nodeType":282,"data":2249,"content":2253},{"target":2250},{"sys":2251},{"id":2252,"type":279,"linkType":280},"3HiqpIBWWMr5FMi3IBzXcc",[],{"nodeType":286,"data":2255,"content":2256},{},[],{"nodeType":251,"data":2258,"content":2259},{},[2260],{"nodeType":250,"value":2261,"marks":2262,"data":2264},"How ClickFix payloads are evolving",[2263],{"type":248},{},{"nodeType":259,"data":2266,"content":2267},{},[2268],{"nodeType":250,"value":2269,"marks":2270,"data":2271},"It’s not just the ClickFix page and delivery mechanisms that are evolving — the services where code is being run, and the type of payload, are also increasingly varied. ",[],{},{"nodeType":259,"data":2273,"content":2274},{},[2275,2279,2288],{"nodeType":250,"value":2276,"marks":2277,"data":2278},"While the main payloads observed by Push are mshta and PowerShell, ",[],{},{"nodeType":343,"data":2280,"content":2282},{"uri":2281},"https://mhaggis.github.io/ClickGrab/techniques.html",[2283],{"nodeType":250,"value":2284,"marks":2285,"data":2287},"attackers are abusing a wide range of LOLBINS",[2286],{"type":341},{},{"nodeType":250,"value":2289,"marks":2290,"data":2291}," targeting different services across Operating Systems.",[],{},{"nodeType":259,"data":2293,"content":2294},{},[2295],{"nodeType":250,"value":2296,"marks":2297,"data":2298},"While it is possible to disable the Win+R dialog box and limit the applications that can be run from the File Explorer address bar, it is not possible to similarly restrict users from interacting with other legitimate services to run malicious commands. ",[],{},{"nodeType":259,"data":2300,"content":2301},{},[2302,2306,2315],{"nodeType":250,"value":2303,"marks":2304,"data":2305},"Another recent example termed ",[],{},{"nodeType":343,"data":2307,"content":2309},{"uri":2308},"https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/",[2310],{"nodeType":250,"value":2311,"marks":2312,"data":2314},"cache smuggling",[2313],{"type":341},{},{"nodeType":250,"value":2316,"marks":2317,"data":2318}," was also identified by security researchers. This technique combines a ClickFix approach with JavaScript that caches a malicious file posing as a JPG. This means that the ClickFix command executes locally — effectively getting an entire zip file onto the local system without the PowerShell command needing to make any web requests.",[],{},{"nodeType":259,"data":2320,"content":2321},{},[2322],{"nodeType":250,"value":2323,"marks":2324,"data":2325},"Finally, it’s worth considering the future of ClickFix. The current attack path straddles browser and endpoint — what if it could take place entirely in the browser and evade EDR altogether? ",[],{},{"nodeType":282,"data":2327,"content":2331},{"target":2328},{"sys":2329},{"id":2330,"type":279,"linkType":280},"2rUDKawJnrmZVtxfNcSNha",[],{"nodeType":286,"data":2333,"content":2334},{},[],{"nodeType":251,"data":2336,"content":2337},{},[2338],{"nodeType":250,"value":2339,"marks":2340,"data":2342},"What’s the impact of ClickFix evolution?",[2341],{"type":248},{},{"nodeType":259,"data":2344,"content":2345},{},[2346],{"nodeType":250,"value":2347,"marks":2348,"data":2349},"To summarize:",[],{},{"nodeType":1766,"data":2351,"content":2352},{},[2353,2363,2373],{"nodeType":1770,"data":2354,"content":2355},{},[2356],{"nodeType":259,"data":2357,"content":2358},{},[2359],{"nodeType":250,"value":2360,"marks":2361,"data":2362},"ClickFix pages are becoming increasingly sophisticated, making it more likely that victims will fall for the social engineering.",[],{},{"nodeType":1770,"data":2364,"content":2365},{},[2366],{"nodeType":259,"data":2367,"content":2368},{},[2369],{"nodeType":250,"value":2370,"marks":2371,"data":2372},"ClickFix delivery is evading traditional monitoring controls at the email layer to reach victims. ",[],{},{"nodeType":1770,"data":2374,"content":2375},{},[2376],{"nodeType":259,"data":2377,"content":2378},{},[2379],{"nodeType":250,"value":2380,"marks":2381,"data":2382},"ClickFix payloads are becoming more varied and are finding new ways to evade security controls. ",[],{},{"nodeType":259,"data":2384,"content":2385},{},[2386],{"nodeType":250,"value":2387,"marks":2388,"data":2389},"This means that EDR-based interception of malware execution is the last — and only — real line of defense for most organizations, kicking in after the initial script has been run (typically acting as a stager for the real malware). ",[],{},{"nodeType":259,"data":2391,"content":2392},{},[2393],{"nodeType":250,"value":2394,"marks":2395,"data":2396},"Malware execution can and should be intercepted by EDR, but it’s not foolproof. ",[],{},{"nodeType":1766,"data":2398,"content":2399},{},[2400,2423,2433],{"nodeType":1770,"data":2401,"content":2402},{},[2403],{"nodeType":259,"data":2404,"content":2405},{},[2406,2410,2419],{"nodeType":250,"value":2407,"marks":2408,"data":2409},"Attackers are constantly ",[],{},{"nodeType":343,"data":2411,"content":2413},{"uri":2412},"https://www.infostealers.com/article/logins-zip-leverages-chromium-zero-day-stealthy-infostealer-builder-promises-99-credential-theft-in-under-12-seconds/",[2414],{"nodeType":250,"value":2415,"marks":2416,"data":2418},"developing new tools and capabilities",[2417],{"type":341},{},{"nodeType":250,"value":2420,"marks":2421,"data":2422}," to bypass EDR in the cat-and-mouse game between attackers and defenders.",[],{},{"nodeType":1770,"data":2424,"content":2425},{},[2426],{"nodeType":259,"data":2427,"content":2428},{},[2429],{"nodeType":250,"value":2430,"marks":2431,"data":2432},"Because ClickFix attacks are user initiated, context might be missing that lead to the alert being misclassified. This can mean the difference between the level of priority alert that is raised, and whether or not it is automatically blocked.",[],{},{"nodeType":1770,"data":2434,"content":2435},{},[2436],{"nodeType":259,"data":2437,"content":2438},{},[2439],{"nodeType":250,"value":2440,"marks":2441,"data":2442},"If you’re an organization that allows employees and contractors to use unmanaged BYOD devices, there’s a strong chance that there are gaps in your EDR coverage.",[],{},{"nodeType":259,"data":2444,"content":2445},{},[2446,2450,2458],{"nodeType":250,"value":2447,"marks":2448,"data":2449},"This is why attackers are doubling down. According to the ",[],{},{"nodeType":343,"data":2451,"content":2453},{"uri":2452},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[2454],{"nodeType":250,"value":2455,"marks":2456,"data":2457},"2025 Microsoft Digital Defense report",[],{},{"nodeType":250,"value":2459,"marks":2460,"data":2461},", ClickFix was the most common initial access method in the last year, accounting for 47% of attacks. That's a pretty significant stat.",[],{},{"nodeType":2463,"data":2464,"content":2465},"blockquote",{},[2466],{"nodeType":259,"data":2467,"content":2468},{},[2469],{"nodeType":250,"value":2470,"marks":2471,"data":2472},"47% of attacks started with ClickFix in the last year, according to Microsoft.",[],{},{"nodeType":259,"data":2474,"content":2475},{},[2476],{"nodeType":250,"value":2477,"marks":2478,"data":2479},"Ultimately, organizations are leaving themselves relying on a single line of defense — if the attack isn’t detected and blocked by EDR, it isn’t spotted at all. ",[],{},{"nodeType":286,"data":2481,"content":2482},{},[],{"nodeType":251,"data":2484,"content":2485},{},[2486],{"nodeType":250,"value":2487,"marks":2488,"data":2490},"Don’t gamble on a single point of failure ",[2489],{"type":248},{},{"nodeType":259,"data":2492,"content":2493},{},[2494,2498,2507],{"nodeType":250,"value":2495,"marks":2496,"data":2497},"Push Security’s latest feature, ",[],{},{"nodeType":343,"data":2499,"content":2501},{"uri":2500},"https://pushsecurity.com/blog/introducing-malicious-copy-paste-detection?utm_source=thehackernews&utm_medium=sponsored-content&utm_term=article",[2502],{"nodeType":250,"value":2503,"marks":2504,"data":2506},"malicious copy and paste detection",[2505],{"type":341},{},{"nodeType":250,"value":2508,"marks":2509,"data":2510},", tackles ClickFix-style attacks at the earliest opportunity through browser-based detection and blocking. This is a universally effective control that works regardless of the lure delivery channel, page style and structure, or the specifics of the malware type and execution.",[],{},{"nodeType":259,"data":2512,"content":2513},{},[2514],{"nodeType":250,"value":2515,"marks":2516,"data":2517},"Unlike heavy-handed DLP solutions that block copy-paste altogether, Push protects your employees without disrupting their user experience or hampering productivity.",[],{},{"nodeType":259,"data":2519,"content":2520},{},[2521],{"nodeType":250,"value":2522,"marks":2523,"data":2524},"By adding a new layer of protection in the browser, security teams can reduce the strain on their EDR and reduce the risk of host-based controls being bypassed through misconfiguration or attacker innovation. ",[],{},{"nodeType":282,"data":2526,"content":2530},{"target":2527},{"sys":2528},{"id":2529,"type":279,"linkType":280},"sALkMt8UbTZ2f34hKvGLj",[],{"nodeType":286,"data":2532,"content":2533},{},[],{"nodeType":251,"data":2535,"content":2536},{},[2537],{"nodeType":250,"value":2538,"marks":2539,"data":2541},"Learn more",[2540],{"type":248},{},{"nodeType":259,"data":2543,"content":2544},{},[2545,2549,2558],{"nodeType":250,"value":2546,"marks":2547,"data":2548},"If you want to learn more about ClickFix attacks and how they’re evolving, ",[],{},{"nodeType":343,"data":2550,"content":2552},{"uri":2551},"https://pushsecurity.com/resources/clickfix",[2553],{"nodeType":250,"value":2554,"marks":2555,"data":2557},"check out our latest webinar (now available on-demand!)",[2556],{"type":341},{},{"nodeType":250,"value":2559,"marks":2560,"data":2561}," where we dive into real-world ClickFix examples and demonstrate how ClickFix sites work under the hood. ",[],{},{"nodeType":259,"data":2563,"content":2564},{},[2565,2568,2575,2578,2585],{"nodeType":250,"value":791,"marks":2566,"data":2567},[],{},{"nodeType":343,"data":2569,"content":2570},{"uri":794},[2571],{"nodeType":250,"value":800,"marks":2572,"data":2574},[2573],{"type":341},{},{"nodeType":250,"value":804,"marks":2576,"data":2577},[],{},{"nodeType":343,"data":2579,"content":2580},{"uri":807},[2581],{"nodeType":250,"value":813,"marks":2582,"data":2584},[2583],{"type":341},{},{"nodeType":250,"value":817,"marks":2586,"data":2587},[],{},{"nodeType":282,"data":2589,"content":2592},{"target":2590},{"sys":2591},{"id":2144,"type":279,"linkType":280},[],{"nodeType":259,"data":2594,"content":2595},{},[2596],{"nodeType":250,"value":29,"marks":2597,"data":2598},[],{},"The most advanced ClickFix yet?","Breaking down the most sophisticated ClickFix page we’ve seen in the wild — and what it tells us about the future of malicious copy-and-paste attacks. ","2025-11-06T00:00:00.000Z","the-most-advanced-clickfix-yet",{"items":2604},[2605,2607],{"sys":2606,"name":1451},{"id":1450},{"sys":2608,"name":1447},{"id":1446},{"items":2610},[2611],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":2612},{"url":236},"why-attackers-are-moving-beyond-email-based-phishing","blog/why-attackers-are-moving-beyond-email-based-phishing",{"json":2616},{"data":2617,"content":2618,"nodeType":818},{},[2619],{"data":2620,"content":2621,"nodeType":259},{},[2622],{"data":2623,"marks":2624,"value":2625,"nodeType":250},{},[],"Attackers are increasingly sending phishing links over non-email delivery channels like social media, instant messaging apps, and malicious search engine ads. In this article, we explore why phishing attacks are moving away from exclusively email-based delivery, and what this means for security teams. ","Why phishing attacks are moving away from exclusively email-based delivery, and what this means for security teams. \n",{"id":2628,"publishedAt":2629},"4wtqKNN8D4tvbICAQ17L1Z","2025-11-18T09:33:14.463Z",{"items":2631},[2632,2634],{"sys":2633,"name":1447},{"id":1446},{"sys":2635,"name":1451},{"id":1450},"Ka-1iRlWyG73GyosHT-BBeQpgGM_suzTsF8pvNQueIc",1784196724065]