[{"data":1,"prerenderedAt":4341},["ShallowReactive",2],{"application-flags":3,"browser-identity-attacks-techniques":7,"navbar":4126,"always-visible-banner":4153,"navbar-about-highlight":4223,"navbar-resource-highlight":4297},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8,95,158,215,313,373,442,507,599,645,710,804,905,1002,1066,1137,1249,1350,1414,1470,1536,1631,1738,1820,1924,2053,2126,2234,2308,2380,2444,2557,2658,2724,2792,2853,2942,3036,3102,3197,3262,3356,3449,3569,3638,3703,3776,3830,3927,4000,4056],{"id":9,"title":10,"body":11,"description":21,"examples":80,"extension":83,"githubDir":84,"meta":85,"name":10,"navigation":86,"path":87,"references":88,"seo":89,"slug":17,"stem":90,"summaryHtml":91,"tactics":92,"techniqueId":93,"__hash__":94},"browserIdentityAttacksTechniques/techniques/abuse_existing_oauth_integrations/description.md","Abuse existing OAuth integrations",{"type":12,"value":13,"toc":72},"minimark",[14,18,22,27,37,41,44,47,55,59,68],[15,16,10],"h1",{"id":17},"abuse-existing-oauth-integrations",[19,20,21],"p",{},"ID: SAT1001",[23,24,26],"h2",{"id":25},"tactics","Tactics",[28,29,30,34],"ul",{},[31,32,33],"li",{},"Privilege Escalation",[31,35,36],{},"Lateral Movement",[23,38,40],{"id":39},"summary","Summary",[19,42,43],{},"Some SaaS apps allow OAuth integrations to other apps, which allow the app to gain access to certain data and additional functionality. If an adversary compromises an SaaS account  integrated with other apps, they can escalate privileges and move laterally to other apps.",[19,45,46],{},"To abuse apps with existing integrations, that app must expose some usable functionality though the integration back to the user. As an example, an integration with email access scopes, but which does not actually display emails to the user (of the integration) is not very useful to the adversary.",[19,48,49,50,54],{},"The challenge then is to identify apps that an employee is using that are both likely to have existing integrations, and expose offensively useful functionality through those integrations. Typical apps that fit this bill are workflow automation apps (see ",[51,52,53],"span",{},"Shadow automations",") which provide highly flexible integrations. Many sales and marketing apps that integrate with email would grant an adversary effective “webmail” access to integrated mailboxes.",[23,56,58],{"id":57},"examples","Examples",[28,60,61],{},[31,62,63],{},[64,65,67],"a",{"href":66},"examples/zapier","Zapier",[23,69,71],{"id":70},"references","References",{"title":73,"searchDepth":74,"depth":74,"links":75},"",2,[76,77,78,79],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[81],{"text":67,"url":82},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/abuse_existing_oauth_integrations/examples/zapier.md","md","abuse_existing_oauth_integrations",{},true,"/techniques/abuse_existing_oauth_integrations/description",[],{"title":10,"description":21},"techniques/abuse_existing_oauth_integrations/description","\u003Cp>Some SaaS apps allow OAuth integrations to other apps, which allow the app to gain access to certain data and additional functionality. If an adversary compromises an SaaS account  integrated with other apps, they can escalate privileges and move laterally to other apps.\u003C/p>\n\u003Cp>To abuse apps with existing integrations, that app must expose some usable functionality though the integration back to the user. As an example, an integration with email access scopes, but which does not actually display emails to the user (of the integration) is not very useful to the adversary.\u003C/p>\n\u003Cp>The challenge then is to identify apps that an employee is using that are both likely to have existing integrations, and expose offensively useful functionality through those integrations. Typical apps that fit this bill are workflow automation apps (see [Shadow automations]) which provide highly flexible integrations. Many sales and marketing apps that integrate with email would grant an adversary effective “webmail” access to integrated mailboxes.\u003C/p>\n",[33,36],"SAT1001","h5PVCBllmz4Dd-AGaRfNnsHwWoWbplOZofmlnMsTsVA",{"id":96,"title":97,"body":98,"description":105,"examples":145,"extension":83,"githubDir":148,"meta":149,"name":97,"navigation":86,"path":150,"references":151,"seo":152,"slug":102,"stem":153,"summaryHtml":154,"tactics":155,"techniqueId":156,"__hash__":157},"browserIdentityAttacksTechniques/techniques/account_ambushing/description.md","Account ambushing",{"type":12,"value":99,"toc":139},[100,103,106,108,113,115,118,121,124,127,129,137],[15,101,97],{"id":102},"account-ambushing",[19,104,105],{},"ID: SAT1002",[23,107,26],{"id":25},[28,109,110],{},[31,111,112],{},"Initial Access",[23,114,40],{"id":39},[19,116,117],{},"Many SaaS apps have features that can be used to effectively backdoor an account, such as the ability to configure multiple login methods or create API keys to access the account programmatically. This makes it possible for an adversary to backdoor user accounts before they are first used by the legitimate user.",[19,119,120],{},"As some apps do not perform email verification during registration, it is often possible for an adversary to sign up for accounts using the potential target user’s email address.",[19,122,123],{},"When the real user attempts to sign up for the app, it will usually produce an error saying the account is already registered and prompt them to recover the account.",[19,125,126],{},"In such cases, the only way for the user to gain access to the app is to perform a password reset. If they do not discover the backdoor methods used by the adversary then the adversary will maintain access to their account and any sensitive data added to the app going forward.",[23,128,58],{"id":57},[28,130,131],{},[31,132,133],{},[64,134,136],{"href":135},"examples/ifttt","IFTTT",[23,138,71],{"id":70},{"title":73,"searchDepth":74,"depth":74,"links":140},[141,142,143,144],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[146],{"text":136,"url":147},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/account_ambushing/examples/ifttt.md","account_ambushing",{},"/techniques/account_ambushing/description",[],{"title":97,"description":105},"techniques/account_ambushing/description","\u003Cp>Many SaaS apps have features that can be used to effectively backdoor an account, such as the ability to configure multiple login methods or create API keys to access the account programmatically. This makes it possible for an adversary to backdoor user accounts before they are first used by the legitimate user.\u003C/p>\n\u003Cp>As some apps do not perform email verification during registration, it is often possible for an adversary to sign up for accounts using the potential target user’s email address.\u003C/p>\n\u003Cp>When the real user attempts to sign up for the app, it will usually produce an error saying the account is already registered and prompt them to recover the account.\u003C/p>\n\u003Cp>In such cases, the only way for the user to gain access to the app is to perform a password reset. If they do not discover the backdoor methods used by the adversary then the adversary will maintain access to their account and any sensitive data added to the app going forward.\u003C/p>\n",[112],"SAT1002","6tg7-2rOJz6mYciW1P_errhgYaBpkxksKifyGErvu34",{"id":159,"title":160,"body":161,"description":168,"examples":202,"extension":83,"githubDir":205,"meta":206,"name":160,"navigation":86,"path":207,"references":208,"seo":209,"slug":165,"stem":210,"summaryHtml":211,"tactics":212,"techniqueId":213,"__hash__":214},"browserIdentityAttacksTechniques/techniques/account_recovery/description.md","Account recovery",{"type":12,"value":162,"toc":196},[163,166,169,171,175,177,180,183,186,188,194],[15,164,160],{"id":165},"account-recovery",[19,167,168],{},"ID: SAT1003",[23,170,26],{"id":25},[28,172,173],{},[31,174,36],{},[23,176,40],{"id":39},[19,178,179],{},"Most SaaS apps allow accounts to be recovered via email. This can be through the use of forgotten password functionality via the directly registered email address or via a secondary recovery email address.",[19,181,182],{},"This presents an opportunity for an adversary to laterally move to other SaaS apps if they have gained access to a user’s mailbox and then triggering an account recovery process.",[19,184,185],{},"While this may alert the user through the appearance of password reset emails, a variety of other techniques, such as mail rules or automations, can be used to capture the emails. The adversary can then delete emails automatically before the user sees them.",[23,187,58],{"id":57},[28,189,190],{},[31,191,192],{},[64,193,136],{"href":135},[23,195,71],{"id":70},{"title":73,"searchDepth":74,"depth":74,"links":197},[198,199,200,201],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[203],{"text":136,"url":204},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/account_recovery/examples/ifttt.md","account_recovery",{},"/techniques/account_recovery/description",[],{"title":160,"description":168},"techniques/account_recovery/description","\u003Cp>Most SaaS apps allow accounts to be recovered via email. This can be through the use of forgotten password functionality via the directly registered email address or via a secondary recovery email address.\u003C/p>\n\u003Cp>This presents an opportunity for an adversary to laterally move to other SaaS apps if they have gained access to a user’s mailbox and then triggering an account recovery process.\u003C/p>\n\u003Cp>While this may alert the user through the appearance of password reset emails, a variety of other techniques, such as mail rules or automations, can be used to capture the emails. The adversary can then delete emails automatically before the user sees them.\u003C/p>\n",[36],"SAT1003","-otVt6aGBKsdg42-UwGF2Npxp679fyjxHigxH2_WlGw",{"id":216,"title":217,"body":218,"description":225,"examples":297,"extension":83,"githubDir":298,"meta":299,"name":217,"navigation":86,"path":300,"references":301,"seo":307,"slug":222,"stem":308,"summaryHtml":309,"tactics":310,"techniqueId":311,"__hash__":312},"browserIdentityAttacksTechniques/techniques/aitm_phishing/description.md","AiTM Phishing",{"type":12,"value":219,"toc":291},[220,223,226,228,232,234,237,240,243,246,249,251,253],[15,221,217],{"id":222},"aitm-phishing",[19,224,225],{},"ID: SAT1042",[23,227,26],{"id":25},[28,229,230],{},[31,231,112],{},[23,233,40],{"id":39},[19,235,236],{},"Attacker-in-the-Middle (AITM) phishing is a newer variant of phishing that uses dedicated tooling to act as a web proxy between the victim and a legitimate login portal for an application the victim has access to, principally to make it easier to defeat MFA protection.",[19,238,239],{},"As MFA has become more universal, classic password harvesting focused phishing attacks have reduced in effectiveness. Typically, for a full account compromise an MFA push notification or a one-time-passcode (OTP) needs to be entered at the time of login.",[19,241,242],{},"AITM phishing solves this issue by proxying in real-time to the target login portal, making use of entered OTP codes or accepted MFA push notifications to achieve a full authenticated session. This leaves the adversary with access to both a valid password and valid session cookies they can steal and use to hijack the session.",[19,244,245],{},"Additional benefits are that it is relatively quick and easy to target a new application and, once logged-in, a victim user will see all the real data they would expect to see ordinarily (e.g. their own emails/files etc) as it is a proxy of the real application. This reduces their chances of realizing they have been compromised due to the authentic working nature of the proxied application.",[19,247,248],{},"Typical techniques to implement this involve either transparent web proxy techniques that seek to present the application with no noticeable changes (e.g. Evilginx2), or the use of desktop-control techniques to have the victim unknowingly interact with an attacker’s own browser instance (e.g. noVNC based techniques).",[23,250,58],{"id":57},[23,252,71],{"id":70},[28,254,255,263,270,277,284],{},[31,256,257],{},[64,258,262],{"href":259,"rel":260},"https://github.com/kgretzky/evilginx2",[261],"nofollow","Evilginx - AITM web proxy",[31,264,265],{},[64,266,269],{"href":267,"rel":268},"https://github.com/JoelGMSec/EvilnoVNC",[261],"EvilnoVNC - AITM noVNC proxy",[31,271,272],{},[64,273,276],{"href":274,"rel":275},"https://github.com/drk1wi/Modlishka",[261],"Modlishka- AITM web proxy",[31,278,279],{},[64,280,283],{"href":281,"rel":282},"https://github.com/muraenateam/muraena",[261],"Muraena - AITM web proxy",[31,285,286],{},[64,287,290],{"href":288,"rel":289},"https://github.com/powerseb/NoPhish",[261],"NoPhish - AITM noVNC proxy",{"title":73,"searchDepth":74,"depth":74,"links":292},[293,294,295,296],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[],"aitm_phishing",{},"/techniques/aitm_phishing/description",[302,303,304,305,306],{"text":262,"url":259},{"text":269,"url":267},{"text":276,"url":274},{"text":283,"url":281},{"text":290,"url":288},{"title":217,"description":225},"techniques/aitm_phishing/description","\u003Cp>Attacker-in-the-Middle (AITM) phishing is a newer variant of phishing that uses dedicated tooling to act as a web proxy between the victim and a legitimate login portal for an application the victim has access to, principally to make it easier to defeat MFA protection. \u003C/p>\n\u003Cp>As MFA has become more universal, classic password harvesting focused phishing attacks have reduced in effectiveness. Typically, for a full account compromise an MFA push notification or a one-time-passcode (OTP) needs to be entered at the time of login. \u003C/p>\n\u003Cp>AITM phishing solves this issue by proxying in real-time to the target login portal, making use of entered OTP codes or accepted MFA push notifications to achieve a full authenticated session. This leaves the adversary with access to both a valid password and valid session cookies they can steal and use to hijack the session. \u003C/p>\n\u003Cp>Additional benefits are that it is relatively quick and easy to target a new application and, once logged-in, a victim user will see all the real data they would expect to see ordinarily (e.g. their own emails/files etc) as it is a proxy of the real application. This reduces their chances of realizing they have been compromised due to the authentic working nature of the proxied application. \u003C/p>\n\u003Cp>Typical techniques to implement this involve either transparent web proxy techniques that seek to present the application with no noticeable changes (e.g. Evilginx2), or the use of desktop-control techniques to have the victim unknowingly interact with an attacker’s own browser instance (e.g. noVNC based techniques).\u003C/p>\n",[112],"SAT1042","nubhmuGBcveLlTWueBtc-jxrSz11ACSSDGUrjQUpxic",{"id":314,"title":315,"body":316,"description":323,"examples":360,"extension":83,"githubDir":363,"meta":364,"name":315,"navigation":86,"path":365,"references":366,"seo":367,"slug":320,"stem":368,"summaryHtml":369,"tactics":370,"techniqueId":371,"__hash__":372},"browserIdentityAttacksTechniques/techniques/api_keys/description.md","API keys",{"type":12,"value":317,"toc":354},[318,321,324,326,334,336,339,342,344,352],[15,319,315],{"id":320},"api-keys",[19,322,323],{},"ID: SAT1004",[23,325,26],{"id":25},[28,327,328,331],{},[31,329,330],{},"Persistence",[31,332,333],{},"Defense Evasion",[23,335,40],{"id":39},[19,337,338],{},"Many SaaS apps let you configure an API key to enable programmatic access. These keys generally do not expire, are not affected by password resets, are not covered by MFA, and are often not even tied to user accounts. As such, they’re an ideal persistence mechanism as they survive the deletion of a compromised account. API actions are also often logged differently to normal user access, which makes them useful for evading monitoring of sensitive actions.",[19,340,341],{},"An adversary that has compromised an account could then read existing API keys from the app settings, if the app allows this, or create a new API key.",[23,343,58],{"id":57},[28,345,346],{},[31,347,348],{},[64,349,351],{"href":350},"examples/shortcut","Shortcut",[23,353,71],{"id":70},{"title":73,"searchDepth":74,"depth":74,"links":355},[356,357,358,359],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[361],{"text":351,"url":362},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/api_keys/examples/shortcut.md","api_keys",{},"/techniques/api_keys/description",[],{"title":315,"description":323},"techniques/api_keys/description","\u003Cp>Many SaaS apps let you configure an API key to enable programmatic access. These keys generally do not expire, are not affected by password resets, are not covered by MFA, and are often not even tied to user accounts. As such, they’re an ideal persistence mechanism as they survive the deletion of a compromised account. API actions are also often logged differently to normal user access, which makes them useful for evading monitoring of sensitive actions.\u003C/p>\n\u003Cp>An adversary that has compromised an account could then read existing API keys from the app settings, if the app allows this, or create a new API key.\u003C/p>\n",[330,333],"SAT1004","SsiF0PIEn-46-CjelyeSGSMiiY4QN-FCnmBChkJQjuI",{"id":374,"title":375,"body":376,"description":383,"examples":428,"extension":83,"githubDir":431,"meta":432,"name":375,"navigation":86,"path":433,"references":434,"seo":436,"slug":380,"stem":437,"summaryHtml":438,"tactics":439,"techniqueId":440,"__hash__":441},"browserIdentityAttacksTechniques/techniques/api_secret_theft/description.md","API secret theft",{"type":12,"value":377,"toc":422},[378,381,384,386,393,395,398,401,403,411,413],[15,379,375],{"id":380},"api-secret-theft",[19,382,383],{},"ID: SAT1005",[23,385,26],{"id":25},[28,387,388,391],{},[31,389,390],{},"Credential Access",[31,392,36],{},[23,394,40],{"id":39},[19,396,397],{},"Apps that support integrations through API keys (rather than the more common OAuth integrations) will sometimes allow those keys to be read after being set. Adversaries who gain access to apps where these integrations have been created can extract these secrets and use them to laterally move to different apps or contexts.",[19,399,400],{},"In apps that don’t explicitly make these secrets readable to the user, it might be possible to leak them out of the application. This is a typical scenario for build automation or CI/CD apps where build and deployment secrets are often exposed in clear-text inside the build environment.",[23,402,58],{"id":57},[28,404,405],{},[31,406,407],{},[64,408,410],{"href":409},"examples/postman","Postman",[23,412,71],{"id":70},[28,414,415],{},[31,416,417],{},[64,418,421],{"href":419,"rel":420},"https://attack.mitre.org/techniques/T1528/",[261],"MITRE ATT&CK - Steal Application Access Token",{"title":73,"searchDepth":74,"depth":74,"links":423},[424,425,426,427],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[429],{"text":410,"url":430},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/api_secret_theft/examples/postman.md","api_secret_theft",{},"/techniques/api_secret_theft/description",[435],{"text":421,"url":419},{"title":375,"description":383},"techniques/api_secret_theft/description","\u003Cp>Apps that support integrations through API keys (rather than the more common OAuth integrations) will sometimes allow those keys to be read after being set. Adversaries who gain access to apps where these integrations have been created can extract these secrets and use them to laterally move to different apps or contexts.\u003C/p>\n\u003Cp>In apps that don’t explicitly make these secrets readable to the user, it might be possible to leak them out of the application. This is a typical scenario for build automation or CI/CD apps where build and deployment secrets are often exposed in clear-text inside the build environment.\u003C/p>\n",[390,36],"SAT1005","6hA0ilbz5pOaXEALLQIvB01AbmfFEvSnyuM_Nrg3gcY",{"id":443,"title":444,"body":445,"description":452,"examples":493,"extension":83,"githubDir":496,"meta":497,"name":444,"navigation":86,"path":498,"references":499,"seo":501,"slug":449,"stem":502,"summaryHtml":503,"tactics":504,"techniqueId":505,"__hash__":506},"browserIdentityAttacksTechniques/techniques/app_directory_lookup/description.md","App directory lookup",{"type":12,"value":446,"toc":487},[447,450,453,455,460,462,465,468,470,476,478],[15,448,444],{"id":449},"app-directory-lookup",[19,451,452],{},"ID: SAT1006",[23,454,26],{"id":25},[28,456,457],{},[31,458,459],{},"Discovery",[23,461,40],{"id":39},[19,463,464],{},"SaaS apps will generally have a user directory and often this is visible to any user of the app. It may be a direct list of all users of the app or a result of visible group memberships or similar.",[19,466,467],{},"An adversary who has gained a foothold via a SaaS app could download the list of users accessible to them in order to better target attacks against other users. Commonly, usernames or emails for users will be identical on other SaaS apps, potentially helping target users of those apps.",[23,469,58],{"id":57},[28,471,472],{},[31,473,474],{},[64,475,351],{"href":350},[23,477,71],{"id":70},[28,479,480],{},[31,481,482],{},[64,483,486],{"href":484,"rel":485},"https://attack.mitre.org/techniques/T1087/",[261],"MITRE ATT&CK - Account Discovery",{"title":73,"searchDepth":74,"depth":74,"links":488},[489,490,491,492],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[494],{"text":351,"url":495},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/app_directory_lookup/examples/shortcut.md","app_directory_lookup",{},"/techniques/app_directory_lookup/description",[500],{"text":486,"url":484},{"title":444,"description":452},"techniques/app_directory_lookup/description","\u003Cp>SaaS apps will generally have a user directory and often this is visible to any user of the app. It may be a direct list of all users of the app or a result of visible group memberships or similar.\u003C/p>\n\u003Cp>An adversary who has gained a foothold via a SaaS app could download the list of users accessible to them in order to better target attacks against other users. Commonly, usernames or emails for users will be identical on other SaaS apps, potentially helping target users of those apps.\u003C/p>\n",[459],"SAT1006","_nMlkd6KDVi9cBFaDXC55wPPZKmcXR4W-z1YPuwDa58",{"id":508,"title":509,"body":510,"description":517,"examples":585,"extension":83,"githubDir":588,"meta":589,"name":509,"navigation":86,"path":590,"references":591,"seo":593,"slug":514,"stem":594,"summaryHtml":595,"tactics":596,"techniqueId":597,"__hash__":598},"browserIdentityAttacksTechniques/techniques/app_specific_password_phishing/description.md","App-specific password phishing",{"type":12,"value":511,"toc":579},[512,515,518,520,526,528,531,534,537,545,558,560,568,570],[15,513,509],{"id":514},"app-specific-password-phishing",[19,516,517],{},"ID: SAT1050",[23,519,26],{"id":25},[28,521,522,524],{},[31,523,112],{},[31,525,330],{},[23,527,40],{"id":39},[19,529,530],{},"App-Specific password phishing is a social engineering technique where an adversary tricks a user into generating an \"app-specific password\" for their account and then sharing it with the attacker. These legacy passwords are a feature in some major SaaS providers (like Google and Apple) designed to allow older applications that do not support modern authentication (like OAuth 2.0) to access account data.",[19,532,533],{},"The attack flow typically involves a pretext where the attacker, posing as a trusted entity (e.g., tech support, a service provider), directs the user to their account's security settings. The user is then guided through the process of creating a new app-specific password and is instructed to paste this password into a form or chat window controlled by the attacker.",[19,535,536],{},"Because app-specific passwords are created by an already-authenticated user, they often bypass standard multi-factor authentication (MFA) prompts upon creation. Once the attacker possesses this password, they can gain persistent, programmatic access to the user's account data (e.g., emails, contacts, files) via APIs, often without triggering the same level of security alerts as a traditional interactive login from an unrecognized device. This makes the access stealthier and more durable than a session token, as these passwords typically remain valid until manually revoked by the user.",[19,538,539,540,544],{},"This technique is a variant of phishing that targets a specific, often overlooked, credential type. It is similar to ",[64,541,543],{"href":542},"/techniques/consent_phishing/description.md","consent phishing"," in that it abuses a legitimate feature, but it targets a direct password credential rather than an OAuth consent grant.",[19,546,547,548,552,553,557],{},"They can also be abused at the persistent phase to maintain access to a compromised account in a similar way to ",[64,549,551],{"href":550},"/techniques/ghost_logins/description.md","ghost logins"," and ",[64,554,556],{"href":555},"/techniques/api_keys/description.md","api keys",".",[23,559,58],{"id":57},[28,561,562],{},[31,563,564],{},[64,565,567],{"href":566},"/techniques/app_specific_password_phishing/examples/google.md","Google",[23,569,71],{"id":70},[28,571,572],{},[31,573,574],{},[64,575,578],{"href":576,"rel":577},"https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-targets-app-specific-passwords/",[261],"Technical blog - Russian Government-Linked Social Engineering Targets App-Specific Passwords",{"title":73,"searchDepth":74,"depth":74,"links":580},[581,582,583,584],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[586],{"text":567,"url":587},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/app_specific_password_phishing//techniques/app_specific_password_phishing/examples/google.md","app_specific_password_phishing",{},"/techniques/app_specific_password_phishing/description",[592],{"text":578,"url":576},{"title":509,"description":517},"techniques/app_specific_password_phishing/description","\u003Cp>App-Specific password phishing is a social engineering technique where an adversary tricks a user into generating an &quot;app-specific password&quot; for their account and then sharing it with the attacker. These legacy passwords are a feature in some major SaaS providers (like Google and Apple) designed to allow older applications that do not support modern authentication (like OAuth 2.0) to access account data.\u003C/p>\n\u003Cp>The attack flow typically involves a pretext where the attacker, posing as a trusted entity (e.g., tech support, a service provider), directs the user to their account&#39;s security settings. The user is then guided through the process of creating a new app-specific password and is instructed to paste this password into a form or chat window controlled by the attacker.\u003C/p>\n\u003Cp>Because app-specific passwords are created by an already-authenticated user, they often bypass standard multi-factor authentication (MFA) prompts upon creation. Once the attacker possesses this password, they can gain persistent, programmatic access to the user&#39;s account data (e.g., emails, contacts, files) via APIs, often without triggering the same level of security alerts as a traditional interactive login from an unrecognized device. This makes the access stealthier and more durable than a session token, as these passwords typically remain valid until manually revoked by the user.\u003C/p>\n\u003Cp>This technique is a variant of phishing that targets a specific, often overlooked, credential type. It is similar to \u003Ca href=\"/resources/browser-identity-attacks-matrix/consent-phishing\">consent phishing\u003C/a> in that it abuses a legitimate feature, but it targets a direct password credential rather than an OAuth consent grant.\u003C/p>\n\u003Cp>They can also be abused at the persistent phase to maintain access to a compromised account in a similar way to \u003Ca href=\"/resources/browser-identity-attacks-matrix/ghost-logins\">ghost logins\u003C/a> and \u003Ca href=\"/resources/browser-identity-attacks-matrix/api-keys\">api keys\u003C/a>.\u003C/p>\n",[112,330],"SAT1050","2oqBRr2C71x2NXSxr4gi94qlcIiCzCfhx_cghhzf-e4",{"id":600,"title":601,"body":602,"description":609,"examples":634,"extension":83,"githubDir":635,"meta":636,"name":601,"navigation":86,"path":637,"references":638,"seo":639,"slug":606,"stem":640,"summaryHtml":641,"tactics":642,"techniqueId":643,"__hash__":644},"browserIdentityAttacksTechniques/techniques/app_spraying/description.md","App spraying",{"type":12,"value":603,"toc":628},[604,607,610,612,616,618,621,624,626],[15,605,601],{"id":606},"app-spraying",[19,608,609],{},"ID: SAT1007",[23,611,26],{"id":25},[28,613,614],{},[31,615,112],{},[23,617,40],{"id":39},[19,619,620],{},"An adversary may attempt to authenticate to a SaaS account by guessing a large number of passwords. However, many apps limit the rate or number of passwords that can be guessed. If you assume a user shares passwords between SaaS apps, the set of passwords to be guessed can be split between all the apps the user has accounts for, circumventing the rate-limits on any one SaaS app.",[19,622,623],{},"This can be particularly effective against heavy SaaS users as it allows an adversary to spread the attack across a large number of SaaS apps.",[23,625,58],{"id":57},[23,627,71],{"id":70},{"title":73,"searchDepth":74,"depth":74,"links":629},[630,631,632,633],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[],"app_spraying",{},"/techniques/app_spraying/description",[],{"title":601,"description":609},"techniques/app_spraying/description","\u003Cp>An adversary may attempt to authenticate to a SaaS account by guessing a large number of passwords. However, many apps limit the rate or number of passwords that can be guessed. If you assume a user shares passwords between SaaS apps, the set of passwords to be guessed can be split between all the apps the user has accounts for, circumventing the rate-limits on any one SaaS app.\u003C/p>\n\u003Cp>This can be particularly effective against heavy SaaS users as it allows an adversary to spread the attack across a large number of SaaS apps.\u003C/p>\n",[112],"SAT1007","LIxKsmFpdfkHQ2ZcHd49JJvwP_AXrRi-IG81qUD-zbw",{"id":646,"title":647,"body":648,"description":655,"examples":697,"extension":83,"githubDir":700,"meta":701,"name":647,"navigation":86,"path":702,"references":703,"seo":704,"slug":652,"stem":705,"summaryHtml":706,"tactics":707,"techniqueId":708,"__hash__":709},"browserIdentityAttacksTechniques/techniques/automation_workflow_sharing/description.md","Automation workflow sharing",{"type":12,"value":649,"toc":691},[650,653,656,658,665,667,670,673,676,679,681,689],[15,651,647],{"id":652},"automation-workflow-sharing",[19,654,655],{},"ID: SAT1008",[23,657,26],{"id":25},[28,659,660,663],{},[31,661,662],{},"Execution",[31,664,36],{},[23,666,40],{"id":39},[19,668,669],{},"Some SaaS automation apps allow pre-configured automations to be shared with other users. These can sometimes be shared directly within the app with other app users.",[19,671,672],{},"Since automations are incredibly powerful, it is possible for an adversary to create an automation that is designed to appear safe but to backdoor it in a way that performs a malicious action on behalf of the target user. If a user does not inspect the configuration of the automation at all, the automation can be more overtly malicious.",[19,674,675],{},"However, by making complicated multi-step automations and making use of built-in logging functionality, it is possible to make automations that can easily pass a cursory examination, while still achieving the adversary’s goals.",[19,677,678],{},"This is the SaaS equivalent of convincing a user to open a malicious attachment or run an executable file.",[23,680,58],{"id":57},[28,682,683],{},[31,684,685],{},[64,686,688],{"href":687},"examples/microsoft_power_automate","Microsoft Power Automate",[23,690,71],{"id":70},{"title":73,"searchDepth":74,"depth":74,"links":692},[693,694,695,696],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[698],{"text":688,"url":699},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/automation_workflow_sharing/examples/microsoft_power_automate.md","automation_workflow_sharing",{},"/techniques/automation_workflow_sharing/description",[],{"title":647,"description":655},"techniques/automation_workflow_sharing/description","\u003Cp>Some SaaS automation apps allow pre-configured automations to be shared with other users. These can sometimes be shared directly within the app with other app users.\u003C/p>\n\u003Cp>Since automations are incredibly powerful, it is possible for an adversary to create an automation that is designed to appear safe but to backdoor it in a way that performs a malicious action on behalf of the target user. If a user does not inspect the configuration of the automation at all, the automation can be more overtly malicious.\u003C/p>\n\u003Cp>However, by making complicated multi-step automations and making use of built-in logging functionality, it is possible to make automations that can easily pass a cursory examination, while still achieving the adversary’s goals.\u003C/p>\n\u003Cp>This is the SaaS equivalent of convincing a user to open a malicious attachment or run an executable file.\u003C/p>\n",[662,36],"SAT1008","y4Fj_ri27I5ja3ANvSuBxkb35PVt1IwEXpEUZ61Cw_c",{"id":711,"title":712,"body":713,"description":720,"examples":788,"extension":83,"githubDir":793,"meta":794,"name":712,"navigation":86,"path":795,"references":796,"seo":798,"slug":717,"stem":799,"summaryHtml":800,"tactics":801,"techniqueId":802,"__hash__":803},"browserIdentityAttacksTechniques/techniques/client-side_app_spoofing/description.md","Client-side app spoofing",{"type":12,"value":714,"toc":782},[715,718,721,723,731,733,742,745,748,755,757,771,773],[15,716,712],{"id":717},"client-side-app-spoofing",[19,719,720],{},"ID: SAT1009",[23,722,26],{"id":25},[28,724,725,727,729],{},[31,726,662],{},[31,728,330],{},[31,730,333],{},[23,732,40],{"id":39},[19,734,735,736,741],{},"Some OAuth integrations intended for use by desktop or mobile clients (rather than typical SaaS-to-SaaS integrations) can be controlled by adversaries. These client integrations tend to either make use of the ",[64,737,740],{"href":738,"rel":739},"https://oauth.net/2/client-types/",[261],"public client type"," for OAuth (the correct intended flow for this scenario), or the client secret for the OAuth app is directly embedded in the code, which is not considered good security practice and can be extracted by an adversary.",[19,743,744],{},"While an adversary will generally not be able to control the reply/callback URLs to utilize these legitimate integrations in a consent phishing attack, they can perform localhost callbacks to manually consent to permissions themselves for accounts they have already compromised. This is sufficient to conduct a persistence attack to maintain long-term control of the user account, leaving the adversary with tokens they can use to maintain access.",[19,746,747],{},"The adversary can customize the level of access they would like to maintain by requesting more permissions than would be usually used for the integration.",[19,749,750,751,557],{},"This technique has the added benefit of appearing more legitimate as the OAuth integration itself will be one known to be associated with a legitimate client of some kind. If the target user already uses the client in question, it will be even more stealthy as the OAuth integration already exists - effectively an ",[64,752,754],{"href":753},"../evil_twin_integrations/description","evil twin integration",[23,756,58],{"id":57},[28,758,759,765],{},[31,760,761],{},[64,762,764],{"href":763},"examples/thunderbird","Thunderbird",[31,766,767],{},[64,768,770],{"href":769},"examples/github_vscode","GitHub VSCode extension",[23,772,71],{"id":70},[28,774,775],{},[31,776,777],{},[64,778,781],{"href":779,"rel":780},"https://pushsecurity.com/blog/maintaining-persistent-access-in-a-saas-first-world",[261],"Maintaining persistent access in a SaaS-first world",{"title":73,"searchDepth":74,"depth":74,"links":783},[784,785,786,787],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[789,791],{"text":764,"url":790},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/client-side_app_spoofing/examples/thunderbird.md",{"text":770,"url":792},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/client-side_app_spoofing/examples/github_vscode.md","client-side_app_spoofing",{},"/techniques/client-side_app_spoofing/description",[797],{"text":781,"url":779},{"title":712,"description":720},"techniques/client-side_app_spoofing/description","\u003Cp>Some OAuth integrations intended for use by desktop or mobile clients (rather than typical SaaS-to-SaaS integrations) can be controlled by adversaries. These client integrations tend to either make use of the \u003Ca href=\"https://oauth.net/2/client-types/\" target=\"_blank\" rel=\"noopener noreferrer\">public client type\u003C/a> for OAuth (the correct intended flow for this scenario), or the client secret for the OAuth app is directly embedded in the code, which is not considered good security practice and can be extracted by an adversary.\u003C/p>\n\u003Cp>While an adversary will generally not be able to control the reply/callback URLs to utilize these legitimate integrations in a consent phishing attack, they can perform localhost callbacks to manually consent to permissions themselves for accounts they have already compromised. This is sufficient to conduct a persistence attack to maintain long-term control of the user account, leaving the adversary with tokens they can use to maintain access.\u003C/p>\n\u003Cp>The adversary can customize the level of access they would like to maintain by requesting more permissions than would be usually used for the integration.\u003C/p>\n\u003Cp>This technique has the added benefit of appearing more legitimate as the OAuth integration itself will be one known to be associated with a legitimate client of some kind. If the target user already uses the client in question, it will be even more stealthy as the OAuth integration already exists - effectively an \u003Ca href=\"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/client-side_app_spoofing/../evil_twin_integrations/description.md\" target=\"_blank\" rel=\"noopener noreferrer\">evil twin integration\u003C/a>.\u003C/p>\n",[662,330,333],"SAT1009","nmxDeUCGh9YFXW9KOtpMjHs5nIWUi0LuvWbG5V_zQKM",{"id":805,"title":806,"body":807,"description":814,"examples":887,"extension":83,"githubDir":891,"meta":892,"name":806,"navigation":86,"path":893,"references":894,"seo":899,"slug":811,"stem":900,"summaryHtml":901,"tactics":902,"techniqueId":903,"__hash__":904},"browserIdentityAttacksTechniques/techniques/consent_phishing/description.md","Consent phishing",{"type":12,"value":808,"toc":881},[809,812,815,817,821,823,826,829,832,834,849,851],[15,810,806],{"id":811},"consent-phishing",[19,813,814],{},"ID: SAT1010",[23,816,26],{"id":25},[28,818,819],{},[31,820,112],{},[23,822,40],{"id":39},[19,824,825],{},"OAuth allows users to grant third-party apps permissions to access their data. Adversaries can abuse this functionality by tricking users into authorizing access for malicious OAuth apps.",[19,827,828],{},"In a consent phishing attack, an adversary sends a phishing link to a target that requests permissions to access sensitive data or permissions to perform dangerous actions. If the target grants consent for the permissions, the adversary gains that level of access over the target’s account. This level of access will bypass MFA and persist through password changes.",[19,830,831],{},"Consent phishing is most commonly associated with attacks aimed at getting access to Microsoft Azure or Google Workspace tenants. However, it has become more common for SaaS apps to implement their own OAuth-authenticated APIs and app stores that can be targeted in the same way.",[23,833,58],{"id":57},[28,835,836,842],{},[31,837,838],{},[64,839,841],{"href":840},"examples/microsoft","Microsoft",[31,843,844],{},[64,845,848],{"href":846,"rel":847},"https://www.bleepingcomputer.com/news/security/gitloker-attacks-abuse-github-notifications-to-push-malicious-oauth-apps/",[261],"GitHub",[23,850,71],{"id":70},[28,852,853,860,867,874],{},[31,854,855],{},[64,856,859],{"href":857,"rel":858},"https://www.mwrcybersec.com/decoding-consent-phishing",[261],"Decoding consent phishing - technical blog post",[31,861,862],{},[64,863,866],{"href":864,"rel":865},"https://github.com/mdsecactivebreach/o365-attack-toolkit",[261],"O365 attack toolkit - perform consent phishing attacks against O365",[31,868,869],{},[64,870,873],{"href":871,"rel":872},"https://attack.mitre.org/techniques/T1566/002/",[261],"MITRE ATT&CK - Phishing: Speakphishing Link",[31,875,876],{},[64,877,880],{"href":878,"rel":879},"https://www.bleepingcomputer.com/news/security/microsoft-disables-verified-partner-accounts-used-for-oauth-phishing/",[261],"Compromised Microsoft Partner Network accounts used for consent phishing",{"title":73,"searchDepth":74,"depth":74,"links":882},[883,884,885,886],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[888,890],{"text":841,"url":889},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/consent_phishing/examples/microsoft.md",{"text":848,"url":846},"consent_phishing",{},"/techniques/consent_phishing/description",[895,896,897,898],{"text":859,"url":857},{"text":866,"url":864},{"text":873,"url":871},{"text":880,"url":878},{"title":806,"description":814},"techniques/consent_phishing/description","\u003Cp>OAuth allows users to grant third-party apps permissions to access their data. Adversaries can abuse this functionality by tricking users into authorizing access for malicious OAuth apps.\u003C/p>\n\u003Cp>In a consent phishing attack, an adversary sends a phishing link to a target that requests permissions to access sensitive data or permissions to perform dangerous actions. If the target grants consent for the permissions, the adversary gains that level of access over the target’s account. This level of access will bypass MFA and persist through password changes.\u003C/p>\n\u003Cp>Consent phishing is most commonly associated with attacks aimed at getting access to Microsoft Azure or Google Workspace tenants. However, it has become more common for SaaS apps to implement their own OAuth-authenticated APIs and app stores that can be targeted in the same way.\u003C/p>\n",[112],"SAT1010","o0ugcmL3zGGMUx_9xiTHdIWfC3i4AYIzfA-UPpnjoBI",{"id":906,"title":907,"body":908,"description":915,"examples":988,"extension":83,"githubDir":912,"meta":991,"name":907,"navigation":86,"path":992,"references":993,"seo":996,"slug":912,"stem":997,"summaryHtml":998,"tactics":999,"techniqueId":1000,"__hash__":1001},"browserIdentityAttacksTechniques/techniques/consentfix/description.md","ConsentFix",{"type":12,"value":909,"toc":982},[910,913,916,918,924,926,929,932,940,943,946,957,959,965,967],[15,911,907],{"id":912},"consentfix",[19,914,915],{},"ID: SAT1051",[23,917,26],{"id":25},[28,919,920,922],{},[31,921,112],{},[31,923,333],{},[23,925,40],{"id":39},[19,927,928],{},"ConsentFix is a social engineering technique that combines ClickFix-style deception with OAuth authorization code theft. An adversary presents a fake verification screen — often impersonating a Cloudflare Turnstile or similar challenge — that prompts the target to sign in via a legitimate OAuth flow. The attack abuses a trusted first-party OAuth application (such as Azure CLI) to avoid consent prompts, making the login page appear entirely legitimate.",[19,930,931],{},"After the target authenticates, their browser is redirected to a redirect URI registered with the OAuth app, which generates a URL in the browser's address bar that contains an OAuth authorization code. The phishing page instructs the target to paste this URL back as part of the \"verification\" process. The attacker extracts the authorization code from the pasted URL and exchanges it for an access token, gaining full access to the target's account.",[19,933,934,935,939],{},"The original attack used a ",[936,937,938],"code",{},"localhost"," redirect URI because the browser typically shows a connection-refused error and leaves the code visible in the address bar long enough to copy. However, the technique isn't limited to localhost — any redirect URI permitted by the target OAuth app can work, provided the code remains visible long enough for the target to copy it (many legitimate redirect endpoints consume or redirect away from the code too quickly to be useful).",[19,941,942],{},"Because the target authenticates through a legitimate identity provider and no credentials or MFA tokens are ever exposed to the attacker, this technique bypasses MFA including phishing-resistant methods such as passkeys.",[19,944,945],{},"A demo video explaining how ConsentFix works is given below:",[19,947,948],{},[64,949,952],{"href":950,"rel":951},"https://www.youtube.com/watch?v=AAiiIY-Soak",[261],[953,954],"img",{"alt":955,"src":956},"demo video","https://img.youtube.com/vi/AAiiIY-Soak/0.jpg",[23,958,58],{"id":57},[28,960,961],{},[31,962,963],{},[64,964,841],{"href":840},[23,966,71],{"id":70},[28,968,969,976],{},[31,970,971],{},[64,972,975],{"href":973,"rel":974},"https://pushsecurity.com/blog/consentfix/",[261],"ConsentFix - Push Security blog",[31,977,978],{},[64,979,981],{"href":871,"rel":980},[261],"MITRE ATT&CK - Phishing: Spearphishing Link",{"title":73,"searchDepth":74,"depth":74,"links":983},[984,985,986,987],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[989],{"text":841,"url":990},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/consentfix/examples/microsoft.md",{},"/techniques/consentfix/description",[994,995],{"text":975,"url":973},{"text":981,"url":871},{"title":907,"description":915},"techniques/consentfix/description","\u003Cp>ConsentFix is a social engineering technique that combines ClickFix-style deception with OAuth authorization code theft. An adversary presents a fake verification screen — often impersonating a Cloudflare Turnstile or similar challenge — that prompts the target to sign in via a legitimate OAuth flow. The attack abuses a trusted first-party OAuth application (such as Azure CLI) to avoid consent prompts, making the login page appear entirely legitimate.\u003C/p>\n\u003Cp>After the target authenticates, their browser is redirected to a redirect URI registered with the OAuth app, which generates a URL in the browser&#39;s address bar that contains an OAuth authorization code. The phishing page instructs the target to paste this URL back as part of the &quot;verification&quot; process. The attacker extracts the authorization code from the pasted URL and exchanges it for an access token, gaining full access to the target&#39;s account.\u003C/p>\n\u003Cp>The original attack used a \u003Ccode>localhost\u003C/code> redirect URI because the browser typically shows a connection-refused error and leaves the code visible in the address bar long enough to copy. However, the technique isn&#39;t limited to localhost — any redirect URI permitted by the target OAuth app can work, provided the code remains visible long enough for the target to copy it (many legitimate redirect endpoints consume or redirect away from the code too quickly to be useful).\u003C/p>\n\u003Cp>Because the target authenticates through a legitimate identity provider and no credentials or MFA tokens are ever exposed to the attacker, this technique bypasses MFA including phishing-resistant methods such as passkeys.\u003C/p>\n\u003Cp>A demo video explaining how ConsentFix works is given below:\u003C/p>\n\u003Cp>\u003Ca href=\"https://www.youtube.com/watch?v=AAiiIY-Soak\" target=\"_blank\" rel=\"noopener noreferrer\">demo video ↗\u003C/a>\u003C/p>\n",[112,333],"SAT1051","zYCrwHXbKV3pdkW3XPc_tGOKfWo5Fzivs1ES5FEIn2s",{"id":1003,"title":1004,"body":1005,"description":1012,"examples":1054,"extension":83,"githubDir":1055,"meta":1056,"name":1004,"navigation":86,"path":1057,"references":1058,"seo":1060,"slug":1009,"stem":1061,"summaryHtml":1062,"tactics":1063,"techniqueId":1064,"__hash__":1065},"browserIdentityAttacksTechniques/techniques/credential_stuffing/description.md","Credential stuffing",{"type":12,"value":1006,"toc":1048},[1007,1010,1013,1015,1019,1021,1024,1027,1030,1035,1037,1039],[15,1008,1004],{"id":1009},"credential-stuffing",[19,1011,1012],{},"ID: SAT1011",[23,1014,26],{"id":25},[28,1016,1017],{},[31,1018,112],{},[23,1020,40],{"id":39},[19,1022,1023],{},"Credential stuffing is the re-use of stolen credentials, often from leaked password databases, in an attempt to authenticate to other apps. This is often successful due to the tendency of users to share passwords between multiple systems and accounts.",[19,1025,1026],{},"This can be particularly effective against heavy users of SaaS apps as the higher the number of systems in use, the greater the chance that a compromised password hasn’t been changed.",[19,1028,1029],{},"These attacks can be make more effective by matching personal and corporate email addresses, as well as guessing likely similar/incremental passwords.",[19,1031,1032],{},[953,1033],{"alt":1004,"src":1034},"credential_stuffing.png",[23,1036,58],{"id":57},[23,1038,71],{"id":70},[28,1040,1041],{},[31,1042,1043],{},[64,1044,1047],{"href":1045,"rel":1046},"https://attack.mitre.org/techniques/T1110/004/",[261],"MITRE ATT&CK - Brute Force: Credential Stuffing",{"title":73,"searchDepth":74,"depth":74,"links":1049},[1050,1051,1052,1053],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[],"credential_stuffing",{},"/techniques/credential_stuffing/description",[1059],{"text":1047,"url":1045},{"title":1004,"description":1012},"techniques/credential_stuffing/description","\u003Cp>Credential stuffing is the re-use of stolen credentials, often from leaked password databases, in an attempt to authenticate to other apps. This is often successful due to the tendency of users to share passwords between multiple systems and accounts.\u003C/p>\n\u003Cp>This can be particularly effective against heavy users of SaaS apps as the higher the number of systems in use, the greater the chance that a compromised password hasn’t been changed.\u003C/p>\n\u003Cp>These attacks can be make more effective by matching personal and corporate email addresses, as well as guessing likely similar/incremental passwords.\u003C/p>\n\u003Cp>\u003Ca href=\"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/credential_stuffing/credential_stuffing.png\" target=\"_blank\" rel=\"noopener noreferrer\">Credential stuffing ↗\u003C/a>\u003C/p>\n",[112],"SAT1011","-tAS9FdiLotJVH7Fdz-Nqjzocnk0FcmKLGjYgiJnXOo",{"id":1067,"title":1068,"body":1069,"description":1076,"examples":1124,"extension":83,"githubDir":1125,"meta":1126,"name":1068,"navigation":86,"path":1127,"references":1128,"seo":1131,"slug":1073,"stem":1132,"summaryHtml":1133,"tactics":1134,"techniqueId":1135,"__hash__":1136},"browserIdentityAttacksTechniques/techniques/cross-idp_impersonation/description.md","Cross-IdP Impersonation",{"type":12,"value":1070,"toc":1119},[1071,1074,1077,1079,1085,1087,1090,1101,1103],[15,1072,1068],{"id":1073},"cross-idp-impersonation",[19,1075,1076],{},"ID: SAT1047",[23,1078,26],{"id":25},[28,1080,1081,1083],{},[31,1082,112],{},[31,1084,330],{},[23,1086,40],{"id":39},[19,1088,1089],{},"Cross-IdP impersonation is when an adversary uses an account with the correct target email address but registered with an identity provider that is not in use by the target organization to authenticate to a target SaaS application. This can allow strong SSO authentication measures to be circumvented.",[19,1091,1092,1093,1097,1098,1100],{},"For example, if a target organization has ",[64,1094,1096],{"href":1095},"mailto:user@example.com","user@example.com"," email addresses and uses Microsoft Entra as their identity provider, but an attacker is able to create a ",[64,1099,1096],{"href":1095}," account with Google somehow, then they can potentially circumvent SSO logins to downstream SaaS applications by using \"Login with Google\" social logins instead of \"Login with Microsoft\" or a SAML-based SSO login. This is also affected by the configuration of the downstream SaaS application.",[23,1102,71],{"id":70},[28,1104,1105,1112],{},[31,1106,1107],{},[64,1108,1111],{"href":1109,"rel":1110},"https://pushsecurity.com/blog/a-new-class-of-phishing-verification-phishing-and-cross-idp-impersonation/",[261],"Technical blog post - Verification phishing and cross-idp impersonation",[31,1113,1114],{},[64,1115,1118],{"href":1116,"rel":1117},"https://cyberinsider.com/zendesk-vulnerability-allows-slack-takeovers-through-apple-oauth-exploit/",[261],"Zendesk vulnerability allows Slack compromise",{"title":73,"searchDepth":74,"depth":74,"links":1120},[1121,1122,1123],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":70,"depth":74,"text":71},[],"cross-idp_impersonation",{},"/techniques/cross-idp_impersonation/description",[1129,1130],{"text":1111,"url":1109},{"text":1118,"url":1116},{"title":1068,"description":1076},"techniques/cross-idp_impersonation/description","\u003Cp>Cross-IdP impersonation is when an adversary uses an account with the correct target email address but registered with an identity provider that is not in use by the target organization to authenticate to a target SaaS application. This can allow strong SSO authentication measures to be circumvented.\u003C/p>\n\u003Cp>For example, if a target organization has \u003Ca href=\"mailto:user@example.com\">&#117;&#115;&#101;&#x72;&#64;&#x65;&#x78;&#97;&#109;&#x70;&#x6c;&#x65;&#46;&#99;&#111;&#x6d;\u003C/a> email addresses and uses Microsoft Entra as their identity provider, but an attacker is able to create a \u003Ca href=\"mailto:user@example.com\">&#x75;&#x73;&#x65;&#114;&#x40;&#101;&#120;&#97;&#109;&#x70;&#x6c;&#x65;&#x2e;&#x63;&#111;&#109;\u003C/a> account with Google somehow, then they can potentially circumvent SSO logins to downstream SaaS applications by using &quot;Login with Google&quot; social logins instead of &quot;Login with Microsoft&quot; or a SAML-based SSO login. This is also affected by the configuration of the downstream SaaS application.\u003C/p>\n",[112,330],"SAT1047","u6qegvpGFGr3QLgn7j0pY79vPVG61ifilvpk1kvslaQ",{"id":1138,"title":1139,"body":1140,"description":1147,"examples":1230,"extension":83,"githubDir":1234,"meta":1235,"name":1139,"navigation":86,"path":1236,"references":1237,"seo":1243,"slug":1144,"stem":1244,"summaryHtml":1245,"tactics":1246,"techniqueId":1247,"__hash__":1248},"browserIdentityAttacksTechniques/techniques/device_code_phishing/description.md","Device code phishing",{"type":12,"value":1141,"toc":1224},[1142,1145,1148,1150,1156,1158,1161,1164,1167,1170,1173,1175,1187,1189],[15,1143,1139],{"id":1144},"device-code-phishing",[19,1146,1147],{},"ID: SAT1012",[23,1149,26],{"id":25},[28,1151,1152,1154],{},[31,1153,112],{},[31,1155,333],{},[23,1157,40],{"id":39},[19,1159,1160],{},"OAuth supports multiple different authentication flows that can be used to grant access to an app. One of these is the device authorization grant, which is intended for use with input-constrained devices, such as smart TVs and printers.",[19,1162,1163],{},"This flow operates by supplying a user with a unique code and instructing them to visit a webpage in a browser on a different device to enter the code in order to authorize the device.",[19,1165,1166],{},"This can be used by an adversary to conduct a phishing attack against a target by convincing them to visit their authentication provider website and enter a code supplied by the adversary, thereby granting access to their account.",[19,1168,1169],{},"This shares similar advantages to a consent phishing attack in that it allows access to a target's account without requiring their password or MFA tokens.",[19,1171,1172],{},"It also has other advantages in that the link the target needs to visit is a legitimate URL and there is no prompt to consent to explicit permissions beyond entering the device code and signing in. Additionally, verified apps can be impersonated in some cases.",[23,1174,58],{"id":57},[28,1176,1177,1181],{},[31,1178,1179],{},[64,1180,841],{"href":840},[31,1182,1183],{},[64,1184,848],{"href":1185,"rel":1186},"https://www.praetorian.com/blog/introducing-github-device-code-phishing/",[261],[23,1188,71],{"id":70},[28,1190,1191,1198,1205,1212,1219],{},[31,1192,1193],{},[64,1194,1197],{"href":1195,"rel":1196},"https://aadinternals.com/post/phishing/",[261],"Introducing a new phishing technique for compromising Office 365 accounts",[31,1199,1200],{},[64,1201,1204],{"href":1202,"rel":1203},"https://www.inversecos.com/2022/12/how-to-detect-malicious-oauth-device.html",[261],"How to Detect Malicious OAuth Device Code Phishing",[31,1206,1207],{},[64,1208,1211],{"href":1209,"rel":1210},"https://github.com/secureworks/PhishInSuits",[261],"PhishInSuits - a tool for device code phishing vs SMS",[31,1213,1214],{},[64,1215,1218],{"href":1216,"rel":1217},"https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code",[261],"Microsoft device code documentation",[31,1220,1221],{},[64,1222,873],{"href":871,"rel":1223},[261],{"title":73,"searchDepth":74,"depth":74,"links":1225},[1226,1227,1228,1229],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[1231,1233],{"text":841,"url":1232},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/device_code_phishing/examples/microsoft.md",{"text":848,"url":1185},"device_code_phishing",{},"/techniques/device_code_phishing/description",[1238,1239,1240,1241,1242],{"text":1197,"url":1195},{"text":1204,"url":1202},{"text":1211,"url":1209},{"text":1218,"url":1216},{"text":873,"url":871},{"title":1139,"description":1147},"techniques/device_code_phishing/description","\u003Cp>OAuth supports multiple different authentication flows that can be used to grant access to an app. One of these is the device authorization grant, which is intended for use with input-constrained devices, such as smart TVs and printers.\u003C/p>\n\u003Cp>This flow operates by supplying a user with a unique code and instructing them to visit a webpage in a browser on a different device to enter the code in order to authorize the device. \u003C/p>\n\u003Cp>This can be used by an adversary to conduct a phishing attack against a target by convincing them to visit their authentication provider website and enter a code supplied by the adversary, thereby granting access to their account.\u003C/p>\n\u003Cp>This shares similar advantages to a consent phishing attack in that it allows access to a target&#39;s account without requiring their password or MFA tokens.\u003C/p>\n\u003Cp>It also has other advantages in that the link the target needs to visit is a legitimate URL and there is no prompt to consent to explicit permissions beyond entering the device code and signing in. Additionally, verified apps can be impersonated in some cases.\u003C/p>\n",[112,333],"SAT1012","35RJdi1pt9S_w7L43T5D-Y_ZxW5XMYMIGIcoJQJXPjY",{"id":1250,"title":1251,"body":1252,"description":1259,"examples":1335,"extension":83,"githubDir":1336,"meta":1337,"name":1251,"navigation":86,"path":1338,"references":1339,"seo":1344,"slug":1256,"stem":1345,"summaryHtml":1346,"tactics":1347,"techniqueId":1348,"__hash__":1349},"browserIdentityAttacksTechniques/techniques/device_enrollment/description.md","Device Enrollment",{"type":12,"value":1253,"toc":1329},[1254,1257,1260,1262,1268,1270,1273,1276,1289,1298,1300,1302],[15,1255,1251],{"id":1256},"device-enrollment",[19,1258,1259],{},"ID: SAT1043",[23,1261,26],{"id":25},[28,1263,1264,1266],{},[31,1265,112],{},[31,1267,330],{},[23,1269,40],{"id":39},[19,1271,1272],{},"Some attack techniques result in temporary access to an account being obtained, possibly including knowledge of the account password, such as through AiTM phishing that proxies MFA codes or similar. In these situations, the ability to enroll a new device for an account can allow an adversary to maintain long-term access to the account.",[19,1274,1275],{},"Most commonly, this would be the enrollment of a new MFA device in order to allow the adversary to complete MFA challenges for future authentication. However, it could also involve enrolling adversary-controlled devices into device management software to bypass other controls.",[19,1277,1278,1279,552,1284],{},"This persistence form of device enrollment has been observed as a technique used by both ",[64,1280,1283],{"href":1281,"rel":1282},"https://www.ncsc.gov.uk/news/svr-cyber-actors-adapt-tactics-for-initial-cloud-access",[261],"APT29",[64,1285,1288],{"href":1286,"rel":1287},"https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/",[261],"Scattered Spider",[19,1290,1291,1292,1297],{},"In some cases, this can even form part of the initial access phase. For example, if compromising a dormant account using a credential stuffing attack, this may have been previously configured without MFA and newer security settings may prompt for MFA enrollment during the authentication process. In this case, the adversary will need to perform MFA device enrollment in order to successfully complete the attack and gain access to the account. This has been observed in ",[64,1293,1296],{"href":1294,"rel":1295},"https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft",[261],"attacks by APT29 against Azure"," in the past.",[23,1299,58],{"id":57},[23,1301,71],{"id":70},[28,1303,1304,1310,1316,1322],{},[31,1305,1306],{},[64,1307,1309],{"href":1281,"rel":1308},[261],"NCSC advisory on cloud attacks by APT29",[31,1311,1312],{},[64,1313,1315],{"href":1286,"rel":1314},[261],"Scattered Spider Attack Analysis - Technical Blog",[31,1317,1318],{},[64,1319,1321],{"href":1294,"rel":1320},[261],"APT29 Attack Analysis - Technical Blog",[31,1323,1324],{},[64,1325,1328],{"href":1326,"rel":1327},"https://attack.mitre.org/techniques/T1098/005/",[261],"MITRE - Account Manipulation: Device Registration",{"title":73,"searchDepth":74,"depth":74,"links":1330},[1331,1332,1333,1334],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[],"device_enrollment",{},"/techniques/device_enrollment/description",[1340,1341,1342,1343],{"text":1309,"url":1281},{"text":1315,"url":1286},{"text":1321,"url":1294},{"text":1328,"url":1326},{"title":1251,"description":1259},"techniques/device_enrollment/description","\u003Cp>Some attack techniques result in temporary access to an account being obtained, possibly including knowledge of the account password, such as through AiTM phishing that proxies MFA codes or similar. In these situations, the ability to enroll a new device for an account can allow an adversary to maintain long-term access to the account. \u003C/p>\n\u003Cp>Most commonly, this would be the enrollment of a new MFA device in order to allow the adversary to complete MFA challenges for future authentication. However, it could also involve enrolling adversary-controlled devices into device management software to bypass other controls. \u003C/p>\n\u003Cp>This persistence form of device enrollment has been observed as a technique used by both \u003Ca href=\"https://www.ncsc.gov.uk/news/svr-cyber-actors-adapt-tactics-for-initial-cloud-access\" target=\"_blank\" rel=\"noopener noreferrer\">APT29\u003C/a> and \u003Ca href=\"https://www.reliaquest.com/blog/scattered-spider-attack-analysis-account-compromise/\" target=\"_blank\" rel=\"noopener noreferrer\">Scattered Spider\u003C/a>\u003C/p>\n\u003Cp>In some cases, this can even form part of the initial access phase. For example, if compromising a dormant account using a credential stuffing attack, this may have been previously configured without MFA and newer security settings may prompt for MFA enrollment during the authentication process. In this case, the adversary will need to perform MFA device enrollment in order to successfully complete the attack and gain access to the account. This has been observed in \u003Ca href=\"https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft\" target=\"_blank\" rel=\"noopener noreferrer\">attacks by APT29 against Azure\u003C/a> in the past.\u003C/p>\n",[112,330],"SAT1043","KMvPj1L33AhsL3GQwzRsTW91JbucCBWFs_JSAEtpd6Y",{"id":1351,"title":1352,"body":1353,"description":1360,"examples":1400,"extension":83,"githubDir":1403,"meta":1404,"name":1352,"navigation":86,"path":1405,"references":1406,"seo":1408,"slug":1357,"stem":1409,"summaryHtml":1410,"tactics":1411,"techniqueId":1412,"__hash__":1413},"browserIdentityAttacksTechniques/techniques/dns_reconnaissance/description.md","DNS reconnaissance",{"type":12,"value":1354,"toc":1394},[1355,1358,1361,1363,1368,1370,1373,1375,1383,1385],[15,1356,1352],{"id":1357},"dns-reconnaissance",[19,1359,1360],{},"ID: SAT1013",[23,1362,26],{"id":25},[28,1364,1365],{},[31,1366,1367],{},"Reconnaissance",[23,1369,40],{"id":39},[19,1371,1372],{},"Some SaaS apps require ownership verification for a domain as part of the setup process. A common way to verify ownership is to publish a specific string as a DNS TXT record that the SaaS vendor can verify as proof.\nQuerying DNS TXT records can reveal which SaaS apps the target organization might be using. MX and SPF records are also useful in discovering SaaS apps used to send and receive mail for the organization.",[23,1374,58],{"id":57},[28,1376,1377],{},[31,1378,1379],{},[64,1380,1382],{"href":1381},"examples/txt_hsbc","TXT records",[23,1384,71],{"id":70},[28,1386,1387],{},[31,1388,1389],{},[64,1390,1393],{"href":1391,"rel":1392},"https://attack.mitre.org/techniques/T1590/002/",[261],"MITRE ATT&CK - DNS",{"title":73,"searchDepth":74,"depth":74,"links":1395},[1396,1397,1398,1399],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[1401],{"text":1382,"url":1402},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/dns_reconnaissance/examples/txt_hsbc.md","dns_reconnaissance",{},"/techniques/dns_reconnaissance/description",[1407],{"text":1393,"url":1391},{"title":1352,"description":1360},"techniques/dns_reconnaissance/description","\u003Cp>Some SaaS apps require ownership verification for a domain as part of the setup process. A common way to verify ownership is to publish a specific string as a DNS TXT record that the SaaS vendor can verify as proof.\nQuerying DNS TXT records can reveal which SaaS apps the target organization might be using. MX and SPF records are also useful in discovering SaaS apps used to send and receive mail for the organization.\u003C/p>\n",[1367],"SAT1013","IFMEeJAd8xLGBQLf6BHjFORduNGP7Ww4Ua7q_1DwErk",{"id":1415,"title":1416,"body":1417,"description":1424,"examples":1457,"extension":83,"githubDir":1460,"meta":1461,"name":1416,"navigation":86,"path":1462,"references":1463,"seo":1464,"slug":1421,"stem":1465,"summaryHtml":1466,"tactics":1467,"techniqueId":1468,"__hash__":1469},"browserIdentityAttacksTechniques/techniques/email_discovery/description.md","Email discovery",{"type":12,"value":1418,"toc":1451},[1419,1422,1425,1427,1431,1433,1436,1439,1441,1449],[15,1420,1416],{"id":1421},"email-discovery",[19,1423,1424],{},"ID: SAT1014",[23,1426,26],{"id":25},[28,1428,1429],{},[31,1430,459],{},[23,1432,40],{"id":39},[19,1434,1435],{},"There is generally evidence in a user’s mailbox when they are actively using a SaaS app. At a minimum, there is usually some form of welcome or verification email, if not usage notifications",[19,1437,1438],{},"Email is a prime source of discovery of other SaaS apps the target is using. If an adversary gains access to a mailbox, they may use this information to perform further attacks and move laterally to other SaaS apps the compromised user is accessing. Email is also a source of  general knowledge an adversary can use to conduct further attacks against other users in the organization.",[23,1440,58],{"id":57},[28,1442,1443],{},[31,1444,1445],{},[64,1446,1448],{"href":1447},"examples/welcome_to","Welcome to search",[23,1450,71],{"id":70},{"title":73,"searchDepth":74,"depth":74,"links":1452},[1453,1454,1455,1456],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[1458],{"text":1448,"url":1459},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/email_discovery/examples/welcome_to.md","email_discovery",{},"/techniques/email_discovery/description",[],{"title":1416,"description":1424},"techniques/email_discovery/description","\u003Cp>There is generally evidence in a user’s mailbox when they are actively using a SaaS app. At a minimum, there is usually some form of welcome or verification email, if not usage notifications\u003C/p>\n\u003Cp>Email is a prime source of discovery of other SaaS apps the target is using. If an adversary gains access to a mailbox, they may use this information to perform further attacks and move laterally to other SaaS apps the compromised user is accessing. Email is also a source of  general knowledge an adversary can use to conduct further attacks against other users in the organization.\u003C/p>\n",[459],"SAT1014","KCu6kip0g2F8xcT1NYsA2dlEGa73QzZgQZHVO2uva6w",{"id":1471,"title":1472,"body":1473,"description":1480,"examples":1523,"extension":83,"githubDir":1524,"meta":1525,"name":1472,"navigation":86,"path":1526,"references":1527,"seo":1530,"slug":1477,"stem":1531,"summaryHtml":1532,"tactics":1533,"techniqueId":1534,"__hash__":1535},"browserIdentityAttacksTechniques/techniques/email_phishing/description.md","Email phishing",{"type":12,"value":1474,"toc":1517},[1475,1478,1481,1483,1487,1489,1492,1495,1498,1500,1502],[15,1476,1472],{"id":1477},"email-phishing",[19,1479,1480],{},"ID: SAT1015",[23,1482,26],{"id":25},[28,1484,1485],{},[31,1486,112],{},[23,1488,40],{"id":39},[19,1490,1491],{},"Email phishing is the classic social engineering attack that involves an email being sent to a target user with an embedded link or malicious attachment. The email is meant to either convince the target to enter their login credentials or open a malicious attachment.",[19,1493,1494],{},"SaaS-focused phishing attacks tend to be focused on capturing credentials and MFA codes where necessary, in order to gain access to SaaS apps.",[19,1496,1497],{},"Traditionally, many organizations would have only had one web-based external endpoint, such as Outlook Web Access. Often phishing attacks would target fake OWA portals and phishing training commonly focus on such scenarios. However, there is a higher number of potential scenarios that could be convincing to a target using a large number of SaaS apps.",[23,1499,58],{"id":57},[23,1501,71],{"id":70},[28,1503,1504,1510],{},[31,1505,1506],{},[64,1507,1509],{"href":259,"rel":1508},[261],"Evilginx - MITM framework for phishing login credentials",[31,1511,1512],{},[64,1513,1516],{"href":1514,"rel":1515},"https://attack.mitre.org/techniques/T1566",[261],"MITRE ATT&CK - Phishing",{"title":73,"searchDepth":74,"depth":74,"links":1518},[1519,1520,1521,1522],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[],"email_phishing",{},"/techniques/email_phishing/description",[1528,1529],{"text":1509,"url":259},{"text":1516,"url":1514},{"title":1472,"description":1480},"techniques/email_phishing/description","\u003Cp>Email phishing is the classic social engineering attack that involves an email being sent to a target user with an embedded link or malicious attachment. The email is meant to either convince the target to enter their login credentials or open a malicious attachment.\u003C/p>\n\u003Cp>SaaS-focused phishing attacks tend to be focused on capturing credentials and MFA codes where necessary, in order to gain access to SaaS apps.\u003C/p>\n\u003Cp>Traditionally, many organizations would have only had one web-based external endpoint, such as Outlook Web Access. Often phishing attacks would target fake OWA portals and phishing training commonly focus on such scenarios. However, there is a higher number of potential scenarios that could be convincing to a target using a large number of SaaS apps.\u003C/p>\n",[112],"SAT1015","mE_1iEPPZoNc8kKiYZKYaUiwQnp3SRmUqX6m735Gsow",{"id":1537,"title":1538,"body":1539,"description":1546,"examples":1616,"extension":83,"githubDir":1619,"meta":1620,"name":1538,"navigation":86,"path":1621,"references":1622,"seo":1625,"slug":1543,"stem":1626,"summaryHtml":1627,"tactics":1628,"techniqueId":1629,"__hash__":1630},"browserIdentityAttacksTechniques/techniques/evil_twin_integrations/description.md","Evil twin integrations",{"type":12,"value":1540,"toc":1610},[1541,1544,1547,1549,1555,1557,1560,1563,1566,1574,1583,1585,1593,1595],[15,1542,1538],{"id":1543},"evil-twin-integrations",[19,1545,1546],{},"ID: SAT1016",[23,1548,26],{"id":25},[28,1550,1551,1553],{},[31,1552,330],{},[31,1554,333],{},[23,1556,40],{"id":39},[19,1558,1559],{},"OAuth apps provide a mechanism for maintaining long-term persistent access to compromised accounts that resist normal recovery actions, such as password resets. However, an in-depth investigation may lead to the discovery of OAuth integrations created by the adversary. Once these malicious integrations are deleted, the adversary would lose their persistence mechanism as soon as the access token expires (within hours or minutes).",[19,1561,1562],{},"Instead, the attacker could enumerate existing OAuth integrations the user has already granted/installed, find one that exposes useful scopes and functionality, and create a second instance or twin of that integration. These twin integrations look identical to the original integration as SaaS apps don’t display the details of the account on the other side of the integration, and are therefore unlikely to be discovered and deleted.",[19,1564,1565],{},"This attack relies on the victim having already installed or created an OAuth integration that would be useful to the attacker. Existing integrations with workflow automation / no-code automation platforms are typically the most useful, but other apps that access (and expose) sensitive data like email are common in marketing, sales and customer support tools.",[19,1567,1568,1569,1573],{},"A demo video of an attack chain combining ",[64,1570,1572],{"href":1571},"/techniques/shadow_workflows/description.md","shadow workflows"," with an evil twin integration is given below:",[19,1575,1576],{},[64,1577,1580],{"href":1578,"rel":1579},"https://www.youtube.com/watch?v=g2EITjjJH1s",[261],[953,1581],{"alt":955,"src":1582},"https://img.youtube.com/vi/g2EITjjJH1s/0.jpg",[23,1584,58],{"id":57},[28,1586,1587],{},[31,1588,1589],{},[64,1590,1592],{"href":1591},"examples/hubspot","Hubspot",[23,1594,71],{"id":70},[28,1596,1597,1603],{},[31,1598,1599],{},[64,1600,1602],{"href":779,"rel":1601},[261],"Maintaining persistent access in a SaaS-first world - Technical blog post",[31,1604,1605],{},[64,1606,1609],{"href":1607,"rel":1608},"https://pushsecurity.com/blog/nearly-invisible-attack-chain/",[261],"The shadow workflow's evil twin - Technical blog post",{"title":73,"searchDepth":74,"depth":74,"links":1611},[1612,1613,1614,1615],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[1617],{"text":1592,"url":1618},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/evil_twin_integrations/examples/hubspot.md","evil_twin_integrations",{},"/techniques/evil_twin_integrations/description",[1623,1624],{"text":1602,"url":779},{"text":1609,"url":1607},{"title":1538,"description":1546},"techniques/evil_twin_integrations/description","\u003Cp>OAuth apps provide a mechanism for maintaining long-term persistent access to compromised accounts that resist normal recovery actions, such as password resets. However, an in-depth investigation may lead to the discovery of OAuth integrations created by the adversary. Once these malicious integrations are deleted, the adversary would lose their persistence mechanism as soon as the access token expires (within hours or minutes).\u003C/p>\n\u003Cp>Instead, the attacker could enumerate existing OAuth integrations the user has already granted/installed, find one that exposes useful scopes and functionality, and create a second instance or twin of that integration. These twin integrations look identical to the original integration as SaaS apps don’t display the details of the account on the other side of the integration, and are therefore unlikely to be discovered and deleted.\u003C/p>\n\u003Cp>This attack relies on the victim having already installed or created an OAuth integration that would be useful to the attacker. Existing integrations with workflow automation / no-code automation platforms are typically the most useful, but other apps that access (and expose) sensitive data like email are common in marketing, sales and customer support tools.\u003C/p>\n\u003Cp>A demo video of an attack chain combining \u003Ca href=\"/resources/browser-identity-attacks-matrix/shadow-workflows\">shadow workflows\u003C/a> with an evil twin integration is given below:\u003C/p>\n\u003Cp>\u003Ca href=\"https://www.youtube.com/watch?v=g2EITjjJH1s\" target=\"_blank\" rel=\"noopener noreferrer\">demo video ↗\u003C/a>\u003C/p>\n",[330,333],"SAT1016","4WNwAly5tt8ppZi5EQOpuwLwgJ0u0pKl-XkNuQQS3Wc",{"id":1632,"title":1633,"body":1634,"description":1641,"examples":1719,"extension":83,"githubDir":1725,"meta":1726,"name":1633,"navigation":86,"path":1727,"references":1728,"seo":1732,"slug":1638,"stem":1733,"summaryHtml":1734,"tactics":1735,"techniqueId":1736,"__hash__":1737},"browserIdentityAttacksTechniques/techniques/ghost_logins/description.md","Ghost logins",{"type":12,"value":1635,"toc":1713},[1636,1639,1642,1644,1653,1655,1658,1661,1664,1667,1669,1688,1690],[15,1637,1633],{"id":1638},"ghost-logins",[19,1640,1641],{},"ID: SAT1017",[23,1643,26],{"id":25},[28,1645,1646,1649,1651],{},[31,1647,1648],{},"Initial access",[31,1650,330],{},[31,1652,333],{},[23,1654,40],{"id":39},[19,1656,1657],{},"A common SaaS app feature allows logins to the same account using multiple methods simultaneously – for example, a standard password-based authentication (local to the SaaS app) and an SSO mechanism, such as an OIDC social login or SAML login. This can be relevant for both initial access and persistence phases.",[19,1659,1660],{},"For initial access, it's possible users will have configured much weaker authentication mechanisms at some point. For example, a weak single-factor password before SSO was configured or a secondary/recovery address using a personal webmail account. They later migrate to strong SSO but the original methods remain active and attackers can find these weaknesses in future. This was a discussion point during the 2024 Snowflake credential breaches as local passwords were not disabled if migrating Snowflake to SAML SSO authentication.",[19,1662,1663],{},"For persistence, if an adversary gains access to a SaaS account temporarily, they can configure an alternative authentication method to maintain access to the account, alongside the legitimate user. If the user uses a social login to access the account, an adversary may be able to configure a separate username/password login to access the account or even (though much less commonly) connect a second social account that the adversary controls. This allows the adversary to maintain persistent access to the user account even in the event of password changes or MFA changes.",[19,1665,1666],{},"This attack will go unnoticed if the victim organization relies on SSO logs for auditing access to SaaS applications. The attack bypasses SSO as the login remains local to the SaaS app or, in the case of an OIDC SSO login, the adversary’s own social account.",[23,1668,58],{"id":57},[28,1670,1671,1678,1682],{},[31,1672,1673],{},[64,1674,1677],{"href":1675,"rel":1676},"https://www.youtube.com/watch?v=5yeOAM4YCAI",[261],"Snowflake",[31,1679,1680],{},[64,1681,351],{"href":350},[31,1683,1684],{},[64,1685,1687],{"href":1686},"examples/expensify","Expensify",[23,1689,71],{"id":70},[28,1691,1692,1699,1706],{},[31,1693,1694],{},[64,1695,1698],{"href":1696,"rel":1697},"https://attack.mitre.org/techniques/T1550/",[261],"MITRE ATT&CK - Use Alternate Authentication Material",[31,1700,1701],{},[64,1702,1705],{"href":1703,"rel":1704},"https://x.com/jukelennings/status/1801985628034281703",[261],"X thread explaining ghost logins with reference to Snowflake",[31,1707,1708],{},[64,1709,1712],{"href":1710,"rel":1711},"https://krebsonsecurity.com/2024/07/crooks-bypassed-googles-email-verification-to-create-workspace-accounts-access-3rd-party-services/",[261],"Google email verification flaw abused to compromise 3rd party SaaS services",{"title":73,"searchDepth":74,"depth":74,"links":1714},[1715,1716,1717,1718],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[1720,1721,1723],{"text":1677,"url":1675},{"text":351,"url":1722},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/ghost_logins/examples/shortcut.md",{"text":1687,"url":1724},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/ghost_logins/examples/expensify.md","ghost_logins",{},"/techniques/ghost_logins/description",[1729,1730,1731],{"text":1698,"url":1696},{"text":1705,"url":1703},{"text":1712,"url":1710},{"title":1633,"description":1641},"techniques/ghost_logins/description","\u003Cp>A common SaaS app feature allows logins to the same account using multiple methods simultaneously – for example, a standard password-based authentication (local to the SaaS app) and an SSO mechanism, such as an OIDC social login or SAML login. This can be relevant for both initial access and persistence phases.\u003C/p>\n\u003Cp>For initial access, it&#39;s possible users will have configured much weaker authentication mechanisms at some point. For example, a weak single-factor password before SSO was configured or a secondary/recovery address using a personal webmail account. They later migrate to strong SSO but the original methods remain active and attackers can find these weaknesses in future. This was a discussion point during the 2024 Snowflake credential breaches as local passwords were not disabled if migrating Snowflake to SAML SSO authentication.\u003C/p>\n\u003Cp>For persistence, if an adversary gains access to a SaaS account temporarily, they can configure an alternative authentication method to maintain access to the account, alongside the legitimate user. If the user uses a social login to access the account, an adversary may be able to configure a separate username/password login to access the account or even (though much less commonly) connect a second social account that the adversary controls. This allows the adversary to maintain persistent access to the user account even in the event of password changes or MFA changes.\u003C/p>\n\u003Cp>This attack will go unnoticed if the victim organization relies on SSO logs for auditing access to SaaS applications. The attack bypasses SSO as the login remains local to the SaaS app or, in the case of an OIDC SSO login, the adversary’s own social account.\u003C/p>\n",[112,330,333],"SAT1017","XoGl-bMRdHPU3N97Jo7WBbSuniJtVJ_eh2vwhWvOby0",{"id":1739,"title":1740,"body":1741,"description":1748,"examples":1805,"extension":83,"githubDir":1808,"meta":1809,"name":1740,"navigation":86,"path":1810,"references":1811,"seo":1814,"slug":1745,"stem":1815,"summaryHtml":1816,"tactics":1817,"techniqueId":1818,"__hash__":1819},"browserIdentityAttacksTechniques/techniques/guest_access_abuse/description.md","Guest Access Abuse",{"type":12,"value":1742,"toc":1799},[1743,1746,1749,1751,1755,1757,1760,1763,1765,1781,1783],[15,1744,1740],{"id":1745},"guest-access-abuse",[19,1747,1748],{},"ID: SAT1046",[23,1750,26],{"id":25},[28,1752,1753],{},[31,1754,112],{},[23,1756,40],{"id":39},[19,1758,1759],{},"In SaaS platforms like Salesforce, ServiceNow, and Zendesk, misconfigurations related to guest user permissions can lead to unauthorized data access or escalation of privileges. These platforms often allow guest/unauthenticated users limited access for specific purposes. However, if the guest access is not correctly configured, it may grant broader permissions than intended.",[19,1761,1762],{},"An attacker can exploit such misconfigurations by accessing a guest account and leveraging the excessive permissions to access or manipulate sensitive data, potentially leading to a full account takeover or data breach.",[23,1764,58],{"id":57},[28,1766,1767,1774],{},[31,1768,1769,557],{},[64,1770,1773],{"href":1771,"rel":1772},"https://arstechnica.com/information-technology/2023/04/misconfigured-servers-running-salesforce-software-are-leaking-sensitive-data/",[261],"Salesforce guest user misconfiguration allowing data access",[31,1775,1776,557],{},[64,1777,1780],{"href":1778,"rel":1779},"https://www.csoonline.com/article/572239/nearly-70-of-servicenow-instances-leaking-data.html",[261],"ServiceNow instance where guest users could access PII Data",[23,1782,71],{"id":70},[28,1784,1785,1792],{},[31,1786,1787,557],{},[64,1788,1791],{"href":1789,"rel":1790},"https://help.salesforce.com/s/articleView?id=sf.networks_public_access.htm&type=5",[261],"Give Secure Access to Unauthenticated Users with the Guest User Profile",[31,1793,1794,557],{},[64,1795,1798],{"href":1796,"rel":1797},"https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1553688",[261],"General Information | Potential Public List Widget Misconfiguration",{"title":73,"searchDepth":74,"depth":74,"links":1800},[1801,1802,1803,1804],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[1806,1807],{"text":1773,"url":1771},{"text":1780,"url":1778},"guest_access_abuse",{},"/techniques/guest_access_abuse/description",[1812,1813],{"text":1791,"url":1789},{"text":1798,"url":1796},{"title":1740,"description":1748},"techniques/guest_access_abuse/description","\u003Cp>In SaaS platforms like Salesforce, ServiceNow, and Zendesk, misconfigurations related to guest user permissions can lead to unauthorized data access or escalation of privileges. These platforms often allow guest/unauthenticated users limited access for specific purposes. However, if the guest access is not correctly configured, it may grant broader permissions than intended.\u003C/p>\n\u003Cp>An attacker can exploit such misconfigurations by accessing a guest account and leveraging the excessive permissions to access or manipulate sensitive data, potentially leading to a full account takeover or data breach.\u003C/p>\n",[112],"SAT1046","R7hNaZOQiCJvT8ZHGGb65xeNQ_K_MDpRNGAsPo6JdnU",{"id":1821,"title":1822,"body":1823,"description":1830,"examples":1908,"extension":83,"githubDir":1911,"meta":1912,"name":1822,"navigation":86,"path":1913,"references":1914,"seo":1918,"slug":1827,"stem":1919,"summaryHtml":1920,"tactics":1921,"techniqueId":1922,"__hash__":1923},"browserIdentityAttacksTechniques/techniques/hijack_oauth_flows/description.md","Hijack OAuth flows",{"type":12,"value":1824,"toc":1902},[1825,1828,1831,1833,1837,1839,1856,1859,1861,1877,1879],[15,1826,1822],{"id":1827},"hijack-oauth-flows",[19,1829,1830],{},"ID: SAT1040",[23,1832,26],{"id":25},[28,1834,1835],{},[31,1836,112],{},[23,1838,40],{"id":39},[19,1840,1841,1842,1846,1847,1849,1850,1852,1853,1855],{},"During the OAuth authorization code flow, after a user grants permission to a third-party application, the service provider generates an authorization code and redirects the user's browser back to the third-party application's specified ",[1843,1844,1845],"em",{},"redirect_uri",". This ",[1843,1848,1845],{}," is an endpoint on the third-party application's server where the authorization code will be sent. If the service provider has not been configured with an appropriately restricted allowlist of ",[1843,1851,1845],{}," values it is allowed to redirect to, an attacker could modify the ",[1843,1854,1845],{}," parameter sent during the initial authorization request to point to a malicious server they control.",[19,1857,1858],{},"This may allow an adversary to intercept the authorization code and use it to request an access token for the victim's account from the service provider. This access token can then be used to access the victim's resources without their consent.",[23,1860,58],{"id":57},[28,1862,1863,1870],{},[31,1864,1865],{},[64,1866,1869],{"href":1867,"rel":1868},"https://hackerone.com/reports/861940",[261],"HackerOne - OAuth redirect_uri bypass using IDN homograph attack resulting in user's access token leakage",[31,1871,1872],{},[64,1873,1876],{"href":1874,"rel":1875},"https://hackerone.com/reports/1861974",[261],"HackerOne - Stealing Users OAuth authorization code via redirect_uri",[23,1878,71],{"id":70},[28,1880,1881,1888,1895],{},[31,1882,1883],{},[64,1884,1887],{"href":1885,"rel":1886},"https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/05.1-Testing_for_OAuth_Authorization_Server_Weaknesses",[261],"OWASP - Testing for OAuth Authorization Server Weaknesses",[31,1889,1890],{},[64,1891,1894],{"href":1892,"rel":1893},"https://portswigger.net/web-security/oauth#leaking-authorization-codes-and-access-tokens",[261],"PortSwigger - OAuth 2.0 authentication vulnerabilities",[31,1896,1897],{},[64,1898,1901],{"href":1899,"rel":1900},"https://portswigger.net/research/hidden-oauth-attack-vectors",[261],"PortSwigger - Hidden OAuth attack vectors",{"title":73,"searchDepth":74,"depth":74,"links":1903},[1904,1905,1906,1907],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[1909,1910],{"text":1869,"url":1867},{"text":1876,"url":1874},"hijack_oauth_flows",{},"/techniques/hijack_oauth_flows/description",[1915,1916,1917],{"text":1887,"url":1885},{"text":1894,"url":1892},{"text":1901,"url":1899},{"title":1822,"description":1830},"techniques/hijack_oauth_flows/description","\u003Cp>During the OAuth authorization code flow, after a user grants permission to a third-party application, the service provider generates an authorization code and redirects the user&#39;s browser back to the third-party application&#39;s specified \u003Cem>redirect_uri\u003C/em>. This \u003Cem>redirect_uri\u003C/em> is an endpoint on the third-party application&#39;s server where the authorization code will be sent. If the service provider has not been configured with an appropriately restricted allowlist of \u003Cem>redirect_uri\u003C/em> values it is allowed to redirect to, an attacker could modify the \u003Cem>redirect_uri\u003C/em> parameter sent during the initial authorization request to point to a malicious server they control.\u003C/p>\n\u003Cp>This may allow an adversary to intercept the authorization code and use it to request an access token for the victim&#39;s account from the service provider. This access token can then be used to access the victim&#39;s resources without their consent.\u003C/p>\n",[112],"SAT1040","n3ATbYSWF1hDIj1VdFwuIOt0Wcw24DPvLotJs61MgUE",{"id":1925,"title":1926,"body":1927,"description":1934,"examples":2030,"extension":83,"githubDir":2035,"meta":2036,"name":1926,"navigation":86,"path":2037,"references":2038,"seo":2047,"slug":1931,"stem":2048,"summaryHtml":2049,"tactics":2050,"techniqueId":2051,"__hash__":2052},"browserIdentityAttacksTechniques/techniques/im_phishing/description.md","IM phishing",{"type":12,"value":1928,"toc":2024},[1929,1932,1935,1937,1941,1943,1946,1949,1951,1965,1967],[15,1930,1926],{"id":1931},"im-phishing",[19,1933,1934],{},"ID: SAT1018",[23,1936,26],{"id":25},[28,1938,1939],{},[31,1940,112],{},[23,1942,40],{"id":39},[19,1944,1945],{},"Traditionally, phishing attacks have been mostly email-based. While many organizations have been making use of SaaS-based instant messaging apps, these have been traditionally focused on internal communications, but this is changing rapidly.",[19,1947,1948],{},"Due to the ubiquity and effectiveness of instant messaging apps, communication with external parties has become more common. Instant messaging apps also lack many of the security controls around malicious links and attachments that have been common in email gateways for many years. This along with the immediacy and real-time nature of IM makes it a great vector for phishing attacks as users are less familiar with these apps as delivery vectors for phishing attacks.",[23,1950,58],{"id":57},[28,1952,1953,1959],{},[31,1954,1955],{},[64,1956,1958],{"href":1957},"examples/slack","Slack",[31,1960,1961],{},[64,1962,1964],{"href":1963},"examples/teams","MS Teams",[23,1966,71],{"id":70},[28,1968,1969,1976,1983,1990,1997,2004,2010,2017],{},[31,1970,1971],{},[64,1972,1975],{"href":1973,"rel":1974},"https://pushsecurity.com/blog/slack-phishing-for-initial-access/",[261],"Slack Attack: A phisher's guide to initial access",[31,1977,1978],{},[64,1979,1982],{"href":1980,"rel":1981},"https://pushsecurity.com/blog/phishing-slack-persistence/",[261],"Slack Attack: A phisher's guide to persistence and lateral movement",[31,1984,1985],{},[64,1986,1989],{"href":1987,"rel":1988},"https://labs.jumpsec.com/advisory-idor-in-microsoft-teams-allows-for-external-tenants-to-introduce-malware/",[261],"Jumpsec Advisory: IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware",[31,1991,1992],{},[64,1993,1996],{"href":1994,"rel":1995},"https://github.com/Octoberfest7/TeamsPhisher",[261],"TeamsPhisher",[31,1998,1999],{},[64,2000,2003],{"href":2001,"rel":2002},"https://github.com/adelapazborrero/slack_jack?tab=readme-ov-file",[261],"Slack Jack - A tool for Slack bot token abuse",[31,2005,2006],{},[64,2007,2009],{"href":259,"rel":2008},[261],"Evilginx - AITM framework for phishing login credentials",[31,2011,2012],{},[64,2013,2016],{"href":2014,"rel":2015},"https://attack.mitre.org/techniques/T1566/003/",[261],"MITRE ATT&CK - Phishing: Spearphishing via Service",[31,2018,2019],{},[64,2020,2023],{"href":2021,"rel":2022},"https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/",[261],"Storm-0324 distributes malware using TeamsPhisher",{"title":73,"searchDepth":74,"depth":74,"links":2025},[2026,2027,2028,2029],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[2031,2033],{"text":1958,"url":2032},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/im_phishing/examples/slack.md",{"text":1964,"url":2034},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/im_phishing/examples/teams.md","im_phishing",{},"/techniques/im_phishing/description",[2039,2040,2041,2042,2043,2044,2045,2046],{"text":1975,"url":1973},{"text":1982,"url":1980},{"text":1989,"url":1987},{"text":1996,"url":1994},{"text":2003,"url":2001},{"text":2009,"url":259},{"text":2016,"url":2014},{"text":2023,"url":2021},{"title":1926,"description":1934},"techniques/im_phishing/description","\u003Cp>Traditionally, phishing attacks have been mostly email-based. While many organizations have been making use of SaaS-based instant messaging apps, these have been traditionally focused on internal communications, but this is changing rapidly.\u003C/p>\n\u003Cp>Due to the ubiquity and effectiveness of instant messaging apps, communication with external parties has become more common. Instant messaging apps also lack many of the security controls around malicious links and attachments that have been common in email gateways for many years. This along with the immediacy and real-time nature of IM makes it a great vector for phishing attacks as users are less familiar with these apps as delivery vectors for phishing attacks.\u003C/p>\n",[112],"SAT1018","S2QS7zOR8kqHlBOofAfOnSrIkSlfR3XgBKHXmkxUK-s",{"id":2054,"title":2055,"body":2056,"description":2063,"examples":2111,"extension":83,"githubDir":2114,"meta":2115,"name":2055,"navigation":86,"path":2116,"references":2117,"seo":2120,"slug":2060,"stem":2121,"summaryHtml":2122,"tactics":2123,"techniqueId":2124,"__hash__":2125},"browserIdentityAttacksTechniques/techniques/im_user_spoofing/description.md","IM user spoofing",{"type":12,"value":2057,"toc":2105},[2058,2061,2064,2066,2072,2074,2077,2080,2083,2085,2091,2093],[15,2059,2055],{"id":2060},"im-user-spoofing",[19,2062,2063],{},"ID: SAT1019",[23,2065,26],{"id":25},[28,2067,2068,2070],{},[31,2069,112],{},[31,2071,36],{},[23,2073,40],{"id":39},[19,2075,2076],{},"Some instant messaging apps do not strongly control the way a user presents themselves in terms of display names, full names, user handles, photos, and so on.",[19,2078,2079],{},"Given that instant messaging systems are often focused on internal communications, users usually trust them. An adversary could take advantage of this to use a compromised account, or an external account where the instant messaging app permits cross-tenant communication (e.g. Slack connect or MS Teams), to spoof their identity to increase the success of phishing attacks and other social engineering attempts.",[19,2081,2082],{},"For example, a compromised user account could be renamed and have the photo changed to match the CEO and attempt CEO fraud by directly messaging members of the finance team. These profile details make CEO impersonation much more credible.",[23,2084,58],{"id":57},[28,2086,2087],{},[31,2088,2089],{},[64,2090,1958],{"href":1957},[23,2092,71],{"id":70},[28,2094,2095,2100],{},[31,2096,2097],{},[64,2098,1975],{"href":1973,"rel":2099},[261],[31,2101,2102],{},[64,2103,1982],{"href":1980,"rel":2104},[261],{"title":73,"searchDepth":74,"depth":74,"links":2106},[2107,2108,2109,2110],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[2112],{"text":1958,"url":2113},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/im_user_spoofing/examples/slack.md","im_user_spoofing",{},"/techniques/im_user_spoofing/description",[2118,2119],{"text":1975,"url":1973},{"text":1982,"url":1980},{"title":2055,"description":2063},"techniques/im_user_spoofing/description","\u003Cp>Some instant messaging apps do not strongly control the way a user presents themselves in terms of display names, full names, user handles, photos, and so on.\u003C/p>\n\u003Cp>Given that instant messaging systems are often focused on internal communications, users usually trust them. An adversary could take advantage of this to use a compromised account, or an external account where the instant messaging app permits cross-tenant communication (e.g. Slack connect or MS Teams), to spoof their identity to increase the success of phishing attacks and other social engineering attempts.\u003C/p>\n\u003Cp>For example, a compromised user account could be renamed and have the photo changed to match the CEO and attempt CEO fraud by directly messaging members of the finance team. These profile details make CEO impersonation much more credible.\u003C/p>\n",[112,36],"SAT1019","XZucRmZHtWdgA7pVME6345Pxe1f3RBjzjtDKQb3BJMc",{"id":2127,"title":2128,"body":2129,"description":2136,"examples":2215,"extension":83,"githubDir":2219,"meta":2220,"name":2128,"navigation":86,"path":2221,"references":2222,"seo":2228,"slug":2133,"stem":2229,"summaryHtml":2230,"tactics":2231,"techniqueId":2232,"__hash__":2233},"browserIdentityAttacksTechniques/techniques/in-app_phishing/description.md","In-app phishing",{"type":12,"value":2130,"toc":2209},[2131,2134,2137,2139,2145,2147,2150,2153,2156,2159,2161,2175,2177],[15,2132,2128],{"id":2133},"in-app-phishing",[19,2135,2136],{},"ID: SAT1020",[23,2138,26],{"id":25},[28,2140,2141,2143],{},[31,2142,112],{},[31,2144,36],{},[23,2146,40],{"id":39},[19,2148,2149],{},"It’s possible to conduct phishing and other social engineering attacks, using native features of SaaS apps. This will often result in activity directly within an app the target already uses and/or may result in email notifications being delivered directly to the target but from legitimate email domains associated with the SaaS app. This is a broad area but commonly can be through shared content or collaborations features, such as document sharing and commenting functionality.",[19,2151,2152],{},"Users will often treat activity within legitimate apps or email notifications from confirmed legitimate SaaS app domains with a much higher level of trust than they would traditional phishing emails and therefore they are more likely to fall victim.",[19,2154,2155],{},"This can be used as both an initial access method, using SaaS apps that allow communication with external users, or as a lateral movement method once a foothold has been established on a legitimate tenant for the target organization.",[19,2157,2158],{},"For example, a malicious document could be shared with a target using a document sharing app in an attempt to gain a foothold elsewhere. A different example involving lateral movement might be a ticketing system where comments and ticket creation functionality could be abused to spread malicious links aimed at harvesting further user credentials.",[23,2160,58],{"id":57},[28,2162,2163,2168],{},[31,2164,2165],{},[64,2166,848],{"href":2167},"examples/github",[31,2169,2170],{},[64,2171,2174],{"href":2172,"rel":2173},"https://www.bleepingcomputer.com/news/security/mondaycom-removes-share-update-feature-abused-for-phishing-attacks/",[261],"Monday.com",[23,2176,71],{"id":70},[28,2178,2179,2186,2191,2196,2203],{},[31,2180,2181],{},[64,2182,2185],{"href":2183,"rel":2184},"https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/",[261],"Jade sleet compromise using GitHub repository collaboration",[31,2187,2188],{},[64,2189,1509],{"href":259,"rel":2190},[261],[31,2192,2193],{},[64,2194,2016],{"href":2014,"rel":2195},[261],[31,2197,2198],{},[64,2199,2202],{"href":2200,"rel":2201},"https://www.proofpoint.com/uk/blog/cloud-security/community-alert-ongoing-malicious-campaign-impacting-azure-cloud-environments",[261],"Phishing lures embedded within shared documents",[31,2204,2205],{},[64,2206,2208],{"href":846,"rel":2207},[261],"GitHub notification phishing",{"title":73,"searchDepth":74,"depth":74,"links":2210},[2211,2212,2213,2214],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[2216,2218],{"text":848,"url":2217},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/in-app_phishing/examples/github.md",{"text":2174,"url":2172},"in-app_phishing",{},"/techniques/in-app_phishing/description",[2223,2224,2225,2226,2227],{"text":2185,"url":2183},{"text":1509,"url":259},{"text":2016,"url":2014},{"text":2202,"url":2200},{"text":2208,"url":846},{"title":2128,"description":2136},"techniques/in-app_phishing/description","\u003Cp>It’s possible to conduct phishing and other social engineering attacks, using native features of SaaS apps. This will often result in activity directly within an app the target already uses and/or may result in email notifications being delivered directly to the target but from legitimate email domains associated with the SaaS app. This is a broad area but commonly can be through shared content or collaborations features, such as document sharing and commenting functionality.\u003C/p>\n\u003Cp>Users will often treat activity within legitimate apps or email notifications from confirmed legitimate SaaS app domains with a much higher level of trust than they would traditional phishing emails and therefore they are more likely to fall victim.\u003C/p>\n\u003Cp>This can be used as both an initial access method, using SaaS apps that allow communication with external users, or as a lateral movement method once a foothold has been established on a legitimate tenant for the target organization. \u003C/p>\n\u003Cp>For example, a malicious document could be shared with a target using a document sharing app in an attempt to gain a foothold elsewhere. A different example involving lateral movement might be a ticketing system where comments and ticket creation functionality could be abused to spread malicious links aimed at harvesting further user credentials.\u003C/p>\n",[112,36],"SAT1020","xSYq359lUSW5v-Sa88RpRlGdjg2Nn3bct_uWM9e7-sU",{"id":2235,"title":2236,"body":2237,"description":2244,"examples":2294,"extension":83,"githubDir":2297,"meta":2298,"name":2236,"navigation":86,"path":2299,"references":2300,"seo":2302,"slug":2241,"stem":2303,"summaryHtml":2304,"tactics":2305,"techniqueId":2306,"__hash__":2307},"browserIdentityAttacksTechniques/techniques/inbound_federation/description.md","Inbound federation",{"type":12,"value":2238,"toc":2288},[2239,2242,2245,2247,2253,2255,2258,2261,2267,2269,2277,2279],[15,2240,2236],{"id":2241},"inbound-federation",[19,2243,2244],{},"ID: SAT1041",[23,2246,26],{"id":25},[28,2248,2249,2251],{},[31,2250,330],{},[31,2252,36],{},[23,2254,40],{"id":39},[19,2256,2257],{},"Inbound federation allows users to login to a target identity provider by authenticating with a source identity provider. This is often used in scenarios that involve multiple large divisions that form part of a larger parent, such as with conglomerates or during mergers and acquisitions.",[19,2259,2260],{},"An adversary who has gained administrative control of an application, such as a core identity provider, can use this to both maintain persistent access as well as effectively laterally move to other user accounts by authenticating against an identity provider they control and having those accounts mapped automatically to existing accounts on the target identity provider.",[19,2262,2263,2264,2266],{},"This shares similarities with ",[64,2265,551],{"href":550},", but affects all users of an application instead of being tied specifically to one user account.",[23,2268,58],{"id":57},[28,2270,2271],{},[31,2272,2273],{},[64,2274,2276],{"href":2275},"examples/okta","Okta",[23,2278,71],{"id":70},[28,2280,2281],{},[31,2282,2283],{},[64,2284,2287],{"href":2285,"rel":2286},"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",[261],"Okta Cross-Tenant Impersonation",{"title":73,"searchDepth":74,"depth":74,"links":2289},[2290,2291,2292,2293],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[2295],{"text":2276,"url":2296},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/inbound_federation/examples/okta.md","inbound_federation",{},"/techniques/inbound_federation/description",[2301],{"text":2287,"url":2285},{"title":2236,"description":2244},"techniques/inbound_federation/description","\u003Cp>Inbound federation allows users to login to a target identity provider by authenticating with a source identity provider. This is often used in scenarios that involve multiple large divisions that form part of a larger parent, such as with conglomerates or during mergers and acquisitions.\u003C/p>\n\u003Cp>An adversary who has gained administrative control of an application, such as a core identity provider, can use this to both maintain persistent access as well as effectively laterally move to other user accounts by authenticating against an identity provider they control and having those accounts mapped automatically to existing accounts on the target identity provider.\u003C/p>\n\u003Cp>This shares similarities with \u003Ca href=\"/resources/browser-identity-attacks-matrix/ghost-logins\">ghost logins\u003C/a>, but affects all users of an application instead of being tied specifically to one user account.\u003C/p>\n",[330,36],"SAT1041","IJSHGm-Bx22OSi0uMAgXW1vtfDJgjzZYedzTJPvBSuA",{"id":2309,"title":2310,"body":2311,"description":2318,"examples":2366,"extension":83,"githubDir":2369,"meta":2370,"name":2310,"navigation":86,"path":2371,"references":2372,"seo":2374,"slug":2315,"stem":2375,"summaryHtml":2376,"tactics":2377,"techniqueId":2378,"__hash__":2379},"browserIdentityAttacksTechniques/techniques/link_backdooring/description.md","Link backdooring",{"type":12,"value":2312,"toc":2360},[2313,2316,2319,2321,2327,2329,2332,2335,2338,2341,2343,2351,2353],[15,2314,2310],{"id":2315},"link-backdooring",[19,2317,2318],{},"ID: SAT1021",[23,2320,26],{"id":25},[28,2322,2323,2325],{},[31,2324,33],{},[31,2326,36],{},[23,2328,40],{"id":39},[19,2330,2331],{},"Users have long been trained to be wary of clicking links from external sources such as email. However, they don’t usually exercise the same caution when clicking links within trusted apps.",[19,2333,2334],{},"Many SaaS apps have functionality to include links to other systems. For example, SaaS-based Office documents may have links in them, tickets in ticket tracking systems and wikis can be especially link-heavy. Often these systems don’t exercise the same link security you would expect in external email, so malicious links can be more easily obfuscated to appear legitimate, even if a user checks.",[19,2336,2337],{},"An adversary who has gained a foothold into a trusted SaaS app where links are common could automate backdooring links in the app to direct to a phishing site they control. Since users are used to their sessions or SSO logins expiring, they’ve grown accustomed to clicking a (seemingly legitimate) link within a trusted system. This makes sending users to a phishing site within a trusted app that much easier because it looks like the standard SSO login page.",[19,2339,2340],{},"Wiki-style apps are a particularly interesting target for this type of attack as links are commonplace and individual users can often edit fairly large amounts of content (and links included therein). Adversaries can even use APIs to automate updating these links.",[23,2342,58],{"id":57},[28,2344,2345],{},[31,2346,2347],{},[64,2348,2350],{"href":2349},"examples/nuclino","Nuclino",[23,2352,71],{"id":70},[28,2354,2355],{},[31,2356,2357],{},[64,2358,1509],{"href":259,"rel":2359},[261],{"title":73,"searchDepth":74,"depth":74,"links":2361},[2362,2363,2364,2365],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[2367],{"text":2350,"url":2368},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/link_backdooring/examples/nuclino.md","link_backdooring",{},"/techniques/link_backdooring/description",[2373],{"text":1509,"url":259},{"title":2310,"description":2318},"techniques/link_backdooring/description","\u003Cp>Users have long been trained to be wary of clicking links from external sources such as email. However, they don’t usually exercise the same caution when clicking links within trusted apps.\u003C/p>\n\u003Cp>Many SaaS apps have functionality to include links to other systems. For example, SaaS-based Office documents may have links in them, tickets in ticket tracking systems and wikis can be especially link-heavy. Often these systems don’t exercise the same link security you would expect in external email, so malicious links can be more easily obfuscated to appear legitimate, even if a user checks.\u003C/p>\n\u003Cp>An adversary who has gained a foothold into a trusted SaaS app where links are common could automate backdooring links in the app to direct to a phishing site they control. Since users are used to their sessions or SSO logins expiring, they’ve grown accustomed to clicking a (seemingly legitimate) link within a trusted system. This makes sending users to a phishing site within a trusted app that much easier because it looks like the standard SSO login page.\u003C/p>\n\u003Cp>Wiki-style apps are a particularly interesting target for this type of attack as links are commonplace and individual users can often edit fairly large amounts of content (and links included therein). Adversaries can even use APIs to automate updating these links.\u003C/p>\n",[33,36],"SAT1021","RJmjTnw3bpb72aNRV8fFhQTV6rCFx1jMv5WYXpkZBAg",{"id":2381,"title":2382,"body":2383,"description":2390,"examples":2429,"extension":83,"githubDir":2434,"meta":2435,"name":2382,"navigation":86,"path":2436,"references":2437,"seo":2438,"slug":2387,"stem":2439,"summaryHtml":2440,"tactics":2441,"techniqueId":2442,"__hash__":2443},"browserIdentityAttacksTechniques/techniques/link_sharing/description.md","Link sharing",{"type":12,"value":2384,"toc":2423},[2385,2388,2391,2393,2399,2401,2404,2407,2409,2421],[15,2386,2382],{"id":2387},"link-sharing",[19,2389,2390],{},"ID: SAT1022",[23,2392,26],{"id":25},[28,2394,2395,2397],{},[31,2396,330],{},[31,2398,333],{},[23,2400,40],{"id":39},[19,2402,2403],{},"Many SaaS apps offer the ability to share items with third parties through sharing links. A file storage app may allow a document to be shared with a third party either through explicitly sharing with named accounts in a separate tenant or through creation of an anonymous/public-sharing link.",[19,2405,2406],{},"An adversary can create sharing links to maintain persistent access to data if the password is changed or the compromised account is disabled. Access to resources that have been shared anonymously are usually not logged in the same detail, can’t be attributed to a specific user, and can be used to evade audit controls.",[23,2408,58],{"id":57},[28,2410,2411,2417],{},[31,2412,2413],{},[64,2414,2416],{"href":2415},"examples/onedrive","OneDrive",[31,2418,2419],{},[64,2420,2350],{"href":2349},[23,2422,71],{"id":70},{"title":73,"searchDepth":74,"depth":74,"links":2424},[2425,2426,2427,2428],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[2430,2432],{"text":2416,"url":2431},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/link_sharing/examples/onedrive.md",{"text":2350,"url":2433},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/link_sharing/examples/nuclino.md","link_sharing",{},"/techniques/link_sharing/description",[],{"title":2382,"description":2390},"techniques/link_sharing/description","\u003Cp>Many SaaS apps offer the ability to share items with third parties through sharing links. A file storage app may allow a document to be shared with a third party either through explicitly sharing with named accounts in a separate tenant or through creation of an anonymous/public-sharing link.\u003C/p>\n\u003Cp>An adversary can create sharing links to maintain persistent access to data if the password is changed or the compromised account is disabled. Access to resources that have been shared anonymously are usually not logged in the same detail, can’t be attributed to a specific user, and can be used to evade audit controls.\u003C/p>\n",[330,333],"SAT1022","8TCkzt6eDd80zL0KIvWC7cZloONfVug6FR7P3X6kq30",{"id":2445,"title":2446,"body":2447,"description":2454,"examples":2538,"extension":83,"githubDir":2541,"meta":2542,"name":2446,"navigation":86,"path":2543,"references":2544,"seo":2551,"slug":2451,"stem":2552,"summaryHtml":2553,"tactics":2554,"techniqueId":2555,"__hash__":2556},"browserIdentityAttacksTechniques/techniques/malicious_mail_rules/description.md","Malicious mail rules",{"type":12,"value":2448,"toc":2532},[2449,2452,2455,2457,2465,2467,2470,2473,2476,2478,2486,2488],[15,2450,2446],{"id":2451},"malicious-mail-rules",[19,2453,2454],{},"ID: SAT1023",[23,2456,26],{"id":25},[28,2458,2459,2461,2463],{},[31,2460,330],{},[31,2462,33],{},[31,2464,333],{},[23,2466,40],{"id":39},[19,2468,2469],{},"Common SaaS mail providers like Office365 and Gmail provide mail rule functionality that allows users to automate certain tasks on their mailboxes. This includes forwarding, moving emails, marking them as read and deleting them.",[19,2471,2472],{},"This can be used maliciously for multiple purposes. Mail rules persist after account changes, such as password resets. So one obvious tactic is to use them to persist access to a compromised mailbox by setting up auto-forwarding rules for all emails (or ones with interesting keywords, like “password reset” or “invoice”) to an external address - this is typical in BEC-style attacks.",[19,2474,2475],{},"By intercepting password or MFA reset emails through forwarding and auto-delete rules, mail rules can be used to move laterally to compromise accounts for other SaaS apps, while also avoiding alerting the user to the malicious activity.",[23,2477,58],{"id":57},[28,2479,2480],{},[31,2481,2482],{},[64,2483,2485],{"href":2484},"examples/office_365","Office 365",[23,2487,71],{"id":70},[28,2489,2490,2497,2504,2511,2518,2525],{},[31,2491,2492],{},[64,2493,2496],{"href":2494,"rel":2495},"https://www.netspi.com/blog/technical/adversary-simulation/malicious-outlook-rules/",[261],"Malicious Outlook Rules - Technical blog post",[31,2498,2499],{},[64,2500,2503],{"href":2501,"rel":2502},"https://github.com/sensepost/ruler",[261],"Ruler - A tool to abuse Exchange services",[31,2505,2506],{},[64,2507,2510],{"href":2508,"rel":2509},"https://github.com/FSecureLABS/XRulez",[261],"XRulez - A command line tool for creating malicious outlook rules",[31,2512,2513],{},[64,2514,2517],{"href":2515,"rel":2516},"https://attack.mitre.org/techniques/T1114/003/",[261],"MITRE ATT&CK - Email Forwarding Rule",[31,2519,2520],{},[64,2521,2524],{"href":2522,"rel":2523},"https://darktrace.com/blog/breakdown-of-a-multi-account-compromise-within-office-365",[261],"Multi-account Office365 compromise using mail rules",[31,2526,2527],{},[64,2528,2531],{"href":2529,"rel":2530},"https://www.microsoft.com/en-us/security/blog/2023/12/12/threat-actors-misuse-oauth-applications-to-automate-financially-driven-attacks/",[261],"Microsoft blog - Mail rules used to hide attacks",{"title":73,"searchDepth":74,"depth":74,"links":2533},[2534,2535,2536,2537],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[2539],{"text":2485,"url":2540},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/malicious_mail_rules/examples/office_365.md","malicious_mail_rules",{},"/techniques/malicious_mail_rules/description",[2545,2546,2547,2548,2549,2550],{"text":2496,"url":2494},{"text":2503,"url":2501},{"text":2510,"url":2508},{"text":2517,"url":2515},{"text":2524,"url":2522},{"text":2531,"url":2529},{"title":2446,"description":2454},"techniques/malicious_mail_rules/description","\u003Cp>Common SaaS mail providers like Office365 and Gmail provide mail rule functionality that allows users to automate certain tasks on their mailboxes. This includes forwarding, moving emails, marking them as read and deleting them.\u003C/p>\n\u003Cp>This can be used maliciously for multiple purposes. Mail rules persist after account changes, such as password resets. So one obvious tactic is to use them to persist access to a compromised mailbox by setting up auto-forwarding rules for all emails (or ones with interesting keywords, like “password reset” or “invoice”) to an external address - this is typical in BEC-style attacks.\u003C/p>\n\u003Cp>By intercepting password or MFA reset emails through forwarding and auto-delete rules, mail rules can be used to move laterally to compromise accounts for other SaaS apps, while also avoiding alerting the user to the malicious activity.\u003C/p>\n",[330,33,333],"SAT1023","DIXyEPQxDG_HHC-iebptE-7UPXDs-A0fF7UHonRZfCw",{"id":2558,"title":2559,"body":2560,"description":2567,"examples":2643,"extension":83,"githubDir":2645,"meta":2646,"name":2559,"navigation":86,"path":2647,"references":2648,"seo":2652,"slug":2564,"stem":2653,"summaryHtml":2654,"tactics":2655,"techniqueId":2656,"__hash__":2657},"browserIdentityAttacksTechniques/techniques/mfa_downgrade/description.md","MFA downgrade",{"type":12,"value":2561,"toc":2637},[2562,2565,2568,2570,2574,2576,2584,2592,2595,2598,2601,2603,2612,2614],[15,2563,2559],{"id":2564},"mfa-downgrade",[19,2566,2567],{},"ID: SAT1045",[23,2569,26],{"id":25},[28,2571,2572],{},[31,2573,112],{},[23,2575,40],{"id":39},[19,2577,2578,2579,2583],{},"Phishing-resistant MFA factors, such as passkeys or vendor-specific implementations like Okta Fastpass, have been introduced to deal with the problem of ",[64,2580,2582],{"href":2581},"/techniques/aitm_phishing/description.md","AiTM phishing attacks"," and credential theft. An MFA downgrade attack can be used to prevent the use of a passkey in order to force the use of a vulnerable factor, such that an AiTM phishing attack is still successful.",[19,2585,2586,2587,2591],{},"Traditional authentication factors, like passwords, push notifications and time-based one-time-passwords (TOTPs) are all vulnerable to phishing attacks as they can be either captured and replayed by an attacker or work without even needing to be replayed, as is the case with push notifications. Additionally, ",[64,2588,2590],{"href":2589},"/techniques/mfa_fatigue/description.md","MFA fatigue"," attacks are often effective against push notification factors too, when an attacker has already compromised a password factor.",[19,2593,2594],{},"Using a phishing-resistant factor, such as a passkey, prevents these attacks because they are cryptographically tied to the domain being accessed. Therefore, if a user accesses a AiTM phishing website on a malicious domain, it’s not possible for them to send a successful challenge/response to authenticate.",[19,2596,2597],{},"However, just because a user has a phishing-resistant factor setup and may use them by default, it does not mean they are necessarily enforced. Often services support the use of multiple authentication options, particularly for second factors. In particular, passkeys are device-bound and so enforcing their use prevents logins from other devices and can cause recovery issues in a lost/broken device scenario. Therefore, it is common for the default case to be that passkey authentication is optional, rather than required.",[19,2599,2600],{},"Attackers can exploit this by using an AiTM phishing attack to modify requests/responses so as to prevent the ability of passkeys to be selected as a login option and prompting the user to use vulnerable factors, such as passwords, TOTPs and push notifications instead. Since the server-side will support these authentication options in this case, if the user continues to enter other authentication factors then their authenticated session will be compromised despite the fact they usually use passkeys or similar.",[23,2602,58],{"id":57},[28,2604,2605],{},[31,2606,2607],{},[64,2608,2611],{"href":2609,"rel":2610},"https://medium.com/@yudasm/bypassing-windows-hello-for-business-for-phishing-181f2271dc02#c32b",[261],"Microsoft - Windows Hello for Business MFA downgrade attack",[23,2613,71],{"id":70},[28,2615,2616,2623,2630],{},[31,2617,2618],{},[64,2619,2622],{"href":2620,"rel":2621},"https://fidoalliance.org/passkeys/",[261],"FIDO Alliance - Passkeys 101",[31,2624,2625],{},[64,2626,2629],{"href":2627,"rel":2628},"https://youtu.be/-W-LxcbUxI4?t=1541",[261],"X33fcon - Unraveling and Countering Adversary-in-the-Middle Phishing Attacks - MFA downgrade section",[31,2631,2632],{},[64,2633,2636],{"href":2634,"rel":2635},"https://github.com/yudasm/WHfB-o365-Phishlet",[261],"Evilginx phishlet for WHfB MFA downgrade attack",{"title":73,"searchDepth":74,"depth":74,"links":2638},[2639,2640,2641,2642],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[2644],{"text":2611,"url":2609},"mfa_downgrade",{},"/techniques/mfa_downgrade/description",[2649,2650,2651],{"text":2622,"url":2620},{"text":2629,"url":2627},{"text":2636,"url":2634},{"title":2559,"description":2567},"techniques/mfa_downgrade/description","\u003Cp>Phishing-resistant MFA factors, such as passkeys or vendor-specific implementations like Okta Fastpass, have been introduced to deal with the problem of \u003Ca href=\"/resources/browser-identity-attacks-matrix/aitm-phishing\">AiTM phishing attacks\u003C/a> and credential theft. An MFA downgrade attack can be used to prevent the use of a passkey in order to force the use of a vulnerable factor, such that an AiTM phishing attack is still successful.\u003C/p>\n\u003Cp>Traditional authentication factors, like passwords, push notifications and time-based one-time-passwords (TOTPs) are all vulnerable to phishing attacks as they can be either captured and replayed by an attacker or work without even needing to be replayed, as is the case with push notifications. Additionally, \u003Ca href=\"/resources/browser-identity-attacks-matrix/mfa-fatigue\">MFA fatigue\u003C/a> attacks are often effective against push notification factors too, when an attacker has already compromised a password factor.\u003C/p>\n\u003Cp>Using a phishing-resistant factor, such as a passkey, prevents these attacks because they are cryptographically tied to the domain being accessed. Therefore, if a user accesses a AiTM phishing website on a malicious domain, it’s not possible for them to send a successful challenge/response to authenticate.\u003C/p>\n\u003Cp>However, just because a user has a phishing-resistant factor setup and may use them by default, it does not mean they are necessarily enforced. Often services support the use of multiple authentication options, particularly for second factors. In particular, passkeys are device-bound and so enforcing their use prevents logins from other devices and can cause recovery issues in a lost/broken device scenario. Therefore, it is common for the default case to be that passkey authentication is optional, rather than required.\u003C/p>\n\u003Cp>Attackers can exploit this by using an AiTM phishing attack to modify requests/responses so as to prevent the ability of passkeys to be selected as a login option and prompting the user to use vulnerable factors, such as passwords, TOTPs and push notifications instead. Since the server-side will support these authentication options in this case, if the user continues to enter other authentication factors then their authenticated session will be compromised despite the fact they usually use passkeys or similar.\u003C/p>\n",[112],"SAT1045","zkHQVWC-aSzupAt0GJ6B3TG2p8Urei2tCkDBjTeFU8Q",{"id":2659,"title":2590,"body":2660,"description":2667,"examples":2711,"extension":83,"githubDir":2712,"meta":2713,"name":2590,"navigation":86,"path":2714,"references":2715,"seo":2718,"slug":2664,"stem":2719,"summaryHtml":2720,"tactics":2721,"techniqueId":2722,"__hash__":2723},"browserIdentityAttacksTechniques/techniques/mfa_fatigue/description.md",{"type":12,"value":2661,"toc":2705},[2662,2665,2668,2670,2674,2676,2679,2682,2685,2687,2689],[15,2663,2590],{"id":2664},"mfa-fatigue",[19,2666,2667],{},"ID: SAT1024",[23,2669,26],{"id":25},[28,2671,2672],{},[31,2673,112],{},[23,2675,40],{"id":39},[19,2677,2678],{},"One of the most common implementations of MFA is using push notifications to a mobile device that allow the user to approve or deny the login request. This is generally the most user friendly approach as a user can authenticate with the push of a button from their phone lock screen, without needing to read a code from another app and type it in anywhere.",[19,2680,2681],{},"An adversary can exploit this process by continually making login requests with compromised credentials at inconvenient times (e.g. the middle of the night) or generally with an annoying frequency. Even if the user initially rejects the push notifications initially it can quickly become infuriating to receive ongoing push notifications and lead to an assumption that perhaps something legitimate is continually failing to authenticate and just needs to be approved to make the problem go away.",[19,2683,2684],{},"Eventually, the user only needs to click to approve the login once, whether through mistake or frustration, and the adversary will gain access to their account.",[23,2686,58],{"id":57},[23,2688,71],{"id":70},[28,2690,2691,2698],{},[31,2692,2693],{},[64,2694,2697],{"href":2695,"rel":2696},"https://www.darkreading.com/attacks-breaches/uber-breach-external-contractor-mfa-bombing-attack",[261],"Uber breach by Lapsus$",[31,2699,2700],{},[64,2701,2704],{"href":2702,"rel":2703},"https://attack.mitre.org/techniques/T1621/",[261],"MITRE ATT&CK - MFA Request Generation",{"title":73,"searchDepth":74,"depth":74,"links":2706},[2707,2708,2709,2710],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[],"mfa_fatigue",{},"/techniques/mfa_fatigue/description",[2716,2717],{"text":2697,"url":2695},{"text":2704,"url":2702},{"title":2590,"description":2667},"techniques/mfa_fatigue/description","\u003Cp>One of the most common implementations of MFA is using push notifications to a mobile device that allow the user to approve or deny the login request. This is generally the most user friendly approach as a user can authenticate with the push of a button from their phone lock screen, without needing to read a code from another app and type it in anywhere.\u003C/p>\n\u003Cp>An adversary can exploit this process by continually making login requests with compromised credentials at inconvenient times (e.g. the middle of the night) or generally with an annoying frequency. Even if the user initially rejects the push notifications initially it can quickly become infuriating to receive ongoing push notifications and lead to an assumption that perhaps something legitimate is continually failing to authenticate and just needs to be approved to make the problem go away.\u003C/p>\n\u003Cp>Eventually, the user only needs to click to approve the login once, whether through mistake or frustration, and the adversary will gain access to their account.\u003C/p>\n",[112],"SAT1024","zkT0XZvwgK1ZrYxU9UGLXVq211bxCmtTmMMY2HgfZH0",{"id":2725,"title":2726,"body":2727,"description":2734,"examples":2779,"extension":83,"githubDir":2731,"meta":2782,"name":2726,"navigation":86,"path":2783,"references":2784,"seo":2786,"slug":2731,"stem":2787,"summaryHtml":2788,"tactics":2789,"techniqueId":2790,"__hash__":2791},"browserIdentityAttacksTechniques/techniques/noauth/description.md","nOAuth",{"type":12,"value":2728,"toc":2773},[2729,2732,2735,2737,2741,2743,2746,2749,2752,2754,2762,2764],[15,2730,2726],{"id":2731},"noauth",[19,2733,2734],{},"ID: SAT1025",[23,2736,26],{"id":25},[28,2738,2739],{},[31,2740,112],{},[23,2742,40],{"id":39},[19,2744,2745],{},"SaaS apps that make use of OAuth integrations require an identifier to match accounts between the application and identity provider. The OAuth specification states that a user should be identified by the subject claim. The subject claim is an immutable identifier and not an attribute that a user can alter. However, apps can be configured to identify users via other claims (in other words account metadata/attributes), which can lead to unintended consequences.",[19,2747,2748],{},"nOAuth is a common misconfiguration where apps use the 'email' claim to identify users instead of the subject claim.",[19,2750,2751],{},"An adversary could create their own tenant and set the 'email' attribute on their account to match their target's email address. This would allow them to authenticate to any vulnerable SaaS app where the target has an account.",[23,2753,58],{"id":57},[28,2755,2756],{},[31,2757,2758],{},[64,2759,2761],{"href":2760},"examples/azuread","AzureAD",[23,2763,71],{"id":70},[28,2765,2766],{},[31,2767,2768],{},[64,2769,2772],{"href":2770,"rel":2771},"https://www.descope.com/blog/post/noauth",[261],"nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover",{"title":73,"searchDepth":74,"depth":74,"links":2774},[2775,2776,2777,2778],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[2780],{"text":2761,"url":2781},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/noauth/examples/azuread.md",{},"/techniques/noauth/description",[2785],{"text":2772,"url":2770},{"title":2726,"description":2734},"techniques/noauth/description","\u003Cp>SaaS apps that make use of OAuth integrations require an identifier to match accounts between the application and identity provider. The OAuth specification states that a user should be identified by the subject claim. The subject claim is an immutable identifier and not an attribute that a user can alter. However, apps can be configured to identify users via other claims (in other words account metadata/attributes), which can lead to unintended consequences.\u003C/p>\n\u003Cp>nOAuth is a common misconfiguration where apps use the &#39;email&#39; claim to identify users instead of the subject claim.\u003C/p>\n\u003Cp>An adversary could create their own tenant and set the &#39;email&#39; attribute on their account to match their target&#39;s email address. This would allow them to authenticate to any vulnerable SaaS app where the target has an account.\u003C/p>\n",[112],"SAT1025","L-BC3un0W4U8qc0ZCv9RLV49hfLZAW9mCl8sEcDHQ6s",{"id":2793,"title":2794,"body":2795,"description":2802,"examples":2838,"extension":83,"githubDir":2843,"meta":2844,"name":2794,"navigation":86,"path":2845,"references":2846,"seo":2847,"slug":2799,"stem":2848,"summaryHtml":2849,"tactics":2850,"techniqueId":2851,"__hash__":2852},"browserIdentityAttacksTechniques/techniques/oauth_token_enumeration/description.md","OAuth token enumeration",{"type":12,"value":2796,"toc":2832},[2797,2800,2803,2805,2809,2811,2814,2817,2819,2830],[15,2798,2794],{"id":2799},"oauth-token-enumeration",[19,2801,2802],{},"ID: SAT1026",[23,2804,26],{"id":25},[28,2806,2807],{},[31,2808,459],{},[23,2810,40],{"id":39},[19,2812,2813],{},"SaaS app users may have authenticated using OIDC (social logins) or have created other OAuth integrations to share data and make better use of the app. If an adversary has compromised a user’s account, they can list out existing OAuth integrations to identify other SaaS apps in use.",[19,2815,2816],{},"This may allow an adversary to target those apps for lateral movement or better target those apps for attack.",[23,2818,58],{"id":57},[28,2820,2821,2826],{},[31,2822,2823],{},[64,2824,567],{"href":2825},"examples/google",[31,2827,2828],{},[64,2829,841],{"href":840},[23,2831,71],{"id":70},{"title":73,"searchDepth":74,"depth":74,"links":2833},[2834,2835,2836,2837],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[2839,2841],{"text":567,"url":2840},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/oauth_token_enumeration/examples/google.md",{"text":841,"url":2842},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/oauth_token_enumeration/examples/microsoft.md","oauth_token_enumeration",{},"/techniques/oauth_token_enumeration/description",[],{"title":2794,"description":2802},"techniques/oauth_token_enumeration/description","\u003Cp>SaaS app users may have authenticated using OIDC (social logins) or have created other OAuth integrations to share data and make better use of the app. If an adversary has compromised a user’s account, they can list out existing OAuth integrations to identify other SaaS apps in use.\u003C/p>\n\u003Cp>This may allow an adversary to target those apps for lateral movement or better target those apps for attack.\u003C/p>\n",[459],"SAT1026","VygaYP0CFQRQYzluUYCDlFO8QjWaWNU71ohg_xOqIBo",{"id":2854,"title":2855,"body":2856,"description":2863,"examples":2925,"extension":83,"githubDir":2930,"meta":2931,"name":2855,"navigation":86,"path":2932,"references":2933,"seo":2936,"slug":2860,"stem":2937,"summaryHtml":2938,"tactics":2939,"techniqueId":2940,"__hash__":2941},"browserIdentityAttacksTechniques/techniques/oauth_tokens/description.md","OAuth tokens",{"type":12,"value":2857,"toc":2919},[2858,2861,2864,2866,2872,2874,2877,2880,2883,2886,2888,2902,2904],[15,2859,2855],{"id":2860},"oauth-tokens",[19,2862,2863],{},"ID: SAT1027",[23,2865,26],{"id":25},[28,2867,2868,2870],{},[31,2869,662],{},[31,2871,330],{},[23,2873,40],{"id":39},[19,2875,2876],{},"An adversary can use a malicious OAuth app or API development tool to create an OAuth token, using arbitrary permissions to maintain long-term programmatic access to a compromised user account.",[19,2878,2879],{},"SaaS apps typically use OAuth tokens to grant access to app APIs, normally in the context of the user creating the token. Long term access is maintained through refresh tokens, which typically never expire. Refresh tokens can be used to generate short-lived access tokens, which are used to query the API. These tokens generally continue working after password changes and do not require MFA, resulting in a very effective way to maintain control over a compromised user account.",[19,2881,2882],{},"To get access to a raw refresh token after compromising a SaaS account, an adversary could create an integration with a malicious app they control. Most SaaS apps that support OAuth integrations provide SDKs and examples for creating these apps, and many don’t require verification or any security checks before publishing OAuth apps. An alternative method of creating and accessing OAuth tokens is through the use of in-browser API test utilities.",[19,2884,2885],{},"Because the app is controlled by the adversary, the requested scopes or permissions attached to the created token are chosen by the adversary, and are typically limited only by the scopes the app developer has made available.",[23,2887,58],{"id":57},[28,2889,2890,2896],{},[31,2891,2892],{},[64,2893,2895],{"href":2894},"examples/graph_explorer","Microsoft Graph Explorer",[31,2897,2898],{},[64,2899,2901],{"href":2900},"examples/slack_api_tester","Slack API tester",[23,2903,71],{"id":70},[28,2905,2906,2912],{},[31,2907,2908],{},[64,2909,2911],{"href":2529,"rel":2910},[261],"Microsoft blog - Threat actors misuse OAuth applications to automate financially driven attacks",[31,2913,2914],{},[64,2915,2918],{"href":2916,"rel":2917},"https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/",[261],"Microsoft blog - Midnight Blizzard using OAuth for persistence in attack against MS",{"title":73,"searchDepth":74,"depth":74,"links":2920},[2921,2922,2923,2924],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[2926,2928],{"text":2895,"url":2927},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/oauth_tokens/examples/graph_explorer.md",{"text":2901,"url":2929},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/oauth_tokens/examples/slack_api_tester.md","oauth_tokens",{},"/techniques/oauth_tokens/description",[2934,2935],{"text":2911,"url":2529},{"text":2918,"url":2916},{"title":2855,"description":2863},"techniques/oauth_tokens/description","\u003Cp>An adversary can use a malicious OAuth app or API development tool to create an OAuth token, using arbitrary permissions to maintain long-term programmatic access to a compromised user account.\u003C/p>\n\u003Cp>SaaS apps typically use OAuth tokens to grant access to app APIs, normally in the context of the user creating the token. Long term access is maintained through refresh tokens, which typically never expire. Refresh tokens can be used to generate short-lived access tokens, which are used to query the API. These tokens generally continue working after password changes and do not require MFA, resulting in a very effective way to maintain control over a compromised user account.\u003C/p>\n\u003Cp>To get access to a raw refresh token after compromising a SaaS account, an adversary could create an integration with a malicious app they control. Most SaaS apps that support OAuth integrations provide SDKs and examples for creating these apps, and many don’t require verification or any security checks before publishing OAuth apps. An alternative method of creating and accessing OAuth tokens is through the use of in-browser API test utilities.\u003C/p>\n\u003Cp>Because the app is controlled by the adversary, the requested scopes or permissions attached to the created token are chosen by the adversary, and are typically limited only by the scopes the app developer has made available.\u003C/p>\n",[662,330],"SAT1027","-TTS4fR-N3fH41ceYMDJO4u1fKq2a3WhyBOdmrTJ2o8",{"id":2943,"title":2944,"body":2945,"description":2952,"examples":3018,"extension":83,"githubDir":3023,"meta":3024,"name":2944,"navigation":86,"path":3025,"references":3026,"seo":3030,"slug":2949,"stem":3031,"summaryHtml":3032,"tactics":3033,"techniqueId":3034,"__hash__":3035},"browserIdentityAttacksTechniques/techniques/password_scraping/description.md","Password scraping",{"type":12,"value":2946,"toc":3012},[2947,2950,2953,2955,2959,2961,2964,2967,2970,2973,2975,2987,2989],[15,2948,2944],{"id":2949},"password-scraping",[19,2951,2952],{},"ID: SAT1028",[23,2954,26],{"id":25},[28,2956,2957],{},[31,2958,390],{},[23,2960,40],{"id":39},[19,2962,2963],{},"While it may not be security good practice, many teams stored passwords in cleartext, especially shared or system credentials. This could be passwords stored in files that are hosted in SaaS file stores, passwords noted in wikis or ticketing systems or passwords sent in emails during registration processes or as a result of forgotten password functionality.",[19,2965,2966],{},"One more modern example is that some SaaS apps allow passwordless email-based authentication, where a OTP is sent via email when a login is requested, rather than a user having a standard password.",[19,2968,2969],{},"An adversary could search for passwords via compromised apps in order to discover passwords that may allow them to move laterally to other apps and potentially as different user accounts too.",[19,2971,2972],{},"Additionally, cloud password managers are ripe targets for password scraping as compromising a cloud identity that allows direct access to a cloud password manager can enable large-scale password scraping.",[23,2974,58],{"id":57},[28,2976,2977,2981],{},[31,2978,2979],{},[64,2980,2276],{"href":2275},[31,2982,2983],{},[64,2984,2986],{"href":2985},"examples/canva","Canva",[23,2988,71],{"id":70},[28,2990,2991,2998,3005],{},[31,2992,2993],{},[64,2994,2997],{"href":2995,"rel":2996},"https://attack.mitre.org/techniques/T1552/",[261],"MITRE ATT&CK - Unsecured Credentials",[31,2999,3000],{},[64,3001,3004],{"href":3002,"rel":3003},"https://pushsecurity.com/blog/okta-swa/",[261],"Abusing Okta SWA - Technical blog post",[31,3006,3007],{},[64,3008,3011],{"href":3009,"rel":3010},"https://pushsecurity.com/blog/can-my-admins-steal-my-cloud-password-manager-secrets/",[261],"Can my admins steal my cloud password manager secrets? - Technical blog post",{"title":73,"searchDepth":74,"depth":74,"links":3013},[3014,3015,3016,3017],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[3019,3021],{"text":2276,"url":3020},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/password_scraping/examples/okta.md",{"text":2986,"url":3022},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/password_scraping/examples/canva.md","password_scraping",{},"/techniques/password_scraping/description",[3027,3028,3029],{"text":2997,"url":2995},{"text":3004,"url":3002},{"text":3011,"url":3009},{"title":2944,"description":2952},"techniques/password_scraping/description","\u003Cp>While it may not be security good practice, many teams stored passwords in cleartext, especially shared or system credentials. This could be passwords stored in files that are hosted in SaaS file stores, passwords noted in wikis or ticketing systems or passwords sent in emails during registration processes or as a result of forgotten password functionality.\u003C/p>\n\u003Cp>One more modern example is that some SaaS apps allow passwordless email-based authentication, where a OTP is sent via email when a login is requested, rather than a user having a standard password.\u003C/p>\n\u003Cp>An adversary could search for passwords via compromised apps in order to discover passwords that may allow them to move laterally to other apps and potentially as different user accounts too.\u003C/p>\n\u003Cp>Additionally, cloud password managers are ripe targets for password scraping as compromising a cloud identity that allows direct access to a cloud password manager can enable large-scale password scraping.\u003C/p>\n",[390],"SAT1028","AQULw02O6eiregZcAfSchVSvUBgxCvVOWPypKqsHHDo",{"id":3037,"title":3038,"body":3039,"description":3046,"examples":3085,"extension":83,"githubDir":3092,"meta":3093,"name":3038,"navigation":86,"path":3094,"references":3095,"seo":3096,"slug":3043,"stem":3097,"summaryHtml":3098,"tactics":3099,"techniqueId":3100,"__hash__":3101},"browserIdentityAttacksTechniques/techniques/passwordless_logins/description.md","Passwordless logins",{"type":12,"value":3040,"toc":3079},[3041,3044,3047,3049,3053,3055,3058,3061,3063,3077],[15,3042,3038],{"id":3043},"passwordless-logins",[19,3045,3046],{},"ID: SAT1029",[23,3048,26],{"id":25},[28,3050,3051],{},[31,3052,36],{},[23,3054,40],{"id":39},[19,3056,3057],{},"Some SaaS apps allow passwordless email-based authentication, where an OTP is sent via email when a login is requested, rather than a user having a standard password.",[19,3059,3060],{},"An adversary with email access could laterally move to other SaaS apps that support this login type. This technique has the added benefit of avoiding detection due to a user noticing that their credentials have been altered.",[23,3062,58],{"id":57},[28,3064,3065,3069,3073],{},[31,3066,3067],{},[64,3068,2986],{"href":2985},[31,3070,3071],{},[64,3072,1958],{"href":1957},[31,3074,3075],{},[64,3076,1687],{"href":1686},[23,3078,71],{"id":70},{"title":73,"searchDepth":74,"depth":74,"links":3080},[3081,3082,3083,3084],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[3086,3088,3090],{"text":2986,"url":3087},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/passwordless_logins/examples/canva.md",{"text":1958,"url":3089},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/passwordless_logins/examples/slack.md",{"text":1687,"url":3091},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/passwordless_logins/examples/expensify.md","passwordless_logins",{},"/techniques/passwordless_logins/description",[],{"title":3038,"description":3046},"techniques/passwordless_logins/description","\u003Cp>Some SaaS apps allow passwordless email-based authentication, where an OTP is sent via email when a login is requested, rather than a user having a standard password.\u003C/p>\n\u003Cp>An adversary with email access could laterally move to other SaaS apps that support this login type. This technique has the added benefit of avoiding detection due to a user noticing that their credentials have been altered.\u003C/p>\n",[36],"SAT1029","KibocqXtZQiJHhGuYDAK4FqmxgpICCM0772ckbmexHQ",{"id":3103,"title":3104,"body":3105,"description":3112,"examples":3181,"extension":83,"githubDir":3186,"meta":3187,"name":3104,"navigation":86,"path":3188,"references":3189,"seo":3191,"slug":3109,"stem":3192,"summaryHtml":3193,"tactics":3194,"techniqueId":3195,"__hash__":3196},"browserIdentityAttacksTechniques/techniques/poisoned_tenants/description.md","Poisoned tenants",{"type":12,"value":3106,"toc":3175},[3107,3110,3113,3115,3119,3121,3124,3127,3130,3133,3141,3150,3152,3164,3166],[15,3108,3104],{"id":3109},"poisoned-tenants",[19,3111,3112],{},"ID: SAT1030",[23,3114,26],{"id":25},[28,3116,3117],{},[31,3118,112],{},[23,3120,40],{"id":39},[19,3122,3123],{},"An adversary can register a new tenant that it controls and administers with the intent of tricking users to join it, by convincing them it is owned by their organization.",[19,3125,3126],{},"This often means the adversary will have access to all data within the SaaS tenant and may be able to abuse employee-created OAuth or API integrations with other SaaS apps. Targeting SaaS apps that require or encourage users to create integrations with sensitive assets (such as their mailbox) during signup are more likely to yield useful data for the adversary.",[19,3128,3129],{},"In many cases, execution of such an attack will take careful social engineering. However, invite functionality and automatic account association features often found in SaaS apps can make this attack easier to perform. Some SaaS vendors even automatically prompt a user to join a tenant when they sign up to the app if an invite has previously been sent (even if they ignored the invitation itself) increasing the longevity and chance of a successful attack.",[19,3131,3132],{},"Adversaries may use other techniques to make poisoned tenants appealing to users, such as upgrading the tenant to a higher license tier, unlocking useful features.",[19,3134,3135,3136,3140],{},"A demo video of an attack chain combining a poisoned tenant with a ",[64,3137,3139],{"href":3138},"/techniques/samljacking/description.md","SAMLjacking"," attack is given below:",[19,3142,3143],{},[64,3144,3147],{"href":3145,"rel":3146},"https://www.youtube.com/watch?v=4gAeSxbycXU",[261],[953,3148],{"alt":955,"src":3149},"https://img.youtube.com/vi/4gAeSxbycXU/0.jpg",[23,3151,58],{"id":57},[28,3153,3154,3160],{},[31,3155,3156],{},[64,3157,3159],{"href":3158},"examples/trello","Trello",[31,3161,3162],{},[64,3163,2350],{"href":2349},[23,3165,71],{"id":70},[28,3167,3168],{},[31,3169,3170],{},[64,3171,3174],{"href":3172,"rel":3173},"https://pushsecurity.com/blog/samljacking-a-poisoned-tenant/",[261],"SAMLjacking a poisoned tenant - Technical blog post",{"title":73,"searchDepth":74,"depth":74,"links":3176},[3177,3178,3179,3180],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[3182,3184],{"text":3159,"url":3183},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/poisoned_tenants/examples/trello.md",{"text":2350,"url":3185},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/poisoned_tenants/examples/nuclino.md","poisoned_tenants",{},"/techniques/poisoned_tenants/description",[3190],{"text":3174,"url":3172},{"title":3104,"description":3112},"techniques/poisoned_tenants/description","\u003Cp>An adversary can register a new tenant that it controls and administers with the intent of tricking users to join it, by convincing them it is owned by their organization.\u003C/p>\n\u003Cp>This often means the adversary will have access to all data within the SaaS tenant and may be able to abuse employee-created OAuth or API integrations with other SaaS apps. Targeting SaaS apps that require or encourage users to create integrations with sensitive assets (such as their mailbox) during signup are more likely to yield useful data for the adversary.\u003C/p>\n\u003Cp>In many cases, execution of such an attack will take careful social engineering. However, invite functionality and automatic account association features often found in SaaS apps can make this attack easier to perform. Some SaaS vendors even automatically prompt a user to join a tenant when they sign up to the app if an invite has previously been sent (even if they ignored the invitation itself) increasing the longevity and chance of a successful attack.\u003C/p>\n\u003Cp>Adversaries may use other techniques to make poisoned tenants appealing to users, such as upgrading the tenant to a higher license tier, unlocking useful features.\u003C/p>\n\u003Cp>A demo video of an attack chain combining a poisoned tenant with a \u003Ca href=\"/resources/browser-identity-attacks-matrix/samljacking\">SAMLjacking\u003C/a> attack is given below:\u003C/p>\n\u003Cp>\u003Ca href=\"https://www.youtube.com/watch?v=4gAeSxbycXU\" target=\"_blank\" rel=\"noopener noreferrer\">demo video ↗\u003C/a>\u003C/p>\n",[112],"SAT1030","qNfkVrROThiaa-3ZKLH692z8UZQPhvjRQTCsiDUPWGM",{"id":3198,"title":3199,"body":3200,"description":3207,"examples":3247,"extension":83,"githubDir":3252,"meta":3253,"name":3199,"navigation":86,"path":3254,"references":3255,"seo":3256,"slug":3204,"stem":3257,"summaryHtml":3258,"tactics":3259,"techniqueId":3260,"__hash__":3261},"browserIdentityAttacksTechniques/techniques/saml_enumeration/description.md","SAML enumeration",{"type":12,"value":3201,"toc":3241},[3202,3205,3208,3210,3214,3216,3219,3222,3225,3227,3239],[15,3203,3199],{"id":3204},"saml-enumeration",[19,3206,3207],{},"ID: SAT1031",[23,3209,26],{"id":25},[28,3211,3212],{},[31,3213,1367],{},[23,3215,40],{"id":39},[19,3217,3218],{},"It’s often possible to determine if an organization is using a SaaS app by checking whether a SAML login IdP has been configured for the organization domain.",[19,3220,3221],{},"Where a dedicated SAML IdP endpoint has been configured, a SaaS app usually needs to map certain logins to that endpoint under certain conditions. Commonly, this will be based on the email domain of the user account, or based on a subdomain or path-based tenant separation.",[19,3223,3224],{},"If SAML is used, adversaries can discover whether a target organization is using a SaaS app and what their SAML provider is by making login attempts using their email domain, or by making login attempts via subdomains or path-based tenants based on the organization name.",[23,3226,58],{"id":57},[28,3228,3229,3235],{},[31,3230,3231],{},[64,3232,3234],{"href":3233},"examples/ramp","Ramp",[31,3236,3237],{},[64,3238,1687],{"href":1686},[23,3240,71],{"id":70},{"title":73,"searchDepth":74,"depth":74,"links":3242},[3243,3244,3245,3246],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[3248,3250],{"text":3234,"url":3249},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/saml_enumeration/examples/ramp.md",{"text":1687,"url":3251},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/saml_enumeration/examples/expensify.md","saml_enumeration",{},"/techniques/saml_enumeration/description",[],{"title":3199,"description":3207},"techniques/saml_enumeration/description","\u003Cp>It’s often possible to determine if an organization is using a SaaS app by checking whether a SAML login IdP has been configured for the organization domain.\u003C/p>\n\u003Cp>Where a dedicated SAML IdP endpoint has been configured, a SaaS app usually needs to map certain logins to that endpoint under certain conditions. Commonly, this will be based on the email domain of the user account, or based on a subdomain or path-based tenant separation.\u003C/p>\n\u003Cp>If SAML is used, adversaries can discover whether a target organization is using a SaaS app and what their SAML provider is by making login attempts using their email domain, or by making login attempts via subdomains or path-based tenants based on the organization name.\u003C/p>\n",[1367],"SAT1031","CR4hNV4Tjkp7AGJ2_AJnynFLQViBzsDcu5Ucc-zPfIc",{"id":3263,"title":3139,"body":3264,"description":3271,"examples":3340,"extension":83,"githubDir":3268,"meta":3345,"name":3139,"navigation":86,"path":3346,"references":3347,"seo":3350,"slug":3268,"stem":3351,"summaryHtml":3352,"tactics":3353,"techniqueId":3354,"__hash__":3355},"browserIdentityAttacksTechniques/techniques/samljacking/description.md",{"type":12,"value":3265,"toc":3334},[3266,3269,3272,3274,3280,3282,3285,3288,3291,3299,3306,3308,3320,3322],[15,3267,3139],{"id":3268},"samljacking",[19,3270,3271],{},"ID: SAT1032",[23,3273,26],{"id":25},[28,3275,3276,3278],{},[31,3277,112],{},[31,3279,36],{},[23,3281,40],{"id":39},[19,3283,3284],{},"When configuring SAML integrations for a SaaS app, you must provide a URL to an IdP service so the app can hand-off authentication during the SAML flow. Users expect to be redirected to common SSO login pages (e.g. Google or Microsoft login), and are unlikely to check that the login URL they are redirected to matches the official domain.",[19,3286,3287],{},"An adversary could configure an app tenant with SAML and configure the URL to point to a credential phishing page that looks like or proxies a legitimate authentication service (e.g. Google or Microsoft).",[19,3289,3290],{},"The adversary could target users by sending seemingly legitimate links to the app login page to the tenant. This attack can be made more effective by naming the tenant something familiar for the target (few apps restrict the names of tenants) and using in-app invite mechanisms to lure victims to the tenant.",[19,3292,3293,3294,3298],{},"A demo video of an attack chain combining SAMLjacking with a ",[64,3295,3297],{"href":3296},"/techniques/poisoned_tenants/description.md","poisoned tenant"," is given below:",[19,3300,3301],{},[64,3302,3304],{"href":3145,"rel":3303},[261],[953,3305],{"alt":955,"src":3149},[23,3307,58],{"id":57},[28,3309,3310,3314],{},[31,3311,3312],{},[64,3313,2350],{"href":2349},[31,3315,3316],{},[64,3317,3319],{"href":3318},"examples/datadog","Datadog",[23,3321,71],{"id":70},[28,3323,3324,3329],{},[31,3325,3326],{},[64,3327,1509],{"href":259,"rel":3328},[261],[31,3330,3331],{},[64,3332,3174],{"href":3172,"rel":3333},[261],{"title":73,"searchDepth":74,"depth":74,"links":3335},[3336,3337,3338,3339],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[3341,3343],{"text":2350,"url":3342},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/samljacking/examples/nuclino.md",{"text":3319,"url":3344},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/samljacking/examples/datadog.md",{},"/techniques/samljacking/description",[3348,3349],{"text":1509,"url":259},{"text":3174,"url":3172},{"title":3139,"description":3271},"techniques/samljacking/description","\u003Cp>When configuring SAML integrations for a SaaS app, you must provide a URL to an IdP service so the app can hand-off authentication during the SAML flow. Users expect to be redirected to common SSO login pages (e.g. Google or Microsoft login), and are unlikely to check that the login URL they are redirected to matches the official domain.\u003C/p>\n\u003Cp>An adversary could configure an app tenant with SAML and configure the URL to point to a credential phishing page that looks like or proxies a legitimate authentication service (e.g. Google or Microsoft).\u003C/p>\n\u003Cp>The adversary could target users by sending seemingly legitimate links to the app login page to the tenant. This attack can be made more effective by naming the tenant something familiar for the target (few apps restrict the names of tenants) and using in-app invite mechanisms to lure victims to the tenant.\u003C/p>\n\u003Cp>A demo video of an attack chain combining SAMLjacking with a \u003Ca href=\"/resources/browser-identity-attacks-matrix/poisoned-tenants\">poisoned tenant\u003C/a> is given below:\u003C/p>\n\u003Cp>\u003Ca href=\"https://www.youtube.com/watch?v=4gAeSxbycXU\" target=\"_blank\" rel=\"noopener noreferrer\">demo video ↗\u003C/a>\u003C/p>\n",[112,36],"SAT1032","Fs9GhXRPhhq2oX2BYTIa3PcgyiPPDxoS8JC_9Op2Z28",{"id":3357,"title":3358,"body":3359,"description":3366,"examples":3435,"extension":83,"githubDir":3436,"meta":3437,"name":3358,"navigation":86,"path":3438,"references":3439,"seo":3443,"slug":3363,"stem":3444,"summaryHtml":3445,"tactics":3446,"techniqueId":3447,"__hash__":3448},"browserIdentityAttacksTechniques/techniques/session_cookie_theft/description.md","Session cookie theft",{"type":12,"value":3360,"toc":3430},[3361,3364,3367,3369,3375,3377,3380,3383,3386,3400,3407,3409],[15,3362,3358],{"id":3363},"session-cookie-theft",[19,3365,3366],{},"ID: SAT1044",[23,3368,26],{"id":25},[28,3370,3371,3373],{},[31,3372,36],{},[31,3374,333],{},[23,3376,40],{"id":39},[19,3378,3379],{},"Due to increasing use of SaaS apps, core identity providers acting as SSO gateways to them, and the widespread adoption of MFA, hybrid attacks involving the theft of valid browser session cookies from compromised endpoints using infostealing malware are becoming more common. These session cookies are then used to pivot from an endpoint compromise and laterally move to downstream SaaS applications. They are typically imported into an adversary's own browser and then used to resume access to the authenticated session without re-authenticating.",[19,3381,3382],{},"Previously, endpoint compromises would have often involved credential dumping and been focused on lateral movement to other endpoints or internal servers. Now there is an increasing drive to move to SaaS applications instead. Widespread MFA use makes captured passwords less useful alone and so stealing authenticated session cookies is a valid method to circumvent MFA. This can even potentially circumvent modern phishing-resistant MFA factors such as passkeys as it can circumvent the requirement to re-authenticate entirely.",[19,3384,3385],{},"Session cookies for any SaaS application are useful but when valid sessions for core IdPs are compromised then adversaries will typically be able to laterally move to a large number of downstream SaaS applications by abusing SSO mechanisms like SAML and OIDC. Vendor-specific technologies like Okta SWA will also allow direct credential compromise for other downstream SaaS applications.",[19,3387,3388,3389,3394,3395,557],{},"While adversaries may steal cookies directly using compromised endpoints, stolen cookies have also become available for sale in the criminal world from infostealing malware, therefore it may be possible to directly purchase cookies for use. More information of the criminal ecosystem can be found in this ",[64,3390,3393],{"href":3391,"rel":3392},"https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem/",[261],"blog post"," and more information on a variety of stealer malware families can be found in this ",[64,3396,3399],{"href":3397,"rel":3398},"https://news.sophos.com/en-us/2024/03/12/2024-sophos-threat-report/",[261],"threat report",[19,3401,3402,3403,3406],{},"This technique is related to, but distinct from, ",[64,3404,3405],{"href":2581},"AitM Phishing",", which seeks to compromise sessions to circumvent MFA as an initial access vector.",[23,3408,71],{"id":70},[28,3410,3411,3418,3424],{},[31,3412,3413],{},[64,3414,3417],{"href":3415,"rel":3416},"https://attack.mitre.org/techniques/T1185/",[261],"MITRE ATT&CK - Browser Session Hijacking",[31,3419,3420],{},[64,3421,3423],{"href":3397,"rel":3422},[261],"2024 Sophos Threat Report",[31,3425,3426],{},[64,3427,3429],{"href":3391,"rel":3428},[261],"Traffers - a deep dive into the information stealer ecosystem",{"title":73,"searchDepth":74,"depth":74,"links":3431},[3432,3433,3434],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":70,"depth":74,"text":71},[],"session_cookie_theft",{},"/techniques/session_cookie_theft/description",[3440,3441,3442],{"text":3417,"url":3415},{"text":3423,"url":3397},{"text":3429,"url":3391},{"title":3358,"description":3366},"techniques/session_cookie_theft/description","\u003Cp>Due to increasing use of SaaS apps, core identity providers acting as SSO gateways to them, and the widespread adoption of MFA, hybrid attacks involving the theft of valid browser session cookies from compromised endpoints using infostealing malware are becoming more common. These session cookies are then used to pivot from an endpoint compromise and laterally move to downstream SaaS applications. They are typically imported into an adversary&#39;s own browser and then used to resume access to the authenticated session without re-authenticating. \u003C/p>\n\u003Cp>Previously, endpoint compromises would have often involved credential dumping and been focused on lateral movement to other endpoints or internal servers. Now there is an increasing drive to move to SaaS applications instead. Widespread MFA use makes captured passwords less useful alone and so stealing authenticated session cookies is a valid method to circumvent MFA. This can even potentially circumvent modern phishing-resistant MFA factors such as passkeys as it can circumvent the requirement to re-authenticate entirely. \u003C/p>\n\u003Cp>Session cookies for any SaaS application are useful but when valid sessions for core IdPs are compromised then adversaries will typically be able to laterally move to a large number of downstream SaaS applications by abusing SSO mechanisms like SAML and OIDC. Vendor-specific technologies like Okta SWA will also allow direct credential compromise for other downstream SaaS applications.\u003C/p>\n\u003Cp>While adversaries may steal cookies directly using compromised endpoints, stolen cookies have also become available for sale in the criminal world from infostealing malware, therefore it may be possible to directly purchase cookies for use. More information of the criminal ecosystem can be found in this \u003Ca href=\"https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem/\" target=\"_blank\" rel=\"noopener noreferrer\">blog post\u003C/a> and more information on a variety of stealer malware families can be found in this \u003Ca href=\"https://news.sophos.com/en-us/2024/03/12/2024-sophos-threat-report/\" target=\"_blank\" rel=\"noopener noreferrer\">threat report\u003C/a>.\u003C/p>\n\u003Cp>This technique is related to, but distinct from, \u003Ca href=\"/resources/browser-identity-attacks-matrix/aitm-phishing\">AitM Phishing\u003C/a>, which seeks to compromise sessions to circumvent MFA as an initial access vector.\u003C/p>\n",[36,333],"SAT1044","p1HG9tTK2Nkm6fwbEmfu7jGI4ASQs9Td49Aq4SyHLPg",{"id":3450,"title":3451,"body":3452,"description":3459,"examples":3550,"extension":83,"githubDir":3554,"meta":3555,"name":3451,"navigation":86,"path":3556,"references":3557,"seo":3563,"slug":3456,"stem":3564,"summaryHtml":3565,"tactics":3566,"techniqueId":3567,"__hash__":3568},"browserIdentityAttacksTechniques/techniques/shadow_workflows/description.md","Shadow workflows",{"type":12,"value":3453,"toc":3544},[3454,3457,3460,3462,3469,3471,3474,3477,3480,3483,3486,3492,3499,3501,3509,3511],[15,3455,3451],{"id":3456},"shadow-workflows",[19,3458,3459],{},"ID: SAT1033",[23,3461,26],{"id":25},[28,3463,3464,3466],{},[31,3465,662],{},[31,3467,3468],{},"Exfiltration",[23,3470,40],{"id":39},[19,3472,3473],{},"The SaaS world is, by design, largely abstracted away from operating systems and application binaries. There isn’t always a generic equivalent of gaining code execution as you might during an endpoint compromise.",[19,3475,3476],{},"The closest approximation to this in the SaaS world may be low- or no-code automation apps. These are SaaS apps that are focused on integrating with a variety of other SaaS apps and allow the user to automate common tasks. In no-code apps this is done using easy-to-learn UI components that abstract code, where low-code flavors provide scaffolding to minimize code. The user created functions are often called automations, workflows or playbooks.",[19,3478,3479],{},"An adversary with access to a target SaaS account can configure a workflow automation to execute a wide range of malicious actions against the breached account. This could be a daily export of files from shared cloud drives, automatic forwarding and deleting of emails, cloning instant messages, exporting user directories. Basically anything that is possible using the target app’s API.",[19,3481,3482],{},"While the graphical interface is useful for non-technical users, many of these automation platforms allow advanced users to craft direct API calls (often called low-code), which unlocks enormous flexibility for adversaries.",[19,3484,3485],{},"Akin to traditional endpoint “Living Off The Land” (LOTL) techniques such as PowerShell, an adversary may use these legitimate, well-known SaaS automation apps rather than custom OAuth integrations to avoid detection.",[19,3487,3488,3489,3298],{},"A demo video of an attack chain combining a shadow workflow with an ",[64,3490,754],{"href":3491},"/techniques/evil_twin_integrations/description.md",[19,3493,3494],{},[64,3495,3497],{"href":1578,"rel":3496},[261],[953,3498],{"alt":955,"src":1582},[23,3500,58],{"id":57},[28,3502,3503,3507],{},[31,3504,3505],{},[64,3506,67],{"href":66},[31,3508,688],{},[23,3510,71],{"id":70},[28,3512,3513,3520,3527,3532,3537],{},[31,3514,3515],{},[64,3516,3519],{"href":3517,"rel":3518},"https://www.pentestpartners.com/security-blog/living-off-the-cloud-cloudy-with-a-chance-of-exfiltration/",[261],"Living off the Cloud. Cloudy with a Chance of Exfiltration",[31,3521,3522],{},[64,3523,3526],{"href":3524,"rel":3525},"https://attack.mitre.org/techniques/T1020/",[261],"MITRE ATT&CK - Automated Exfiltration",[31,3528,3529],{},[64,3530,1609],{"href":1607,"rel":3531},[261],[31,3533,3534],{},[64,3535,1982],{"href":1980,"rel":3536},[261],[31,3538,3539],{},[64,3540,3543],{"href":3541,"rel":3542},"https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/",[261],"Octo Tempest use FiveTran to steal SalesForce and ZenDesk databases",{"title":73,"searchDepth":74,"depth":74,"links":3545},[3546,3547,3548,3549],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[3551,3553],{"text":67,"url":3552},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/shadow_workflows/examples/zapier.md",{"text":688},"shadow_workflows",{},"/techniques/shadow_workflows/description",[3558,3559,3560,3561,3562],{"text":3519,"url":3517},{"text":3526,"url":3524},{"text":1609,"url":1607},{"text":1982,"url":1980},{"text":3543,"url":3541},{"title":3451,"description":3459},"techniques/shadow_workflows/description","\u003Cp>The SaaS world is, by design, largely abstracted away from operating systems and application binaries. There isn’t always a generic equivalent of gaining code execution as you might during an endpoint compromise.\u003C/p>\n\u003Cp>The closest approximation to this in the SaaS world may be low- or no-code automation apps. These are SaaS apps that are focused on integrating with a variety of other SaaS apps and allow the user to automate common tasks. In no-code apps this is done using easy-to-learn UI components that abstract code, where low-code flavors provide scaffolding to minimize code. The user created functions are often called automations, workflows or playbooks.\u003C/p>\n\u003Cp>An adversary with access to a target SaaS account can configure a workflow automation to execute a wide range of malicious actions against the breached account. This could be a daily export of files from shared cloud drives, automatic forwarding and deleting of emails, cloning instant messages, exporting user directories. Basically anything that is possible using the target app’s API.\u003C/p>\n\u003Cp>While the graphical interface is useful for non-technical users, many of these automation platforms allow advanced users to craft direct API calls (often called low-code), which unlocks enormous flexibility for adversaries.\u003C/p>\n\u003Cp>Akin to traditional endpoint “Living Off The Land” (LOTL) techniques such as PowerShell, an adversary may use these legitimate, well-known SaaS automation apps rather than custom OAuth integrations to avoid detection.\u003C/p>\n\u003Cp>A demo video of an attack chain combining a shadow workflow with an \u003Ca href=\"/resources/browser-identity-attacks-matrix/evil-twin-integrations\">evil twin integration\u003C/a> is given below:\u003C/p>\n\u003Cp>\u003Ca href=\"https://www.youtube.com/watch?v=g2EITjjJH1s\" target=\"_blank\" rel=\"noopener noreferrer\">demo video ↗\u003C/a>\u003C/p>\n",[662,3468],"SAT1033","qXNJ-JnXNXANYqU41co-4ezlIEXQQM5iFOBmGVvi5TE",{"id":3570,"title":3571,"body":3572,"description":3579,"examples":3624,"extension":83,"githubDir":3627,"meta":3628,"name":3571,"navigation":86,"path":3629,"references":3630,"seo":3632,"slug":3576,"stem":3633,"summaryHtml":3634,"tactics":3635,"techniqueId":3636,"__hash__":3637},"browserIdentityAttacksTechniques/techniques/slug_tenant_enumeration/description.md","Slug tenant enumeration",{"type":12,"value":3573,"toc":3618},[3574,3577,3580,3582,3586,3588,3591,3594,3597,3599,3607,3609],[15,3575,3571],{"id":3576},"slug-tenant-enumeration",[19,3578,3579],{},"ID: SAT1034",[23,3581,26],{"id":25},[28,3583,3584],{},[31,3585,1367],{},[23,3587,40],{"id":39},[19,3589,3590],{},"SaaS vendors make use of different strategies to separate tenants from one another. Often, this is based on the creation of a “slug” chosen by the user during tenant creation. This is used as either a path separator, query parameter, or subdomain to separate tenants.",[19,3592,3593],{},"There are often methods within a SaaS app that allow existing slugs to be enumerated, for example, when attempting to create a new tenant the app may error stating that a tenant with that slug already exists.",[19,3595,3596],{},"It is common for the organization name itself to be used, or something very close to it, so querying a number of variations of the organization name is often a method for discovering if a SaaS app is in use and what the tenant name is.",[23,3598,58],{"id":57},[28,3600,3601],{},[31,3602,3603],{},[64,3604,3606],{"href":3605},"examples/bamboohr","BambooHR",[23,3608,71],{"id":70},[28,3610,3611],{},[31,3612,3613],{},[64,3614,3617],{"href":3615,"rel":3616},"https://attack.mitre.org/techniques/T1595/003/",[261],"MITRE ATT&CK - Wordlist Scanning",{"title":73,"searchDepth":74,"depth":74,"links":3619},[3620,3621,3622,3623],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[3625],{"text":3606,"url":3626},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/slug_tenant_enumeration/examples/bamboohr.md","slug_tenant_enumeration",{},"/techniques/slug_tenant_enumeration/description",[3631],{"text":3617,"url":3615},{"title":3571,"description":3579},"techniques/slug_tenant_enumeration/description","\u003Cp>SaaS vendors make use of different strategies to separate tenants from one another. Often, this is based on the creation of a “slug” chosen by the user during tenant creation. This is used as either a path separator, query parameter, or subdomain to separate tenants.\u003C/p>\n\u003Cp>There are often methods within a SaaS app that allow existing slugs to be enumerated, for example, when attempting to create a new tenant the app may error stating that a tenant with that slug already exists.\u003C/p>\n\u003Cp>It is common for the organization name itself to be used, or something very close to it, so querying a number of variations of the organization name is often a method for discovering if a SaaS app is in use and what the tenant name is.\u003C/p>\n",[1367],"SAT1034","3BVRn618fyReRLbkT_k2WJR9hFn89T5GXMQm6TxiUFk",{"id":3639,"title":3640,"body":3641,"description":3648,"examples":3689,"extension":83,"githubDir":3692,"meta":3693,"name":3640,"navigation":86,"path":3694,"references":3695,"seo":3697,"slug":3645,"stem":3698,"summaryHtml":3699,"tactics":3700,"techniqueId":3701,"__hash__":3702},"browserIdentityAttacksTechniques/techniques/subdomain_tenant_discovery/description.md","Subdomain tenant discovery",{"type":12,"value":3642,"toc":3683},[3643,3646,3649,3651,3655,3657,3660,3663,3666,3668,3674,3676],[15,3644,3640],{"id":3645},"subdomain-tenant-discovery",[19,3647,3648],{},"ID: SAT1035",[23,3650,26],{"id":25},[28,3652,3653],{},[31,3654,1367],{},[23,3656,40],{"id":39},[19,3658,3659],{},"SaaS vendors make use of different strategies to separate different tenants from one another. One of these methods is the use of a unique subdomain, which is often picked during the creation of a new tenant.",[19,3661,3662],{},"Consequently, DNS enumeration techniques to discover valid subdomains can give an insight into who uses a given SaaS app. For example, adversaries can use DNS brute forcing or passive DNS enumeration to discover this information.",[19,3664,3665],{},"It’s common for the organization name itself to be used, making it easy to discover these tenant names or subdomains.",[23,3667,58],{"id":57},[28,3669,3670],{},[31,3671,3672],{},[64,3673,3606],{"href":3605},[23,3675,71],{"id":70},[28,3677,3678],{},[31,3679,3680],{},[64,3681,3617],{"href":3615,"rel":3682},[261],{"title":73,"searchDepth":74,"depth":74,"links":3684},[3685,3686,3687,3688],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[3690],{"text":3606,"url":3691},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/subdomain_tenant_discovery/examples/bamboohr.md","subdomain_tenant_discovery",{},"/techniques/subdomain_tenant_discovery/description",[3696],{"text":3617,"url":3615},{"title":3640,"description":3648},"techniques/subdomain_tenant_discovery/description","\u003Cp>SaaS vendors make use of different strategies to separate different tenants from one another. One of these methods is the use of a unique subdomain, which is often picked during the creation of a new tenant.\u003C/p>\n\u003Cp>Consequently, DNS enumeration techniques to discover valid subdomains can give an insight into who uses a given SaaS app. For example, adversaries can use DNS brute forcing or passive DNS enumeration to discover this information.\u003C/p>\n\u003Cp>It’s common for the organization name itself to be used, making it easy to discover these tenant names or subdomains.\u003C/p>\n",[1367],"SAT1035","E3ekuDwltpo8v0_LSZtbdN8aZtl7hHqLvKMxJUUEZug",{"id":3704,"title":3705,"body":3706,"description":3713,"examples":3761,"extension":83,"githubDir":3764,"meta":3765,"name":3705,"navigation":86,"path":3766,"references":3767,"seo":3770,"slug":3710,"stem":3771,"summaryHtml":3772,"tactics":3773,"techniqueId":3774,"__hash__":3775},"browserIdentityAttacksTechniques/techniques/system_integrations/description.md","System integrations",{"type":12,"value":3707,"toc":3755},[3708,3711,3714,3716,3722,3724,3727,3730,3733,3735,3741,3743],[15,3709,3705],{"id":3710},"system-integrations",[19,3712,3713],{},"ID: SAT1036",[23,3715,26],{"id":25},[28,3717,3718,3720],{},[31,3719,330],{},[31,3721,333],{},[23,3723,40],{"id":39},[19,3725,3726],{},"Some SaaS apps allow OAuth integrations that are not tied to a user account, but to the app tenant, or a machine account instead. Since the integration is not tied to a specific user, persistence can be maintained after a user account has been disabled or deleted.",[19,3728,3729],{},"It can also frustrate forensics by obfuscating which user account is responsible for actions taken by the integration, particularly when that relates to a user account that has since been deleted. This is somewhat equivalent to migrating to a system process in an endpoint attack.",[19,3731,3732],{},"In some cases, app-level integrations require administrative permissions but in others a standard user can do this, resulting in a more significant threat.",[23,3734,58],{"id":57},[28,3736,3737],{},[31,3738,3739],{},[64,3740,1958],{"href":1957},[23,3742,71],{"id":70},[28,3744,3745,3750],{},[31,3746,3747],{},[64,3748,1982],{"href":1980,"rel":3749},[261],[31,3751,3752],{},[64,3753,2003],{"href":2001,"rel":3754},[261],{"title":73,"searchDepth":74,"depth":74,"links":3756},[3757,3758,3759,3760],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[3762],{"text":1958,"url":3763},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/system_integrations/examples/slack.md","system_integrations",{},"/techniques/system_integrations/description",[3768,3769],{"text":1982,"url":1980},{"text":2003,"url":2001},{"title":3705,"description":3713},"techniques/system_integrations/description","\u003Cp>Some SaaS apps allow OAuth integrations that are not tied to a user account, but to the app tenant, or a machine account instead. Since the integration is not tied to a specific user, persistence can be maintained after a user account has been disabled or deleted.\u003C/p>\n\u003Cp>It can also frustrate forensics by obfuscating which user account is responsible for actions taken by the integration, particularly when that relates to a user account that has since been deleted. This is somewhat equivalent to migrating to a system process in an endpoint attack.\u003C/p>\n\u003Cp>In some cases, app-level integrations require administrative permissions but in others a standard user can do this, resulting in a more significant threat.\u003C/p>\n",[330,333],"SAT1036","Qr1jDuJgx7Zzs2WyXPhXbickbQsTXPSXVsS3S_tDics",{"id":3777,"title":3778,"body":3779,"description":3786,"examples":3817,"extension":83,"githubDir":3820,"meta":3821,"name":3778,"navigation":86,"path":3822,"references":3823,"seo":3824,"slug":3783,"stem":3825,"summaryHtml":3826,"tactics":3827,"techniqueId":3828,"__hash__":3829},"browserIdentityAttacksTechniques/techniques/takeout_services/description.md","Takeout services",{"type":12,"value":3780,"toc":3811},[3781,3784,3787,3789,3793,3795,3798,3801,3803,3809],[15,3782,3778],{"id":3783},"takeout-services",[19,3785,3786],{},"ID: SAT1037",[23,3788,26],{"id":25},[28,3790,3791],{},[31,3792,3468],{},[23,3794,40],{"id":39},[19,3796,3797],{},"Takeout services allow users to export all of their data from a SaaS app into a downloadable format. This is often used to satisfy compliance with GDPR which requires that data subjects maintain ownership of their data.",[19,3799,3800],{},"An adversary can make use of this functionality to quickly and easily exfiltrate a very complete set of data from a SaaS app.",[23,3802,58],{"id":57},[28,3804,3805],{},[31,3806,3807],{},[64,3808,567],{"href":2825},[23,3810,71],{"id":70},{"title":73,"searchDepth":74,"depth":74,"links":3812},[3813,3814,3815,3816],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[3818],{"text":567,"url":3819},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/takeout_services/examples/google.md","takeout_services",{},"/techniques/takeout_services/description",[],{"title":3778,"description":3786},"techniques/takeout_services/description","\u003Cp>Takeout services allow users to export all of their data from a SaaS app into a downloadable format. This is often used to satisfy compliance with GDPR which requires that data subjects maintain ownership of their data.\u003C/p>\n\u003Cp>An adversary can make use of this functionality to quickly and easily exfiltrate a very complete set of data from a SaaS app.\u003C/p>\n",[3468],"SAT1037","ceZ_761-zv9IaaJOAm-8SGcVGurxCYRikcfOB6PM1Wk",{"id":3831,"title":3832,"body":3833,"description":3840,"examples":3911,"extension":83,"githubDir":3915,"meta":3916,"name":3832,"navigation":86,"path":3917,"references":3918,"seo":3921,"slug":3837,"stem":3922,"summaryHtml":3923,"tactics":3924,"techniqueId":3925,"__hash__":3926},"browserIdentityAttacksTechniques/techniques/ui_redressing/description.md","UI redressing",{"type":12,"value":3834,"toc":3905},[3835,3838,3841,3843,3847,3849,3852,3864,3866,3888,3890],[15,3836,3832],{"id":3837},"ui-redressing",[19,3839,3840],{},"ID: SAT1049",[23,3842,26],{"id":25},[28,3844,3845],{},[31,3846,1648],{},[23,3848,40],{"id":39},[19,3850,3851],{},"UI redressing attacks can be used to trick a user into performing an action on a legitimate application that is different to what they perceived. The classic example is Clickjacking, that operates by overlaying an invisible iframe over a malicious website. The user thinks they are clicking buttons or other elements on the visible malicious site but are actually clicking buttons in the invisible iframe that perform actions on the target website.",[19,3853,3854,3855,3860,3861,557],{},"While Clickjacking is generally blocked by default due to modern browser controls, the discovery of ",[64,3856,3859],{"href":3857,"rel":3858},"https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html",[261],"DoubleClickjacking"," has increased the risk of this class of attack again. DoubleClickjacking is not protected against by default and has additionally been shown to be highly effective for performing malicious OAuth consent grants, similar to a ",[64,3862,3863],{"href":542},"consent phishing attack",[23,3865,58],{"id":57},[28,3867,3868,3875,3881],{},[31,3869,3870],{},[64,3871,3874],{"href":3872,"rel":3873},"https://youtu.be/4rGvRRMrD18",[261],"Salesforce",[31,3876,3877],{},[64,3878,1958],{"href":3879,"rel":3880},"https://youtu.be/r7qpY74jtTw",[261],[31,3882,3883],{},[64,3884,3887],{"href":3885,"rel":3886},"https://youtu.be/DTdyvzfVPcI",[261],"Shopify",[23,3889,71],{"id":70},[28,3891,3892,3899],{},[31,3893,3894],{},[64,3895,3898],{"href":3896,"rel":3897},"https://owasp.org/www-community/attacks/Clickjacking",[261],"OWASP - Clickjacking",[31,3900,3901],{},[64,3902,3904],{"href":3857,"rel":3903},[261],"Technical blog - DoubleClickjacking: A New Era of UI Redressing",{"title":73,"searchDepth":74,"depth":74,"links":3906},[3907,3908,3909,3910],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[3912,3913,3914],{"text":3874,"url":3872},{"text":1958,"url":3879},{"text":3887,"url":3885},"ui_redressing",{},"/techniques/ui_redressing/description",[3919,3920],{"text":3898,"url":3896},{"text":3904,"url":3857},{"title":3832,"description":3840},"techniques/ui_redressing/description","\u003Cp>UI redressing attacks can be used to trick a user into performing an action on a legitimate application that is different to what they perceived. The classic example is Clickjacking, that operates by overlaying an invisible iframe over a malicious website. The user thinks they are clicking buttons or other elements on the visible malicious site but are actually clicking buttons in the invisible iframe that perform actions on the target website.\u003C/p>\n\u003Cp>While Clickjacking is generally blocked by default due to modern browser controls, the discovery of \u003Ca href=\"https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html\" target=\"_blank\" rel=\"noopener noreferrer\">DoubleClickjacking\u003C/a> has increased the risk of this class of attack again. DoubleClickjacking is not protected against by default and has additionally been shown to be highly effective for performing malicious OAuth consent grants, similar to a \u003Ca href=\"/resources/browser-identity-attacks-matrix/consent-phishing\">consent phishing attack\u003C/a>.\u003C/p>\n",[112],"SAT1049","xzto5l0dL7J67Mpun-7_JsLJMHB9so1yH0_xK1ambjE",{"id":3928,"title":3929,"body":3930,"description":3937,"examples":3983,"extension":83,"githubDir":3988,"meta":3989,"name":3929,"navigation":86,"path":3990,"references":3991,"seo":3994,"slug":3934,"stem":3995,"summaryHtml":3996,"tactics":3997,"techniqueId":3998,"__hash__":3999},"browserIdentityAttacksTechniques/techniques/username_enumeration/description.md","Username enumeration",{"type":12,"value":3931,"toc":3977},[3932,3935,3938,3940,3944,3946,3949,3951,3961,3963],[15,3933,3929],{"id":3934},"username-enumeration",[19,3936,3937],{},"ID: SAT1038",[23,3939,26],{"id":25},[28,3941,3942],{},[31,3943,1367],{},[23,3945,40],{"id":39},[19,3947,3948],{},"When attempting to authenticate to a SaaS app, the login mechanism itself may disclose whether the username/email address is a known/valid account, even if the provided password is incorrect.\nSince email addresses are commonly used during the authentication process and the domain associated will often give away the organization, checking known valid email address combinations for the target organization will often reveal whether the target organization is using the SaaS app, and could lead to the discovery of valid user accounts.",[23,3950,58],{"id":57},[28,3952,3953,3957],{},[31,3954,3955],{},[64,3956,3234],{"href":3233},[31,3958,3959],{},[64,3960,1687],{"href":1686},[23,3962,71],{"id":70},[28,3964,3965,3970],{},[31,3966,3967],{},[64,3968,486],{"href":484,"rel":3969},[261],[31,3971,3972],{},[64,3973,3976],{"href":3974,"rel":3975},"https://github.com/megadose/holehe",[261],"Holehe - OSINT tool for finding registered accounts",{"title":73,"searchDepth":74,"depth":74,"links":3978},[3979,3980,3981,3982],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[3984,3986],{"text":3234,"url":3985},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/username_enumeration/examples/ramp.md",{"text":1687,"url":3987},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/username_enumeration/examples/expensify.md","username_enumeration",{},"/techniques/username_enumeration/description",[3992,3993],{"text":486,"url":484},{"text":3976,"url":3974},{"title":3929,"description":3937},"techniques/username_enumeration/description","\u003Cp>When attempting to authenticate to a SaaS app, the login mechanism itself may disclose whether the username/email address is a known/valid account, even if the provided password is incorrect.\nSince email addresses are commonly used during the authentication process and the domain associated will often give away the organization, checking known valid email address combinations for the target organization will often reveal whether the target organization is using the SaaS app, and could lead to the discovery of valid user accounts.\u003C/p>\n",[1367],"SAT1038","Jximpux331LMPfYkXN2iGWgXLgwejI0g8pDJp-UnxR4",{"id":4001,"title":4002,"body":4003,"description":4010,"examples":4044,"extension":83,"githubDir":4045,"meta":4046,"name":4002,"navigation":86,"path":4047,"references":4048,"seo":4050,"slug":4007,"stem":4051,"summaryHtml":4052,"tactics":4053,"techniqueId":4054,"__hash__":4055},"browserIdentityAttacksTechniques/techniques/verification_phishing/description.md","Verification phishing",{"type":12,"value":4004,"toc":4039},[4005,4008,4011,4013,4017,4019,4022,4030,4032],[15,4006,4002],{"id":4007},"verification-phishing",[19,4009,4010],{},"ID: SAT1048",[23,4012,26],{"id":25},[28,4014,4015],{},[31,4016,1648],{},[23,4018,40],{"id":39},[19,4020,4021],{},"Email verification is sometimes used as a control, such as when registering new accounts. This is typically implemented by emailing the target user with either a clickable link for them to verify or a verification code that that they need to enter.",[19,4023,4024,4025,4029],{},"Verification phishing is when an adversary uses phishing, or some other type of social engineering, to convince a user to click a verification link or pass them the verification code in order to defeat this control. This is most relevant when combined with ",[64,4026,4028],{"href":4027},"/techniques/cross-idp_impersonation/description.md","cross-idp impersonation"," in order to circumvent strong SSO authentication to gain direct control of downstream SaaS applications.",[23,4031,71],{"id":70},[28,4033,4034],{},[31,4035,4036],{},[64,4037,1111],{"href":1109,"rel":4038},[261],{"title":73,"searchDepth":74,"depth":74,"links":4040},[4041,4042,4043],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":70,"depth":74,"text":71},[],"verification_phishing",{},"/techniques/verification_phishing/description",[4049],{"text":1111,"url":1109},{"title":4002,"description":4010},"techniques/verification_phishing/description","\u003Cp>Email verification is sometimes used as a control, such as when registering new accounts. This is typically implemented by emailing the target user with either a clickable link for them to verify or a verification code that that they need to enter. \u003C/p>\n\u003Cp>Verification phishing is when an adversary uses phishing, or some other type of social engineering, to convince a user to click a verification link or pass them the verification code in order to defeat this control. This is most relevant when combined with \u003Ca href=\"/resources/browser-identity-attacks-matrix/cross-idp-impersonation\">cross-idp impersonation\u003C/a> in order to circumvent strong SSO authentication to gain direct control of downstream SaaS applications.\u003C/p>\n",[112],"SAT1048","slCW5GtnfCiTZOs74iBct4qiEHip7knuTQz-nW7wl1U",{"id":4057,"title":4058,"body":4059,"description":4066,"examples":4113,"extension":83,"githubDir":4063,"meta":4116,"name":4058,"navigation":86,"path":4117,"references":4118,"seo":4120,"slug":4063,"stem":4121,"summaryHtml":4122,"tactics":4123,"techniqueId":4124,"__hash__":4125},"browserIdentityAttacksTechniques/techniques/webhooks/description.md","Webhooks",{"type":12,"value":4060,"toc":4107},[4061,4064,4067,4069,4075,4077,4080,4083,4086,4088,4096,4098],[15,4062,4058],{"id":4063},"webhooks",[19,4065,4066],{},"ID: SAT1039",[23,4068,26],{"id":25},[28,4070,4071,4073],{},[31,4072,333],{},[31,4074,3468],{},[23,4076,40],{"id":39},[19,4078,4079],{},"Some SaaS apps allow webhooks to be configured so callbacks are made when certain events are triggered. For example, a webmail platform may allow a webhook callback when a new email is received.",[19,4081,4082],{},"This is useful to an adversary looking to extract new data as it is created from that API. This could be new emails, new files, a real-time view into channels in instant messaging apps, etc.",[19,4084,4085],{},"Adversaries using this technique may also evade detection controls as these are not requests made to the SaaS app (showing in logs) but rather requests to an attacker app made from the app.",[23,4087,58],{"id":57},[28,4089,4090],{},[31,4091,4092],{},[64,4093,4095],{"href":4094},"examples/microsoft_365","Microsoft 365",[23,4097,71],{"id":70},[28,4099,4100],{},[31,4101,4102],{},[64,4103,4106],{"href":4104,"rel":4105},"https://attack.mitre.org/techniques/T1567/",[261],"MITRE ATT&CK - Exfiltration Over Web Service",{"title":73,"searchDepth":74,"depth":74,"links":4108},[4109,4110,4111,4112],{"id":25,"depth":74,"text":26},{"id":39,"depth":74,"text":40},{"id":57,"depth":74,"text":58},{"id":70,"depth":74,"text":71},[4114],{"text":4095,"url":4115},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/webhooks/examples/microsoft_365.md",{},"/techniques/webhooks/description",[4119],{"text":4106,"url":4104},{"title":4058,"description":4066},"techniques/webhooks/description","\u003Cp>Some SaaS apps allow webhooks to be configured so callbacks are made when certain events are triggered. For example, a webmail platform may allow a webhook callback when a new email is received.         \u003C/p>\n\u003Cp>This is useful to an adversary looking to extract new data as it is created from that API. This could be new emails, new files, a real-time view into channels in instant messaging apps, etc.\u003C/p>\n\u003Cp>Adversaries using this technique may also evade detection controls as these are not requests made to the SaaS app (showing in logs) but rather requests to an attacker app made from the app.\u003C/p>\n",[333,3468],"SAT1039","wJvT3gJTEJKmIF_TMIEEHIeI_eDEqSfig1Jthgv04gk",[4127],{"createdDate":4128,"id":4129,"name":4130,"modelId":4131,"published":4132,"query":4133,"data":4134,"variations":4139,"lastUpdated":4140,"firstPublished":4141,"testRatio":4142,"createdBy":4143,"lastUpdatedBy":4144,"folders":4145,"meta":4146,"rev":4152},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":4135,"url":4136,"text":4137,"link":4138},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":4147,"lastPreviewUrl":73,"breakpoints":4148,"hasAutosaves":86},"data",{"xsmall":4149,"small":4150,"medium":4151},320,640,768,"ga0kpxjhh76",{"createdDate":4154,"id":4155,"name":4156,"modelId":4157,"published":4132,"stageModifiedSincePublish":6,"query":4158,"data":4159,"variations":4212,"lastUpdated":4213,"firstPublished":4214,"testRatio":4142,"createdBy":4215,"lastUpdatedBy":4216,"folders":4217,"meta":4218,"rev":4222},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":4160,"text":4161,"url":73,"blocks":4162,"state":4208},"ewrererw","testrfesssssssssss",[4163,4189,4197],{"@type":4164,"@version":74,"id":4165,"component":4166,"responsiveStyles":4179},"@builder.io/sdk:Element","builder-ca12c06a52de41d7b8743da53118cd38",{"name":4167,"tag":4167,"options":4168,"isRSC":4178},"TopBannerContent",{"text":4169,"ctaText":4170,"url":4171,"mainText":4172,"cta":4175},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":4173,"fontSize":4174},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":4176,"fontSize":4174,"url":4177},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":4180},{"display":4181,"flexDirection":4182,"position":4183,"flexShrink":4184,"boxSizing":4185,"marginTop":4186,"marginBottom":4186,"fontSize":4187,"fontWeight":4188},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":4164,"@version":74,"id":4190,"component":4191,"responsiveStyles":4195},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":4192,"options":4193,"isRSC":4178},"Custom Code",{"code":4194,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":4196},{"display":4181,"flexDirection":4182,"position":4183,"flexShrink":4184,"boxSizing":4185},{"id":4198,"@type":4164,"tagName":953,"properties":4199,"responsiveStyles":4203},"builder-pixel-o503s4fpvk",{"src":4200,"aria-hidden":4201,"alt":73,"role":4202,"width":4184,"height":4184},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":4204},{"height":4184,"width":4184,"display":4205,"opacity":4184,"overflow":4206,"pointerEvents":4207},"block","hidden","none",{"deviceSize":4209,"location":4210},"large",{"path":73,"query":4211},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":4219,"lastPreviewUrl":4220,"hasLinks":6,"breakpoints":4221,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":4149,"small":4150,"medium":4151},"kyujw1aptq",[4224,4260],{"createdDate":4225,"id":4226,"name":4227,"modelId":4228,"published":4132,"stageModifiedSincePublish":6,"query":4229,"data":4230,"variations":4253,"lastUpdated":4254,"firstPublished":4255,"testRatio":4142,"createdBy":4143,"lastUpdatedBy":4143,"folders":4256,"meta":4257,"rev":4259},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":4231,"type":4232,"testimonialLink":4233,"testimonial":4234},{},"testimonial","/customer-stories/inductive-automation",{"@type":4235,"id":4236,"model":4232,"value":4237},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":4238,"folders":4239,"createdDate":4240,"id":4236,"name":4241,"modelId":4242,"published":4132,"data":4243,"variations":4247,"lastUpdated":4248,"firstPublished":4249,"testRatio":4142,"createdBy":4215,"lastUpdatedBy":4215,"meta":4250,"rev":4252},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":4244,"jobTitle":4245,"quote":4241,"image":4246},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":4147,"lastPreviewUrl":73,"breakpoints":4251,"hasAutosaves":86},{"small":4150,"medium":4151},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":4258,"kind":4147,"lastPreviewUrl":73,"hasAutosaves":6},{"xsmall":4149,"small":4150,"medium":4151},"g9lqcuxphw7",{"createdDate":4261,"id":4262,"name":4263,"modelId":4228,"published":4132,"meta":4264,"stageModifiedSincePublish":6,"query":4266,"data":4267,"variations":4293,"lastUpdated":4294,"firstPublished":4295,"testRatio":4142,"createdBy":4143,"lastUpdatedBy":4143,"folders":4296,"rev":4259},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":4265,"kind":4147,"lastPreviewUrl":73,"hasAutosaves":6},{"xsmall":4149,"small":4150,"medium":4151},[],{"testimonial":4268,"link":4287,"type":4290,"title":4263,"description":4291,"image":4292},{"@type":4235,"id":4269,"model":4232,"value":4270},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":4271,"folders":4272,"createdDate":4273,"id":4269,"name":4274,"modelId":4242,"published":4132,"data":4275,"variations":4281,"lastUpdated":4282,"firstPublished":4283,"testRatio":4142,"createdBy":4215,"lastUpdatedBy":4143,"meta":4284,"rev":4286},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":4276,"jobTitle":4277,"author":4278,"qoute":73,"quote":4279,"image":4280},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":4147,"lastPreviewUrl":73,"breakpoints":4285,"hasAutosaves":86},{"small":4150,"medium":4151},"ulhc0im1hfo",{"text":4288,"url":4289},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[4298,4320],{"createdDate":4299,"id":4300,"name":4263,"modelId":4301,"published":4132,"meta":4302,"stageModifiedSincePublish":6,"query":4304,"data":4305,"variations":4315,"lastUpdated":4316,"firstPublished":4317,"testRatio":4142,"createdBy":4143,"lastUpdatedBy":4143,"folders":4318,"rev":4319},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":4303,"kind":4147,"lastPreviewUrl":73,"hasAutosaves":6},{"xsmall":4149,"small":4150,"medium":4151},[],{"testimonial":4306,"link":4314,"type":4290,"title":4263,"description":4291,"image":4292},{"@type":4235,"id":4269,"model":4232,"value":4307},{"query":4308,"folders":4309,"createdDate":4273,"id":4269,"name":4274,"modelId":4242,"published":4132,"data":4310,"variations":4311,"lastUpdated":4282,"firstPublished":4283,"testRatio":4142,"createdBy":4215,"lastUpdatedBy":4143,"meta":4312,"rev":4286},[],[],{"video":4276,"jobTitle":4277,"author":4278,"qoute":73,"quote":4279,"image":4280},{},{"kind":4147,"lastPreviewUrl":73,"breakpoints":4313,"hasAutosaves":86},{"small":4150,"medium":4151},{"text":4288,"url":4289},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":4321,"id":4322,"name":4323,"modelId":4301,"published":4132,"stageModifiedSincePublish":6,"query":4324,"data":4325,"variations":4335,"lastUpdated":4336,"firstPublished":4337,"testRatio":4142,"createdBy":4143,"lastUpdatedBy":4143,"folders":4338,"meta":4339,"rev":4319},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":4326,"type":4232,"testimonial":4327,"testimonialLink":4233},{},{"@type":4235,"id":4236,"model":4232,"value":4328},{"query":4329,"folders":4330,"createdDate":4240,"id":4236,"name":4241,"modelId":4242,"published":4132,"data":4331,"variations":4332,"lastUpdated":4248,"firstPublished":4249,"testRatio":4142,"createdBy":4215,"lastUpdatedBy":4215,"meta":4333,"rev":4252},[],[],{"author":4244,"jobTitle":4245,"quote":4241,"image":4246},{},{"kind":4147,"lastPreviewUrl":73,"breakpoints":4334,"hasAutosaves":86},{"small":4150,"medium":4151},{},1776256974140,1776256974130,[],{"breakpoints":4340,"kind":4147,"lastPreviewUrl":73,"hasAutosaves":6},{"xsmall":4149,"small":4150,"medium":4151},1784196678172]