[{"data":1,"prerenderedAt":376},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"browser-identity-attacks-technique:shadow-workflows":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"body":229,"description":239,"examples":356,"extension":360,"githubDir":361,"meta":362,"name":228,"navigation":34,"path":363,"references":364,"seo":370,"slug":235,"stem":371,"summaryHtml":372,"tactics":373,"techniqueId":374,"__hash__":375},"browserIdentityAttacksTechniques/techniques/shadow_workflows/description.md","Shadow workflows",{"type":230,"value":231,"toc":350},"minimark",[232,236,240,245,255,259,262,265,268,271,274,283,294,298,309,313],[233,234,228],"h1",{"id":235},"shadow-workflows",[237,238,239],"p",{},"ID: SAT1033",[241,242,244],"h2",{"id":243},"tactics","Tactics",[246,247,248,252],"ul",{},[249,250,251],"li",{},"Execution",[249,253,254],{},"Exfiltration",[241,256,258],{"id":257},"summary","Summary",[237,260,261],{},"The SaaS world is, by design, largely abstracted away from operating systems and application binaries. There isn’t always a generic equivalent of gaining code execution as you might during an endpoint compromise.",[237,263,264],{},"The closest approximation to this in the SaaS world may be low- or no-code automation apps. These are SaaS apps that are focused on integrating with a variety of other SaaS apps and allow the user to automate common tasks. In no-code apps this is done using easy-to-learn UI components that abstract code, where low-code flavors provide scaffolding to minimize code. The user created functions are often called automations, workflows or playbooks.",[237,266,267],{},"An adversary with access to a target SaaS account can configure a workflow automation to execute a wide range of malicious actions against the breached account. This could be a daily export of files from shared cloud drives, automatic forwarding and deleting of emails, cloning instant messages, exporting user directories. Basically anything that is possible using the target app’s API.",[237,269,270],{},"While the graphical interface is useful for non-technical users, many of these automation platforms allow advanced users to craft direct API calls (often called low-code), which unlocks enormous flexibility for adversaries.",[237,272,273],{},"Akin to traditional endpoint “Living Off The Land” (LOTL) techniques such as PowerShell, an adversary may use these legitimate, well-known SaaS automation apps rather than custom OAuth integrations to avoid detection.",[237,275,276,277,282],{},"A demo video of an attack chain combining a shadow workflow with an ",[278,279,281],"a",{"href":280},"/techniques/evil_twin_integrations/description.md","evil twin integration"," is given below:",[237,284,285],{},[278,286,290],{"href":287,"rel":288},"https://www.youtube.com/watch?v=g2EITjjJH1s",[289],"nofollow",[83,291],{"alt":292,"src":293},"demo video","https://img.youtube.com/vi/g2EITjjJH1s/0.jpg",[241,295,297],{"id":296},"examples","Examples",[246,299,300,306],{},[249,301,302],{},[278,303,305],{"href":304},"examples/zapier","Zapier",[249,307,308],{},"Microsoft Power Automate",[241,310,312],{"id":311},"references","References",[246,314,315,322,329,336,343],{},[249,316,317],{},[278,318,321],{"href":319,"rel":320},"https://www.pentestpartners.com/security-blog/living-off-the-cloud-cloudy-with-a-chance-of-exfiltration/",[289],"Living off the Cloud. Cloudy with a Chance of Exfiltration",[249,323,324],{},[278,325,328],{"href":326,"rel":327},"https://attack.mitre.org/techniques/T1020/",[289],"MITRE ATT&CK - Automated Exfiltration",[249,330,331],{},[278,332,335],{"href":333,"rel":334},"https://pushsecurity.com/blog/nearly-invisible-attack-chain/",[289],"The shadow workflow's evil twin - Technical blog post",[249,337,338],{},[278,339,342],{"href":340,"rel":341},"https://pushsecurity.com/blog/phishing-slack-persistence/",[289],"Slack Attack: A phisher's guide to persistence and lateral movement",[249,344,345],{},[278,346,349],{"href":347,"rel":348},"https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/",[289],"Octo Tempest use FiveTran to steal SalesForce and ZenDesk databases",{"title":29,"searchDepth":48,"depth":48,"links":351},[352,353,354,355],{"id":243,"depth":48,"text":244},{"id":257,"depth":48,"text":258},{"id":296,"depth":48,"text":297},{"id":311,"depth":48,"text":312},[357,359],{"text":305,"url":358},"https://github.com/pushsecurity/browser-identity-attacks-matrix/blob/main/techniques/shadow_workflows/examples/zapier.md",{"text":308},"md","shadow_workflows",{},"/techniques/shadow_workflows/description",[365,366,367,368,369],{"text":321,"url":319},{"text":328,"url":326},{"text":335,"url":333},{"text":342,"url":340},{"text":349,"url":347},{"title":228,"description":239},"techniques/shadow_workflows/description","\u003Cp>The SaaS world is, by design, largely abstracted away from operating systems and application binaries. There isn’t always a generic equivalent of gaining code execution as you might during an endpoint compromise.\u003C/p>\n\u003Cp>The closest approximation to this in the SaaS world may be low- or no-code automation apps. These are SaaS apps that are focused on integrating with a variety of other SaaS apps and allow the user to automate common tasks. In no-code apps this is done using easy-to-learn UI components that abstract code, where low-code flavors provide scaffolding to minimize code. The user created functions are often called automations, workflows or playbooks.\u003C/p>\n\u003Cp>An adversary with access to a target SaaS account can configure a workflow automation to execute a wide range of malicious actions against the breached account. This could be a daily export of files from shared cloud drives, automatic forwarding and deleting of emails, cloning instant messages, exporting user directories. Basically anything that is possible using the target app’s API.\u003C/p>\n\u003Cp>While the graphical interface is useful for non-technical users, many of these automation platforms allow advanced users to craft direct API calls (often called low-code), which unlocks enormous flexibility for adversaries.\u003C/p>\n\u003Cp>Akin to traditional endpoint “Living Off The Land” (LOTL) techniques such as PowerShell, an adversary may use these legitimate, well-known SaaS automation apps rather than custom OAuth integrations to avoid detection.\u003C/p>\n\u003Cp>A demo video of an attack chain combining a shadow workflow with an \u003Ca href=\"/resources/browser-identity-attacks-matrix/evil-twin-integrations\">evil twin integration\u003C/a> is given below:\u003C/p>\n\u003Cp>\u003Ca href=\"https://www.youtube.com/watch?v=g2EITjjJH1s\" target=\"_blank\" rel=\"noopener noreferrer\">demo video ↗\u003C/a>\u003C/p>\n",[251,254],"SAT1033","qXNJ-JnXNXANYqU41co-4ezlIEXQQM5iFOBmGVvi5TE",1784196757325]