"Should we go with a full-stack enterprise browser or Push?" It’s a question we get a lot. And the answer for many of our customers has been both. We often see customers opt for a full-stack browser for contractors or regulated teams handling sensitive materials, but with Push deployed across the whole workforce (including those full-stack browsers) so Security can protect them as they work in the browser. They're not competing architectures: they serve different owners solving different problems. The security team's success metric is attacks stopped and risk reduced, not workspace policy compliance. We broke down the decision framework in detail here 👇 🔗 https://lnkd.in/ezRXQezy
About us
Push Security is the secure enterprise browser extension for the AI era. Founded by red team and blue team experts, Push combines high-fidelity browser telemetry, real-time control, and autonomous agents to stop advanced attacks, secure AI usage, harden identities, and prevent data loss — all from your users’ existing browsers, no migration required.
- Website: https://pushsecurity.com
- Industry: Computer and Network Security
- Company size: 51-200 employees
- Headquarters: Boston, Massachusetts
- Type: Privately Held
- Founded: 2021
- Specialties: Cyber security, SaaS, Enterprise software, Identity security, ISPM, ITDR, Detection, Response, Targeted attacks, IAM, and Phishing
Locations
- Boston, Massachusetts, US (Primary)
- London, GB
Updates
-
Push Security reposted this
There's been a lot of news recently about how Tycoon2FA has rebounded after its reported "takedown". The latest news is that it now supports device code phishing capabilities along with AiTM. We've been tracking this shift ourselves at Push and have intercepted new Tycoon2FA device code phishing attacks targeting our customers. In March, Europol coordinated the largest PhaaS takedown to date against Tycoon. But it was back at pre-disruption activity levels within days, on new infrastructure. By April, researchers documented the operators pivoting to ProxyLine for IP rotation across 100+ countries while keeping their core code intact. And now it’s added a brand new class of attack technique that bypasses access controls like MFA (even passkeys) by design. We also recently shared that Sneaky2FA, another major phishing kit, is pretty much identical to the AiTM component offered by VENOM, another criminal device code phishing kit that rose to prominence recently. Expect other criminal vendors to get in on the act soon. It’s mad to think that device code phishing was basically a research curiosity in 2025, and now we’ve seen it industrialized. This needs to be on every security team’s radar going forward. You can see an example of the Tycoon2FA kit in action below.
-
Recent reports indicate that Tycoon2FA, the dominant PhaaS kit for AiTM attacks, has branched out into device code phishing. We've been tracking Tycoon2FA's expansion into device code phishing since reports first surfaced, and we've intercepted these attacks targeting Push customers. Tycoon2FA is responsible for a staggering 62% of all phishing blocked by Microsoft per recent reports. The addition of device code phishing to the existing AiTM infrastructure means the largest phishing-as-a-service platform now offers a technique that bypasses MFA, passkeys, and conditional access policies by design. In April we documented a 37x surge in device code phishing since the start of the year. We've since updated that research and are now tracking 14 unique kits with this capability. Tycoon2FA joining that list is the clearest signal yet that device code phishing has graduated from targeted nation-state tradecraft to a commodity PhaaS feature. See the video for a look at Tycoon2FA device code phishing in action. Latest reporting from Bleeping Computer: https://lnkd.in/eYPsayre
-
Browser security covers a lot of ground — ATO prevention, phishing detection, extension security, shadow SaaS, AI governance, DLP — but not every use case delivers equal security value, and not every one is best solved in the browser. If you're evaluating browser security, the question isn't just "what can it do" but "where does the browser genuinely deliver more value than the tools I already have." We ranked the top 10 use cases on exactly that basis. https://lnkd.in/erxbRfac
-
We've re-released the SaaS attack matrix as the Browser & Identity Attacks Matrix. The name change reflects what the past two years have made obvious: the attacks behind most major breaches are browser-based and identity-first, and "SaaS attack" stopped being a useful descriptor for what we were tracking. Still open-source, still community-maintained, still on GitHub. Explore the updated matrix: https://lnkd.in/eHEGe9CV
-
Push Security reposted this
How do you compromise an organisation without ever touching the infrastructure? That's the question the Browser and Identity Attacks Matrix answers - and it's just had a major refresh. 51 techniques. All browser. All identity. The stuff your EDR will never see. 60-second breakdown 👇 (Disclosure: I work at Push, who maintain it. Open source, link in comments.)
-
Attack evolutions used to show up once or twice a quarter. Now they're weekly, sometimes daily, and adversaries are using AI to rotate infrastructure faster than traditional detection workflows can keep up. We built an agentic threat hunting pipeline that lets our research team's expertise run continuously across millions of browsers. It's tripled our detection output — and the detections are behavioral, not IOC-based, so they survive infrastructure rotation. Check out what Adam Bateman //O had to say about it, and read the blog post for the technical details 👇 https://lnkd.in/edtViPXV
-
"Can AI replace a threat researcher?" is the wrong question. The right one is whether AI agents can continuously activate the expertise of a seasoned threat hunter across trillions of browser events without getting bored, missing details, or creating knowledge silos. At Push, we built an end-to-end agentic pipeline to do exactly that — and it's already tripled our detection output. Check out our blog post to learn about our agentic threat hunting architecture, principles, and how it's benefitting Push customers. https://lnkd.in/edtViPXV
-
There's a difference between telling a CFO "industry benchmarks suggest our expected annual loss is somewhere in this range" and telling them "we can see how often these attacks hit our users, and we can measure what percentage of accounts have the controls to stop them." That difference is what being in the browser gives you — real data on the problem, and control to quantifiably reduce the risk. Check out the latest blog from Mark Orlando: https://lnkd.in/eW6Yhak6
-
In mid-2023, most of the techniques in our SaaS attacks matrix hadn't been widely observed in the wild. Two and a half years later, many of them aren't just common, but are hitting organizations at an industrial scale. AiTM phishing is now the standard phishing approach. ClickFix went from nonexistent to Microsoft's most-reported initial access vector in under 18 months. Device code phishing jumped from espionage-grade tooling to commodity PhaaS in roughly the same timeframe. ConsentFix merged clipboard-injection social engineering with OAuth consent abuse into a fully browser-native attack chain — first deployed by APT29, now commercialized on criminal forums. The common thread is that these attacks happen in or through the browser and target identity rather than infrastructure. So we've re-released the matrix as the Browser & Identity Attacks Matrix — same open-source, community-maintained framework, updated to reflect where the threat landscape has moved. Read the full breakdown: https://lnkd.in/eHEGe9CV