Push Security

💡 Introducing a SaaS attack matrix of networkless SaaS attack techniques - This is how attackers can own a company without touching the endpoint or the network - These networkless attacks bypass EDR and network detection We hope this helps defenders better understand the threats they face. 💬 #Pentesters #Redteams We’d love to some comments or contributions for things you've tried on GitHub! Links in 🧵 #security #infosec #SaaSsecurity #supplychainsecurity

In news that surprises exactly nobody.... We're hiring at Push Security! 🎉 Specifically, for a pre-sales focused Solutions Engineer with cybersecurity experience, based in the UK 🇬🇧 to support our EMEA sales team and work closely with Joe Stanulis and Peter Cohen. If you're taking a long weekend to think about your next career move, then this is your sign 😊 If that's you or someone you know (no agencies for now, thanks!) drop me a message I'd love to chat more! Link to the full job description in comments ⬇️

It doesn’t take much for cyber attackers to stay ahead of blocklists… Attackers are constantly giving defenders the slip with their phishing sites — whether it’s by serving every victim a unique link, using legitimate hosting services like Cloudflare, or implementing bot protection to defeat sandbox analysis. Join the latest webinar from Push Security on April 23rd to learn why phishing attacks are still so successful — and what we need to solve phishing for good 👊 (Hint: it’s not more awareness training…) Register here 👉 https://lnkd.in/euNdUC8E

We’re thrilled to welcome Chris Tilton as our new Chief Marketing Officer! 🎉 Chris brings a wealth of experience building and scaling go-to-market strategies in cybersecurity, from his early work helping pioneer bug bounties at Bugcrowd, to defining and growing the Pentesting-as-a-Service (PTaaS) category at Cobalt. At every step, Chris has helped innovative security companies cut through the noise. We’re excited to have Chris on board as we continue to scale, sharpen our message, and show the world how Push is changing the identity security game. His mission? To put Push in every browser. 🚀 Here's Chris in his own words on why he is excited to join the team 👇 https://lnkd.in/eJZynTvU

I’m incredibly excited to announce that I’ve joined Push Security as CMO! Founders Adam Bateman //O, Jacques Louw //O and Tyrone Erasmus //O have built an incredible team — here’s what drew me in 👇 ✅ Tech that solves real problems CISOs must fix ✅ A team with red teamer roots and relentless customer focus ✅ A culture buzzing with energy, purpose, and momentum By bringing it into the web browser, Push is transforming threat detection and response. This is a vital new capability that works to combat the surge in attacks happening inside the browser and over the internet, as opposed to the network or endpoint. That means we can detect and stop MFA-bypass phishing, token theft, credential stuffing, and other modern identity attacks at the point of exploitation. It’s incredibly powerful and makes a genuine difference by intercepting and shutting down attacks in real time — before anyone gets hurt. This isn’t shelfware. It’s innovation that matters. Backed by world-class investors, built by people who live and breathe security, and already trusted by some of the world’s largest enterprises. Thrilled to join this rocket ship and help tell the story. Let’s go! If you want to read more about why I’ve joined Push, take a look at my blog post 👇 https://lnkd.in/eu6b2PgE

Push recently detected and blocked customers from interacting with a malicious MFA-bypassing phishing site targeting Onfido, the digital identity platform — via a malvertising watering hole attack. While many phishing attacks are conducted over email, attacks are increasingly happening over channels like IM platforms, social media, using legitimate apps, and via malicious ads (malvertising). In this case, the employee was a regular user of Onfido but, like many employees, opted to Google search for the login page — where they fell foul of the malicious ad. Malvertising takes advantage of the fact that many organizations rely mainly on email-based phishing controls — which are bypassed entirely here. They also remove some of the hassle, as they don’t require that an attacker build up a domain’s reputation to pass mail filters. In this case, the domain was registered only hours before being used. Read our analysis including our review of a super interesting us.com hosting domain which looks very legit (but isn't a real TLD) here 👇 https://lnkd.in/ezD9fu9A You can also see our browser-based phishing detection control kicking in against the malicious page in the clip below!

Someone is using Evilginx to target customers of Onfido, part of Entrust, with a malicious Google advert that comes above the legitimate Onfido advert 🤯 See the domains and adverts below. Yes that us[.]com domain is actually an evilginx server - guess which advert is the malicious one (maybe Google should start requiring verification)

I thought it was going to be pretty difficult to top March when it came to new recruits… It didn't take long for April to prove me wrong. A huge welcome to our SEVEN latest team members! 🎉 🚀 We’re thrilled to be joined by Alison Eastaway, Jake Cohn, Josh Gideon, Nicholas Muniz, Paul Cooney, Peyton Padfield, and Rachael James! 🚀 Lots of new faces at Push's virtual HQ but there’s still room for more — check out our current openings here 👉 https://lnkd.in/dm2P_9jr

We’re still hearing from a lot of security teams that phishing continues to be a major headache. While email security provides an initial layer of defense, it's often bypassed by increasingly sophisticated attacks, especially with the rise of LLM-tailored phishing emails. And, it’s not just email anymore. Phishing is popping up in tools like Slack and Teams too. Traditional blocklists, while helpful, struggle to keep up with the rapidly evolving landscape of phishing domains. The one thing that hasn’t changed? These attacks are all about stealing user credentials—and the browser is where that usually happens. Push Security offers a simple yet powerful solution: a browser agent that detects and blocks phishing attempts directly in the browser. Push's browser agent actively inspects webpages for phishing tools and prevents users from entering their SSO passwords on non-approved or malicious sites. Push acts as a crucial last layer of defense, complementing your existing security stack to effectively combat this persistent threat.

Interesting article about 'Precision-Validated Phishing' — basically where phishing pages that only show malicious login forms when a user enters an email address that the attacker has specifically targeted! As soon as an email is entered, a check is performed that generates an error or redirects to a benign site if the email isn’t on the attacker’s list. I’ve been tracking phish kit evolution for a while now and attackers are constantly adding new features to defeat detections. This is pretty similar to techniques I’ve documented previously — like requiring a specific path to generate the parameters for the malicious content to load. Or serving benign pages if you try to login with a personal email. The whole point of this kind of obfuscation is to reduce the chance of a phish being picked up and reported/investigated by someone who isn’t the intended victim. Because as soon as something gets added to a blocklist, it’s effectively burned. Attackers are doing a whole stack of other obfuscations too, preventing security bots from loading the malicious content on a phishing page so they can’t analyse it. Attackers don’t need their phishing page to stay live forever — just long enough for their intended victim(s) to fall for it. It’s trivial for them to rotate their malicious domains anyway. It’s more about keeping it alive just long enough to claim a victim — think a few hours at least, days at most. This is yet another technique that helps them to do that — meaning that there will pretty much always be an incident and a victim before the site gets taken down. We’ve been doing a lot of thinking about how we approach phishing detection as an industry and why these kinds of blocklist-driven, reactive approaches are failing. If you’re interested in learning more, check out my upcoming webinar on April 23rd where I’ll be covering techniques like this in more detail, and why they’re defeating detections! Article: https://lnkd.in/e4t6kNAM Link to the webinar in the comments 👇