The browser is the new cyber battleground: are you prepared?

Push Security

By Dan Green, Security Researcher


Cyber attacks have changed fundamentally over the last decade as IT has evolved, and attackers have adapted.

Modern business IT is highly decentralized, with sprawling SaaS and cloud services. Core business systems aren’t locally deployed and centrally managed in the way they used to be. This means that attackers don’t need to drop malware onto a device, or exploit vulnerabilities to get into your local network. They just need to log in over the internet.

The biggest breaches of the last few years have all started with attackers taking over a user account. In particular, criminal groups associated with “The Com”, the broad community of English-speaking threat actors (albeit with international connections), have wreaked havoc using techniques that consciously evade established security controls at the network and endpoint level.

The most infamous groups working across “The Com”, ShinyHunters and Scattered Spider (now referring to themselves as “Scattered Lapsus$ Hunters”), have been responsible for huge breaches in the last few years: MGM Resorts and Caesars in 2023, the campaign against 165 Snowflake customers in 2024, and 2025’s hacking spree against 760 Salesforce customers, Marks & Spencer, Co-op, and most notably Jaguar Land Rover, the most economically consequential cyber attack yet recorded in a G7 economy, with a direct impact on UK GDP. All of these breaches began with identity-based initial access, with no endpoint malware or software exploits required. Most of the time, it was as simple as logging in to a SaaS app or an enterprise SSO account (e.g. Microsoft, Okta, or Google) and dumping the data.

When they wanted to take it further, the attackers abused the sprawl of interconnected apps that make up modern business IT, seeking out specific app connections with the data they wanted. Or, they leveraged internet-accessible management portals to chart a path back to on-premises assets, giving them everything they needed to pivot toward more conventional methods such as ransomware deployment.

So, where does the browser come into all of this?

The browser is the gateway to the apps and identities that attackers are now targeting, with many attacks taking place inside the user’s browser — whether that’s entering credentials onto a phishing page, approving a malicious OAuth grant, installing a browser extension, or insecurely accessing an app with a weak password and no MFA.

That’s why Push Security is bringing detection and response into the browser. Our browser-based security platform provides comprehensive detection and response capabilities against attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.

To learn more about Push, drop by Booth 305 — we’ll be happy to chat about these evolving TTPs and show you how we’re tackling the latest threats in the browser.


pushsecurity.com
