Welcome to our first threat briefing of 2026! This time, we’re zeroing in on Scattered Lapsus$ Hunters (SLH), one of the most prolific threat groups of 2025, who’ve had a strong start to the year with a new hybrid vishing + AiTM phishing campaign. We’re also covering a campaign focused on Zendesk (also by SLH), the latest malicious browser extension news, and yet more LinkedIn phishing attacks seen in the wild. So grab a coffee and dive in! ☕ 🗞️
Push Security
Computer and Network Security
Boston, Massachusetts 7,905 followers
Browser-based detection and response. Powered by research. Trusted by security teams doing serious work.
About us
Push Security is the most advanced security tool in the browser, delivering real-time detection and response where today’s work (and attacks) actually happen. Push gives defenders visibility into user activity, attacker behavior, and browser-level risk. It detects threats like phishing, session hijacking, ClickFix-style attacks, and malicious browser extensions; enforces secure login practices like MFA and SSO; and provides the telemetry teams need to investigate fast. Built on continuous research and offensive testing, Push sees what attackers see, and stops them in their tracks. That’s why leading security teams trust Push to bring visibility and control to one of the most critical blind spots in the enterprise.
- Website: https://pushsecurity.com
- Industry: Computer and Network Security
- Company size: 51-200 employees
- Headquarters: Boston, Massachusetts
- Type: Privately Held
- Founded: 2021
- Specialties: Cyber security, SaaS, Enterprise software, Identity security, ISPM, ITDR, Detection, Response, Targeted attacks, IAM, and Phishing
Locations
- Boston, Massachusetts, US (Primary)
- London, GB
Updates
-
Scattered Lapsus$ Hunters, the criminal supergroup behind last year’s biggest breaches, are back — this time targeting Okta, Entra, and Google SSO platforms with a hybrid vishing + AiTM phishing campaign. Here’s how it works👇
📞 The attacker voice phishes company employees, impersonating IT staff
🪝 They guide them to a new kind of real-time operated AiTM phishing site
⚠️ The AiTM site steals the victim’s account session, bypassing MFA
🔑 The victim is tricked into setting up a passkey that the attacker intercepts
🥷 The attacker now has persistent access to SSO-connected apps — granting them the keys to the kingdom
Betterment, Crunchbase, and SoundCloud have already been named as victims of SLH this year, with an alleged 50 million records stolen so far. And with 100+ companies being actively targeted, there’s surely more to come. But Push customers can rest easy with our browser-native threat detection and blocking capabilities.
Learn more about the campaign here 👇 https://lnkd.in/e4jvQEHR
-
Engineer in the Software Industry gives Push Security 5/5 Rating in Gartner Peer Insights™ Secure Enterprise Browsers Market. Read the full review here: https://gtnr.io/CTrpOTws0 #gartnerpeerinsights
-
Push Security reposted this
Most phishing attacks are automated. This one is personal - and tailored on the fly while talking to the victims. "Scattered Lapsus$ Hunters" are currently running a sophisticated campaign targeting Okta, Entra, and Google SSO users.
1 - The Call - They call an employee using stolen data (name/title) to build trust
2 - The Pretext - They offer to help set up a passkey for security
3 - The Live Panel - They guide the victim to a fake site where they manually control what the victim sees in real-time to bypass MFA
4 - Persistence - They don't just steal the password, they plant their own passkeys for permanent access
Yes, this can bypass gateway defences, but it can be stopped in the browser. More here 👇
-
Push Security reposted this
Some of the biggest breaches of 2025 started in the browser, where detection and response teams are flying blind. On February 11, I'm hosting an interactive webinar where YOU will drive the investigation. We'll dig into real #ClickFix attacks, credential #phishing, and other browser-based threats we've seen in the wild over the past year. This isn't a typical webinar. Your decisions will determine where we go next in the investigation. You'll see firsthand:
➡️ How traditional tools measure up (spoiler: they don't)
➡️ What telemetry actually matters when responding to browser attacks
➡️ The detection and response gaps you probably have right now
Whether you're hands-on in the SOC or translating technical capabilities into business outcomes, you'll walk away with practical insights you can use immediately. Can't make it live? Register anyway and we'll send you the recording: https://lnkd.in/gtgC9Gvy
-
Attackers are targeting Google Ad Manager accounts, siphoning ad budgets into paid clicks on their own sites and launching malvertising campaigns to harvest account access for resale on criminal marketplaces. Because these attacks completely circumvent the traditional phishing detection surface (email) and often happen entirely over the internet (meaning no endpoint security controls can come into play) the only way to reliably detect and stop these attacks is to intercept them where they happen — in the user’s web browser. Swipe to see how attackers are monetizing compromised ad manager accounts at scale 👉 https://lnkd.in/gHjNz85a
-
Come help us conduct a live security incident investigation! As modern attacks evolve, targeting business applications directly over the internet, the way that security teams detect and respond to attacks has to change too. See modern investigative steps unfold live at our upcoming webinar, in a “choose-your-own-adventure” experience walking through modern IR scenarios, where your inputs will determine the course of our investigations. 🎯 Register to join - https://lnkd.in/gR6eeS-k
-
Push Security reposted this
What actually happens at a cybersecurity vendor sales kick-off? Most people imagine targets, quotas and revenue charts. Not so at Push Security. Ours is wall-to-wall threat intel. Real-world identity attack paths. Where defenders are getting caught out. What CISOs are dealing with right now. The goal isn’t 'sell harder'. The goal is: Make every single interaction with a Push salesperson genuinely useful. If you leave a conversation with us having learned something new. If you’ve got a clearer picture of your exposure. If you’ve saved time joining the dots... Then the commercial side tends to take care of itself. Revenue is a byproduct of value. Not the other way around. (UK team heading to SKO. No go-karts or vodka luges. Just threat intel, coffee and good company)
-
Modern attack techniques like ConsentFix don’t work in the way that security teams expect. We’re used to attacks taking a similar route — initial access, persistence, lateral movement, exploitation — but modern attacks increasingly collapse these phases. Taking over an account is all that an attacker needs to achieve their goals. This means that a defender’s window of opportunity to detect and disrupt an attack is narrower than ever. But that didn’t stop Push from detecting and blocking ConsentFix the first time we saw it, protecting customers from day zero. Want to learn how to tackle modern attacks that don’t touch the endpoint? Join Mark Orlando for an interactive, choose-your-own-adventure webinar that walks through real-world incident response scenarios. 📅 Feb 11, 2026 🎯 Register to join live - https://lnkd.in/gR6eeS-k
-
Push Security reposted this
Our marketing team are smart. They realised the biggest hurdle to adopting browser defences from Push Security, was that people might have to talk to me. Fair point - it's a risk 🤪 So like EDR vs a phishkit, I've been bypassed! Introducing demo arcades, quick click-throughs of super-cool use-cases including:
Stopping attacks in the browser (phishkits, MFA bypass, clickfix) https://lnkd.in/eYaaJepT
Attack path hardening (stolen creds, ghost logins) https://lnkd.in/eNh_dM9C
Shadow IT enumeration (including login methods, vulnerabilities and in-browser guardrails) https://lnkd.in/enB_h8Sb
Browser Telemetry for Investigations and Response (detailed timeline view, roll-your-own context with hunt mode) https://lnkd.in/ea2dS5ir
Visibility and control of browser extensions (it's the wild west out there, take back control. What's installed, who installed it, how, what permissions) https://lnkd.in/e7WGmzJU
So there you go. Push in a nutshell. For a deeper look, or to trial any of this, just ping me (if you include the words 'anyone but Peter' I'll hand you to someone competent) 😁