Risky Bulletin - Sponsored: Push Security on the Evolution of Phishing Techniques
Podcast: Risky Business
Host: Casey Ellis
Guest: Jacques Lowe, Push Security
Release Date: August 31, 2025
Episode Overview
This episode dives deep into the rapidly evolving landscape of phishing attacks in 2025, with a focus on how these threats extend far beyond traditional email vectors. Casey Ellis, host of Risky Business, speaks with Jacques Lowe of Push Security to unpack real-world trends the company is observing through its browser-level security platform. They discuss new phishing delivery methods, the unique challenges of browser-based attacks, and how the line between corporate and personal technology use is impacting the threat surface.
Key Discussion Points and Insights
1. Phishing: Beyond the Email (00:31–02:07)
- Traditional thinking has focused on email as the main delivery vehicle for phishing, but Push Security is seeing attacks through a broad array of channels, including HubSpot, LinkedIn, Twitter, SharePoint, and WhatsApp Web.
- “Phishing emails coming from HubSpot, which like, okay, you think about that for half a second... Then you see stuff like LinkedIn... Twitter... SharePoint... WhatsApp web is a recent one.” — Jacques Lowe [01:19]
- Notably, WhatsApp Web is now being used for business-to-business (B2B) phishing. Attackers tailor the kit so that only corporate Microsoft accounts are taken through the full phishing flow; personal accounts are filtered out.
- "If you put in a corporate account, then it says, okay, yeah, then it redirects you and takes you through the proper full phishing flow." — Jacques Lowe [02:36]
2. Browser-based and SAML/SSO Attack Chains (02:56–06:12)
- Push Security tracked a novel campaign that started with a Google search for ‘Microsoft 265’. The result pointed at a legitimate Microsoft.com link, but the chain ultimately redirected to a phishing page through authentication abuse and open redirect mechanisms.
- Attackers abuse corporate SSO/OAuth flows (both Microsoft and Google SSO) by setting up legitimate-looking tenants and redirecting authentication to malicious endpoints.
- “There is a consistent way to get a google.com or a Microsoft.com URL that will take you to any arbitrary page with zero user interaction... what are you supposed to be checking for here?” — Jacques Lowe [05:20]
- This is partly systemic to how SAML works rather than a vendor bug that can simply be patched: the service provider redirects the browser to whatever authentication URL is configured, and nothing in the flow assures the user that the destination is a genuine identity provider rather than a fake page.
- “The first step of SAML flow... sends you to the auth server and in this case that is just an arbitrary website. So yeah, there’s nothing that checks that you’re getting redirected to a real IdP versus just a fake phishing page.” — Jacques Lowe [05:46]
3. Detection Strategies and the Limitations of User Awareness (06:12–10:01)
- Traditional protections (domain blocklists, reputation databases) are increasingly ineffective due to the fluidity and complexity of modern phishing.
- “Stop worrying about domains... You need to be doing detections at a different level because clearly you can’t be trusting where you’re going and where you’re getting redirected to.” — Jacques Lowe [06:09]
- Push advocates for browser-layer traffic analysis rather than relying on domains or educating users to a near-developer level of vigilance.
- “The level of user education required is so high. I mean, you need to basically be a developer and then be awake. It's crazy high.” — Jacques Lowe [07:21]
- “All sorts of different badness that can kind of happen downstream…Like the telemetry around that…is super important.” — Casey Ellis [08:18]
- Attackers readily rotate domains and other indicators, including lookalike second-level domains such as .it.com, .sa.com and .ru.com that mimic country-code TLDs, but the behaviour of the attack itself (credential harvesting, MFA downgrades) is much harder for them to change.
- “The thing that's much harder for them to change is the actual behavior of what these attacks are doing... If you start detecting based on those behaviors, you’re in a much, much better position...” — Jacques Lowe [09:16]
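As an added illustration of the behaviour-first detection argued for in sections 2 and 3 (example code written for this summary, not Push Security's product logic), the checks below run over a constructed browser-layer "corporate password entered" event. The trusted IdP origins, brand lists and sample event are assumptions chosen for the example, and registrable-domain extraction is deliberately naive.

```javascript
// Added example: behaviour-based checks on a browser-layer "password entered" event.
// Origins, brand lists and the sample event below are constructed for illustration.
const TRUSTED_IDP_ORIGINS = new Set([
  "https://login.microsoftonline.com",
  "https://accounts.google.com",
  "https://sso.example-corp.com", // hypothetical corporate IdP
]);
const BRAND_LABELS = new Set(["microsoft", "microsoftonline", "office", "google"]);
const BRAND_DOMAINS = new Set(["microsoft.com", "microsoftonline.com", "office.com", "google.com"]);

// Naive registrable domain (last two labels): enough to show that login.microsoft.it.com
// is a host under it.com. Production code would consult the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// event = { pageUrl, formAction, redirectChain: [url, ...] }; the verdict is built
// from observed behaviours, not from a domain blocklist.
function analyzePasswordEntry(event) {
  const page = new URL(event.pageUrl);
  const findings = [];
  // 1. A corporate password is being typed on an origin that is not a known IdP.
  if (!TRUSTED_IDP_ORIGINS.has(page.origin)) {
    findings.push("corporate-password-on-untrusted-origin");
  }
  // 2. The form posts the credentials to a different origin than the page itself.
  const action = new URL(event.formAction || event.pageUrl, event.pageUrl);
  if (action.origin !== page.origin) findings.push("cross-origin-credential-post");
  // 3. The tab arrived via a genuine microsoft.com / google.com URL but landed on an
  //    untrusted login page: the open-redirect / SSO-abuse route from section 2.
  const hops = (event.redirectChain || []).map((u) => new URL(u).hostname);
  const viaTrusted = hops.some((h) => BRAND_DOMAINS.has(registrableDomain(h)));
  if (viaTrusted && !TRUSTED_IDP_ORIGINS.has(page.origin)) {
    findings.push("trusted-domain-redirect-to-untrusted-login");
  }
  // 4. Knockoff "TLD": a brand label is in the hostname but the registrable domain
  //    (it.com, sa.com, ru.com, ...) is not one the brand owns.
  const hasBrand = page.hostname.split(".").some((l) => BRAND_LABELS.has(l));
  if (hasBrand && !BRAND_DOMAINS.has(registrableDomain(page.hostname))) {
    findings.push("brand-lookalike-hostname");
  }
  return { verdict: findings.length ? "suspicious" : "ok", findings };
}

// Constructed sample: search result -> real microsoft.com URL -> lookalike login page.
const SAMPLE_PHISH_EVENT = {
  pageUrl: "https://login.microsoft.it.com/auth",
  formAction: "/auth/submit",
  redirectChain: ["https://www.microsoft.com/", "https://login.microsoft.it.com/auth"],
};
```

Note that the legitimate login.microsoftonline.com flow produces no findings even though it also passes through microsoft.com, because the verdict hinges on where the password ends up rather than on which domains appeared along the way.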
4. Credential Syncing & The Extended Attack Surface (10:01–14:32)
- Many of the breaches Push tracks begin with credentials that appeared in dark-web leaks and were later traced to active corporate accounts, often because work and personal browser profiles sync passwords between them.
- “We realize actually what’s happening is that person is logging in on a browser and using the built in browser password manager or a third party password manager... getting synced to a personal Gmail account.” — Jacques Lowe [11:14]
- Family and shared home computers (further normalized post-Covid) have become critical parts of the attack surface, especially when browser profiles are synced across work and home environments.
- “Covid really kind of introduced this idea of the five year old being a part of the corporate attack surface...” — Casey Ellis [12:37]
- “If you’re logging into your Chrome at work using your personal Gmail, well then... it’s impossible to detect that thing.” — Jacques Lowe [13:18]
5. Visibility, Mitigation, and Controls (14:32–16:22)
- The best current mitigation is gaining visibility into browser profile sync and flagging when passwords or accounts are synced in unsafe ways.
- Some organizations use Google Workspace settings to ensure corporate accounts can only sync to corporate profiles.
- “There’s a setting you can set up in Google Workspace... that can only happen in a browser profile which is linked to that same corporate account... A little bit harder to do in the Microsoft world.” — Jacques Lowe [15:33]
- In customer environments, Push observes a strong correlation between password theft and the syncing of corporate credentials into personal browser profiles.
6. Push’s Open Source Phishing Techniques Resource (16:22–17:33)
- Push Security is publishing its ever-growing list of documented phishing techniques as an open-source, Creative Commons-licensed resource to foster shared awareness and common language in the industry.
- “There’s been so much discussion and evolution in these techniques… having a list of techniques... [is] good to just have a resource of named techniques and... at least attach ideas.” — Jacques Lowe [16:31]
Notable Quotes
- “Stop worrying about domains. We need to be doing detections at a different level because clearly you can’t be trusting where you’re going and where you’re getting redirected to.” — Jacques Lowe [06:09]
- “There is a consistent way to get a google.com or a Microsoft.com URL that will take you to any arbitrary page with zero user interaction.” — Jacques Lowe [05:20]
- “The level of user education required is so high. I mean, you need to basically be a developer and then be awake. It's crazy high.” — Jacques Lowe [07:21]
- “Covid really kind of introduced this idea of the five year old being a part of the corporate attack surface…” — Casey Ellis [12:37]
Timestamps for Important Segments
- 00:31 – Expanding beyond email: New phishing delivery vectors
- 02:13 – B2B phishing via WhatsApp Web and tailored phishing kits
- 03:54 – Malvertising and authentication abuse attacks using SAML/SSO
- 05:35 – Open redirect as a systemic SAML issue
- 06:09 – The case for behavioral detection beyond domain intelligence
- 09:16 – Focus on attacker behavior vs. IOCs
- 10:34 – Credential theft via browser syncing, home device risks
- 15:33 – Google Workspace controls to prevent unsafe browser sync
- 16:31 – Push Security’s open-source phishing techniques resource
Conclusion
This discussion underscores that phishing is now a multidimensional problem requiring visibility and behavioral analysis far beyond email gateways or domain intelligence. The browser is the new front line, both at work and at home. Solutions and awareness must evolve to meet attackers’ pace—something Push Security aspires to facilitate with both its product and its community resource.
