Get your copy of the SaaS Attacks Report: 2024 edition

Push Help Center
Ready to help
Help for administrators
Help for admins
Help for employees
Help for employees
Help for administrators
/
Browser extension

How does Push detect cloned login pages?

Push can detect when employees visit sites using cloned login screens. Adversaries use cloned login pages, often disguised to look like identity provider login pages, to steal credentials.

On the Controls page of the Push admin console, you can enable Cloned login page detection. Push will then emit a webhook event when it detects that an employee has visited a page that appears to be a clone of a legitimate login page.

It does this by fingerprinting the page structure and resources of your legitimate login pages and monitoring for pages that are very similar.

The Cloned login page detection feature can identify clones of the following legitimate providers’ login and signup pages:

  • Google Workspace

  • Microsoft 365

  • Okta

  • Jumpcloud

  • Duo Security

  • Ping Identity

  • IBM identity provider

  • SAP identity provider

  • Github

  • AWS

When Push detects a cloned app, it will emit a webhook event that you can view on the Events page of the admin console (as part of a rolling 7-day snapshot of all events) and that you can ingest into a SIEM or other tool.

Specify your custom login page domains

Some identity providers and apps, such as Okta, allow you to set a custom domain for your login page.

If you use any custom domains for the providers listed above, you must specify those domains on the Settings page by going to Advanced > Custom login URLs. Otherwise, Push will not be able to create a baseline for comparison between those legitimate login pages and any cloned pages that it detects.

Need more help?
Questions, feedback, tech support, sales support - anything you need.
We’ll get back to you within a day.