- Bypasses email gateways and security tools by never hitting a real server
- Blob URIs mean the phishing content is not hosted online, so filters never see it coming
- No weird URLs, no dodgy domains, just silent theft from a fake Microsoft login page
Security researchers have revealed a number of phishing campaigns that use a rarely seen technique to steal login credentials, even when those credentials travel over an encrypted connection.
New research from Cofense warns that the method depends on blob URIs, a browser feature designed to display temporary local content, and that cybercriminals are now abusing it to serve phishing pages.
A blob URI is created and accessed entirely within the user's browser, which means the phishing content never sits on a publicly facing server. That makes it extremely difficult for even advanced endpoint protection systems to detect.
A hidden technique that slides past defense
In these campaigns, the phishing process begins with an email that readily bypasses Secure Email Gateways (SEGs). These emails typically contain a link to what appears to be a legitimate page, often hosted on a trusted domain such as Microsoft's OneDrive.
That initial page does not host the phishing content directly. Instead, it acts as an intermediary and silently loads a threat-actor-controlled HTML file, which is decoded into a blob URI.
The result is a fake login page rendered within the victim's browser, designed to closely mimic Microsoft's login portal.
For the victim nothing seems out of place: no strange URLs or obvious signs of fraud, just a quick prompt to log in to view a secure message or access a document. When they click 'Log In', the page redirects to another attacker-controlled HTML file that generates a local blob URI displaying the spoofed login page.
Because blob URIs work entirely within the browser's memory and are inaccessible outside the session, traditional security tools cannot scan or block the rendered content.
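The chain above has one network-observable link that defenders can still inspect: the intermediary page and the attacker-controlled HTML it fetches both cross the wire, even though the blob-rendered login page never does. The following is an added example, not code from Cofense or from the article, showing a heuristic scanner that a proxy or sandbox could run over a captured landing page to flag the combination of signals the article describes: decoding embedded content, wrapping it in a `text/html` Blob, minting a `blob:` URL with `URL.createObjectURL`, and navigating or framing to it. The regexes, thresholds and the sample pages are all assumptions constructed for illustration.

```javascript
// Added example (not from the original article or from Cofense): a static
// heuristic for blob-URI phishing loaders. It inspects the HTML/JS of a page
// that a gateway or proxy *can* see (the intermediary/loader page) for the
// ingredients needed to render a phishing page from a blob: URL.
// Signal names, patterns and thresholds are assumptions for illustration.

const SIGNALS = {
  // Payload decoded client-side (base64 is the common case).
  decode: /\batob\s*\(|base64/i,
  // An HTML document wrapped in a Blob; a benign download link would not
  // normally use text/html here.
  blobHtml: /new\s+Blob\s*\([\s\S]*?["']text\/html["']/i,
  // A blob: URL being minted.
  objectUrl: /URL\.createObjectURL\s*\(/,
  // The blob: URL being navigated to, framed or written into the document.
  navigate: /(location\.(href|assign|replace)|window\.open|\.src\s*=|document\.write)/,
};

// Returns { verdict, hits } for a page body. "suspicious" requires both
// blob-specific signals (blobHtml + objectUrl) plus at least one more.
function scoreBlobLoader(html) {
  const hits = Object.entries(SIGNALS)
    .filter(([, re]) => re.test(html))
    .map(([name]) => name);
  const core = hits.includes("blobHtml") && hits.includes("objectUrl");
  const verdict = core && hits.length >= 3 ? "suspicious" : "clean";
  return { verdict, hits };
}

// Scan several captured pages and return only the ones worth a human look.
function triage(pages) {
  return pages
    .map(({ name, body }) => ({ name, ...scoreBlobLoader(body) }))
    .filter((r) => r.verdict === "suspicious");
}

// Constructed sample 1: a loader of the kind the article describes. The
// base64 string is a placeholder, not a real payload.
const LOADER_SAMPLE = `
<html><body><script>
  var payload = "PGh0bWw+PC9odG1sPg==";
  var html = atob(payload);
  var blob = new Blob([html], { type: "text/html" });
  location.href = URL.createObjectURL(blob);
</script></body></html>`;

// Constructed sample 2: legitimate use of blob: URLs (a file download link).
const DOWNLOAD_SAMPLE = `
<html><body><script>
  const bytes = new Uint8Array([0x25, 0x50, 0x44, 0x46]);
  const link = document.getElementById("dl");
  link.href = URL.createObjectURL(new Blob([bytes], { type: "application/pdf" }));
</script></body></html>`;

// Constructed sample 3: an ordinary login form with no client-side rendering.
const PLAIN_SAMPLE = `
<html><body>
  <form method="post" action="/login">
    <input name="user"><input name="pass" type="password">
  </form>
</body></html>`;

const SAMPLE_PAGES = [
  { name: "loader.html", body: LOADER_SAMPLE },
  { name: "download.html", body: DOWNLOAD_SAMPLE },
  { name: "plain.html", body: PLAIN_SAMPLE },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_PAGES), null, 2));
}

module.exports = { SIGNALS, scoreBlobLoader, triage, SAMPLE_PAGES };
```

Run it with `node` against HTML bodies captured at the proxy or in a sandbox; only `loader.html` is reported. The point of requiring both blob-specific signals is to avoid flagging the many legitimate pages that mint `blob:` URLs for downloads or images, while still catching the pattern of decoding an embedded HTML document and navigating to it, which the rendered phishing page itself never exposes to a scanner.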
“This method makes detection and analysis especially difficult,” said Jacob Malimban of the Cofense Intelligence Team.
“The phishing page is created and rendered locally using a Blob URI. It is not hosted online, so it cannot be scanned or blocked in the usual way.”
Credentials entered on the spoofed page are silently exfiltrated to an external, threat-actor-controlled endpoint, leaving the victim none the wiser.
AI-based security filters also struggle to catch these attacks, because blob URIs are rarely used maliciously and may be poorly represented in training data. Researchers warn that unless detection methods evolve, the technique is likely to gain traction among attackers.
To defend against such threats, organizations are encouraged to adopt Firewall-as-a-Service (FWaaS) and Zero Trust Network Access (ZTNA) solutions, which can help secure access and flag suspicious login activity.