- Evades email security measures by sidestepping real servers entirely
- Blob URIs ensure that phishing content remains invisible to security filters
- No suspicious links or unreliable domains, just discreet credential theft through a counterfeit Microsoft login
Recent investigations have unveiled a wave of phishing attacks utilizing an unconventional technique that successfully steals login credentials, even if they are secured with encryption.
The findings from Cofense highlight that this method exploits blob URIs—a browser capability meant to display temporary local data—now misused by cybercriminals to launch phishing pages.
Blob URIs are generated and accessed solely within a user’s browser, meaning the phishing content lacks a presence on any public server. This obscurity renders detection nearly impossible for even the most sophisticated endpoint protection systems.
A stealthy method that evades detection
The phishing endeavors initiate with emails that cleverly maneuver past Secure Email Gateways (SEGs). Typically, these messages include a link to what seems to be a legitimate site, often masquerading as Microsoft’s OneDrive.
Yet, this facade simply serves as a middleman, loading an attacker-controlled HTML file whose script decodes embedded data and builds a blob URI from it.
This process culminates in a counterfeit login page that exactly mimics Microsoft’s login interface.
For unsuspecting victims, there are no obvious anomalies—no unsettling URLs or blatant indicators of fraud—just a prompt to sign in for a secure document or message. Once they engage with the ‘Sign in’ button, they are seamlessly redirected to another HTML file governed by the attackers, which generates a local blob URI delivering the spoofed login page.
Since blob URIs function solely within the browser’s memory and remain inaccessible beyond that session, conventional security measures cannot scan or halt the content.
“This approach complicates detection and analysis significantly,” remarked Jacob Malimban of the Cofense Intelligence Team.
“The phishing content is both generated and rendered on a local level using a blob URI, making it immune to traditional scanning methods.”
When credentials are entered on this deceptive page, they are quietly exfiltrated to a remote endpoint controlled by the attacker, leaving the victim in the dark.
Even AI-powered security solutions find these attacks challenging to intercept, as blob URIs are infrequently associated with malicious activity and may not be adequately represented in existing training datasets. Experts warn that unless detection mechanisms are adapted, these tactics could increasingly proliferate among cybercriminals.
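One way a defender can adapt detection to this chain is to inspect the intermediary HTML file itself, since that file must contain the mechanics (an in-memory `text/html` Blob, a `URL.createObjectURL` call, a decode step and a navigation) even though the rendered page never touches a server. The Node.js script below is an added example, not code from the article or from Cofense: it scores an HTML file against those indicators, also decoding long base64 string literals so a credential form hidden in the payload is seen. The indicator list, weights, threshold and both sample pages are assumptions constructed for illustration.

```javascript
// Added example (not from the article or Cofense): a static heuristic scanner
// for HTML files that assemble a page from a blob: URI in the browser.
// Indicator names, weights and the threshold are assumptions. Node.js, no deps.

const INDICATORS = [
  // An HTML document assembled in memory: new Blob([...], { type: "text/html" })
  { name: "blob-html", weight: 3,
    re: /new\s+Blob\s*\([\s\S]{0,300}?type\s*:\s*['"`]text\/html/i },
  // A blob: URL minted for that document
  { name: "object-url", weight: 2, re: /URL\.createObjectURL\s*\(/ },
  // A base64 payload decoded at runtime
  { name: "base64-decode", weight: 1, re: /\batob\s*\(/ },
  // The browser is steered to the generated URL
  { name: "navigation", weight: 1,
    re: /\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:assign|replace)\s*\(|window\.open\s*\(/ },
  // A credential prompt in literal or decoded markup
  { name: "password-field", weight: 1, re: /<input[^>]*type\s*=\s*['"]?password/i },
];

const SUSPICIOUS_THRESHOLD = 5; // assumed cut-off
const MAX_DECODE_DEPTH = 2;     // decoded payloads may embed further payloads

// Quoted base64-looking literals of 32+ characters (assumed minimum length).
const BASE64_LITERAL = /["']([A-Za-z0-9+\/]{32,}={0,2})["']/g;

// Decode candidate literals; keep only those that decode to clean text.
function decodedLiterals(text) {
  const out = [];
  for (const m of text.matchAll(BASE64_LITERAL)) {
    const decoded = Buffer.from(m[1], "base64").toString("utf8");
    if (!decoded.includes("\uFFFD")) out.push(decoded); // skip binary junk / random tokens
  }
  return out;
}

// Returns { score, matched, suspicious } for one HTML document.
function scanHtml(html, depth = 0) {
  const matched = new Set();
  for (const ind of INDICATORS) if (ind.re.test(html)) matched.add(ind.name);
  if (depth < MAX_DECODE_DEPTH) {
    for (const inner of decodedLiterals(html)) {
      for (const name of scanHtml(inner, depth + 1).matched) matched.add(name);
    }
  }
  const score = INDICATORS
    .filter((ind) => matched.has(ind.name))
    .reduce((sum, ind) => sum + ind.weight, 0);
  // Decisive combination: an in-memory HTML document handed to createObjectURL.
  const blobPageBuilt = matched.has("blob-html") && matched.has("object-url");
  return { score, matched: [...matched], suspicious: blobPageBuilt || score >= SUSPICIOUS_THRESHOLD };
}

// Constructed sample 1: legitimate use of a blob URL (offering a CSV download).
const BENIGN_SAMPLE = `<script>
  const csv = new Blob(["id,name"], { type: "text/csv" });
  const a = document.createElement("a");
  a.href = URL.createObjectURL(csv);
  a.download = "report.csv";
  a.click();
</script>`;

// Constructed sample 2: the intermediary file shape the article describes,
// with a harmless placeholder form standing in for the spoofed login page.
const PAYLOAD = Buffer.from('<form><input type="password" name="pw"></form>', "utf8").toString("base64");
const SUSPICIOUS_SAMPLE = `<script>
  const page = atob("${PAYLOAD}");
  const blob = new Blob([page], { type: "text/html" });
  location.href = URL.createObjectURL(blob);
</script>`;

for (const [label, html] of [["benign", BENIGN_SAMPLE], ["blob-chain", SUSPICIOUS_SAMPLE]]) {
  console.log(label, scanHtml(html));
}
```

The benign download page scores only on `URL.createObjectURL` and is not flagged, while the constructed intermediary file trips every indicator, including the password field that is only visible after decoding the embedded payload. In practice this logic belongs in a mail-gateway attachment scanner or a browser-side hook, and the weights should be tuned against an organization's own legitimate blob-URL usage.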
To bolster defenses against such threats, organizations are encouraged to implement Firewall-as-a-Service (FWaaS) and Zero Trust Network Access (ZTNA) frameworks to secure access and identify suspicious login behaviors.