Your antivirus will not see this coming. This is how blob-based phishing attacks quietly steal passwords from right under your nose
- Phishing attacks evade email gateways and security tools by never touching a real server
- Blob URIs mean that phishing content is not hosted online, so filters never see it coming
- No weird URLs, no dodgy domains, only silent theft from a fake Microsoft login page
Security researchers have discovered a series of phishing campaigns that use a rarely exploited technique to steal login credentials, even when those credentials are protected by encryption.
New research by Cofense warns that the method relies on blob URIs, a browser feature designed to display temporary local content, which cybercriminals are now abusing to deliver phishing pages.
Blob URIs are created and accessed entirely within a user's browser, which means that the phishing content never exists on a public server. This makes it extremely difficult for even the most advanced endpoint protection systems to detect.
A hidden technique that slips past defenses
In these campaigns, the phishing process begins with an email that easily bypasses secure email gateways (SEGs). These emails usually contain a link to what appears to be a legitimate page, often hosted on familiar domains such as Microsoft's OneDrive.
However, this first page does not host the phishing content directly. Instead, it acts as an intermediary, silently loading a threat actor-controlled HTML file that decodes into a blob URI.
The result is a fake login page displayed in the victim's browser, designed to closely imitate the Microsoft login portal.
For the victim, nothing appears out of place: no strange URLs or clear signs of fraud, just a prompt to log in to view a secure message or to open a document. As soon as they click 'Sign in', the page redirects to another attacker-controlled HTML file, which generates a local blob URI that displays the spoofed login page.
Because blob URIs operate entirely in the browser's memory and are inaccessible from outside the session, traditional security tools cannot scan or block the content.
“This method makes detection and analysis especially difficult,” said Jacob Malimban of the Cofense Intelligence team.
“The phishing page is made and displayed locally using a blob URI. It is not hosted online, so it cannot be scanned or blocked in the usual way.”
Credentials entered on the spoofed page are quietly exfiltrated to an external threat actor, so the victim remains unaware.
AI-based security filters also struggle to catch these attacks, because blob URIs are rarely used maliciously and may not be well represented in training data. Researchers warn that unless detection methods evolve, this technique is likely to gain traction among attackers.
To defend against such threats, organizations are encouraged to adopt advanced firewall-as-a-service (FWaaS) and zero trust network access (ZTNA) solutions that can help secure access and flag suspicious login activity.
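The intermediary HTML file described above has to build the blob with standard browser APIs, which gives defenders something to triage when that file is captured by a proxy, sandbox or attachment scanner. The following is an added example, not code from Cofense or the original article: a JavaScript heuristic that flags markup which builds a `text/html` blob, turns it into an object URL and navigates to it. The indicator names, verdict levels and both sample inputs are constructed assumptions.

```javascript
// Added example: static triage of captured HTML/JS for blob-URI page construction.
// Indicator names and verdict levels are assumptions chosen for illustration.
const INDICATORS = [
  { name: "creates_blob", re: /new\s+Blob\s*\(/ },
  { name: "html_mime_type", re: /type\s*:\s*["']text\/html["']/i },
  { name: "object_url", re: /URL\s*\.\s*createObjectURL\s*\(/ },
  { name: "decodes_payload", re: /\batob\s*\(|fromCharCode|decodeURIComponent\s*\(/ },
  // Top-level navigation, popup, or frame source set from script.
  { name: "navigates_to_result",
    re: /\blocation\s*(\.\s*(href|replace|assign))?\s*(=(?!=)|\()|window\s*\.\s*open\s*\(|\.src\s*=(?!=)/ },
];

function triageBlobLoader(source) {
  const hits = INDICATORS.filter((i) => i.re.test(source)).map((i) => i.name);
  const has = (n) => hits.includes(n);
  // A blob typed as HTML and exposed through an object URL is the core signal.
  const rendersHtmlBlob =
    has("creates_blob") && has("html_mime_type") && has("object_url");
  let verdict = "benign";
  if (rendersHtmlBlob) verdict = "review";
  if (rendersHtmlBlob && has("navigates_to_result")) {
    // Decoding an embedded payload before rendering raises the priority.
    verdict = has("decodes_payload") ? "high" : "suspicious";
  }
  return { verdict, hits };
}

// Constructed sample: ordinary use of a blob for a CSV download.
const BENIGN_SAMPLE = `<script>
const blob = new Blob([csvText], { type: "text/csv" });
link.href = URL.createObjectURL(blob);
link.download = "report.csv";
</script>`;

// Constructed sample with an inert placeholder instead of any real payload.
const SUSPICIOUS_SAMPLE = `<script>
const html = atob("BASE64_PLACEHOLDER");
const b = new Blob([html], { type: "text/html" });
window.location.href = URL.createObjectURL(b);
</script>`;

console.log(triageBlobLoader(BENIGN_SAMPLE));
console.log(triageBlobLoader(SUSPICIOUS_SAMPLE));
```

Regex matching of this kind is defeated by obfuscated script, so a "benign" verdict only means none of these plain-text indicators were present.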