A sophisticated, memory-resident phishing campaign called BlobPhish, active since October 2024, that exploits browser Blob URL APIs to silently steal credentials from Microsoft 365 users, major U.S. banks, and financial platforms while remaining almost completely invisible to traditional security tools.<\/p>\n
BlobPhish is a sustained credential-phishing operation that fundamentally changes how phishing pages are delivered to victims.<\/p>\n
Rather than hosting fake login pages<\/a> on attacker-controlled servers and serving them over standard HTTP, BlobPhish generates phishing pages\u00a0entirely inside the victim\u2019s browser<\/em>\u00a0using JavaScript Blob objects.<\/p>\n The result is a phishing payload that exists only in memory, leaving no file on disk, no cache artifact, and no suspicious HTTP request in proxy logs for security tools to flag.<\/p>\n Close the gap before it becomes business risk<\/u><\/a>.<\/strong> Give your SOC full visibility into suspicious activity.<\/p>\n First observed in October 2024, the campaign has run uninterrupted for over 18 months and recorded a significant spike in activity in February 2026, confirming it as a mature, well-maintained threat operation rather than a short-lived opportunistic attack.<\/p>\n Accelerate investigations and stop incidents earlier<\/strong><\/u><\/a>. Leverage threat intelligence to improve threat visibility.<\/p>\n The BlobPhish kill chain is elegantly designed to defeat both network-based and file-based defenses:<\/p>\n BlobPhish impersonates a broad list of high-value platforms, including\u00a0Microsoft 365, OneDrive, SharePoint, Chase, Capital One, FDIC, E*TRADE, Charles Schwab, Morgan Stanley\/Merrill Lynch, American Express, PayPal, and Intuit.<\/p>\n Although financial and cloud-productivity lures dominate, victim organizations span Finance, Manufacturing, Education, Government, Transport, and Telecommunications sectors.<\/p>\n Geographically, approximately\u00a0one-third of observed victims are U.S.-based, with additional activity recorded across Germany, Poland, Spain, Switzerland, the UK, Australia, South Korea, Saudi Arabia, Qatar, Jordan, India, and Pakistan.<\/p>\n The\u00a0 A single successful BlobPhish compromise can cascade into\u00a0Business Email Compromise (BEC) fraud, full Microsoft 365 tenant takeover, unauthorized wire transfers, investment account manipulation, and ransomware deployment following lateral movement.<\/p>\n Regulatory consequences, including GDPR 72-hour breach notification, SEC cybersecurity incident disclosure, and FFIEC authentication guidance, add material legal exposure on top of operational damage.<\/p>\n Additional compromised domains include\u00a0 Security teams should take the following priority actions:<\/p>\n BlobPhish demonstrates that the phishing threat has outpaced perimeter and static-signature defenses.<\/p>\n Effective protection now demands dynamic behavioral analysis, continuous threat hunting, and automated intelligence propagation operating at the speed of attacker infrastructure rotation.<\/p>\n Prevent high-stakes credential attacks with enterprise-grade<\/strong><\/u><\/a>\u00a0intelligence. Reduce risk, not just response time.<\/p>\n The post New BlobPhish Attack Leverages Browser Blob Objects to Steal Users\u2019 Login Credentials<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjFle5jzl5JuTw-xkcVAqa2WxGIVjRPnPKnx-blcyU63jQW3qFYnx504amxHsclbGQPxbkdGVyPgnuBqhbGJiLM5qTGmjJ37suAsWmPnbnzc_b4yeyAgj6mU39-yNHkWyTTNjXg5B7SNnYbiMK2WtiNIzhOhHjDw4lqxGw_-RShpKkD_zrnBXtS-fYU5mU\/s16000\/blob_2-1536x723%2520%281%29.webp?ssl=1\")
BlobPhish kill chain<\/strong><\/h2>\n
\n
<a><\/code>\u00a0anchor element, Base64-decodes a bundled phishing payload<\/a> using\u00a0atob()<\/code>, constructs a\u00a0Blob<\/code>\u00a0object of type\u00a0text\/html<\/code>, generates a\u00a0blob:https:\/\/<\/code>\u00a0URL via\u00a0window.URL.createObjectURL()<\/code>, and forces the browser to navigate to it \u2014 all without any visible user interaction.<\/li>\n<\/ul>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiPjd4hzDl8gi20V2y7MBLu8btmSEVhpxSMPCy2rFfQQkBEw0tevR0nx262YWW5XMJeBkOBZrC8tE17yYvgJmKhWXGdXHGCEOO3wJ6cZEVLM-gHLcSphPkH_bsZ6qRIW6pitfCFTzs8yuuijK406pYYHFToepr23MNdbSGZHylRTrnp4kAOEa-P8EPklw0\/s16000\/blob_3%2520%281%29.webp?ssl=1\")
\n
window.URL.revokeObjectURL()<\/code>\u00a0and removes the anchor element from the DOM, destroying any remaining in-memory trace of the loader\u2019s operation.<\/li>\n<\/ul>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhJ0QbEXdKSi0swlMc_0qOh7ynvLDgWrDa7e1gtTUB_CTGbLaClXPjdgn3iBF9eWfOTvvNgA_B-5KdizQwmyMbP5PLbIYweHEyVHcA4hfq9hqoDNE0aZbH1UsnADQcdnPdBlc6nmfcgBqzaSgG-krGU9v6OzMWgYjUZ-0RZiat7SS1kVMSojvNQ2AQXz3c\/s16000\/blob_5-1%2520%281%29.webp?ssl=1\")
\n
blob:https:\/\/<\/code>\u00a0URL, which can appear legitimate to an untrained eye. A failed-login counter forces victims to re-enter credentials multiple times, maximizing harvest accuracy. Captured data is exfiltrated via HTTP POST to attacker-controlled endpoints matching the pattern\u00a0*\/res.php<\/code>,\u00a0*\/tele.php<\/code>, or\u00a0*\/panel.php<\/code>\u00a0\u2014 hosted predominantly on compromised legitimate WordPress sites.<\/li>\n<\/ul>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi5jrnqXOiF4HmfH8Ip4FstixOxfQMfXERHkTkefEqrY78Yqy3UT4Ezgq7CjdsTB0jV4WAY6xn7OkfJAGHAutwykzh8NNmc_d5iLGCZut7EpLMgf-I2dp2ykv4ruoLgtkRV1_5hm7gCuP16kkr1sfiYpG_p6sVR1N4eZiidtGmFhfHLZCkKwk7X27GA1VE\/s16000\/blob_10%2520%281%29.webp?ssl=1\")
BlobPhish Evades Conventional Defenses<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi0y3R8Z0Gk2O40Bz_iDGCZ8tRpDwrDdgGZQfvOuLSbIqs3-Bxqgzj0WYO5_iXC1s3Akh6d-d6-yLm4qdJQQ5vPkI-XQWspgFE6tjyD11FzR8wpIwx9Yd_u7f6Dq8srcdRFQxQlSsOjE_Jk9kWnHV0wl8GA9hK0eHfy0hFU8g02xi7yzrod1q3DOvWY5Fc\/s16000\/blob_13%2520%281%29.webp?ssl=1\")
blob:https:\/\/<\/code>\u00a0scheme is the campaign\u2019s core evasion innovation. Because the phishing page is never transmitted over the network as a standalone HTTP response:<\/p>\n\n
Key Indicators of Compromise (IOCs)<\/strong><\/h2>\n
\n\n
\n \nIOC Type<\/th>\n Example<\/th>\n<\/tr>\n<\/thead>\n \n Loader URL<\/td>\n hxxps[:\/\/]mtl-logistics[.]com\/blb\/blob[.]html<\/code><\/td>\n<\/tr>\n\n Exfiltration endpoint<\/td>\n hxxps[:\/\/]mtl-logistics[.]com\/css\/sharethepoint\/point\/res[.]php<\/code><\/td>\n<\/tr>\n\n Capital One exfil<\/td>\n hxxps[:\/\/]wajah4dslot[.]com\/wp-includes\/certificates\/tmp\/\/res[.]php<\/code><\/td>\n<\/tr>\n\n Chase Banking exfil<\/td>\n hxxps[:\/\/]hnint[.]net\/cgi-bin\/peacemind\/\/res[.]php<\/code><\/td>\n<\/tr>\n\n E*TRADE exfil<\/td>\n hxxps[:\/\/]ftpbd[.]net\/wp-content\/plugins\/cgi-\/trade\/trade\/\/res[.]php<\/code><\/td>\n<\/tr>\n\n tele.php variant<\/td>\n hxxps[:\/\/]_wildcard_[.]gonzalezlawnandlandscaping[.]com\/\u2026\/tele[.]php<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\nlarva888[.]com<\/code>,\u00a0riobeautybrazil[.]com<\/code>,\u00a0i-seotools[.]com<\/code>, and\u00a0mts-egy[.]net<\/code>.<\/p>\nDefensive Recommendations<\/strong><\/h2>\n
\n
BlobPhishLoaderHTML<\/code>\u00a0YARA rule and URL pivot queries (url:\"\/res.php$\"<\/code>,\u00a0url:\"*\/blob.html$\"<\/code>) in threat intelligence platforms<\/li>\nblob:https:\/\/<\/code>\u00a0URLs in browser address bars as a red flag<\/li>\n<\/ul>\n