Cybersecurity experts have identified a sophisticated phishing technique that exploits blob URIs (Uniform Resource Identifiers) to evade detection by Secure Email Gateways (SEGs) and security analysis tools<\/a>.<\/p>\n This emerging attack method leverages the unique properties of blob URIs, which are designed to display temporary data that can only be accessed by the browser that generated it.<\/p>\n Unlike standard phishing sites that can be crawled and analyzed, blob URI-based attacks create credential harvesting pages that exist solely in the victim\u2019s browser memory, making them nearly invisible to traditional security measures<\/a>.<\/p>\n The attack begins with a seemingly innocuous email containing links to legitimate, allowlisted websites rather than directly to malicious domains.<\/p>\n This initial misdirection helps the phishing attempt bypass email security filters that typically block messages with suspicious links.<\/p>\n Upon reaching these intermediary pages, victims are then redirected through a series of steps that ultimately generate a local blob URI containing the actual phishing content.<\/p>\n Cofense researchers identified<\/a> this technique starting in mid-2022 and have observed its growing adoption among threat actors.<\/p>\n According to their analysis, this method is particularly effective because the final credential phishing page exists only in the victim\u2019s browser, leaving no external URL for security tools to scan or block.<\/p>\n This technical limitation creates a significant blind spot in conventional phishing detection systems.<\/p>\n The infection chain follows a sophisticated multi-stage process. After the initial email bypasses the SEG, users are directed to legitimate services such as Microsoft OneDrive<\/a>.<\/p>\n What appears to be a standard login page<\/a> or document access screen is actually a carefully crafted redirection mechanism.<\/p>\n When victims click to \u201cSign in\u201d or \u201cView document,\u201d they are seamlessly directed to a threat actor-controlled HTML page that generates a blob URI locally in the victim\u2019s browser.<\/p>\n The resulting phishing page, rendered from the blob URI (typically appearing as \u201cblob:https:\/\/domain.com\/random-string\u201d in the address bar), presents convincing login forms mimicking services like Microsoft 365 or OneDrive.<\/p>\n Despite existing only in the local browser memory, these pages contain hidden functionality to exfiltrate captured credentials to remote servers controlled by the attackers.<\/p>\n This technique represents a concerning evolution in phishing tactics, as it effectively circumvents both technological defenses and standard user awareness training that emphasizes checking URL validity before entering credentials.<\/p>\n The post New Phishing Attack Abusing Blob URLs to Bypass SEGs and Evade Analysis<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgG7U0IKXzQFv8OdxtB4L-NGmN0L-iOwfgOqO3L28oLRoaYdfcEkbzDj4lyupGCwDEP8Ubh1U6imxjYiTwOJJK2lidCYuFvd3nesQuQ9S1CKMuoQCl50gk2Kx-gSclsGAnujyZwTjgAjhyphenhyphendqUq8yv4czrI4uzUYLKZqCQ2GAl7QeHSPKKEg6EuX7ZG0m-s\/s16000\/Infection%2520chain%2520%28Source%2520-%2520Cofense%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEghJXyTm60eFhPycUYryJS7JM1yjnT9T0fXnbxaQI28lhAJSBFnfsjOXfF1U9ysgCcTPO0f0A62c6g1-P6z-mPJorfj6zWHEIaMaybPPbyiY1e3ARtlXVxzZZVvSYmRBwB7NXZAixppFkWfN_s7bvTTy7-MYn-Z4Yg_75I0mbwX09xdRuYNUjEECwqBbcI\/s16000\/Intermediary%2520site%2520before%2520redirecting%2520to%2520the%2520phishing%2520site%2520is%2520onedrive%255B.%255Dlive%255B.%255Dcom%2520%28Source%2520-%2520Cofense%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiWSH2NouuaIkx6VvRCMEC8wnQ9rdBAYlc9cBGq9-l5uPB5R6HD67zH999JwK1VU0NJQk0cHPKLh4G0lehGuETHK8ENwn4HguagBQif0L_GpS88pvkLCE-ZSVZv4DhrU-7XFTdl1vZiTvZkQ3o5R_L4ay_U5tVSfkGJjohUUeNhCrPOOjEUhnWU27WzKNk\/s16000\/A%2520blob%2520URI%2520page%2520spoofing%2520a%2520OneDrive%2520login%2520%28Source%2520-%2520Cofense%29.webp?ssl=1\")
Are you from the SOC and DFIR Teams? \u2013 Analyse Real time Malware Incidents with ANY.RUN ->\u00a0Start Now for Free<\/a>.<\/strong><\/code><\/strong><\/p>\n