- Bypasses email gateways and security tools by never hitting a real server
- Blob URIs mean phishing content isn’t hosted online, so filters never see it coming
- No weird URLs, no dodgy domains, just silent theft from a fake Microsoft login page
Security researchers have uncovered a series of phishing campaigns that use a rarely exploited technique to steal login credentials, even when those credentials are protected by encryption.
New research from Cofense warns the method relies on blob URIs, a browser feature designed to display temporary local content, and cybercriminals are now abusing this feature to deliver phishing pages.
Blob URIs are created and accessed entirely within a user’s browser, meaning the phishing content never exists on a public-facing server. This makes it extremely difficult for even the most advanced endpoint protection systems to detect.
A hidden technique that slips past defenses
In these campaigns, the phishing process begins with an email that easily bypasses Secure Email Gateways (SEGs). These emails typically contain a link to what appears to be a legitimate page, often hosted on trusted domains such as Microsoft’s OneDrive.
However, this initial page doesn’t host the phishing content directly. Instead, it acts as an intermediary, silently loading a threat-actor-controlled HTML file that decodes into a blob URI.
The result is a fake login page rendered within the victim’s browser, designed to closely mimic Microsoft’s sign-in portal.
To the victim, nothing seems out of place – no strange URLs or obvious signs of fraud – just a prompt to log in to view a secure message or access a document. Once they click ‘Sign in,’ the page redirects to another attacker-controlled HTML file, which generates a local blob URI that displays the spoofed login page.
Because blob URIs operate entirely within the browser’s memory and are inaccessible from outside the session, traditional security tools are unable to scan or block the content.
“This method makes detection and analysis especially tricky,” said Jacob Malimban of the Cofense Intelligence Team.
“The phishing page is created and rendered locally using a blob URI. It’s not hosted online, so it can’t be scanned or blocked in the usual way.”
Credentials entered on the spoofed page are silently exfiltrated to a remote threat actor endpoint, leaving the victim unaware.
AI-based security filters also struggle to catch these attacks, as blob URIs are rarely used maliciously and may not be well-represented in training data. Researchers warn that unless detection methods evolve, this technique is likely to gain traction among attackers.
To defend against such threats, organizations are urged to adopt advanced Firewall-as-a-Service (FWAAS) and Zero Trust Network Access (ZTNA) solutions that can help secure access and flag suspicious login activity.
