Cybersecurity experts have uncovered a new phishing method that exploits blob URLs (Uniform Resource Identifiers) to bypass Secure Email Gateways (SEGs) and evade detection by security analysis tools.
Blob URLs are typically used to display temporary data accessible only by the browser that created it. Unlike traditional phishing sites that can be crawled and analyzed by security systems, attacks using blob URLs create credential-harvesting pages that exist solely in the victim’s browser memory, making them nearly invisible to conventional security measures.
The attack starts with a seemingly harmless email containing links to legitimate, trusted websites, avoiding direct links to malicious domains. This tactic helps the phishing email bypass standard email security filters, which often block suspicious links.
Victims are then redirected through intermediary pages, eventually reaching a locally generated blob URL containing the actual phishing content. Researchers at Cofense first identified this method in mid-2022 and have noticed an increase in its use among cybercriminals.
According to their findings, this approach is effective because the phishing page exists only within the victim’s browser, with no external URL for security tools to scan or block. This creates a significant gap in traditional phishing detection systems.
The attack unfolds in multiple stages. After the initial email bypasses the SEG, victims are directed to legitimate services like Microsoft OneDrive. What appears to be a normal login page or document access screen is actually a redirection mechanism controlled by attackers.
When victims click “Sign in” or “View document,” they are redirected to a page that generates a blob URL in their browser. The resulting phishing page, shown as “blob:domain.com” in the address bar, mimics trusted services like Microsoft 365 or OneDrive.
Even though these phishing pages exist only in the victim’s browser memory, they are equipped with hidden functions to steal credentials and send them to remote servers controlled by the attackers.
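The detection gap described above can be checked on the client side, since the browser is the only place the page exists. The following is an added defensive example, not code from the article or from Cofense: a content-script style heuristic that splits a blob URL into its creating origin and object id, then flags a page that is both blob-backed and presents a password field. The function names, the `example.test` origin and the sample markup are constructed for illustration.

```javascript
// Added example (not from the article): classify the page a user is looking at,
// as a browser-extension content script or a training checker might.
const BLOB_PREFIX = "blob:";

// Split a blob URL into the origin that created it and the opaque object id.
// Returns null when the input is not a blob URL. Blob URLs created from an
// opaque origin look like "blob:null/<id>", so a parse failure maps to "null".
function parseBlobUrl(href) {
  if (typeof href !== "string" || !href.startsWith(BLOB_PREFIX)) return null;
  const rest = href.slice(BLOB_PREFIX.length);
  let inner;
  try {
    inner = new URL(rest);
  } catch {
    return { origin: "null", objectId: rest.replace(/^null\//, "") };
  }
  return { origin: inner.origin, objectId: inner.pathname.replace(/^\//, "") };
}

// Heuristic: a credential form served from a blob: URL is the pattern described
// above, and no URL scanner can fetch such a page for analysis. A password form
// on an ordinary https page is left at "low" here; that is out of scope.
function assessPage(href, html) {
  const blob = parseBlobUrl(href);
  const hasPasswordField = /<input[^>]*type\s*=\s*["']?password/i.test(html);
  const findings = [];
  let risk = "low";
  if (blob) {
    findings.push(`content exists only in browser memory, created by ${blob.origin}`);
    risk = "medium";
    if (hasPasswordField) {
      findings.push("credential form served from a blob: URL");
      risk = "high";
    }
  }
  const origin = blob ? blob.origin : new URL(href).origin;
  return { risk, origin, findings };
}

// Constructed sample input: an address-bar URL and page markup of the kind
// described, not captured from a real campaign.
const SAMPLE_HREF = "blob:https://example.test/3f1c2d9e-0000-4aaa-8bbb-000000000000";
const SAMPLE_HTML =
  '<form><input name="user"><input type="password" name="pw"></form>';

const SAMPLE_RESULT = assessPage(SAMPLE_HREF, SAMPLE_HTML);
console.log(JSON.stringify(SAMPLE_RESULT, null, 2));
```

The origin returned for a blob URL is the site that created it, which is why a legitimate-looking origin in the address bar says nothing about the page content.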
This new phishing tactic poses a serious challenge to both technological defenses and standard user training, which typically advises users to verify the legitimacy of URLs before entering their credentials.