Phishing Campaign Uses Blob URLs to Bypass Email Security and Avoid Detection
Cybersecurity researchers at Cofense Intelligence have identified a sophisticated phishing tactic leveraging Blob URIs (Uniform Resource Identifiers) to deliver credential phishing pages directly to users’ inboxes while evading traditional email security measures.
Blob URIs, typically used by browsers to handle temporary data like images, audio, or video files, are now being weaponized by threat actors to bypass Secure Email Gateways (SEGs) and hinder automated analysis.
Legitimate platforms like YouTube use Blob URIs to store data locally in a user’s browser (which keeps access under the page’s control and reduces network traffic), but this same mechanism is being abused to render malicious HTML content that appears authentic to unsuspecting victims.
Evasion Technique Exploits Browser
The attack chain begins with a phishing email that slips past SEG defenses, often using a lure related to encrypted messages, financial alerts, or tax account access.
Instead of linking directly to a malicious site, the email directs users to an intermediary, allowlisted domain such as onedrive.live.com, a legitimate Microsoft cloud storage service.
This step ensures the email avoids immediate flagging by security systems.
From there, the allowlisted page redirects to a threat actor-controlled HTML page, which decodes and stores a credential phishing page as a Blob URI in the victim’s browser memory.
Identifiable by prefixes like “blob:http://” or “blob:https://”, these URIs reference local data inaccessible over the internet, making them nearly impossible to analyze remotely.
The phishing page, often mimicking trusted services like OneDrive, tricks users into entering credentials, which are then exfiltrated to the attacker’s endpoint.

How Blob URIs Facilitate Stealthy Attacks
According to the Cofense report, what makes this technique particularly insidious is its ability to evade detection.
Since Blob URIs are browser-specific and locally generated, they cannot be accessed or scanned by external security tools in the same way traditional phishing URLs can.
Moreover, the use of legitimate intermediary sites adds a layer of credibility, reducing suspicion among users.
For instance, victims landing on a genuine Microsoft page are unlikely to spot red flags before being redirected to the malicious Blob URI-hosted login form.

This combination of unusual tactics and multiple redirects exploits gaps in AI-driven detection models, which may not yet be trained to distinguish between legitimate and malicious Blob URI usage.
The adoption of Blob URIs in phishing campaigns marks a concerning trend in cybercrime, as it capitalizes on a relatively obscure browser feature to sidestep conventional defenses.
With SEGs struggling to identify these locally rendered threats, the technique’s usage is expected to grow if left unchecked.
Defenders face significant challenges in adapting to this evasion method, as automated analysis tools are limited in their ability to inspect content that exists only within a user’s browser.
As threat actors continue to refine their methods, organizations must prioritize user awareness and implement advanced behavioral analysis to detect anomalies in email interactions.
The intersection of legitimate technology and malicious intent showcased by Blob URI attacks underscores the ever-evolving nature of cybersecurity threats, demanding vigilance and innovation to stay ahead of adversaries.