New Phishing Attack Abusing Blob URLs to Bypass SEGs and Evade Analysis


May 12, 2025 - 09:02

Cybersecurity experts have identified a sophisticated phishing technique that exploits blob URIs (Uniform Resource Identifiers) to evade detection by Secure Email Gateways (SEGs) and security analysis tools.

This emerging attack method leverages the unique properties of blob URIs, which are designed to display temporary data that can only be accessed by the browser that generated it.

Unlike standard phishing sites that can be crawled and analyzed, blob URI-based attacks create credential harvesting pages that exist solely in the victim’s browser memory, making them nearly invisible to traditional security measures.

The attack begins with a seemingly innocuous email containing links to legitimate, allowlisted websites rather than directly to malicious domains.

This initial misdirection helps the phishing attempt bypass email security filters that typically block messages with suspicious links.

Upon reaching these intermediary pages, victims are then redirected through a series of steps that ultimately generate a local blob URI containing the actual phishing content.

Cofense researchers identified this technique starting in mid-2022 and have observed its growing adoption among threat actors.

According to their analysis, this method is particularly effective because the final credential phishing page exists only in the victim’s browser, leaving no external URL for security tools to scan or block.

This technical limitation creates a significant blind spot in conventional phishing detection systems.

Infection chain (Source – Cofense)

The infection chain follows a sophisticated multi-stage process. After the initial email bypasses the SEG, users are directed to legitimate services such as Microsoft OneDrive.

Intermediary site before redirecting to the phishing site is onedrive[.]live[.]com (Source – Cofense)

What appears to be a standard login page or document access screen is actually a carefully crafted redirection mechanism.

When victims click to “Sign in” or “View document,” they are seamlessly directed to a threat actor-controlled HTML page that generates a blob URI locally in the victim’s browser.

A blob URI page spoofing a OneDrive login (Source – Cofense)

The resulting phishing page, rendered from the blob URI (typically appearing as “blob:https://domain.com/random-string” in the address bar), presents convincing login forms mimicking services like Microsoft 365 or OneDrive.

Despite existing only in the local browser memory, these pages contain hidden functionality to exfiltrate captured credentials to remote servers controlled by the attackers.
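Because the blob: page is never served by any host, the only artefacts a SEG, detonation sandbox or analyst can still inspect are the threat-actor HTML page that creates the blob and the address bar the victim sees. The scanner below is an added example written for this article (not Cofense's tooling) that works on exactly those two artefacts: it scores fetched HTML/JavaScript for the combination of an in-memory `text/html` Blob, a navigation to the generated object URL and credential-form markup, while leaving ordinary client-side file downloads alone, and it splits a `blob:https://domain.com/random-string` address into the creating origin and the blob id. The origin after `blob:` names the page that called `URL.createObjectURL`, not a server hosting the content, which is why there is nothing to fetch or block by URL. The sample pages, regexes, thresholds and verdict strings are this example's own assumptions.

```python
"""Heuristic scanner for pages that render a login form from a blob: URL.

Added example, not Cofense's tooling. It inspects the HTML/JS that a SEG
or analyst can still fetch (the redirecting page), because the blob: page
itself never exists on any server.
"""
import re
from urllib.parse import urlparse

# Indicators. None is proof on its own: file-download and preview features
# also call URL.createObjectURL, so the scanner requires a combination.
RE_CREATE = re.compile(r"\b(\w+)\s*=\s*(?:window\.)?URL\.createObjectURL\s*\(", re.I)
RE_HTML_BLOB = re.compile(r"new\s+Blob\s*\([^;]*?type\s*:\s*['\"]text/html['\"]", re.I | re.S)
RE_DOWNLOAD = re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.I)
RE_CREDENTIAL = re.compile(r"type\s*=\s*['\"]password['\"]|sign\s*in|password", re.I)
RE_INLINE_NAV = re.compile(r"location(?:\.href)?\s*=\s*(?:window\.)?URL\.createObjectURL", re.I)


def navigation_targets(html):
    """Return the object-URL variables (or '<inline>') used as a navigation target."""
    targets = set()
    if RE_INLINE_NAV.search(html):
        targets.add("<inline>")
    for name in set(RE_CREATE.findall(html)):
        n = re.escape(name)
        pat = re.compile(
            rf"(?:location(?:\.href)?\s*=\s*{n}\b|location\.(?:assign|replace)\s*\(\s*{n}\b|window\.open\s*\(\s*{n}\b)",
            re.I,
        )
        if pat.search(html):
            targets.add(name)
    return targets


def score_page(html):
    """Score fetched HTML/JS; verdict strings are this example's own."""
    indicators = []
    creates = bool(re.search(r"URL\.createObjectURL\s*\(", html, re.I))
    if creates:
        indicators.append("createObjectURL")
    html_blob = bool(RE_HTML_BLOB.search(html))
    if html_blob:
        indicators.append("text/html blob")
    nav = navigation_targets(html)
    if nav:
        indicators.append("navigates to generated blob URL")
    creds = bool(RE_CREDENTIAL.search(html))
    if creds:
        indicators.append("credential form markup")
    if RE_DOWNLOAD.search(html):
        indicators.append("download attribute")

    if creates and html_blob and nav and creds:
        verdict = "likely blob-rendered credential page"
    elif creates and html_blob and nav:
        verdict = "blob-rendered page, review"
    elif creates:
        verdict = "createObjectURL present, likely download/preview"
    else:
        verdict = "no blob indicators"
    return {"verdict": verdict, "indicators": indicators}


def blob_origin(address_bar_url):
    """Split 'blob:https://domain.com/uuid' into (creating origin, blob id).

    The origin is the page that called createObjectURL; it is not a server
    hosting the content, so it identifies the generating page, nothing more.
    """
    parsed = urlparse(address_bar_url)
    if parsed.scheme != "blob":
        return None
    inner = urlparse(parsed.path)
    return f"{inner.scheme}://{inner.netloc}", inner.path.lstrip("/")


# Constructed sample of the redirecting-page shape described in the article:
# it builds an HTML document in memory and sends the tab to it.
SUSPECT_PAGE = """
<script>
  const page = '<form><input type="password" name="pw"><button>Sign in</button></form>';
  const u = URL.createObjectURL(new Blob([page], {type: 'text/html'}));
  location.href = u;
</script>
"""

# Constructed benign page: a routine client-side CSV export.
BENIGN_PAGE = """
<script>
  const csv = 'id,name\\n1,alice';
  const a = document.createElement('a');
  a.href = URL.createObjectURL(new Blob([csv], {type: 'text/csv'}));
  a.download = 'export.csv';
  a.click();
</script>
"""

if __name__ == "__main__":
    for label, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        print(label, score_page(page))
    print(blob_origin("blob:https://domain.com/0b5e1a2c-constructed"))
```

Run against the redirecting page a SEG or sandbox did manage to fetch, the verdict separates the in-memory login page from the download pattern that would otherwise drown a plain `createObjectURL` rule in false positives; the `blob_origin` split is what lets an analyst reading a victim's screenshot attribute the page to the site that generated it rather than to the brand it imitates.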

This technique represents a concerning evolution in phishing tactics, as it effectively circumvents both technological defenses and standard user awareness training that emphasizes checking URL validity before entering credentials.


The post New Phishing Attack Abusing Blob URLs to Bypass SEGs and Evade Analysis appeared first on Cyber Security News.