
A blob URI page spoofing a OneDrive login | Image: Cofense
Cofense Intelligence has detected a new technique used by threat actors to successfully deliver credential phishing pages to users’ inboxes: the use of blob URIs. This method, observed since mid-2022, allows attackers to bypass Secure Email Gateways (SEGs) and deliver phishing pages in a way that can be difficult for automated analysis to detect.
Blob URIs (Uniform Resource Identifiers) are generated by a browser to display and work with temporary data that is only accessible by that specific browser. As the report states, “Blob URIs are generated by a browser to display and work with temporary data that only that browser can access. No other browser can access a blob URI except the one that generated it.”
This makes them different from traditional website URLs. Common uses of blob URIs include temporarily storing videos for platforms like YouTube. These URIs begin with prefixes like blob:http:// or blob:https:// and cannot be accessed by other browsers or over the internet, only by the browser session that generated them.
The report outlines a sophisticated infection chain:

- A phishing email, containing a link to an intermediary, allowlisted page, bypasses a SEG and reaches the user’s inbox.
- The user clicks on the link, landing on the abused allowlisted page.
- This page redirects the user to a threat actor-controlled HTML page.
- The threat actor’s HTML page decodes another HTML file into a blob format, stored locally.
- The locally stored blob URI then loads the credential phishing page in the user’s browser.
- Although the phishing page is local, it is designed to exfiltrate any entered credentials to a threat actor’s server.
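A static check for the decode-to-blob-then-navigate chain described above, added here as an example for analysts (it is not Cofense's code). The two embedded page snippets are constructed, the indicator names are assumptions, and the payload reference in the suspicious sample is a placeholder, not real content.

```python
import re

# Script patterns a page-analysis step can look for when a page builds a
# blob: URI from decoded data and then sends the browser to it.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bURL\.createObjectURL\s*\("),
    "html_mime": re.compile(r"['\"]text/html['\"]"),
    "navigation": re.compile(
        r"(?:location\s*(?:\.href\s*=|\.assign\s*\(|\.replace\s*\()|window\.open\s*\()"
    ),
}

# Constructed benign page: a blob: URI used for a client-side CSV download.
BENIGN_SAMPLE = """<script>
  const rows = "id,name\\n1,alice\\n";
  const blob = new Blob([rows], {type: "text/csv"});
  const a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "export.csv";
  a.click();
</script>"""

# Constructed suspicious page: decoded HTML wrapped in a Blob and navigated to.
# ENCODED_PAGE is a placeholder name; no payload is embedded here.
SUSPICIOUS_SAMPLE = """<script>
  const page = atob(ENCODED_PAGE);
  const blob = new Blob([page], {type: "text/html"});
  location.replace(URL.createObjectURL(blob));
</script>"""


def scan_page(html: str) -> dict:
    """Report which indicators fire and whether they form the full chain."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    # A download helper also calls createObjectURL, so the verdict requires
    # the text/html type and a navigation step, not the blob API alone.
    core = ("blob_construct", "object_url", "html_mime", "navigation")
    suspicious = all(hits[k] for k in core)
    return {"hits": hits, "suspicious": suspicious}


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, scan_page(sample))
```

Because the final page never leaves the browser, this kind of check has to run on the threat actor's loader page (or in browser telemetry), not on the blob URI itself.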
“Unlike most malicious sites, the final credential phishing page is inaccessible because the blob URI used to visit it is generated locally,” the report notes.
Cofense Intelligence has observed various campaigns using blob URIs, with lures including prompts to log in to view an encrypted message, access an Intuit tax account, or review an alert from a financial institution. In one instance, the intermediary page was onedrive[.]live[.]com, a legitimate Microsoft cloud storage site, which adds to the credibility of the attack.