Starting in mid-2022, Cofense Intelligence detected a new technique for successfully delivering a credential phishing page to a user’s inbox: blob URIs (Uniform Resource Identifier).

Security Boulevard is a leading cybersecurity news and information portal, offering articles, analysis, and insights on cybersecurity threats, vulnerabilities, and best practices. From the latest trends in cyber threats to expert commentary on security technologies and compliance frameworks, Security Boulevard provides resources for security professionals, IT leaders, and business executives seeking to protect their organizations from cyber attacks and data breaches.

Security Boulevard

Threat actors are using blob URIs, typically employed for legitimate purposes like serving YouTube videos, to conduct phishing attacks by bypassing Secure Email Gateway defenses. Blob URIs facilitate credential phishing as they generate locally and cannot be directly accessed over the internet, making it hard for analysis tools to identify them as threats. The phishing process involves redirecting users from legitimate sites to malicious blobs containing phishing pages. This technique complicates the automatic detection of phishing attempts.

Using Blob URLs to Bypass SEGs and Evade Analysis