Blob URL Phishing Bypasses Email Filters, Hides in Browser
A newly identified phishing technique is exploiting blob URLs to bypass Secure Email Gateways (SEGs) and evade traditional security analysis tools, according to researchers at Cofense. The method leverages blob URIs—browser-generated, temporary data URLs—to create credential harvesting pages that reside solely in the victim’s browser memory.
The attack begins with emails linking to allowlisted services like Microsoft OneDrive, helping evade detection by standard email filters. Victims are redirected through a series of legitimate-looking pages until a local blob URI is created. This local page mimics login portals, such as Microsoft 365, and is capable of exfiltrating credentials to attacker-controlled servers.
Because the phishing page exists only in the browser’s memory and not on a remotely hosted domain, it circumvents conventional tools used to scan URLs or detect malicious sites. Researchers have tracked this technique since mid-2022 and say its use is growing, highlighting an evolving threat that challenges both technical defenses and user awareness training.
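Since the final page never has a fetchable URL, one place left to look is the script of the intermediate page that creates the blob. The following is an added example, not code from the article or from Cofense: a static heuristic run over two constructed page snippets, where the rule names, the regular expressions and the all-rules-must-match threshold are assumptions.

```javascript
// Added example: flag pages whose inline script builds an HTML document as a
// Blob, turns it into a blob: URL, and navigates the browser to it.
// Rule ids, patterns and the threshold are assumptions, not a vendor rule set.
const RULES = [
  { id: "creates-object-url", re: /URL\s*\.\s*createObjectURL\s*\(/ },
  { id: "html-typed-blob", re: /new\s+Blob\s*\([\s\S]*?type\s*:\s*["']text\/html/i },
  { id: "navigates-to-result",
    re: /(location\s*(\.href)?\s*=|location\s*\.\s*(replace|assign)\s*\(|window\s*\.\s*open\s*\()/ },
];

// Concatenate the bodies of all inline <script> elements in a fetched page.
function inlineScripts(html) {
  const parts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) parts.push(m[1]);
  return parts.join("\n");
}

// Return which rules matched; a page is suspicious only if every rule matched,
// so ordinary blob use (file downloads, image previews) is not flagged.
function assessPage(html) {
  const js = inlineScripts(html);
  const hits = RULES.filter((r) => r.re.test(js)).map((r) => r.id);
  return { hits, suspicious: hits.length === RULES.length };
}

// Constructed sample: HTML-typed blob followed by navigation to it.
const SAMPLE_BLOB_PAGE = `<html><body><script>
  const markup = "<p>constructed placeholder document</p>";
  const doc = new Blob([markup], { type: "text/html" });
  window.location.href = URL.createObjectURL(doc);
</script></body></html>`;

// Constructed sample: benign blob use for an image download link.
const SAMPLE_DOWNLOAD_PAGE = `<html><body><script>
  const png = new Blob([bytes], { type: "image/png" });
  link.href = URL.createObjectURL(png);
</script></body></html>`;

console.log(assessPage(SAMPLE_BLOB_PAGE));
console.log(assessPage(SAMPLE_DOWNLOAD_PAGE));
```

This only covers script that is present in the retrieved page source; script that is loaded from a separate file or assembled at run time needs the same check applied to the rendered page in a sandboxed browser.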
