This article discusses how threat actors are using blob URIs to deliver credential phishing pages covertly to users' browsers, making detection challenging. Because the phishing page is assembled inside the victim's browser rather than served from a network location, the technique bypasses traditional security defenses and is likely to increase if unaddressed. (Affected: Email Security Systems and Web Browsers)
Keypoints :
- Threat actors are increasingly using blob URIs to deliver credential phishing pages covertly, exploiting the fact that a blob URI points at data held in the victim's own browser memory rather than at a server.
- Blob URIs are generated by browsers for temporary data, such as videos on YouTube, but can be abused for malicious purposes.
- These URIs start with "blob:http://" or "blob:https://", making them identifiable but often overlooked by traditional security tools.
- The attack flow involves bypassing Secure Email Gateways via intermediary allowlisted pages like Microsoft's OneDrive to reach malicious blob URI pages.
- Once the blob URI is loaded in the browser, it displays a phishing page that can exfiltrate user credentials, even though the page itself was never fetched from a network location.
- This technique is difficult to automatically analyze because blob URIs reference local browser memory rather than network locations.
- The use of blob URIs in phishing campaigns is expected to rise if they continue to evade existing security measures, posing a significant threat to users and organizations.
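The keypoints above describe why a blob URI defeats URL-based analysis: the link that reaches the gateway points at an allowlisted page, and the phishing page itself exists only as an in-memory object in the victim's browser. The following is an added example, not code from the Cofense post, showing the two sides of that in JavaScript: how any page turns an HTML string into a blob URI (the browser's `URL.createObjectURL` API), and how an analyst can triage browser navigation telemetry to pull out blob URIs and the origin that created them. The log lines, hostnames and UUID below are constructed for illustration.

```javascript
// Added example (not from the Cofense post). Assumptions: navigation telemetry
// is available as JSON lines with "ts", "url" and "referrer" fields, and the
// hostnames/UUID below are fictitious.

// A blob URI is "blob:" + the origin of the page that created it + "/" + an
// opaque id. Returns null for anything that is not a blob URI.
function parseBlobUrl(url) {
  if (typeof url !== 'string' || !url.toLowerCase().startsWith('blob:')) return null;
  const inner = url.slice('blob:'.length);
  let origin = 'null';
  let id = inner;
  try {
    const u = new URL(inner);               // e.g. https://files.example.test/<uuid>
    origin = u.origin;                      // origin of the page that called createObjectURL
    id = u.pathname.replace(/^\//, '');
  } catch {
    // Inner part is not a parseable URL (Node uses "blob:nodedata:<id>"); keep defaults.
  }
  return { origin, id };
}

// Classify a single URL for an analyst. Network URLs can be fetched and detonated;
// a blob URI cannot, because its bytes exist only in the browser that created it.
function classifyUrl(url) {
  const blob = parseBlobUrl(url);
  if (blob) {
    return {
      url,
      kind: 'blob',
      origin: blob.origin,
      fetchable: false,
      note: 'content lives in browser memory; fetch the creating page at "origin" and run its script to reproduce it',
    };
  }
  let origin = 'null';
  try { origin = new URL(url).origin; } catch { /* leave as "null" */ }
  return { url, kind: 'network', origin, fetchable: true, note: '' };
}

// Constructed sample of browser navigation telemetry, one JSON object per line:
// allowlisted OneDrive page -> intermediary page -> blob URI created by that page.
const SAMPLE_LOG = [
  '{"ts":"2025-05-08T10:02:11Z","url":"https://onedrive.live.com/view?resid=EXAMPLE","referrer":""}',
  '{"ts":"2025-05-08T10:02:19Z","url":"https://files.example-intermediary.test/landing","referrer":"https://onedrive.live.com/"}',
  '{"ts":"2025-05-08T10:02:20Z","url":"blob:https://files.example-intermediary.test/6c0f2d1e-5a4b-4c3d-9e8f-0123456789ab","referrer":"https://files.example-intermediary.test/landing"}',
];

// Return one finding per blob URI seen, with the page that produced it.
function triageNavigationLog(lines) {
  const findings = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed telemetry
    const c = classifyUrl(rec.url);
    if (c.kind !== 'blob') continue;
    findings.push({ ts: rec.ts, blobUrl: rec.url, creatingOrigin: c.origin, referrer: rec.referrer });
  }
  return findings;
}

// Browser-side mechanism: any script can wrap an HTML string in a Blob and get a
// blob URI for it. Works in browsers and Node >= 18; throws elsewhere.
function makeHtmlBlobUrl(html) {
  if (typeof Blob !== 'function' || typeof URL.createObjectURL !== 'function') {
    throw new Error('Blob / URL.createObjectURL not available in this runtime');
  }
  return URL.createObjectURL(new Blob([html], { type: 'text/html' }));
}

module.exports = { parseBlobUrl, classifyUrl, triageNavigationLog, makeHtmlBlobUrl, SAMPLE_LOG };
```

Running `triageNavigationLog(SAMPLE_LOG)` yields one finding whose `creatingOrigin` is the intermediary page, not OneDrive: that origin is the only thing a sandbox can actually fetch, so an analyst has to load it and execute its script to see the HTML that was placed in the blob. In Node, `makeHtmlBlobUrl('<form>...</form>')` returns a `blob:nodedata:<id>` URI, which shows the same property from the other side: the returned string is a handle into process memory, and nothing on the network ever saw the HTML.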
Read More: https://cofense.com/blog/using-blob-urls-to-bypass-segs-and-evade-analysis