- Bypasses secure email gateways and security tools by never touching a real server
- Blob URIs mean the phishing content is never hosted online, so filters never get to see it
- No strange URL, no suspicious domain, just a silent redirect to a fake Microsoft login page
Security researchers have discovered a series of phishing campaigns that use a rarely seen technique to steal login credentials, even when those credentials are protected by encryption.
New Cofense research warns that the method relies on blob URIs, a browser feature designed to display temporary local content, which cybercriminals are now abusing to deliver phishing pages.
A blob URI is created and accessed entirely within the user's browser, which means the phishing content never exists on a public-facing server. This makes it extremely difficult for even the most advanced endpoint protection systems to detect.
A stealthy technique that slips past defenses
In these campaigns, the phishing process begins with an email that easily bypasses secure email gateways (SEGs). These emails typically contain a link to what appears to be a legitimate page, often hosted on trusted domains such as Microsoft's OneDrive.
However, this initial page does not host the phishing content directly. Instead, it acts as an intermediary, silently loading an attacker-controlled HTML file that decodes into a blob URI.
The result is a fake login page rendered in the victim's browser, designed to closely mimic the Microsoft sign-in portal.
To the victim, nothing seems out of place: no strange URL, no obvious signs of fraud, just a prompt to sign in to view a secure message or access a document. Once they click "Sign in", the page redirects to another attacker-controlled HTML file, which generates a local blob URI that displays the spoofed login page.
Because blob URIs exist entirely in browser memory and are inaccessible outside the session, traditional security tools are unable to scan or block the content.
“This method makes detection and analysis particularly tricky,” said Jacob Malimban of the Cofense Intelligence team.
“The phishing page is created and rendered locally using a blob URI. It is not hosted online, so it cannot be scanned or blocked in the usual way.”
Credentials entered on the spoofed page are silently exfiltrated to a remote attacker-controlled endpoint, leaving the victim none the wiser.
AI-based security filters also struggle to catch these attacks, because blob URIs are rarely used maliciously and may be poorly represented in training data. Researchers warn that unless detection methods evolve, this technique is likely to gain ground among attackers.
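Since the rendered page never touches a server, what a filter can still inspect is the intermediary page itself: the chain of decoding attacker-supplied HTML, wrapping it in a text/html Blob, minting a blob: URI with URL.createObjectURL and navigating to it. The following is an added example, not Cofense's code or detection rules: a static heuristic that scores fetched HTML for that chain against two constructed samples; the indicator names, weights and threshold are assumptions chosen for illustration.

```javascript
// Added example: static heuristic for the blob-URI loader pattern described in
// the article. Not Cofense's rule set; indicator names, weights and the
// threshold are assumptions chosen for illustration.

const INDICATORS = [
  // Encoded payload decoded in the browser (the article: the HTML "decodes into a blob URI").
  { name: 'base64_decode', weight: 1, re: /\batob\s*\(/ },
  // A Blob explicitly typed as a full HTML document, not a download or image.
  { name: 'html_blob',     weight: 3, re: /new\s+Blob\s*\([^)]*text\/html/s },
  // Minting an in-memory blob: URI.
  { name: 'object_url',    weight: 1, re: /URL\.createObjectURL\s*\(/ },
  // Navigating the tab (or a new one) rather than, say, setting an <a download>.
  { name: 'navigation',    weight: 1, re: /location(\.href)?\s*=|location\.(assign|replace)\s*\(|window\.open\s*\(/ },
  // Login-themed lure text, as on the spoofed Microsoft sign-in page.
  { name: 'login_lure',    weight: 1, re: /sign\s*in|log\s*in|password|secure message/i },
];

// Returns the indicators that fired, a score, and whether the full
// decode -> text/html Blob -> createObjectURL -> navigate chain is present.
function scanBlobLoader(html) {
  const hits = INDICATORS.filter(i => i.re.test(html));
  const names = hits.map(i => i.name);
  let score = hits.reduce((sum, i) => sum + i.weight, 0);
  // Ordinary sites use blob: URLs for downloads and previews, so only the
  // complete chain, not any single API call, pushes a page over the line.
  const fullChain = ['html_blob', 'object_url', 'navigation'].every(n => names.includes(n));
  if (fullChain) score += 3;
  return { score, hits: names, fullChain, verdict: score >= 6 ? 'suspicious' : 'benign' };
}

// Constructed sample of the intermediary page shape the article describes;
// the base64 body is a placeholder, not a real payload.
const LOADER_SAMPLE = `<html><body><script>
  var page = atob("PGh0bWw+PLACEHOLDER");
  var blob = new Blob([page], { type: "text/html" });
  window.location.href = URL.createObjectURL(blob);
</script></body></html>`;

// Constructed sample of a legitimate blob: URL use: offering a CSV download.
const BENIGN_SAMPLE = `<html><body><script>
  var csv = new Blob(["id,name\\n1,alice"], { type: "text/csv" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(csv); a.download = "report.csv"; a.click();
</script></body></html>`;

console.log(scanBlobLoader(LOADER_SAMPLE)); // verdict: 'suspicious', fullChain: true, score: 9
console.log(scanBlobLoader(BENIGN_SAMPLE)); // verdict: 'benign', fullChain: false, score: 1
```

The heuristic is deliberately conservative: a single createObjectURL call on its own scores too low to alert, so sites that use blob: URLs for file downloads are not flagged.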
To defend against such threats, organizations are encouraged to adopt Firewall-as-a-Service (FWaaS) and Zero Trust Network Access (ZTNA) solutions, which can help secure access and flag suspicious login activity.