PayPal and Chase: New BlobPhish Attack Leverages Browser Blob Objects to Steal Users’ Login Credentials

BlobPhish: A Stealthy, Memory-Resident Phishing Campaign Targeting Microsoft 365 and Financial Institutions

Since October 2024, a sophisticated phishing campaign dubbed BlobPhish has been silently harvesting credentials from Microsoft 365 users and major U.S. financial platforms including Chase, Capital One, and PayPal by exploiting browser Blob URL APIs. Unlike traditional phishing attacks, BlobPhish generates malicious login pages entirely in the victim’s browser memory, leaving no disk artifacts, cache traces, or detectable HTTP requests for security tools to flag.

The campaign, which surged in activity in February 2026, operates as a well-maintained threat rather than a short-lived attack. Its kill chain begins with phishing emails mimicking financial alerts, invoices, or document shares, often using trusted services like DocSend or shortened URLs (e.g., t.co). Some variants employ PDF attachments with QR codes, particularly targeting the energy sector.

Upon clicking the link, victims are redirected to an attacker-controlled HTML page hosting a JavaScript loader. The loader decodes a bundled phishing payload, constructs a Blob object, and forces the browser to navigate to a blob:https:// URL, all without user interaction. The phishing page, which impersonates platforms like Microsoft 365, OneDrive, or banking portals, appears legitimate because of the blob URL’s deceptive appearance. A fake failed-login counter prompts the victim to enter credentials more than once, and the stolen data is exfiltrated via HTTP POST to compromised WordPress sites (e.g., */res.php, */tele.php).

BlobPhish’s evasion tactics render traditional defenses ineffective. Since the phishing page never transmits over the network as a standalone HTTP response, URL reputation engines, proxy logs, and secure email gateways fail to detect it. Endpoint solutions find no files on disk, and cache forensics yield no evidence, as the Blob URL is revoked immediately after use.

Victims span finance, manufacturing, education, government, and telecommunications sectors, with roughly one-third based in the U.S. Additional activity has been observed in Germany, Poland, Spain, the UK, Australia, and several Middle Eastern and Asian countries.

A successful compromise can lead to business email compromise (BEC), Microsoft 365 tenant takeovers, unauthorized wire transfers, or ransomware deployment. Regulatory risks include GDPR breach notifications, SEC cybersecurity disclosures, and FFIEC compliance violations.

Key indicators of compromise (IOCs) include loader URLs like hxxps[://]mtl-logistics[.]com/blb/blob[.]html and exfiltration endpoints such as hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//res[.]php. Compromised domains also include larva888[.]com and riobeautybrazil[.]com.
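The exfiltration pattern described above (HTTP POST to res.php or tele.php on a compromised WordPress site) and the listed IOCs are enough for a first-pass proxy-log check. The following Python script is an added example for this write-up, not code from the article or from any vendor; it refangs the article's defanged indicators, scans constructed proxy log lines (the log format and the sample entries are assumptions), and reports any line that hits a known domain or matches the exfiltration path pattern.

```python
"""Scan web-proxy log lines for BlobPhish-style exfiltration traffic.

Added example, not code from the article. It relies only on what the
article states: credentials are POSTed to compromised WordPress sites at
scripts named res.php or tele.php, plus the loader/exfil domains quoted
there. The log format and the sample lines below are constructed.
"""
import re
from typing import Optional
from urllib.parse import urlsplit


def refang(ioc: str) -> str:
    """Turn defanged notation (hxxps[://]example[.]com) back into a real URL/host."""
    return ioc.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


# Domains quoted (defanged) in the article's IOC list.
KNOWN_BAD_DOMAINS = {
    refang(d)
    for d in (
        "mtl-logistics[.]com",
        "wajah4dslot[.]com",
        "larva888[.]com",
        "riobeautybrazil[.]com",
    )
}

# Exfiltration endpoint shape from the article: POST to */res.php or */tele.php,
# typically somewhere under a WordPress directory on a compromised site.
EXFIL_SCRIPT = re.compile(r"/(res|tele)\.php$", re.IGNORECASE)
WORDPRESS_PATH = re.compile(r"/wp-(includes|content|admin)/", re.IGNORECASE)

# Assumed log format: "<timestamp> <client-ip> <METHOD> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify(line: str) -> Optional[dict]:
    """Return a finding for a suspicious log line, or None if it looks benign."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None  # unparseable line; a real pipeline would count these
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    reasons = []
    if host in KNOWN_BAD_DOMAINS:
        reasons.append("known BlobPhish domain")
    if m["method"] == "POST" and EXFIL_SCRIPT.search(url.path):
        reasons.append("POST to res.php/tele.php exfil endpoint")
        if WORDPRESS_PATH.search(url.path):
            reasons.append("under a WordPress directory")
    if not reasons:
        return None
    return {"client": m["client"], "host": host, "path": url.path, "reasons": reasons}


def scan(lines):
    """Run classify() over an iterable of log lines and collect the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log; the first two URLs are the article's IOCs, refanged.
SAMPLE_LOG = [
    "2026-02-10T09:14:02Z 10.0.4.21 GET " + refang("hxxps[://]mtl-logistics[.]com/blb/blob[.]html") + " 200",
    "2026-02-10T09:14:35Z 10.0.4.21 POST "
    + refang("hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//res[.]php") + " 200",
    "2026-02-10T09:15:01Z 10.0.7.8 POST https://blog.example/wp-content/plugins/x/tele.php 200",
    "2026-02-10T09:15:10Z 10.0.7.8 GET https://www.example.com/wp-includes/js/jquery.js 200",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["client"], finding["host"], finding["path"], "; ".join(finding["reasons"]))
```

The third sample line matches on path shape alone, which is the point: because the phishing page itself never crosses the proxy as a distinct response, the POST to the collection script is the traffic a defender can still see, so the path rule should run even when the destination host is not yet on any blocklist. Expect false positives from legitimate WordPress plugins and tune on method, body size and client population rather than dropping the rule.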

Source: https://cybersecuritynews.com/blobphish-phishing-attack/

JPMorganChase cybersecurity rating report: https://www.rankiteo.com/company/jpmorganchase

PayPal cybersecurity rating report: https://www.rankiteo.com/company/paypal

"id": "JPMPAY1777400719",
"linkid": "jpmorganchase, paypal",
"type": "Cyber Attack",
"date": "10/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Banking',
                        'location': 'U.S.',
                        'name': 'Chase',
                        'type': 'Financial Institution'},
                       {'industry': 'Banking',
                        'location': 'U.S.',
                        'name': 'Capital One',
                        'type': 'Financial Institution'},
                       {'industry': 'Payments',
                        'location': 'U.S.',
                        'name': 'PayPal',
                        'type': 'Financial Institution'},
                       {'industry': ['Finance',
                                     'Manufacturing',
                                     'Education',
                                     'Government',
                                     'Telecommunications',
                                     'Energy'],
                        'location': ['U.S.',
                                     'Germany',
                                     'Poland',
                                     'Spain',
                                     'UK',
                                     'Australia',
                                     'Middle Eastern countries',
                                     'Asian countries'],
                        'type': 'Organization'}],
 'attack_vector': ['Email',
                   'PDF attachments with QR codes',
                   'Shortened URLs (e.g., t.co)',
                   'Compromised WordPress sites'],
 'data_breach': {'data_exfiltration': 'Yes (via HTTP POST to compromised '
                                      'WordPress sites)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (financial and corporate '
                                        'credentials)',
                 'type_of_data_compromised': ['Credentials',
                                              'Personally identifiable '
                                              'information (PII)']},
 'date_detected': '2024-10',
 'date_publicly_disclosed': '2026-02',
 'description': 'Since October 2024, a sophisticated phishing campaign dubbed '
                '*BlobPhish* has been silently harvesting credentials from '
                'Microsoft 365 users and major U.S. financial platforms '
                'including Chase, Capital One, and PayPal by exploiting '
                'browser Blob URL APIs. The campaign generates malicious login '
                'pages entirely in the victim’s browser memory, leaving no '
                'disk artifacts, cache traces, or detectable HTTP requests for '
                'security tools to flag. The attack begins with phishing '
                'emails mimicking financial alerts, invoices, or document '
                'shares, often using trusted services like DocSend or '
                'shortened URLs. Victims are redirected to an '
                'attacker-controlled HTML page hosting a JavaScript loader, '
                'which decodes a phishing payload and constructs a Blob object '
                'to display a fake login page. Stolen data is exfiltrated via '
                'HTTP POST to compromised WordPress sites.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'credential theft and unauthorized '
                                       'access',
            'data_compromised': 'Credentials (Microsoft 365, banking portals), '
                                'personally identifiable information (PII)',
            'identity_theft_risk': 'High (PII and financial credentials '
                                   'compromised)',
            'legal_liabilities': ['GDPR breach notifications',
                                  'SEC cybersecurity disclosures',
                                  'FFIEC compliance violations'],
            'operational_impact': ['Unauthorized access to corporate email',
                                   'Potential ransomware deployment'],
            'payment_information_risk': 'High (banking portal credentials '
                                        'compromised)',
            'systems_affected': ['Microsoft 365',
                                 'Banking portals (Chase, Capital One, PayPal)',
                                 'OneDrive']},
 'initial_access_broker': {'entry_point': ['Phishing emails',
                                           'PDF attachments with QR codes',
                                           'Shortened URLs']},
 'motivation': ['Credential harvesting',
                'Business email compromise (BEC)',
                'Financial fraud',
                'Ransomware deployment'],
 'post_incident_analysis': {'root_causes': 'Exploitation of browser Blob URL '
                                           'APIs to generate phishing pages in '
                                           'memory, evading traditional '
                                           'security tools'},
 'references': [{'source': 'Incident Description'}],
 'regulatory_compliance': {'regulations_violated': ['GDPR',
                                                    'SEC cybersecurity '
                                                    'disclosure rules',
                                                    'FFIEC compliance']},
 'title': 'BlobPhish: A Stealthy, Memory-Resident Phishing Campaign Targeting '
          'Microsoft 365 and Financial Institutions',
 'type': 'Phishing',
 'vulnerability_exploited': 'Browser Blob URL APIs'}