Cybercriminals are now using a sneaky method to steal tax login details and even encrypted messages — and it’s hard to detect.
Security experts have found that hackers are abusing a browser feature called “blob URIs” to launch phishing attacks. Blob URIs are normally used to show temporary files inside your browser. But attackers are using them to hide fake login pages that look just like official sites, such as Microsoft’s sign-in page.
Here’s how it works: You might receive an email that looks real and even links to a trusted site, like Microsoft OneDrive. But instead of hosting a dangerous page online, the email opens a hidden code file that runs directly in your browser.
This creates a fake login screen using a blob URI. Because the page never loads from an outside server, antivirus tools and firewalls can’t see or block it.
When you enter your credentials, your information is quietly sent to the hacker. Since the login page looks completely normal — no strange URLs or obvious errors — most people don’t realize anything is wrong.
According to Cofense, a threat intelligence firm, this technique is hard to detect because blob URIs exist only in your browser’s memory. Even advanced email filters and AI-based tools can miss it, as blob URIs aren’t usually considered harmful.
Experts warn that unless security systems improve, this method could become more common. To stay safe, companies are being urged to use stronger tools like Zero Trust Network Access (ZTNA) and Firewall-as-a-Service (FWaaS) to monitor logins and catch suspicious behavior early.
