10 May 2025

New Phishing Technique Uses Blob URIs To Bypass Security

Cybercriminals exploit blob URIs to create local fake login pages, posing risks to user credentials.

In a concerning trend, researchers at Cofense Intelligence have documented a phishing technique that uses blob URIs to render fake login pages inside the victim's own browser, sidestepping email security controls that rely on fetching and scanning a link's destination. Cofense has tracked the method since mid-2022, and it puts user credentials at risk precisely because the phishing page never exists on a server that a scanner can reach.

A blob URI (a URI with the blob: scheme, short for binary large object) is a temporary address that a browser mints for data held in its own memory, typically through the JavaScript API URL.createObjectURL. The address is bound to the page that created it and cannot be fetched by anyone else, not even the server that delivered that page. Such URIs have legitimate uses, for instance in how video sites and file-download features hand in-memory data to the browser, but attackers have repurposed them to deliver phishing pages. As Cofense Intelligence notes, security products that scan the links in an email struggle here because the blob's content never resides on the open internet.

A phishing email in these campaigns links first to a trusted site, such as Microsoft's OneDrive, which then redirects the victim to an attacker-controlled page. Script on that page builds a fake login form and loads it under a blob URI. Because the form exists only in the victim's browser, there is no hosted URL for a scanner to fetch; the form can nonetheless submit whatever usernames and passwords are typed into it directly to the attackers' server.

Secure Email Gateways (SEGs) and similar automated controls are poorly placed to catch this: the link in the email resolves to a legitimate domain, and the page that actually harvests credentials is generated client-side after the redirect, so there is nothing hosted for the gateway to fetch and classify. Cofense Intelligence has observed numerous campaigns using the technique, typically with lures about encrypted messages, prompts to access familiar services such as Intuit tax accounts, and alerts purporting to come from financial institutions.

Researchers warn that as the method spreads, users must treat email links with caution even when they point to legitimate websites. The tell-tale sign is an address beginning with "blob:http://" or "blob:https://" in the browser's address bar. Legitimate sites also use blob: URIs, so the combination that matters is a blob: address on a page asking for credentials; a genuine sign-in page is served from the service's own https:// origin, not from a blob minted in memory.
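The following is an added example, not code from the Cofense report or from any campaign it describes. It shows the two halves of the story in working JavaScript (Node.js 18 or later, which exposes Blob globally): how a page is minted entirely in browser memory with URL.createObjectURL, and a small classifier that flags blob: hrefs in collected telemetry and recovers the origin of the page that created them. The sample hrefs and hostnames are constructed for the example.

```javascript
"use strict";
// Added example (not from the Cofense report): classify hrefs collected from
// browser telemetry or proxy logs, flagging blob: URLs and recovering the
// origin of the page that minted them. Requires Node.js 18+ (global Blob).

// Classify one href: is it a blob: URL, and which origin created it?
function classifyHref(href) {
  let parsed;
  try {
    parsed = new URL(href);
  } catch {
    return { isBlob: false, scheme: null, creatorOrigin: null };
  }
  if (parsed.protocol !== "blob:") {
    return { isBlob: false, scheme: parsed.protocol.slice(0, -1), creatorOrigin: null };
  }
  // Everything after "blob:" is the serialised origin of the page that called
  // URL.createObjectURL(), then "/" and a UUID. Parse that part on its own so
  // the origin survives even if the outer parser treats the path as opaque.
  let creatorOrigin = null;
  try {
    const o = new URL(href.slice("blob:".length)).origin;
    creatorOrigin = o === "null" ? null : o; // "null" = opaque origin (sandboxed frame, blob:nodedata:...)
  } catch {
    creatorOrigin = null; // e.g. "blob:null/<uuid>" from a sandboxed iframe
  }
  return { isBlob: true, scheme: "blob", creatorOrigin };
}

// Scan a batch of hrefs and return only the blob: ones, with the creator
// origin attached so an analyst can see which site's script produced them.
function findBlobLinks(hrefs) {
  return hrefs
    .map((href) => ({ href, ...classifyHref(href) }))
    .filter((r) => r.isBlob)
    .map(({ href, creatorOrigin }) => ({ href, creatorOrigin }));
}

// How a page-in-memory comes to exist: the HTML never touches a server.
// Returns the minted blob: URL (a browser yields blob:<page origin>/<uuid>;
// Node yields blob:nodedata:<uuid>).
function makeLocalBlobPage(html) {
  const blob = new Blob([html], { type: "text/html" });
  return URL.createObjectURL(blob);
}

// Constructed sample telemetry (not real campaign data).
const SAMPLE_HREFS = [
  "https://onedrive.live.com/redir?resid=ABC123",
  "blob:https://example.net/9d6e2b3a-1c4f-4a3b-9a1e-2f5d8c7b6a50",
  "https://accounts.example.com/login",
  "blob:null/0b7c6d5e-4f3a-4b2c-8d1e-9f0a1b2c3d4e",
  "not a url at all",
];

function main() {
  for (const h of findBlobLinks(SAMPLE_HREFS)) {
    console.log(`blob URL ${h.href} minted by ${h.creatorOrigin ?? "an opaque origin"}`);
  }
  const local = makeLocalBlobPage(
    "<form><input name=u><input name=p type=password></form>"
  );
  console.log("page built in memory:", local, classifyHref(local));
  URL.revokeObjectURL(local); // the address dies with the page that made it
}

main();
```

The classifier deliberately reports the creator origin rather than just a yes/no: a blob: page minted by a domain you would never expect to serve a sign-in form is the signal worth alerting on, while blob: URLs from your own file-download or media features are expected noise.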

In a separate story, an engineer who has worked with both the Department of Government Efficiency (DOGE) and the Cybersecurity and Infrastructure Security Agency (CISA) has reportedly had his credentials exposed in multiple data breaches over the past decade. His login details have circulated in numerous leaks, raising alarm about potential access to sensitive government systems.

The DOGE agency, led by Elon Musk, has attracted significant criticism for its controversial staffing approach, which has included the dismissal of nuclear defense officials and the obstruction of funding for crucial research and aid organizations. The agency's access to sensitive government systems, including those related to social security, has raised further concerns regarding oversight and accountability.

Login information belonging to engineer Kyle Schutt appears in over 50 data breaches indexed by the Have I Been Pwned service, some dating back to 2013. More alarmingly, his details have turned up in four separate public dumps of credentials harvested by infostealer malware since 2023. Journalist Micah Lee remarked, "I have no way of knowing exactly when Schutt's computer was hacked, or how many times."

Lee speculates that Schutt may have used personal devices, possibly already compromised, to access government systems, which could have exposed those logins. There is also concern that he reused credentials across platforms, increasing the risk of unauthorized access to government networks.

Despite the lack of definitive proof, some commentators have suggested that Schutt's security lapses may be intentional, hinting at a possible effort by DOGE to leak information. This raises serious implications for the security of devices connected to sensitive government systems.

Meanwhile, Microsoft has acknowledged problems on Windows Server domain controllers following the April 2025 Patch Tuesday security updates, notably authentication failures for "Windows Hello for Business". According to Microsoft's Release Health notes, Active Directory (AD) domain controllers may have difficulty processing Kerberos logons, or delegating them, when certificate-based credentials are used.

The issue is not limited to Windows Hello for Business; it affects any logon that presents a certificate to the Kerberos Key Distribution Center (KDC), including smart card logons. It stems from protections added for CVE-2025-26647, an input-validation flaw in Windows Kerberos that could allow an unauthorized attacker to elevate privileges over the network.

Microsoft explained that the April updates changed how domain controllers validate the certificates used in Kerberos authentication. The behaviour is controlled by the DWORD value AllowNtAuthPolicyBypass under HKLM\SYSTEM\CurrentControlSet\Services\Kdc. With the value set to 1 (audit mode), the domain controller allows the logon but logs event ID 45 in the System event log each time a certificate fails the new check; with it set to 2 (enforcement), such logons fail and event ID 21, a failed smart card logon, is logged instead.

As a temporary countermeasure, administrators are advised to set the value to 1 on their domain controllers so that logons succeed while the certificates flagged in the event log are investigated. Microsoft is working on a permanent fix for the affected versions of Windows Server: 2025, 2022, 2019 and 2016.
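The following PowerShell is an added example for administrators triaging this on a domain controller; it is not Microsoft's script. It reads the current AllowNtAuthPolicyBypass setting, pulls the recent event 45 and 21 entries so you can see which certificates are being flagged, and only then applies the audit-mode workaround. It assumes it is run elevated on each domain controller and that the KDC writes these events to the System log under the provider name Microsoft-Windows-Kerberos-Key-Distribution-Center.

```powershell
# Added example (not Microsoft's code): triage the post-April-2025 Kerberos
# certificate checks on a domain controller. Run elevated on each DC.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'AllowNtAuthPolicyBypass'

# 1. Current mode. 1 = audit (event 45 logged, logon succeeds);
#    2 = enforce (event 21 logged, logon fails).
$current = (Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    Write-Host "$ValueName is not set; the update's documented default applies."
} else {
    Write-Host "$ValueName = $current"
}

# 2. Last 7 days of event 45 (audit hit) and 21 (failed certificate logon).
#    Assumption: the KDC provider name below is where these events are logged.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 45, 21
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No event 45/21 entries in the last 7 days; this DC is not affected by the check."
} else {
    # Counts per event ID, then a few full messages: the message text names the
    # certificate and issuer that failed the new validation.
    $events | Group-Object Id | ForEach-Object { '{0,5} x event {1}' -f $_.Count, $_.Name }
    $events | Select-Object -First 5 TimeCreated, Id, Message | Format-List
}

# 3. Temporary mitigation from the release note: drop to audit mode so logons
#    succeed while the flagged certificates are investigated. Only do this when
#    event 21 confirms enforcement is what is failing the logons.
$failures = @($events | Where-Object Id -eq 21)
if ($current -eq 2 -and $failures.Count -gt 0) {
    New-ItemProperty -Path $KdcKey -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Host "Set $ValueName to 1 (audit). Return it to 2 once the flagged certificates are fixed or Microsoft ships the permanent fix."
}
```

The script refuses to relax the setting unless event 21 is actually present, so running it across a fleet only changes the domain controllers where users are being locked out; the event 45 entries on the others are the list of certificates to fix before enforcement is turned back on.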

These recent developments underscore the growing sophistication of cyber threats and the urgent need for enhanced vigilance among users and organizations alike. As phishing techniques evolve and security systems struggle to keep pace, individuals must remain cautious about their online activities and the potential risks posed by seemingly innocuous emails.

In an era where digital security is paramount, the responsibility lies not only with organizations to implement robust security measures but also with users to be aware of the tactics employed by cybercriminals. With the rise of phishing schemes built on blob URIs, the credential exposures tied to a government engineer, and authentication breakage introduced by a security fix, the cybersecurity landscape continues to evolve, demanding constant attention and adaptation.