
BlobPhish: API tricks designed to reel in credentials

Posted on 18 May 2026

Reading time 3 minutes

What happened?

A long‑running phishing operation called “BlobPhish” has been targeting Microsoft 365 users and major financial institutions since late 2024, with activity rising sharply in early 2026, as recently highlighted by ANY.RUN.

This campaign is notable because it does not simply host fake login pages on attacker-controlled servers. Instead, it leverages the Blob URL APIs inside the browser. A Blob URL is a temporary, browser-generated link used to load data held locally within the browser rather than fetched from an external website. Because the fraudulent login interface is built from JavaScript objects and local data, it avoids conventional security measures; and because the content exists only in browser memory and is never written to disk, it leaves no traceable artefacts on the device, complicating forensic investigations.

The attack begins with a phishing email, purporting to be from a bank, document-sharing platform, or other trusted service, with some variants obfuscating the links using URL shortening services or QR codes. Once the link is opened, the webpage executes a JavaScript loader (a small script used to decode or fetch the malicious content), which produces a fake Microsoft 365 login screen.

ANY.RUN reports that approximately one-third of observed victims are based in America, with additional activity recorded across Europe, the Middle East, and Asia.

So what?

BlobPhish is important because it sidesteps many of the tools and checks organisations normally rely on.

While the URL in the browser's address bar will begin with "blob:https://", most users will not recognise this as suspicious. The ephemeral nature of the attack means that file-based endpoint monitoring policies will not be triggered, and URL reputation checks will be unable to block the content because there is no external URL to scan.

If an attacker gains access to the victim's credentials, this compromise can quickly escalate into Business Email Compromise (BEC), where attackers use a compromised email account to impersonate employees, redirect payments, or approve fraudulent transactions, potentially leading to reputational damage and operational downtime while the incident is contained.

A successful compromise may trigger breach-reporting duties under the UK GDPR, the EU GDPR and any sector-specific regimes; organisations should therefore evaluate this potential incident through the lens of their data breach procedures.

What should I do?

This campaign reinforces the need for dynamic, behaviour-based security measures that operate in real time to counter the speed and sophistication of modern cyber threats. There are several practical steps organisations can take to reduce the risk of falling victim to this attack:

  • Strengthen proactive threat‑monitoring processes - BlobPhish makes use of specific loaders and exfiltration points, and watching for traffic to these can help identify a potential compromise. Refer to the indicators of compromise ("IoCs") provided when investigating.
  • Educate users to check the browser address bar carefully - If the address begins with an unfamiliar format, such as "blob:https://", or does not match the service they expected to access, they should not enter credentials.
  • Enforce multi‑factor authentication (MFA) across key systems - In the event of an account compromise, MFA provides an additional layer of protection. Consider enforcing the use of phishing-resistant methods, such as passkeys, to mitigate against similar threats.
  • Adopt behaviour‑based security monitoring - BlobPhish bypasses signature‑based tools, so systems that detect unusual browser or account behaviour are far more effective at identifying threats of this nature.
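As an added example (not code from the original post or from ANY.RUN), the following JavaScript applies the address-bar check above to browser navigation telemetry: it parses the "blob:https://" form, flags an in-memory document that presents itself as a Microsoft 365 sign-in, and flags sign-in pages served from origins outside an allow-list. The record shape, the allow-list and the sample telemetry are all constructed assumptions.

```javascript
// Constructed allow-list of origins where a genuine Microsoft 365 sign-in
// page may legitimately load; tune to your own tenant (assumption, not authoritative).
const EXPECTED_LOGIN_ORIGINS = new Set([
  "https://login.microsoftonline.com",
  "https://login.live.com",
]);

// Split a blob: URL into the origin of the page that created it and the object id.
// Returns null when the URL is not a blob: URL.
function parseBlobUrl(url) {
  const m = /^blob:(https?:\/\/[^/?#]+)\/([^?#]*)/i.exec(url.trim());
  if (!m) return null;
  return { origin: m[1].toLowerCase(), objectId: m[2] };
}

// Classify one navigation record of the assumed shape {url, title}. Returns:
//   "blob-login-page"   - in-memory blob: document presenting a sign-in page
//   "mismatched-origin" - sign-in page served from an origin outside the allow-list
//   "expected"          - sign-in page on a known origin
//   "unrelated"         - not a sign-in page
function classifyNavigation(record, expected = EXPECTED_LOGIN_ORIGINS) {
  const looksLikeLogin = /sign in|log ?in|microsoft 365|office 365/i.test(record.title || "");
  if (parseBlobUrl(record.url)) {
    // A genuine Microsoft sign-in page is never delivered as a blob: object,
    // so a blob: URL with a login-looking title matches the BlobPhish pattern.
    return looksLikeLogin ? "blob-login-page" : "unrelated";
  }
  if (!looksLikeLogin) return "unrelated";
  let origin;
  try { origin = new URL(record.url).origin.toLowerCase(); } catch { return "mismatched-origin"; }
  return expected.has(origin) ? "expected" : "mismatched-origin";
}

// Return only the records an analyst should look at.
function findSuspiciousNavigations(records) {
  return records
    .map(r => ({ ...r, verdict: classifyNavigation(r) }))
    .filter(r => r.verdict === "blob-login-page" || r.verdict === "mismatched-origin");
}

// Constructed sample telemetry (not real indicators of compromise).
const SAMPLE_RECORDS = [
  { url: "https://login.microsoftonline.com/common/oauth2/authorize", title: "Sign in to your account" },
  { url: "blob:https://docs-share.example/3f2b4c1e-9a7d-4b8e-a1c2-0d9e8f7a6b5c", title: "Microsoft 365 - Sign in" },
  { url: "https://intranet.example/news", title: "Company news" },
  { url: "https://secure-docs.example/view", title: "Log in to Office 365" },
];
```

Running findSuspiciousNavigations(SAMPLE_RECORDS) flags the blob: sign-in page and the sign-in page on the unlisted origin, and passes the other two records.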