{"id":20074,"date":"2026-04-16T10:55:44","date_gmt":"2026-04-16T10:55:44","guid":{"rendered":"https:\/\/any.run\/cybersecurity-blog\/?p=20074"},"modified":"2026-04-16T10:55:45","modified_gmt":"2026-04-16T10:55:45","slug":"evasive-blob-phishing-detection","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/","title":{"rendered":"BlobPhish: The Phantom Phishing Campaign Hiding in Browser Memory"},"content":{"rendered":"\n<p>ANY.RUN has&nbsp;observed&nbsp;a sustained surge in a credential-phishing campaign active since 2024. This campaign, dubbed&nbsp;BlobPhish, introduces a&nbsp;sneaky&nbsp;twist: instead of delivering phishing pages via traditional HTTP requests, it <strong>generates them directly inside the victim\u2019s browser using blob objects<\/strong>. The result is a phishing payload that lives entirely in memory, leaving little to no trace in logs, caches, or network telemetry.&nbsp;<\/p>\n\n\n\n<p>The campaign <strong>targets credentials<\/strong> across multiple platforms, including Microsoft 365, banking services, and webmail portals, making it both widespread and&nbsp;high-impact.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Memory-resident evasion<\/strong>:&nbsp;BlobPhish&nbsp;loads entire phishing pages as in-browser blob objects, bypassing file-based and network-based detection entirely.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Broad targeting:<\/strong>&nbsp;The campaign hits Microsoft 365 alongside major U.S. 
banks (Chase, Capital One, FDIC, E*TRADE, Schwab) and webmail services.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Persistent and active<\/strong>: First&nbsp;observed&nbsp;in October 2024, the operation continues uninterrupted as of April 2026 with a major spike in February 2026.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Compromised infrastructure:<\/strong>&nbsp;Attackers routinely abuse legitimate WordPress sites and reuse exfiltration endpoints (res.php,&nbsp;tele.php,&nbsp;panel.php).&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>High-value credential theft<\/strong>: Stolen accounts enable BEC, data exfiltration, and lateral movement \u2014 threats that carry multimillion-dollar consequences.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Global but finance-focused:<\/strong>&nbsp;One-third of victims are in the U.S.; phishing pages&nbsp;almost exclusively&nbsp;mimic premium financial and Microsoft services regardless of victim industry.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktoenterprise\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN delivers proactive defense<\/strong><\/a><strong>:<\/strong>&nbsp;Sandbox instantly reveals blob behavior in real browsers, while TI Lookup and TI Feeds provide real-time IOCs and YARA rules for automated blocking and hunting, turning reactive security into prevention.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How&nbsp;BlobPhish&nbsp;works&nbsp;<\/h2>\n\n\n\n<p>The attack is based on the abuse of browser Blob objects to serve fake authentication forms. 
A JavaScript loader, fetched from an attacker-controlled page, constructs a Blob from a Base64-encoded payload and loads it directly into browser memory \u2014 never touching disk and never generating the traditional HTTP requests that security tools rely on to detect phishing.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"489\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_1-1024x489.png\" alt=\"\" class=\"wp-image-20081\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_1-1024x489.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_1-300x143.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_1-768x367.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_1-370x177.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_1-270x129.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_1-740x353.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_1.png 1137w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Phishing pseudo-MS365 page loaded as a blob object<\/em>&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>Targeted services&nbsp;include:&nbsp;Microsoft 365, OneDrive, SharePoint, Chase, FDIC, Capital One, E*Trade, American Express, Charles Schwab, Merrill Lynch, PayPal, Intuit, and others.&nbsp;<\/p>\n\n\n\n
<h2 class=\"wp-block-heading\">Technical Deep Dive&nbsp;<\/h2>\n\n\n\n<p>Because the phishing page exists only in memory and is referenced by the scheme&nbsp;<em>blob:https:\/\/<\/em>, it cannot be blocked by URL reputation engines, does not appear in proxy logs as a suspicious request, and leaves no cache artefact. 
This makes&nbsp;BlobPhish&nbsp;significantly harder to detect and investigate than conventional phishing.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/191b74fc-fb9f-455a-9492-ca872871d0e1\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View the observed analysis session in ANY.RUN sandbox<\/a>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"482\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_2-1024x482.png\" alt=\"\" class=\"wp-image-20089\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_2-1024x482.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_2-300x141.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_2-768x361.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_2-1536x723.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_2-370x174.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_2-270x127.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_2-740x348.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_2.png 1841w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Blobphish attack detonated in the sandbox<\/em>&nbsp;<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">1. Delivery Vector&nbsp;<\/h3>\n\n\n\n<p>The typical&nbsp;initial&nbsp;access point is a phishing email or a link to a trusted-looking service such as&nbsp;DocSend. 
Example phishing link:&nbsp;hxxps[:\/\/]docsend[.]com\/view\/vsrrknxprh2xt84n&nbsp;<br>&nbsp;<br>Upon clicking, the victim is redirected to an HTML page that&nbsp;contains&nbsp;the loader script. Example loader URL:&nbsp;hxxps[:\/\/]mtl-logistics[.]com\/blb\/blob[.]html&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Loader Script \u2014 Step by Step&nbsp;<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"928\" height=\"853\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_3.png\" alt=\"\" class=\"wp-image-20112\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_3.png 928w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_3-300x276.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_3-768x706.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_3-370x340.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_3-270x248.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_3-740x680.png 740w\" sizes=\"(max-width: 928px) 100vw, 928px\" \/><figcaption class=\"wp-element-caption\"><em>Code responsible for blob object download<\/em>&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>The loader uses jQuery to perform the following sequence invisibly to the user:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>var a = $(&#8220;&lt;a style=&#8217;display: none;&#8217;\/&gt;&#8221;)&nbsp;<br><em>Creates an invisible HTML anchor&nbsp;element;<\/em>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>var&nbsp;decodedStringAtoB&nbsp;=&nbsp;atob(encodedStringAtoB)&nbsp;<br><em>Decodes the Base64&nbsp;payload;<\/em>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>const&nbsp;myBlob&nbsp;= new Blob([decodedStringAtoB],&nbsp;{ type: &#8216;text\/html&#8217; });&nbsp; 
<br><em>Constructs the Blob&nbsp;object;<\/em>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>const&nbsp;url&nbsp;=&nbsp;window.URL.createObjectURL(myBlob)&nbsp;<br><em>Generates the blob:&nbsp;URL;<\/em>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a.attr(&#8220;href&#8221;,&nbsp;url)&nbsp;<br><em>Attaches the URL to the hidden&nbsp;anchor;<\/em>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>$(&#8220;body&#8221;).append(a)&nbsp;<br><em>Injects the anchor into the&nbsp;DOM;<\/em>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a[0].click()&nbsp;<br><em>Triggers navigation to the phishing&nbsp;page;<\/em>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>window.URL.revokeObjectURL(url); +&nbsp;a.remove()&nbsp;<br><em>Revokes the blob: URL and removes the anchor, destroying the evidence in memory and the DOM.<\/em>&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3. The Phishing Page&nbsp;<\/h3>\n\n\n\n<p>The victim sees a convincing Microsoft 365 (or financial-service) login page. 
The browser address bar shows the scheme&nbsp;blob:https:\/\/, which can appear legitimate to an untrained eye.&nbsp;&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"547\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_4-1024x547.png\" alt=\"\" class=\"wp-image-20115\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_4-1024x547.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_4-300x160.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_4-768x411.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_4-370x198.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_4-270x144.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_4-740x396.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_4.png 1212w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"157\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_5-1-1024x157.png\" alt=\"\" class=\"wp-image-20118\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_5-1-1024x157.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_5-1-300x46.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_5-1-768x118.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_5-1-370x57.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_5-1-270x41.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_5-1-740x113.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_5-1.png 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Code responsible for blob object download<\/em><\/figcaption><\/figure>\n\n\n\n<p>The page&nbsp;contains:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A spoofed credential-capture form:&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"555\" height=\"262\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_6.png\" alt=\"\" class=\"wp-image-20120\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_6.png 555w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_6-300x142.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_6-370x175.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_6-270x127.png 270w\" sizes=\"(max-width: 555px) 100vw, 555px\" \/><figcaption class=\"wp-element-caption\"><em>Fake login form<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>A specific set of selectors for the HTML elements it uses:<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"480\" height=\"227\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_7.png\" alt=\"\" class=\"wp-image-20121\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_7.png 480w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_7-300x142.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_7-370x175.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_7-270x128.png 270w\" sizes=\"(max-width: 480px) 100vw, 
480px\" \/><figcaption class=\"wp-element-caption\"><em>Selector list<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Exfiltration logic that POSTs captured credentials to an attacker-controlled endpoint:<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"621\" height=\"124\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_8.png\" alt=\"\" class=\"wp-image-20122\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_8.png 621w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_8-300x60.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_8-370x74.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_8-270x54.png 270w\" sizes=\"(max-width: 621px) 100vw, 621px\" \/><figcaption class=\"wp-element-caption\"><em>Data exfiltration logic<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>A failed-login counter to force repeated credential entry (increasing harvest accuracy), a&nbsp;final redirect to the legitimate service website to avoid suspicion:&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"497\" height=\"296\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_9.png\" alt=\"\" class=\"wp-image-20125\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_9.png 497w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_9-300x179.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_9-370x220.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_9-270x161.png 270w\" sizes=\"(max-width: 497px) 100vw, 497px\" \/><figcaption 
class=\"wp-element-caption\"><em>Handling failed attempt counters and final redirect<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Data is sent via a POST request as form-data:&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"813\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_10-1024x813.png\" alt=\"\" class=\"wp-image-20129\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_10-1024x813.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_10-300x238.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_10-768x610.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_10-370x294.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_10-270x214.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_10-740x588.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_10.png 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Data exfiltration patterns<\/em><\/figcaption><\/figure>\n\n\n\n<p>Observed exfiltration endpoint pattern:&nbsp;<\/p>\n\n\n\n<p>hxxps[:\/\/]mtl-logistics[.]com\/css\/sharethepoint\/point\/res[.]php&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
YARA Detection Rule<\/h3>\n\n\n\n<p>The following YARA rule matches the loader HTML page and\u00a0<a href=\"https:\/\/intelligence.any.run\/analysis\/yara?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\">can be used<\/a>\u00a0in ANY.RUN Threat\u00a0Intelligence\u00a0Lookup\u00a0to hunt for\u00a0BlobPhish\u00a0infrastructure:\u00a0<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rule BlobPhishLoaderHTML\n{\n    meta:\n        author = \"ANY.RUN\"\n        description = \"Matches HTML pages with a JS script that creates and loads a phishing page as a blob object\"\n    strings:\n        $s1 = \"function saveFile(\" ascii\n        $s2 = \"var a = $(\\\"&lt;a style='display: none;'\/>\\\");\" fullword ascii\n        $s3 = \"var encodedStringAtoB\" fullword ascii\n        $s4 = \"var decodedStringAtoB = atob(encodedStringAtoB);\" fullword ascii\n        $s5 = \"window.URL.createObjectURL(myBlob);\" fullword ascii\n        $s6 = \"window.URL.revokeObjectURL(url);\" fullword ascii\n    condition:\n        all of them\n}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">5. Exfiltration Infrastructure by Target\u00a0<\/h3>\n\n\n\n<p>Pivoting on&nbsp;url:&quot;\/res.php$&quot; and via the YARA rule above, ANY.RUN researchers&nbsp;identified&nbsp;multiple targets and corresponding exfiltration URLs.&nbsp;&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><em>1. 
Capital One<\/em>&nbsp;<\/h4>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/04d55695-d952-4a71-b070-4df8fe1112ed\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View sandbox analysis<\/a>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"524\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_11-1024x524.png\" alt=\"\" class=\"wp-image-20135\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_11-1024x524.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_11-300x153.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_11-768x393.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_11-370x189.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_11-270x138.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_11-585x300.png 585w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_11-740x379.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_11.png 1204w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Phishing form imitating Capital One page<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<p>Exfiltration URL:&nbsp;hxxps[:\/\/]wajah4dslot[.]com\/wp-includes\/certificates\/tmp\/\/res[.]php&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"791\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_12-1024x791.png\" alt=\"\" class=\"wp-image-20136\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_12-1024x791.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_12-300x232.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_12-768x593.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_12-370x286.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_12-270x209.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_12-740x572.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_12.png 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Exfiltration variant<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\"><em>2. Chase Banking<\/em><\/h4>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/4a69d36d-3528-4b5d-b3b7-ed721c449212\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View sandbox analysis<\/a>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"548\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_13-1024x548.png\" alt=\"\" class=\"wp-image-20137\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_13-1024x548.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_13-300x161.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_13-768x411.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_13-370x198.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_13-270x145.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_13-740x396.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_13.png 1214w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Phishing form imitating Chase Banking login page<\/em><\/figcaption><\/figure>\n\n\n\n<p>Exfiltration URL:&nbsp;hxxps[:\/\/]hnint[.]net\/cgi-bin\/peacemind\/\/res[.]php&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"224\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_14-1024x224.png\" alt=\"\" class=\"wp-image-20138\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_14-1024x224.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_14-300x66.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_14-768x168.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_14-370x81.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_14-270x59.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_14-740x162.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_14.png 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Yet another exfiltration variant<\/em><\/figcaption><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\"><em>3. 
Morgan Stanley\u00a0E*Trade<\/em><\/h4>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/f592a777-38aa-4977-8c16-3d9973a84c19\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View sandbox analysis<\/a>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"568\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_15-1024x568.png\" alt=\"\" class=\"wp-image-20139\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_15-1024x568.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_15-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_15-768x426.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_15-1536x852.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_15-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_15-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_15-740x410.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_15.png 1838w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Sandbox analysis of phishing targeting Morgan Stanley customers<\/em><\/figcaption><\/figure>\n\n\n\n<p>Exfiltration URL: hxxps[:\/\/]ftpbd[.]net\/wp-content\/plugins\/cgi-\/trade\/trade\/\/res[.]php<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"403\" height=\"406\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_16.png\" alt=\"\" class=\"wp-image-20140\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_16.png 403w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_16-298x300.png 298w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_16-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_16-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_16-370x373.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_16-270x272.png 270w\" sizes=\"(max-width: 403px) 100vw, 403px\" \/><figcaption class=\"wp-element-caption\"><em>Another exfiltration variant exposed in the sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p><br>Variants with exfiltration to url:&#8221;*\/tele.php&#8221; with a roughly similar request structure were also observed <a href=\"https:\/\/app.any.run\/tasks\/a3ecd187-b5a3-4b18-b700-667aed424da7\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">view a sandbox analysis<\/a> with exfiltration URL hxxps[:\/\/]_wildcard_[.]gonzalezlawnandlandscaping[.]com\/zovakmf\/exfuzaj\/pcnlwyf\/cgi-ent\/tele[.]php.<\/p>\n\n\n\n<p>Importantly, in some cases calls to the service endpoint \/panel.php&nbsp;have been&nbsp;observed. 
In response to a POST request, an&nbsp;error&nbsp;and its description (e.g., &#8220;IP not found&#8221;) are returned.&nbsp;<br>&nbsp;<br>Example POST URL:&nbsp;hxxps[:\/\/]hnint[.]net\/cgi-bin\/peacemind\/\/panel[.]php&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"366\" height=\"162\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_17.png\" alt=\"\" class=\"wp-image-20147\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_17.png 366w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_17-300x133.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_17-270x120.png 270w\" sizes=\"(max-width: 366px) 100vw, 366px\" \/><figcaption class=\"wp-element-caption\"><em>\/panel.php\u00a0POST error response<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">6. HTTP Detection Patterns&nbsp;<\/h3>\n\n\n\n<p>The following HTTP traffic signatures reliably&nbsp;identify&nbsp;BlobPhish&nbsp;activity in proxy and SIEM logs:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>POST *\/res.php&nbsp; \u2014 credentials in body (MIME: form-data or x-www-form-urlencoded);&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>POST *\/tele.php&nbsp; \u2014 credentials in body (MIME: form-data or x-www-form-urlencoded);&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>POST *\/panel.php&nbsp; \u2014 empty body; response: JSON with error &amp; description (e.g., \u201cIP not found\u201d).&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7. 
Delivery Methods&nbsp;<\/h3>\n\n\n\n<p>The following&nbsp;initial-access vectors have been&nbsp;observed:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Phishing emails with financial lures (suspicious transaction, personal loan\/operation confirmation, invoice &amp; document signature, disputed payment);&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"438\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_18-1024x438.png\" alt=\"\" class=\"wp-image-20151\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_18-1024x438.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_18-300x128.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_18-768x329.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_18-370x158.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_18-270x115.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_18-740x317.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_18.png 1211w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Fake\u00a0payment notification email<\/em><\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PDF attachments&nbsp;containing&nbsp;a QR code that leads to a malicious JS page and&nbsp;subsequently&nbsp;the&nbsp;blob:http&nbsp;scheme and *\/res.php&nbsp;exfiltration pattern (observed&nbsp;in an energy-sector campaign);&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Shortened links (e.g., via t.co) redirecting through JS to the&nbsp;blob:http&nbsp;payload;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Links to legitimate-looking&nbsp;document-sharing&nbsp;services such 
as&nbsp;DocSend.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Threat Landscape&nbsp;<\/h2>\n\n\n\n<p>First spotted in October 2024,&nbsp;BlobPhish&nbsp;has proved itself as a sustained, continuously evolving campaign that&nbsp;remains&nbsp;active at the time of publication.&nbsp;<\/p>\n\n\n\n<p>Analysis of related artefacts shows that the&nbsp;threat&nbsp;actors regularly rotate infrastructure, exfiltration endpoints, loader hosting domains, and phishing lure themes. They also vary the path names of the loader pages (blob.html, blom.html, bloji.html, emailandpasssss.html) and exfiltration scripts (res.php,&nbsp;tele.php), complicating static signature-based detection.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Targeted Industries&nbsp;<\/h3>\n\n\n\n<p>Although the phishing lures&nbsp;predominantly impersonate&nbsp;financial and cloud services, the victim organizations span multiple sectors:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/by-industry\/finance\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktofinance\" target=\"_blank\" rel=\"noreferrer noopener\">Finance<\/a>,&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Manufacturing,&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Education,&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Government,&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Transport,&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Telecommunications.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Regardless of the&nbsp;victim\u2019s&nbsp;industry, attackers focus on harvesting credentials for high-value financial and cloud corporate services \u2014 increasing the probability of capturing credentials that unlock significant monetary or data assets.&nbsp;<\/p>\n\n\n\n<p><strong>Financial institutions and cloud-productivity platforms 
most&nbsp;frequently&nbsp;spoofed:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Capital One,&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>American Express,&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>JPMorgan Chase,&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Intuit,&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Charles Schwab,&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Morgan Stanley\u2019s&nbsp;E*TRADE,&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Merrill Lynch,&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PayPal,&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microsoft 365 \/ OneDrive \/ SharePoint (used as a document-access lure).&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Geography&nbsp;<\/h3>\n\n\n\n<p>Approximately one-third of observed activity involves US-based users and&nbsp;organisations.&nbsp;BlobPhish&nbsp; activity has been&nbsp;observed&nbsp;from: Germany, Poland, Spain, Switzerland, United Kingdom, Australia, South Korea, Saudi Arabia, Qatar, Jordan, India, and Pakistan.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Business Impact: Why&nbsp;BlobPhish&nbsp;Is a Board-Level Risk&nbsp;<\/h2>\n\n\n\n<p>BlobPhish&nbsp;does not just steal one employee\u2019s password. 
By targeting the financial, cloud, and productivity accounts that employees use every day, a single successful compromise can&nbsp;cascade into:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unauthorized wire transfers or fraudulent invoices (Business Email Compromise follow-on);&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Full Microsoft 365 tenant takeover \u2014 email, SharePoint, Teams, and connected SaaS&nbsp;apps;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/cybersecurity-blog\/chile-cybersecurity-framework-law\/\" target=\"_blank\" rel=\"noreferrer noopener\">Regulatory<\/a>&nbsp;exposure (GDPR, SEC, FFIEC, PCI-DSS) from confirmed data&nbsp;exfiltration;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reputational damage when customer or partner data is&nbsp;compromised;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Operational disruption if attacker&nbsp;pivots to&nbsp;ransomware after credential harvest.&nbsp;<\/li>\n<\/ul>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nHigh-stakes credentials deserve enterprise-grade intelligence.<br><span class=\"highlight\">Reduce risk, not just response time.<\/span>   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=evasive-blob-phishing-detection&#038;utm_term=160426&#038;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nContact ANY.RUN\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: 
auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p>Security and risk teams should model the following impact chains when a&nbsp;BlobPhish&nbsp;credential is compromised:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Microsoft 365 credential<\/strong> \u2192 MFA fatigue or session token theft \u2192 full mailbox access \u2192 BEC fraud or data exfiltration to partners\/clients;\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Banking credential<\/strong> (Chase, CapitalOne) \u2192 account takeover \u2192 wire fraud or ACH\u00a0manipulation;\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Investment platform credential <\/strong>(Schwab, E*TRADE, Merrill) \u2192 unauthorized trades or fund\u00a0transfer;\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Any cloud credential <\/strong>\u2192 lateral movement to connected SaaS \u2192 ransomware deployment.\u00a0<\/li>\n<\/ul>\n\n\n\n<p>Regulatory consequences may include mandatory&nbsp;breach&nbsp;notification under GDPR (72-hour window), SEC cybersecurity incident disclosure requirements, and FFIEC guidance on authentication for financial institutions.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How ANY.RUN Helps You Stay Ahead&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN\u00a0provides\u00a0the complementary capabilities that address\u00a0BlobPhish\u00a0at every stage of the threat lifecycle: from proactive hunting to real-time detection and automated feed 
enrichment.\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Analyze\u00a0Alerts\u00a0&amp;\u00a0Artifacts to\u00a0Prevent Attack\u00a0<\/h3>\n\n\n\n<p>When a suspicious link or email is&nbsp;forwarded&nbsp;to the security team, ANY.RUN\u2019s fully&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive cloud sandbox<\/a>&nbsp;executes the entire&nbsp;BlobPhish&nbsp;kill chain in a safe cloud environment:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The JavaScript loader runs, the Base64 payload is decoded, and the blob: URL is created,&nbsp;exactly as it would on a&nbsp;victim\u2019s&nbsp;machine.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Analysts watch the live session and see the fake login page&nbsp;render,&nbsp;observe&nbsp;the POST to *\/res.php, and capture all network artefacts.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Because execution happens in a real browser, there are no emulation gaps that the&nbsp;attacker\u2019s&nbsp;anti-sandbox checks could exploit.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Full&nbsp;analysis&nbsp;reports \u2014 including screenshots, network traffic, memory artefacts, and extracted IOCs \u2014 are generated in minutes.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>This means your SOC can definitively confirm or dismiss a&nbsp;BlobPhish&nbsp;suspicion within minutes rather than hours, without risking any internal system.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.&nbsp;Stop Future Attacks by Enriching Proactive Defense&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktotilookuplanding\" target=\"_blank\" 
rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>&nbsp;gives threat hunters direct, query-based access to the ANY.RUN database of analyzed samples and infrastructure:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Run YARA-based searches to find all samples matching the&nbsp;BlobPhishLoaderHTML&nbsp;rule.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pivot on URL patterns (url:&#8221;\/res.php$&#8221;,&nbsp;url:&#8221;*\/blob.html$&#8221;) to discover new attacker infrastructure the moment it appears in the wild.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktolookup\/#%7B%2522query%2522:%2522url:%255C%2522*\/res.php$%255C%2522%2520AND%2520url:%255C%2522*\/blob.html$%255C%2522%2520and%2520threatName:%255C%2522phishing%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">url:&#8221;*\/res.php$&#8221; AND url:&#8221;*\/blob.html$&#8221;\u00a0and threatName:&#8221;phishing&#8221;<\/a>\u00a0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"556\" src=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_19-1024x556.png\" alt=\"\" class=\"wp-image-20161\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_19-1024x556.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_19-300x163.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_19-768x417.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_19-1536x834.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_19-370x201.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_19-270x147.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_19-740x402.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/04\/blob_19.png 1562w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>BlobPhish sandbox detonations found via TI Lookup<\/em>\u00a0<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Correlate domains, IPs, file hashes, and HTTP patterns across millions of analyzed tasks.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Export results directly into SIEM, SOAR, or ticketing workflows.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Security teams can&nbsp;monitor&nbsp;this campaign continuously rather than reacting after a compromise. New loader domains and exfiltration endpoints are surfaced as soon as ANY.RUN community members (and automated systems)&nbsp;submit&nbsp;related tasks.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Automate\u00a0Monitoring with Live Intelligence\u00a0<\/h3>\n\n\n\n<p><a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat&nbsp;Intelligence&nbsp;Feeds<\/a>&nbsp;deliver structured, machine-readable threat intelligence in STIX\/TAXII or flat-file formats, enabling automated enforcement across your security stack:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>BlobPhish-related domains, IPs, and URL patterns are automatically pushed to firewalls, proxies, and SIEM correlation rules.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Indicators are enriched with context (campaign name, targeted brand, exfiltration pattern, confidence level) so that alerts are actionable, not just noisy.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Feeds are updated in near-real-time as the campaign 
evolves, meaning your defenses track the attacker\u2019s infrastructure rotation without manual analyst effort.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Integration is supported with leading SIEM\/SOAR platforms (Splunk, Microsoft Sentinel, Palo Alto XSOAR, and others) via standard connectors.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Rather than relying solely on reactive detection, TI Feeds shift your posture to proactive blocking:&nbsp;exfiltration endpoints are denied before a single employee credential can be harvested.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise (IOCs)&nbsp;<\/h2>\n\n\n\n<p><strong>URLs\u00a0<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]mtl-logistics[.]com\/blb\/blob[.]html&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]mtl-logistics[.]com\/css\/sharethepoint\/point\/res[.]php&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]larva888[.]com\/wp-includes\/css\/dist\/tmp\/vmo[.]html&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]wajah4dslot[.]com\/wp-includes\/certificates\/tmp\/\/res[.]php&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]wajah4dslot[.]com\/wp-includes\/certificates\/tmp\/\/panel[.]php&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]mail[.]hubnorte[.]com[.]br\/blom[.]html&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]riobeautybrazil[.]com\/wp-admin\/amx\/res[.]php&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]riobeautybrazil[.]com\/wp-admin\/amx\/panel[.]php&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]hnint[.]net\/bloji[.]html&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]hnint[.]net\/cgi-bin\/peacemind\/\/res[.]php&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>hxxps[:\/\/]hnint[.]net\/cgi-bin\/peacemind\/\/panel[.]php&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]ftpbd[.]net\/wp-content\/plugins\/cgi-\/trade\/blob[.]html&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]ftpbd[.]net\/wp-content\/plugins\/cgi-\/trade\/trade\/\/res[.]php&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]ftpbd[.]net\/wp-content\/plugins\/cgi-\/trade\/trade\/\/panel[.]php&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]i-seotools[.]com\/wp-content\/citttboy[.]html&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]mts-egy[.]net\/wp-content\/plugins\/owpsyzj\/cgi-ent\/res[.]php&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]mts-egy[.]net\/wp-content\/plugins\/owpsyzj\/cgi-ent\/panel[.]php&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]localmarketsense[.]com\/wp-includes\/Text\/sxzmqkp\/krtxbvo\/sahz1xi\/cgi-ent\/emailandpasssss[.]html&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hxxps[:\/\/]_wildcard_[.]gonzalezlawnandlandscaping[.]com\/zovakmf\/exfuzaj\/pcnlwyf\/cgi-ent\/tele[.]php&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>Domains\u00a0<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>mtl-logistics[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>larva888[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>wajah4dslot[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>mail[.]hubnorte[.]com[.]br&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>riobeautybrazil[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>hnint[.]net&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ftpbd[.]net&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>i-seotools[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>mts-egy[.]net&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>BlobPhish&nbsp;represents&nbsp;a mature, well-maintained phishing operation that has been running continuously for over eighteen months. Its core innovation \u2014 abusing the browser\u2019s Blob URL API to serve phishing pages entirely in memory \u2014&nbsp;renders&nbsp;the campaign invisible to a wide range of conventional controls including secure email gateways, URL filters, web proxies, and file-based endpoint solutions.&nbsp;<\/p>\n\n\n\n<p>For security teams, the takeaway is clear: static and perimeter-based defenses are insufficient against this class of attack. Effective defense requires dynamic analysis (to execute and observe the full attack chain), proactive threat hunting (to discover attacker infrastructure before it is weaponized against your organization), and automated, continuously updated threat intelligence feeds that propagate IOCs across the entire security stack in near-real-time.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nProvide your team with the <span class=\"highlight\">visibility and speed<\/span><br>to stay ahead of BlobPhish and protect business assets.\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=evasive-blob-phishing-detection&#038;utm_term=160426&#038;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nContact ANY.RUN\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran 
Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>, a leading provider of interactive malware analysis and threat intelligence solutions, helps security teams investigate threats faster and with greater clarity across modern enterprise environments.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p>It allows teams to safely execute suspicious files and URLs,&nbsp;observe&nbsp;real behavior in an&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a>, enrich&nbsp;indicators&nbsp;with immediate context through&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, and&nbsp;monitor&nbsp;emerging malicious infrastructure using&nbsp;<a 
href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a>. Together, these capabilities help reduce investigation uncertainty, accelerate triage, and limit unnecessary escalations across the&nbsp;SOC.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p>ANY.RUN is trusted by thousands of organizations worldwide and meets enterprise security and compliance expectations. It is&nbsp;<a href=\"https:\/\/any.run\/compliance\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=evasive-blob-phishing-detection&amp;utm_term=160426&amp;utm_content=linktocompliance\" target=\"_blank\" rel=\"noreferrer noopener\">SOC 2 Type II certified<\/a>,&nbsp;demonstrating&nbsp;its commitment to protecting customer data and&nbsp;maintaining&nbsp;strong security controls.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">FAQ<\/h2>\n\n\n\n<div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1776336744542\"><strong class=\"schema-faq-question\">What is BlobPhish?<\/strong> <p class=\"schema-faq-answer\">BlobPhish is an ongoing credential-phishing campaign active since October 2024 that delivers fake login pages as browser blob objects, evading traditional security tools.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1776336780562\"><strong class=\"schema-faq-question\">How does the blob technique work?<\/strong> <p class=\"schema-faq-answer\">JavaScript decodes a base64 payload, creates a blob object, generates a blob:https:\/\/ URL, forces the browser to load it via a hidden link, then immediately cleans up \u2014 leaving no file or cache trace.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1776336790058\"><strong class=\"schema-faq-question\">Which companies and services are 
impersonated?<\/strong> <p class=\"schema-faq-answer\">Microsoft 365, Chase, Capital One, FDIC, E*TRADE, Charles Schwab, American Express, PayPal, and others \u2014 primarily U.S. financial and cloud brands.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1776336799842\"><strong class=\"schema-faq-question\">What are the main indicators of compromise?<\/strong> <p class=\"schema-faq-answer\">URLs ending in \/blob.html, \/res.php, \/tele.php or \/panel.php; the YARA rule provided; and blob:https:\/\/ URLs in browser history.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1776336814449\"><strong class=\"schema-faq-question\">Who is at risk?<\/strong> <p class=\"schema-faq-answer\">Organizations in Finance, Manufacturing, Education, Government, Transport, and Telecommunications \u2014 especially those using Microsoft 365 or corporate online banking.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1776336830777\"><strong class=\"schema-faq-question\">How can executives reduce the business impact?<\/strong> <p class=\"schema-faq-answer\">Enforce MFA, train staff on unexpected login prompts, and integrate proactive threat intelligence that catches memory-resident attacks before they reach employees.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1776336848361\"><strong class=\"schema-faq-question\">How does ANY.RUN specifically help against BlobPhish?<\/strong> <p class=\"schema-faq-answer\">The interactive Sandbox detonates the attack in a real browser to reveal blob behavior; TI Lookup surfaces related samples instantly; and TI Feeds push live IOCs into your security tools for automated prevention.<\/p> <\/div> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>ANY.RUN has&nbsp;observed&nbsp;a sustained surge in a credential-phishing campaign active since 2024. 
This campaign, dubbed&nbsp;BlobPhish, introduces a&nbsp;sneaky&nbsp;twist: instead of delivering phishing pages via traditional HTTP requests, it generates them directly inside the victim\u2019s browser using blob objects. The result is a phishing payload that lives entirely in memory, leaving little to no trace in logs, caches, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":20078,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,91,34,90,63],"class_list":["post-20074","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-evasion","tag-malware-analysis","tag-microsoft365","tag-phishing"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>BlobPhish: Invisible Phishing Threat Explained<\/title>\n<meta name=\"description\" content=\"BlobPhish hides phishing pages in browser memory, evading detection. Learn risks and how to protect your business.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"BlobPhish: The Phantom Phishing Campaign Hiding in Browser Memory\",\"datePublished\":\"2026-04-16T10:55:44+00:00\",\"dateModified\":\"2026-04-16T10:55:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/\"},\"wordCount\":2879,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"evasion\",\"malware analysis\",\"microsoft365\",\"phishing\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#respond\"]}]},{\"@type\":[\"WebPage\",\"FAQPage\"],\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/\",\"name\":\"BlobPhish: Invisible Phishing Threat Explained\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2026-04-16T10:55:44+00:00\",\"dateModified\":\"2026-04-16T10:55:45+00:00\",\"description\":\"BlobPhish hides phishing pages in browser memory, evading detection. 
Learn risks and how to protect your business.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#breadcrumb\"},\"mainEntity\":[{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336744542\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336780562\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336790058\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336799842\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336814449\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336830777\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336848361\"}],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"BlobPhish: The Phantom Phishing Campaign Hiding in Browser Memory\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to 
it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336744542\",\"position\":1,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336744542\",\"name\":\"What is BlobPhish?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"BlobPhish is an ongoing credential-phishing campaign active since October 2024 that delivers fake login pages as browser blob objects, evading traditional 
security tools.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336780562\",\"position\":2,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336780562\",\"name\":\"How does the blob technique work?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"JavaScript decodes a base64 payload, creates a blob object, generates a blob:https:\/\/ URL, forces the browser to load it via a hidden link, then immediately cleans up \u2014 leaving no file or cache trace.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336790058\",\"position\":3,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336790058\",\"name\":\"Which companies and services are impersonated?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Microsoft 365, Chase, Capital One, FDIC, E*TRADE, Charles Schwab, American Express, PayPal, and others \u2014 primarily U.S. 
financial and cloud brands.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336799842\",\"position\":4,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336799842\",\"name\":\"What are the main indicators of compromise?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"URLs ending in \/blob.html, \/res.php, \/tele.php or \/panel.php; the YARA rule provided; and blob:https:\/\/ URLs in browser history.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336814449\",\"position\":5,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336814449\",\"name\":\"Who is at risk?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Organizations in Finance, Manufacturing, Education, Government, Transport, and Telecommunications \u2014 especially those using Microsoft 365 or corporate online banking.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336830777\",\"position\":6,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336830777\",\"name\":\"How can executives reduce the business impact?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Enforce MFA, train staff on unexpected login prompts, and integrate proactive threat intelligence that catches memory-resident attacks before they reach 
employees.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336848361\",\"position\":7,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#faq-question-1776336848361\",\"name\":\"How does ANY.RUN specifically help against BlobPhish?\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"The interactive Sandbox detonates the attack in a real browser to reveal blob behavior; TI Lookup surfaces related samples instantly; and TI Feeds push live IOCs into your security tools for automated prevention.\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"BlobPhish: Invisible Phishing Threat Explained","description":"BlobPhish hides phishing pages in browser memory, evading detection. Learn risks and how to protect your business.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/","twitter_misc":{"Written by":"ANY.RUN","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"BlobPhish: The Phantom Phishing Campaign Hiding in Browser Memory","datePublished":"2026-04-16T10:55:44+00:00","dateModified":"2026-04-16T10:55:45+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/"},"wordCount":2879,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","evasion","malware analysis","microsoft365","phishing"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/evasive-blob-phishing-detection\/#respond"]}]}]}}}