BlobPhish: The Phantom Phishing Campaign Hiding in Browser Memory

ID: 1d4852b8-e056-57d4-9d00-024b52bb612c

STIX ID: report--1d4852b8-e056-57d4-9d00-024b52bb612c

Feed Name: ANY.RUN's Cybersecurity Blog

Threat Score: 72/100

Date Published: 2026-04-16

Date Updated: 2026-04-26

Author: ANY.RUN

BlobPhish is an active, ongoing credential-phishing campaign (first observed Oct 2024) that constructs its phishing pages in the browser: it decodes a Base64 payload into a Blob object and navigates to a blob:https:// URL, so the page stays memory-resident and evades URL reputation, proxies, and disk-based detection. The campaign targets Microsoft 365 and major U.S. financial services and reuses exfiltration endpoints (res.php, tele.php, panel.php) hosted on compromised WordPress sites. The report includes a YARA rule and IOCs for detection. The campaign poses high business risk via account takeover, BEC, and potential lateral movement.
