BlobPhish: The Phishing Threat Bypassing Traditional Security Tools
Cybercriminals have found a new way to steal credentials—one that slips past email filters, browser warnings, and even seasoned professionals who know how to spot a scam. It’s called BlobPhish, a phishing technique quietly circulating since late 2024, and it’s now showing up in transactions, title workflows and financial communications across the United States.
Unlike traditional phishing pages that live on the internet with a traceable address, BlobPhish builds a fake login page inside your browser’s memory.
- Nothing is downloaded.
- Nothing is hosted.
- Nothing appears suspicious to your security tools.
By the time you type your Microsoft 365 password, the attacker already has it.
What Makes BlobPhish Different From Traditional Phishing Attacks
Typical phishing pages can be blocked, blacklisted, or taken down. BlobPhish can’t—because the fake page never technically exists on the internet.
A small piece of JavaScript delivered through a link constructs the fake login screen on the fly inside your browser. It disappears the moment you click “sign in,” leaving no log, no cache, and no evidence for your IT team to trace.
For real estate and title professionals—who rely heavily on Microsoft 365, SharePoint, DocuSign, and banking portals—this creates a dangerous blind spot.
BlobPhish doesn’t rely on a traditional phishing webpage with a traceable internet address. Instead, a small piece of JavaScript builds the fake login page directly inside your browser’s memory.
The Only Visible Clue: The Address Bar
A legitimate Microsoft 365 login always begins with:
https://login.microsoftonline.com
A BlobPhish page begins with:
blob:https://
That strange prefix is the attack’s fingerprint. Most users have never seen it, and attackers are counting on that.
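For security teams, the address-bar check described above can be expressed as code. The following is an added example, not part of the original article: it classifies a page from its address and whether it contains a password field. The allow-list EXPECTED_LOGIN_HOSTS, the function names, and the sample addresses are assumptions made for illustration.

```javascript
// Added example, not from the original article. EXPECTED_LOGIN_HOSTS and all
// function names are assumptions chosen for illustration.
const EXPECTED_LOGIN_HOSTS = new Set(["login.microsoftonline.com"]);

// Split an address-bar string into its parts. For blob: URLs the text after
// "blob:" is the origin of the page that created the blob, not a server that
// hosts the page being displayed.
function parseAddress(address) {
  const trimmed = String(address).trim();
  const isBlob = /^blob:/i.test(trimmed);
  let url = null;
  try {
    url = new URL(isBlob ? trimmed.slice(5) : trimmed);
  } catch (_) {
    // Unparseable address: leave protocol and host as null.
  }
  return { isBlob, protocol: url && url.protocol, host: url && url.hostname };
}

// Decide what to do with a page, given its address and whether it asks for a password.
function assessLoginPage(address, hasPasswordField) {
  if (!hasPasswordField) return { verdict: "ignore", reason: "no password field" };
  const { isBlob, protocol, host } = parseAddress(address);
  if (isBlob) {
    // The article's rule: a password prompt at a blob: address is a stop sign,
    // whatever origin follows the prefix.
    return { verdict: "block", reason: `password field on blob: page created by ${host || "unknown origin"}` };
  }
  if (protocol !== "https:") return { verdict: "block", reason: "password field not on https" };
  if (EXPECTED_LOGIN_HOSTS.has(host)) return { verdict: "ok", reason: "expected login host" };
  return { verdict: "review", reason: `password field on unexpected host ${host}` };
}

// Browser wiring for a content script: pass in `document` and `location`.
function checkCurrentPage(doc, loc) {
  const hasPasswordField = doc.querySelector('input[type="password"]') !== null;
  return assessLoginPage(loc.href, hasPasswordField);
}

// Constructed sample addresses (hosts under .invalid are placeholders).
const SAMPLES = [
  "https://login.microsoftonline.com/common/oauth2/authorize",
  "blob:https://portal.example.invalid/0f8c2a1e-5b7d-4c3a-9e61-2d4f6a8b0c12",
  "blob:https://login.microsoftonline.com/0f8c2a1e-5b7d-4c3a-9e61-2d4f6a8b0c12",
  "https://signin.example.invalid/login",
];
for (const address of SAMPLES) {
  console.log(assessLoginPage(address, true).verdict, address);
}
```

The third sample shows why the check keys on the blob: prefix rather than on the host name that follows it.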
How BlobPhish Bypasses Traditional Security Tools
“The email filter would have caught it” no longer covers you. BlobPhish arrives through legitimate-looking assets.
Here are some examples of assets that may be hiding a BlobPhish attack:
- Legitimate-looking DocSend links
- Shortened URLs
- PDF QR codes
- Delayed malicious behavior
- Browser-rendered phishing pages
What Accounts Are Being Spoofed?
BlobPhish campaigns frequently mimic services used daily in U.S. real estate transactions, business and personal finance management:
- Microsoft 365
- SharePoint
- Chase
- Capital One
- Charles Schwab
- E*TRADE
- American Express
A compromised Microsoft 365 account doesn’t just expose email. It exposes:
- Wire instructions stored in shared folders
- Closing packages awaiting signatures
- Contacts, calendars, and deal timelines
- Sensitive financial documents
In an industry where a single compromised email can redirect a six-figure wire, BlobPhish is a direct threat to transaction security.
What Every Real Estate and Title Professional Should Do
1. Check the Address Bar Before Entering Credentials
Before entering a password, check the domain. If you see blob:https://, stop immediately. Close the tab and report it.
2. Don’t Assume Email Filters Will Save You
BlobPhish often arrives through:
- DocSend links
- Shortened URLs
- PDFs containing QR codes
The initial link isn’t malicious. The danger forms after you click.
3. Pause on Any Unexpected Login Prompt
If you didn’t intentionally navigate to a login page, treat it as suspicious. Call your Security team before typing anything.
4. Remember: MFA Helps, But It’s Not Immunity
Multi-factor authentication (MFA) slows attackers down, but it doesn’t prevent password theft. The goal is to avoid entering your credentials in the first place.
Read this article to learn about more tactics to keep your passwords safe: Passwords Are Key to Cyber Security
5. Report Strange Pages—Even If You Didn’t Enter Anything
If the URL looks unfamiliar, report it. Early reporting helps prevent others in your organization from falling for the same link.
Key Takeaways on BlobPhish
BlobPhish has evaded traditional security tools for more than 18 months. Security software can only block what it can see—and BlobPhish hides in plain sight.
Recognizing the blob:https:// prefix and pausing before entering credentials is now a critical skill for anyone working in real estate, title, escrow, or financial services in the United States.
Staying alert protects your clients, your transactions, and your business.
Read More Cybersecurity Tips
For more industry and cybersecurity best practices by Stewart CISO, Genady Vishnevetsky, check out the articles below: