A classy phishing marketing campaign leveraging randomly generated Common Distinctive Identifiers (UUIDs) has emerged, efficiently bypassing Safe E mail Gateways (SEGs) and evading perimeter defenses.
The assault employs a sophisticated JavaScript-based phishing script combining random area choice, dynamic UUID era, and server-driven web page alternative to steal credentials.
In contrast to typical phishing operations counting on static redirects, this marketing campaign demonstrates tactical precision.
The phishing script operates by embedding malicious code inside HTML attachments or spoofed file-sharing platforms reminiscent of Microsoft OneDrive, SharePoint On-line, DocuSign, and Adobe Acrobat Signal.
When victims work together with seemingly authentic paperwork, the script prompts and selects one .org area at random from 9 predefined addresses.
These domains seem bulk-generated with out recognizable phrase patterns, intentionally designed to evade blocklists and machine studying detection methods.
The script generates a dynamic UUID to trace particular person victims whereas using a hardcoded UUID as a marketing campaign identifier.
Cofense researchers recognized this uncommon tactic in early February 2025, noting its ongoing nature and class.
The twin UUID mechanism stands out as significantly unusual in phishing operations.
Phishing electronic mail utilizing Microsoft OneDrive – SharePoint On-line to ship the malicious URL (Supply – Cofense)
After area choice and UUID era, the script sends an HTTPS POST request to the chosen server’s API endpoint.
The server responds with dynamically generated content material tailor-made to the sufferer’s context, reminiscent of customized company login pages.
This method allows risk actors to exchange webpage content material with out altering URLs.
Dynamic Web page Substitute
Probably the most misleading side includes dynamic web page alternative functionality, manipulating browser classes to ship credential phishing pages with out conventional redirects.
Somewhat than utilizing window.location.href redirects altering seen URLs, this script employs DOM manipulation methods to exchange web page content material with server-provided HTML.
A faux Microsoft credential phishing web page rendered with out a redirect (Supply – Cofense)
The server-driven nature permits real-time customization primarily based on sufferer context. When customers enter electronic mail addresses, the script extracts domains and indicators backend infrastructure to generate corresponding branded login pages.
This personalization considerably will increase sufferer belief whereas decreasing suspicion. The seamless expertise maintained all through proves essential for profitable credential harvesting, demonstrating how trendy assaults have developed past easy electronic mail deception into refined browser-based manipulation.
Observe us on Google Information, LinkedIn, and X to Get Extra Immediate Updates, Set CSN as a Most well-liked Supply in Google.
