HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Phishing campaign uses UUIDs and fake login pages to bypass email security

Written by Farah Amod | Nov 14, 2025 5:17:47 PM

A new phishing campaign is using deceptive scripting and .org domains to evade detection and steal user credentials.


What happened

According to Cyber Press, researchers have uncovered a phishing campaign that began circulating in February 2025, employing advanced scripting techniques to bypass Secure Email Gateways (SEGs) and perimeter defenses. The campaign uses a phishing script designed with domain randomization, dual Universally Unique Identifier (UUID) tracking, and dynamic content replacement to create highly targeted and evasive credential theft attempts.


Going deeper

Unlike typical phishing kits that rely on multiple fallback domains, this campaign maintains a static list of nine obscure, randomly generated .org domains. Each execution selects only one using Math.random(), reducing detectable patterns and avoiding traditional redundancy that might flag abnormal traffic. This one-shot method reduces server load and bypasses many intrusion detection or rate-limiting defenses.

The script also uses two UUIDs: one fixed for the overall campaign and another generated per session using uuidv4(). This allows attackers to monitor high-level trends while also tracking individual victims. Such tactics mirror legitimate analytics tools, enabling the attackers to fine-tune their operations with precision.


What was said

The phishing emails are often disguised as file-sharing invites from platforms like Microsoft OneDrive, SharePoint, DocuSign, or Adobe Acrobat Sign. Once opened, a JavaScript-based payload dynamically replaces the email’s page content with a fake login form tailored to mimic the victim’s company branding without redirecting to a different domain. This browser-based session hijacking tactic conceals the attacker’s infrastructure and makes the phishing attempt appear legitimate.

The script loads jQuery from a trusted CDN and includes functions to decode email addresses, validate inputs, and track user sessions in real time. The malicious request is then sent to the selected .org domain over HTTPS, transmitting sensitive identifiers in a structured JSON format.
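The traits listed in the two sections above (a hard-coded list of .org domains indexed with Math.random(), a per-session uuidv4() call, in-place replacement of the page body instead of a redirect, a jQuery CDN include, JSON beaconing, and an injected password field) are individually common in ordinary web pages but rarely appear together in an email body or attachment. The following Python scanner, added here as an example and not code from the article or from Cyber Press, scores an HTML blob against that combination and pulls out the .org domains for reputation lookups. The two HTML inputs are constructed stand-ins (the domain names and the campaign UUID placeholder are made up), and the weights and threshold are assumptions to tune against your own mail flow.

```python
"""Heuristic scanner for the in-page credential-phishing traits described above.

Added example, not code from the article or from Cyber Press. Weights and the
threshold are assumptions; the sample inputs below are constructed.
"""
import re
from dataclasses import dataclass

# (name, compiled pattern, weight). Patterns describe behaviours rather than one
# specific sample, so renamed variables do not defeat them.
HEURISTICS = [
    ("org_domain_list", re.compile(r"""\[\s*(?:['"][^'"]+\.org['"]\s*,?\s*){2,}\]"""), 3),
    ("random_index", re.compile(r"Math\.random\s*\("), 2),
    ("uuid_per_session", re.compile(r"\buuidv4\s*\("), 2),
    ("inplace_replace", re.compile(r"""document\.body\.innerHTML\s*=|\$\(\s*['"]body['"]\s*\)\.html\s*\("""), 3),
    ("jquery_cdn", re.compile(r"""<script[^>]+src=["']https?://[^"']*jquery[^"']*\.js""", re.I), 1),
    ("json_beacon", re.compile(r"JSON\.stringify\s*\("), 1),
    ("password_field", re.compile(r"""type\s*=\s*["']password["']""", re.I), 2),
]
THRESHOLD = 8  # assumption: a single weak trait never trips it, the full combination always does

ORG_DOMAIN = re.compile(r"""['"]([A-Za-z0-9.-]+\.org)['"]""")


@dataclass
class ScanResult:
    matched: list      # heuristic names that fired, in HEURISTICS order
    score: int         # sum of the fired weights
    org_domains: list  # quoted .org hostnames found in the blob, deduplicated

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def scan_html(html: str) -> ScanResult:
    """Score an HTML email body or attachment against HEURISTICS."""
    matched = [name for name, pat, _ in HEURISTICS if pat.search(html)]
    score = sum(w for name, _, w in HEURISTICS if name in matched)
    # Keep first-seen order so the list can be handed to a reputation feed as-is.
    domains = list(dict.fromkeys(ORG_DOMAIN.findall(html)))
    return ScanResult(matched, score, domains)


# Constructed stand-in that carries the traits the article describes. It is not
# the real kit: there is no form handler and nothing is sent anywhere.
SAMPLE_LURE = """
<html><body>
<p>You have received a shared document. Open it below.</p>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script>
  var hosts = ["sample-one.org", "sample-two.org", "sample-three.org"];
  var host = hosts[Math.floor(Math.random() * hosts.length)];
  var campaign = "CAMPAIGN-UUID-PLACEHOLDER";
  var session = uuidv4();
  document.body.innerHTML = '<form><input type="password" name="p"></form>';
  var beacon = JSON.stringify({c: campaign, s: session, h: host});
</script>
</body></html>
"""

# Constructed benign page: same CDN include and JSON use, none of the rest.
SAMPLE_BENIGN = """
<html><body>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script>
  var prefs = JSON.stringify({theme: "dark"});
  $("#greeting").text("Welcome back");
</script>
</body></html>
"""


if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        r = scan_html(blob)
        print(f"{label}: score={r.score} suspicious={r.suspicious} "
              f"matched={r.matched} org_domains={r.org_domains}")
```

Point `scan_html` at quarantined HTML bodies or `.html`/`.htm` attachments and log `matched` alongside the verdict, so an analyst can see which traits fired; the `org_domains` list is the pivot for reputation feeds and for hunting other messages that name the same hosts.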


The big picture

The UUID-based phishing campaign highlights how attackers are using web development tactics to outsmart email defenses. Instead of redirecting users to suspicious domains, the phishing kit quietly swaps in fake login pages inside the browser - keeping the URL unchanged and making the attack nearly invisible. Randomized .org domains, unique identifiers, and live tracking give the operation a legitimate footprint while helping it avoid detection by traditional filters.

Paubox recommends Inbound Email Security to counter these advanced evasion tactics. Its generative AI analyzes tone, sender reputation, and communication patterns to flag abnormal messages that technical systems might miss. That behavioral insight helps stop phishing emails that blend into trusted environments, catching attacks that hide behind scripting and domain tricks before they reach users.


FAQs

What is a UUID and why is it used in phishing campaigns?

A UUID (Universally Unique Identifier) is a standardized string of characters used to uniquely identify information. In phishing, it's used to track individual user interactions and distinguish between different victims or campaigns without reusing identifiers.


Why are .org domains being used in this campaign?

Attackers use randomly generated .org domains because they are generally perceived as trustworthy and are less likely to be flagged by automated filters compared to newly registered or suspicious commercial domains.


How does dynamic page replacement differ from redirection?

Instead of sending the user to a new website, dynamic page replacement changes the current page’s content in real time using JavaScript, keeping the browser on the same domain and reducing the chance of triggering security alerts.


What is MITRE ATT&CK T1185 and how does it apply here?

T1185 refers to "Browser Session Hijacking," where attackers manipulate or take control of an active browser session to steal data. In this case, the phishing kit hijacks the page's session to display a fake login form without a visible transition.


What can organizations do to protect against these types of attacks?

Organizations should supplement SEG tools with behavior-based detection, educate users about suspicious login prompts, and apply threat intelligence feeds that track domain reputation and script-based attack patterns.