Unpacking the Phishing Script Behind a Server-Orchestrated Deception
Category: Threat Alerts / Threat Intelligence
Cofense researchers analyzed a sophisticated phishing campaign leveraging randomized .org domains and dynamic page replacement to bypass Secure Email Gateways (SEGs). The phishing script uses dual UUID generation to track campaigns and victims, enabling the attacker to render fake login pages within legitimate browser sessions without redirects. This evasion method allows credential theft while avoiding DNS and IDS detection.
CORTEX Protocol Intelligence Assessment
Business Impact: Highly adaptive phishing kits pose escalating risks for enterprise email users.
Technical Context: The random domain selection and UUID-driven session handling represent an advanced evasion technique.
Strategic Intelligence Guidance
- Deploy phishing-resistant authentication (e.g., FIDO2).
- Add detection logic for random .org domain use in email traffic.
- Educate users on fake login overlays without visible redirects.
- Harden SEGs to identify dynamic page replacement patterns.
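The second guidance item asks for detection logic on randomized .org domains; the following is an added example (not Cofense's code or part of the source report) that scores URLs extracted from an email for the two indicators this summary names: a random-looking registrable label under .org and a pair of version-4 UUIDs of the kind the kit uses for campaign and victim tracking. The sample URLs, the entropy and vowel-ratio thresholds, and the "two UUIDs" rule are constructed assumptions, not published indicators.

```python
import math
import re
from urllib.parse import urlparse

# Constructed sample URLs (not real indicators) standing in for links
# extracted from an inbound email body.
SAMPLE_URLS = [
    "https://www.wikipedia.org/wiki/Phishing",
    "https://xq7vkd2pzl.org/p/?c=3f2a9c1e-8d4b-4f6a-9c2e-1b7d5e8f0a3c"
    "&v=9a1b2c3d-4e5f-4a6b-8c7d-0e1f2a3b4c5d",
    "https://mail.example.com/inbox",
]

# RFC 4122 version-4 UUID shape; a kit emitting campaign + victim UUIDs yields two hits.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b", re.I)

def shannon_entropy(s):
    """Bits per character of the label; random strings score high."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_random(label, min_len=8, min_entropy=3.0, max_vowel_ratio=0.3):
    """Assumed thresholds: long, high-entropy, vowel-poor labels are treated as random."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def score_url(url):
    """Return the list of indicators triggered by one URL (empty if none)."""
    findings = []
    parts = (urlparse(url).hostname or "").lower().split(".")
    # Registrable label directly under .org, e.g. 'xq7vkd2pzl' in xq7vkd2pzl.org
    if len(parts) >= 2 and parts[-1] == "org" and looks_random(parts[-2]):
        findings.append("random-looking .org domain")
    if len(UUID_RE.findall(url)) >= 2:
        findings.append("two UUIDs in URL (campaign/victim tracking pattern)")
    return findings

def flag_urls(urls):
    """Map each suspicious URL to its indicators; clean URLs are omitted."""
    return {u: f for u in urls if (f := score_url(u))}

if __name__ == "__main__":
    for url, reasons in flag_urls(SAMPLE_URLS).items():
        print(url, "->", "; ".join(reasons))
```

Either indicator alone is a weak signal; in a mail-filtering pipeline both would be combined with sender reputation and link-rewriting telemetry rather than used to block on their own.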
Intelligence Source: Unpacking the Phishing Script Behind a Server-Orchestrated Deception | Oct 23, 2025