In a recent intelligence briefing released on December 3, 2025, the security community was alerted to a sophisticated campaign that leverages the open‑source Evilginx 3.0 framework to compromise single sign‑on (SSO) services across higher‑education institutions in the United States.
The threat actor behind the operation has targeted at least eighteen universities and colleges since April 2025, using phishing emails that appear to originate from legitimate campus services. The emails contain links that direct victims to subdomains carefully crafted to mimic the look and feel of the institution’s official SSO portal. Once the victim logs in, the Evilginx proxy intercepts the authentication flow and captures both the username and password as well as any session cookies that are issued by the legitimate SSO provider.
Evilginx is a well‑known adversary‑in‑the‑middle (AITM) tool that cybercriminals have used for years to bypass multi‑factor authentication (MFA). The version employed in this campaign, 3.0, includes enhancements that allow the attacker to bypass modern MFA methods such as time‑based one‑time passwords (TOTP) and hardware tokens. By capturing the session cookie, the attacker can impersonate the victim without needing to re‑authenticate, maintaining persistent access to the victim’s account for an extended period.
The attack chain begins with DNS reconnaissance. The threat actor uses compromised or newly registered domains that resolve to the Evilginx server. DNS queries are then redirected to the malicious infrastructure, often through the use of subdomain takeover or compromised DNS zones. Once the victim’s browser is tricked into loading the phishing page, the Evilginx proxy presents the victim with a near‑identical copy of the legitimate SSO login page.
After the victim submits their credentials, Evilginx captures the login data and immediately forwards it to the real SSO service, allowing the victim to continue their session uninterrupted. The attacker then stores the captured credentials and session cookies in a secure backend, ready to be used for credential stuffing or lateral movement within the target network.
Impact analysis shows that the stolen credentials are often used to access sensitive research data, financial information, and administrative portals. In several cases, the attackers have escalated privileges by exploiting weak password policies or re‑using credentials across multiple services. The result is a significant breach of confidentiality, integrity, and availability for the affected institutions.
Detection of this threat is challenging because the traffic between the victim’s browser and the legitimate SSO provider is encrypted and appears legitimate. However, security analysts can look for anomalies such as unexpected DNS records pointing to unfamiliar IP addresses, sudden spikes in authentication requests from a single source IP, or the presence of known Evilginx indicators such as subdomain naming patterns previously associated with Evilginx deployments.
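The two log‑side signals described above, a burst of distinct accounts authenticating through one source IP (the proxy relaying many victims) and a session cookie issued at login from one IP but later presented from another (the captured cookie being replayed), can be checked with a small script. The example below is added here and is not from the briefing; the log format, field names and IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSO log (not from the briefing).
# Fields: timestamp, event, user, source_ip, session_id
SAMPLE_LOG = """\
2025-11-20T09:00:01Z login alice 198.51.100.7 sess-a1
2025-11-20T09:00:09Z login bob 198.51.100.7 sess-b2
2025-11-20T09:00:15Z login carol 198.51.100.7 sess-c3
2025-11-20T09:00:22Z login dave 198.51.100.7 sess-d4
2025-11-20T09:01:40Z login erin 203.0.113.21 sess-e5
2025-11-20T09:05:30Z access alice 192.0.2.44 sess-a1
2025-11-20T09:06:02Z access erin 203.0.113.21 sess-e5
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, event, user, ip, sid = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "event": event, "user": user, "ip": ip, "sid": sid})
    return events

def login_bursts(events, window=timedelta(minutes=2), min_users=3):
    """Source IPs from which >= min_users distinct accounts log in within `window`.
    A proxy forwarding many victims' logins produces this pattern; a campus NAT
    or VPN egress can too, so treat hits as triage leads, not verdicts."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, logins in by_ip.items():
        logins.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logins):
            users = {e["user"] for e in logins[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged

def replayed_sessions(events):
    """Sessions issued at login from one IP but presented later from another.
    Returns (session_id, user, login_ip, later_ip) for each such reuse."""
    issued, alerts = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "login":
            issued[e["sid"]] = e["ip"]
        elif e["sid"] in issued and issued[e["sid"]] != e["ip"]:
            alerts.append((e["sid"], e["user"], issued[e["sid"]], e["ip"]))
    return alerts
```

Run against real SSO logs, the burst check should be tuned per institution (known NAT and VPN egress addresses allowlisted), and the session check is most useful when combined with a geolocation or ASN change rather than a bare IP change.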
To mitigate this threat, institutions should adopt a multi‑layered approach:
- Implement DNS filtering and monitoring to block known malicious domains and detect subdomain takeover attempts.
- Enforce strong MFA policies that are resistant to session hijacking, such as using hardware security keys or push notifications that require device verification.
- Deploy web application firewalls (WAFs) that can detect and block AITM traffic patterns, including repeated redirects and unusual authentication flows.
- Educate users on phishing recognition, emphasizing the importance of verifying URLs and looking for the presence of the official institution’s branding.
- Conduct regular penetration testing that simulates Evilginx attacks to identify and remediate vulnerabilities before attackers can exploit them.
In addition, institutions should maintain an up‑to‑date inventory of all third‑party services and regularly audit DNS configurations to ensure that no unauthorized subdomains exist. Implementing a zero‑trust architecture, where every authentication request is verified regardless of its origin, can also reduce the effectiveness of AITM tools.
Looking forward, the threat landscape is likely to evolve as attackers refine Evilginx and similar frameworks. Security teams must stay informed by monitoring reputable threat intelligence feeds, such as the AlienVault Pulse and Infoblox blogs, which provide timely updates on emerging tactics, techniques, and procedures.
In conclusion, the recent DNS‑based discovery of SSO attack infrastructure highlights the persistent risk posed by AITM attacks in the higher‑education sector. By combining technical controls, user education, and continuous monitoring, institutions can significantly reduce the likelihood of successful credential theft and protect their critical assets from compromise.