Infoblox Uncovers MFA-Bypassing “Evilginx” Phishing Operation Targeting U.S. Universities
Key Highlights
- Evilginx was used to proxy login flows, harvest MFA credentials, and hijack sessions for account takeover.
- Researchers identified nearly 70 malicious domains linked to the campaign, indicating extensive infrastructure.
- Targeted universities received dynamic, branded URLs directing students to spoofed SSO portals.

Infoblox Threat Intel has uncovered a coordinated phishing campaign that used the “Evilginx” adversary-in-the-middle toolkit to target at least 18 American universities, according to new research released this week. The operation relied on advanced session-hijacking techniques to bypass multi-factor authentication (MFA) on university portals and gain unauthorized access to student accounts.
Evilginx, an open-source, widely available phishing framework, was deployed to capture login credentials and steal session cookies, enabling attackers to impersonate victims even after MFA verification.
Campaign Spanned Months, Targeting Major Institutions
Infoblox reports that the University of California, Santa Cruz, the University of California, Santa Barbara, the University of San Diego, Virginia Commonwealth University, and the University of Michigan were among the most heavily targeted institutions.
Using DNS signatures, researchers identified nearly 70 related domains tied to the operation. Despite the attacker’s reliance on Cloudflare masking, short-lived URLs, and other evasion tactics, investigators mapped the campaign’s activity from April to November 2025.
Key Findings
- Evilginx-enabled account hijacking: The threat actor used Evilginx—likely version 3.0—to proxy real login flows, harvest MFA-protected credentials, and seize session cookies for account takeover.
- 70 malicious domains identified: DNS analysis revealed consistent infrastructure patterns across dozens of short-lived phishing domains.
- 18 universities targeted with tailored lures: Students received dynamic TinyURL links directing them to spoofed SSO portals with university-branded subdomains.
- Sophisticated evasion measures: Cloudflare proxies, rapidly expiring URLs, and reverse-proxy obfuscation made detection and attribution more difficult for campus security teams.
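A defender-side check in the spirit of the DNS-signature approach described above, written as an added example rather than Infoblox's own tooling: it scans constructed DNS query log lines for a university brand label appearing as a subdomain on an unrelated registrable domain, the lure shape the findings describe for the spoofed SSO portals. The brand list, the SSO-style labels, the log format and the two-label apex rule are all assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Assumption: brand labels to watch, mapped to each university's legitimate apex zone.
BRAND_ZONES = {
    "ucsc": {"ucsc.edu"},
    "ucsb": {"ucsb.edu"},
    "vcu": {"vcu.edu"},
    "umich": {"umich.edu"},
}
# Assumption: labels commonly seen on real SSO/login hostnames.
SSO_LABELS = {"sso", "login", "shibboleth", "auth", "idp", "cas"}

# Constructed sample DNS log: "<timestamp> <client> <query name> <type>"
SAMPLE_LOG = """\
2025-09-03T14:02:11Z 10.20.1.5 sso.ucsc.edu A
2025-09-03T14:02:19Z 10.20.1.5 ucsc-sso.example-host.net A
2025-09-03T14:03:40Z 10.20.1.9 login.umich.edu A
2025-09-03T14:04:02Z 10.20.1.9 umich.login.verify-portal.org A
2025-09-03T14:05:55Z 10.20.2.3 www.vcu.edu A
"""

class Hit(NamedTuple):
    client: str
    hostname: str
    brand: str
    apex: str
    sso_like: bool  # True when the subdomain labels also mimic a login portal

def registrable_domain(host: str) -> str:
    # Assumption: last two labels form the apex (no public-suffix list used).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_hostname(client: str, host: str) -> Optional[Hit]:
    host = host.lower().rstrip(".")
    apex = registrable_domain(host)
    sub = host[: -len(apex)].rstrip(".")  # everything left of the apex
    labels = sub.split(".") if sub else []
    # Split "ucsc-sso" style labels so the brand is found inside hyphenated names.
    tokens = {t for lbl in labels for t in re.split(r"[-_]", lbl) if t}
    sso_like = bool(tokens & SSO_LABELS)
    for brand, zones in BRAND_ZONES.items():
        if brand in tokens and apex not in zones:
            return Hit(client, host, brand, apex, sso_like)
    return None

def scan_log(text: str) -> List[Hit]:
    hits: List[Hit] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            hit = check_hostname(fields[1], fields[2])
            if hit:
                hits.append(hit)
    return hits
```

Hits are only a triage signal: a brand label on a foreign apex is common for legitimate vendors, so the result should feed a review queue or a block-list decision, not an automatic block.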
Community Tip Sparked Investigation
The investigation began after a security practitioner at one of the affected universities reported suspicious login anomalies. That single lead allowed Infoblox to trace the campaign across multiple higher-education networks that had been unknowingly targeted for months.
Impact on Academic Institutions
Renée Burton, Vice President of Infoblox Threat Intel, emphasised universities' vulnerability to persistent cyberattacks.
“Universities remain a common target for malicious actors, who show little concern for the damage they cause or the value of the systems they lock down,” Burton said. “In one unfortunate case, attackers infiltrated the University of Washington and compromised the Burke Museum of Natural History’s systems. Their actions ultimately destroyed part of the museum’s digital catalog of plant and animal specimens, an invaluable record, built through years of voluntary effort, preserving knowledge of extinct and endangered species.”
Infoblox continues to track the infrastructure behind the campaign as attackers update their tools and shift targets.
About the Author
Steve Lasky
Editorial Director, Editor-in-Chief/Security Technology Executive
Steve Lasky is Editorial Director of the Endeavor Business Media Security Group, which includes SecurityInfoWatch.com, as well as Security Business, Security Technology Executive, and Locksmith Ledger magazines. He is also the host of the SecurityDNA podcast series. Reach him at [email protected].
