
Evilginx Attack Techniques Enable MFA Evasion Through Fake SSO Pages

A new wave of phishing attacks is exploiting the open-source Evilginx framework to target student login portals at U.S. universities.

Since April 2025, attackers have used Evilginx version 3.0 to bypass multi-factor authentication (MFA) and steal both credentials and session cookies.

Security researchers have tracked at least 18 higher education institutions targeted through these advanced adversary-in-the-middle (AITM) phishing campaigns.

University Campaigns Use Impersonated SSO Portals

The threat actor behind these attacks relied on realistic single sign-on (SSO) phishing pages that mimicked official university login sites.

The campaigns started with personalized emails containing shortened TinyURL links that redirected to attacker-controlled domains configured through Evilginx phishlets, the templates that tell the tool which legitimate hosts to proxy and under which subdomains to serve them.

Each phishing link used subdomains similar to legitimate SSO addresses, with eight random alphanumeric characters in the URL path.

The threat actor used Evilginx to target University of San Diego students.

These URLs expired within 24 hours, reducing the detection window. Once a victim opened the phishing site, Evilginx transparently proxied the real login flow, relaying the username, password and MFA prompt to the legitimate identity provider and capturing the session cookies issued once MFA completed. Replaying those cookies gives the attacker an authenticated session without ever being challenged for a second factor.
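The lure pattern described above (a shortened link, an SSO-lookalike hostname, an eight-character random path) is concrete enough to turn into a triage rule. The following is an added example, not code from the article or from Evilginx: a small classifier run over constructed proxy-log lines. The allowlisted SSO hosts, the shortener list beyond TinyURL and every hostname in the sample log are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of the institution's real SSO hosts. These names are
# assumptions for the example; a deployment would load its own list.
TRUSTED_SSO_HOSTS = {"sso.example.edu", "login.example.edu"}

# Hostname labels that suggest an IdP impersonation when the host is not trusted.
SSO_TOKENS = {"sso", "login", "shibboleth", "idp", "auth", "cas", "duo"}

# Shorteners used in the lure emails (the article names TinyURL; the rest are assumed).
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co"}

# An Evilginx lure path as described in the article: exactly eight random alphanumerics.
LURE_PATH = re.compile(r"^/[A-Za-z0-9]{8}$")


def classify_url(url: str) -> list[str]:
    """Return the reasons a URL looks like an Evilginx-style SSO lure (empty = clean)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons: list[str] = []

    if host in SHORTENERS:
        # The real destination is unknown until the shortener is expanded.
        return ["link-shortener"]

    if any(host == t or host.endswith("." + t) for t in TRUSTED_SSO_HOSTS):
        # The genuine IdP (or a host beneath it): never flag on path shape alone.
        return reasons

    # Break "sso-example-edu.evil.net" into sso / example / edu / evil / net.
    labels = set(re.split(r"[.\-_]", host))
    if labels & SSO_TOKENS:
        reasons.append("sso-lookalike-host")

    # A trusted name embedded in an untrusted host, dotted or hyphenated
    # (sso.example.edu.evil.net, sso-example-edu.evil.net).
    if any(t in host or t.replace(".", "-") in host for t in TRUSTED_SSO_HOSTS):
        reasons.append("embedded-trusted-name")

    if LURE_PATH.match(parsed.path):
        reasons.append("8-char-lure-path")

    return reasons


def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Scan constructed proxy-log lines of the form '<ts> user=<u> url=<url>'."""
    hits = []
    for line in lines:
        match = re.search(r"url=(\S+)", line)
        if match:
            reasons = classify_url(match.group(1))
            if reasons:
                hits.append((match.group(1), reasons))
    return hits


# Constructed sample log lines; the hostnames and users are invented.
SAMPLE_LOG = [
    "2025-05-02T10:11:12Z user=jdoe url=https://sso.example.edu/idp/profile/SAML2/Redirect/SSO",
    "2025-05-02T10:12:40Z user=jdoe url=https://tinyurl.com/3abc9xyz",
    "2025-05-02T10:12:41Z user=jdoe url=https://sso-example-edu.lure-example.net/Xy7Qp2Lm",
    "2025-05-02T10:15:02Z user=asmith url=https://www.example.edu/about",
    "2025-05-02T10:20:19Z user=asmith url=https://login.example-edu-portal.com/a1b2c3d4",
]

if __name__ == "__main__":
    for url, reasons in scan_log(SAMPLE_LOG):
        print(f"{url}: {', '.join(reasons)}")
```

The path check alone is noisy (plenty of legitimate sites use short random paths), so it is most useful in combination with the hostname signals, and a shortener hit should trigger expansion of the link rather than a verdict. The allowlist has to contain every host the institution's real IdP actually uses, or the rule will flag the genuine login page.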

Researchers observed consistent DNS patterns across the campaigns, despite the use of short-lived domains and Cloudflare proxies to obscure hosting infrastructure.

Passive DNS analysis revealed nearly 70 related domains and allowed investigators to track evolving operations. The earliest domain linked to the campaign was catering-amato[.]com, active since mid-April.

The actor’s infrastructure evolved, initially hosted on GoDaddy and NameCheap servers before transitioning to Cloudflare-based protection. During this shift, domain reuse helped researchers uncover the complete scope of activity.
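The passive-DNS pivoting described in the two paragraphs above (expanding from one seed domain through shared hosting, while not being misled by Cloudflare fronting) is shown here as an added example, not the researchers' own tooling. Only the seed name catering-amato.com comes from the article; every IP, nameserver and neighbouring domain in the record set is constructed for the example, and the Cloudflare ranges are a subset of the provider's published list.

```python
import ipaddress
from collections import defaultdict, deque

# A subset of Cloudflare's published proxy ranges. Many unrelated tenants share
# these addresses, so an IP match inside them is not evidence of a link.
SHARED_IP_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "173.245.48.0/20")
]

# Constructed passive-DNS records: (domain, resolved IP, authoritative nameserver).
# Only the seed name comes from the article; the IPs (TEST-NET ranges),
# nameservers and other domains are invented for the example.
RECORDS = [
    ("catering-amato.com", "198.51.100.10", "ns1.registrar-a.example"),
    ("weddings-example.net", "198.51.100.10", "ns1.registrar-a.example"),
    ("lure-example.org", "198.51.100.11", "ns1.registrar-a.example"),
    ("cf-fronted-lure.example", "104.16.7.7", "ns1.registrar-a.example"),
    ("cf-fronted-unrelated.example", "104.16.7.7", "ns1.other.example"),
    ("unrelated-shop.example", "203.0.113.5", "ns1.other.example"),
]


def is_shared_ip(ip: str) -> bool:
    """True when the address belongs to a shared fronting/CDN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_IP_RANGES)


def build_index(records):
    """Index records by IP, by nameserver, and by domain -> (ips, nameservers)."""
    by_ip, by_ns = defaultdict(set), defaultdict(set)
    attrs = defaultdict(lambda: (set(), set()))
    for domain, ip, ns in records:
        by_ip[ip].add(domain)
        by_ns[ns].add(domain)
        attrs[domain][0].add(ip)
        attrs[domain][1].add(ns)
    return by_ip, by_ns, attrs


def pivot(seed: str, records, max_ns_fanout: int = 5) -> dict[str, str]:
    """Expand a seed domain to related domains via dedicated IPs and rare nameservers.

    Returns {domain: reason}. A shared CDN IP is never used as a pivot, and a
    nameserver is only used when few domains in the dataset sit behind it; a
    registrar's default nameservers would otherwise link everything together.
    """
    by_ip, by_ns, attrs = build_index(records)
    found = {seed: "seed"}
    queue = deque([seed])
    while queue:
        domain = queue.popleft()
        ips, nameservers = attrs[domain]
        candidates = []
        for ip in sorted(ips):
            if not is_shared_ip(ip):
                candidates += [(d, f"shares dedicated IP {ip}") for d in sorted(by_ip[ip])]
        for ns in sorted(nameservers):
            if len(by_ns[ns]) <= max_ns_fanout:
                candidates += [(d, f"shares rare nameserver {ns}") for d in sorted(by_ns[ns])]
        for candidate, reason in candidates:
            if candidate not in found:
                found[candidate] = reason
                queue.append(candidate)
    return found


if __name__ == "__main__":
    for domain, reason in pivot("catering-amato.com", RECORDS).items():
        print(f"{domain:32} {reason}")
```

Two design points matter in practice. First, once the actor moved behind Cloudflare, the resolved address stops being a usable pivot, which is why the walk refuses to follow shared ranges and why domain reuse across the GoDaddy/NameCheap and Cloudflare phases becomes the link that survives. Second, the nameserver fan-out threshold is relative to the dataset being analysed; against a full passive-DNS feed it needs to be tuned, or replaced by a check that the nameservers are themselves actor-controlled.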

The most heavily targeted institutions include the University of California, Santa Cruz, UC Santa Barbara, the University of San Diego, Virginia Commonwealth University, and the University of Michigan.

Despite its open-source origins, Evilginx 3.0 offers capabilities that challenge traditional phishing detection methods.

It supports wildcard TLS certificates, JavaScript and HTML obfuscation, bot blocking through advanced fingerprinting, and integration with major DNS providers.

These features make automated scanning and visual analysis less effective: the victim's browser receives a valid certificate for the attacker's domain and page content proxied live from the real identity provider, so the session looks legitimate to both the browser and endpoint protection systems.

Investigators developed DNS-based tracking signatures and shared indicators of activity (IoAs) to help organizations preemptively block malicious infrastructure.

Key IPs associated with hosting the phishing proxies include 132.148.73.92, 162.0.214.254, and 208.109.39.196.

Domains such as acmsquared[.]com, mpoterbaru2024[.]com, and weddingsarahetemmanuel[.]com have also been linked to ongoing campaigns.

These findings underscore the growing use of sophisticated phishing frameworks, such as Evilginx, to undermine MFA and target the education sector.

Collaboration among affected institutions, DNS providers, and the threat intelligence community remains essential to protecting academic users.


The post Evilginx Attack Techniques Enable MFA Evasion Through Fake SSO Pages appeared first on Cyber Security News.
