A threat actor used the Evilginx adversary-in-the-middle (AITM) phishing framework to target student SSO portals at at least 18 U.S. universities since April 2025, delivering personalized TinyURL emails that redirected victims to short-lived subdomain phishing URLs that proxied legitimate login flows and bypassed MFA. Passive DNS analysis and initial web server fingerprinting uncovered nearly 70 domains and multiple dedicated IPs, which enabled tracking despite evasion measures such as Cloudflare proxies and JavaScript obfuscation.
#Evilginx #UniversityOfSanDiego
Keypoints
- The actor leveraged Evilginx (likely v3.0), an adversary-in-the-middle framework, to capture login credentials and session cookies and bypass multi-factor authentication.
- At least 18 U.S. universities were targeted between April and November 2025, with the University of California Santa Cruz, UCSB, University of San Diego, Virginia Commonwealth University, and the University of Michigan among the most targeted.
- Campaigns used personalized email lures containing TinyURL links that redirected to dynamically generated phishing URLs using subdomains that mimicked legitimate SSO services and eight-character randomized URIs that expired within 24 hours.
- The actor employed multiple evasion techniques — Cloudflare proxies, short-lived URLs, wildcard TLS certificates, bot filtering (JA4 fingerprinting), decoy pages, multi-domain phishlets, and JavaScript obfuscation — to frustrate detection and analysis.
- Researchers uncovered nearly 70 domains and multiple dedicated IPs (first observed domain: catering-amato[.]com), and crafted DNS-based signatures and initial web server fingerprinting to continuously track the infrastructure.
- Blocking the listed domains/IPs and leveraging DNS-based detection were recommended mitigation steps; indicators and more details are available in the Infoblox Threat Intel GitHub repo.
MITRE Techniques
- [T1566] Spearphishing Link – The actor delivered personalized emails with shortened links that redirected to phishing pages. (‘students were targeted via personalized emails that contained TinyURL links’)
- [T1557] Man-in-the-Middle – Evilginx acted as a proxy between victim and legitimate site to intercept credentials and session cookies. (‘an open source, advanced phishing adversary-in-the-middle (AITM, aka MITM) framework designed to steal login credentials and session cookies’)
- [T1539] Steal Web Session Cookie – The campaign captured session cookies to bypass MFA and maintain access. (‘designed to steal login credentials and session cookies’)
- [T1090] Proxy – The actor hid phishing infrastructure behind Cloudflare proxies to obscure hosting locations and impede attribution. (‘hide its servers behind Cloudflare proxies’)
- [T1027] Obfuscated Files or Information – JavaScript obfuscation and decoy pages were used to hinder analysis and detection. (‘JavaScript obfuscation’)
- [T1583] Acquire Infrastructure – Domains and hosting were acquired and reused (nearly 70 domains observed) to support multilingual, multi-domain phishlets. (‘We uncovered nearly 70 domains related to these attacks’)
Indicators of Compromise
- [IPv4] Dedicated IP addresses hosting Evilginx phishing proxy domains – 132[.]148[.]73[.]92, 208[.]109[.]244[.]86, and 13 other IPs
- [Domain] Domains used by Evilginx phishing proxy URLs – catering-amato[.]com, weddingsarahetemmanuel[.]com, and 65 other domains
- [Phishing subdomain/URL pattern] Subdomains and short-lived URIs impersonating SSO pages (used to mimic legitimate login hosts; they expire within 24 hours) – shibbolethmainrit[.]fiuy[.]weddingsarahetemmanuel[.]com and URIs of eight random alphabetic characters
- [Shortened URL] URL shortener redirects used in email lures – TinyURL links that redirected to dynamically generated Evilginx phishlet URLs
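The keypoints recommend blocking the listed domains/IPs and adding DNS-based detection for the subdomain pattern (SSO-sounding labels and a random label under an unrelated registered domain, plus an eight-letter landing URI). The script below is an added example of how a defender can triage resolver and proxy logs for both; it is not Infoblox's code and not the tooling from their GitHub repo. It uses only the four defanged indicators quoted on this page (the full list is in the repo), the trusted apex `example-university.edu` and the log lines are constructed, and the apex extraction is deliberately naive (last two labels; a public-suffix list is needed for ccSLDs such as `.ac.uk`).

```python
"""Triage DNS/proxy logs for the Evilginx SSO-lookalike pattern described in the report.
Added example, not the report's own code. IoCs below are the ones quoted on the page;
the trusted apex and the sample log lines are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Defanged indicators quoted in the report (the only page-supplied values used here).
REPORT_IOCS_DEFANGED = [
    "132[.]148[.]73[.]92",
    "208[.]109[.]244[.]86",
    "catering-amato[.]com",
    "weddingsarahetemmanuel[.]com",
]

# Labels a campus SSO host typically carries; an AITM phishlet copies them into its own subdomain.
SSO_KEYWORDS = ("shibboleth", "sso", "login", "idp", "cas", "auth", "duo", "okta")

# Report: landing URIs are eight random alphabetic characters.
RANDOM_URI = re.compile(r"^/[A-Za-z]{8}$")

# Hypothetical institution apex domain that legitimately hosts SSO labels (assumption).
TRUSTED_APEXES = {"example-university.edu"}


def refang(ioc: str) -> str:
    """Convert the report's defanged notation ('[.]', 'hxxp') back to a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_SET = {refang(i) for i in REPORT_IOCS_DEFANGED}


def registered_domain(host: str) -> str:
    """Naive apex: the last two labels. Fine for .com/.net; use a public-suffix list for ccSLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> list:
    """Return the reasons a hostname is suspicious (empty list = nothing found)."""
    host = host.lower().rstrip(".")
    apex = registered_domain(host)
    reasons = []
    if host in IOC_SET or apex in IOC_SET:
        reasons.append("known-ioc")
    # Everything left of the apex, e.g. 'shibbolethmainrit.fiuy'.
    subdomain = host[: -len(apex) - 1] if host != apex else ""
    if subdomain and apex not in TRUSTED_APEXES:
        labels = subdomain.split(".")
        if any(label.startswith(k) for label in labels for k in SSO_KEYWORDS):
            reasons.append("sso-lookalike-subdomain")
    return reasons


def classify_url(url: str) -> list:
    """Host heuristics plus the eight-letter URI check for a full proxy-log URL."""
    parts = urlsplit(url)
    reasons = classify_host(parts.hostname or "")
    if RANDOM_URI.match(parts.path):
        reasons.append("random-8-alpha-uri")
    return reasons


# Constructed resolver log; rdata is the answer returned to the client.
SAMPLE_DNS_LOG = """\
2025-09-12T14:01:03Z src=10.20.0.15 qname=shibboleth.example-university.edu qtype=A rdata=203.0.113.10
2025-09-12T14:02:11Z src=10.20.0.15 qname=shibbolethmainrit.fiuy.weddingsarahetemmanuel.com qtype=A rdata=192.0.2.44
2025-09-12T14:02:12Z src=10.20.0.15 qname=cdn.example-news.net qtype=A rdata=198.51.100.7
2025-09-12T14:05:40Z src=10.20.0.33 qname=login.nrqp.catering-amato.com qtype=A rdata=132.148.73.92
2025-09-12T14:06:02Z src=10.20.0.33 qname=static.example-cdn.org qtype=A rdata=208.109.244.86
"""

DNS_LOG_LINE = re.compile(r"qname=(?P<qname>\S+)(?:.*?rdata=(?P<rdata>\S+))?")


def scan_dns_log(text: str) -> list:
    """Yield (qname, reasons) for every log line that trips a name heuristic or an IoC IP."""
    hits = []
    for line in text.splitlines():
        m = DNS_LOG_LINE.search(line)
        if not m:
            continue
        reasons = classify_host(m.group("qname"))
        rdata = m.group("rdata")
        # A Cloudflare-proxied name resolves to Cloudflare, so the answer alone is not enough;
        # the dedicated IPs still catch hosts that resolve directly.
        if rdata and rdata in IOC_SET:
            reasons.append("known-ioc-ip")
        if reasons:
            hits.append((m.group("qname"), reasons))
    return hits


if __name__ == "__main__":
    for qname, reasons in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{qname}: {', '.join(reasons)}")
    print(classify_url("https://sso.abcd.not-a-campus.com/qwertyui"))
```

The second sample line shows why the subdomain heuristic matters: the name resolves to a proxy address that is in no blocklist, so only the `shibboleth…` label under an unrelated apex identifies it. Tune `SSO_KEYWORDS` and `TRUSTED_APEXES` to the institution's real SSO hostnames before deploying, and treat hits as triage candidates rather than automatic blocks.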
Read more: https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/