DNS Uncovers Infrastructure Used in SSO Attacks

Since April 2025, a threat actor has used the Evilginx adversary-in-the-middle (AITM) phishing framework to target the student SSO portals of at least 18 U.S. universities. Victims received personalized emails containing TinyURL links that redirected to short-lived subdomain phishing URLs; these proxied the legitimate login flow and so bypassed MFA. Passive DNS analysis and fingerprinting of the initial web servers uncovered nearly 70 domains and several dedicated IP addresses, which made the infrastructure trackable despite evasion measures such as Cloudflare proxying and JavaScript obfuscation.

#Evilginx #UniversityOfSanDiego
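The passive-DNS pivot described above, as an added illustration (not code or data from the report): starting from a seed domain, collect the non-proxied IPs it resolved to, pull every other hostname that shared those IPs, and flag hostnames that lived only hours. The records, domain names, IP addresses and proxy range below are all constructed placeholders; a real analysis would pull records from a passive-DNS provider and proxy ranges from the CDN's published list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class PdnsRecord:
    name: str
    ip: str
    first_seen: datetime
    last_seen: datetime

# Constructed passive-DNS records (documentation IP ranges, .test domains); not real IoCs.
T0 = datetime(2025, 5, 1, 9, 0)
RECORDS = [
    PdnsRecord("login-sso.phish-example.test", "203.0.113.10", T0, T0 + timedelta(hours=5)),
    PdnsRecord("portal-ab12.phish-example.test", "203.0.113.10", T0 + timedelta(days=2),
               T0 + timedelta(days=2, hours=3)),
    PdnsRecord("www.phish-example.test", "192.0.2.50", T0, T0 + timedelta(days=30)),
    PdnsRecord("verify-9f2e.other-example.test", "203.0.113.10", T0 + timedelta(days=5),
               T0 + timedelta(days=5, hours=2)),
    PdnsRecord("campus-news.benign-example.test", "198.51.100.7", T0, T0 + timedelta(days=400)),
]

# Constructed stand-in for a shared reverse-proxy range; such IPs are shared by
# many unrelated tenants and are useless as a pivot.
PROXY_RANGES = [ip_network("192.0.2.0/24")]

def is_proxied(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)

def pivot_ips(records, seed_domain: str) -> set:
    """Dedicated (non-proxy) IPs ever observed for hostnames under the seed domain."""
    return {r.ip for r in records
            if r.name == seed_domain or r.name.endswith("." + seed_domain)
            if not is_proxied(r.ip)}

def related_domains(records, ips: set) -> list:
    """Every hostname that resolved to one of the pivot IPs: candidate shared infrastructure."""
    return sorted({r.name for r in records if r.ip in ips})

def short_lived(records, max_age=timedelta(hours=24)) -> list:
    """Hostnames that lived less than max_age: the throwaway-subdomain pattern."""
    return sorted({r.name for r in records if r.last_seen - r.first_seen < max_age})

def track_infrastructure(records, seed_domain: str) -> dict:
    """Full pivot: seed domain -> dedicated IPs -> related hostnames, with short-lived ones marked."""
    ips = pivot_ips(records, seed_domain)
    related = related_domains(records, ips)
    ephemeral = set(short_lived(records))
    return {"ips": sorted(ips), "related": related,
            "short_lived": [n for n in related if n in ephemeral]}
```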