Infoblox Threat Intel has uncovered a sophisticated and coordinated phishing campaign that targeted at least 18 major U.S. universities, using the advanced Evilginx adversary-in-the-middle (AiTM) toolkit to bypass multi-factor authentication (MFA). The months-long cyberattack leveraged more than 70 malicious domains, exposing serious vulnerabilities across higher-education institutions including the University of California, Virginia Commonwealth University, and the University of Michigan.
Evilginx-Powered MFA Bypass Puts Student Accounts at Risk
According to Infoblox, attackers deployed Evilginx v3.0, an open-source phishing framework known for its ability to proxy legitimate login flows, intercept authentication data, and steal session cookies. This allows hackers to bypass MFA protections and gain unauthorized access to university portals—even when students have MFA enabled.
DNS Threat Analysis Exposes the Scale of the Campaign
Through detailed DNS threat intelligence, Infoblox analysts identified nearly 70 interconnected phishing domains, a sophisticated network of short-lived URLs, Cloudflare-obfuscated hosting, and unique subdomains impersonating university SSO portals. The campaign ran from April to November 2025, remaining largely undetected due to advanced evasion techniques.
Key findings include:
- Hijacking of student accounts using AiTM phishing: Attackers stole credentials and session cookies via Evilginx-generated reverse-proxy pages.
- Mapping of 70+ malicious domains: DNS fingerprints enabled detection despite URL rotation and Cloudflare masking.
- Personalized phishing emails sent to students: Dynamic TinyURL links redirected users to fake login portals with university-branded subdomains.
- Advanced evasion tactics: Cloudflare proxies, rapid domain cycling, and reverse-proxy obfuscation made detection significantly harder.
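The findings above describe impersonation of university SSO portals through unique subdomains under attacker-controlled zones, detected through DNS fingerprints rather than the rotating URLs. The following is an added example (not Infoblox's tooling or data) of a defender-side heuristic that scores resolver log entries for that pattern; the institution zone `example-university.edu`, the log format and the sample lines are all constructed.

```python
# Constructed resolver log (hypothetical; not from the Infoblox report).
# Format per line: "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2025-09-02T08:14:01Z 10.20.4.17 sso.example-university.edu
2025-09-02T08:14:33Z 10.20.4.17 sso-example-university.login-portal-verify.com
2025-09-02T08:15:02Z 10.20.9.3 shib.example-university.edu
2025-09-02T08:15:40Z 10.20.9.3 shib.example-university.edu.auth-check.net
2025-09-02T08:16:10Z 10.20.7.88 cdn.static-assets-example.net
"""

TRUSTED_ZONES = {"example-university.edu"}  # hypothetical institution zone
SSO_TOKENS = ("sso", "shib", "login", "auth", "idp", "mfa", "duo", "okta")

def registrable_domain(qname):
    # Approximate eTLD+1 as the last two labels; a real deployment
    # should use the public suffix list to handle zones like .ac.uk.
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def score_qname(qname):
    """Return (score, reasons) estimating how strongly qname imitates an SSO portal."""
    q = qname.lower().rstrip(".")
    if registrable_domain(q) in TRUSTED_ZONES:
        return 0, []                     # genuinely under the institution's zone
    labels = q.split(".")
    prefix = ".".join(labels[:-2])       # subdomain part under an untrusted zone
    score, reasons = 0, []
    # 1. Institution brand label appearing inside a hostname the institution does not own
    for zone in TRUSTED_ZONES:
        brand = zone.split(".")[0]
        if brand in prefix:
            score += 3
            reasons.append(f"embeds brand '{brand}' under untrusted zone")
    # 2. Authentication-flavoured tokens anywhere in the labels
    hits = [t for t in SSO_TOKENS if any(t in lab for lab in labels)]
    if hits:
        score += len(hits)
        reasons.append(f"sso tokens {hits}")
    # 3. Deep subdomain structure, typical of per-target lure hostnames
    if len(labels) >= 4:
        score += 1
        reasons.append("deep subdomain")
    return score, reasons

def detect(log_text, threshold=3):
    """Return (client, qname, score, reasons) for every query at or above threshold."""
    alerts = []
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        score, reasons = score_qname(qname)
        if score >= threshold:
            alerts.append((client, qname, score, reasons))
    return alerts
```

Scores are a triage aid: a hit should drive enrichment (registration age, hosting behind a CDN proxy, co-resolving names) rather than automatic blocking, since legitimate vendors also use auth-flavoured hostnames.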
The investigation began when a campus security practitioner spotted abnormal login activity and reported it to Infoblox Threat Intel. The shared intelligence helped analysts connect patterns across multiple institutions, ultimately revealing a widespread, coordinated attack targeting the higher-education sector.
A Growing Threat to Academic Institutions
Emphasizing the increasing risk to universities, Dr. Renée Burton, Vice President of Infoblox Threat Intel, said, “Higher-education institutions remain prime targets for cybercriminals who show little regard for the systems they compromise or the long-term damage they inflict. In one devastating case, attackers breached the University of Washington’s Burke Museum, destroying parts of its digital specimen catalog—an irreplaceable scientific archive.”
Infoblox continues to track the attacker’s evolving infrastructure, noting that the malicious actor is adapting its phishing toolkit and expanding its targeting profile. The company urges universities to strengthen DNS security, zero-trust authentication, session monitoring, and cybersecurity awareness training to combat rising AiTM-based phishing threats.
