DNS Uncovers Infrastructure Used in SSO Attacks
Essential information
- Published
- 03/12/2025 17:58
- Modified
- 21/12/2025 18:21
- Tags
- 2025-12-03 aitm evilginx mitm phishing reverse proxy sso tinyurl
- Related entities
- 15 observables, 3 techniques (mitre), 1 malware, 69 others
Description
The threat actor leveraged Evilginx (likely version 3.0), an open-source adversary-in-the-middle (AiTM) phishing framework, a reverse-proxy form of man-in-the-middle (MITM) attack designed to steal login credentials and session cookies. Because the victim completes the real login, including the MFA challenge, through the attacker's proxy, the captured session cookie is already post-MFA, which is why Evilginx is widely used by cybercriminals to undermine multi-factor authentication (MFA). This actor has used it to target at least 18 universities and educational institutions across the United States since April 2025. The campaigns were delivered by email, and the phishing domains used subdomains that mimicked the legitimate SSO hostnames.
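The DNS angle in the title suggests the practical check a defender would run: sweep DNS query logs or passive DNS for FQDNs whose subdomain labels reproduce a legitimate SSO hostname under a registrable domain the organisation does not own. The following Python is an added example written for this page, not code from the report or from the Evilginx project. The SSO hostnames and DNS records are constructed for illustration; the registrable-domain logic assumes a two-label suffix (a production version should use the Public Suffix List), and the hyphenated-hostname pattern is a common lookalike variant added here, not one the report states this actor used.

```python
from __future__ import annotations

# Constructed sample data (not from the report): SSO hostnames the defender
# owns, and FQDNs as they might appear in DNS query logs or passive DNS.
LEGIT_SSO_HOSTS = [
    "sso.example-university.edu",
    "login.example-university.edu",
]

SAMPLE_DNS_FQDNS = [
    "sso.example-university.edu",                       # legitimate, must not fire
    "sso.example-university.edu.auth-portal.example",   # whole SSO hostname as a subdomain
    "login.example-university.com",                     # brand under a different TLD
    "sso-example-university.edu.verify-login.example",  # hyphenated variant (assumed pattern)
    "cdn.unrelated.example",                            # benign
]


def _labels(fqdn: str) -> list[str]:
    return fqdn.lower().rstrip(".").split(".")


def registrable_domain(fqdn: str) -> str:
    # Assumption: the registrable domain is the last two labels. Use the
    # Public Suffix List (e.g. tldextract) in production for co.uk-style suffixes.
    return ".".join(_labels(fqdn)[-2:])


def subdomain_labels(fqdn: str) -> list[str]:
    return _labels(fqdn)[:-2]


def _contains_sequence(haystack: list[str], needle: list[str]) -> bool:
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def classify(fqdn: str, legit_hosts: list[str]) -> tuple[str, str] | None:
    """Return (reason, mimicked_host) if fqdn impersonates one of legit_hosts, else None."""
    cand_reg = registrable_domain(fqdn)
    cand_sub = subdomain_labels(fqdn)
    for legit in legit_hosts:
        legit_labels = _labels(legit)
        if cand_reg == registrable_domain(legit):
            continue  # inside our own zone: not a lookalike
        # 1. The full legitimate hostname appears as a label sequence in the subdomain.
        if _contains_sequence(cand_sub, legit_labels):
            return ("full-hostname-embedded", legit)
        # 2. The hostname collapsed into one hyphenated label (assumed common variant).
        hyphenated = {"-".join(legit_labels), "-".join(legit_labels[:-1])}
        if any(lab in hyphenated for lab in cand_sub):
            return ("hyphenated-hostname", legit)
        # 3. Same host prefix and same brand label, but a different registrable suffix.
        legit_prefix, legit_brand = legit_labels[:-2], legit_labels[-2]
        if legit_prefix and cand_sub[-len(legit_prefix):] == legit_prefix \
                and cand_reg.split(".")[0] == legit_brand:
            return ("brand-under-other-tld", legit)
    return None


def find_sso_lookalikes(fqdns: list[str], legit_hosts: list[str]) -> list[tuple[str, str, str]]:
    """Scan a list of FQDNs and return (fqdn, reason, mimicked_host) for each hit."""
    hits = []
    for fqdn in fqdns:
        verdict = classify(fqdn, legit_hosts)
        if verdict is not None:
            hits.append((fqdn, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for fqdn, reason, legit in find_sso_lookalikes(SAMPLE_DNS_FQDNS, LEGIT_SSO_HOSTS):
        print(f"{fqdn:55} {reason:24} mimics {legit}")
```

Hits are candidates for a block on the resolver or for pivoting in passive DNS (shared nameservers, registrant patterns, neighbouring subdomains), which is how one Evilginx host leads to the rest of a campaign's infrastructure; a hit is not proof of compromise on its own, because a user may never have clicked the link.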