{
  "name": "DNS Uncovers Infrastructure Used in SSO Attacks",
  "slug": "dns-uncovers-infrastructure-used-in-sso-attacks",
  "description": "The threat actor leveraged Evilginx (likely version 3.0), an open source adversary-in-the-middle (AiTM) phishing framework: a reverse proxy that sits between the victim and the real login page and captures both the submitted credentials and the session cookie issued after authentication. Because the captured cookie represents an already-authenticated session, replaying it lets the attacker bypass most forms of multi-factor authentication (MFA), which is why Evilginx is widely used by cybercriminals; phishing-resistant, origin-bound methods such as FIDO2/WebAuthn are not vulnerable to this technique. This actor has used it to target at least 18 universities and educational institutions across the United States since April 2025. Lures were delivered by email, and the phishing domains used subdomains that mimicked the targeted institutions' legitimate SSO hostnames.",
  "published": "2025-12-03T16:58:34+00:00",
  "created_at": "2025-12-03T16:58:34+00:00",
  "modified_at": "2025-12-21T17:21:53+00:00",
  "created_at_opencti": "2025-12-03T16:58:34+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-12-03",
    "aitm",
    "evilginx",
    "mitm",
    "phishing",
    "reverse proxy",
    "sso",
    "tinyurl"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "160.153.178.199"
      },
      {
        "id": "",
        "name": "203.161.60.59"
      },
      {
        "id": "",
        "name": "132.148.74.178"
      },
      {
        "id": "",
        "name": "72.167.52.130"
      },
      {
        "id": "",
        "name": "208.109.39.196"
      },
      {
        "id": "",
        "name": "192.169.177.165"
      },
      {
        "id": "",
        "name": "132.148.73.92"
      },
      {
        "id": "",
        "name": "66.29.133.135"
      },
      {
        "id": "",
        "name": "162.0.214.254"
      },
      {
        "id": "",
        "name": "160.153.176.197"
      },
      {
        "id": "",
        "name": "162.0.228.151"
      },
      {
        "id": "",
        "name": "199.192.23.40"
      },
      {
        "id": "",
        "name": "208.109.244.86"
      },
      {
        "id": "",
        "name": "72.167.224.193"
      },
      {
        "id": "",
        "name": "64.202.186.223"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:f1dcc66c08742f2c",
        "name": "Evilginx",
        "slug": "evilginx"
      }
    ],
    "attack_patterns": [
      {
        "id": "00430919-9257-403b-8a1b-958d4c3613aa",
        "name": "T1557"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United States of America"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "hafikoman.com"
      },
      {
        "id": "",
        "name": "amj-international.com"
      },
      {
        "id": "",
        "name": "lpdeco.com"
      },
      {
        "id": "",
        "name": "ideallivingsolutions.com"
      },
      {
        "id": "",
        "name": "brownak.com"
      },
      {
        "id": "",
        "name": "bazmepaigham.com"
      },
      {
        "id": "",
        "name": "citywideprayer.com"
      },
      {
        "id": "",
        "name": "schnaitsee.com"
      },
      {
        "id": "",
        "name": "allwebdirectories.com"
      },
      {
        "id": "",
        "name": "ads2ads.com"
      },
      {
        "id": "",
        "name": "ilchirone.com"
      },
      {
        "id": "",
        "name": "hurenkontakte.com"
      },
      {
        "id": "",
        "name": "impexinc.com"
      },
      {
        "id": "",
        "name": "kbdav.com"
      },
      {
        "id": "",
        "name": "joshuasdodds.com"
      },
      {
        "id": "",
        "name": "e-briefe.com"
      },
      {
        "id": "",
        "name": "yoopuipui.com"
      },
      {
        "id": "",
        "name": "lost-signal.com"
      },
      {
        "id": "",
        "name": "igreensoft.com"
      },
      {
        "id": "",
        "name": "intellipex.com"
      },
      {
        "id": "",
        "name": "dogcuty.com"
      },
      {
        "id": "",
        "name": "forty-something.com"
      },
      {
        "id": "",
        "name": "aghomesandproperties.com"
      },
      {
        "id": "",
        "name": "intercuba.com"
      },
      {
        "id": "",
        "name": "eggcoo.com"
      },
      {
        "id": "",
        "name": "data-logistics.com"
      },
      {
        "id": "",
        "name": "georgiayr.com"
      },
      {
        "id": "",
        "name": "brillianceboundielts.com"
      },
      {
        "id": "",
        "name": "dartsinireland.com"
      },
      {
        "id": "",
        "name": "dhoughton.com"
      },
      {
        "id": "",
        "name": "acmsquared.com"
      },
      {
        "id": "",
        "name": "apartamentosmalaga.com"
      },
      {
        "id": "",
        "name": "geegletee.com"
      },
      {
        "id": "",
        "name": "ispamembers.com"
      },
      {
        "id": "",
        "name": "freaksandfriends.com"
      },
      {
        "id": "",
        "name": "winbet299mas.com"
      },
      {
        "id": "",
        "name": "goraba.com"
      },
      {
        "id": "",
        "name": "cappadociavisittours.com"
      },
      {
        "id": "",
        "name": "bedrijvenregister.com"
      },
      {
        "id": "",
        "name": "jimmylange.com"
      },
      {
        "id": "",
        "name": "thelovecity.com"
      },
      {
        "id": "",
        "name": "buildonhope.com"
      },
      {
        "id": "",
        "name": "qrcodespoweredbygs1.com"
      },
      {
        "id": "",
        "name": "mykidsfashion.com"
      },
      {
        "id": "",
        "name": "l2storm.com"
      },
      {
        "id": "",
        "name": "monnalissaboutique.com"
      },
      {
        "id": "",
        "name": "weddingsarahetemmanuel.com"
      },
      {
        "id": "",
        "name": "tubeunderwater.com"
      },
      {
        "id": "",
        "name": "bestshayari.com"
      },
      {
        "id": "",
        "name": "heisseliebe.com"
      },
      {
        "id": "",
        "name": "esdetodo.com"
      },
      {
        "id": "",
        "name": "inkdchronicles.com"
      },
      {
        "id": "",
        "name": "transusasia.com"
      },
      {
        "id": "",
        "name": "ehsantrust.com"
      },
      {
        "id": "",
        "name": "controlunlimited.com"
      },
      {
        "id": "",
        "name": "catering-amato.com"
      },
      {
        "id": "",
        "name": "coralridgehour.com"
      },
      {
        "id": "",
        "name": "srpskazemlja.com"
      },
      {
        "id": "",
        "name": "armingaud.com"
      },
      {
        "id": "",
        "name": "littlenuggetsco.com"
      },
      {
        "id": "",
        "name": "sercanaydin.com"
      },
      {
        "id": "",
        "name": "mpoterbaru2024.com"
      },
      {
        "id": "",
        "name": "thermalresistivity.com"
      },
      {
        "id": "",
        "name": "cccsok.com"
      },
      {
        "id": "",
        "name": "eheringe-trauringe.com"
      },
      {
        "id": "",
        "name": "northstarcouncil.com"
      },
      {
        "id": "",
        "name": "fluffybascha.com"
      }
    ]
  },
  "external_refs": [
    "https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/",
    "https://otx.alienvault.com/pulse/69307a4a316b3f36d7ee486e"
  ]
}