DNS Uncovers Infrastructure Used in SSO Attacks
ID: 3aa71050-d397-5bb0-ae9b-6755605a42f8
STIX ID: report--3aa71050-d397-5bb0-ae9b-6755605a42f8
Feed Name: Infoblox Blog
This report documents an active phishing campaign that uses the Evilginx AITM framework (likely v3.0) and has targeted the SSO portals of at least 18 U.S. universities since April 2025, bypassing MFA and capturing login credentials and session cookies. Investigators used DNS and passive-DNS analysis to identify 67 related domains and multiple IPs, and published IoCs to enable blocking and continuous tracking.
