DNS Uncovers Infrastructure Used in SSO Attacks
ID: 64e829d2-acd8-5b95-a6a8-f88339535b5a
STIX ID: report--64e829d2-acd8-5b95-a6a8-f88339535b5a
Feed Name: Infoblox Threat Intel Blog
This report documents an ongoing Evilginx-based phishing campaign that targeted at least 18 U.S. universities' student SSO portals between April and November 2025. The actor used TinyURL lures, short-lived impersonating subdomains, and Cloudflare-proxied infrastructure to capture credentials and session cookies (bypassing MFA); the analysis uncovered 67 associated domains, multiple hosting IPs, and DNS fingerprints that enable detection and blocking.
