DNS Uncovers Infrastructure Used in SSO Attacks
ID: c951b01f-17ef-5a73-a7fb-572b0a291136
STIX ID: report--c951b01f-17ef-5a73-a7fb-572b0a291136
Feed Name: Infoblox Threat Intel Blog
This report describes an active Evilginx adversary-in-the-middle (AITM) phishing campaign, running from April to November 2025, that targeted student single sign-on (SSO) portals at 18 or more U.S. universities. The actor registered short-lived, brand-mimicking subdomains and placed them behind Cloudflare, using them to proxy the legitimate login flow: the victim completes the real MFA step through the proxy, so the authenticated session is captured and MFA is bypassed. Passive DNS analysis attributed 67 domains and several IP addresses to the actor, made the infrastructure trackable through DNS, and produced indicators of activity (IoAs) that the report recommends blocking.
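The passive DNS pivot the summary refers to can be reproduced on any pDNS export. The following is an added example, not code or data from the report: it starts from a known-bad seed domain, collects the IPs it resolved to, excludes shared front-end addresses (a Cloudflare-fronted lure resolves to an IP that thousands of unrelated sites share, so pivoting on it only produces noise), and then keeps co-hosted domains that mix the target brand with an SSO-style token, sit outside the institution's real zone, and lived only a few days. The records, domain names (reserved .test names and the IANA-reserved example.edu), RFC 5737 addresses, brand string and token list are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    """One passive-DNS observation: an FQDN resolving to an IPv4 address
    over the window [first_seen, last_seen]."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date


# Tokens a student-SSO lure typically reuses (assumed list for illustration).
SSO_TOKENS = ("sso", "login", "signin", "portal", "auth", "mfa", "duo", "cas", "shib")


def mimics_brand(domain, brands):
    """True when the hostname carries both a target brand string and an
    SSO-flavoured token, e.g. 'example-duo-portal.test'."""
    host = domain.lower().rstrip(".")
    return any(b in host for b in brands) and any(t in host for t in SSO_TOKENS)


def in_zone(domain, zones):
    """True when domain is the apex or a subdomain of one of `zones`
    (the institution's real SSO host also 'mimics the brand', so it must be exempted)."""
    d = domain.lower().rstrip(".")
    return any(d == z or d.endswith("." + z) for z in zones)


def pivot(records, seeds, brands, legit_zones, shared_ips=frozenset(), max_life_days=14):
    """Passive-DNS pivot from known-bad seed domains.

    1. Collect the IPs the `seeds` resolved to.
    2. Drop IPs in `shared_ips` (CDN / reverse-proxy front ends): every customer
       behind them shares the address, so it does not identify the actor.
    3. For every other domain seen on the remaining IPs, keep it if it mimics the
       brand, is not under a legitimate zone, and was resolvable for at most
       `max_life_days` between first and last observation.

    Returns (actor_ips, {domain: {ips it was found on}}).
    """
    by_ip = defaultdict(set)
    by_domain = defaultdict(list)
    for r in records:
        by_ip[r.ip].add(r.domain)
        by_domain[r.domain].append(r)

    actor_ips = {r.ip for s in seeds for r in by_domain.get(s, [])} - set(shared_ips)

    found = {}
    for ip in sorted(actor_ips):
        for d in sorted(by_ip[ip]):
            if d in seeds or in_zone(d, legit_zones) or not mimics_brand(d, brands):
                continue
            recs = by_domain[d]
            life = (max(r.last_seen for r in recs) - min(r.first_seen for r in recs)).days
            if life <= max_life_days:
                found.setdefault(d, set()).add(ip)
    return actor_ips, found


# Constructed sample data (RFC 5737 addresses, reserved names); not the report's indicators.
SAMPLE = [
    PdnsRecord("sso-example-login.test", "203.0.113.10", date(2025, 5, 1), date(2025, 5, 6)),
    PdnsRecord("sso-example-login.test", "203.0.113.11", date(2025, 5, 6), date(2025, 5, 8)),
    PdnsRecord("sso-example-login.test", "198.51.100.1", date(2025, 5, 8), date(2025, 5, 9)),  # moved behind a shared front end
    PdnsRecord("example-duo-portal.test", "203.0.113.10", date(2025, 5, 3), date(2025, 5, 9)),
    PdnsRecord("example-auth.test", "203.0.113.10", date(2025, 1, 1), date(2025, 6, 1)),      # long-lived: not a throwaway lure
    PdnsRecord("cdn-cache.test", "203.0.113.10", date(2025, 5, 2), date(2025, 5, 4)),         # co-hosted but no brand string
    PdnsRecord("mfa-example-verify.test", "203.0.113.11", date(2025, 6, 1), date(2025, 6, 2)),
    PdnsRecord("example-login-help.test", "198.51.100.1", date(2025, 5, 1), date(2025, 5, 3)),  # only on the shared IP: never pivoted to
    PdnsRecord("login.example.edu", "198.51.100.50", date(2024, 1, 1), date(2025, 11, 1)),   # the institution's real SSO host
]


def run_example():
    return pivot(
        SAMPLE,
        seeds={"sso-example-login.test"},
        brands=("example",),
        legit_zones=("example.edu",),
        shared_ips={"198.51.100.1"},
    )


if __name__ == "__main__":
    ips, hits = run_example()
    print("actor IPs:", sorted(ips))
    for d, dips in sorted(hits.items()):
        print(f"block {d}  (seen on {', '.join(sorted(dips))})")
```

On the sample data the pivot yields two actor IPs and two additional lure domains to block; the long-lived co-hosted domain, the brand-free one, and everything behind the shared front-end address are left alone. The lifetime threshold and the token list are the two knobs to tune against a real export: short-lived lures are the report's key observation, but a lure that is re-pointed to a new IP every few days still accumulates a long total lifetime, which is why the code measures the span across all of a domain's records rather than per record.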
