
DNS Uncovers Infrastructure Used in SSO Attacks

Severity: Medium
Published: Wed Dec 03 2025 (12/03/2025, 17:58:34 UTC)
Source: AlienVault OTX General

Description

The threat actor leveraged Evilginx (likely version 3.0), an open source, advanced phishing adversary-in-the-middle (AITM, aka MITM) framework designed to steal login credentials and session cookies. Evilginx is widely used by cybercriminals to undermine multi-factor authentication (MFA) security, and this actor has used it to target at least 18 universities and educational institutions across the United States since April 2025. The campaigns were delivered through email and the phishing domains used subdomains that mimicked the legitimate SSO sites.

AI-Powered Analysis

Last updated: 12/03/2025, 18:14:15 UTC

Technical Analysis

This threat involves the use of Evilginx (likely version 3.0), an open-source adversary-in-the-middle (AITM) phishing framework that acts as a reverse proxy between the victim and the real login page, intercepting login credentials and session cookies during Single Sign-On (SSO) authentication. Because the proxy relays the victim's own MFA response to the legitimate site and then captures the resulting session token, the attacker can impersonate the user without defeating MFA directly. The threat actor has conducted targeted phishing campaigns since April 2025, focusing on at least 18 universities and educational institutions in the United States. These campaigns are delivered via email, using phishing domains with subdomains crafted to closely resemble legitimate SSO login pages, increasing the likelihood of user deception. The attacker's infrastructure was uncovered through DNS analysis, revealing the use of malicious subdomains and domain names designed to evade detection. Although no widespread exploitation beyond these campaigns is currently known, the technique is effective against organizations relying on SSO and MFA for authentication security. The attack maps to the MITRE ATT&CK techniques T1557 (Adversary-in-the-Middle), T1566 (Phishing), and T1539 (Steal Web Session Cookie). The absence of a CVSS score necessitates an assessment based on impact and exploitability, with the medium severity reflecting the threat's ability to compromise confidentiality and integrity without requiring complex exploitation or extensive user interaction beyond phishing. The threat highlights the importance of securing DNS infrastructure, user awareness, and deploying anti-phishing defenses to protect SSO environments.

Potential Impact

For European organizations, especially those in the education sector or any entity relying heavily on SSO authentication, this threat can lead to significant credential compromise and session hijacking. The attacker’s ability to bypass MFA undermines one of the strongest layers of defense, increasing the risk of unauthorized access to sensitive data, intellectual property, and internal systems. Compromised credentials can facilitate lateral movement within networks, data exfiltration, and potential disruption of services. The reputational damage and regulatory consequences under GDPR for data breaches involving personal data are also considerable. Given the phishing delivery vector, widespread user susceptibility could amplify the impact. The threat is particularly concerning for institutions with large user bases and less mature phishing detection capabilities. Additionally, the use of DNS infrastructure for attack delivery suggests that organizations with insufficient DNS monitoring and filtering may be more vulnerable. The medium severity rating reflects a balance between the sophisticated attack method and the requirement for user interaction (phishing click), meaning that while impactful, the threat is not trivially exploitable at scale without user engagement.

Mitigation Recommendations

1. Implement advanced phishing detection and email filtering solutions that can identify and block emails containing malicious links or domains mimicking legitimate SSO services.
2. Conduct targeted user awareness training focused on recognizing phishing attempts, especially those impersonating SSO login pages.
3. Deploy DNS monitoring and filtering tools to detect and block access to suspicious subdomains and domains used in these campaigns.
4. Enforce strict domain and subdomain registration monitoring to identify potential lookalike domains early.
5. Utilize browser isolation or anti-phishing browser extensions that can detect and warn users about man-in-the-middle proxy attacks.
6. Implement anomaly detection on authentication logs to identify unusual login patterns or session behaviors indicative of session hijacking.
7. Consider adopting hardware-based MFA tokens or FIDO2/WebAuthn standards, which are phishing-resistant: the credential is bound to the legitimate origin, so an AITM proxy cannot complete the login and obtain a session cookie.
8. Regularly review and update incident response plans to include scenarios involving AITM phishing attacks.
9. Collaborate with DNS providers and threat intelligence services to share indicators of compromise and block malicious infrastructure proactively.
10. Encourage the use of zero-trust network architectures that limit the impact of compromised credentials.
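As an added example of the DNS monitoring and lookalike-domain checks in items 3 and 4 (not code from the Infoblox or AlienVault report), the script below scans constructed DNS query-log lines for subdomains on foreign domains that either embed a legitimate SSO hostname outright or combine a typical SSO label with the organisation's name; the legitimate hostnames, the label list and the log format are assumptions.

```python
# Flag DNS query names whose subdomains mimic an organisation's SSO hostname.
# Added example, not code from the Infoblox/AlienVault report; the legitimate
# hostnames, the log format and the query names are all constructed.
import re

LEGIT_SSO_HOSTS = {"sso.example.edu", "login.example.edu"}        # constructed
SSO_LABELS = {"sso", "login", "idp", "shibboleth", "cas", "auth"}  # common labels

def registrable_domain(fqdn):
    """Last two labels. Simplification: production code should consult the
    Public Suffix List so that suffixes such as co.uk are handled."""
    return ".".join(fqdn.lower().strip(".").split(".")[-2:])

def flat(name):
    """Collapse dots and dashes so sso-example-edu equals sso.example.edu."""
    return re.sub(r"[.-]", "", name.lower())

LEGIT_DOMAINS = {registrable_domain(h) for h in LEGIT_SSO_HOSTS}
ORG_NAME = next(iter(LEGIT_DOMAINS)).split(".")[0]                 # "example"

def classify(qname):
    """Return (qname, reason) if qname looks like an SSO lookalike, else None."""
    qname = qname.lower().strip(".")
    reg = registrable_domain(qname)
    if reg in LEGIT_DOMAINS:
        return None                            # our own domain is never a lookalike
    prefix = qname[: -len(reg)].rstrip(".")    # subdomain part on the foreign domain
    if not prefix:
        return None
    for host in LEGIT_SSO_HOSTS:               # e.g. sso.example.edu.<foreign domain>
        if flat(host) in flat(prefix):
            return (qname, "embeds legitimate SSO hostname " + host)
    if set(prefix.split(".")) & SSO_LABELS and ORG_NAME in flat(prefix):
        return (qname, "SSO label plus organisation name on " + reg)
    return None

def scan_dns_log(lines):
    """Parse 'timestamp client qname qtype' lines; return the suspicious ones."""
    hits = [classify(p[2]) for p in (line.split() for line in lines) if len(p) >= 4]
    return [h for h in hits if h]

# Constructed sample: two legitimate queries followed by three lookalikes.
SAMPLE_LOG = """\
2025-11-03T08:00:01Z 10.1.2.3 sso.example.edu A
2025-11-03T08:00:02Z 10.1.2.3 www.example.edu A
2025-11-03T08:01:10Z 10.1.2.9 sso.example.edu.lookalike-domain.test A
2025-11-03T08:01:11Z 10.1.2.9 sso-example-edu.lookalike-domain.test A
2025-11-03T08:02:00Z 10.1.2.4 login.example.lookalike-domain.test A
""".splitlines()
```

Run `scan_dns_log(SAMPLE_LOG)` against a resolver's query log export to get the flagged names; new hits on recently registered domains are the ones worth blocking first.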


Technical Details

Author
AlienVault
Tlp
white
References
https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/
Adversary
null
Pulse Id
69307a4a316b3f36d7ee486e
Threat Score
null

Indicators of Compromise


Threat ID: 69307b18b129615efa19324a

Added to database: 12/3/2025, 6:02:00 PM

Last enriched: 12/3/2025, 6:14:15 PM

Last updated: 1/19/2026, 4:37:25 AM
