DNS Uncovers Infrastructure Used in SSO Attacks
A threat actor is using Evilginx 3.0, an open-source adversary-in-the-middle (AiTM) phishing framework, to steal SSO credentials from educational institutions. Phishing emails lead to lookalike subdomains that imitate the targets' Single Sign-On (SSO) login pages. The Evilginx reverse proxy relays the victim's real login, including the MFA step, to the genuine identity provider and copies both the credentials and the session cookie the provider issues, so the attacker can reuse the authenticated session without defeating MFA itself. Since April 2025, at least 18 universities in the United States have been targeted. The infrastructure was identified through DNS analysis: the apex domains in the indicator list below are unrelated names hosted at commodity providers, and the deception is carried in the subdomain label. No activity beyond these campaigns has been reported. The threat is rated medium severity because it undermines MFA protections while still depending on a user following the phishing link. European organisations using similar SSO systems with large, exposed user bases are at risk, particularly in countries with large academic sectors and high phishing susceptibility. Mitigation requires targeted user training, stronger phishing detection, DNS monitoring, and phishing-resistant authentication. Countries with significant higher education sectors and digital infrastructure, such as the UK, Germany, France, and the Netherlands, are most likely to be affected.
AI Analysis
Technical Summary
This threat involves Evilginx 3.0, an open-source adversary-in-the-middle (AiTM) phishing framework that runs as a reverse proxy in front of a genuine login page. The victim's browser talks to the phishing host, which rewrites and forwards every request to the real identity provider and returns the real responses, so the user sees the legitimate SSO flow, enters the password and completes the MFA challenge against the genuine service. Because the provider sees a fully authenticated login, it issues a session cookie; the proxy copies that cookie as it passes back to the browser, and the attacker can then replay it and act as the user. MFA is never broken, only relayed, which is why one-time codes and push approvals do not help here while origin-bound credentials such as FIDO2/WebAuthn do. The threat actor has run these campaigns since April 2025 against at least 18 universities and educational institutions in the United States. Lures arrive by email and point to subdomains crafted to resemble the targets' SSO login pages; the apex domains, listed in the indicators below, are unrelated names hosted at commodity providers, and the infrastructure was identified through DNS analysis rather than from the names of the lure domains. No activity beyond these campaigns is currently known, but the technique works against any organisation that relies on SSO with relayable MFA. The relevant MITRE ATT&CK techniques are T1557 (Adversary-in-the-Middle), T1566 (Phishing), and T1539 (Steal Web Session Cookie). No CVSS score applies to a campaign of this kind, so severity is assessed from impact and exploitability: medium, reflecting loss of confidentiality and integrity of the affected account without complex exploitation, but requiring the user to follow the phishing link. DNS visibility, user awareness, and phishing-resistant authentication are the controls that matter for SSO environments.
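To make the relay concrete, the following is a small simulation of the exchange described above, added for this page; it is not Evilginx code, not from the Infoblox report, and it does not touch the network. It models three parties in one process: the victim's browser on a lookalike page, the proxy, and the genuine identity provider. The host names, the user `alice` and her password are constructed, and WebAuthn signatures are modelled with HMAC over a shared key in place of a real credential key pair, which is enough to show why the origin recorded in the signed client data defeats the relay while a relayed one-time code does not.

```python
"""Model of an Evilginx-style AiTM relay (added illustration; not Evilginx code, no network I/O)."""

import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://sso.university.example"                # hypothetical genuine SSO host
PHISH_ORIGIN = "https://sso-university-example.ads2ads.com"  # hypothetical lookalike label on an IOC apex
PASSWORD = "correct horse battery staple"                     # constructed test credential


class IdP:
    """Genuine identity provider: password first, then either an OTP or a WebAuthn assertion."""

    def __init__(self):
        self.otp_secret = secrets.token_bytes(20)
        self.cred_key = secrets.token_bytes(32)  # stands in for the registered credential's key pair
        self.challenges = set()
        self.sessions = set()

    def begin(self, username, password):
        if username != "alice" or password != PASSWORD:
            raise PermissionError("bad password")
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def otp_for(self, counter):
        """What the user's authenticator app would display (HOTP-like, constructed)."""
        return hmac.new(self.otp_secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:6]

    def _issue(self, challenge):
        self.challenges.discard(challenge)
        cookie = secrets.token_hex(32)
        self.sessions.add(cookie)
        return cookie

    def finish_otp(self, challenge, otp, counter):
        # Nothing ties the code to the host the user typed it into, so a relayed OTP is accepted.
        if challenge not in self.challenges or not hmac.compare_digest(otp, self.otp_for(counter)):
            raise PermissionError("bad otp")
        return self._issue(challenge)

    def finish_webauthn(self, challenge, client_data, signature):
        # The browser writes the origin it is really on into client_data, and the authenticator signs it.
        expected = hmac.new(self.cred_key, hashlib.sha256(client_data.encode()).digest(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("signature does not cover this client data")
        data = json.loads(client_data)
        if data["challenge"] != challenge or challenge not in self.challenges:
            raise PermissionError("challenge mismatch")
        if data["origin"] != REAL_ORIGIN:
            raise PermissionError(f"origin mismatch: {data['origin']}")
        return self._issue(challenge)


class AitmProxy:
    """Phishing reverse proxy: relays every step to the real IdP and keeps what passes through."""

    def __init__(self, idp, rewrite_origin=False):
        self.idp, self.rewrite_origin, self.captured = idp, rewrite_origin, {}

    def begin(self, username, password):
        self.captured["password"] = password
        return self.idp.begin(username, password)

    def finish_otp(self, challenge, otp, counter):
        self.captured["cookie"] = self.idp.finish_otp(challenge, otp, counter)
        return self.captured["cookie"]

    def finish_webauthn(self, challenge, client_data, signature):
        if self.rewrite_origin:  # tampering attempt: claim the real origin, which invalidates the signature
            client_data = client_data.replace(PHISH_ORIGIN, REAL_ORIGIN)
        self.captured["cookie"] = self.idp.finish_webauthn(challenge, client_data, signature)
        return self.captured["cookie"]


def browser_login(page_origin, server, method, idp):
    """The victim's browser, on a page at page_origin, talks to server (real IdP or proxy)."""
    challenge = server.begin("alice", PASSWORD)
    if method == "otp":
        return server.finish_otp(challenge, idp.otp_for(1), 1)  # user reads the code off the phone
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}, sort_keys=True)
    signature = hmac.new(idp.cred_key, hashlib.sha256(client_data.encode()).digest(), hashlib.sha256).hexdigest()
    return server.finish_webauthn(challenge, client_data, signature)


def simulate():
    """Returns which flows produce a session and whether the proxy captured the password."""
    idp = IdP()
    proxy = AitmProxy(idp)
    results = {}
    cookie = browser_login(PHISH_ORIGIN, proxy, "otp", idp)
    results["otp_via_proxy"] = cookie in idp.sessions and proxy.captured["cookie"] == cookie
    results["password_captured"] = proxy.captured["password"] == PASSWORD
    for name, server in (("webauthn_via_proxy", AitmProxy(idp)),
                         ("webauthn_via_tampering_proxy", AitmProxy(idp, rewrite_origin=True))):
        try:
            browser_login(PHISH_ORIGIN, server, "webauthn", idp)
            results[name] = True
        except PermissionError:
            results[name] = False
    results["webauthn_direct"] = browser_login(REAL_ORIGIN, idp, "webauthn", idp) in idp.sessions
    return results


if __name__ == "__main__":
    for flow, outcome in simulate().items():
        print(f"{flow:30} {outcome}")
```

Running it shows the OTP login through the proxy yielding a valid session that the proxy now holds, while both WebAuthn attempts through the proxy are rejected: the unmodified assertion carries the phishing origin, and rewriting the origin breaks the signature. A real browser would additionally refuse to use the credential at all because the RP ID does not match the page origin; the model only shows the server-side check.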
Potential Impact
For European organisations, especially those in the education sector or any entity relying heavily on SSO authentication, this threat can lead to significant credential compromise and session hijacking. The attacker's ability to relay MFA undermines one of the strongest layers of defence and increases the risk of unauthorised access to sensitive data, intellectual property, and internal systems. Compromised accounts can facilitate lateral movement, data exfiltration, and disruption of services. Reputational damage and regulatory consequences under GDPR for breaches involving personal data are also considerable. Because the delivery vector is phishing, widespread user susceptibility amplifies the impact, and institutions with large user bases and less mature phishing detection are the most exposed. Because the lure lives on a subdomain of an unremarkable domain rather than on an obvious lookalike registration, organisations without DNS query logging or filtering have little chance of spotting it before a user signs in. The medium severity rating balances the effectiveness of the method against its dependence on user interaction (a click on the phishing link): impactful, but not exploitable at scale without user engagement.
Mitigation Recommendations
1. Deploy phishing detection and email filtering that blocks links to domains and subdomains impersonating the organisation's SSO service, including labels that embed the institution's name under an unrelated apex.
2. Conduct targeted user awareness training on phishing that impersonates SSO login pages. The one reliable tell is the address bar, because the page content is the real login page relayed through the proxy.
3. Deploy DNS monitoring and filtering to detect and block resolution of the indicators below and of SSO-like subdomain labels under apexes the organisation does not own.
4. Monitor domain and subdomain registrations and certificate transparency logs for lookalikes of the institution's names so new infrastructure is found early.
5. Use browser isolation or anti-phishing browser extensions that warn users about reverse-proxy phishing pages.
6. Implement anomaly detection on authentication logs. The MFA-complete login is performed by the proxy, so it arrives from the proxy's hosting address rather than the user's network, and the stolen cookie is then used from yet another address; alert on both patterns.
7. Adopt phishing-resistant MFA with hardware security keys or platform authenticators using FIDO2/WebAuthn. The assertion is bound to the origin the browser is actually on, so a login through the proxy fails. This stops the credential relay; it does not protect a cookie issued after a login with a relayable factor, so combine it with short session lifetimes and re-authentication for sensitive actions.
8. Review and update incident response plans to cover AiTM phishing. Revoking active sessions is the containment step, not only resetting the password, because the stolen cookie may remain valid after a password change.
9. Share indicators with DNS providers and threat intelligence services and block the infrastructure proactively. Verify before blocking at the apex, since the listed domains are ordinary names that may also carry legitimate content.
10. Apply zero-trust or conditional access policies that limit what a compromised session can reach, for example requiring a managed device for sensitive applications.
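A way to implement recommendation 6, written for this page as an added example (it is not from the Infoblox report or the AlienVault pulse): because the proxy, not the victim's device, performs the final authentication, the provider's log shows the MFA-complete login arriving from the proxy's hosting address, and the stolen cookie is then presented from wherever the attacker sits. The log format is a constructed JSON-lines sign-in log, the campus and attacker addresses and ASNs are constructed, and the IOC addresses and hosting ASNs are taken from the indicator table on this page. The User-Agent is not used as a discriminator at login because the proxy may relay the victim's own browser headers.

```python
"""Session-hijack detection over an IdP sign-in log (added example; constructed log format)."""

import json
from datetime import datetime, timedelta

# From the IOC table on this page: addresses the phishing hosts resolve to and their hosting ASNs (subset).
IOC_IPS = {"160.153.178.199", "162.0.228.151", "192.169.177.165", "132.148.73.92"}
HOSTING_ASNS = {"AS20773", "AS22612", "AS398101", "AS26496"}
REUSE_WINDOW = timedelta(hours=1)  # assumed: how soon after login a relayed cookie is replayed


def parse(lines):
    """One JSON object per line (constructed format); returns events sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if line:
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def analyse(lines):
    """Flags logins sourced from the proxy and cookies replayed from another network."""
    findings = []
    first_seen = {}  # session id -> the login event that created it
    for e in parse(lines):
        if e["event"] == "login_success":
            first_seen[e["session"]] = e
            if e["ip"] in IOC_IPS:
                findings.append({"user": e["user"], "rule": "login_from_ioc_ip", "detail": e["ip"]})
            elif e["asn"] in HOSTING_ASNS:  # weaker signal: hosting provider rather than a user network
                findings.append({"user": e["user"], "rule": "login_from_hosting_asn", "detail": e["asn"]})
        elif e["event"] == "session_use":
            login = first_seen.get(e["session"])
            if login and e["asn"] != login["asn"] and e["ts"] - login["ts"] <= REUSE_WINDOW:
                findings.append({"user": e["user"], "rule": "session_reused_from_new_network",
                                 "detail": f"{login['ip']} ({login['asn']}) -> {e['ip']} ({e['asn']})"})
    return findings


# Constructed sample: alice and carol are normal; bob's login comes from an IOC address and his
# session is then used from a different network a few minutes later.
SAMPLE_LOG = """
{"ts": "2025-12-03T09:58:02Z", "event": "login_success", "user": "alice", "ip": "10.20.30.41", "asn": "AS64500", "ua": "Chrome/131", "session": "s-alice-1"}
{"ts": "2025-12-03T10:10:00Z", "event": "session_use", "user": "alice", "ip": "10.20.30.41", "asn": "AS64500", "ua": "Chrome/131", "session": "s-alice-1"}
{"ts": "2025-12-03T10:02:40Z", "event": "login_success", "user": "bob", "ip": "162.0.228.151", "asn": "AS22612", "ua": "Chrome/131", "session": "s-bob-1"}
{"ts": "2025-12-03T10:14:05Z", "event": "session_use", "user": "bob", "ip": "198.51.100.23", "asn": "AS64512", "ua": "Firefox/133", "session": "s-bob-1"}
{"ts": "2025-12-03T10:20:00Z", "event": "login_success", "user": "carol", "ip": "203.0.113.77", "asn": "AS64501", "ua": "Safari/18", "session": "s-carol-1"}
{"ts": "2025-12-03T10:25:00Z", "event": "session_use", "user": "carol", "ip": "203.0.113.78", "asn": "AS64501", "ua": "Safari/18", "session": "s-carol-1"}
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"{f['user']:8} {f['rule']:32} {f['detail']}")
```

The hosting-ASN rule is deliberately the weakest of the three: VPN egress and cloud-hosted corporate proxies also live in those ASNs, so treat it as context that raises the score of the other two rules rather than as an alert on its own.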
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blogs.infoblox.com/threat-intelligence/dns-uncovers-infrastructure-used-in-sso-attacks/
- Adversary: not specified
- Pulse ID: 69307a4a316b3f36d7ee486e
- Threat score: not provided
Indicators of Compromise
IP addresses (all geolocated to the US; the ASN is the hosting provider the phishing hosts resolve to)
| IP | Hosting |
|---|---|
| 160.153.178.199 | AS20773 Host Europe GmbH |
| 162.0.228.151 | AS22612 Namecheap Inc. |
| 192.169.177.165 | AS398101 GoDaddy.com LLC |
| 132.148.74.178 | AS398101 GoDaddy.com LLC |
| 160.153.176.197 | AS20773 Host Europe GmbH |
| 162.0.214.254 | AS22612 Namecheap Inc. |
| 199.192.23.40 | AS22612 Namecheap Inc. |
| 203.161.60.59 | AS22612 Namecheap Inc. |
| 208.109.244.86 | AS26496 GoDaddy.com LLC |
| 208.109.39.196 | AS398101 GoDaddy.com LLC |
| 64.202.186.223 | AS26496 GoDaddy.com LLC |
| 66.29.133.135 | AS22612 Namecheap Inc. |
| 72.167.224.193 | AS26496 GoDaddy.com LLC |
| 72.167.52.130 | AS398101 GoDaddy.com LLC |
| 132.148.73.92 | AS398101 GoDaddy.com LLC |
Domains (apex domains; the SSO lookalike is carried in a subdomain label under these)
- acmsquared.com
- ads2ads.com
- aghomesandproperties.com
- allwebdirectories.com
- amj-international.com
- apartamentosmalaga.com
- armingaud.com
- bazmepaigham.com
- bedrijvenregister.com
- bestshayari.com
- brillianceboundielts.com
- brownak.com
- buildonhope.com
- cappadociavisittours.com
- catering-amato.com
- cccsok.com
- citywideprayer.com
- controlunlimited.com
- coralridgehour.com
- dartsinireland.com
- data-logistics.com
- dhoughton.com
- dogcuty.com
- e-briefe.com
- eggcoo.com
- eheringe-trauringe.com
- ehsantrust.com
- esdetodo.com
- fluffybascha.com
- forty-something.com
- freaksandfriends.com
- geegletee.com
- georgiayr.com
- goraba.com
- hafikoman.com
- heisseliebe.com
- hurenkontakte.com
- ideallivingsolutions.com
- igreensoft.com
- ilchirone.com
- impexinc.com
- inkdchronicles.com
- intellipex.com
- intercuba.com
- ispamembers.com
- jimmylange.com
- joshuasdodds.com
- kbdav.com
- l2storm.com
- littlenuggetsco.com
- lost-signal.com
- lpdeco.com
- monnalissaboutique.com
- mpoterbaru2024.com
- mykidsfashion.com
- northstarcouncil.com
- qrcodespoweredbygs1.com
- schnaitsee.com
- sercanaydin.com
- srpskazemlja.com
- thelovecity.com
- thermalresistivity.com
- transusasia.com
- tubeunderwater.com
- weddingsarahetemmanuel.com
- winbet299mas.com
- yoopuipui.com
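An added example (written for this page, not from the report or the pulse) that applies the indicator list to resolver logs and also catches the pattern this campaign relies on, an SSO-looking label under an apex the organisation does not own, so it generalises beyond the listed domains. The log format, the client addresses, the organisation's own apex `university.example` and the unlisted lookalike host are constructed; the apex domains and addresses in the IOC sets are copied from the indicators above. Apex extraction takes the last two labels, which is wrong for multi-part public suffixes such as `ac.uk`; use a public-suffix library in production.

```python
"""Match resolver logs against the IOC list and flag SSO-like labels under foreign apexes (added example)."""

import re

# Copied from the indicator list on this page (subset).
IOC_DOMAINS = {"acmsquared.com", "ads2ads.com", "apartamentosmalaga.com", "bedrijvenregister.com", "e-briefe.com"}
IOC_IPS = {"160.153.178.199", "162.0.228.151", "192.169.177.165", "132.148.73.92"}

# Hypothetical organisation: its own SSO apex and the words an impersonating label would reuse.
OWN_APEXES = {"university.example"}
SSO_TOKENS = ("sso", "login", "idp", "shib", "cas", "okta", "duo", "university")

# Constructed resolver log format: one query per line, answer optional.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=(?P<qtype>\S+)(?: answer=(?P<answer>\S+))?$"
)


def classify(qname, answer=None):
    """Reasons a query looks like this campaign; an empty list means nothing matched."""
    labels = qname.rstrip(".").lower().split(".")
    apex = ".".join(labels[-2:])  # simplification: ignores multi-part public suffixes such as ac.uk
    sub_labels = labels[:-2]
    reasons = []
    if apex in IOC_DOMAINS:
        reasons.append(f"apex {apex} is in the IOC list")
    if answer in IOC_IPS:
        reasons.append(f"resolves to IOC address {answer}")
    if apex not in OWN_APEXES and any(tok in lbl for lbl in sub_labels for tok in SSO_TOKENS):
        reasons.append(f"SSO-like label under foreign apex {apex}")
    return reasons


def scan(lines):
    """Run classify() over log lines; returns (ts, client, qname, reasons) for each hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = classify(m["qname"], m["answer"])
        if reasons:
            findings.append((m["ts"], m["client"], m["qname"].rstrip("."), reasons))
    return findings


# Constructed sample: one genuine SSO lookup, one campaign-style lookalike on a listed apex,
# one plain visit to a listed apex, one lookalike on an unlisted apex, and one unrelated query.
SAMPLE_LOG = """\
2025-12-03T10:02:11Z client=10.20.30.41 query=sso.university.example. type=A answer=203.0.113.10
2025-12-03T10:02:15Z client=10.20.30.41 query=sso-university-example.apartamentosmalaga.com. type=A answer=162.0.228.151
2025-12-03T10:03:02Z client=10.20.30.77 query=www.bedrijvenregister.com. type=A answer=198.51.100.5
2025-12-03T10:05:40Z client=10.20.30.90 query=idp.university-example.lookalike-host.net. type=A answer=198.51.100.9
2025-12-03T10:06:00Z client=10.20.30.12 query=www.example.org. type=A answer=93.184.216.34
"""

if __name__ == "__main__":
    for ts, client, qname, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} {client} {qname}: " + "; ".join(reasons))
```

The third hit (a bare `www` lookup on a listed apex) is the case recommendation 9 warns about: it matches the indicator but may be ordinary browsing of whatever the domain legitimately hosts, so weight a hit by how many reasons it carries before blocking or paging anyone.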
Threat ID: 69307b18b129615efa19324a
Added to database: 12/3/2025, 6:02:00 PM
Last enriched: 12/3/2025, 6:14:15 PM
Last updated: 12/5/2025, 12:41:56 AM