Phishing campaign targets US universities using MFA bypass tools
Farah Amod
December 30, 2026
Researchers say attackers used dozens of domains to steal student and staff credentials over several months.
What happened
A coordinated phishing campaign targeted at least eighteen universities across the United States between April and November 2025. According to Hackread, attackers used nearly 70 domains and relied on the Evilginx phishing framework to capture login credentials and active session data, even when multi-factor authentication was enabled. The campaign focused on students and staff and used messages that imitated university single sign-on portals.
Going deeper
The attackers relied on an adversary-in-the-middle technique, where phishing infrastructure sits between the victim and the real login page. When a user enters credentials and completes MFA, the tool intercepts the session cookie that grants access to the account. Investigators found that the campaign used short-lived redirect links, frequently rotated domains, and content delivery services to mask hosting locations. DNS analysis enabled researchers to connect activity across multiple institutions and identify patterns that linked the infrastructure. The first confirmed attack occurred in April 2025, and activity continued through mid-November before being fully mapped.
What was said
Researchers say the campaign showed deliberate planning and persistence, with operators frequently changing domains to avoid detection. Universities remain frequent targets because of the breadth of access provided by campus credentials and the limited tolerance for disruption in academic environments. Researchers noted that past incidents tied to similar techniques have resulted in lasting data loss, including damage to research and digital archives.
The big picture
According to Intelligent CISO, universities remain frequent phishing targets because attackers “show little concern for the damage they cause or the value of the systems they lock down,” Renée Burton, vice president of Infoblox Threat Intelligence, said. Burton pointed to a “particularly sad case” involving the University of Washington, where attackers compromised the Burke Museum of Natural History and “destroyed part of the museum’s digital catalogue of plant and animal specimens,” calling it “an invaluable record, built through years of voluntary effort, preserving knowledge of extinct and endangered species.”
FAQs
Why are universities frequent phishing targets?
University accounts often provide access to email, research systems, financial platforms, and cloud services, making them valuable to attackers.
How does Evilginx bypass multi-factor authentication?
It captures the session cookie after a user completes MFA, allowing attackers to reuse that session without needing additional codes.
Why do attackers rotate domains so often?
Frequent changes help avoid blocklists and delay detection by security teams and automated defenses.
What part does DNS analysis play in investigations?
DNS data can reveal relationships between domains, hosting services, and attack timing, helping analysts link activity across targets.
How can universities reduce exposure to these attacks?
They can monitor for suspicious login patterns, restrict token reuse, block known phishing frameworks, and reinforce training on unexpected login prompts.
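One way to monitor for the session-cookie replay described above, as an added example that is not from the article or any vendor's product: the heuristic flags a session that was created by an MFA success and is then presented, within a short window, from both a different IP and a different user agent. The log format, field names and events are constructed for illustration; real identity-provider logs will differ.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). Fields:
# timestamp, user, session_id, source_ip, user_agent, event
SAMPLE_LOG = """\
2025-04-02T08:14:03Z,alice@example.edu,sess-7f3a,198.51.100.23,Mozilla/5.0 (Windows NT 10.0) Chrome/123,mfa_success
2025-04-02T08:16:40Z,alice@example.edu,sess-7f3a,203.0.113.77,python-requests/2.31,session_use
2025-04-02T09:00:12Z,bob@example.edu,sess-1c9d,192.0.2.45,Mozilla/5.0 (Macintosh) Safari/17,mfa_success
2025-04-02T09:05:30Z,bob@example.edu,sess-1c9d,192.0.2.45,Mozilla/5.0 (Macintosh) Safari/17,session_use
"""


@dataclass
class Event:
    ts: datetime
    user: str
    session: str
    ip: str
    ua: str
    kind: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed CSV-style log into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, session, ip, ua, kind = line.split(",", 5)
        ts_parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(ts_parsed, user, session, ip, ua, kind))
    return events


def find_session_replays(events: list[Event], window: timedelta = timedelta(minutes=30)):
    """Return (user, session, origin_ip, replay_ip) for each session that is
    used from a different IP *and* user agent within `window` of the MFA
    success that created it. A cookie captured by an AitM proxy and loaded
    into another browser produces exactly this pattern; requiring both the
    IP and the user agent to change keeps ordinary mobile IP churn out."""
    origin = {}  # session id -> the mfa_success event that created it
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_success":
            origin[ev.session] = ev
            continue
        first = origin.get(ev.session)
        if first is None or ev.ts - first.ts > window:
            continue  # unknown session or outside the replay window
        if ev.ip != first.ip and ev.ua != first.ua:
            alerts.append((ev.user, ev.session, first.ip, ev.ip))
    return alerts
```

Alerts from this check are a starting point for revoking the session and forcing re-authentication, not proof of compromise on their own.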