EXECUTIVE SUMMARY:
A newly observed campaign is actively targeting single sign-on (SSO) portals used by educational institutions. It uses an adversary-in-the-middle (AITM) phishing framework, such as Evilginx, to proxy the real login flow and intercept both credentials and the resulting session cookies, so accounts can be compromised even when multi-factor authentication (MFA) is enforced. By impersonating legitimate SSO login portals, the attackers lure victims to phishing sites, posing a serious risk to organizations that rely on SSO for user authentication.
The attackers used an AITM phishing framework to generate realistic phishing sites that replicated legitimate SSO portals and delivered them through phishing emails containing shortened links. When victims clicked these links, they were redirected to dynamically generated phishing URLs hosted on subdomains designed to mimic authentic institutional SSO domains. These URLs were short-lived, expiring after a brief window, and were fronted by reverse-proxy services, which significantly reduced the effectiveness of static URL analysis and front-end code inspection. Despite these evasion methods, passive DNS analysis exposed consistent infrastructure patterns and revealed nearly seventy domains associated with the campaign. DNS-level monitoring and analysis of domain registration patterns enabled defenders to identify the attackers' infrastructure, track its activity over time, and establish signatures for ongoing detection.
The campaign illustrates how attackers can circumvent MFA and conventional detection by combining AITM tooling, deceptive subdomains, and short-lived, proxy-protected URLs. While these techniques significantly reduce the effectiveness of traditional security controls, the attackers' reliance on DNS infrastructure created a detectable footprint that allowed analysts to uncover and monitor the operation. Organizations can strengthen their defenses against similar campaigns by incorporating DNS-centric monitoring, enforcing strict URL-filtering policies, and educating users on how to recognize phishing attempts that target SSO portals.
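The following is an added example, not code from the original report, showing the kind of DNS-centric triage the text describes: it scans resolver or passive-DNS records for hostnames that carry an institution's brand plus an SSO-style label under a domain the institution does not own, then groups the hits by registrable domain so that an apex fronting many disposable lookalike subdomains stands out as campaign infrastructure. The institution domain, brand tokens, log format, client addresses and every hostname below are constructed for illustration; the two-label suffix table is a stand-in for a real public-suffix list.

```python
"""Passive-DNS / resolver-log triage for lookalike SSO hostnames (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical institution: its legitimate registrable domain(s) ...
LEGIT_DOMAINS = {"example-university.edu"}
# ... and the brand strings a phisher would embed in a lookalike name.
BRAND_TOKENS = ("example-university", "exampleuniv")
# Labels typical of SSO / IdP hostnames.
SSO_TOKENS = {"sso", "login", "signin", "idp", "auth", "cas", "shib",
              "shibboleth", "adfs", "okta", "portal"}
# Minimal stand-in for a public-suffix list (assumption; use the real PSL).
MULTI_LABEL_SUFFIXES = {"ac.uk", "co.uk", "edu.au", "com.au"}

# Constructed log format: "<iso-timestamp> <client-ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)")
LABEL_SPLIT = re.compile(r"[.\-_]")


def registrable_domain(host: str) -> str:
    """Return the registrable (apex) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_lookalike(host: str) -> bool:
    """True when a name carries the institution brand and an SSO-style label
    but sits under a registrable domain the institution does not own."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in LEGIT_DOMAINS:
        return False
    brand_hit = any(tok in host for tok in BRAND_TOKENS)
    labels = set(LABEL_SPLIT.split(host))
    return brand_hit and bool(labels & SSO_TOKENS)


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "client": m["client"],
            "qname": m["qname"].lower().rstrip("."), "qtype": m["qtype"]}


def analyze(lines, min_hosts: int = 2) -> dict:
    """Flag lookalike qnames, then cluster them by apex domain. An apex that
    fronts several distinct lookalike hosts matches the disposable-subdomain
    pattern and is worth tracking as a signature rather than host by host."""
    first_seen, last_seen, clients = {}, {}, defaultdict(set)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or not is_lookalike(rec["qname"]):
            continue
        q = rec["qname"]
        first_seen.setdefault(q, rec["ts"])
        last_seen[q] = max(last_seen.get(q, rec["ts"]), rec["ts"])
        clients[q].add(rec["client"])
    by_apex = defaultdict(list)
    for q in first_seen:
        by_apex[registrable_domain(q)].append(q)
    clusters = {}
    for apex, hosts in by_apex.items():
        if len(hosts) >= min_hosts:
            clusters[apex] = {
                "hosts": sorted(hosts),
                "first_seen": min(first_seen[h] for h in hosts).isoformat(),
                "last_seen": max(last_seen[h] for h in hosts).isoformat(),
                "clients": sorted(set().union(*(clients[h] for h in hosts))),
            }
    return {"lookalikes": sorted(first_seen), "clusters": clusters}


# Constructed sample resolver log: two legitimate lookups, one unrelated site,
# and several lookalike hosts spread over two attacker-controlled apexes.
SAMPLE_LOG = """\
2024-05-01T08:00:01 10.0.1.15 sso.example-university.edu A
2024-05-01T08:00:02 10.0.1.15 login.example.org A
2024-05-01T08:03:10 10.0.1.22 sso-example-university-edu.a1b2c3.verify-campus.net A
2024-05-01T08:03:11 10.0.1.22 sso-example-university-edu.a1b2c3.verify-campus.net AAAA
2024-05-01T09:12:40 10.0.1.31 login-exampleuniv.f9e8d7.verify-campus.net A
2024-05-01T10:45:00 10.0.1.40 exampleuniv-sso.0badbeef.verify-campus.net A
2024-05-01T11:02:05 10.0.1.52 idp.exampleuniv.secure-id-portal.com A
2024-05-01T11:30:00 10.0.1.60 mail.example-university.edu A
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for apex, info in report["clusters"].items():
        print(f"{apex}: {len(info['hosts'])} lookalike hosts, "
              f"{info['first_seen']} .. {info['last_seen']}, clients {info['clients']}")
    for host in report["lookalikes"]:
        print("  block:", host)
```

Clustering on the registrable domain is the point: the individual phishing hostnames expire quickly, but the apex they hang off persists, so a block or alert on the apex (and a watch on newly registered domains that fit the same naming pattern) keeps working after the specific URLs are gone.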
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Reconnaissance | T1592.001 | Gather Victim Host Information | Hardware |
| Resource Development | T1583.003 | Acquire Infrastructure | Virtual Private Server |
| Resource Development | T1608.004 | Stage Capabilities | Drive-by Target |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Credential Access | T1557.002 | Adversary-in-the-Middle | ARP Cache Poisoning |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1083 | File and Directory Discovery | — |
| Collection | T1530 | Data from Cloud Storage | — |
| Command and Control | T1090.003 | Proxy | Multi-hop Proxy |
| Command and Control | T1102.002 | Web Service | Bidirectional Communication |