
Ongoing Phishing Campaign Targets 18 US Universities Using Evilginx to Bypass MFA
Between April and November 2025, Infoblox Threat Intel identified an ongoing phishing campaign targeting 18 universities in the United States. The attackers are employing the Evilginx phishing kit, a tool designed to bypass multi-factor authentication (MFA) by intercepting legitimate user sessions and capturing authentication credentials. The campaign has used more than 70 domains, indicating a substantial and coordinated effort by the threat actors.

Evilginx operates as a man-in-the-middle attack tool, positioning itself between the victim and the legitimate authentication service. Because it proxies the authentication exchange in real time, it captures not only the credentials but also the MFA tokens as the victim enters them, and with them the authenticated session that results. This method is particularly effective against MFA implementations that do not employ additional protections such as device fingerprinting or behavioral analysis.

The targeting of universities is noteworthy, as academic institutions hold large amounts of personal data and intellectual property, making them attractive targets for cybercriminals. Additionally, university users—including students and faculty—may be less accustomed to recognizing sophisticated phishing attempts than users in corporate environments with more rigorous security training.

While the report does not name the targeted universities or detail the consequences of the data theft, the scale of the operation—more than 70 domains—points to a significant and ongoing threat to the academic sector.

For cybersecurity professionals, this campaign underscores several critical considerations. First, the continued evolution of phishing techniques, such as the use of tools like Evilginx to bypass MFA, highlights the need for ongoing user education and awareness programs. Users must be trained to recognize the signs of phishing attempts even when MFA is in place.
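As an added illustration of the detection angle (this is example code written for this page, not tooling from Infoblox or anything derived from the report), the script below runs two heuristics over constructed identity-provider sign-in records: a session that completes MFA from one network and is then used from a different ASN within a short window, and a single source IP that completes MFA for several distinct accounts. The log format, user names, IP addresses (documentation ranges) and ASNs are all made up; a real deployment would map these fields onto the identity provider's own sign-in log schema.

```python
"""Added example: two heuristics for spotting adversary-in-the-middle (AiTM)
session theft in identity-provider sign-in logs. The log format and every
value below are constructed for illustration (RFC 5737 documentation IPs,
private-use ASNs)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class SignInEvent:
    ts: datetime
    user: str
    session_id: str
    src_ip: str
    asn: str
    event: str  # "mfa_success" or "session_use"


# Constructed sample log: 203.0.113.77 plays the phishing proxy, which completes
# MFA on behalf of three victims; alice's session is then reused from a second
# address (198.51.100.23). bob is a normal user staying on one network.
SAMPLE_LOG = """\
2025-09-14T08:01:10Z alice@uni.example sess-1 203.0.113.77 AS64511 mfa_success
2025-09-14T08:01:12Z alice@uni.example sess-1 203.0.113.77 AS64511 session_use
2025-09-14T08:03:40Z alice@uni.example sess-1 198.51.100.23 AS64496 session_use
2025-09-14T08:05:02Z carol@uni.example sess-2 203.0.113.77 AS64511 mfa_success
2025-09-14T08:09:30Z dave@uni.example sess-3 203.0.113.77 AS64511 mfa_success
2025-09-14T09:30:00Z bob@uni.example sess-4 192.0.2.45 AS64500 mfa_success
2025-09-14T09:31:00Z bob@uni.example sess-4 192.0.2.45 AS64500 session_use
"""


def parse_log(text: str) -> List[SignInEvent]:
    """Parse whitespace-separated lines: ts user session_id src_ip asn event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip, asn, ev = line.split()
        events.append(SignInEvent(
            datetime.fromisoformat(ts.replace("Z", "+00:00")),
            user, sid, ip, asn, ev))
    return events


def find_session_replays(events, window=timedelta(hours=1)):
    """Sessions used from a different ASN than the one that completed MFA,
    within `window` of that MFA event. Returns (user, session, mfa_ip, reuse_ip)."""
    origin: Dict[str, SignInEvent] = {}
    alerts: List[Tuple[str, str, str, str]] = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.event == "mfa_success":
            origin[e.session_id] = e
        elif e.event == "session_use" and e.session_id in origin:
            o = origin[e.session_id]
            if e.asn != o.asn and e.ts - o.ts <= window:
                alerts.append((e.user, e.session_id, o.src_ip, e.src_ip))
    return alerts


def find_shared_auth_sources(events, min_users=3):
    """Source IPs that completed MFA for at least `min_users` distinct accounts,
    the footprint of a proxy fronting several victims. Returns {ip: [users]}."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e.event == "mfa_success":
            users_by_ip[e.src_ip].add(e.user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in find_session_replays(evs):
        print("session replay:", alert)
    for ip, users in find_shared_auth_sources(evs).items():
        print("shared MFA source:", ip, users)
```

The first heuristic targets the replay step: during a proxied login the identity provider records the proxy's address as the one that passed MFA, so later use of that session from another network is the tell. The second targets the proxy itself, which shows up as one address authenticating many unrelated accounts. Both are detective controls with legitimate false positives (VPN egress changes, mobile hand-offs, shared campus NAT), so they belong in a triage queue rather than behind an automatic block. The control that removes this attack class rather than detecting it is origin-bound, phishing-resistant MFA such as FIDO2/WebAuthn, which a proxy on a look-alike domain cannot satisfy.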
Second, the use of multiple domains in this campaign emphasizes the importance of domain monitoring and of detecting suspicious domain registrations that mimic legitimate university domains. Implementing measures such as DMARC (Domain-based Message Authentication, Reporting & Conformance) can help prevent domain spoofing and reduce the effectiveness of phishing campaigns.

Third, this incident is a reminder that while MFA is a critical security control, it is not impervious to attack. Organizations should consider supplementing MFA with additional security measures, such as conditional access policies, user behavior analytics, and continuous monitoring for anomalous authentication attempts.

In conclusion, the ongoing phishing campaign targeting US universities with Evilginx represents a significant threat to the academic sector. Cybersecurity professionals should take note of the tactics employed and ensure that their organizations are prepared to defend against similar attacks. This includes regular security awareness training, robust domain monitoring, and layered security controls to mitigate the risk of credential theft and MFA bypass.
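To make the domain-monitoring and DMARC points concrete, the following is an added example written for this page (not Infoblox tooling and not derived from the report). It scores candidate hostnames against an institution's legitimate domains using brand-substring and edit-distance heuristics, and parses a DMARC TXT record to decide whether it enforces anything at all. All domain names, the candidate list and the DMARC record are constructed; the registrable-domain logic is deliberately simplified, and a production version would consult the Public Suffix List.

```python
"""Added example: screen newly observed hostnames for look-alikes of an
institution's legitimate domains, and check whether a DMARC record actually
enforces a policy. Domain names and the DMARC record are constructed."""
from typing import Dict, List, Tuple

# Constructed: the institution's own domains
LEGIT_DOMAINS = ["stateuni.edu", "techcollege.edu"]

# Constructed: hostnames as a certificate-transparency or new-registration
# feed might deliver them
CANDIDATES = [
    "sso.stateuni.edu",                 # genuine subdomain, must not alert
    "stateuni-login.com",               # brand embedded in a foreign registrable domain
    "statuni.edu",                      # one character dropped
    "stateuni.edu.verify-account.net",  # real domain reused as a subdomain prefix
    "techco11ege.edu",                  # digit-for-letter substitution
    "example.org",                      # unrelated
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Simplification: treat the last two labels as the registrable domain.
    Real tooling should use the Public Suffix List (e.g. for 'ac.uk')."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def find_lookalikes(candidates, legit, max_distance=2) -> List[Tuple[str, str]]:
    """Return (host, reason) for hosts that imitate a legitimate brand."""
    legit_set = {d.lower() for d in legit}
    brands = sorted({d.lower().split(".")[0] for d in legit})
    hits = []
    for host in candidates:
        reg = registrable(host)
        if reg in legit_set:
            continue  # hosted under a domain the institution controls
        labels = host.lower().split(".")
        sld = reg.split(".")[0]
        for brand in brands:
            if any(brand in lab for lab in labels[:-1]):
                hits.append((host, f"contains brand '{brand}' outside its own domain"))
                break
            d = levenshtein(sld, brand)
            if d <= max_distance:
                hits.append((host, f"'{sld}' is {d} edit(s) from '{brand}'"))
                break
    return hits


# Constructed DMARC record: monitoring only, so spoofed mail is still delivered
SAMPLE_DMARC = "v=DMARC1; p=none; sp=none; rua=mailto:dmarc-reports@stateuni.edu"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_enforces(record: str) -> bool:
    """True only if the domain policy quarantines or rejects failing mail and
    applies to all of it (pct defaults to 100). p=none merely requests reports."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return False
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    return tags.get("p") in ("quarantine", "reject") and pct == 100


if __name__ == "__main__":
    for host, reason in find_lookalikes(CANDIDATES, LEGIT_DOMAINS):
        print(f"look-alike: {host}: {reason}")
    print("DMARC enforcing:", dmarc_enforces(SAMPLE_DMARC))
```

The two halves guard different things. An enforcing DMARC policy (p=quarantine or p=reject at pct=100) stops mail that forges the institution's exact domain in the From header, but it does nothing about mail sent from a registered look-alike such as the constructed stateuni-login.com, which can carry its own valid SPF, DKIM and DMARC. That is why the look-alike feed is needed alongside DMARC, and why a p=none record, which only asks for reports, should be treated as a gap rather than as coverage.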