Phishing Campaigns Targeting US Universities and Higher Education
A coordinated phishing campaign targeted at least 18 American universities over several months used the open-source Evilginx phishing kit to bypass multi-factor authentication (MFA) and compromise student and staff accounts. Attackers employed adversary-in-the-middle (AiTM) tactics, leveraging personalized emails with short-lived TinyURLs that mimicked university single sign-on (SSO) portals. By capturing both credentials and session cookies, the attackers were able to fully take over accounts, despite MFA protections. The campaign demonstrated advanced operational security, including frequent changes to attack links and the use of services like Cloudflare to obscure infrastructure, as detailed in Infoblox's investigation.
Separately, Harvard University experienced a breach of its Alumni Affairs and Development office systems, attributed to a successful mobile phishing ("mishing") attack. The attacker gained access to internal systems, which the university subsequently secured. This incident highlights the growing trend of mobile-first phishing strategies that bypass traditional desktop and network defenses, posing significant risks to organizations with distributed workforces and sensitive data. The breach underscores the need for dedicated mobile threat defense solutions, as standard MDM and UEM tools are insufficient against sophisticated mobile phishing attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Infoblox investigates and links nearly 70 domains to the campaign
By December 2025, Infoblox had analyzed DNS data and, with help from a university security professional, tied nearly 70 domains to the months-long university phishing operation. The investigation publicly documented the campaign's scope, infrastructure, and use of Evilginx-based AiTM techniques.
University of Washington suffers account takeover and record destruction
In at least one confirmed case during the campaign, compromised access at the University of Washington led to the destruction of digital records. This showed the operation had moved beyond credential theft to causing direct institutional impact.
Phishing spree expands across at least 18 U.S. universities
From April through November 2025, the campaign spread to at least 18 American universities, including UC Santa Cruz, UC Santa Barbara, Virginia Commonwealth University, the University of Michigan, and others. The attackers relied on nearly 70 domains, short-lived TinyURLs, and Cloudflare-obscured infrastructure to support account takeover activity.
University of San Diego becomes first known target in phishing campaign
A coordinated phishing operation targeting U.S. universities began in April 2025, with the University of San Diego identified as the first known victim. The attackers used Evilginx in an adversary-in-the-middle setup to steal session cookies and bypass MFA.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Campaigns Using Advanced Kits Targeting Universities and Banks
Threat actors have launched a sophisticated phishing campaign targeting U.S. universities by leveraging the open-source Evilginx framework. At least 18 educational institutions have been affected since April 2025, with attackers using personalized emails containing TinyURL links that redirect to dynamically generated phishing pages. These pages closely mimic student single sign-on portals and employ advanced evasion techniques, such as expiring URLs, wildcard TLS certificates, bot filtering, and JavaScript obfuscation, making detection and mitigation increasingly difficult. The campaign demonstrates the growing accessibility of advanced phishing tools, enabling even unskilled actors to bypass multi-factor authentication and compromise sensitive credentials. Simultaneously, a new phishing kit called Spiderman has emerged on the dark web, targeting customers of major European banks and cryptocurrency platforms. This full-stack kit allows attackers to easily clone login pages for dozens of financial institutions and conduct real-time credential theft across multiple countries. With a large user community and features that facilitate immediate data exfiltration and hybrid fraud operations, Spiderman represents a significant escalation in the scale and efficiency of phishing threats facing the financial sector. Both campaigns highlight the evolving landscape of phishing, where sophisticated toolkits are lowering the barrier to entry for cybercriminals and increasing the risk to organizations worldwide.
Mar 21, 2026
Payroll Pirate Phishing Attacks Targeting US University Employees
Cybercriminals identified as 'payroll pirates' have launched a targeted phishing campaign against US universities, aiming to divert salary payments from employees to accounts under their control. Microsoft Threat Intelligence reported that since March 2025, at least 11 accounts across three universities were successfully compromised, with phishing emails sent to nearly 6,000 recipients at 25 different universities. The attackers primarily targeted third-party platforms such as Workday, which are commonly used for HR and payroll management in higher education institutions. The phishing emails often contained malicious links and were crafted to steal multifactor authentication (MFA) codes, enabling the attackers to bypass security measures and hijack employee accounts. Once inside a compromised account, the threat actors established inbox rules to automatically delete warning emails from Workday, thereby concealing unauthorized changes to bank account information. This allowed the attackers to redirect salary payments without immediate detection by the victims. The phishing lures were varied, with some emails referencing COVID-19 exposure or faculty misconduct, and often included links to Google Docs to increase credibility. In one instance, a phishing email about illness exposure was sent to 500 individuals at a single organization. Microsoft attributed the campaign to a group it tracks as Storm-2657 and has proactively contacted affected customers with mitigation advice. The campaign demonstrates a sophisticated understanding of university HR processes and leverages social engineering themes relevant to academic environments. The attackers' use of MFA code theft highlights the evolving tactics used to bypass common security controls. Microsoft emphasized that while Workday was a primary target, other HR and payment systems could also be at risk. The scale of the campaign, with thousands of potential victims, underscores the need for heightened vigilance and improved security awareness among university staff. The incident has raised concerns about the security of third-party platforms used for payroll and HR functions in the education sector. Workday, the platform most frequently targeted, did not respond to requests for comment regarding the incident. Microsoft’s response included sharing technical indicators and recommended best practices to help organizations defend against similar attacks. The campaign is ongoing, and universities are urged to review their security protocols, especially around MFA and email filtering. The incident highlights the persistent threat of phishing and the importance of layered security defenses in protecting sensitive financial information.
May 1, 2026
Multi-Stage Phishing Campaigns Bypassing MFA to Steal Microsoft 365 Credentials
A wave of sophisticated phishing campaigns is targeting organizations globally to steal Microsoft 365 credentials by bypassing traditional email security gateways and multi-factor authentication (MFA) protections. Attackers are employing advanced techniques such as multi-stage payload delivery using nested PDF attachments, legitimate content delivery networks, and mouse tracking to evade detection. Once victims interact with these emails and enter their credentials on a credential harvesting site, attackers leverage legitimate Microsoft infrastructure to bypass MFA and gain immediate access to the victim’s Microsoft 365 environment. These campaigns are engineered to filter out security analysts and block standard security tools, making detection and response more challenging. In parallel, threat actors are increasingly using attacker-in-the-middle toolkits like Evilginx and hybrid phishing-as-a-service kits such as Salty2FA and Tycoon2FA to capture both user credentials and session cookies. By stealing session cookies, attackers can impersonate users and maintain access without triggering additional MFA prompts, even after successful authentication. The blending of different phishing kits into hybrid strains is making detection harder, as traditional security rules tuned to individual kits are now being evaded. Security researchers warn that static indicators are no longer sufficient, and behavioral analysis is required to spot these evolving threats.
Mar 21, 2026