Cookie Monsters on Campus: How Hackers Outsmarted MFA in a Coast-to-Coast University Phishing Rampage
A months-long phishing campaign used roughly 70 lookalike domains to steal credentials and session cookies from students and staff at at least 18 U.S. universities, walking past multi-factor authentication along the way.
It started with an email that looked like just another campus notice: a link to log in, a familiar university logo, nothing out of the ordinary. But behind the scenes, a months-long cybercrime operation was already in full swing, targeting students and staff at major American universities and quietly sidestepping defenses that many assumed would stop it.
The Anatomy of a Campus Heist
According to cybersecurity firm Infoblox, the attackers ran a carefully planned phishing campaign for seven months, targeting the digital identities of students and faculty at institutions including the University of California campuses, Virginia Commonwealth University and the University of Michigan. The campaign's key tool was Evilginx, an open-source adversary-in-the-middle (AitM) phishing framework. Rather than merely collecting passwords, it sits as a reverse proxy between the victim and the genuine login page, relays the real authentication and hijacks the resulting session.
Multi-factor authentication (MFA) is meant to stop an attacker who holds only a password by demanding a second step, such as a code from your phone, before granting access. Evilginx turns that safety net into a trap. When a victim clicks a phishing link, the page they see is the university's real sign-in flow, proxied through the attacker's server. The victim enters their password and approves the MFA prompt exactly as they normally would; the proxy records the credentials in passing and, once the identity provider is satisfied, captures the session cookie it issues, the token that tells the application "this person is already logged in." Loaded into the attacker's own browser, that cookie grants access with no further MFA challenge. The relay defeats one-time codes and push approvals, which are not tied to the site the user is actually talking to; FIDO2/WebAuthn security keys and passkeys are bound to the legitimate origin, so a proxy on a lookalike domain cannot coax a usable assertion out of them.
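A hijack of this kind does leave a trace the identity provider can see, and it is worth being precise about what that trace looks like. Because the victim's login is relayed through the phishing server, the IdP records the login itself as coming from the proxy's address with the victim's browser headers forwarded through it; the tell comes minutes later, when the same session cookie is presented from the attacker's own machine with a different User-Agent and a different network. The detector below is an added example, not code from Infoblox or from the Evilginx project. It assumes a JSON-lines sign-in log with the field names used in the constructed sample (real IdP logs use different names), and the addresses in it are documentation ranges, not real infrastructure.

```python
"""Detect a session cookie replayed from a new browser after an MFA login.

Added example, not code from Infoblox or from the Evilginx project. It
assumes a JSON-lines sign-in log with the field names used in the
constructed sample below; real IdP logs use different names.
"""
import json
from datetime import datetime

# Constructed sample. With an AitM proxy the IdP records the *login* as
# coming from the proxy's address (203.0.113.10 here, a documentation
# range) with the victim's real browser headers relayed through it. Once
# the attacker loads the captured cookie into their own browser, the same
# session shows up from a different address with a different User-Agent.
# asmith's session is a normal one and must not be flagged.
SAMPLE_LOG = """\
{"ts":"2025-03-04T09:02:11Z","user":"jdoe","event":"login","mfa":true,"session":"s1","ip":"203.0.113.10","ua":"Firefox/124 Mac"}
{"ts":"2025-03-04T09:02:40Z","user":"jdoe","event":"access","session":"s1","ip":"203.0.113.10","ua":"Firefox/124 Mac"}
{"ts":"2025-03-04T09:07:03Z","user":"jdoe","event":"access","session":"s1","ip":"198.51.100.77","ua":"Chrome/123 Windows"}
{"ts":"2025-03-04T10:15:00Z","user":"asmith","event":"login","mfa":true,"session":"s2","ip":"10.20.3.4","ua":"Safari/17 iPhone"}
{"ts":"2025-03-04T10:16:10Z","user":"asmith","event":"access","session":"s2","ip":"10.20.3.4","ua":"Safari/17 iPhone"}
"""


def parse_log(text):
    """Parse JSON lines into dicts, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_replays(events):
    """Return one alert per access whose IP or User-Agent differs from the
    login that minted the session. A changed User-Agent alone is a strong
    signal: a cookie does not move between browsers on its own."""
    origin = {}   # session id -> (ip, ua, user) recorded at login time
    alerts = []
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "login":
            origin[sid] = (ev["ip"], ev["ua"], ev["user"])
            continue
        if sid not in origin:
            continue  # cookie with no login we saw: deserves its own rule
        ip0, ua0, user = origin[sid]
        ip_changed, ua_changed = ev["ip"] != ip0, ev["ua"] != ua0
        if ip_changed or ua_changed:
            alerts.append({
                "user": user,
                "session": sid,
                "ts": ev["ts"].isoformat(),
                "login_ip": ip0,
                "ip": ev["ip"],
                "ua": ev["ua"],
                "severity": "high" if ip_changed and ua_changed else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_replays(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample this produces a single high-severity alert for jdoe's session. In a real deployment the login address is a second signal in its own right: a sign-in that arrives from a hosting provider's range rather than from campus or residential networks is exactly what a relayed login looks like.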
To stay ahead of takedowns and blocklists, the criminals rotated through roughly 70 lookalike domains, often wrapped in short-lived TinyURL links, and fronted the hosting with Cloudflare so the real servers' addresses stayed hidden. The links were built to mimic official university single sign-on portals, trading on trust and urgency to lure victims.
The campaign went unnoticed for months, until a vigilant security professional at one campus raised the alarm, giving Infoblox's Threat Intel team the thread it needed to trace the pattern through DNS analysis. The scale and sophistication surprised even seasoned investigators.
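Infoblox found the pattern in DNS, and a campus resolver log is where a defender can look for the same thing. The check below is an added example, not Infoblox's tooling or anything from the Evilginx code base; the legitimate SSO hostnames, the brand tokens derived from them and the query lines are all constructed. It flags names that embed the institution's brand in a foreign registrable domain, names within a small edit distance of the real portal, and the subdomain trick in which the genuine hostname is placed in front of a domain the attacker controls.

```python
"""Flag lookalike single-sign-on hostnames in a DNS query log.

Added example, not Infoblox's tooling or the Evilginx code base. The
legitimate SSO hostnames and the query lines are constructed; replace
LEGIT_SSO with your institution's real portals.
"""
import re
from difflib import SequenceMatcher

LEGIT_SSO = ["sso.example-university.edu", "shibboleth.example-college.edu"]
SSO_WORDS = ("sso", "login", "signin", "shibboleth", "auth", "portal", "duo")

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>".
SAMPLE_DNS = """\
2025-03-04T09:01:58Z 10.5.6.7 A sso.example-university.edu
2025-03-04T09:02:03Z 10.5.6.7 A www.google.com
2025-03-04T09:02:09Z 10.5.6.8 A sso-example-university.com
2025-03-04T09:03:44Z 10.5.6.9 A exampleuniversity-login.net
2025-03-04T09:04:12Z 10.5.7.1 A sso.exampie-university.edu
2025-03-04T09:05:30Z 10.5.7.2 A shibboleth.example-college.edu.login-portal.xyz
2025-03-04T09:06:01Z 10.5.7.3 A www.example-college.edu
"""


def registrable(host):
    """Crude registrable domain: the last two labels. Production code should
    consult the Public Suffix List so names under e.g. ac.uk are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _flat(s):
    """Lowercase and drop separators so 'example-university' == 'exampleuniversity'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def classify(host, legit=LEGIT_SSO):
    """Return a list of reasons the name looks like an impersonation of a
    legitimate SSO portal, or None if it is the real thing or unrelated."""
    host = host.lower().rstrip(".")
    if registrable(host) in {registrable(h) for h in legit}:
        return None  # lives under a domain we actually own
    flat = _flat(host)
    reasons = []
    for tok in {_flat(registrable(h).split(".")[0]) for h in legit}:
        if tok in flat:
            reasons.append(f"contains brand token {tok!r} outside our domains")
    for h in legit:
        if host.startswith(h + "."):
            reasons.append(f"real hostname {h!r} used as a subdomain prefix")
        elif SequenceMatcher(None, host, h).ratio() >= 0.8:
            reasons.append(f"close edit distance to {h!r}")
    if reasons and any(w in flat for w in SSO_WORDS):
        reasons.append("uses SSO-style wording")
    return reasons or None


def scan(log_text, legit=LEGIT_SSO):
    """Map each suspicious qname in the log to the reasons it was flagged."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[3]
        reasons = classify(qname, legit)
        if reasons:
            hits[qname.lower().rstrip(".")] = reasons
    return hits


if __name__ == "__main__":
    for name, why in scan(SAMPLE_DNS).items():
        print(name, "->", "; ".join(why))
```

Four of the seven sample queries are flagged; the two genuine campus names and www.google.com are not. The similarity threshold and the crude registrable-domain logic are the knobs to tune: a real deployment should use the Public Suffix List, and a lower threshold will catch more typosquats at the cost of more review work.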
What’s at Stake?
Renée Burton, Vice President of Threat Intel at Infoblox, underscored the real-world damage: “Universities remain a common target for malicious actors, who show little concern for the damage they cause.” In one particularly devastating case, an attack on the University of Washington destroyed part of a museum’s digital catalogue - erasing irreplaceable scientific records.
This campaign is a stark warning: MFA that relies on codes or push prompts can be relayed by a skilled adversary, because nothing ties those factors to the site the user is really talking to. Defenses that hold up include phishing-resistant MFA (FIDO2 security keys or passkeys), short session lifetimes and device-bound sessions where the identity provider supports them, monitoring for sessions that change browser or network mid-life, and DNS monitoring for domains that mimic the campus sign-on portal. Alongside these, ongoing security awareness, rapid reporting and a healthy dose of skepticism toward unexpected login requests, no matter how official they look, remain essential.