In 2025, a persistent Evilginx AiTM campaign targeted at least 18 U.S. universities, including UC Santa Cruz, UC Santa Barbara, University of San Diego, Virginia Commonwealth University, and the University of Michigan. All had MFA enabled, yet attackers still captured MFA-protected session tokens through proxied .edu SSO portals at scale.
This is a clear reminder: not all MFA is created equal. We need to move critical accounts to phishing-resistant methods like GoTrust Idem Key.



