Ethical Hacking News
The cybersecurity landscape has witnessed a constant evolution, with new phishing kits emerging every now and then. Salty2FA is one of these phishing-as-a-service (PhaaS) frameworks that claims to have bypassed multiple two-factor authentication methods and slipped past traditional defenses. It already targets the finance, energy, and telecom sectors, and because it can intercept both credentials and 2FA codes, a successful lure can lead directly to account takeover.
The cybersecurity landscape has witnessed a constant evolution, with new phishing kits emerging every now and then to target enterprises across the globe. The latest entrant in this cat-and-mouse game is Salty2FA, a phishing kit that claims to have bypassed multiple two-factor authentication methods and slipped past traditional defenses. According to researchers at ANY.RUN, Salty2FA has already been spotted in campaigns across the US and EU, putting enterprises at risk by targeting industries from finance to energy.
Salty2FA's multi-stage execution chain, evasive infrastructure, and ability to intercept credentials and 2FA codes make it one of the most dangerous PhaaS frameworks seen this year. Its ability to bypass push, SMS, and voice-based 2FA means stolen credentials can lead directly to account takeover. Already aimed at finance, energy, and telecom sectors, the kit turns common phishing emails into high-impact breaches.
The key target regions for Salty2FA are the US and EU, with specific focus on industries such as finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting. This is not an exhaustive list, as the kit has been spotted in various other regions and industries worldwide.
The campaign activity began gaining momentum in June 2025, with early traces possibly dating back to March-April. Confirmed campaigns have been active since late July and continue to this day, generating dozens of fresh analysis sessions daily. According to ANY.RUN's data, Salty2FA has already shown its capability to intercept credentials and 2FA codes.
One recent case analyzed by ANY.RUN shows just how convincing Salty2FA can be in practice. An employee received an email with the subject line "External Review Request: 2025 Payment Correction", a lure designed to trigger urgency and bypass skepticism. The attack chain unfolded step by step:
Stage 1: Email lure
The email contained a payment correction request disguised as a routine business message.
Stage 2: Redirect and fake login
The link led to a Microsoft-branded login page, wrapped in Cloudflare checks to bypass automated filters. In the sandbox, ANY.RUN's Automated Interactivity handled the verification automatically, exposing the flow without manual clicks and cutting investigation time for analysts.
Stage 3: Credential theft
Employee details entered on the page were harvested and exfiltrated to attacker-controlled servers.
Stage 4: 2FA bypass
If the account had multi-factor authentication enabled, the phishing page prompted for codes and could intercept push, SMS, or even voice call verification.
The full execution chain was visible in real time, from the first click to credential theft and 2FA interception. This level of visibility is critical because static indicators such as domains or hashes mutate daily, while the behavioral pattern of the attack chain stays consistent. Detecting on that behavior lets security teams stop phishing attacks before they lead to major breaches.
To combat Salty2FA, security leaders need to adopt a new approach that focuses on behaviors and response speed. Here are some steps SOCs can take:
Rely on behavioral detection: Track recurring patterns like domain structures and page logic rather than chasing constantly changing IOCs.
Detonate suspicious emails in a sandbox: Full-chain visibility reveals credential theft and 2FA interception attempts in real time.
Harden MFA policies: Favor app-based or hardware tokens over SMS and voice, and use conditional access to flag risky logins.
Train employees on financial lures: Common hooks like "payment correction" or "billing statement" should always raise suspicion.
Integrate sandbox results into your stack: Feeding live attack data into SIEM/SOAR speeds detection and reduces manual workload.
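The behavioral-detection and SIEM-integration points above are easier to see in code. The following is an added example, not code from the article or from ANY.RUN: it scores a sandbox or proxy session on the chain of behaviors described in Stages 2 to 4 (bot-check interstitial, Microsoft-branded sign-in page on a non-Microsoft host, password submission, 2FA prompt served by the same fake page) rather than on any domain or hash, and emits a flat record a SIEM/SOAR pipeline could ingest. The event format, the allowlist of Microsoft sign-in hosts, the scoring weights and the sample sessions are all assumptions constructed for the example; the `.invalid` hosts are reserved names that never resolve.

```python
"""Behavior-based detection of a multi-stage credential/2FA phishing chain.

Rule idea: score the sequence of behaviors in a session (bot-check interstitial
-> Microsoft-branded sign-in page on a non-Microsoft host -> password submitted
-> 2FA code/approval prompt from the same fake page) instead of matching IOCs.
Event schema, weights and sample data are constructed for this example.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hosts where a Microsoft sign-in page is expected. Assumption: a short,
# representative allowlist, not an exhaustive one.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com", "login.live.com", "login.microsoft.com",
}
PHISHING_THRESHOLD = 60


@dataclass
class Event:
    ts: int        # seconds since session start
    kind: str      # "nav" = page load, "post" = form submit, "prompt" = form shown
    url: str
    detail: str    # page title for nav; comma-separated field names otherwise


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    chain: list = field(default_factory=list)   # (stage, host) in observed order


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def registrable(host: str) -> str:
    # Crude eTLD+1 (last two labels). Assumption: adequate for the sample;
    # a production rule would use the Public Suffix List.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze(events: list) -> Verdict:
    v = Verdict()
    fake_login_host = None
    interstitial_host = None
    for e in sorted(events, key=lambda x: x.ts):
        h, d = host_of(e.url), e.detail.lower()
        if e.kind == "nav" and ("checking your browser" in d or "verify you are human" in d):
            interstitial_host = h            # CDN/bot-check page before the lure
        elif e.kind == "nav" and "sign in" in d and "microsoft" in d:
            if h in MICROSOFT_LOGIN_HOSTS:
                continue                     # genuine sign-in page: no signal
            fake_login_host = h
            v.score += 40
            v.reasons.append(f"Microsoft-branded sign-in page on non-Microsoft host {h}")
            if interstitial_host:
                v.score += 10
                v.reasons.append(f"bot-check interstitial on {interstitial_host} shielded the page")
                v.chain.append(("interstitial", interstitial_host))
            v.chain.append(("fake_login", h))
        elif e.kind == "post" and fake_login_host and "password" in d:
            v.score += 30
            where = "third-party host" if registrable(h) != registrable(fake_login_host) else "phishing host"
            v.reasons.append(f"password submitted from fake sign-in page to {where} {h}")
            v.chain.append(("cred_exfil", h))
        elif e.kind == "prompt" and fake_login_host and any(k in d for k in ("otp", "code", "push", "voice")):
            v.score += 20
            v.reasons.append(f"2FA prompt ({e.detail}) served by phishing host {h}")
            v.chain.append(("mfa_intercept", h))
    return v


def classify(v: Verdict) -> str:
    if v.score >= PHISHING_THRESHOLD:
        return "phishing-chain"
    return "suspicious" if v.score > 0 else "benign"


def to_alert(v: Verdict, session_id: str) -> dict:
    """Flat record suitable for forwarding to a SIEM/SOAR pipeline."""
    return {
        "session_id": session_id,
        "verdict": classify(v),
        "score": v.score,
        "stages": [s for s, _ in v.chain],
        "hosts": sorted({h for _, h in v.chain}),
        "reasons": v.reasons,
    }


# Constructed sample sessions (the .invalid TLD is reserved and never resolves).
PHISH_SESSION = [
    Event(0, "nav", "https://review-2025.invalid/r/abc", "Checking your browser before accessing review-2025.invalid"),
    Event(3, "nav", "https://review-2025.invalid/auth", "Sign in to your account - Microsoft"),
    Event(9, "post", "https://collect.drop-site.invalid/s", "login,password"),
    Event(12, "prompt", "https://review-2025.invalid/auth", "otp_code"),
]
BENIGN_SESSION = [
    Event(0, "nav", "https://login.microsoftonline.com/", "Sign in to your account - Microsoft"),
    Event(5, "post", "https://login.microsoftonline.com/common/login", "login,password"),
    Event(8, "prompt", "https://login.microsoftonline.com/common/SAS/ProcessAuth", "otp_code"),
]

if __name__ == "__main__":
    for name, sess in (("phish", PHISH_SESSION), ("benign", BENIGN_SESSION)):
        print(name, to_alert(analyze(sess), session_id=name))
```

Nothing in the rule names a phishing domain, so rotating hosts does not evade it; the genuine Microsoft flow scores zero because the sign-in page is on an allowlisted host and no later stage fires without a fake login first. Adjusting the weights, the allowlist and the event source (sandbox export, proxy log, browser telemetry) is the tuning a SOC would do before wiring `to_alert` into its SIEM.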
By combining these measures, enterprises can turn Salty2FA from a hidden risk into a known and manageable threat. With interactive sandboxes like ANY.RUN, SOCs can gain the speed and clarity they need to stop phishing before it leads to a major breach.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Phishing-Kit-Threatens-Enterprise-Security-Salty2FA-Exploits-2FA-Bypass-Vulnerabilities-ehn.shtml
https://thehackernews.com/2025/09/watch-out-for-salty2fa-new-phishing-kit.html
Published: Wed Sep 10 03:53:06 2025 by llama3.2 3B Q4_K_M