
Beware of Salty2FA: The Latest Phishing Kit Threatening US and EU Enterprises

Phishing-as-a-Service (PhaaS) platforms continue to evolve, offering attackers efficient and cost-effective methods for infiltrating corporate accounts. A recent discovery by researchers at ANY.RUN highlights a new phishing kit called Salty2FA, designed to circumvent various two-factor authentication (2FA) methods and overcome traditional cybersecurity defenses.

Salty2FA has already been identified in multiple campaigns across the United States and Europe, posing significant risks to various industries, including finance, energy, and telecom. The framework features a complex multi-stage execution process, evasive infrastructure, and the capability to intercept both credentials and 2FA codes, establishing it as one of the most significant threats in the current cybersecurity landscape.

Risks Posed by Salty2FA

One of the biggest concerns with Salty2FA is its ability to bypass several forms of 2FA, including push notifications, SMS, and voice authentication. Because the kit captures the second factor along with the password, stolen credentials lead directly to account takeover, turning an ordinary phishing email into a significant security breach for the finance, energy, and telecom organizations it targets.

Targeted Industries

ANY.RUN’s analysis indicates that Salty2FA campaigns predominantly target industries in specific regions:

  • United States: Finance, healthcare, government, logistics, energy, IT consulting, education, and construction.
  • Europe (including the UK, Germany, Spain, Italy, Greece, Switzerland): Telecom, chemicals, energy (solar included), industrial manufacturing, real estate, and consulting.
  • Worldwide: Logistics, IT, and metallurgy (particularly in India, Canada, France, and LATAM).

Timeline of Salty2FA Activity

The emergence of Salty2FA appears to have begun in June 2025, with early traces possibly dating back to March and April. Confirmed campaigns have been observed since late July, with fresh analysis sessions continuing daily.

Real-World Exploitation

A real-world case analyzed by ANY.RUN shows the effectiveness of Salty2FA. In this incident, an employee received an urgent email about a "Payment Correction," deliberately designed to provoke a quick response and bypass skepticism. The attack unfolded in multiple stages:

  1. Email Lure: The phishing email mimicked a standard business communication regarding payment corrections.

  2. Redirect to Fake Login: Clicking the embedded link led to a Microsoft-branded login page, fortified by Cloudflare checks to evade automated detection.

  3. Credential Theft: Employee credentials entered on the fake page were harvested and sent to the attackers.

  4. 2FA Bypass: If multi-factor authentication was enabled, the phishing interface prompted the user for their authentication codes, allowing attackers to intercept these as well.

By detonating the lure in a sandbox environment, security teams can observe the entire execution flow in real time, gaining insight into both the credential theft and the 2FA manipulation.

Recommendations for Security Operations Centers (SOCs)

To mitigate the threat posed by Salty2FA, it’s crucial for security leaders to adapt their focus:

  • Behavioral Detection: Track the attack's behavioral patterns (the redirect chain, the branded login page, the follow-up 2FA prompt) instead of relying solely on static indicators such as domains and hashes.
  • Sandbox Testing for Emails: Utilize sandbox environments to obtain comprehensive visibility into potential threats before they materialize.
  • Strengthen MFA Policies: Prefer app-based or hardware token 2FA methods over SMS and voice calls, while implementing conditional access protocols for flagging suspicious logins.
  • Employee Training: Elevate awareness around common phishing triggers, such as financial lures.
  • Integrate Sandbox Insights: Connect real-time attack data with SIEM/SOAR systems to enhance detection efficiency.
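The MFA policy recommendation above can be turned into a concrete sign-in rule: a kit that relays SMS, voice, or push codes completes the login from its own infrastructure, so a successful phishable-factor sign-in from a network the user has never used deserves review, while a phishing-resistant factor cannot be relayed by a credential-harvesting page at all. The following is an added example, not code from ANY.RUN or the page; the event fields, factor labels, and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Factors Salty2FA is reported to relay; a relayed sign-in reaches the identity
# provider from the attacker's infrastructure rather than the user's usual network.
PHISHABLE = {"sms", "voice", "push"}
PHISHING_RESISTANT = {"fido2", "hardware_token"}  # assumed labels for this example

@dataclass(frozen=True)
class SignIn:
    user: str
    asn: int          # autonomous system of the client address (assumed field)
    country: str
    mfa_method: str
    mfa_success: bool

def build_history(events):
    """Map user -> set of (asn, country) seen in past successful sign-ins."""
    seen = {}
    for e in events:
        if e.mfa_success:
            seen.setdefault(e.user, set()).add((e.asn, e.country))
    return seen

def assess(event, history):
    """Return (decision, reasons); 'review' routes the sign-in to a SOC queue."""
    if event.mfa_method in PHISHING_RESISTANT:
        return "allow", []          # cannot be captured by a credential-phishing page
    reasons = []
    if event.mfa_method in PHISHABLE:
        reasons.append("phishable second factor")
    if (event.asn, event.country) not in history.get(event.user, set()):
        reasons.append("network never seen for this user")
    if len(reasons) == 2 and event.mfa_success:
        return "review", reasons
    return "allow", reasons

# Constructed sample data: two familiar sign-ins, then three events to assess.
HISTORY = build_history([
    SignIn("alice", 3320, "DE", "push", True),
    SignIn("alice", 3320, "DE", "push", True),
])
SUSPECT = SignIn("alice", 64500, "NL", "push", True)   # same factor, unfamiliar network
BENIGN = SignIn("alice", 3320, "DE", "sms", True)      # phishable factor, familiar network
HARDENED = SignIn("alice", 64500, "NL", "fido2", True) # unfamiliar network, resistant factor

if __name__ == "__main__":
    for ev in (SUSPECT, BENIGN, HARDENED):
        print(ev.mfa_method, ev.asn, assess(ev, HISTORY))
```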

By applying these strategies, organizations can convert the threat from Salty2FA into a manageable risk.

Enhancing SOC Functionality with Interactive Sandboxing

Interactive sandbox solutions like ANY.RUN are becoming indispensable for enterprises aiming to fortify defenses against sophisticated phishing kits like Salty2FA. These tools can deliver significant improvements in operational efficiency, reducing investigation times and increasing overall detection capabilities.

With these insights and methodologies, organizations can better position themselves against evolving phishing threats and protect their sensitive information effectively.
