
Phishing-as-a-Service (PhaaS) platforms continue to evolve, giving attackers a faster and cheaper way into corporate accounts. Now Any.run researchers have identified a new entrant, Salty2FA, a phishing kit built to bypass several two-factor authentication methods and slip past traditional defenses.
Already seen in US and EU campaigns, Salty2FA puts businesses at risk by targeting industries from finance to energy. Its multi-stage execution chain, evasion infrastructure, and ability to intercept both credentials and 2FA codes make it one of the most dangerous PhaaS frameworks we have seen this year.
Why Salty2FA is a corporate concern
Because Salty2FA can bypass push, SMS, and voice-based 2FA, stolen credentials can lead directly to account takeover. Already aimed at the finance, energy, and communications sectors, the kit turns ordinary phishing emails into high-impact breaches.
Who is being targeted?
Any.run analysts mapped the Salty2FA campaign and found activity across multiple regions and industries. US and EU businesses have been hit hardest.
Region / Key target industries
US: Finance, Healthcare, Government, Logistics, Energy, IT Consulting, Education, Construction
Europe (UK, Germany, Spain, Italy, Greece, Switzerland): Telecom, Chemicals, Energy (including solar), Industrial Manufacturing, Real Estate
Global / Other (India, France, Ratum): Logistics, IT, Metallurgy
When did Salty2FA start to hit companies?
Based on Any.run sandbox and threat intelligence data, Salty2FA activity began gaining momentum in June 2025. The confirmed campaign has been active since late July and continues to this day, producing dozens of fresh analysis sessions every day.
Real-World Case: How Salty2FA targets enterprise employees
One recent case analyzed by Any.run shows just how persuasive Salty2FA is. An employee received an email with the subject line “External Review Request: 2025 Payment Amendment.”
When the email was opened in the Any.run sandbox, the attack chain unfolded in stages.
[Image: the malicious Salty2FA email analyzed in the Any.run sandbox]
Stage 1: Email Lure
The email carried a payment-correction request disguised as routine business correspondence.
Stage 2: Redirect and fake login
The link led to a Microsoft-branded login page wrapped in a Cloudflare check, a step meant to keep automated filters from reaching the phishing content. In the sandbox, Any.run’s automated interactivity completed that verification on its own, exposing the full flow without manual clicks and cutting analyst time.
[Image: Cloudflare verification completed automatically inside the Any.run sandbox]
Stage 3: Credential Theft
The credentials the employee entered on the page were harvested and exfiltrated to attacker-controlled servers.
[Image: fake Microsoft login page, ready to steal the victim’s credentials]
Stage 4: 2FA Bypass
If the account had multi-factor authentication enabled, the phishing page asked for the code and could intercept push, SMS, or voice-call verification.
By detonating the file in the sandbox, the SOC team could watch the complete execution chain in real time, from the initial click through credential theft and 2FA interception. This visibility matters because static indicators such as domains and hashes change daily, while the behavioral pattern stays the same. Sandbox analysis therefore gives broader detection coverage, reduces analyst workload, and keeps pace with evolving PhaaS kits like Salty2FA.
Stopping Salty2FA: What SOCs should do next
Salty2FA shows how quickly phishing-as-a-service is evolving, and why static indicators alone do not stop it. For SOCs and security leaders, protection means shifting the focus to behavior and response speed.
- Rely on behavior-based detection: rather than chasing constantly changing IOCs, track recurring patterns such as domain structure and page logic.
- Detonate suspicious emails in a sandbox: full-chain visibility reveals credential theft and 2FA interception attempts in real time.
- Harden the MFA policy: favor app-based or hardware tokens over SMS and voice, and use conditional access to flag risky logins.
- Train employees on financial lures: common hooks such as “payment corrections” and “claim documents” should always raise suspicion.
- Integrate sandbox results into the stack: feed live attack data into SIEM/SOAR to speed up detection and reduce manual workload.
By combining these measures, businesses can turn Salty2FA from a hidden risk into a known, manageable threat.
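As an added example of the behavior-first detection recommended above and in the case walkthrough (this is not the article’s or Any.run’s code), the following Python sketch matches a sandbox behavior trace against the Salty2FA stage sequence instead of against domains or hashes; the event schema, the hosts, and both traces are constructed for illustration.

```python
# Added example (not from the article): behaviour-based matcher for the Salty2FA chain
# above, keyed on the ORDER of behaviours rather than on rotating domains or hashes.
# Event schema and sample traces are constructed for illustration.
from dataclasses import dataclass
MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "live.com", "office.com")

@dataclass
class Event:
    kind: str         # navigate | challenge | form | post | mfa_prompt
    host: str         # host the event occurred on
    detail: str = ""  # sandbox free text: page title, form fields, POST body

def is_microsoft_host(host: str) -> bool:
    h = host.lower()
    return any(h == d or h.endswith("." + d) for d in MICROSOFT_DOMAINS)

# Ordered chain stages, one predicate per event; stages 3-5 only fire off Microsoft domains.
STAGES = [
    ("email_link_redirect", lambda e: e.kind == "navigate" and "redirect" in e.detail.lower()),
    ("cloudflare_check", lambda e: e.kind == "challenge" and "cloudflare" in e.detail.lower()),
    ("brand_spoof_login", lambda e: e.kind == "form" and "microsoft" in e.detail.lower() and not is_microsoft_host(e.host)),
    ("credential_exfil", lambda e: e.kind == "post" and "password" in e.detail.lower() and not is_microsoft_host(e.host)),
    ("mfa_intercept", lambda e: e.kind == "mfa_prompt" and not is_microsoft_host(e.host)),
]

def match_chain(events):
    """Stage names hit, in order; a stage counts only after all earlier stages were seen."""
    hit, idx = [], 0
    for e in events:
        if idx < len(STAGES) and STAGES[idx][1](e):
            hit.append(STAGES[idx][0])
            idx += 1
    return hit

def verdict(events, min_stages=4):
    hit = match_chain(events)  # 'salty2fa-like' once min_stages stages matched in sequence
    return ("salty2fa-like" if len(hit) >= min_stages else "benign"), hit
# Constructed trace mirroring the article's case; hosts are placeholders.
PHISH_TRACE = [
    Event("navigate", "review-docs.example", "302 redirect from mail link"),
    Event("challenge", "review-docs.example", "Cloudflare verification page"),
    Event("form", "review-docs.example", "Sign in to your Microsoft account: loginfmt, passwd"),
    Event("post", "collect.example", "loginfmt=user%40corp.example&password=..."),
    Event("mfa_prompt", "review-docs.example", "Enter the code from your authenticator app"),
]
# Constructed benign trace: a genuine sign-in that stays on a Microsoft domain.
LEGIT_TRACE = [
    Event("navigate", "login.microsoftonline.com", "redirect from SSO"),
    Event("form", "login.microsoftonline.com", "Sign in to your Microsoft account"),
]
```

Because each stage is gated on the previous ones, a lone Cloudflare challenge or a real Microsoft sign-in stops at the first stage and stays benign, while the full chain is flagged regardless of which domain hosted it.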
Increase SOC efficiency with an interactive sandbox
Enterprises around the world are turning to interactive sandboxes like Any.run to strengthen their defenses against advanced phishing kits such as Salty2FA. The results are measurable:
- Interactive analysis combined with automation delivers 3x SOC efficiency.
- Investigation times drop from hours to minutes, with investigations completed up to 50% faster.
- 94% of users report faster triage and clearer IOCs and TTPs for confident decisions.
- Tier 1 to Tier 2 escalations fall by 30% as junior analysts gain confidence and senior staff are freed to focus on key tasks.
With 88% of threats visualized in under 60 seconds, businesses get the speed and clarity they need to stop phishing.
Try Any.run today: built for enterprise SOCs that need faster investigations, stronger defenses, and measurable results.