Salty2FA Phishing Kit: New Threat to Enterprise Security in the US and EU


New Phishing Kit "Salty2FA" Threatens Enterprise Security Across US and EU

A sophisticated new phishing-as-a-service (PhaaS) platform called Salty2FA is actively targeting enterprises across the United States and European Union, bypassing multiple forms of two-factor authentication. Security researchers at ANY.RUN discovered the threat, which primarily impacts the financial, healthcare, and energy sectors.

The emergence of Salty2FA marks a concerning evolution in sophisticated phishing attack methodologies, as it can circumvent push notifications, SMS, and voice-based 2FA methods, potentially leading to widespread account compromises. Active since June 2025, this threat demonstrates how PhaaS platforms continue to advance in complexity and effectiveness.

Widespread Impact Across Industries

The attack campaign has shown particular focus on specific sectors:

  • United States: Finance, healthcare, government, logistics, energy, and education
  • European Union: Telecom, chemicals, energy (including solar), and manufacturing
  • Additional targets include organizations in India, Canada, France, and Latin America

Companies are particularly vulnerable to Salty2FA's sophisticated multi-stage attack chain, which begins with convincing business-related email lures such as "External Review Request: 2025 Payment Correction."

Advanced Attack Methodology

The phishing kit employs a four-stage attack process:

  1. Initial email lure using urgent business-related messages
  2. Redirect to fake Microsoft login pages protected by Cloudflare verification
  3. Credential harvesting from unsuspecting employees
  4. Interception of various 2FA authentication methods

Security analysts note that the kit's ability to bypass traditional two-factor authentication protections makes it particularly dangerous, as compromised credentials can lead directly to account takeovers.

Enhanced Security Measures

Organizations can protect themselves against Salty2FA attacks by implementing several key strategies:

  • Deploy behavioral detection systems that identify suspicious domain patterns
  • Use sandbox environments to test suspicious emails
  • Strengthen MFA policies by preferring app-based or hardware tokens
  • Conduct regular employee training focused on financial-themed phishing lures
  • Integrate real-time threat detection tools into existing security infrastructure

According to recent research from Microsoft's Digital Defense Report, organizations implementing hardware-based authentication tokens have experienced 99.9% fewer account compromises compared to traditional methods.

Response Protocol

  1. IT security teams should immediately review their current 2FA implementation and consider upgrading to hardware-based authentication methods
  2. Organizations should evaluate their email security protocols and implement sandbox testing for suspicious messages
  3. Security awareness training programs should be updated to include specific examples of Salty2FA lures and tactics