A phishing kit known as Salty2FA is now being used in active campaigns to steal login credentials and multi-factor authentication (MFA) codes.
Identified through sandbox-based malware analysis, this phishing-as-a-service tool has already been linked to attacks across North America and Europe. Targeted sectors include finance, telecom, energy, healthcare, and manufacturing.
Attacks often begin with a short, urgency-driven email related to payments or account issues. The message contains a link to a fake Microsoft login page that closely mimics the real one. When users enter their credentials and MFA code, the information is sent directly to the attacker.
The process happens quickly enough that the stolen code can still be used before it expires.
Why It Matters: Multi-factor authentication is designed to stop unauthorized access even when passwords are compromised. Salty2FA breaks that model by collecting second-factor codes during the login attempt. The phishing happens in real time and relies on tricking users. Defenses based only on URLs, domains, or file hashes are unlikely to catch it. Detecting behavior is more reliable than tracking infrastructure.
- Campaigns Span Countries and Industries and Continue to Grow: Salty2FA has been linked to phishing campaigns across the US, UK, Germany, Spain, Italy, Greece, and Switzerland. These are not isolated events. The attacks repeat familiar patterns with minor adjustments depending on region or target. Affected organizations include banks, energy providers, healthcare systems, manufacturers, logistics firms, and schools. In some cases, attackers appear to move through smaller vendors to reach larger enterprise networks.
- Fake Login Pages Mimic Trusted Enterprise Tools: The phishing portals are modeled after Microsoft login screens. Icons, layouts, and redirects match what users expect. These pages often use Cloudflare and other legitimate infrastructure to avoid detection. For enterprise employees moving quickly, the pages appear routine and trustworthy.
- Account Access Often Takes Only One Click: In one confirmed case, a user received an email labeled “2025 Payment Correction” from a familiar contact. The link opened a fake Microsoft 365 login. After entering credentials and a 2FA code, attackers gained access within minutes. No malware was involved. The attack relied entirely on a convincing interface and quick user action.
- Static Indicators Offer Limited Protection: Salty2FA frequently rotates its domains and hosting. Defenses that rely on fixed indicators like URLs or hashes are likely to miss it. What stays consistent is the attack pattern. It starts with a business-themed message, moves to a fake login, and ends with real-time capture of credentials and 2FA. Security tools that focus on behavior are more likely to detect it early.
- MFA is the Target, Not a Backup: This kit is designed to collect MFA codes as part of the phishing process. After credentials are entered, users are prompted for whatever second factor is required, including push notifications, text codes, or voice responses. The attacker captures the code and logs in before it expires. Many users approve prompts without thinking, especially if they believe the request is from their own login attempt.
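The article's recommendation to detect behavior rather than infrastructure can be made concrete. The following is an added example, not code from the article or from anyone connected to the kit: a small Python heuristic that walks sign-in events in time order, builds a per-user baseline of source addresses from earlier successful sign-ins, and flags an MFA-satisfied sign-in from a never-seen source. It raises the severity when the user's usual address was active within a few minutes of that sign-in, which is what an identity provider tends to see when a victim authenticates through a relay: the second factor is satisfied, but the session is established from the relay's address rather than the user's. The event format, field names, sample addresses and the ten-minute window are all assumptions chosen for illustration.

```python
"""Behaviour-based flagging of possible real-time MFA-relay sign-ins.

Added example for illustration; not from the article or the kit's authors.
The event shape, field names and thresholds are assumed, not taken from any
real identity provider's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (assumed shape): user, UTC time, source IP,
# whether a second factor was satisfied, and the outcome of the request.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "time": "2025-03-03T08:02:11Z", "ip": "198.51.100.20", "mfa": True, "result": "success"},
    {"user": "alice@example.com", "time": "2025-03-10T08:05:40Z", "ip": "198.51.100.20", "mfa": True, "result": "success"},
    # Day of the phish: the user's usual address is still active...
    {"user": "alice@example.com", "time": "2025-03-17T09:14:02Z", "ip": "198.51.100.20", "mfa": False, "result": "token_refresh"},
    # ...and minutes later an MFA-satisfied sign-in arrives from an address
    # never seen for this user: the real-time relay pattern described above.
    {"user": "alice@example.com", "time": "2025-03-17T09:17:30Z", "ip": "203.0.113.77", "mfa": True, "result": "success"},
    # Bob signs in from a new address with no overlapping activity from a
    # known one (e.g. travel): still worth a look, but lower severity.
    {"user": "bob@example.com", "time": "2025-03-12T10:00:00Z", "ip": "198.51.100.31", "mfa": True, "result": "success"},
    {"user": "bob@example.com", "time": "2025-03-17T22:40:00Z", "ip": "192.0.2.9", "mfa": True, "result": "success"},
]

OVERLAP_WINDOW = timedelta(minutes=10)  # assumed tuning value


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_relay_signins(events, window=OVERLAP_WINDOW):
    """Return alerts for successful sign-ins from a source the user has never
    used before. Events are processed in time order so each decision relies
    only on what the identity provider had already seen at that moment."""
    known_ips = defaultdict(set)      # user -> addresses from earlier accepted sign-ins
    recent_known = defaultdict(list)  # user -> times of activity from known addresses
    alerts = []

    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        user, ip, t = ev["user"], ev["ip"], parse_time(ev["time"])

        if ip in known_ips[user]:
            # Any activity from a baseline address, including token refreshes,
            # tells us the user's real session is alive at this time.
            recent_known[user].append(t)
            continue

        if ev["result"] != "success":
            continue  # failed attempts from unknown sources are out of scope here

        if not known_ips[user]:
            known_ips[user].add(ip)  # first accepted sign-in seen: seed the baseline
            continue

        # Accepted sign-in from a source this user has never used.
        overlap = any(abs(t - k) <= window for k in recent_known[user])
        high = ev["mfa"] and overlap
        alerts.append({
            "user": user,
            "time": ev["time"],
            "ip": ip,
            "severity": "high" if high else "medium",
            "reason": ("MFA-satisfied sign-in from new source while a known source was active"
                       if high else "sign-in from new source"),
        })
        # Deliberately not added to the baseline: a flagged source should not
        # become trusted until an analyst has reviewed the alert.

    return alerts


if __name__ == "__main__":
    for alert in detect_relay_signins(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['user']} {alert['time']} from {alert['ip']}: {alert['reason']}")
```

Run against the constructed events, the function produces two alerts: a high-severity one for alice, whose accepted sign-in from 203.0.113.77 lands three minutes after a token refresh from her usual address, and a medium-severity one for bob. Neither decision depends on a domain, URL or hash, which is the property the article argues for; in practice the baseline would also cover device identifiers and network owner, and the window would be tuned against the organization's own sign-in data.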