Salty 2FA Phishing Tool Targets Microsoft 365 Users to Steal Credentials

A newly discovered Phishing-as-a-Service (PhaaS) platform called Salty 2FA is posing a serious threat to Microsoft 365 users across industries in the US and Europe. This advanced tool uses multi-stage execution and obfuscation techniques to bypass two-factor authentication and steal corporate credentials. 

Targeting sectors like finance, telecom, energy, logistics, and education, Salty 2FA delivers phishing campaigns that lure victims with fake voice messages, billing alerts, and document requests. These emails redirect users to convincing Microsoft login pages designed to capture credentials. 

The framework stands out for its domain infrastructure, blending compound ".com" domains with Russian ".ru" domains. This setup enables complex redirections and payload delivery that evade standard detection tools. 

Researchers at ANY.RUN uncovered Salty 2FA during a routine analysis, noting consistent use of Cloudflare Turnstile and similar behavioral patterns across different domains. Their investigation revealed the platform’s ability to intercept various 2FA methods, including SMS, push notifications, voice calls, and authenticator apps. This allows attackers to maintain access even after credentials are stolen. 

Technically, Salty 2FA operates through a five-stage process. It begins with obfuscated JavaScript containing misleading comments, followed by element IDs encoded with Base64 and XOR. The front-end relies on jQuery and on dynamic identifiers that must be decoded before use.
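For analysts triaging a captured page, the sketch below recovers element IDs hidden behind the Base64-plus-XOR encoding described above. It is an added example, not code from ANY.RUN or from the kit itself; the repeating-key XOR scheme, the key, the `dec` wrapper name, the element IDs and the sample script are all constructed assumptions.

```python
import base64
import re

# Quoted string literals made only of Base64 characters (candidate encoded IDs).
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{8,}={0,2})["']""")
# Shape a decoded HTML element ID is expected to have.
ELEMENT_ID = re.compile(r"[A-Za-z][A-Za-z0-9_\-:.]{2,63}")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme; the article only says 'Base64 and XOR')."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_id(literal: str, key: bytes):
    """Return the decoded element ID, or None if the literal is not an encoded ID."""
    try:
        raw = base64.b64decode(literal, validate=True)
        text = xor_bytes(raw, key).decode("ascii")
    except ValueError:  # bad Base64, or output that is not ASCII text
        return None
    return text if ELEMENT_ID.fullmatch(text) else None


def recover_ids(script: str, key: bytes) -> dict:
    """Map each encoded literal found in a script to its decoded element ID."""
    found = {}
    for literal in B64_LITERAL.findall(script):
        decoded = decode_id(literal, key)
        if decoded is not None:
            found[literal] = decoded
    return found


def _encode(element_id: str, key: bytes) -> str:
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(xor_bytes(element_id.encode(), key)).decode()


SAMPLE_KEY = b"k3y"  # constructed key, not taken from any real sample
SAMPLE_SCRIPT = (  # constructed jQuery-style snippet, not real kit code
    "// load analytics helpers\n"
    f"var a = $('#' + dec('{_encode('password-field', SAMPLE_KEY)}'));\n"
    f"var b = $('#' + dec('{_encode('otp-input', SAMPLE_KEY)}'));\n"
    "var c = 'QUJDREVGR0g=';  // plain Base64 that is not an encoded ID\n"
)

if __name__ == "__main__":
    for literal, element_id in recover_ids(SAMPLE_SCRIPT, SAMPLE_KEY).items():
        print(f"{literal} -> {element_id}")
```

In practice the key is read out of the deobfuscated script; literals that do not decode to an ID-shaped string are skipped, which filters out ordinary Base64 data in the same page.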
