Executive summary: A new PhaaS framework dubbed Salty2FA is actively targeting enterprises across the U.S. and EU. First seen ramping up in June 2025 (with traces as early as March–April), it’s built to steal credentials and bypass multiple forms of MFA—including push, SMS, and voice call—and it’s already in real-world use against finance, energy, telecom, government, healthcare, education, and more. Researchers at ANY.RUN analyzed live campaigns and mapped a multi-stage flow designed to slip past filters, trick users, and intercept second-factor codes.
What makes Salty2FA different
- MFA aware, not MFA afraid: designed to phish the second factor, not just usernames and passwords. It supports push-fatigue prompting, one-time-code interception, and capture of voice-call verification codes.
- Enterprise-grade lures: realistic Microsoft 365 login clones fronted by a Cloudflare verification check, which keeps sandboxes and URL scanners from ever reaching the credential page and helps the hosting domain avoid reputation blocks.
- Fast-moving infrastructure: links, domains, and page artifacts churn frequently; the behavioral pattern (redirect flow, page logic, MFA prompts) stays consistent.
- Breadth of targeting: heavy activity across U.S. and EU enterprises. Sectors hit include finance, healthcare, government, logistics, energy, IT consulting, education, construction, telecom, chemicals, industrial manufacturing, real estate, and consulting; additional activity observed in India, Canada, France, and LATAM (logistics/IT/metallurgy).
How the attack works (real case, simplified)
- Email lure: subject lines like “External Review Request: 2025 Payment Correction” create urgency around finance workflows.
- Redirect + fake login: the victim is funneled through a Cloudflare verification step to a polished Microsoft-branded sign-in page.
- Credential capture: the user enters email and password; both are exfiltrated to attacker infrastructure in real time.
- 2FA interception: if MFA is enabled, the phishing page prompts for the second factor (push approval, SMS code, or voice-call code) and relays the response to the genuine sign-in before it expires, so the attacker ends up with an authenticated session rather than just a password.
Why this matters: Static IOCs expire quickly. The behavioral chain—financial lure → Cloudflare gate → M365 clone → MFA prompt—remains stable and is your best detection handle.
Defensive playbook for SOCs and IT security
1) Shift detection from IOCs to behaviors
- Write detections for Cloudflare-gated phishing flows, M365 login clones that ask for the second factor immediately after the password, and sudden user-agent or session handoffs right after a web form submit.
- Correlate email, DNS, proxy, and identity logs to flag the chain: link click → form post → sign-in from an unusual geo or device → MFA method change → mailbox-rule or OAuth-app changes.
2) Harden identity
- Prefer phishing-resistant MFA (FIDO2/WebAuthn, hardware keys) over SMS, voice, and push alone; an adversary-in-the-middle page can relay a code or a push approval, but it cannot complete a WebAuthn assertion that is bound to the real origin.
- Enforce number matching and geofencing for push approvals; throttle consecutive prompts so push-fatigue attempts run out of tries.
- Lock down help-desk flows for MFA reset and add-device; require step-up verification and change-management tickets for high-risk accounts (finance, IT, executives).
3) Raise the bar for email & web controls
- Pre-detonate payment-themed messages and links in a sandbox that can get past a Cloudflare gate (otherwise the detonation only ever sees the challenge page); treat “payment correction”, “invoice”, and “billing” lures as high-risk.
- Enforce Safe Links-style URL rewriting with time-of-click inspection; block newly registered and look-alike domains and flag pages matching known M365 phishing kits. HSTS hardens your own sites against downgrade, but it does nothing for a user who lands on an attacker-controlled domain, so do not count it as a control here.
4) Train for realism
- Run micro-simulations focused on finance/HR workflows (invoice changes, payment corrections, benefits updates).
- Teach users that a Cloudflare “verify you are human” check sitting in front of a Microsoft sign-in page is a tell (the genuine Microsoft sign-in flow does not put one there), and to report unexpected MFA prompts immediately.
5) Response checklist (minutes matter)
- Contain identity: force a global sign-out, reset credentials, revoke refresh tokens, and invalidate app passwords. Revoking tokens is the step that matters most here: the attacker's session came from a relayed MFA, so a password reset alone does not end it.
- Audit changes: inbox rules, forwarding, OAuth consents, MFA devices, conditional access, and privileged group membership.
- Hunt sessions: look for impossible travel, brand-new devices or IPs, newly created mailbox rules, and token replay.
- Notify impacted users and enable additional step-up verification for the next 72 hours.
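The “hunt sessions” step above, implemented over sign-in logs as an added example (illustrative code, not ANY.RUN's or any vendor's tooling). It flags impossible travel with a haversine speed check between consecutive sign-ins, first-seen device IDs against a per-user allowlist, and a session ID presented from a second source IP as a token-replay lead. The sign-in records, coordinates, field names, and the 900 km/h threshold are constructed assumptions; the IPs are documentation ranges.

```python
from __future__ import annotations

import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruise speed
MIN_INTERVAL_H = 1 / 60    # gaps under a minute count as a minute so speed stays finite


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def hunt_sessions(signins: list[dict], known_devices: dict[str, set[str]],
                  max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[dict]:
    """Walk each user's sign-ins in time order and return hunting leads:
    - new_device: a device ID not on the user's allowlist (allowlisted once seen)
    - impossible_travel: implied speed between consecutive sign-ins above max_kmh
    - session_reuse: the same session ID from a second source IP, which is what a
      replayed session cookie looks like in the sign-in log
    """
    findings: list[dict] = []
    by_user: dict[str, list[dict]] = {}
    for s in signins:
        by_user.setdefault(s["user"], []).append(s)
    for user, rows in by_user.items():
        rows.sort(key=lambda r: datetime.fromisoformat(r["ts"]))
        seen = set(known_devices.get(user, ()))
        session_ip: dict[str, str] = {}
        prev = None
        for r in rows:
            if r["device_id"] not in seen:
                seen.add(r["device_id"])
                findings.append({"user": user, "type": "new_device", "ts": r["ts"],
                                 "device_id": r["device_id"], "ip": r["ip"]})
            if prev is not None:
                hours = (datetime.fromisoformat(r["ts"])
                         - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
                km = haversine_km(prev["lat"], prev["lon"], r["lat"], r["lon"])
                kmh = km / max(hours, MIN_INTERVAL_H)
                if kmh > max_kmh:
                    findings.append({"user": user, "type": "impossible_travel", "ts": r["ts"],
                                     "from_ip": prev["ip"], "to_ip": r["ip"],
                                     "km": round(km), "kmh": round(kmh)})
            first_ip = session_ip.setdefault(r["session_id"], r["ip"])
            if first_ip != r["ip"]:
                findings.append({"user": user, "type": "session_reuse", "ts": r["ts"],
                                 "session_id": r["session_id"],
                                 "first_ip": first_ip, "ip": r["ip"]})
            prev = r
    return findings


def _row(ts, user, ip, lat, lon, device_id, session_id):
    return {"ts": f"2025-06-12T{ts}", "user": user, "ip": ip, "lat": lat, "lon": lon,
            "device_id": device_id, "session_id": session_id}


# Constructed sample. alice: London on a known laptop, then Amsterdam twenty
# minutes later from an unknown browser, then the same session from a second IP.
# bob: London in the morning, New York eight hours later on his usual laptop,
# which a 900 km/h ceiling accepts as real travel.
SAMPLE_SIGNINS = [
    _row("08:00:00", "alice", "192.0.2.10", 51.5074, -0.1278, "corp-laptop-01", "s-17"),
    _row("08:20:00", "alice", "203.0.113.7", 52.3676, 4.9041, "unknown-browser-77", "s-42"),
    _row("08:26:00", "alice", "198.51.100.23", 52.3676, 4.9041, "unknown-browser-77", "s-42"),
    _row("09:00:00", "bob", "192.0.2.11", 51.5074, -0.1278, "corp-laptop-02", "s-18"),
    _row("17:00:00", "bob", "198.51.100.44", 40.7128, -74.0060, "corp-laptop-02", "s-19"),
]
KNOWN_DEVICES = {"alice": {"corp-laptop-01"}, "bob": {"corp-laptop-02"}}

if __name__ == "__main__":
    for finding in hunt_sessions(SAMPLE_SIGNINS, KNOWN_DEVICES):
        print(finding)
```

Three leads come back for alice and none for bob. The speed threshold is deliberately generous so that a real flight does not page anyone; the session-reuse check needs no threshold at all, because a cookie legitimately issued to one browser has no reason to show up from a second address minutes later.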
Quick wins you can implement this week
- Turn on phishing-resistant MFA (start with payroll, AP/AR, C-suite, IT admins).
- Enable number matching and MFA prompt rate-limiting.
- Require additional verification for MFA reset or add-device requests via the help desk.
- Create a SIEM rule: finance-themed email → external link click → login → MFA change within 30 minutes.
- Add a “Report suspicious MFA prompt” button to your security portal and rotate it through onboarding refreshers.
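The behavioral chain from the detection section and the 30-minute SIEM rule in the quick wins, as one added example (illustrative Python, not ANY.RUN's code or any SIEM's rule language). It correlates constructed events from an email gateway, a web proxy, and an identity provider per user, requires the four stages in order inside a 30-minute window, and ignores clicks that land on genuine Microsoft sign-in hosts. The event field names, the finance-lure regex, and the sample events are assumptions; the phishing hosts in the sample are invented placeholders, not indicators.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta
from typing import Callable

# Hosts where a genuine Microsoft 365 sign-in lands. A login on any other host
# right after a finance lure is the suspicious step, whatever the domain is called.
TRUSTED_SUFFIXES = ("microsoftonline.com", "microsoft.com", "office.com")
FINANCE_LURE = re.compile(r"payment correction|invoice|billing|remittance|wire transfer", re.I)
WINDOW = timedelta(minutes=30)


def is_trusted_host(host: str) -> bool:
    """Exact or dot-separated suffix match, so 'notmicrosoft.com' does not pass."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def is_finance_lure(e: dict) -> bool:
    return (e["source"] == "email" and e["event"] == "delivered"
            and bool(FINANCE_LURE.search(e.get("subject", ""))))


def is_external_click(e: dict) -> bool:
    return (e["source"] == "proxy" and e["event"] == "url_click"
            and not is_trusted_host(e["host"]))


def is_signin(e: dict) -> bool:
    return e["source"] == "idp" and e["event"] == "signin_success"


def is_mfa_change(e: dict) -> bool:
    return e["source"] == "idp_audit" and e["event"] in {
        "mfa_method_added", "mfa_method_changed", "mfa_device_registered"}


# The ordered chain: finance lure -> external link click -> login -> MFA change.
# No stage matches a specific URL, domain or sender, so the rule survives churn.
CHAIN: list[tuple[str, Callable[[dict], bool]]] = [
    ("finance_lure", is_finance_lure),
    ("external_click", is_external_click),
    ("signin", is_signin),
    ("mfa_change", is_mfa_change),
]


def _ts(e: dict) -> datetime:
    return datetime.fromisoformat(e["ts"])


def correlate(events: list[dict], chain=CHAIN, window: timedelta = WINDOW) -> list[dict]:
    """One alert per (user, lure) whose later events complete the chain in order,
    each stage strictly after the previous one, within `window` of the lure."""
    alerts: list[dict] = []
    by_user: dict[str, list[dict]] = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        for i, start in enumerate(evs):
            if not chain[0][1](start):
                continue
            deadline = _ts(start) + window
            matched = [(chain[0][0], start)]
            for e in evs[i + 1:]:
                if _ts(e) > deadline:
                    break  # the chain never completed inside the window
                name, pred = chain[len(matched)]
                if pred(e):
                    matched.append((name, e))
                    if len(matched) == len(chain):
                        alerts.append({"user": user,
                                       "phish_host": matched[1][1]["host"],
                                       "stages": {n: ev["ts"] for n, ev in matched}})
                        break
    return alerts


def _ev(ts, user, source, event, **fields):
    return {"ts": f"2025-06-12T{ts}", "user": user, "source": source, "event": event, **fields}


LURE = "External Review Request: 2025 Payment Correction"
# Constructed sample events; the .example hosts are placeholders, not real IOCs.
SAMPLE_EVENTS = [
    # alice: full chain inside 30 minutes -> alert
    _ev("09:02:00", "alice", "email", "delivered", subject=LURE),
    _ev("09:05:30", "alice", "proxy", "url_click", host="review-docs.example"),
    _ev("09:06:10", "alice", "idp", "signin_success", ip="203.0.113.7"),
    _ev("09:09:45", "alice", "idp_audit", "mfa_method_added", method="phone"),
    # bob: same lure, but the click lands on the genuine sign-in host and the
    # later key enrolment is legitimate -> no alert
    _ev("09:02:05", "bob", "email", "delivered", subject=LURE),
    _ev("09:03:00", "bob", "proxy", "url_click", host="login.microsoftonline.com"),
    _ev("09:04:00", "bob", "idp", "signin_success", ip="198.51.100.4"),
    _ev("09:08:00", "bob", "idp_audit", "mfa_method_added", method="fido2"),
    # carol: MFA change happened before the lure; wrong order -> no alert
    _ev("08:00:00", "carol", "idp_audit", "mfa_method_added", method="fido2"),
    _ev("09:10:00", "carol", "email", "delivered", subject="Invoice 4471 overdue"),
    _ev("09:11:00", "carol", "proxy", "url_click", host="review-docs.example"),
    _ev("09:12:00", "carol", "idp", "signin_success", ip="198.51.100.9"),
    # dave: every stage present, but the MFA change is 45 minutes out -> no alert
    _ev("10:00:00", "dave", "email", "delivered", subject="Billing update required"),
    _ev("10:01:00", "dave", "proxy", "url_click", host="billing-portal.example"),
    _ev("10:02:00", "dave", "idp", "signin_success", ip="203.0.113.9"),
    _ev("10:45:00", "dave", "idp_audit", "mfa_method_added", method="phone"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only alice fires. The three non-alerts are the cases a production rule has to get right: a click that goes to the real sign-in host, stages in the wrong order, and a chain that completes outside the window. In a SIEM you would express the same thing as a sequence rule keyed on the user, with the window and the trusted-host exclusion as the two tunables.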
Bottom line
Salty2FA shows how quickly PhaaS is evolving: yesterday’s “phish” is today’s identity takeover with MFA in the loop. Beating it isn’t about catching a single URL—it’s about recognizing the playbook, hardening identity, and responding in minutes. If your defenses still assume MFA stops phishers, it’s time to update that model.
