Phishing-as-a-Service (PhaaS) platforms keep evolving, giving attackers faster and cheaper ways to break into corporate accounts. Now, researchers at ANY.RUN have uncovered a new entrant: Salty2FA, a phishing kit designed to bypass multiple two-factor authentication methods and slip past traditional defenses.
Already spotted in campaigns across the US and EU, Salty2FA puts enterprises at risk by targeting industries from finance to energy. Its multi-stage execution chain, evasive infrastructure, and ability to intercept credentials and 2FA codes make it one of the most dangerous PhaaS frameworks seen this year.
Why Salty2FA Raises the Stakes for Enterprises
Salty2FA’s ability to bypass push, SMS, and voice-based 2FA means stolen credentials can lead directly to account takeover. Already aimed at finance, energy, and telecom sectors, the kit turns common phishing emails into high-impact breaches.
Who is Being Targeted?
ANY.RUN analysts mapped Salty2FA campaigns and found activity spanning multiple regions and industries, with US and EU enterprises most heavily hit.

| Region | Key Targeted Industries |
| --- | --- |
| United States | Finance, healthcare, government, logistics, energy, IT consulting, education, construction |
| Europe (UK, Germany, Spain, Italy, Greece, Switzerland) | Telecom, chemicals, energy (including solar), industrial manufacturing, real estate, consulting |
| Worldwide / Other | Logistics, IT, metallurgy (India, Canada, France, LATAM) |

When Did Salty2FA Start Hitting Enterprises?
Based on data from the ANY.RUN Sandbox and TI, Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April. Confirmed campaigns have been active since late July and continue to this day, generating dozens of fresh analysis sessions daily.
Real-World Case: How Salty2FA Exploits Enterprise Employees
One recent case analyzed by ANY.RUN shows just how convincing Salty2FA can be in practice. An employee received an email with the subject line “External Review Request: 2025 Payment Correction”, a lure designed to trigger urgency and bypass skepticism.
When opened in the ANY.RUN sandbox, the attack chain unfolded step by step:
[Figure: Malicious email with Salty2FA attack analyzed inside ANY.RUN sandbox]
Stage 1: Email lure
The email contained a payment correction request disguised as a routine business message.
Stage 2: Redirect and fake login
The link led to a Microsoft-branded login page, wrapped in Cloudflare checks to bypass automated filters. In the sandbox, ANY.RUN’s Automated Interactivity handled the verification automatically, exposing the flow without manual clicks and cutting investigation time for analysts.


