New threat bypasses SMS, push, and voice 2FA in enterprise attacks
Tshedimoso Makhene
Sep 26, 2025 7:51:06 PM

A newly uncovered phishing kit called Salty2FA is targeting enterprises in the U.S. and Europe, using fake login pages to steal credentials and bypass multiple forms of two-factor authentication (2FA).
What happened
According to The Hacker News, researchers at ANY.RUN have identified a new phishing kit, Salty2FA, which is being used in active campaigns targeting enterprises across the United States and the European Union.
Salty2FA is designed to steal credentials and to bypass multiple forms of two-factor authentication (2FA), including push notifications, SMS messages, and voice-based codes. The kit has been observed targeting industries such as finance, energy, telecommunications, government, and consulting, among others.
Going deeper
Timeline and spread
Salty2FA’s activity began gaining momentum around June 2025, though there are indications that the kit may have been in development or early use as far back as March or April. Confirmed phishing campaigns have been in full swing since late July and continue at the time of reporting.
Target geography and industries
The main targets are in the US and EU. Affected industries include finance, healthcare, government, logistics, energy, IT consulting, construction, telecom, chemicals, industrial manufacturing, solar energy, real estate, and consulting, among others. Activity has also spread to other regions such as LATAM, India, and Canada.
Technical details
- Email lure: For example, an employee receives an email with a subject like “External Review Request: 2025 Payment Correction” intended to spur urgency.
- Redirect to fake login page: The email link leads to a Microsoft-branded login page, with added evasion measures (Cloudflare checks, etc.) to bypass filters and make detection harder.
- Credential capture: When the target submits their credentials, these are harvested and sent to the attacker-controlled infrastructure.
- 2FA bypass: If multi-factor authentication is enabled, the phishing flow then prompts for the second factor, intercepting the push, SMS, or voice call verification.
Detection and defense
ANY.RUN’s sandbox/interactive analysis environment provided full visibility of the attack chain, from clicking the phishing link through credential theft and 2FA interception. This helps security operations teams (SOCs) see behavioral patterns rather than relying solely on static indicators (like domain names or file hashes).
The researchers suggest that because static indicators are easily changed, defense must focus on behaviors, rapid response, and stronger MFA methods.
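As an added illustration of behavior-based detection (not code from ANY.RUN or from this article), the Python example below correlates an email link click with a sign-in that follows within minutes from an address the user has never used, regardless of which domain was clicked. It assumes the sign-in produced by the phishing flow comes from attacker infrastructure rather than the user's own address; the field names, the 10-minute window, and the sample records are constructed for the example.

```python
from datetime import datetime, timedelta

RELAYABLE = {"sms", "push", "voice"}  # second factors the article says the kit intercepts

# Constructed sample telemetry; field names are assumptions, not a vendor schema.
CLICKS = [  # email link clicks seen by a mail gateway or web proxy
    {"user": "alice", "time": "2025-09-01T09:00:10", "ip": "198.51.100.7", "host": "portal-review.example.net"},
    {"user": "bob", "time": "2025-09-01T09:05:00", "ip": "198.51.100.9", "host": "docs.example.org"},
]
SIGNINS = [  # successful sign-ins reported by the identity provider
    {"user": "alice", "time": "2025-09-01T09:01:30", "ip": "203.0.113.50", "mfa": "sms"},
    {"user": "bob", "time": "2025-09-01T09:06:00", "ip": "198.51.100.9", "mfa": "push"},
    {"user": "carol", "time": "2025-09-01T09:07:00", "ip": "203.0.113.80", "mfa": "voice"},
]
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.9"}, "carol": {"203.0.113.80"}}


def find_relayed_signins(clicks, signins, known_ips, window=timedelta(minutes=10)):
    """Flag sign-ins that follow an email click but come from an unfamiliar IP."""
    alerts = []
    for s in signins:
        if s["mfa"] not in RELAYABLE:
            continue
        s_time = datetime.fromisoformat(s["time"])
        for c in clicks:
            if c["user"] != s["user"]:
                continue
            delay = s_time - datetime.fromisoformat(c["time"])
            # The click must precede the sign-in and fall inside the window.
            if not timedelta(0) <= delay <= window:
                continue
            # Behavior, not indicator: the user's browser and the sign-in use
            # different addresses, and the sign-in address is new for this user.
            if s["ip"] != c["ip"] and s["ip"] not in known_ips.get(s["user"], set()):
                alerts.append({"user": s["user"], "signin_ip": s["ip"],
                               "clicked_host": c["host"],
                               "delay_s": int(delay.total_seconds())})
                break  # one alert per sign-in
    return alerts


if __name__ == "__main__":
    for alert in find_relayed_signins(CLICKS, SIGNINS, KNOWN_IPS):
        print(alert)
```

Only the first sample sign-in is flagged; the clicked hostname is reported for triage but plays no part in the decision, so rotating the phishing domain does not change the result.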
In the know
Phishing kits are pre-packaged tools that let attackers easily launch scams by mimicking login pages, stealing credentials, and even bypassing 2FA. Sold as “phishing-as-a-service,” they lower the barrier for cybercrime and enable large-scale attacks against enterprises.
Why it matters
By intercepting push notifications, SMS codes, and even voice-based verification, the kit undermines methods that many organizations trust as their last line of defense. This means that even employees and executives who follow best practices (using strong passwords and enabling MFA) can still have their accounts compromised.
FAQs
What is two-factor authentication (2FA)?
2FA is a security step that asks for something extra, like a code sent to your phone or an app notification, after you enter your password. It’s meant to stop hackers even if they steal your password.
Does this mean 2FA is useless?
No, 2FA still makes hacking harder. But some forms of 2FA, like SMS or voice codes, are easier to trick. Stronger options, like authenticator apps or hardware keys, give much better protection.