New Phishing Kit Bypasses MFA to Steal Microsoft 365 Credentials


Attackers are using a newly discovered phishing-as-a-service (PhaaS) platform dubbed “Salty 2FA” to target a wide range of industries across North America and Europe, according to researchers at ANYRUN.

The phishing attacks are delivered via email and primarily attempt to steal Microsoft 365 credentials. Like many popular commodity phishing kits, Salty 2FA is designed to bypass a variety of multifactor authentication measures.

“With its ability to distribute phishing payloads at scale, maintain dynamic infrastructure, intercept and process most known 2FA authentication methods beyond simple credentials, and manage a complex communication model between phishing pages and C2 servers, Salty 2FA stands on par with the ‘major’ kits in today’s phishing landscape,” the researchers note.

Common phishing lures used by the kit relate to billing statements, payroll amendments, requests for proposals, or bid invitations. ANYRUN observed the attackers using the phishing kit to target a variety of sectors across the US, Canada, France, Germany, Greece, Italy, Spain, Switzerland, and the United Kingdom. The attacks have also targeted the financial sector in Latin America and the metallurgy industry in the US and India. 

The researchers believe Salty 2FA’s developers are still improving the platform, and organizations worldwide should be on the lookout for these phishing attacks.

“Based on data from the ANYRUN Sandbox and TI, activity resembling Salty 2FA began gaining momentum in June 2025, although it is possible that early or ‘raw’ variants of the kit, or samples similar to it, were already being deployed as early as March–April 2025,” the researchers write. “Confirmed activity attributed to Salty 2FA has been observed since late July 2025 and continues to this day, generating dozens of new public analysis sessions in the Sandbox every day.”

AI-powered security awareness training can give your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.

ANYRUN has the story.




