Phishing-as-a-Service (PhaaS) platforms keep evolving, giving attackers faster and cheaper ways to break into corporate accounts. Now, researchers at ANY.RUN has uncovered a new entrant: Salty2FA, a phishing kit designed to bypass multiple two-factor authentication methods and slip past traditional defenses.
Already spotted in campaigns across the US and EU, Salty2FA puts enterprises at risk by targeting industries from finance to energy. Its multi-stage execution chain, evasive infrastructure, and ability to intercept credentials and 2FA codes make it one of the most dangerous PhaaS frameworks seen this year.
Why Salty2FA Raises the Stakes for Enterprises
Salty2FA’s ability to bypass push, SMS, and voice-based 2FA means stolen credentials can lead directly to account takeover. Already aimed at finance, energy, and telecom sectors, the kit turns common phishing emails into high-impact breaches.
Who is Being Targeted?
ANY.RUN analysts mapped Salty2FA campaigns and found activity spanning multiple regions and industries, with the US and EU enterprises most heavily hit.
| Region | Key Targeted Industries |
| United States | Finance, healthcare, government, logistics, energy, IT consulting, education, construction |
| Europe (UK, Germany, Spain, Italy, Greece, Switzerland) | Telecom, chemicals, energy (including solar), industrial manufacturing, real estate, consulting |
| Worldwide / Other | Logistics, IT, metallurgy (India, Canada, France, LATAM) |
When Did Salty2FA Start Hitting Enterprises?
Based on data from the ANY.RUN Sandbox and TI, Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April. Confirmed campaigns have been active since late July and continue to this day, generating dozens of fresh analysis sessions daily.
Real-World Case: How Salty2FA Exploits Enterprise Employees
One recent case analyzed by ANY.RUN shows just how convincing Salty2FA can be in practice. An employee received an email with the subject line “External Review Request: 2025 Payment Correction”, a lure designed to trigger urgency and bypass skepticism.
When opened in the ANY.RUN sandbox, the attack chain unfolded step by step:
View real-world case of Salty2FA attack
 |
| Malicious email with Salty2FA attack analyzed inside ANY.RUN sandbox |
Stage 1: Email lure
The email contained a payment correction request disguised as a routine business message.
Join 15K+ enterprises worldwide that cut investigation time and stop breaches faster with ANY.RUN
Get started now
Stage 2: Redirect and fake login
The link led to a Microsoft-branded login page, wrapped in Cloudflare checks to bypass automated filters. In the sandbox, ANY.RUN’s Automated Interactivity handled the verification automatically, exposing the flow without manual clicks and cutting investigation time for analysts.
 |
| Cloudflare verification completed automatically inside ANY.RUN sandbox |
Stage 3: Credential theft
Employee details entered on the page were harvested and exfiltrated to attacker-controlled servers.
 |
| Fake Microsoft page, ready to steal credentials from victims |
Stage 4: 2FA bypass
If the account had multi-factor authentication enabled, the phishing page prompted for codes and could intercept push, SMS, or even voice call verification.
By running the file in the sandbox, SOC teams could see the full execution chain in real time, from the first click to credential theft and 2FA interception. This level of visibility is critical, because static indicators like domains or hashes mutate daily, but behavioral patterns remain consistent. Sandbox analysis gives faster confirmation of threats, reduced analyst workload, and better coverage against evolving PhaaS kits like Salty2FA.
Stopping Salty2FA: What SOCs Should Do Next
Salty2FA shows how fast phishing-as-a-service is evolving and why static indicators alone won’t stop it. For SOCs and security leaders, protection means shifting focus to behaviors and response speed:
- Rely on behavioral detection: Track recurring patterns like domain structures and page logic rather than chasing constantly changing IOCs.
- Detonate suspicious emails in a sandbox: Full-chain visibility reveals credential theft and 2FA interception attempts in real time.
- Harden MFA policies: Favor app-based or hardware tokens over SMS and voice, and use conditional access to flag risky logins.
- Train employees on financial lures: Common hooks like “payment correction” or “billing statement” should always raise suspicion.
- Integrate sandbox results into your stack: Feeding live attack data into SIEM/SOAR speeds detection and reduces manual workload.
By combining these measures, enterprises can turn Salty2FA from a hidden risk into a known and manageable threat.
Boost SOC Efficiency with Interactive Sandboxing
Enterprises worldwide are turning to interactive sandboxes like ANY.RUN to strengthen their defenses against advanced phishing kits such as Salty2FA. The results are measurable:
- 3× SOC efficiency by combining interactive analysis and automation.
- Up to 50% faster investigations, cutting time from hours to minutes.
- 94% of users report faster triage, with clearer IOCs and TTPs for confident decision-making.
- 30% fewer Tier 1–Tier 2 escalations, as junior analysts gain confidence and senior staff are freed to focus on critical tasks.
With visibility into 88% of threats in under 60 seconds, enterprises get the speed and clarity they need to stop phishing before it leads to a major breach.
Try ANY.RUN today: built for enterprise SOCs that need faster investigations, stronger defenses, and measurable results.
