Salty2FA Bypasses Multi-Factor Authentication in Advanced Phishing Campaign

A New Era of Phishing
Cybersecurity researchers have identified a next-generation phishing kit known as Salty2FA, which uses advanced tactics to bypass multi-factor authentication (MFA) and impersonate trusted corporate login portals.
The kit was revealed in exclusive research by the Ontinue Cyber Defence Centre, which described it as part of a wider evolution in phishing that mirrors the development practices of legitimate software companies.
The campaign begins with an email lure pointing victims to a fake document-sharing page hosted on Aha.io, created on September 3, 2025, using a free trial account.
Phishing Lure (Source: Ontinue)
Multi-Stage Attack Chain
Once on the malicious site, victims are directed through a Cloudflare Turnstile captcha — a step that ironically blocks automated sandboxes and analysis tools while allowing human victims to proceed.
From there, the phishing kit deploys a multi-stage attack chain supported by session-based rotating subdomains. Each new visitor is assigned a unique URL, making it nearly impossible for defenders to blacklist domains or disrupt the campaign.
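A defender-side heuristic for the per-visitor subdomains described above, added here as an example and not taken from Ontinue's research: group proxy or DNS log hostnames by parent domain and flag parents where nearly every hostname was contacted by a single client, so the block can be applied at the parent level. The log format, function names, thresholds and the two-label parent-domain rule are assumptions, and the sample hostnames are constructed.

```python
from collections import defaultdict

# Constructed proxy-log sample: (client_ip, requested_host). Not real indicators.
SAMPLE_LOG = [
    ("10.0.0.11", "a91f3c.login-portal.example"),
    ("10.0.0.12", "7be20d.login-portal.example"),
    ("10.0.0.13", "c4d81a.login-portal.example"),
    ("10.0.0.14", "0f6e2b.login-portal.example"),
    ("10.0.0.11", "www.intranet.example"),
    ("10.0.0.12", "www.intranet.example"),
    ("10.0.0.13", "mail.intranet.example"),
    ("10.0.0.14", "www.intranet.example"),
]

def parent_domain(host):
    """Assumption: the last two labels form the registrable domain.
    Production code should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def rotating_subdomain_parents(log, min_hosts=3, min_single_ratio=0.8):
    """Return {parent: [hosts]} for parents with at least min_hosts distinct
    hostnames, of which at least min_single_ratio were seen by one client only."""
    clients_by_host = defaultdict(set)
    for client, host in log:
        clients_by_host[host.lower().rstrip(".")].add(client)

    hosts_by_parent = defaultdict(set)
    for host in clients_by_host:
        hosts_by_parent[parent_domain(host)].add(host)

    flagged = {}
    for parent, hosts in hosts_by_parent.items():
        if len(hosts) < min_hosts:
            continue  # too few hostnames to call it rotation
        single = sum(1 for h in hosts if len(clients_by_host[h]) == 1)
        if single / len(hosts) >= min_single_ratio:
            flagged[parent] = sorted(hosts)
    return flagged

if __name__ == "__main__":
    for parent, hosts in rotating_subdomain_parents(SAMPLE_LOG).items():
        print(f"{parent}: {len(hosts)} single-client hostnames, review for parent-level block")
```

Legitimate services that issue per-tenant or per-user hostnames will also match, so treat a hit as a lead for review, not as a verdict.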
The Art of Impersonation
Ontinue researchers highlighted the kit’s ability to perform dynamic corporate branding. By analyzing a victim’s email domain, Salty2FA generates a fraudulent login portal complete with the target company’s logo, colors, and styling.
This tactic enhances the realism of the phishing attempt and has been observed across industries including healthcare, finance, technology, and energy.
The kit also simulates up to six forms of multi-factor authentication, such as SMS, authenticator apps, and phone call codes — giving victims the false impression they are interacting with a secure, legitimate system.
Defensive Evasion
To hinder defenders, the kit employs heavy code obfuscation and anti-debugging techniques, complicating efforts by security researchers to reverse engineer or dismantle the framework.
The sophistication of the campaign suggests the involvement of an organized and well-funded criminal group, though Ontinue noted no definitive attribution could be made.
The Bigger Picture
This discovery aligns with a broader surge in advanced phishing. Data from Menlo Security shows a 140% increase in browser-based phishing since 2023, alongside a 130% rise in zero-hour phishing attacks exploiting unpatched vulnerabilities.
These trends underscore the growing difficulty of defending against “Phishing 2.0” kits that blend technical sophistication with psychological manipulation.
Expert Perspectives
Nicole Carignan, Senior Vice President of Security & AI Strategy at Darktrace, warned that traditional tools struggle to detect such campaigns:
“Organisations can’t rely on employees as the last line of defence. Machine learning systems that build a baseline of normal activity are essential to accurately detect suspicious behavior.”
Jason Soroko, Senior Fellow at Sectigo, added that MFA alone is not foolproof:
“Not all multi-factor authentication is created equal. Shared-secret MFA, such as one-time passwords, is just as vulnerable to fake authentication pages as traditional passwords. Education and stronger MFA methods are critical.”
Source: hackread.com













