{"id":14760,"date":"2025-09-09T13:03:36","date_gmt":"2025-09-09T13:03:36","guid":{"rendered":"https:\/\/newestek.com\/?p=14760"},"modified":"2025-09-09T13:03:36","modified_gmt":"2025-09-09T13:03:36","slug":"phishing-kit-salty2fa-washes-away-confidence-in-mfa","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14760","title":{"rendered":"Phishing kit Salty2FA washes away confidence in MFA"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>A newly uncovered phishing campaign has been linked to Salty2FA, a phishing-as-a-service framework built to sidestep multi-factor authentication (MFA).<\/p>\n<p>The ongoing campaign is using the kit to bypass <a href=\"https:\/\/www.csoonline.com\/article\/3535222\/mfa-adoption-is-catching-up-but-is-not-quite-there.html\" target=\"_blank\">MFA protections<\/a> by intercepting MFA verification codes, rotating subdomains, and cloaking itself behind trusted platforms like <a href=\"https:\/\/www.csoonline.com\/article\/4003056\/new-phishing-campaign-hijacks-clipboard-via-fake-captcha-for-malware-delivery.html\" target=\"_blank\">Cloudflare Turnstile<\/a>, according to cybersecurity firm Ontinue\u2019s findings. In a disclosure shared with CSO ahead of its publication on Tuesday, Ontinue said the campaign employs \u2018notable technical innovations\u2019 that include evasion tactics previously unseen in the kit\u2019s use.<\/p>\n<p>\u201cSalty2FA is another reminder that phishing has matured into enterprise-grade operations, complete with advanced evasion tactics and convincing MFA simulations,\u201d said Brian Thornton, Senior Sales Engineer at Zimperium. 
\u201cBy exploiting trusted platforms and mimicking corporate portals, attackers are blurring the lines between real and fraudulent traffic.\u201d<\/p>\n<p>First observed in mid-2025, Salty2FA has already <a href=\"https:\/\/blog.knowbe4.com\/new-phishing-kit-bypasses-mfa-to-steal-microsoft-365-credentials\" target=\"_blank\" rel=\"noreferrer noopener\">powered multiple campaigns<\/a> against Microsoft 365 users worldwide.<\/p>\n<h2 class=\"wp-block-heading\" id=\"mfa-isnt-the-shield-it-used-to-be\">MFA isn\u2019t the shield it used to be<\/h2>\n<p>In the campaign, attackers set up a multi-stage infrastructure beginning with a malicious redirect hosted on a newly registered \u2018aha[.]io\u2019 account. Victims were funneled through a Cloudflare Turnstile gate that filters out automated analysis before they land on the final credential harvester page. There, Salty2FA simulated multiple MFA flows, including SMS, authenticator apps, push notifications, and even hardware tokens \u2014 while applying dynamic corporate branding chosen from the victim\u2019s email domain to make the phishing portal look like the organization\u2019s own login page.<\/p>\n<p>The campaign shows how adversaries are undermining MFA, the control long promoted as the <a href=\"https:\/\/www.csoonline.com\/article\/563753\/two-factor-authentication-2fa-explained.html\">safest way to protect accounts<\/a>. The kit employs domain pairing, obfuscation, and Cloudflare Turnstile manipulation to create portals nearly indistinguishable from legitimate login pages. Keeper Security\u2019s CISO Shane Barney called it \u201cthe arrival of phishing 2.0\u2013attacks engineered to bypass the very safeguards organizations once trusted.\u201d<\/p>\n<p>In addition to Cloudflare Turnstile challenges, the campaign uses subdomain rotation and geo-blocking of requests by their network origin for advanced evasion. 
Each victim gets a unique subdomain, so blocklists keyed on exact hostnames never match, while requests arriving from security-vendor and cloud-provider address ranges are refused, so only real users reach the phishing page.<\/p>\n<h2 class=\"wp-block-heading\">A call for layered and adaptive defenses<\/h2>\n<p>Countering Salty2FA takes more than passwords and legacy controls, industry experts agreed. Darren Guccione, CEO of Keeper Security, argued that passkeys and passwordless authentication should be part of the strategy. \u201cThese technologies complement existing security measures by reducing reliance on traditional passwords, which remain a prime target for phishing,\u201d he said.<\/p>\n<p>Ontinue researchers have <a href=\"https:\/\/www.ontinue.com\/resource\/blog-salty2fa-multi-stage-evasion-phishing\/\" target=\"_blank\" rel=\"noreferrer noopener\">advised<\/a> shifting away from static checks, which Salty2FA easily evades, toward sandboxing and run-time inspection of suspicious domains. That inspection only works if the sandbox egresses from an address the kit does not filter: a detonation launched from a cloud-provider range is refused and never sees the harvester page. They also stress that user awareness remains critical, as the phishing portals mimic legitimate sites so closely that technical controls alone cannot reliably stop them.<\/p>\n<p>Barney echoed the concern and argued that static detection techniques are inadequate in this new environment. Instead, he said, defenders need to monitor for domain anomalies, unusual JavaScript execution, and other subtle behavioral clues. He also pointed to phishing-resistant methods like <a href=\"https:\/\/www.csoonline.com\/article\/574265\/why-it-might-be-time-to-consider-using-fido-based-authentication-devices.html\">FIDO2<\/a> and WebAuthn tokens, which make stolen codes useless, as critical safeguards. Such authenticators sign a challenge bound to the origin the browser is actually talking to, so a lookalike domain never receives anything it can replay against the real service.<\/p>\n<p>Privileged access management, a zero-trust framework, and continuous training are recommended as key to limiting the fallout from credential theft. 
\u201cOrganizations must be equally adaptive by combining behavioral detection, runtime visibility, and phishing-resistant authentication to keep pace with a new generation of threats,\u201d Barney added.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A newly uncovered phishing campaign has been linked to Salty2FA, a phishing-as-a-service framework built to sidestep multi-factor authentication (MFA). The ongoing campaign is using the kit to bypass MFA protections by intercepting MFA verification codes, rotating subdomains, and cloaking itself behind trusted platforms like Cloudflare Turnstile, according to cybersecurity firm Ontinue\u2019s findings. In a disclosure shared with CSO ahead of its publication on Tuesday, Ontinue said&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14760\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14760","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14760","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14760"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14760\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14760"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14760"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14760"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
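The article describes two defender-visible traits of the campaign: each victim is handed a unique subdomain under the kit's domain, and experts recommend hunting for "domain anomalies" rather than relying on hostname blocklists. As an added example (not code from the article, from Ontinue, or from the Salty2FA kit), the following Python script turns that trait into a detection over web-proxy logs: it groups hostnames by apex domain and flags an apex whose subdomains are numerous and each contacted by at most one user, which is the fan-out pattern per-victim rotation produces and legitimate shared hosting does not. The log format, hostnames, user names and thresholds are constructed assumptions, and the apex heuristic (last two labels) is a stand-in for a Public Suffix List lookup.

```python
"""Flag per-victim subdomain rotation in web-proxy logs.

Added example, not code from the original article, Ontinue, or the Salty2FA
kit. Log format, hostnames, users and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample proxy lines: timestamp, authenticated user, requested host.
# verify-acct-example.net imitates per-victim rotation (one subdomain per user);
# static-example.org imitates a legitimate CDN whose subdomains are shared.
SAMPLE_LOG = """\
2025-09-09T10:00:01Z user=alice host=k3x9q2.verify-acct-example.net
2025-09-09T10:00:05Z user=alice host=k3x9q2.verify-acct-example.net
2025-09-09T10:02:11Z user=bob host=p8wz71.verify-acct-example.net
2025-09-09T10:05:40Z user=carol host=m2rt55.verify-acct-example.net
2025-09-09T10:07:02Z user=dave host=zz41kq.verify-acct-example.net
2025-09-09T10:09:19Z user=erin host=h7s0ab.verify-acct-example.net
2025-09-09T10:00:02Z user=alice host=cdn1.static-example.org
2025-09-09T10:00:03Z user=bob host=cdn1.static-example.org
2025-09-09T10:00:04Z user=carol host=cdn2.static-example.org
2025-09-09T10:00:06Z user=dave host=cdn2.static-example.org
2025-09-09T10:00:07Z user=erin host=cdn3.static-example.org
2025-09-09T10:00:08Z user=alice host=cdn4.static-example.org
2025-09-09T10:01:00Z user=alice host=mail.corp-example.com
"""

# Assumed log layout: "user=<name> host=<fqdn>" somewhere on each line.
LINE_RE = re.compile(r"user=(?P<user>\S+)\s+host=(?P<host>\S+)")


def registrable_domain(host):
    """Approximate the apex as the last two labels.

    Assumption for this example only: a real deployment should resolve the
    apex with the Public Suffix List so that 'co.uk'-style suffixes work.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (user, host) pairs from the constructed log lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("user"), m.group("host").lower()


def subdomain_rotation_candidates(text, min_subdomains=4, max_users_per_sub=1):
    """Return {apex: [subdomains]} for apexes that look like per-victim rotation.

    An apex is flagged when it has at least `min_subdomains` distinct
    subdomains and every one of them was contacted by no more than
    `max_users_per_sub` distinct users. Shared infrastructure (a CDN, a
    SaaS tenant host) fails the second test because its subdomains are
    reused across many users.
    """
    users_by_sub = defaultdict(lambda: defaultdict(set))  # apex -> sub -> users
    for user, host in parse_log(text):
        apex = registrable_domain(host)
        sub = host[: -len(apex) - 1] or "@"  # "@" marks the bare apex itself
        users_by_sub[apex][sub].add(user)

    hits = {}
    for apex, subs in users_by_sub.items():
        if len(subs) < min_subdomains:
            continue
        if all(len(users) <= max_users_per_sub for users in subs.values()):
            hits[apex] = sorted(subs)
    return hits


if __name__ == "__main__":
    for apex, subs in subdomain_rotation_candidates(SAMPLE_LOG).items():
        print(f"possible per-victim subdomain rotation: {apex} "
              f"({len(subs)} subdomains, one user each)")
```

On the constructed sample only verify-acct-example.net is reported: its five subdomains were each visited by exactly one user, while static-example.org has enough subdomains to pass the count threshold but fails the one-user-per-subdomain test because cdn1 and cdn2 are shared. In production the same logic runs over a sliding window so that an apex accumulating new single-user subdomains over a day stands out, and the hit list feeds the run-time inspection the article recommends rather than a hostname blocklist the kit would simply rotate past.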