A newly uncovered phishing campaign has been linked to Salty2FA, a phishing-as-a-service framework built to sidestep multi-factor authentication (MFA).
The ongoing campaign uses the kit to defeat MFA by intercepting the verification step, rotating subdomains, and hiding behind trusted services such as Cloudflare Turnstile, according to findings from cybersecurity firm Ontinue. In a disclosure shared with CSO ahead of its publication on Tuesday, Ontinue said the campaign employs ‘notable technical innovations’, including evasion tactics not previously seen in the kit’s use.
“Salty2FA is another reminder that phishing has matured into enterprise-grade operations, complete with advanced evasion tactics and convincing MFA simulations,” said Brian Thornton, Senior Sales Engineer at Zimperium. “By exploiting trusted platforms and mimicking corporate portals, attackers are blurring the lines between real and fraudulent traffic.”
First observed in mid-2025, Salty2FA has already powered multiple campaigns against Microsoft 365 users worldwide.
MFA isn’t the shield it used to be
In the campaign, attackers set up a multi-stage infrastructure beginning with a malicious redirect hosted on a newly registered ‘aha[.]io’ account. Victims were funneled through a Cloudflare Turnstile gate to filter out automated analysis before landing on the final credential harvester page. There, Salty2FA simulated multiple MFA flows, including SMS, authenticator apps, push notifications, and even hardware tokens — while applying dynamic corporate branding based on the victim’s email domain to make the phishing portals appear authentic.
The campaign shows how adversaries are undermining MFA, the control long promoted as the most reliable way to protect accounts. The kit combines domain pairing, obfuscation, and Cloudflare Turnstile gating to produce portals that are nearly indistinguishable from legitimate login pages. Keeper Security’s CISO Shane Barney called it “the arrival of phishing 2.0: attacks engineered to bypass the very safeguards organizations once trusted.”
In addition to Cloudflare Turnstile challenges, the campaign uses subdomain rotation and geo-blocking for evasion. Each victim is served a unique subdomain, so a domain blacklist built from one victim’s URL does not match the next, while connections from security-vendor and cloud-provider address ranges, and from outside the targeted regions, are dropped so that scanners and sandboxes never see the phishing page.
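The per-victim subdomain pattern described above leaves a footprint in egress proxy or DNS logs that a blocklist cannot give you: one apex domain sprouting many never-before-seen subdomains, each contacted by exactly one client. The following is an added example of that detection logic, not Ontinue’s or any vendor’s code; the log records, hostnames and the `portal-verify.example` domain are constructed for illustration, and the apex-domain extraction is a deliberate simplification noted in the comments.

```python
"""Added example: flag apex domains whose subdomains look per-victim.

Input is a constructed list of egress-proxy records (client_ip, host, path).
Heuristic: an apex with at least `min_subdomains` distinct hostnames where no
hostname is shared by more than `max_clients_per_sub` clients.
"""
from collections import defaultdict

# Constructed sample records; not real traffic. Note the four hosts under
# portal-verify.example, each seen by a single client.
SAMPLE_LOG = [
    ("10.0.1.11", "login.microsoftonline.com", "/common/oauth2/authorize"),
    ("10.0.1.12", "login.microsoftonline.com", "/common/oauth2/authorize"),
    ("10.0.1.13", "login.microsoftonline.com", "/common/oauth2/authorize"),
    ("10.0.1.21", "k3d9q2.portal-verify.example", "/auth/login"),
    ("10.0.1.22", "x81m0a.portal-verify.example", "/auth/login"),
    ("10.0.1.23", "p0z7wq.portal-verify.example", "/auth/login"),
    ("10.0.1.24", "vv2n8t.portal-verify.example", "/auth/login"),
    ("10.0.1.31", "cdn.contoso.example", "/assets/app.js"),
    ("10.0.1.32", "cdn.contoso.example", "/assets/app.js"),
    ("10.0.1.31", "api.contoso.example", "/v1/me"),
]


def apex_of(host: str) -> str:
    """Crude registrable-domain guess: the last two labels.

    Assumption made for an offline example. Production tooling should use a
    public-suffix list, otherwise hosts under co.uk and similar suffixes are
    grouped wrongly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_rotating_subdomains(records, min_subdomains=3, max_clients_per_sub=1):
    """Return {apex: [hostnames]} for apex domains that match the heuristic.

    Legitimate services (a CDN, an API host) reuse a handful of hostnames across
    many clients; a per-victim phishing apex does the opposite.
    """
    # apex -> hostname -> set of clients that contacted it
    subs_by_apex = defaultdict(lambda: defaultdict(set))
    for client, host, _path in records:
        subs_by_apex[apex_of(host)][host].add(client)

    flagged = {}
    for apex, hosts in subs_by_apex.items():
        if len(hosts) < min_subdomains:
            continue
        if all(len(clients) <= max_clients_per_sub for clients in hosts.values()):
            flagged[apex] = sorted(hosts)
    return flagged


if __name__ == "__main__":
    for apex, hosts in find_rotating_subdomains(SAMPLE_LOG).items():
        print(f"{apex}: {len(hosts)} single-client subdomains")
        for h in hosts:
            print("   ", h)
```

Tune `min_subdomains` to the size of the log window; on a small fleet three is enough to be interesting, on a large one the number of distinct hostnames under a freshly registered apex is the stronger signal, and pairing the hit with a preceding fetch from the Turnstile challenge endpoint narrows it further.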
A call for layered and adaptive defenses
Industry experts agree that countering Salty2FA takes more than passwords and legacy controls. Darren Guccione, CEO of Keeper Security, argued that passkeys and passwordless authentication should be part of the strategy. “These technologies complement existing security measures by reducing reliance on traditional passwords, which remain a prime target for phishing,” he said.
Ontinue researchers have advised shifting away from static checks such as domain and URL reputation lookups, which the kit’s rotating subdomains and gated delivery defeat, toward sandboxing and run-time inspection of suspicious domains. They also stress that user awareness remains critical, as the phishing portals mimic legitimate sites so closely that technical controls alone cannot reliably stop them.
Barney echoed the concern and argued that static detection techniques are inadequate in this new environment. Instead, he said, defenders need to monitor for domain anomalies, unusual JavaScript execution, and other subtle behavioral clues. He also pointed to phishing-resistant methods like FIDO2 and WebAuthn tokens, which make stolen codes useless, as critical safeguards. The distinction matters for this campaign: the kit’s simulated SMS, authenticator-app, and push prompts work because those factors yield a code or approval that can be relayed to the real service, whereas a FIDO2 assertion is signed over the origin the user is actually on, so one captured on a lookalike domain is rejected by the legitimate site.
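To make the “stolen codes are useless” point concrete, here is an added example, not code from the article or any vendor, that models both sides of the exchange: a TOTP code typed into a phishing page relays cleanly to the real service, while a WebAuthn assertion fails twice, first in the victim’s browser (the credential’s RP ID is not valid for the phishing origin) and again at the relying party (the origin the browser records in `clientDataJSON` is not the expected one). The hostnames `login.example.com` and `login.example.com-verify.phish.test`, the seeds and the function names are constructed; and because the standard library has no public-key crypto, the authenticator signature is stood in for by HMAC with a per-credential secret, which faithfully models the origin binding but not the real signature algorithm.

```python
"""Added example: why a relayed TOTP code works and a relayed WebAuthn assertion
does not. HMAC stands in for the authenticator's public-key signature
(simulation assumption); the origin/RP-ID checks follow the WebAuthn spec.
"""
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse

RP_ID = "login.example.com"                                   # credential scope
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com-verify.phish.test"  # constructed lookalike

CRED_SECRET = b"\x11" * 32      # stand-in for the private key (simulation only)
CREDENTIALS = {RP_ID: CRED_SECRET}   # what the authenticator holds, keyed by RP ID
TOTP_SEED = b"12345678901234567890"  # constructed shared secret for the TOTP case


# ---------- TOTP (RFC 6238): the code carries no notion of where it was typed ----------
def totp(seed: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(seed, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp_relay_succeeds(now: int = 1_700_000_000) -> bool:
    """Victim enters the code on the phishing page; the proxy forwards it verbatim."""
    typed_on_phishing_page = totp(TOTP_SEED, now)
    relayed_by_attacker = typed_on_phishing_page
    return hmac.compare_digest(relayed_by_attacker, totp(TOTP_SEED, now))


# ---------- WebAuthn: the assertion is bound to RP ID and origin ----------
def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """Browser rule: rpId must equal the origin's host or be a label-boundary suffix."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def _sign_assertion(secret: bytes, rp_id: str, origin: str, challenge: bytes) -> dict:
    """Build clientDataJSON and authenticatorData and sign them (HMAC stand-in)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    # rpIdHash (32) || flags (1, UP set) || signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(secret, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def browser_get_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """What navigator.credentials.get() does; the page cannot choose the origin."""
    if not rp_id_valid_for_origin(rp_id, origin):
        raise ValueError(f"SecurityError: rpId {rp_id!r} not valid for origin {origin!r}")
    secret = CREDENTIALS.get(rp_id)
    if secret is None:
        raise LookupError(f"no credential scoped to rpId {rp_id!r}")
    return _sign_assertion(secret, rp_id, origin, challenge)


def rp_verify(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge.hex():
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def legitimate_login() -> bool:
    challenge = os.urandom(32)
    return rp_verify(browser_get_assertion(RP_ORIGIN, RP_ID, challenge), challenge)


def aitm_phishing_attempt() -> dict:
    """Proxy relays the real RP's challenge to the victim on the phishing origin."""
    challenge = os.urandom(32)
    outcome = {}
    try:
        browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge)
        outcome["rp_id_check"] = "browser_signed"          # should not happen
    except ValueError:
        outcome["rp_id_check"] = "blocked_by_browser"
    # Even if a flawed client signed anyway, the origin it records betrays it.
    forged = _sign_assertion(CRED_SECRET, RP_ID, PHISH_ORIGIN, challenge)
    outcome["origin_check"] = "accepted" if rp_verify(forged, challenge) else "rejected_by_rp"
    return outcome


if __name__ == "__main__":
    print("TOTP relay succeeds:", totp_relay_succeeds())
    print("legitimate WebAuthn login:", legitimate_login())
    print("AitM WebAuthn attempt:", aitm_phishing_attempt())
```

The two layers are independent: the browser refuses before any signature exists, and if the kit instead requested a credential scoped to its own hostname it would find none, so the RP-side origin check is the backstop rather than the first line. Note that the RP must compare `origin` against an exact expected value, not a suffix; a relying party that only checks `rpIdHash` would accept the forged assertion.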
Privileged access management, a zero-trust framework, and continuous training are recommended as key to limiting the fallout from credential theft. “Organizations must be equally adaptive by combining behavioral detection, runtime visibility, and phishing-resistant authentication to keep pace with a new generation of threats,” Barney added.