Salty2FA: the phishing kit that pinches your codes (not your chips)
Researchers at ANY.RUN have identified Salty2FA, a phishing-as-a-service kit used across the US and EU that steals credentials and bypasses 2FA (including push, SMS and voice). Campaigns ramped up from June 2025 and target sectors such as finance, energy, telecoms, healthcare and government. A typical lure poses as a Microsoft login, sometimes behind Cloudflare checks, then captures passwords and one-time codes. Recommended defences: focus on behavioural detection over fragile IOCs, sandbox suspicious emails, harden MFA (prefer app/hardware tokens with conditional access), train staff on payment-themed lures, and feed sandbox telemetry into SIEM/SOAR to speed response. The piece includes ANY.RUN’s efficiency claims and is a contributed partner article.
Meet Salty2FA—a ready-made phishing toolkit helping crooks swipe passwords and two-factor codes. It’s been spotted hitting organisations across the UK, Europe and the US, with favourite targets including finance, energy, telecoms and healthcare. Lovely.
How the scam works
• You get an email about a “payment correction”.
• Click through to a convincing Microsoft-style login (sometimes fronted by Cloudflare checks).
• Enter your details… and the site dutifully snaffles your password and 2FA (push, SMS or even voice). Job done—for them.
Why this matters
2FA is brilliant, but it’s not magic. If you type a code into a fake page, the attacker can reuse it in real time. Salty2FA wraps that trick in a nice, reusable kit—making sophisticated attacks easier and cheaper to run.
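An added illustration, not code from the article or from ANY.RUN, of why a typed code can be reused in real time while an origin-bound authenticator cannot: a standard TOTP check accepts the same six digits whichever page collected them, whereas a WebAuthn-style assertion signs over the origin the browser was actually on, so the real service rejects one produced on a lookalike. The seed, origins and challenge are constructed placeholders, and an HMAC stands in for the key-pair signature.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo values (not from any real service or kit).
SEED = b"constructed-demo-seed-0123456789"
REAL_ORIGIN = "https://login.example-corp.test"
LOOKALIKE_ORIGIN = "https://login.example-c0rp.test"  # constructed lookalike page origin

def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation), as authenticator apps generate it."""
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_totp(code: str, now: int) -> bool:
    """The real service sees only six digits; nothing in them records which page
    collected them, so a code typed into a lookalike validates within the same step."""
    return hmac.compare_digest(code, totp(SEED, now))

def authenticator_sign(challenge: str, browser_origin: str) -> dict:
    """Simplified WebAuthn-style assertion: the signature covers client data that the
    browser fills with the origin it is really on (HMAC stands in for a key-pair signature)."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
    return {"client_data": client_data,
            "sig": hmac.new(SEED, client_data.encode(), hashlib.sha256).hexdigest()}

def server_accepts_assertion(assertion: dict, challenge: str) -> bool:
    """Relying-party check: signature valid AND origin/challenge are its own."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != REAL_ORIGIN or data.get("challenge") != challenge:
        return False
    expected = hmac.new(SEED, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])

def relayed_totp_accepted(now: int = 1_750_000_000) -> bool:
    """User reads the code from their app and types it into the lookalike page,
    which forwards it to the real service a few seconds later, inside the 30-second step."""
    code_typed_into_lookalike = totp(SEED, now)
    return server_accepts_totp(code_typed_into_lookalike, now + 5)

def relayed_assertion_accepted() -> bool:
    """Same flow with an origin-bound authenticator: the assertion produced on the
    lookalike names the lookalike's origin, so the real service rejects it."""
    challenge = "constructed-challenge-42"
    assertion_from_lookalike = authenticator_sign(challenge, LOOKALIKE_ORIGIN)
    return server_accepts_assertion(assertion_from_lookalike, challenge)
```

Note that the TOTP path also covers authenticator-app codes, which is why the hardware-token half of the advice below is the part that actually closes the real-time reuse gap.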
What good looks like
• Harden MFA: Favour authenticator apps or hardware tokens; add conditional access (device, location, risk signals).
• Think behaviour, not breadcrumbs: IOCs such as domains and IPs change daily; behavioural detection of the flow itself (lure, verification gate, fake login, credential capture) keeps working when they do.
• Sandbox suspicious emails: Detonate safely and see the whole chain.
• Extend the SOC: Pipe sandbox telemetry into SIEM/SOAR to automate triage.
• Train for money lures: “Payment correction” should ring alarm bells louder than a fire drill.
Bottom line: Don’t bin 2FA—boost it. Combine stronger factors with behavioural controls and faster investigation, and Salty2FA becomes more nuisance than nightmare.