Salty2FA Takes Phishing Kits to Enterprise Level

Summary

A recent campaign analysed by Ontinue shows the Salty2FA phishing kit has evolved into an enterprise-style platform. The kit uses legitimate services to host lures, rotates subdomains per session, dynamically applies corporate branding based on victim email domains, mimics multiple MFA methods, and implements evasion techniques such as geo-blocking, ASN/IP filters and JavaScript anti-debugging. Researchers observed attackers registering trial accounts on trusted platforms (notably Aha.io) and using OneDrive and Cloudflare Turnstile to make the scam look authentic.

Ontinue couldn’t tie the kit to a specific actor, but the toolset and operational approach — automated theming, session-level domain rotation, and behavioural evasion — mirror professional software development and significantly raise the bar for phishing detection.

Key Points

  • Salty2FA automates subdomain rotation and session-level infrastructure to reduce traceability.
  • Attackers abused legitimate platforms (Aha.io, OneDrive) to stage convincing lures and leverage user trust.
  • The kit dynamically deploys corporate branding based on victim email domains, creating highly realistic login replicas.
  • It can simulate multiple MFA workflows, increasing the likelihood that victims will disclose credentials or bypass protections.
  • Evasion tactics include geo-blocking, ASN/IP filtering and JavaScript anti-debugging to hinder researchers and SOCs.
  • Cloudflare Turnstile and proper HTTPS are used to bypass casual detection and make pages appear legitimate.
  • Defenders should move beyond static IOCs to behavioural detection across endpoints, mobile and apps.
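Added example (not from the Ontinue research or the Dark Reading article): a small Python heuristic run over constructed web-proxy log lines that surfaces the session-level subdomain rotation described above, as one behavioural signal to pair with static IOCs. The log format, hostnames and client addresses are assumptions, and the registered-domain split is a simplification noted in the comments.

```python
"""Flag session-level subdomain rotation in web-proxy logs.

Legitimate sites reuse a few hostnames across many clients; a kit that
mints one subdomain per victim session shows many single-use hostnames
under one parent domain. Log line shape (assumed):
"<epoch> <client_ip> <host> <path>".
"""
from collections import defaultdict

# Constructed sample data: one parent domain with per-session subdomains,
# one ordinary SaaS domain whose hostnames are shared by several clients.
SAMPLE_LOG = """\
1700000000 10.0.0.11 k3x9q2.example-lure.test /login
1700000005 10.0.0.12 zp81mm.example-lure.test /login
1700000009 10.0.0.13 ab77cd.example-lure.test /login
1700000014 10.0.0.14 qq1r5t.example-lure.test /login
1700000020 10.0.0.15 n0v3lx.example-lure.test /login
1700000021 10.0.0.11 app.corp-saas.test /home
1700000030 10.0.0.12 app.corp-saas.test /home
1700000031 10.0.0.13 cdn.corp-saas.test /static/a.js
1700000040 10.0.0.14 app.corp-saas.test /home
"""


def parent_domain(host: str) -> str:
    # Assumption: registered domain = last two labels. Production code should
    # use the Public Suffix List so "co.uk"-style suffixes are handled.
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def rotation_score(log_text: str):
    """Return {parent_domain: (distinct_hostnames, single_client_fraction)}."""
    hosts_by_parent = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the job
        _ts, client, host = parts[:3]
        hosts_by_parent[parent_domain(host)][host].add(client)
    out = {}
    for parent, hosts in hosts_by_parent.items():
        single_use = sum(1 for clients in hosts.values() if len(clients) == 1)
        out[parent] = (len(hosts), single_use / len(hosts))
    return out


def flag_rotating_domains(log_text: str, min_hosts: int = 4, min_single_use: float = 0.8):
    """Parent domains whose hostnames look minted per session."""
    return sorted(p for p, (n, frac) in rotation_score(log_text).items()
                  if n >= min_hosts and frac >= min_single_use)
```

Thresholds are starting points; tune them against your own proxy data and allow-list CDNs or tenant-per-subdomain SaaS that legitimately produce many hostnames.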

Context and Relevance

Phishing kits like Salty2FA show the commoditisation and professionalisation of cybercrime: low-skill operators can deploy high-fidelity campaigns that closely mimic corporate systems. This trend matters because it erodes traditional warning signs (bad URLs, poor styling) and forces security teams to adopt more sophisticated, cross-layer defences and behavioural analytics.

Why should I read this?

Because this isn’t your average dodgy email — Salty2FA makes scams look like the real thing. If you work in security, IT or run a business that relies on email auth, the tricks here tell you exactly what to watch for and why usual red flags might fail you. Short version: you need to rethink phishing defences now.

Author Style

Punchy: the article highlights a clear escalation in phishing capability and why that should matter to defenders. Read the detail if you want actionable cues on what to change in your detection and incident response playbooks.

Source

Source: https://www.darkreading.com/cyberattacks-data-breaches/salty2fa-phishing-kits-enterprise-level