SecureWorld News

Salty2FA Exposes the Next Evolution of Phishing Operations

Written by Cam Sivesind | Wed | Sep 10, 2025 | 1:09 PM Z

The Ontinue Ion Cyber Defense Center has published new research exposing a sophisticated phishing campaign leveraging the Salty2FA framework. This campaign illustrates how phishing kits are rapidly evolving into enterprise-grade operations, employing advanced evasion tactics, dynamic branding, and even multi-factor authentication (MFA) simulations to bypass both technical defenses and human intuition.

Ontinue's analysis uncovered several groundbreaking techniques that push Salty2FA beyond traditional phishing kits:

  • Session-based rotating subdomains: Every victim session receives a unique subdomain from a pre-computed pool, making static blocking and blacklist defenses nearly useless.

  • Platform abuse: Attackers abused the legitimate Aha.io platform, creating a OneDrive-style sharing page as the initial lure. Accounts were spun up and discarded quickly, the throwaway tradecraft common in modern phishing.

  • Sophisticated defense evasion: A Cloudflare Turnstile challenge gated the page and, combined with blocking of known ASN ranges, kept automated sandboxes and scanners from reaching the payload. Client-side anti-debugging code further hindered analysis of the malicious JavaScript.

  • Dynamic corporate branding: By parsing the victim's email domain, Salty2FA automatically applied corporate logos, color palettes, and styling. Testing showed targeted themes across healthcare, financial services, technology, energy, and automotive sectors, indicating that attackers are investing in broad customization.

Ontinue highlights how Salty2FA mirrors legitimate software practices:

  • Code obfuscation: Every string and function was hidden with XOR-based encoding and decoded at runtime. Because the key ships inside the script, this is obfuscation rather than true encryption, but it still defeats simple string searches.

  • Anti-analysis by design: Keyboard shortcuts for developer tools (F12, Ctrl+Shift+I/J/C/U/S) were blocked; timing-based debugger traps triggered infinite loops to crash the analysis session.

  • Full MFA simulation: The phishing kit supported six different MFA flows (SMS, authenticator apps, phone calls, push notifications, backup codes, and hardware tokens), presenting convincing interfaces that mirrored enterprise authentication portals.
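As an added illustration (not code from the Ontinue report or from the Salty2FA kit), the block below models the XOR string-hiding scheme described above in the shape a kit would ship it, then shows the analyst-side answer to the anti-debugging traps: recover every string statically from the source text, so none of the kit's keyboard hooks or timing checks ever execute. The key, the string table, the variable names (_k, _t, _d) and the collector path are all invented for this example.

```javascript
// Added example, not code from the Ontinue report or the Salty2FA kit: a model of
// an XOR string-hiding scheme and an analyst-side static decoder for it.
// Key, strings, variable names and the collector path are invented.

// XOR a buffer against a repeating key (symmetric: the same call encodes and decodes).
function xorBytes(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key[i % key.length];
  return out;
}

// Kit side: plaintext -> hex blob stored in the string table.
function encodeString(s, key) {
  return xorBytes(Buffer.from(s, 'utf8'), key).toString('hex');
}

// Kit side: the runtime decoder shipped with the script, called as _d(i)
// wherever a string literal would otherwise appear.
function makeRuntimeDecoder(table, key) {
  return (i) => xorBytes(Buffer.from(table[i], 'hex'), key).toString('utf8');
}

// Constructed sample: a tiny obfuscated script in the shape the scheme produces.
const KEY = Buffer.from('s4lty', 'utf8'); // invented key
const SECRETS = [                          // invented strings
  '/api/collect',
  'Enter the code from your authenticator app',
  'login.microsoftonline.com',
];
const OBFUSCATED_SCRIPT = [
  `var _k="${KEY.toString('hex')}";`,
  `var _t=[${SECRETS.map((s) => `"${encodeString(s, KEY)}"`).join(',')}];`,
  'function _d(i){/* hex-decode _t[i], XOR with _k, return the string */}',
  'fetch(_d(0),{method:"POST",body:JSON.stringify({u:user,p:pass,otp:code})});',
].join('\n');

// Analyst side: pull the key and table out of the source text and decode every
// entry without running the script, so debugger traps and key hooks never fire.
function staticDecode(src) {
  const keyMatch = src.match(/var _k="([0-9a-f]+)"/);
  const tableMatch = src.match(/var _t=\[([^\]]*)\]/);
  if (!keyMatch || !tableMatch) throw new Error('key or string table not found');
  const key = Buffer.from(keyMatch[1], 'hex');
  const blobs = [...tableMatch[1].matchAll(/"([0-9a-f]*)"/g)].map((m) => m[1]);
  return blobs.map((h) => xorBytes(Buffer.from(h, 'hex'), key).toString('utf8'));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(staticDecode(OBFUSCATED_SCRIPT));
}
```

Real kits rename the variables and split the table across functions, so the regexes are the part an analyst adapts per sample; the XOR routine itself rarely changes, and once the key is located the whole string table falls out in one pass.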

"Salty2FA is another reminder that phishing has matured into enterprise-grade operations, complete with advanced evasion tactics and convincing MFA simulations," said Brian Thornton, Senior Sales Engineer at Zimperium. "By exploiting trusted platforms and mimicking corporate portals, attackers are blurring the lines between real and fraudulent traffic. To defend against these evolving threats, organizations need advanced, layered protection that goes beyond traditional email and network security—covering endpoints, mobile devices, and apps—to detect, analyze, and stop attacks before sensitive data is compromised."

This level of sophistication means users can no longer rely on the "usual red flags." HTTPS, familiar branding, or realistic MFA prompts are now standard in malicious campaigns.

Ontinue's report makes clear that phishing is no longer a low-skill game. Criminal groups are applying systematic planning, layered defenses, and psychological manipulation to rival enterprise-grade development.

For defenders, the implications are profound:

  1. Detection must evolve: Hostname blocklists are ineffective against session-based rotation, because each victim is sent to a subdomain nobody has observed before (blocking at the registered domain still helps, until the operator rotates that as well). Behavioral detection and anomaly analysis must take center stage.

  2. MFA is not a silver bullet: While MFA remains critical, Salty2FA demonstrates attackers' ability to relay MFA codes and approvals in real time; a one-time code or push approval is not tied to the site the user is actually on. Organizations should adopt phishing-resistant MFA such as FIDO2/WebAuthn wherever possible, since those assertions are bound to the origin and cannot be replayed from a lookalike domain.

  3. SOC operations need new playbooks: Analysts may be unable to access malicious infrastructure from enterprise networks due to geo-blocking and ASN filtering. SOCs should incorporate residential VPNs and alternate IP vantage points into their analysis workflows.

  4. User awareness still matters: With technical controls harder to rely on, security culture and user vigilance are essential. Ontinue stresses that end-users may be the last line of defense when phishing sites are indistinguishable from legitimate portals.
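The following block is an added example (not from the Ontinue report) of the kind of behavioral detection point 1 above calls for, applied to the session-based subdomain rotation described earlier: instead of matching hostnames, it groups proxy log entries by registered domain and flags domains where many distinct subdomains each serve a single client. The log lines, hostnames and addresses are constructed for the example, and the two-label split of the host is a simplification (production code should use the Public Suffix List).

```javascript
// Added example, not from the Ontinue report: detect session-based subdomain
// rotation in proxy logs. All log lines, hostnames and addresses are constructed.
const SAMPLE_LOG = [
  '2025-09-10T13:01:02Z 10.0.4.21 GET https://qv8d2m.docs-share.example/open?id=1',
  '2025-09-10T13:01:09Z 10.0.4.21 GET https://qv8d2m.docs-share.example/auth',
  '2025-09-10T13:02:41Z 10.0.7.18 GET https://t3hz9k.docs-share.example/open?id=1',
  '2025-09-10T13:05:13Z 10.0.2.77 GET https://a1cc0r.docs-share.example/open?id=1',
  '2025-09-10T13:06:50Z 10.0.9.2 GET https://x9p4lw.docs-share.example/open?id=1',
  '2025-09-10T13:01:30Z 10.0.4.21 GET https://www.intranet.example/home',
  '2025-09-10T13:02:00Z 10.0.7.18 GET https://www.intranet.example/home',
  '2025-09-10T13:03:00Z 10.0.2.77 GET https://mail.intranet.example/inbox',
  '2025-09-10T13:04:00Z 10.0.9.2 GET https://www.intranet.example/home',
  'this line is not a log record',
];

// "<timestamp> <client-ip> <method> <url>" -- the assumed (constructed) log format.
const LINE_RE = /^(\S+) (\S+) (\S+) https?:\/\/([^/\s]+)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], client: m[2], host: m[4].toLowerCase() };
}

// Split host into subdomain and registered domain using the last two labels.
// Simplification: real deployments should consult the Public Suffix List so
// that hosts under suffixes like co.uk are split correctly.
function splitHost(host) {
  const labels = host.split('.');
  if (labels.length < 3) return null; // nothing in front of the registered domain
  return { sub: labels.slice(0, -2).join('.'), apex: labels.slice(-2).join('.') };
}

// Flag registered domains with at least `minSubdomains` distinct subdomains where
// every subdomain was contacted by no more than `maxClientsPerSub` clients: the
// signature of a per-session subdomain handed out once and never reused.
function findRotatingDomains(lines, { minSubdomains = 3, maxClientsPerSub = 1 } = {}) {
  const byApex = new Map(); // apex -> Map(subdomain -> Set(client))
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const parts = splitHost(rec.host);
    if (!parts) continue;
    if (!byApex.has(parts.apex)) byApex.set(parts.apex, new Map());
    const subs = byApex.get(parts.apex);
    if (!subs.has(parts.sub)) subs.set(parts.sub, new Set());
    subs.get(parts.sub).add(rec.client);
  }
  const flagged = [];
  for (const [apex, subs] of byApex) {
    if (subs.size < minSubdomains) continue;
    const clientSets = [...subs.values()];
    const singleUse = clientSets.filter((c) => c.size <= maxClientsPerSub).length;
    if (singleUse === subs.size) {
      const clients = new Set(clientSets.flatMap((s) => [...s]));
      flagged.push({ apex, subdomains: subs.size, clients: clients.size });
    }
  }
  return flagged;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findRotatingDomains(SAMPLE_LOG));
}
```

On the constructed sample, docs-share.example is flagged (four subdomains, four clients, no reuse) while intranet.example is not, because its www label is shared by several clients. Per-tenant SaaS hostnames can produce a similar pattern, so in practice the rule is paired with an allowlist and with domain-age or certificate-age lookups before anything is blocked automatically.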

Salty2FA represents a paradigm shift in phishing operations. What Ontinue uncovered is not a hobbyist kit but a professional-grade framework that adapts, evades, and deceives at scale.

As the research concludes: "We're seeing phishing operations mature into something that resembles legitimate software development.… The integration of anti-analysis techniques, dynamic infrastructure, and behavioral psychology creates a formidable opponent that challenges traditional detection and response methodologies."

We asked experts from cybersecurity vendors for their thoughts on Salty2FA.

Nicole Carignan, Senior Vice President, Security & AI Strategy, and Field CISO at Darktrace, said:

  •  "Despite increased focus on email security, organizations and their employees continue to be plagued by successful phishing attempts. Many tools used by organizations today depend on historical attack data to identify and stop known email threats from reentering inboxes. However, this approach often fails to recognize new or unknown threats."

  • "As sophistication of phishing attacks continues to grow, organizations cannot rely on employees to be the last line of defense against these attacks. Instead, organizations must use machine learning-powered tools that can understand how their employees interact with their inboxes and build a profile of what activity is normal for users, including their relationships, tone and sentiment, content, when and how they follow or share links, etc. Only then can they accurately recognize suspicious activity that may indicate an attack or business email compromise (BEC)."

Jason Soroko, Senior Fellow at Sectigo, said:

  • "MFA, while a critical security measure, isn't a cure-all to solve unauthorized access. Simply put, MFA raises the difficulty for a malicious actor, however, the bar often isn't high enough to prevent a successful attack."

  • "Not all MFA is created equal, and the weak forms of MFA share an inherent weakness in that they rely on a shared secret, similar to a password. All shared secrets face the risk of interception or harvesting by an attacker. A one-time password generated by an app that has to be typed into an authentication web page is just as vulnerable as a password to key logging or a fake authentication page. Attackers have adapted to MFA in multiple ways, taking advantage of this fundamental flaw of all shared secrets."

  • "Additionally, many organizations deploy MFA selectively, leaving critical gaps. Even when implemented, poor configuration, reliance on weaker factors like SMS, and user errors, such as phishing, undermine its effectiveness. Yes, MFA works to raise the level of difficulty of attack, but its success depends on the method and context. However, attackers bypass MFA through social engineering, exploiting 'MFA fatigue,' man-in-the-middle attacks, and technical flaws like SIM swapping or stealing session cookies."

  • "Some MFA solutions are better than others. Some forms of MFA rely on non-shared secrets that are cryptographically generated and stored in a secure location where they never leave. However, even the best MFA solutions can't address the human element—education and awareness are crucial to bolstering MFA's effectiveness."

Additionally, earlier this year, Menlo Security reported a surge in GenAI-driven threats that spurred a 140% increase in browser-based phishing attacks compared with 2023, including a 130% increase specifically in zero-hour phishing attacks.