September 12, 2025
By esentry Team

2FA In the Mud?

A new type of cyberattack has appeared, led by a very advanced scam tool that copies how real software companies work. This tool, called Salty2FA, is built to get around different types of security codes and avoid normal protection systems.

The ongoing campaign uses this kit to get past extra security steps by stealing verification codes, changing web addresses often, and hiding behind trusted services like Cloudflare Turnstile. First observed in mid-2025, Salty2FA has powered multiple campaigns against Microsoft 365 users worldwide.

How It Works

Quick Setup - On Sept. 3, attackers signed up for a trial account on the real website Aha.io, pretending to be a well-known company.

Fake Trust - They used this fake account on a trusted platform to trick users into believing the attack was real.

Bait Creation - The attackers used their fake account to set up a OneDrive sharing page with a clickable link in the middle.

False Promise - The page claimed to share an important document with the victim.

Hidden Complexity - Behind this simple-looking page was a complex system that shows how tricky the Salty2FA scam tool has become.

Security Bypass - When users clicked the fake page, attackers sent them to Cloudflare Turnstile (a security check system) to make the scam look more real.

The Camouflage

The phishing tool is built to avoid being stopped by normal security methods. It uses a clever trick where it creates a new, unique web address for each person it targets, meaning:

· Every victim gets their own special website link

· Security teams can't easily find and block these sites

· By the time one address is blocked, many new ones have already been created

· It's like playing whack-a-mole: as soon as you stop one, another pops up

Common phishing email lures include:

“Voice message was left…”

“Access full document…”

“Payroll amendment…”

“Request for Proposal…”

“Bid invitation…”

“Billing statement…”

IOCs

Recommendations

Rely on behavioral detection – Focus on recurring patterns such as domain structures and page logic, instead of chasing constantly changing IOCs.

Detonate suspicious emails in a sandbox – Gain full-chain visibility to spot credential theft and 2FA interception attempts in real time.

Harden MFA policies – Favor app-based or hardware tokens over SMS and voice, and use conditional access to flag risky login attempts.

Train employees on financial lures – Raise awareness of common hooks like “payment correction” or “billing statement” that should trigger suspicion.

Integrate sandbox results into your security stack – Feed live attack data into SIEM/SOAR platforms to accelerate detection and reduce manual workload.
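The "Camouflage" section above describes why exact-match blocking fails against a kit that hands every victim a unique link, and the first recommendation asks for detection on recurring structure instead. The script below is an added example from the editor, not code from the esentry post or from any vendor tool: it runs a static blocklist and a structural rule side by side over a few constructed web-proxy log lines (the domains, users and paths are made up for illustration and are not indicators of anything real). The structural rule flags a domain when several distinct users each fetch a distinct, random-looking path within a short window, which is the per-victim-link pattern the post describes. The "registered domain" helper is a deliberate simplification (last two labels) and the thresholds are assumptions to tune for your own traffic.

```python
"""Behavioral detection of per-victim phishing links (added example).

Compares a static URL blocklist against a structural rule that looks for
the pattern in the post: one domain serving many unique, random-looking
paths to many different users in a short time. All sample data below is
constructed for illustration only.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: timestamp, user, requested URL (not real indicators).
SAMPLE_LOG = """\
2025-09-03T09:01:12Z alice   https://docs-share-example.invalid/v/Xk9qP2mZr7/
2025-09-03T09:02:40Z bob     https://docs-share-example.invalid/v/Qw3ePl8Ay1/
2025-09-03T09:03:05Z carol   https://docs-share-example.invalid/v/Zt5nMv0Rb4/
2025-09-03T09:04:51Z dave    https://docs-share-example.invalid/v/Hj8cKd2Lq6/
2025-09-03T09:06:19Z erin    https://docs-share-example.invalid/v/Ym1pWs4Vn9/
2025-09-03T09:07:33Z alice   https://intranet.example.invalid/wiki/onboarding
2025-09-03T09:08:02Z bob     https://intranet.example.invalid/wiki/onboarding
2025-09-03T09:09:44Z carol   https://intranet.example.invalid/wiki/holidays
"""

# A static blocklist that only knows the one link already reported elsewhere.
STATIC_BLOCKLIST = {"https://docs-share-example.invalid/v/Xk9qP2mZr7/"}


def parse_log(text):
    """Parse 'timestamp user url' lines into (datetime, user, url) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, url = line.split(maxsplit=2)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, url.strip()))
    return events


def registered_domain(hostname):
    """Simplified registered-domain extraction (assumption: last two labels)."""
    labels = (hostname or "").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; random tokens score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(segment, min_len=8, min_entropy=3.0):
    """Heuristic: long, mixed letters+digits, high entropy => generated token."""
    has_digit = any(c.isdigit() for c in segment)
    has_alpha = any(c.isalpha() for c in segment)
    return (len(segment) >= min_len and has_digit and has_alpha
            and shannon_entropy(segment) >= min_entropy)


def blocklist_hits(events):
    """Exact-match blocking: only catches the one URL we already knew."""
    return [e for e in events if e[2] in STATIC_BLOCKLIST]


def per_victim_link_domains(events, window=timedelta(minutes=10), min_users=3):
    """Structural rule: domains where >= min_users distinct users each fetched
    a distinct random-looking path inside `window`. Returns {domain: stats}."""
    by_domain = defaultdict(list)
    for ts, user, url in events:
        parsed = urlparse(url)
        segments = [s for s in parsed.path.split("/") if s]
        if segments and looks_random(segments[-1]):
            by_domain[registered_domain(parsed.hostname)].append((ts, user, parsed.path))

    flagged = {}
    for domain, hits in by_domain.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            users = {h[1] for h in in_window}
            paths = {h[2] for h in in_window}
            # Every request used a different path and came from several users.
            if len(users) >= min_users and len(paths) == len(in_window):
                flagged[domain] = {"users": len(users), "unique_paths": len(paths)}
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("blocklist caught:", len(blocklist_hits(evs)), "of", len(evs), "events")
    print("structural rule flagged:", per_victim_link_domains(evs))
```

Run against the constructed log, the blocklist catches only the single link that was already known, while the structural rule flags the whole domain after five users each received their own token-style path; the internal wiki with repeated, human-readable paths is not flagged. In practice the same rule would run over proxy or DNS telemetry in the SIEM, with the entropy and user-count thresholds tuned to the organisation's baseline.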

While the tactics of cybercriminals continue to evolve, every proactive step, whether enforcing access controls, training employees, or integrating smarter defenses, brings us closer to staying ahead of the threat.