August 22, 2025
By esentry Team

Salty 2FA – Emerging PhaaS Framework Bypassing Multi-Factor Authentication

Threat Actor Association: Overlaps with Storm-1575/1747, but distinct
Threat Type: Phishing-as-a-Service (PhaaS)
Targeted Sectors: Financial, Telecom, Energy, Consulting, Logistics, Education, Government

Executive Summary

A newly identified Phishing-as-a-Service (PhaaS) framework, dubbed Salty 2FA, has emerged as a credible threat to enterprises. Unlike commodity phishing kits, Salty 2FA introduces a multi-stage execution chain, advanced obfuscation, and infrastructure patterns not previously documented. Its most concerning capability is the ability to bypass multiple 2FA methods, including push notifications, SMS OTPs, and voice calls, making it highly effective at defeating account protection mechanisms.

Initial overlaps in infrastructure suggest possible links to Storm-1575 (Dadsec) and Storm-1747 (Tycoon 2FA), but the technical distinctions are sufficient to classify Salty 2FA as a separate PhaaS ecosystem.

Key Intelligence Findings

  • New Infrastructure Pattern: Uses compound domain chains (e.g., .com.de, .it.com) combined with .ru TLDs for hosting and exfiltration.
  • Anti-Analysis Capabilities: Employs obfuscation, injected “noise” code, debugger evasion, and encoded DOM element IDs to resist sandboxing and static inspection.
  • Multi-Stage Execution Chain: Delivers phishing content through encrypted and obfuscated payloads, gradually unfolding into a fake Microsoft 365 login page.
  • 2FA Bypass: Capable of intercepting and processing OTPs across push apps, SMS, voice, and companion apps, giving attackers access even when MFA is enabled.
  • Victimology: Targets span finance, telecom, logistics, energy, healthcare, government, and consulting, with observed activity across the US, UK, EU, Canada, India, and LATAM.
  • Evasion of IOC-based Detection: Indicators such as domains mutate rapidly; behavioral detection is required.

Observed Tactics, Techniques, and Procedures (TTPs)

Using the MITRE ATT&CK framework:

  • Initial Access (T1566.002 – Phishing via Email): Emails with lures such as “Voice message,” “Payroll amendment,” “Bid invitation”.
  • Execution (T1204.002 – Malicious Link): Victims are redirected through compound .com subdomains with embedded .ru infrastructure.
  • Defense Evasion (T1027 – Obfuscated Files/Scripts): Heavy JavaScript obfuscation, DOM encoding, and injected “filler code.”
  • Credential Access (T1110.004 – Credential Phishing): Fake Microsoft 365 login pages harvest user credentials.
  • Credential Access (T1556.006 – Multi-Factor Authentication Interception): Intercepts SMS OTPs, push notifications, and voice-based MFA tokens.
  • Exfiltration (T1041 – Exfiltration over C2 Channel): Stolen credentials and 2FA data are encoded (Base64 + XOR) and sent to .ru C2 servers.

Attribution Assessment

While Storm-1575 (Dadsec) and Storm-1747 (Tycoon 2FA) share partial infrastructure overlaps, Salty 2FA diverges in:

  • Domain composition patterns
  • Client-side obfuscation techniques
  • Communication model with C2 servers

This suggests either a splinter group or a new commercial PhaaS operator reusing fragments of older infrastructure.

Impact on Organizations

  • Credential Theft at Scale: Direct compromise of Microsoft 365 accounts across sensitive industries.
  • 2FA Defeat: Neutralizes MFA defenses, increasing the likelihood of full account takeover.
  • Supply Chain Risk: With victims in logistics, consulting, and energy, adversaries could leverage compromised accounts for downstream attacks.
  • Detection Gaps: Traditional IOC feeds are ineffective; behavioral indicators must be prioritized.

Detection and Hunting Recommendations

Since static IOCs are unreliable, SOCs should hunt for behavioral fingerprints:

  1. Domain Pattern Recognition:
     • Compound domains with format: <subdomain>.<main_domain>.??.com
     • Frequent pairing with .ru infrastructure for exfiltration.
  2. Network Indicators:
     • Suspicious POST requests to .ru domains with parameters request= and session=.
     • Unusual JSON responses controlling phishing page states.
  3. Browser Behavior:
     • Presence of Cloudflare Turnstile in phishing chains.
     • Obfuscated page text and dynamically generated DOM element IDs.
  4. User Awareness:
     • Train users to spot common lures (voicemail, billing statement, payroll updates).
     • Reinforce reporting mechanisms for suspicious login prompts.
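The two network-side fingerprints above (compound-domain hosts and POST exfiltration to .ru hosts carrying request= and session=) can be hunted directly in web proxy logs. The script below is an added example written for this advisory, not code from the esentry team; the log format, host names and client IPs are constructed for illustration, and the public-suffix allowlist is a deliberately partial assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log sample: <timestamp> <client_ip> <method> <url>
SAMPLE_LOG = """\
2025-08-22T10:01:12Z 10.0.0.14 GET https://login.contoso-secure.it.com/auth/index.html
2025-08-22T10:01:15Z 10.0.0.14 POST https://verify-mail.example.ru/api?request=login&session=abc123
2025-08-22T10:02:03Z 10.0.0.22 GET https://www.microsoft.com/en-us/
2025-08-22T10:03:44Z 10.0.0.31 POST https://mail.example.ru/api?request=otp
2025-08-22T10:04:10Z 10.0.0.31 GET https://docs.example.com.de/view
"""

# Host ends in ".??.com" (e.g. .it.com) or ".com.??" (e.g. .com.de), as described in the advisory.
COMPOUND_TLD = re.compile(r"\.(?:[a-z]{2}\.com|com\.[a-z]{2})$", re.I)

# Legitimate ccTLD second-level suffixes that would otherwise match ".com.??".
# Partial list (assumption): use the Public Suffix List in production.
PUBLIC_SUFFIX_ALLOWLIST = {"com.au", "com.br", "com.mx", "com.ar", "com.cn", "com.tr", "com.sg"}


def is_compound_domain(host: str) -> bool:
    """True for <subdomain>.<main_domain>.??.com or .com.?? hosts (>= 4 labels).
    Short legitimate names such as news.ft.com also match; triage or allowlist them."""
    host = host.lower()
    if not COMPOUND_TLD.search(host):
        return False
    if ".".join(host.split(".")[-2:]) in PUBLIC_SUFFIX_ALLOWLIST:
        return False
    return len(host.split(".")) >= 4


def is_suspect_exfil(method: str, url: str) -> bool:
    """POST to a .ru host whose query string carries both request= and session=.
    Proxy logs usually expose only the query string; body parameters need full HTTP inspection."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if method.upper() != "POST" or not host.endswith(".ru"):
        return False
    params = parse_qs(parts.query)
    return "request" in params and "session" in params


def hunt(log_text: str) -> list:
    """Return (client_ip, reason, host) tuples for every line matching a fingerprint."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, method, url = line.split(maxsplit=3)
        host = urlsplit(url).hostname or ""
        if is_compound_domain(host):
            hits.append((client, "compound-domain", host))
        if is_suspect_exfil(method, url):
            hits.append((client, "ru-exfil-post", host))
    return hits
```

A client that produces both a compound-domain hit and a ru-exfil-post hit within a short window is the strongest signal; either alone warrants triage rather than an automatic block.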

Mitigation and Defensive Actions

  • Strengthen MFA Controls: Enforce phishing-resistant MFA (FIDO2/WebAuthn, hardware keys) over SMS/push.
  • Threat Intelligence Integration: Ingest TI feeds with behavioral patterns, not just domain/IP IOCs.
  • Incident Response:
     • Monitor for suspicious logins with impossible travel/time anomalies.
     • Enforce conditional access policies (geo-fencing, device posture).