
Salty 2FA: Undetected PhaaS Hitting US and EU Industries

Severity: Medium
Published: Tue Aug 19 2025 (08/19/2025, 17:08:35 UTC)
Source: AlienVault OTX General

Description

A new Phishing-as-a-Service (PhaaS) framework dubbed Salty 2FA has been discovered targeting industries in the US and EU. It uses a unique domain pattern combining .com subdomains with .ru domains and employs a multi-stage execution chain to resist detection. The kit can bypass multiple 2FA methods, including push, SMS, and voice. Victims span global industries such as finance, telecom, energy, consulting, logistics, and education. Static IOCs are unreliable for detection; instead, behavioral patterns must be identified. The framework shares traits with Storm-1575 but has distinct characteristics setting it apart from known threats like Tycoon2FA or EvilProxy. It demonstrates sophisticated capabilities in distributing phishing payloads, maintaining dynamic infrastructure, and managing complex communication between phishing pages and C2 servers.

AI-Powered Analysis

Last updated: 09/19/2025, 00:07:37 UTC

Technical Analysis

Salty 2FA is a recently identified Phishing-as-a-Service (PhaaS) framework targeting organizations in the United States and Europe. Its most visible trait is a domain pattern that pairs .com subdomains with .ru domains (the URL indicators below show a path on telephony.nexttradeitaly.com and .php endpoints on marketplace24ei.ru). The kit runs a multi-stage execution chain designed to evade traditional security mechanisms and detection tools, and it shares operational traits with the Storm-1575 adversary while differing from other known kits such as Tycoon2FA and EvilProxy. Its infrastructure is dynamic, with command-and-control (C2) communication that distributes the phishing payloads and manages the link between the phishing pages and the back end.

The kit is reported to bypass several second factors: push notifications, SMS codes and voice calls. "Bypass" here means the factor is captured or approved during a live login that the victim believes is legitimate (a code typed into the phishing page, or a push or call the victim accepts while the kit completes the real login); the factor itself is not broken. Bypassing push and voice prompts is only possible if the kit interacts with the genuine service in real time, which is why factors bound to the origin the browser is actually on, such as FIDO2/WebAuthn hardware keys, are not defeated by this approach.

Victims span finance, telecommunications, energy, consulting, logistics and education, so the kit reaches both critical infrastructure and organizations holding sensitive data. Because the domains and IP addresses rotate, static IOCs are unreliable on their own; detection should focus on the multi-stage execution chain and on anomalous network communication, for example a page on a .com subdomain followed by requests to a .ru domain from the same client. Indicators listed with the pulse include the IP addresses 153.127.234.4, 153.127.234.5 and 191.96.207.129 and the domains marketplace24ei.ru and telephony.nexttradeitaly.com. The pulse records no known exploits in the wild; that field concerns software exploits and says little about a credential-phishing kit that was discovered in use against the sectors above. The threat is rated medium severity because it circumvents widely deployed 2FA methods and targets critical sectors.
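The behavioral detection the analysis calls for, as an added example that is not part of the pulse or the ANY.RUN write-up: a small Python detector run over constructed proxy log lines. It flags the pattern of a page on a .com subdomain followed by a request to a .ru domain from the same client, and sets that beside a plain match against the domains listed on this page, so the second (unlisted) infrastructure in the sample is only caught by the behavioral rule. The log format, the client addresses and the hosts support.example-corp.com and newkit77.ru are constructed for the demo; IOC_DOMAINS holds the domains from the pulse.

```python
"""Behavioural detection of the Salty 2FA delivery pattern described above.

Added example, not code from the ANY.RUN write-up or the OTX pulse. The log
format, client addresses and the hosts support.example-corp.com and
newkit77.ru are constructed for this demonstration; IOC_DOMAINS holds the
domains listed on this page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Static IOCs from the pulse (domains only).
IOC_DOMAINS = {
    "innovationsteams.com",
    "marketplace24ei.ru",
    "telephony.nexttradeitaly.com",
}

# Constructed proxy log: timestamp client method url referer ("-" if none).
SAMPLE_LOG = """\
2025-08-19T10:01:02Z 10.0.0.5 GET http://telephony.nexttradeitaly.com/SSSuWBTmYwu/ -
2025-08-19T10:01:03Z 10.0.0.5 POST http://marketplace24ei.ru/790628.php http://telephony.nexttradeitaly.com/SSSuWBTmYwu/
2025-08-19T10:05:00Z 10.0.0.7 GET http://support.example-corp.com/login/ -
2025-08-19T10:05:01Z 10.0.0.7 POST http://newkit77.ru/114455.php http://support.example-corp.com/login/
2025-08-19T10:09:00Z 10.0.0.9 GET https://www.example.com/ -
2025-08-19T10:09:01Z 10.0.0.9 GET https://cdn.example.com/app.js https://www.example.com/
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, referer = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "host": (urlparse(url).hostname or "").lower(),
        "ref_host": (urlparse(referer).hostname or "").lower() if referer != "-" else "",
    }


def is_com_subdomain(host: str) -> bool:
    # Deliberately broad: any host with a label below a .com second-level domain.
    labels = host.split(".")
    return len(labels) >= 3 and labels[-1] == "com"


def is_ru_domain(host: str) -> bool:
    return host.endswith(".ru")


def ioc_matches(events):
    """Plain static matching: catches only infrastructure already in the pulse."""
    hits = []
    for e in events:
        if e["host"] in IOC_DOMAINS or any(e["host"].endswith("." + d) for d in IOC_DOMAINS):
            hits.append((e["client"], e["host"]))
    return hits


def behavioral_matches(events, window=timedelta(seconds=30)):
    """Flag a .ru request loaded from, or closely following, a page on a .com subdomain."""
    hits = []
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if not is_ru_domain(e["host"]):
                continue
            if is_com_subdomain(e["ref_host"]):          # referer names the page directly
                hits.append((client, e["ref_host"], e["host"]))
                continue
            for prev in reversed(evs[:i]):                # otherwise use recent history
                if e["ts"] - prev["ts"] > window:
                    break
                if is_com_subdomain(prev["host"]):
                    hits.append((client, prev["host"], e["host"]))
                    break
    return hits


def detect(log_text: str) -> dict:
    events = [ev for ev in (parse_line(ln) for ln in log_text.splitlines()) if ev]
    return {"ioc": ioc_matches(events), "behavioral": behavioral_matches(events)}


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

On the sample, the IOC match fires only for client 10.0.0.5, whereas the behavioral rule fires for 10.0.0.5 and for 10.0.0.7, whose infrastructure is not in the pulse. The .com-subdomain test is broad on purpose; the signal is the pairing with a .ru request in the same short window, and in production the rule would be narrowed further with the path shape (numeric .php endpoints) and with the POST of form data.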

Potential Impact

For European organizations, Salty 2FA threatens the confidentiality, integrity and availability of sensitive data and of the systems behind compromised accounts. Once a second factor has been phished, the attacker holds a working corporate login, which can lead to data breaches, financial fraud and disruption of the services that account controls. Finance and energy are particularly exposed because of their regulatory obligations and the sensitivity of their operations; telecommunications and consulting firms additionally risk reputational damage and loss of client trust. The multi-stage, rotating infrastructure makes detection and response harder and lengthens the window in which an intrusion goes unnoticed, above all for organizations without behavioral detection capabilities. Broad targeting across sectors also raises the risk of supply-chain compromise, where access to one organization is used to reach its partners or clients. Consequences range from operational disruption to GDPR penalties for personal-data breaches and direct financial loss.

Mitigation Recommendations

European organizations should rely on behavioral analytics and anomaly detection rather than on static IOC lists alone, since the kit's domains and IP addresses rotate. The multi-stage execution chain runs in the victim's browser, so the most useful telemetry is web-proxy and DNS logging, URL detonation in a sandbox and browser-level controls; EDR remains valuable for what happens after a stolen credential is used, but it sees little of the phishing page itself. User awareness training should cover phishing that completes the 2FA step: a push, SMS or voice prompt that arrives while the user is on a login page reached from a link is the warning sign, even when the prompt itself looks legitimate. The strongest control is a phishing-resistant factor such as a FIDO2/WebAuthn hardware key, which cannot be relayed because the assertion is bound to the origin the browser is on; adaptive, risk-based authentication (device, location and session-age signals) reduces the exposure of accounts that still depend on push, SMS or voice. Enforce network segmentation and least-privilege access so that a stolen credential does not turn into lateral movement. Configure DNS filtering and firewall rules to block and alert on the listed infrastructure (marketplace24ei.ru, telephony.nexttradeitaly.com, innovationsteams.com and the three IP addresses), treating these entries as short-lived and supplementing them with the .com-subdomain to .ru pattern. Phishing playbooks should include rapid containment and credential reset, and the reset must also revoke active sessions and refresh tokens, because a login completed through the phishing page leaves the attacker with a valid session that a password change alone does not end. Finally, participate in threat intelligence sharing to receive timely updates as the infrastructure evolves.
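To make the authentication recommendation concrete, an added example (not from the page, the pulse or any vendor) that simulates in Python why a relayed one-time code passes verification while an origin-bound assertion does not. RP_ORIGIN, the credential key and the helper names are assumptions for the demo; PHISH_ORIGIN reuses a domain from the pulse as the phishing page. The TOTP implementation follows RFC 6238, and the WebAuthn public-key signature is stood in for by an HMAC so the script runs with the standard library only. The origin check is the point, not the cryptography.

```python
"""Simulation: a relayed one-time code passes, an origin-bound assertion fails.

Added example, not code from the page or from any vendor. RP_ORIGIN, the
credential key and the helper names are assumptions for the demo; the
WebAuthn public-key signature is replaced by an HMAC so the script runs with
the standard library only. The origin check is the part that matters.
"""
import hashlib
import hmac
import json
import os
import struct

RP_ORIGIN = "https://login.example-rp.com"              # legitimate site (constructed)
PHISH_ORIGIN = "https://telephony.nexttradeitaly.com"   # phishing page, domain from the pulse


# --- Factor 1: TOTP per RFC 6238 (HMAC-SHA1, 30 s time step, 6 digits) ---
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    value = code % 10 ** digits
    return f"{value:0{digits}d}"


def rp_verify_totp(secret: bytes, code: str, t: int) -> bool:
    return hmac.compare_digest(totp(secret, t), code)


def aitm_relay_totp(secret: bytes, t: int) -> bool:
    """The victim types the current code into the phishing page and the kit
    forwards it to the real service inside the same 30 s window. The RP
    cannot tell who submitted it, so verification succeeds."""
    code_typed_on_phish_page = totp(secret, t)
    return rp_verify_totp(secret, code_typed_on_phish_page, t)


# --- Factor 2: origin-bound challenge/response in the style of WebAuthn ---
def authenticator_sign(cred_key: bytes, challenge: str, origin: str) -> dict:
    """The browser, not the page and not the user, records the origin it is on
    in clientDataJSON before the authenticator signs it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    sig = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()  # stand-in for the signature
    return {"client_data": client_data, "sig": sig}


def rp_verify_assertion(cred_key: bytes, expected_challenge: str, assertion: dict):
    data = json.loads(assertion["client_data"])
    if data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    expected = hmac.new(cred_key, assertion["client_data"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    return True, "ok"


def legit_webauthn_login(cred_key: bytes):
    challenge = os.urandom(16).hex()
    assertion = authenticator_sign(cred_key, challenge, RP_ORIGIN)
    return rp_verify_assertion(cred_key, challenge, assertion)


def aitm_relay_webauthn(cred_key: bytes):
    """The kit forwards the RP's challenge to the victim, but the victim's
    browser is on PHISH_ORIGIN and that origin is what gets signed. Relaying
    the assertion unchanged fails the origin check; editing it breaks the
    signature."""
    challenge = os.urandom(16).hex()   # issued by the RP to the attacker's session
    assertion = authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    return rp_verify_assertion(cred_key, challenge, assertion)


if __name__ == "__main__":
    user_totp_secret = b"12345678901234567890"   # RFC 4226/6238 test secret
    cred_key = os.urandom(32)
    print("relayed TOTP accepted:", aitm_relay_totp(user_totp_secret, 1_700_000_000))
    print("legitimate WebAuthn login:", legit_webauthn_login(cred_key))
    print("relayed WebAuthn login:", aitm_relay_webauthn(cred_key))
```

The same reasoning covers push and voice approvals: the victim approves a prompt that the kit triggered by logging in to the real service, and nothing in that approval names the page the victim was on. A real browser adds a second barrier the simulation leaves out: it refuses to exercise a credential at all when the page's domain does not match the credential's relying-party ID, so the phishing page never receives an assertion to relay.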


Technical Details

Author
AlienVault
Tlp
white
References
https://any.run/cybersecurity-blog/salty2fa-technical-analysis
Adversary
Storm-1575
Pulse Id
68a4af934fc77632709983fc
Threat Score
null

Indicators of Compromise

The pulse supplies no per-indicator descriptions.

IP addresses
153.127.234.4
153.127.234.5
191.96.207.129

URLs
http://marketplace24ei.ru//
http://marketplace24ei.ru/790628.php
http://telephony.nexttradeitaly.com/SSSuWBTmYwu/

Domains
innovationsteams.com
marketplace24ei.ru
telephony.nexttradeitaly.com

Threat ID: 68a4ed7fad5a09ad00fba95c

Added to database: 8/19/2025, 9:32:47 PM

Last enriched: 9/19/2025, 12:07:37 AM

Last updated: 10/4/2025, 3:52:53 PM
