
Salty 2FA: Undetected PhaaS Hitting US and EU Industries

Severity: Medium
Published: Tue Aug 19 2025 (08/19/2025, 17:08:35 UTC)
Source: AlienVault OTX General

Description

A new Phishing-as-a-Service (PhaaS) framework dubbed Salty 2FA has been discovered targeting industries in the US and EU. It uses a unique domain pattern combining .com subdomains with .ru domains and employs a multi-stage execution chain to resist detection. The kit can bypass multiple 2FA methods, including push, SMS, and voice. Victims span global industries such as finance, telecom, energy, consulting, logistics, and education. Static IOCs are unreliable for detection; instead, behavioral patterns must be identified. The framework shares traits with Storm-1575 but has distinct characteristics setting it apart from known threats like Tycoon2FA or EvilProxy. It demonstrates sophisticated capabilities in distributing phishing payloads, maintaining dynamic infrastructure, and managing complex communication between phishing pages and C2 servers.

AI-Powered Analysis

Last updated: 08/19/2025, 21:47:52 UTC

Technical Analysis

Salty 2FA is a newly identified Phishing-as-a-Service (PhaaS) framework actively targeting industries across the United States and Europe. It is notable for a multi-stage execution chain designed to evade traditional detection mechanisms. Salty 2FA employs a distinctive domain pattern that combines .com subdomains with .ru domains, which complicates static indicator of compromise (IOC) detection. The framework is capable of bypassing multiple forms of two-factor authentication (2FA), including push notifications, SMS codes, and voice calls, which significantly increases its effectiveness against organizations that rely on 2FA. Victims span a broad range of sectors such as finance, telecommunications, energy, consulting, logistics, and education, indicating a wide attack surface and high-value targets. Salty 2FA shares some traits with the Storm-1575 adversary but maintains operational characteristics that set it apart from frameworks such as Tycoon2FA or EvilProxy, including dynamic infrastructure management and complex command-and-control (C2) communication between phishing pages and C2 servers. Because the framework rotates domains and IPs, detection efforts must focus on behavioral analysis rather than static IOCs. Known indicators include several IP addresses (e.g., 153.127.234.4, 153.127.234.5, 191.96.207.129) and domains such as marketplace24ei.ru and telephony.nexttradeitaly.com, which are part of the phishing infrastructure. The threat does not currently have known exploits in the wild but represents a medium-severity risk due to its capability to circumvent 2FA and target critical industries.

Potential Impact

For European organizations, the Salty 2FA threat poses a significant risk to the confidentiality and integrity of sensitive data and access credentials. By bypassing multiple 2FA methods, attackers can gain unauthorized access to corporate accounts, potentially leading to data breaches, financial fraud, and disruption of critical services. Industries such as finance and energy are particularly vulnerable due to the sensitive nature of their operations and regulatory requirements. The telecom and consulting sectors may face reputational damage and loss of client trust if compromised. The multi-stage and dynamic nature of the attack infrastructure complicates detection and response, increasing the likelihood of prolonged undetected intrusions. Additionally, the reliance on behavioral detection means that organizations without advanced monitoring capabilities may fail to identify the threat promptly. The broad targeting across sectors also raises the risk of supply chain compromises, where attackers leverage access to one organization to infiltrate partners or clients. Overall, the threat could lead to operational disruptions, regulatory penalties under GDPR for data breaches, and financial losses.

Mitigation Recommendations

European organizations should implement advanced behavioral analytics and anomaly detection systems capable of identifying phishing attempts that bypass traditional static IOC-based defenses. Deploying endpoint detection and response (EDR) solutions with capabilities to monitor multi-stage execution chains and unusual network communications is critical. Organizations must enhance user awareness training focused on sophisticated phishing tactics that circumvent 2FA, emphasizing vigilance even when 2FA prompts appear legitimate. Implementing adaptive authentication methods that incorporate risk-based assessments can reduce reliance on static 2FA methods vulnerable to bypass. Network segmentation and strict access controls can limit lateral movement if credentials are compromised. Monitoring and blocking access to suspicious domains and IP addresses associated with Salty 2FA infrastructure, such as marketplace24ei.ru and telephony.nexttradeitaly.com, should be enforced via DNS filtering and firewall rules. Incident response teams should prepare playbooks for phishing attacks that include rapid containment and credential reset procedures. Collaboration with threat intelligence sharing platforms to receive timely updates on evolving phishing infrastructure is recommended. Finally, organizations should consider deploying phishing-resistant authentication methods such as hardware security keys (e.g., FIDO2) to mitigate 2FA bypass risks.
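The detection and blocking advice above, as an added example that is not part of the OTX pulse or the ANY.RUN write-up: a small Python checker that runs both the static IOC match (the listed IPs, URLs and domains) and a behavioral heuristic derived from the described ".com subdomain followed by .ru domain" pattern over proxy-log lines. The log format, the five-minute window, the client addresses and the non-IOC hostnames (example.com / example.ru) are assumptions or constructed sample data; only the IOC values come from the page.

```python
"""Match proxy-log lines against Salty 2FA traits: static IOCs plus a
behavioral ".com subdomain then .ru domain" heuristic.
Added example; not ANY.RUN's, OTX's or the threat page's own code."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# IOC values as listed on the page (not constructed).
IOC_IPS = {"153.127.234.4", "153.127.234.5", "191.96.207.129"}
IOC_DOMAINS = {"innovationsteams.com", "marketplace24ei.ru", "telephony.nexttradeitaly.com"}
IOC_URLS = {
    "http://marketplace24ei.ru//",
    "http://marketplace24ei.ru/790628.php",
    "http://telephony.nexttradeitaly.com/SSSuWBTmYwu/",
}

# Assumed window: a .com-subdomain request followed by a .ru request from the
# same client within this span is reported as matching the described chain.
CHAIN_WINDOW = timedelta(minutes=5)

# Assumed log format: "<iso-timestamp> <client-ip> <dest-ip> <url>" per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst_ip>\S+) (?P<url>\S+)$")

# Constructed sample log. Client and destination addresses use private /
# documentation ranges; example.com / example.ru hosts are placeholders.
SAMPLE_LINES = [
    "2025-08-19T17:00:01 10.0.0.5 198.51.100.10 https://verify.example.com/account",
    "2025-08-19T17:00:09 10.0.0.5 198.51.100.20 https://second-stage.example.ru/index.php",
    "2025-08-19T17:05:30 10.0.0.9 203.0.113.7 http://marketplace24ei.ru/790628.php",
    "2025-08-19T17:05:41 10.0.0.9 191.96.207.129 http://191.96.207.129/",
    "2025-08-19T17:20:00 10.0.0.12 198.51.100.30 https://www.example.com/",
    "2025-08-19T17:30:00 10.0.0.12 198.51.100.40 https://news.example.ru/",
    "this line is not a valid record",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def is_com_subdomain(host):
    """True for hosts with at least one label below a .com registrable name."""
    labels = host.split(".")
    return len(labels) >= 3 and labels[-1] == "com"


def is_ru_domain(host):
    return host.endswith(".ru")


def matches_ioc_domain(host):
    """Exact or subdomain match against the listed IOC domains."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def analyze(lines):
    """Return (client, reason, url) findings; lines are assumed time-ordered."""
    findings = []
    last_com = {}  # client -> timestamp of its most recent .com-subdomain request
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed records rather than abort the run
        client, host, url = rec["client"], rec["host"], rec["url"]
        # Static IOC checks: cheap, but the write-up warns they go stale quickly.
        if rec["dst_ip"] in IOC_IPS:
            findings.append((client, "ioc_ip", url))
        if url in IOC_URLS:
            findings.append((client, "ioc_url", url))
        elif matches_ioc_domain(host):
            findings.append((client, "ioc_domain", url))
        # Behavioral check: .com subdomain, then a .ru domain, same client, short window.
        if is_com_subdomain(host):
            last_com[client] = rec["ts"]
        elif is_ru_domain(host):
            prev = last_com.get(client)
            if prev is not None and rec["ts"] - prev <= CHAIN_WINDOW:
                findings.append((client, "com_subdomain_then_ru", url))
    return findings


if __name__ == "__main__":
    for client, reason, url in analyze(SAMPLE_LINES):
        print(f"{client}\t{reason}\t{url}")
```

The heuristic is deliberately narrow (same client, five-minute window) so that ordinary browsing to .ru sites is not flagged; tune the window and add an allow-list of known-good .ru domains before deploying it as an alert, and treat the static IOC hits as the high-confidence tier and the chain match as a lead for triage.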


Technical Details

Author: AlienVault
TLP: white
References: https://any.run/cybersecurity-blog/salty2fa-technical-analysis
Adversary: Storm-1575
Pulse Id: 68a4af934fc77632709983fc
Threat Score: null

Indicators of Compromise

Type     Value                                              Description
ip       153.127.234.4
ip       153.127.234.5
ip       191.96.207.129
url      http://marketplace24ei.ru//
url      http://marketplace24ei.ru/790628.php
url      http://telephony.nexttradeitaly.com/SSSuWBTmYwu/
domain   innovationsteams.com
domain   marketplace24ei.ru
domain   telephony.nexttradeitaly.com

Threat ID: 68a4ed7fad5a09ad00fba95c

Added to database: 8/19/2025, 9:32:47 PM

Last enriched: 8/19/2025, 9:47:52 PM

Last updated: 8/20/2025, 6:37:42 AM
