By Motasem Hamdan — 10 Sep 2025

How Hackers Bypass Two-Factor Authentication in 2025 | Salty 2FA Explained

Introduction

In my investigation, I uncovered a sophisticated phishing-as-a-service (PhaaS) framework known as Salty 2FA. This framework is specifically designed to bypass two-factor authentication and evade modern detection systems, with a primary focus on targeting Microsoft 365 users.

Capabilities and Evasion Strategies

Salty 2FA is far more complex than a typical credential stealer. It utilizes distinct domain infrastructure patterns and a multi-stage execution chain to remain hidden. One of its most unique evasion strategies is the use of unusual domain pairings, such as combining subdomains like .it.com or .de.com with top-level .ru domains. These previously undocumented combinations allow it to slip past many static detection systems that rely on known bad patterns.

I’ve observed Salty 2FA being used to target a wide range of industries, including finance, telecommunications, energy, and education, with a particular focus on organizations in the US and EU.

The Attack Chain Explained

The attack is not a simple redirect to a phishing page. It involves a multi-stage execution process designed to filter out security scanners and researchers.

Initial Stage: The attack begins with a phishing email containing a lure, such as an attachment named “2025 Remittance Adjustment.” Clicking the link initiates the first stage, which runs obfuscated JavaScript. This “trampoline code” performs a bot check using Cloudflare Turnstile and fetches the next payload.

Second Stage: The decoded payload points to a Russian (.ru) domain. This page contains a large amount of HTML with hidden “noise” to confuse scanners, along with an obfuscated login form. A hidden input field on this page contains a Base64-encoded URL that leads to the actual phishing page.

Third Stage (Obfuscation): On the final phishing page, client-side logic dynamically generates element IDs and encodes them using Base64 and XOR. This makes it difficult to write static rules to detect the page’s structure.
Fourth Stage (2FA Bypass): When the victim enters their credentials and 2FA code, the data is sent via POST requests to the .ru endpoints. The stolen information is encoded within “request” and “session” parameters, and a dedicated session key is used on the server-side to decode the data.

Detection and Protection

My analysis shows that relying solely on static indicators of compromise (IOCs) like known bad domains or file hashes is insufficient to detect Salty 2FA. Protection requires a shift towards behavioral-based detection.

Security teams need to focus on identifying the patterns of the attack, such as:

The unique domain structure pairings (e.g., .de.com with .ru).
The multi-stage execution chaining.
The specific obfuscation routines used.
The pattern of data exfiltration to .ru endpoints.

Using interactive sandboxing tools is crucial for observing this behavior in real-time. By analyzing how the attack unfolds, security professionals can uncover the hidden infrastructure and build robust detection systems that are resilient to these advanced phishing threats.