Salty2FA & Tycoon2FA Hybrid: A New Phishing Threat to Enterprises

Modern phishing has moved far beyond the clumsy “enter-your-password-here” scams. Two powerful Phishing-as-a-Service (PhaaS) families — Tycoon2FA and the recently surfaced Salty2FA — have matured into turnkey toolkits that bypass multifactor authentication (MFA) using adversary-in-the-middle (AiTM) techniques. Even worse: defenders are now seeing hybrid campaigns that combine features of both kits, producing highly automated, resilient attacks aimed specifically at enterprise Microsoft 365 and Google Workspace environments.

What are Tycoon2FA and Salty2FA (quick primer)

  • Tycoon2FA is a sophisticated AiTM phishing kit that uses reverse proxies and real-time session capture to defeat SMS/push and other common second factors. It’s been publicized and analyzed by multiple threat intel vendors for its ability to harvest credentials and session cookies in real time.

  • Salty2FA is a newer PhaaS toolkit observed in targeted enterprise campaigns. It focuses on evasion — dynamic infrastructure, CAPTCHA gating, template morphing, and hijacking trusted delivery paths — allowing it to masquerade as legitimate corporate or vendor email flows. Security outlets and analysts have noted its enterprise targeting and MFA-bypass focus.

  • Hybrid usage: Recent telemetry and OSINT show attackers combining capabilities from both toolkits (e.g., Salty’s dynamic cloaking + Tycoon’s proxying/session capture) to make attacks faster to deploy and harder to detect. IBM X-Force and a number of incident reports highlight these mixed-tool campaigns.

How the hybrid attack typically works (attack flow)

  1. Targeting & Delivery — Highly targeted email or vendor-spoofed message delivered to employees (often via compromised marketing/sales tooling or by using lookalike domains). Salty-style delivery techniques try to blend into legitimate traffic.

  2. Initial Lure — Link opens a phishing page that looks identical to a corporate SSO or Microsoft/Google login. The page is served via a reverse proxy so the attacker can handle real-time responses.

  3. Credential Harvesting & AiTM — When victims enter credentials and complete MFA prompts (SMS, push, or OTP), the proxy relays them to the real service and captures the resulting session tokens/cookies. This allows immediate account takeover without needing to break MFA cryptographically.

  4. Evasion & Persistence — Salty components add evasion: conditional gating (e.g., serve phishing only to specific IP ranges), CAPTCHA, fast-rotating infrastructure, and obfuscation to escape sandboxing and email defenses.

Why enterprises should be alarmed

  • MFA is not a silver bullet — AiTM kits are explicitly built to defeat common second factors. Organizations relying only on SMS or push notifications without additional controls are at real risk.

  • Scale & quality — PhaaS lowers the bar for attackers; hybrid campaigns accelerate reach and increase success rates. Analysts have recovered large volumes of phished credentials tied to these kits. For example, telemetry analyses have captured hundreds of thousands of phished credentials in recent campaigns.

  • Operational sophistication — Combining Salty’s evasion and Tycoon’s session capture reduces forensic visibility and increases the window for attackers to act before detection.

Indicators of compromise (IoCs) & detection tips

Look for these behaviors rather than just static signatures (hybrids deliberately rotate infrastructure):

  • Unusual session creation patterns — simultaneous or rapid reauth from proxied IPs, or session token reuse across disparate geographies shortly after a login.

  • New OAuth consents or unusual app authorizations following a user login. Attackers often try to implant long-lived OAuth tokens.

  • Email delivery anomalies — messages that originate from legitimate third-party platforms but with odd Message-IDs, return-path differences, or unexpected reply-to headers (used by Salty-style delivery to blend in).

  • Phishing landing page traits — pages that proxy to real login pages (look for HTML differences, embedded iframe reverse-proxy patterns, or intermediate redirectors).
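Detection logic for the first two behaviors above (session token reuse across geographies shortly after a login, and new OAuth consents following a login), as an added example that is not part of the original article; the event fields and sample telemetry are constructed assumptions, not any identity provider's real log schema:

```python
from datetime import datetime, timedelta

# Constructed sample sign-in telemetry (not from any real tenant). Field names are an
# assumption loosely modelled on identity-provider logs, not any vendor's schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "event": "login",    "session": "S1", "geo": "DE"},
    {"ts": "2024-05-01T09:04:00", "user": "alice", "event": "activity", "session": "S1", "geo": "US"},
    {"ts": "2024-05-01T09:07:00", "user": "alice", "event": "consent",  "app": "MailSync Helper", "geo": "US"},
    {"ts": "2024-05-01T10:00:00", "user": "bob",   "event": "login",    "session": "S2", "geo": "DE"},
    {"ts": "2024-05-01T16:30:00", "user": "bob",   "event": "activity", "session": "S2", "geo": "DE"},
    {"ts": "2024-05-02T08:00:00", "user": "bob",   "event": "consent",  "app": "Expense Tool", "geo": "DE"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def session_replay(events, window=timedelta(minutes=30)):
    """Same session token used from a different geo shortly after the login that minted it.
    In an AiTM flow the victim signs in through the proxy and the captured cookie is then
    replayed from the attacker's infrastructure, so the token 'travels' within minutes."""
    logins = {e["session"]: e for e in events if e["event"] == "login"}
    hits = []
    for e in events:
        if e["event"] != "activity" or e["session"] not in logins:
            continue
        origin = logins[e["session"]]
        delta = _ts(e) - _ts(origin)
        if timedelta(0) <= delta <= window and e["geo"] != origin["geo"]:
            hits.append((e["user"], e["session"], origin["geo"], e["geo"], int(delta.total_seconds() // 60)))
    return hits

def consents_after_login(events, window=timedelta(hours=1)):
    """OAuth consents granted shortly after a login: a common way to implant long-lived app tokens."""
    hits = []
    for c in (e for e in events if e["event"] == "consent"):
        for lg in (e for e in events if e["event"] == "login" and e["user"] == c["user"]):
            delta = _ts(c) - _ts(lg)
            if timedelta(0) <= delta <= window:
                hits.append((c["user"], c["app"], int(delta.total_seconds() // 60)))
                break
    return hits

def detect(events):
    # Both findings for the same user within a short window is a strong AiTM signal.
    return {"session_replay": session_replay(events), "post_login_consent": consents_after_login(events)}
```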

(Collect IoCs from your own telemetry and vendor feeds—many community repos and vendor writeups maintain IPs, domain patterns, and file hashes for Tycoon/Salty variants.)
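A header check for the email delivery anomalies listed above (Return-Path, Reply-To and Message-ID domains that differ from the displayed sender), as an added example not taken from the original article; the sample message is constructed:

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real capture): relayed through a legitimate bulk-mail
# platform, but Return-Path and Reply-To point away from the displayed corporate sender.
SAMPLE = """\
Message-ID: <4f2a9c1e@mail.bulkplatform.example>
Return-Path: <bounce-7731@mail.bulkplatform.example>
From: "IT Service Desk" <helpdesk@corp.example>
Reply-To: helpdesk@corp-example-support.example
To: alice@corp.example
Subject: Action required: re-validate your sign-in

Please confirm your account within 24 hours.
"""

def _domain(header_value):
    # Extract the bare address from a header and return its lowercased domain ('' if none).
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def header_anomalies(raw):
    """Return (signal, from_domain, other_domain) tuples for each delivery-path mismatch."""
    msg = message_from_string(raw)
    from_d = _domain(msg["From"])
    findings = []
    rp_d = _domain(msg["Return-Path"])
    if rp_d and rp_d != from_d:
        findings.append(("return_path_mismatch", from_d, rp_d))
    reply_d = _domain(msg["Reply-To"])
    if reply_d and reply_d != from_d:
        findings.append(("reply_to_mismatch", from_d, reply_d))
    mid = (msg["Message-ID"] or "").strip().strip("<>")
    mid_d = mid.rsplit("@", 1)[-1].lower() if "@" in mid else ""
    if mid_d and mid_d != from_d:
        findings.append(("message_id_domain_mismatch", from_d, mid_d))
    return findings
```

Legitimate bulk-mail platforms also produce Return-Path and Message-ID mismatches, so treat these as signals to correlate with sign-in telemetry rather than a verdict on their own.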

Immediate defensive actions (practical checklist)

  1. Enforce stronger MFA — use phishing-resistant methods where possible: hardware security keys (FIDO2/WebAuthn) or certificate-based auth for high-risk accounts. SMS and simple push should not be the only layer.

  2. Block suspicious OAuth flows — monitor and require admin approval for third-party app consents. Look for unexpected changes to app permissions.

  3. Conditional access & risk-based policies — implement geolocation, device compliance, and network context checks. Block or step-up authentication if login behavior is anomalous.

  4. Email & web gateway tuning — enable URL rewriting/safe-linking, sandbox attachments, and block known-bad delivery patterns. Use heuristics to detect reverse-proxy landing pages and enforce safe-click warning banners.

  5. Hunt for early indicators — look for bursts of failed logins, new session tokens, or bulk password resets following targeted lures. Correlate logs from the email gateway, proxy, CASB, and identity provider.

  6. User awareness that matters — train users not only to spot suspicious emails but to verify unexpected MFA prompts and report unexpected login prompts to security teams immediately. Simulated phishing should include AiTM scenarios so testing aligns with real threats.

Longer-term resilience strategies

  • Adopt phishing-resistant MFA (FIDO2) for admins & high-risk roles.

  • Zero Trust identity posture — least privilege, just-in-time admin access, and continuous device posture checks.

  • Telemetry centralization — ingest identity provider logs, email gateway telemetry, and endpoint detections into an analytics plane for faster correlation and automation of containment.

  • Threat intelligence & sharing — subscribe to reputable intel feeds and contribute IoC sightings to sector information-sharing groups to starve PhaaS operators of amplification paths.

What to do if you suspect a hybrid Salty2FA/Tycoon2FA compromise

  1. Immediately revoke sessions and rotate known-compromised credentials and OAuth tokens for affected accounts.

  2. Force reauthentication for accounts that presented unusual OAuth grants or suspicious session behavior.

  3. Perform a targeted hunt: look for lateral movement, mailbox rule creation, data egress, and newly established persistence mechanisms.

  4. Notify affected users and law enforcement/incident response partners as appropriate. Capture forensic artifacts (HTTP headers, proxy logs, auth logs) for attribution and to feed back into prevention controls.

Bottom line

Phishing kits like Tycoon2FA proved what AiTM attacks could do; Salty2FA and now hybrid campaigns have raised the stakes by adding stealth and delivery sophistication. Enterprises must treat this as an identity-centric threat: focus on phishing-resistant MFA, tight OAuth governance, risk-based access controls, and strong telemetry correlation. The attack is not just about stolen passwords anymore — it’s about stolen sessions, abused OAuth consents, and speedy account takeover. Act now to harden identity controls before a hybrid campaign finds a gap in your environment.