New insight from Barracuda Research provides a step‑by‑step analysis of the latest phishing campaigns from the relatively rare phishing kit, Saiga 2FA. The findings highlight how some phishing kits are evolving from static toolsets into configurable, application-level attack platforms.
Saiga 2FA is a low‑volume but highly evasive adversary‑in‑the‑middle (AitM) phishing kit designed to bypass multifactor authentication (MFA) and steal session cookies from enterprise email users. Like other phishing kits, Saiga 2FA lures victims through brand impersonation phishing emails with embedded malicious links or QR codes and then redirects them through various stages to the final phishing site. It employs similar layered evasion techniques to reduce detection and hinder analysis, such as detecting when browser developer tools are opened and immediately redirecting the user to a benign page such as Google search.
What sets Saiga 2FA apart from other phishing-as-a-service (PhaaS) kits:
· Saiga delivers its phishing pages as a fully fledged web application, with phishing content generated on the fly using JavaScript. This makes it much harder for basic security scanners to spot anything malicious by simply inspecting the static page source.
· A configuration file embedded within the web application controls how each phishing session behaves, for example, by changing the phishing theme as needed.
· The web pages used by Saiga feature ‘lorem ipsum’ pseudo-Latin placeholder text in the metadata fields. This text is semantically meaningless and does not indicate the page’s purpose or function, helping attackers to avoid triggering keyword-based detection systems and brand impersonation heuristics.
· An integrated FM Scanner, a tool for extracting and analyzing mailbox content, enables attackers to search for and extract data from compromised mailboxes. The extracted data is then reused via Saiga Mailer for further phishing campaigns.
· Saiga provides a web-based dashboard for campaign lifecycle management, enables domain configuration, logging and automation, and implements advanced traffic filtering and conditional content loading. This level of centralization and control differentiates it from simpler phishing kits that rely mainly on Telegram-based logging.
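The two evasions described above, script-rendered content and placeholder metadata, defeat scanners that look for brand keywords in the page source. A defender-side heuristic can instead flag the absence of meaningful static content. The following is an added example, not code from Barracuda or from the kit; it uses only the Python standard library, the placeholder word list and the thresholds are assumptions, and both HTML pages are constructed samples.

```python
import re
from html.parser import HTMLParser

# Placeholder text is built from a small fixed pseudo-Latin vocabulary, so counting
# hits from this hand-picked (assumed) list is enough to recognise it.
LOREM_WORDS = {
    "lorem", "ipsum", "dolor", "sit", "amet", "consectetur", "adipiscing", "elit",
    "sed", "eiusmod", "tempor", "incididunt", "labore", "magna", "aliqua",
}

class PageProfile(HTMLParser):
    """Collects the signals the heuristic needs from raw HTML: metadata text,
    visible body text and the amount of script on the page."""

    def __init__(self):
        super().__init__()
        self.meta_text = []      # <title> text and <meta ... content="..."> values
        self.visible_text = []   # text nodes outside <script>/<style>
        self.script_bytes = 0
        self.external_scripts = 0
        self._in_title = self._in_script = self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta":
            name = (attrs.get("name") or attrs.get("property") or "").lower()
            if name in {"description", "keywords", "og:title", "og:description"}:
                self.meta_text.append(attrs.get("content") or "")
        elif tag == "script":
            self._in_script = True
            if attrs.get("src"):
                self.external_scripts += 1
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "script":
            self._in_script = False
        elif tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_script:
            self.script_bytes += len(data)
        elif self._in_title:
            self.meta_text.append(data)
        elif not self._in_style:
            self.visible_text.append(data)

def placeholder_ratio(text):
    """Fraction of alphabetic words that belong to the placeholder vocabulary."""
    words = re.findall(r"[a-z]+", text.lower())
    return sum(w in LOREM_WORDS for w in words) / len(words) if words else 0.0

def profile_page(html):
    p = PageProfile()
    p.feed(html)
    p.close()
    return {
        "meta_placeholder_ratio": placeholder_ratio(" ".join(p.meta_text)),
        "body_words": len(re.findall(r"\w+", " ".join(p.visible_text))),
        "script_bytes": p.script_bytes,
        "external_scripts": p.external_scripts,
    }

def assess(html, placeholder_threshold=0.5, min_body_words=20):
    """Return (suspicious, reasons). A page is flagged only when its metadata is
    placeholder text AND its static HTML carries almost no visible content while
    relying on script to render: the combination keyword scanners are blind to."""
    f = profile_page(html)
    reasons = []
    if f["meta_placeholder_ratio"] >= placeholder_threshold:
        reasons.append(f"metadata is {f['meta_placeholder_ratio']:.0%} placeholder text")
    if f["body_words"] < min_body_words and (f["script_bytes"] or f["external_scripts"]):
        reasons.append(f"only {f['body_words']} visible words; content is script-rendered")
    return len(reasons) == 2, reasons

# Constructed sample: an empty shell with placeholder metadata, populated by script.
SHELL_PAGE = """<html><head>
<title>Lorem ipsum dolor sit amet</title>
<meta name="description" content="Consectetur adipiscing elit sed do eiusmod tempor">
<meta property="og:title" content="Lorem ipsum">
</head><body><div id="app"></div>
<script src="/static/app.js"></script>
<script>window.__cfg={theme:"default"};</script>
</body></html>"""

# Constructed sample: an ordinary static page with real metadata and content.
NORMAL_PAGE = """<html><head>
<title>Quarterly maintenance schedule</title>
<meta name="description" content="Planned maintenance windows for the internal portal">
</head><body><h1>Maintenance schedule</h1>
<p>The portal will be unavailable on the first Saturday of each month between
02:00 and 04:00 while patches are applied. Contact the service desk with questions
about access during these windows or to request an exception for critical jobs.</p>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("shell", SHELL_PAGE), ("normal", NORMAL_PAGE)):
        print(name, *assess(page))
```

The heuristic is deliberately about what is missing rather than what is present: a legitimate single-page application can also ship an empty shell, so the placeholder-metadata condition is required as well, and in practice the flagged URL would be queued for rendering in a sandboxed browser rather than blocked outright.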
“Saiga belongs to a class of advanced phishing kits that function more like a boutique service than a fully automated platform, with a suite of configuration options that can be implemented on-the-fly during an attack,” said Saravanan Mohankumar, Manager, Threat Analysis Team at Barracuda. “To mitigate against such attacks, organizations are advised to adopt phishing-resistant authentication methods such as FIDO2/WebAuthn, enforce strict URL verification practices and implement advanced monitoring to detect anomalous authentication behavior. A layered security approach is essential in defending against modern AitM phishing frameworks.”
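The monitoring the quote recommends can be made concrete. In an AitM flow the identity provider sees the victim complete MFA through the proxy, after which the stolen session cookie is replayed from the attacker's own infrastructure, so the same session appears from a second client shortly after MFA. The following is an added example, not Barracuda's code or anything from the kit; the event schema and the one-hour window are assumptions, the IP addresses come from the documentation ranges, and the log lines are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (JSON lines) in an assumed, generic IdP audit schema.
# Session S-1001: MFA is completed from one client, then the same session is used
# minutes later from a different address with a different user agent. Session
# S-2002 is ordinary: every use comes from the client that completed MFA.
SAMPLE_LOG = """
{"ts":"2024-05-02T09:12:04Z","user":"alice","event":"mfa_success","session":"S-1001","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts":"2024-05-02T09:12:09Z","user":"alice","event":"session_use","session":"S-1001","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/124"}
{"ts":"2024-05-02T09:15:41Z","user":"alice","event":"session_use","session":"S-1001","ip":"198.51.100.77","ua":"python-requests/2.31"}
{"ts":"2024-05-02T09:20:00Z","user":"bob","event":"mfa_success","session":"S-2002","ip":"192.0.2.55","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
{"ts":"2024-05-02T10:02:13Z","user":"bob","event":"session_use","session":"S-2002","ip":"192.0.2.55","ua":"Mozilla/5.0 (Macintosh) Safari/17"}
"""

def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_session_replays(events, window=timedelta(hours=1)):
    """Flag sessions used from a client other than the one that completed MFA,
    within `window` of that MFA. Returns one alert dict per offending event."""
    origin = {}   # session id -> the mfa_success event that established it
    alerts = []
    for e in events:
        if e["event"] == "mfa_success":
            origin[e["session"]] = e
            continue
        if e["event"] != "session_use" or e["session"] not in origin:
            continue
        o = origin[e["session"]]
        ip_changed = e["ip"] != o["ip"]
        ua_changed = e["ua"] != o["ua"]
        if ip_changed and e["ts"] - o["ts"] <= window:
            alerts.append({
                "user": e["user"],
                "session": e["session"],
                "mfa_ip": o["ip"],
                "use_ip": e["ip"],
                "minutes_after_mfa": round((e["ts"] - o["ts"]).total_seconds() / 60, 1),
                # An IP alone can change legitimately (mobile networks, VPN egress);
                # IP and user agent changing together right after MFA is far rarer.
                "severity": "high" if ua_changed else "medium",
            })
    return alerts

if __name__ == "__main__":
    for a in find_session_replays(parse_events(SAMPLE_LOG)):
        print(a)
```

This is a compensating control, not a replacement for the first recommendation in the quote: phishing-resistant authentication such as FIDO2/WebAuthn binds the credential to the real origin so the proxy cannot complete the login in the first place, whereas the detection above only catches a session that has already been established and replayed. Real deployments would enrich the comparison with ASN or geolocation rather than raw IP equality to keep the medium-severity alerts manageable.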