Saiga phishing kit returns to bypass multifactor auth

Tue, 5th May 2026
Sean Mitchell, Publisher

Barracuda has identified new phishing campaigns linked to the Saiga 2FA kit, pointing to the return of a relatively rare tool used to bypass multifactor authentication.

The latest campaigns show Saiga 2FA operating as an adversary-in-the-middle phishing framework targeting enterprise email users, according to Barracuda's researchers. Attackers use brand impersonation emails containing malicious links or QR codes to lure targets, then redirect them through several stages to a final phishing page.

Session theft

The kit is designed to steal session cookies after users complete authentication, allowing attackers to sidestep multifactor authentication protections. Although the attacks remain low in volume, they are difficult to detect because the infrastructure changes behaviour during a session and uses several layers of evasion.

One unusual feature is how the phishing pages are delivered. Instead of relying on static pages that can be easily inspected, Saiga serves phishing content through a web application that generates material dynamically with JavaScript.

That structure means simple scanning methods may miss malicious content if they examine only the page source code. An embedded configuration file can also alter how each phishing session behaves, including changing the phishing theme during an attack.

Evasion tactics

Researchers said the kit also uses techniques intended to frustrate analysis. If browser developer tools are opened, the user may be redirected immediately to a benign destination such as a Google search page, making inspection harder for analysts and automated systems.

Another element highlighted in the research is the use of "lorem ipsum" placeholder text in page metadata. This pseudo-Latin text carries no meaningful description of the page and may help attackers evade detection methods that rely on keywords or brand impersonation signals.

Attack chain

The attack chain begins with a phishing lure that imitates a trusted brand. Once a user clicks through, they are moved through a sequence of pages before reaching the credential theft stage, where the adversary-in-the-middle setup captures the information needed to hijack an authenticated session.

Saiga differs from many simpler phishing operations because it includes a more centralised management structure. The kit includes a web-based dashboard for campaign management, domain configuration, logging and automation, as well as traffic filtering and conditional content loading.

Barracuda also identified an integrated FM Scanner, described as a tool for extracting and analysing mailbox content. Data gathered from compromised mailboxes can then be reused through a component Barracuda refers to as Saiga Mailer to support further phishing activity.

Defence steps

The findings suggest a shift in parts of the phishing market away from fixed toolsets and towards more adaptable, application-based frameworks. In practice, that gives operators greater control over how campaigns appear and respond in real time, while making it harder for defenders to rely on straightforward detection signatures.

Security teams have been watching the growth of adversary-in-the-middle phishing kits because they target one of the most widely used account protection measures. By stealing session cookies rather than just passwords, these attacks can compromise accounts even when an extra authentication step is in place.

The latest Saiga activity underlines the need for stronger defences than conventional multifactor authentication alone, Barracuda said. It pointed to phishing-resistant methods such as FIDO2 and WebAuthn, along with strict URL verification practices and monitoring for unusual authentication patterns.
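The "unusual authentication patterns" worth monitoring here are the footprint a stolen session cookie leaves: MFA completes from the victim's browser, and minutes later the same session identifier is presented from a different network location by a different client. The following is an added example, not Barracuda's or the article's code; the log format, field names and IP addresses are constructed for illustration.

```python
"""Flag likely session-cookie replay following an AitM phish.

Pattern: a user completes MFA, then shortly afterwards the same session
identifier appears from a different source IP AND a different user agent.
Requiring both to change reduces noise from ordinary mobile IP roaming.
The log format below is constructed for this example.
"""
from datetime import datetime

# Constructed sample log: timestamp event user session_id source_ip user_agent
SAMPLE_LOG = """\
2026-05-05T08:00:00Z MFA_OK alice sess-a1 198.51.100.10 Mozilla/5.0 (Windows NT 10.0) Chrome/124
2026-05-05T08:00:40Z REQUEST alice sess-a1 198.51.100.10 Mozilla/5.0 (Windows NT 10.0) Chrome/124
2026-05-05T08:03:12Z REQUEST alice sess-a1 203.0.113.77 python-requests/2.31
2026-05-05T09:10:00Z MFA_OK bob sess-b7 192.0.2.25 Mozilla/5.0 (Macintosh) Safari/17.4
2026-05-05T09:12:00Z REQUEST bob sess-b7 192.0.2.25 Mozilla/5.0 (Macintosh) Safari/17.4
"""


def parse_line(line):
    """Split one log line; the user agent is the remainder and may contain spaces."""
    ts, event, user, sid, ip, ua = line.split(" ", 5)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, sid, ip, ua


def find_session_replays(log_text, window_seconds=1800):
    """Return (user, session_id, mfa_ip, replay_ip, seconds_after_mfa) tuples.

    A session is tracked from its MFA_OK event; any later request within the
    window that arrives from a new IP with a new user agent is reported.
    """
    origin = {}  # session_id -> (mfa_time, ip, user_agent) seen at MFA completion
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, sid, ip, ua = parse_line(line)
        if event == "MFA_OK":
            origin[sid] = (ts, ip, ua)
            continue
        if sid not in origin:
            continue  # no MFA event on record for this session; skip
        mfa_ts, mfa_ip, mfa_ua = origin[sid]
        elapsed = int((ts - mfa_ts).total_seconds())
        # Same cookie, different network location and client, soon after MFA:
        # consistent with a relayed session rather than the victim's browser.
        if elapsed <= window_seconds and ip != mfa_ip and ua != mfa_ua:
            alerts.append((user, sid, mfa_ip, ip, elapsed))
    return alerts


if __name__ == "__main__":
    for alert in find_session_replays(SAMPLE_LOG):
        print("possible session replay:", alert)
```

In production the same correlation would key on the identity provider's session or token ID and enrich the source IP with ASN or geolocation, but the shape of the rule is unchanged.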

"Saiga belongs to a class of advanced phishing kits that function more like a boutique service than a fully automated platform, with a suite of configuration options that can be implemented on-the-fly during an attack," said Saravanan Mohankumar, Manager of Barracuda's Threat Analysis Team.

"To mitigate against such attacks, organisations are advised to adopt phishing-resistant authentication methods such as FIDO2/WebAuthn, enforce strict URL verification practices and implement advanced monitoring to detect anomalous authentication behaviour. A layered security approach is essential in defending against modern AitM phishing frameworks," added Mohankumar.