More Phishing Tips

New research from Barracuda Networks has identified a surge in attacks by Saiga 2FA, a small-scale but sophisticated phishing kit.  Activity increased significantly in February 2026, following earlier sightings targeting legal organizations in Australia in 2025.  The kit operates as a boutique service rather than a high-volume automated platform, focusing on highly targeted campaigns against enterprise email users.  Saiga 2FA is an Adversary-in-the-Middle (AitM) tool: it proxies the victim's sign-in to the genuine service, so the multifactor challenge is completed as normal and the kit captures the resulting session cookie in real time, bypassing MFA without having to break it.[1]

It lures victims with brand-impersonation emails that mimic DocuSign notifications, urging urgent document review or signature.  Messages contain malicious links or QR codes that initiate a multi-stage redirection chain: the link first routes victims through reputable URL protection services and tracking links, which masks the final phishing domain and lends the link a trusted first hop.  The phishing site itself opens with a custom Cloudflare Turnstile CAPTCHA to block automated scanners and bots.  After validation, victims encounter a fake Adobe consent screen followed by a replica Microsoft login page where credentials are captured.  The kit then steals the session cookie issued for that login, granting attackers persistent access to the victim's mailbox.  An integrated FM Scanner tool extracts and analyses mailbox content for reuse in follow-up phishing campaigns sent via Saiga Mailer.

Saiga 2FA stands out through its use of modern web technologies and layered evasion methods.  Phishing pages are delivered as fully fledged web applications built with Next.js.  Content is generated dynamically at runtime using JavaScript, making static source code inspection by traditional security scanners ineffective.

Metadata fields contain “lorem ipsum” placeholder text instead of brand-specific keywords, so keyword-based detection and brand-impersonation heuristics that inspect page titles and descriptions find nothing to match.  Additional measures include detection of open browser developer tools, which triggers an immediate redirect to a benign page such as Google search, and IP-based filtering that serves the real phishing content only to intended victims while hiding it from researchers and scanners.  URL structures mimic legitimate Microsoft OAuth authorization requests, carrying parameters such as client_id, scope and redirect_uri to enhance credibility; the parameters are decoration, the host is attacker-controlled, and the entire authentication process remains under attacker control.
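The practical consequence of the OAuth-lookalike URLs is that the query string tells a reviewer nothing; only the host does. The following triage function is an added example, not code from Barracuda or from the Saiga 2FA kit. It parses a URL, checks whether it carries the parameter set of an OAuth 2.0 authorization request, and flags it when the host is not a Microsoft identity endpoint, when the host merely contains a brand name, or when redirect_uri is not HTTPS. The allowlist and the sample URLs are constructed for illustration and should be extended for a real tenant.

```python
"""Triage a URL that dresses itself up as a Microsoft OAuth authorization
request. Added example; not Barracuda's code and not the kit's own URLs.
The host allowlist and sample URLs below are constructed assumptions."""
from urllib.parse import urlparse, parse_qs

# Hosts that legitimately serve Microsoft Entra / Microsoft account sign-in.
# Assumption: illustrative allowlist, extend it for your environment.
MICROSOFT_AUTH_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "login.windows.net",
}

# Parameters a genuine OAuth 2.0 authorization request carries.
OAUTH_PARAMS = {"client_id", "scope", "redirect_uri", "response_type"}

# Brand words that a lookalike host tends to embed to look credible.
BRAND_TOKENS = ("microsoft", "office", "docusign", "adobe")


def is_microsoft_auth_host(host: str) -> bool:
    """True only for an allowlisted host or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in MICROSOFT_AUTH_HOSTS)


def triage_oauth_lookalike(url: str) -> dict:
    """Return {'host', 'oauth_like', 'suspicious', 'reasons'} for one URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    params = parse_qs(parsed.query)
    present = OAUTH_PARAMS & set(params)
    oauth_like = len(present) >= 2          # two or more OAuth parameters
    reasons = []

    # The decisive check: OAuth-shaped parameters on a non-Microsoft host.
    if oauth_like and not is_microsoft_auth_host(host):
        reasons.append(
            f"OAuth-style parameters {sorted(present)} on non-Microsoft host {host}"
        )

    # A host that only *contains* a brand name but is not allowlisted.
    if not is_microsoft_auth_host(host) and any(t in host for t in BRAND_TOKENS):
        reasons.append(f"brand name embedded in untrusted host {host}")

    # redirect_uri should never be plain HTTP on a real authorization request.
    for redirect in params.get("redirect_uri", []):
        if urlparse(redirect).scheme.lower() != "https":
            reasons.append(f"non-HTTPS redirect_uri {redirect}")

    return {
        "host": host,
        "oauth_like": oauth_like,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample URLs: one genuine-looking request, two lookalikes.
    samples = [
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        "?client_id=00000000-0000-0000-0000-000000000000&scope=openid"
        "&redirect_uri=https%3A%2F%2Fwww.office.com%2F&response_type=code",
        "https://docusign-review.example.net/authorize?client_id=abc"
        "&scope=openid%20profile&redirect_uri=https%3A%2F%2Fdocusign-review.example.net%2Fcb"
        "&response_type=code",
        "https://login.microsoftonline.com.example.net/authorize?client_id=abc"
        "&scope=openid&redirect_uri=http%3A%2F%2Fexample.net%2Fcb",
    ]
    for s in samples:
        verdict = triage_oauth_lookalike(s)
        print("SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["host"], verdict["reasons"])
```

The subdomain test is what catches the third sample: `login.microsoftonline.com.example.net` ends with a brand host string but is a subdomain of `example.net`, not of `microsoftonline.com`, so it is not treated as trusted.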

Unlike many Phishing-as-a-Service platforms, Saiga 2FA features a centralized Saiga-Hub dashboard for campaign management, domain configuration, logging, and automation.  It supports advanced traffic filtering and conditional content loading.  The kit also includes post-compromise capabilities beyond simple credential theft and follows a stealth-focused operational model aimed at high-value targets while evading endpoint detection and response solutions.  It is typically more expensive than mass-market alternatives and appears less frequently in the wild, which contributes to its longevity.

The findings highlight the continuing evolution of phishing kits into configurable, application-level platforms that adapt on the fly and challenge conventional detection methods.  Barracuda advises organizations to implement phishing-resistant authentication such as FIDO2/WebAuthn: the credential is bound to the legitimate site's origin, so a proxy on a lookalike domain cannot complete the sign-in and therefore never obtains a session cookie to steal, removing the reliance on passwords and relayable MFA codes that AitM kits exploit.

Strict URL verification practices should be enforced, alongside advanced monitoring for anomalous authentication attempts.  Training users to scrutinize unexpected DocuSign or similar notifications remains essential.
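One concrete form of "monitoring for anomalous authentication attempts" against an AitM kit is to watch for the trace it leaves: MFA is completed from the victim's network, and shortly afterwards the same session is used from the attacker's infrastructure. The detection below is an added example, not Barracuda's or any vendor's rule; the JSON log schema and the events are constructed for illustration (most identity providers expose equivalent fields for session identifier, source IP and autonomous system). It keys on a change of ASN rather than IP, because a mobile user changes IP within one carrier far more often than they change network operator.

```python
"""Flag session cookies/tokens used from a different network than the one
that completed the interactive MFA sign-in, the footprint of an AitM proxy
that relays the login and then replays the stolen session.
Added example; the log schema and events are constructed, not real telemetry."""
import json
from datetime import datetime, timedelta

# Constructed events. Alice completes MFA from ASN 64496; three minutes later
# her session id is used from ASN 64511. Bob roams to a new IP within the same
# ASN, which should not alert. Carol's session has no observed sign-in at all.
SAMPLE_LOG = """
{"ts": "2026-02-10T09:00:00Z", "user": "alice@example.com", "event": "interactive_signin", "session_id": "s-1", "ip": "203.0.113.10", "asn": 64496, "mfa": "satisfied"}
{"ts": "2026-02-10T09:03:00Z", "user": "alice@example.com", "event": "session_use", "session_id": "s-1", "ip": "198.51.100.7", "asn": 64511}
{"ts": "2026-02-10T09:05:00Z", "user": "alice@example.com", "event": "session_use", "session_id": "s-1", "ip": "203.0.113.10", "asn": 64496}
{"ts": "2026-02-10T09:30:00Z", "user": "carol@example.com", "event": "session_use", "session_id": "s-9", "ip": "198.51.100.9", "asn": 64511}
{"ts": "2026-02-10T10:00:00Z", "user": "bob@example.com", "event": "interactive_signin", "session_id": "s-2", "ip": "203.0.113.22", "asn": 64496, "mfa": "satisfied"}
{"ts": "2026-02-10T10:30:00Z", "user": "bob@example.com", "event": "session_use", "session_id": "s-2", "ip": "203.0.113.23", "asn": 64496}
"""


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def find_session_replays(text: str, window: timedelta = timedelta(hours=24)) -> list:
    """Return one alert per session use that comes from a different ASN than
    the interactive sign-in that minted the session (within `window`), or that
    has no observed interactive sign-in at all."""
    issued = {}   # session_id -> the interactive_signin event that created it
    alerts = []
    for e in parse_events(text):
        sid = e["session_id"]
        if e["event"] == "interactive_signin":
            issued[sid] = e
            continue
        origin = issued.get(sid)
        if origin is None:
            alerts.append({
                "user": e["user"], "session_id": sid, "used_from": e["ip"],
                "issued_from": None,
                "reason": "session used without an observed interactive sign-in",
            })
            continue
        if e["asn"] != origin["asn"] and e["ts"] - origin["ts"] <= window:
            alerts.append({
                "user": e["user"], "session_id": sid, "used_from": e["ip"],
                "issued_from": origin["ip"],
                "reason": "session used from a different network than the one that completed MFA",
            })
    return alerts


if __name__ == "__main__":
    for a in find_session_replays(SAMPLE_LOG):
        print(f"{a['user']} {a['session_id']}: {a['reason']} "
              f"(issued from {a['issued_from']}, used from {a['used_from']})")
```

The orphan-session case matters as much as the network change: a session cookie imported into the attacker's browser can show up in audit logs as activity on a session your sign-in logs never recorded being created, which is exactly what persistent mailbox access through a stolen cookie looks like. Tune the window and consider adding an allowlist of corporate egress ASNs before using this in production.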

Jim McKee, CEO of https://www.redskyalliance.com, stated, “I receive at least one bogus DocuSign agreement every week.  This is the reason why I no longer use their services.”


This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122


[1] https://www.cybersecurityintelligence.com/blog/boutique-phishing-kit-ramps-up-activity-9334.html
