What Is Saiga 2FA?
Saiga 2FA is an Adversary-in-the-Middle (AiTM) Phishing-as-a-Service (PhaaS) offering that emerged at the end of 2024 and achieved widespread adoption by threat actors in 2025. It operates as a fully featured platform providing reverse-proxy-based session hijacking capabilities targeting Microsoft 365 accounts. According to Sekoia.io analysis published in Q1 2025, Saiga 2FA is one of several new AiTM phishing kits that entered the market in late 2024 alongside Sneaky 2FA, CEPHAS, Gabagool, and Legions 2FA, collectively expanding the PhaaS ecosystem beyond established platforms like Tycoon 2FA and EvilProxy. The platform enables attackers to intercept complete OAuth and Azure AD login chains, capturing the session cookies that maintain authenticated state; replaying such a cookie bypasses multi-factor authentication, because the cookie itself is proof that authentication already occurred.
Saiga 2FA operates within the broader PhaaS infrastructure model, providing turnkey solutions to threat actors through subscription-based access, regular updates and improvements to evade detection, and minimal technical expertise requirements for customers deploying campaigns. According to Sekoia.io global analysis of adversary-in-the-middle phishing threats, eleven widespread AiTM kits dominated the ecosystem by Q1 2025, with Saiga 2FA positioned among the most widely adopted emerging platforms. It competes against established market leaders including Tycoon 2FA (commanding 95.59% market share by August 2025 according to Centripetal.ai analysis), EvilProxy, and newer entrants like Whisper 2FA.
How Does Saiga 2FA Work?
Saiga 2FA functions as a reverse-proxy-based phishing service that positions infrastructure between user browsers and Microsoft's legitimate authentication endpoints. When victims click phishing links distributed through email or other channels, they encounter convincing replica Microsoft 365 login pages hosted on Saiga 2FA infrastructure. These pages proxy authentication requests from victim browsers to Microsoft's actual servers while intercepting all data transmitted during the authentication flow.
The adversary-in-the-middle architecture enables Saiga 2FA to capture three classes of data during a single login. It records username and password credentials as victims enter them; it intercepts MFA tokens, including SMS codes, authenticator app OTPs, and push notification responses, as victims complete multi-factor authentication challenges; and it harvests the session cookies and authentication tokens issued by Microsoft servers after successful login completion. According to Sekoia.io analysis from Q1 2025, this comprehensive data capture provides attackers with both static credentials and dynamic session tokens representing proof of successful authentication.
Session cookie theft enables persistent account access independent of password changes. Microsoft 365 session cookies typically remain valid for 24 to 72 hours depending on organizational timeout policies and conditional access configurations. During this validity window, attackers possessing stolen cookies can access victim accounts repeatedly without requiring new authentication, as the cookie itself proves that authentication already occurred. This capability enables attackers to conduct sustained exploitation including email monitoring, data exfiltration, and lateral movement within compromised organizations.
The reverse-proxy mechanism operates in real time, relaying stolen MFA codes to Microsoft's servers for validation at the moment victims provide them. When victims enter one-time passwords believing they are authenticating to Microsoft, Saiga 2FA captures these codes and immediately forwards them to the legitimate authentication endpoints. Microsoft's servers validate the codes as authentic, issue session tokens, and grant account access. The victim completes authentication believing they have successfully logged in, while Saiga 2FA obtains a valid authenticated session for attacker exploitation.
Targeting focuses primarily on Microsoft 365 environments, including Office 365, OneDrive, SharePoint, and Azure Active Directory authentication flows. According to Sekoia.io analysis, Saiga 2FA provides pre-built templates and infrastructure specifically optimized for Microsoft authentication interception, reflecting the platform's specialization rather than multi-platform versatility. This Microsoft focus aligns with the broader PhaaS market's concentration on Microsoft 365 as a high-value enterprise target with a substantial user base and sensitive data.
How Does Saiga 2FA Differ From Other Emerging Platforms?
| Aspect | Saiga 2FA | Sneaky 2FA | CEPHAS | Gabagool | Legions 2FA |
|---|---|---|---|---|---|
| Emergence | End 2024 | Dec 2024 | Late 2024 | Late 2024 | Late 2024 |
| Type | AiTM PhaaS | AiTM PhaaS | AiTM PhaaS | AiTM PhaaS | AiTM PhaaS |
| Primary Target | Microsoft 365 | Microsoft 365 | Unknown | Corporate/Gov email | Unknown |
| Session Cookie Focus | Yes | Yes | Unknown | Yes (JWT tokens) | Unknown |
| Adoption Level | Widely adopted | Emerging (4.41% Aug 2025) | Emerging | Emerging | Emerging |
| Distribution Model | PhaaS subscription | Licensed code | Unknown | Direct use by operators | Unknown |
| Market Categorization | Emerging leader | Budget tier | Emerging | Specialized | Emerging |
| Ideal for | High-volume campaigns | Budget-conscious attackers | Unknown | Government targeting | Unknown |
The comparison reveals Saiga 2FA as one of multiple AiTM platforms emerging simultaneously in late 2024. According to Sekoia.io analysis from Q1 2025, this wave of new platforms including Saiga, Sneaky, CEPHAS, Gabagool, and Legions represents expanding PhaaS market capacity beyond established incumbents. While Tycoon 2FA maintained market dominance at 95.59% by August 2025 according to Centripetal.ai, the emergence of multiple alternatives indicates either growing demand exceeding incumbent capacity or customer preference diversity seeking specialized features or pricing differentiation.
Saiga 2FA's "widely adopted" classification according to Sekoia.io suggests stronger market penetration than platforms like Sneaky 2FA despite Sneaky's quantified 4.41% market share. This apparent discrepancy may reflect measurement methodology differences where "adoption" refers to customer count or campaign frequency rather than attack volume or credential harvest totals. Alternatively, Saiga's emergence timing at end of 2024 versus Sneaky's December 2024 discovery may have provided additional operational months enabling broader customer acquisition.
The session cookie theft focus common across Saiga, Sneaky, and Gabagool indicates convergence around proven AiTM techniques. According to Sekoia.io analysis, session cookie interception provides more reliable account access than credential-only harvesting because cookies enable authentication replay without requiring password knowledge or MFA completion. This technical convergence suggests PhaaS operators recognize session hijacking as the most effective approach against MFA-protected environments.
Saiga's PhaaS subscription model contrasts with Sneaky 2FA's licensed obfuscated code distribution approach. While Sneaky provides customers with code for independent deployment, reducing operator infrastructure liability, Saiga apparently operates centralized infrastructure where customers access managed services. This architectural difference affects operational resilience, as centralized platforms face single-point-of-failure disruption risk while distributed models spread infrastructure across customers.
Why Does Saiga 2FA Matter?
Saiga 2FA represents the continued low barriers to entry in PhaaS market development. According to Sekoia.io analysis from Q1 2025, new platforms including Saiga emerged despite Tycoon 2FA's overwhelming market dominance, indicating that development and operational costs remain sufficiently low to attract new operators. This continued market entry suggests that law enforcement disruption efforts and defensive evolution have not substantially increased PhaaS development barriers, as operators continue launching new platforms achieving market viability.
The platform's wide adoption among threat actors demonstrates sustained demand for AiTM capabilities. According to Sekoia.io reporting, Saiga 2FA achieved "widely adopted" status within months of emergence, indicating rapid customer acquisition and operational scaling. This demand reflects both the effectiveness of AiTM techniques against MFA-protected environments and the expanding threat actor population seeking turnkey phishing infrastructure requiring minimal technical expertise.
Saiga 2FA's emergence as one of eleven widespread AiTM kits identified by Sekoia illustrates ecosystem diversification. Rather than consolidating around one or two dominant platforms, the PhaaS market sustains multiple concurrent offerings at various price points, feature sets, and operational models. According to Sekoia analysis, this diversity enables customer segmentation where budget-conscious attackers select cheaper platforms, sophisticated threat actors choose feature-rich options, and specialized operators prefer platforms optimized for specific attack scenarios.
The session cookie interception capability undermines organizations' MFA deployment investments. According to security analysis, many organizations implement MFA believing it provides comprehensive protection against credential theft, unaware that session cookie hijacking bypasses MFA entirely. Saiga 2FA's exploitation of this gap demonstrates that MFA represents necessary but insufficient protection requiring complementary controls including session token binding, impossible travel detection, and aggressive timeout policies.
What Are the Limitations of Saiga 2FA?
Session Cookie Temporal Constraints
Stolen session cookies have limited validity windows determined by Microsoft 365 timeout policies. According to Microsoft security documentation and Sekoia.io analysis, typical session cookies expire after 24-72 hours of inactivity, with aggressive organizational policies reducing validity to minutes for sensitive operations. Attackers must exploit stolen cookies within these timeframes or lose access when sessions expire. Organizations implementing aggressive session timeout policies substantially reduce the practical value of stolen cookies compared to permanent password compromise.
Certificate Pinning Defeats Reverse-Proxy Attacks
Applications using certificate pinning can detect and block reverse-proxy attacks by validating that server certificates match expected values. According to security analysis, certificate pinning cryptographically binds applications to specific certificate authorities or server certificates, preventing man-in-the-middle proxies from intercepting traffic even with valid SSL certificates. While browser-based authentication typically does not implement certificate pinning, mobile applications and some desktop clients do, limiting Saiga 2FA's effectiveness against these platforms.
Modern Browser Security Protections
Contemporary browsers include protections against cookie theft and AiTM attacks that complicate session hijacking. According to Barracuda Networks and browser security analysis, features including SameSite cookie attributes, secure cookie flags, and HTTP Strict Transport Security (HSTS) reduce cookie theft effectiveness. Organizations leveraging these browser security features through proper cookie configuration and security header deployment create additional obstacles for session hijacking platforms.
Device Fingerprinting Survives Cookie Theft
Modern authentication platforms increasingly use device fingerprinting as additional authentication factors independent of session cookies. According to Microsoft and Azure AD analysis, device trust signals including hardware identifiers, browser characteristics, and installed certificates enable detection when stolen cookies are used from different devices. Conditional Access policies requiring device compliance or trusted device status can block cookie replay attempts even when cookies themselves remain valid.
Behavioral Analysis Detects Unusual Login Patterns
Advanced security platforms employ behavioral analytics detecting unusual patterns characteristic of session cookie replay. According to Sekoia.io and security vendor analysis, patterns including authentication from unexpected geographic locations, rapid sequential access from multiple IP addresses, and authentication during unusual hours trigger risk scores elevating security requirements. Even with valid session cookies, behavioral anomalies can trigger additional authentication challenges or access blocking.
How Can Organizations Defend Against Saiga 2FA?
Hardware Security Key Deployment
The most effective defense against Saiga 2FA and similar session hijacking platforms is deploying FIDO2 security keys for passwordless authentication. According to Sekoia.io and Microsoft security guidance, FIDO2 keys use the WebAuthn protocol, which provides cryptographic authentication bound to the legitimate domain: the browser records the origin the user is actually on, and the authenticator signs over the relying party identifier, so neither can be substituted by an intermediary. When Saiga 2FA presents phishing pages from fraudulent domains, the domain mismatch is detected through this cryptographic validation and authentication is refused. This protection holds regardless of reverse-proxy sophistication, eliminating the credential and session token theft that Saiga 2FA exploits.
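The origin and relying-party binding described above, shown as an added relying-party-side check (example code, not from the original page or any real product). The relying-party identifier, origin, challenge, and the assertion bytes are all constructed here; a real verifier would additionally check the authenticator's signature over `authenticatorData || SHA-256(clientDataJSON)`, which is omitted to keep the example to the standard library.

```python
import base64
import hashlib
import json
from typing import Tuple

# Assumed relying party: the organisation's real sign-in host.
RP_ID = "login.example-corp.com"
EXPECTED_ORIGIN = "https://login.example-corp.com"
# Constructed challenge the relying party issued for this login attempt.
SAMPLE_CHALLENGE = hashlib.sha256(b"constructed-challenge").digest()


def b64url_decode(data: str) -> bytes:
    """Decode base64url as used by WebAuthn, restoring stripped padding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_binding(client_data_json: bytes, authenticator_data: bytes,
                   challenge: bytes) -> Tuple[bool, str]:
    """Check the two domain bindings a WebAuthn relying party enforces.

    1. clientDataJSON.origin is filled in by the browser from the page the
       user is really on; it must equal the relying party's origin.
    2. The first 32 bytes of authenticatorData are SHA-256(rpId), computed
       by the authenticator from the rpId the browser supplied; the browser
       will not supply an rpId the current page is not allowed to use.
    A proxy on a look-alike domain cannot satisfy either check.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %s" % client_data.get("origin")
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match relying party"
    # Byte 32 carries flags; bit 0 (UP) must be set for an interactive login.
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "assertion bound to legitimate origin"


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> Tuple[bytes, bytes]:
    """Construct what a browser and authenticator produce for a page at `origin`."""
    challenge_b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge_b64,
                              "origin": origin, "crossOrigin": False}).encode()
    # rpIdHash (32) || flags (1: UP|UV = 0x05) || signCount (4, big-endian)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")
    return client_data, auth_data


if __name__ == "__main__":
    for origin in ("https://login.example-corp.com",
                   "https://login.example-corp.com.phish-proxy.example"):
        cd, ad = make_assertion(origin, origin.split("//", 1)[1], SAMPLE_CHALLENGE)
        print(origin, "->", verify_binding(cd, ad, SAMPLE_CHALLENGE))
```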
Session Token Binding and Device Compliance
Microsoft 365 administrators should implement session token binding tying authenticated sessions to specific device characteristics. According to Microsoft security guidance, organizations should require device compliance status before granting access, validate that session tokens include device fingerprints matching original authentication devices, and implement device-based risk assessment elevating risk scores for authentication from unmanaged devices. Azure AD Conditional Access and Microsoft Intune provide policy frameworks enforcing device binding and compliance requirements.
Aggressive Session Timeout Policies
Organizations should implement aggressive session expiration policies limiting exploitation windows for stolen tokens. According to Sekoia.io and Microsoft guidance, session timeouts should be configured at 5-10 minutes for sensitive operations including administrative actions and financial transactions, with general access limited to 1-hour maximum. While this creates user friction through frequent re-authentication, it substantially reduces stolen token value by minimizing exploitation windows to minutes rather than hours or days.
Impossible Travel and Geographic Anomaly Detection
Security operations centers should implement real-time monitoring for impossible travel scenarios and geographic anomalies indicative of session cookie replay. According to Sekoia.io analysis, impossible travel detection identifies authentication from geographically distant locations within short timeframes physically impossible without aircraft travel. Conditional Access policies should block authentication displaying impossible travel patterns, forcing re-authentication even when technically valid session cookies are presented.
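The impossible-travel check described here, and the behavioural analysis discussed under limitations, as an added detection example (not code from the original page or any vendor). The sign-in events are constructed in a simplified Entra ID sign-in-log shape with geo-IP coordinates already resolved; the 900 km/h threshold is an assumed airliner-speed ceiling.

```python
import math
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed events: (user, UTC timestamp, source IP, latitude, longitude).
# Alice's second event reuses an already-authenticated session from a city
# she could not have reached in 25 minutes; Bob's day is ordinary travel.
SAMPLE_EVENTS: List[Tuple[str, str, str, float, float]] = [
    ("alice@example-corp.com", "2025-03-04T09:00:00Z", "198.51.100.10", 48.8566, 2.3522),   # Paris
    ("alice@example-corp.com", "2025-03-04T09:25:00Z", "203.0.113.77", 40.7128, -74.0060),  # New York
    ("bob@example-corp.com",   "2025-03-04T08:00:00Z", "198.51.100.20", 51.5074, -0.1278),  # London
    ("bob@example-corp.com",   "2025-03-04T16:00:00Z", "192.0.2.5",     52.5200, 13.4050),  # Berlin
]

MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling: faster than this is "impossible"
MIN_DISTANCE_KM = 50.0      # ignore geo-IP jitter inside one metro area


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[dict]:
    """Flag consecutive sign-ins per user that would require implausible speed.

    Such pairs are the signature of a stolen session cookie being replayed
    from the attacker's infrastructure while the victim is still active.
    """
    by_user: Dict[str, list] = {}
    for ev in events:
        by_user.setdefault(ev[0], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[1])          # ISO-8601 strings sort chronologically
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev[3], prev[4], cur[3], cur[4])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (parse_ts(cur[1]) - parse_ts(prev[1])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"user": user, "from_ip": prev[2], "to_ip": cur[2],
                               "distance_km": round(km), "minutes": round(hours * 60),
                               "required_kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", alert)
```

A production rule would key on the session or refresh-token identifier as well as the user, so that a replayed cookie is distinguished from a genuine re-authentication.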
Passwordless Authentication Migration
Organizations should prioritize migration to passwordless authentication eliminating reliance on credentials and session tokens susceptible to phishing. According to Microsoft and industry guidance, Windows Hello for Business, FIDO2 security keys, and certificate-based authentication provide cryptographic proof of identity that cannot be intercepted by reverse-proxy attacks. While migration requires infrastructure investment and user training, passwordless authentication provides comprehensive protection against credential phishing, session hijacking, and password-related vulnerabilities.
FAQs
When did Saiga 2FA emerge?
Saiga 2FA emerged at the end of 2024 and became widely adopted throughout 2025 according to Sekoia.io analysis published in Q1 2025. The platform represents one of several new generation AiTM phishing-as-a-service platforms that entered the market in late 2024, joining Sneaky 2FA, CEPHAS, Gabagool, and Legions 2FA in expanding PhaaS ecosystem capacity. The end-of-2024 emergence provided approximately three to four months of operational history before Sekoia documented widespread adoption in Q1 2025 analysis.
How does Saiga 2FA compare to established kits like Tycoon 2FA?
While Tycoon 2FA remains the market leader commanding 95.59% share by August 2025 according to Centripetal.ai, Saiga 2FA represents an emerging competitor with similar session cookie-focused capabilities. Both platforms employ AiTM reverse-proxy techniques intercepting complete authentication flows, but Tycoon has substantially higher adoption rates reflecting established reputation, extensive operational history, and proven reliability. Saiga's emergence as a widely adopted platform despite Tycoon's dominance indicates either growing market demand exceeding incumbent capacity or customer preference for alternatives based on pricing, features, or operational security considerations.
What makes Saiga 2FA part of an "emerging" category?
Saiga 2FA is classified as emerging because it entered the market in late 2024, remains in growth and adoption phase, and has not reached the volume or brand recognition of established platforms like Tycoon 2FA or EvilProxy according to Sekoia.io analysis from Q1 2025. Emerging platforms demonstrate increasing customer adoption and operational presence but lack the multi-year track records and dominant market positions of established incumbents. This categorization reflects market lifecycle positioning rather than technical capability, as emerging platforms may offer comparable or superior features while lacking reputation and customer base depth.
How many AiTM phishing kits does Sekoia identify as "widespread"?
According to Sekoia.io analysis published in Q1 2025, approximately eleven AiTM phishing kits qualify as "widespread" including Tycoon 2FA, EvilProxy, Whisper 2FA, Saiga 2FA, Sneaky 2FA, CEPHAS, Gabagool, Legions 2FA, NakedPages, Storm-1167, and Evilginx. This widespread designation indicates platforms achieving sufficient operational scale, customer adoption, and campaign frequency to warrant tracking as significant threats. The eleven-platform count demonstrates substantial PhaaS ecosystem diversification beyond one or two dominant offerings.
What is the primary defense against session cookie theft attacks like those from Saiga 2FA?
The most effective defense is hardware security keys using FIDO2/WebAuthn protocol according to Sekoia.io and Microsoft guidance. FIDO2 keys provide cryptographic authentication bound to legitimate domains, automatically detecting and refusing authentication to phishing pages regardless of visual authenticity or SSL certificate validity. The cryptographic domain binding cannot be defeated by reverse-proxy attacks, making hardware keys immune to credential phishing and session token theft. Organizations unable to immediately deploy hardware keys should implement session token binding, aggressive timeout policies, impossible travel detection, and device compliance requirements as layered defensive controls.