The threat actor known as PoisonSeed, loosely affiliated with groups like Scattered Spider and CryptoChameleon, has deployed an active phishing kit designed to circumvent multi-factor authentication (MFA) and harvest credentials from individuals and organizations.
This kit, operational since April 2025, targets login services of major CRM and bulk email providers such as Google, SendGrid, and Mailchimp, enabling attackers to seize email infrastructure for spam dissemination and cryptocurrency scams.
PoisonSeed’s tactics involve spear-phishing emails with embedded malicious links that redirect victims to impersonated domains, where an encrypted victim email is appended to the URL and stored as a cookie for server-side validation, a method dubbed “Precision-Validated Phishing.”
Emerging Threat from PoisonSeed Actor
The kit mimics legitimate interfaces, including a fake Cloudflare Turnstile challenge, to verify the encrypted email and ensure it is not banned by the target service.
Once validated, victims encounter login forms that capture and relay credentials to the authentic service, acting as an Adversary-in-the-Middle (AitM) to intercept authentication details, including various 2FA methods like authenticator codes, SMS, email codes, and API keys.
According to the NVISO report, this allows PoisonSeed to bypass MFA protections, gain unauthorized access, and automate the extraction of email lists for further malicious activities, such as seed phrase manipulation attacks against cryptocurrency wallets.
Developed using React, the phishing kit features a structured architecture with components like App.jsx for route protection, TurnstileChallenge.jsx for initial bot verification with anti-automation delays, and specialized forms for login and 2FA handling.

Technical Breakdown
For instance, the kit employs Axios for API calls to endpoints like /check-email and /login, relaying data to legitimate services while capturing session cookies.
It supports dynamic redirection based on HTTP statuses (e.g., 200 for success, 202 for processing), ensuring seamless AitM operations.
Infrastructure analysis reveals consistent patterns: all domains are registered via NICENIC, a registrar notorious for malicious activities, and hosted primarily on Cloudflare, with additional providers like DE-Firstcolo and SWISSNETWORK02.
Name servers leverage Cloudflare and Bunny.net, facilitating obfuscation. Hunting opportunities include URLScan queries targeting API filenames, URL parameters, and cookie names, alongside SilentPush WHOIS scans for domains lacking certain fields and registered post-March 2025.
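A defender-side hunting helper in the spirit of the URLScan queries above, as an added example that is not from the article or the NVISO report: it flags brand-themed hostnames outside the brands' own registrable domains, and long opaque query values of the kind the kit uses to carry the encrypted victim email. The allowlist, thresholds, log format and the parameter name `e` are assumptions; the lure hostnames are taken from the article's IoC table.

```python
import math
from urllib.parse import urlsplit, parse_qsl

# Registrable domains the impersonated brands really use (assumption: seed from your own allowlist).
LEGIT = {"sendgrid.com", "sendgrid.net", "mailchimp.com", "google.com"}
BRANDS = ("sendgrid", "mailchimp", "google")

def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels); sufficient for the .com hosts used here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def suspicious(url: str) -> list:
    """Reasons a URL matches the PoisonSeed lure pattern; empty list if none."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    brand = next((b for b in BRANDS if b in host), None)
    if brand and registrable(host) not in LEGIT:
        reasons.append(f"brand '{brand}' in non-official domain {registrable(host)}")
    # The kit appends the encrypted victim e-mail to the URL, so a long, opaque
    # query value deserves a look. Length and entropy thresholds are assumptions.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) >= 32 and entropy(value) >= 3.5:
            reasons.append("long high-entropy query value")
            break
    return reasons

# Constructed proxy log ("<time> <client> <url>"). Lure hosts come from the
# article's IoC table; the parameter name 'e' and its hex value are made up.
SAMPLE_LOG = """\
2025-05-02T10:14:03Z 10.0.0.12 https://app.sendgrid.com/login
2025-05-02T10:15:41Z 10.0.0.12 https://sso-sendgridnetwork.com/?e=7c2e9f01b3d5a864d41f8a6e0c3b7592a95b3c0f7d1e82646e7d0a2f9b4c1835
2025-05-02T10:16:09Z 10.0.0.31 https://device-sendgrid.com/check-email
2025-05-02T10:17:22Z 10.0.0.31 https://mail.google.com/mail/u/0/
"""

def hunt(log: str) -> list:
    """Return [(url, reasons)] for every log line that trips a heuristic."""
    hits = [(u, suspicious(u)) for u in (line.split()[-1] for line in log.splitlines())]
    return [h for h in hits if h[1]]

if __name__ == "__main__":
    for url, why in hunt(SAMPLE_LOG):
        print(url, "->", "; ".join(why))
```

Hosts that legitimately carry a brand string but sit outside the allowlist will be flagged, so the allowlist is where tuning belongs.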
Prevention strategies emphasize adopting phishing-resistant MFA like FIDO2 keys, eliminating vulnerable methods such as SMS, and enhancing anomaly detection for suspicious logins and bulk exports.
As PoisonSeed continues to evolve, aligning with “The Com” community’s TTPs, organizations must prioritize user awareness and robust monitoring to mitigate these MFA-bypassing threats.
Indicators of Compromise
| Domain Example |
|---|
| device-sendgrid[.]com |
| navigate-sendgrid[.]com |
| https-sendgrid[.]com |
| network-sendgrid[.]com |
| sso-sendgridnetwork[.]com |