Spoof the email delivery platform SendGrid and employ fake Cloudflare CAPTCHA interstitials to lend legitimacy before redirecting unsuspecting users to credential harvesting pages.
Since June 1, 2025, DomainTools Investigations has identified 21 newly registered domains exhibiting hallmarks of the eCrime actor known as PoisonSeed.
Although specific victims have not been confirmed, PoisonSeed’s historical focus on cryptocurrency platforms and enterprise environments underscores the urgency of monitoring this emerging infrastructure.
The domains in question were registered via the NiceNIC International Group Co. registrar and hosted on IP addresses assigned to Global-Data System IT Corporation (AS42624).
Most names include direct references to SendGrid, while a handful invoke more generic digital services such as single sign-on portals and login pages.
Examples include https-loginsg[.]com, sgaccountsettings[.]com, and my-sandgrid[.]com. A partial list of these domains appears below:
| Domain Name | Hosting IP |
|---|---|
| aws-us3[.]com | 185.208.156.46 |
| loginportalsg[.]com | 86.54.42.106 |
| execubranetteaminvite[.]com | 185.196.10.54 |
| https-sgpartners[.]info | 185.208.156.46 |
| my-sandgrid[.]com | 86.54.42.106 |
DomainTools investigators have uploaded a fuller list of several hundred domains sharing the same registration and hosting patterns to their GitHub repository for threat hunters and analysts to explore.
Fake CAPTCHA Interstitials
Key to PoisonSeed’s modus operandi is the presentation of fake Cloudflare CAPTCHA challenges.
Visitors to these malicious domains encounter interstitial pages that mimic legitimate Cloudflare Ray ID verification screens, complete with fabricated Ray ID strings.
This tactic aims to overcome user suspicion by simulating a common security measure before funneling targets into phishing sites that request enterprise credentials.
Analysis via URLScan.io confirmed that many of the newly discovered domains deliver identical interstitials to those documented in the Mimecast Threat Research blog from May 2025.
Once credentials are harvested, PoisonSeed operators are likely to utilize them for follow-on phishing campaigns, lateral movement within compromised enterprise environments, or unauthorized access to cryptocurrency accounts.
Past campaigns leveraged SendGrid-themed phishing to execute large-scale cryptocurrency extortion, demonstrating the actor’s proficiency in blending brand impersonation with social engineering.
PoisonSeed’s tactics, techniques, and procedures (TTPs) closely mirror those publicly attributed to the SCATTERED SPIDER adversary group.
Recent high-profile SCATTERED SPIDER incidents against retailers, grocery chains, insurance providers, and airlines across the U.S., U.K., and Canada have garnered significant media attention due to business disruption and data theft.
While DomainTools has found no direct evidence tying the new PoisonSeed domains to those sector breaches, the shared use of fake CAPTCHA interstitials, similar domain naming conventions, and registration patterns suggests at least an operational affiliation, if not shared personnel, between PoisonSeed and SCATTERED SPIDER.
SCATTERED SPIDER is known to be part of “The Com” collective, a fluid consortium of financially motivated cybercriminals specializing in smishing, SIM-swap fraud, and MFA-fatigue attacks.
Membership turnover and collaboration among “The Com” could explain PoisonSeed’s adoption of SCATTERED SPIDER-like techniques.
Alternately, former SCATTERED SPIDER operators may have splintered to form PoisonSeed, carrying over core TTPs into new campaigns.
Assessment and Recommendations
The discovery of this PoisonSeed infrastructure highlights the evolving sophistication of eCrime actors in credential harvesting. Security teams should:
- Monitor NiceNIC-registered domains containing SendGrid or SSO references.
- Analyze inbound traffic for Cloudflare CAPTCHA interstitials originating from unrecognized domains.
- Block or sinkhole known PoisonSeed domains and associated IP addresses.
- Enforce multi-factor authentication policies and user-awareness training focusing on CAPTCHA impersonation.
Ongoing threat intelligence sharing and collaborative hunting will be critical to mitigating PoisonSeed’s attempts to compromise enterprise credentials and limit downstream impact.
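The following Python triage heuristic is an added example, not code from the DomainTools report: it scores newly registered domains for the SendGrid-lookalike, "sg" abbreviation, SSO/login keyword and scheme-like prefix patterns described above, and raises the score when the hosting IP is one listed in the table. The hosting IPs come from the table; the keyword lists, weights, allowlist and flag threshold are assumptions for this example.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Hosting IPs come from the DomainTools table above; the keyword lists,
# weights, allowlist and the flag threshold are assumptions for this example.
KNOWN_HOSTING_IPS = {"185.208.156.46", "86.54.42.106", "185.196.10.54"}
BRAND = "sendgrid"
ALLOWLIST = {"sendgrid.com", "sendgrid.net"}   # the real brand domains, never flagged
GENERIC_TERMS = ("login", "sso", "account", "portal", "partner", "invite")
SG_ABBREV = re.compile(r"sg(login|account|partner)|(login|portal)sg")

def refang(value: str) -> str:
    """Turn a defanged indicator such as my-sandgrid[.]com into a bare hostname."""
    return value.replace("[.]", ".").lower().strip()

def brand_similarity(text: str) -> float:
    """Best fuzzy match of the brand name against any brand-length window of the label."""
    width = len(BRAND)
    best = 0.0
    for start in range(max(1, len(text) - width + 1)):
        best = max(best, SequenceMatcher(None, text[start:start + width], BRAND).ratio())
    return best

def score_domain(domain: str, hosting_ip: Optional[str] = None) -> dict:
    """Heuristic triage of one newly registered domain; returns score, reasons and a flag."""
    host = refang(domain)
    label = host.split(".")[0]                  # the first label is where the lure lives
    result = {"domain": host, "score": 0, "reasons": [], "flag": False}
    if host in ALLOWLIST:
        return result
    if host.startswith(("http-", "https-")):   # "https-" prefix mimics a URL scheme
        result["score"] += 2
        result["reasons"].append("scheme-like prefix")
    sim = brand_similarity(label.replace("-", ""))
    if sim >= 0.8:                              # typo-style lookalike, e.g. sandgrid
        result["score"] += 3
        result["reasons"].append(f"sendgrid lookalike ({sim:.2f})")
    elif SG_ABBREV.search(label):               # "sg" abbreviation next to a login term
        result["score"] += 2
        result["reasons"].append("sg abbreviation")
    if any(term in label for term in GENERIC_TERMS):
        result["score"] += 1
        result["reasons"].append("sso/login keyword")
    if hosting_ip in KNOWN_HOSTING_IPS:         # infrastructure overlap with the table
        result["score"] += 3
        result["reasons"].append("known PoisonSeed hosting IP")
    result["flag"] = result["score"] >= 3
    return result
```

Feed it a daily newly-registered-domain list joined with passive DNS or WHOIS data; a name that scores on naming alone is worth a look, and a hosting-IP match alone is enough to flag.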