This article covers a newly identified phishing campaign, “PoisonSeed,” that targets enterprise organizations and VIP individuals beyond the cryptocurrency sector. The campaign compromises accounts at CRM and bulk email providers, using phishing to harvest credentials and then sending spam from the hijacked accounts, with a particular focus on cryptocurrency seed phrase lures aimed at individual crypto holders.
Affected: Coinbase, Ledger, Mailchimp, SendGrid, Hubspot, Mailgun, Zoho
Key points:
- The PoisonSeed campaign targets enterprise organizations and VIP individuals outside the crypto industry.
- The phishing involves compromising bulk email provider accounts, then using them to send credential-stealing emails and attacker-supplied cryptocurrency seed phrases.
- A compromised Akamai SendGrid account was confirmed to have disseminated spam phishing messages.
- The campaign is classified separately from other threat actors like Scattered Spider and CryptoChameleon.
- The phishing pages mimic legitimate CRM and bulk email services, like Mailchimp and SendGrid.
- The campaign utilizes complex phishing strategies, such as crypto seed phrase poisoning.
- Silent Push analysts link PoisonSeed to a series of coordinated phishing attacks targeting well-known email platforms and cryptocurrency companies.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: Phishing emails were used to lure targets to fake login portals.
- T1070.004 – Indicator Removal on Host: The threat actors likely cleaned up compromised email accounts after gaining access.
- T1589.001 – Gather Victim Information: Use of targeted email addresses to launch personalized phishing attacks.
- T1566.001 – Spear Phishing Link: Phishing emails containing links to fake login pages designed to harvest credentials.
- T1221 – Compromise Accounts: Use of compromised accounts for sending phishing emails and spam to further the campaign.
Indicators of Compromise:
- [Domain] sso-account[.]com
- [Domain] mailchimp-sso[.]com
- [Domain] firmware-server12[.]com
- [IP Address] 212.224.88[.]188
- [IP Address] 86.54.42[.]92
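The indicators above are published defanged (`[.]` in place of `.`), so they cannot be dropped straight into a log search. The following added example, which is not part of the original summary or of Silent Push's tooling, refangs the list exactly as printed and then scans log lines for the domains (including their subdomains) and IP addresses. The sample DNS and proxy log lines are constructed for the demonstration and are not real telemetry; their field layout is an assumption.

```python
import re

# IoCs copied verbatim from the summary above, still defanged.
POISONSEED_IOCS = [
    "[Domain] sso-account[.]com",
    "[Domain] mailchimp-sso[.]com",
    "[Domain] firmware-server12[.]com",
    "[IP Address] 212.224.88[.]188",
    "[IP Address] 86.54.42[.]92",
]

# One published indicator line: "[Kind] value"
IOC_LINE = re.compile(r"^\[(?P<kind>[^\]]+)\]\s+(?P<value>\S+)$")

# Candidate host/IP tokens inside an arbitrary log line.
TOKEN = re.compile(r"[A-Za-z0-9.-]+")


def refang(value: str) -> str:
    """Undo the common defanging conventions so the value can be matched."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(lines):
    """Split a defanged indicator list into (domains, ips) sets, lowercase."""
    domains, ips = set(), set()
    for line in lines:
        m = IOC_LINE.match(line.strip())
        if not m:
            continue
        kind = m.group("kind").lower()
        value = refang(m.group("value")).lower()
        if kind == "domain":
            domains.add(value)
        elif kind == "ip address":
            ips.add(value)
    return domains, ips


def match_line(line, domains, ips):
    """Return the sorted list of IoCs that appear in one log line.

    Domains match on the exact host or any subdomain, but not on names
    that merely start with the indicator (e.g. sso-account.com.internal).
    A trailing dot (FQDN form in DNS logs) is tolerated.
    """
    hits = set()
    for tok in TOKEN.findall(line):
        tok = tok.lower().rstrip(".")
        if tok in ips:
            hits.add(tok)
            continue
        for d in domains:
            if tok == d or tok.endswith("." + d):
                hits.add(d)
    return sorted(hits)


def scan_logs(lines, domains, ips):
    """Return [(line_index, [iocs...]), ...] for every line with a hit."""
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line, domains, ips)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample log lines (not real telemetry); layout is an assumption.
CONSTRUCTED_LOGS = [
    "2025-04-07T10:12:03Z dns host=wks-17 qname=mailchimp-sso.com. qtype=A",
    "2025-04-07T10:12:04Z proxy user=jdoe dst=212.224.88.188:443 url=https://mailchimp-sso.com/login",
    "2025-04-07T10:15:22Z dns host=wks-02 qname=login.sso-account.com qtype=A",
    "2025-04-07T10:16:00Z proxy user=asmith dst=104.18.0.5:443 url=https://mailchimp.com/",
    "2025-04-07T10:17:45Z dns host=wks-09 qname=sso-account.com.internal.example qtype=A",
    "2025-04-07T10:18:10Z proxy user=bkim dst=86.54.42.92:80 url=http://86.54.42.92/update",
]

if __name__ == "__main__":
    domains, ips = parse_iocs(POISONSEED_IOCS)
    for idx, hits in scan_logs(CONSTRUCTED_LOGS, domains, ips):
        print(f"line {idx}: {', '.join(hits)}")
```

The fifth sample line is the edge case worth noting: `sso-account.com.internal.example` contains the indicator as a prefix but is a different name, so suffix matching on `.` + domain correctly leaves it unflagged, while `login.sso-account.com` is caught as a subdomain.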
Full Story: https://www.silentpush.com/blog/poisonseed/