PoisonSeed Targets Enterprises with Phishing Scam

DomainTools found 21 domains registered since 01 June 2025 likely linked to the e-crime actor PoisonSeed that spoof SendGrid and use fake Cloudflare CAPTCHA interstitials to harvest enterprise credentials. Evidence suggests PoisonSeed’s TTPs resemble those of SCATTERED SPIDER, though a definitive operational link is unproven.

Key points

  • DomainTools identified 21 domains registered since 01 June 2025 that mimic SendGrid and display fake Cloudflare CAPTCHA interstitials to add legitimacy before redirecting to phishing pages.
  • The malicious domains primarily spoof SendGrid and some reference generic SSO/login services; many are hosted on IP space assigned to Global-Data System IT Corporation (AS42624).
  • Observed interstitials include fake Cloudflare Ray ID data consistent with earlier Mimecast reporting describing PoisonSeed/SCATTERED SPIDER techniques.
  • Historically, PoisonSeed has been linked to SendGrid-themed phishing for cryptocurrency theft; Mimecast documented similar campaigns aimed at harvesting enterprise credentials for lateral movement.
  • PoisonSeed TTPs share notable similarities with SCATTERED SPIDER and “The Com” collective, including advanced social engineering and credential abuse, though direct attribution is not confirmed.
  • Domain registrations showed use of the NiceNIC International Group Co. registrar and naming patterns referencing SendGrid and login portals.
  • DomainTools published a larger list of several hundred domains with the same fingerprint to GitHub for further research and hunting.

MITRE Techniques

  • [T1566] Phishing – Use of spoofed SendGrid domains and phishing pages to harvest enterprise credentials. Quote: ‘…displaying fake Cloudflare CAPTCHA interstitials … redirecting targeted users to phishing pages.’
  • [T1588] Obtain Infrastructure – Registration of malicious domains via NiceNIC International Group Co. and hosting on IP addresses assigned to Global-Data System IT Corporation (AS42624). Quote: ‘…Domains registered via the NiceNIC International Group Co. registrar … Hosting on IP addresses assigned to the provider Global-Data System IT Corporation (AS42624).’
  • [T1204] User Execution (Malicious Web Content) – Presentation of fake Cloudflare CAPTCHA interstitials (social-engineered web content) to convince users to interact and proceed to credential-harvesting pages. Quote: ‘…fake Cloudflare CAPTCHA interstitials to add legitimacy to malicious domains before redirecting targeted users to phishing pages.’
  • [T1078] Valid Accounts – Harvesting enterprise credentials to facilitate further phishing campaigns and lateral movement within targeted enterprise environments. Quote: ‘…objective of these campaigns was to harvest enterprise credentials and use them to facilitate further phishing campaigns and lateral movement within targeted enterprise environments.’

Indicators of Compromise

  • [Domain] SendGrid-spoofing and login-themed domains identified since 01 June 2025 – examples: mysandgrid[.]com, https-loginsg[.]com, and several hundred more domains listed on the researcher’s GitHub.
  • [IP / ASN] Hosting context – IP space assigned to Global-Data System IT Corporation (AS42624); the article references hosting on AS42624 addresses.
  • [Registrar] Domain registration pattern – multiple malicious domains registered via NiceNIC International Group Co.
  • [Artifact] Fake Cloudflare Ray ID data – observed in interstitials on newly registered domains and shown in Mimecast reporting (fake Ray ID strings embedded in CAPTCHA pages).
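As an added hunting example (not part of the DomainTools report or its GitHub list), the following Python scores domain registration records for the naming and infrastructure patterns described above: SendGrid-lookalike labels, login-themed words, a scheme or "sg" token in the name, and the reported registrar and ASN. The allowlist, weights, threshold and all sample records apart from the two domain names quoted above are assumptions.

```python
import re
BRAND, ALLOWLIST = "sendgrid", {"sendgrid.com"}    # allowlist is an assumption
SUSPECT_REGISTRAR, SUSPECT_ASN = "nicenic", 42624  # registrar and ASN named in the report

def refang(indicator):
    """Turn a defanged indicator such as mysandgrid[.]com into a plain lowercase name."""
    return indicator.replace("[.]", ".").strip().lower()

def edit_distance(a, b):  # Levenshtein distance, catches one- or two-character brand typos
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_like(label):  # any 7-9 char window within two edits of the brand name
    return any(edit_distance(label[i:i + n], BRAND) <= 2
               for n in range(len(BRAND) - 1, len(BRAND) + 2)
               for i in range(len(label) - n + 1))

def score_record(record):
    """Score one registration/hosting record; higher means more SendGrid-lookalike."""
    domain = refang(record["domain"])
    if domain in ALLOWLIST:
        return 0, ["allowlisted"]
    label = domain.split(".")[0]
    checks = [  # (points, reason, condition); weights are assumptions
        (3, "brand lookalike", brand_like(label)),
        (2, "login theme", any(w in label for w in ("login", "signin", "sso", "auth"))),
        (1, "scheme/www in name", re.search(r"(?:^|[-_])(?:https?|www)(?:$|[-_])", label)),
        (1, "sg abbreviation", re.search(r"(?:^|[-_])sg|sg(?:$|[-_])", label)),
        (1, "registrar match", SUSPECT_REGISTRAR in record.get("registrar", "").lower()),
        (1, "ASN match", record.get("asn") == SUSPECT_ASN),
    ]
    hits = [(p, r) for p, r, cond in checks if cond]
    return sum(p for p, _ in hits), [r for _, r in hits]

def hunt(records, threshold=3):
    """Return {domain: reasons} for every record scoring at or above the threshold."""
    scored = ((refang(r["domain"]), score_record(r)) for r in records)
    return {d: reasons for d, (score, reasons) in scored if score >= threshold}

SAMPLE_RECORDS = [  # constructed sample records; only the two lookalike names come from the report
    {"domain": "mysandgrid[.]com", "registrar": "NiceNIC International Group Co.", "asn": 42624},
    {"domain": "https-loginsg[.]com", "registrar": "NiceNIC International Group Co.", "asn": 42624},
    {"domain": "sendgrid.com", "registrar": "Example Registrar", "asn": 64512},
    {"domain": "portal-login.net", "registrar": "Example Registrar", "asn": 64512},
]
```

Running `hunt(SAMPLE_RECORDS)` flags only the two lookalike domains; the real brand domain is allowlisted and a plain login-themed name on unrelated infrastructure stays below the threshold.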


Read more: https://dti.domaintools.com/newly-identified-domains-likely-linked-to-continued-activity-from-poisonseed-e-crime-actor/