PoisonSeed Threat Actor Registering New Domains in Attempt to Compromise Enterprise Credentials

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

In recent months, cybersecurity researchers have observed a surge in malicious domain registrations linked to an emerging e-crime group known as PoisonSeed.

First identified in April 2025, this actor has focused its efforts on impersonating legitimate cloud-based email platforms, most notably SendGrid, to harvest enterprise credentials.

By embedding fake Cloudflare CAPTCHA interstitials and Ray ID data into their phishing infrastructure, PoisonSeed has managed to evade cursory detections and lure unsuspecting targets into surrendering login information.

DomainTools analysts noted that between June and September 2025, PoisonSeed registered over twenty domains that closely mimic SendGrid’s login portals.

These domains were often hosted on IP ranges assigned to the Global-Data System IT Corporation (AS42624) and registered through NiceNIC International Group Co., a registrar that has attracted scrutiny for its lax verification processes.

Researchers identified subtle misspellings and additional path structures—such as “sgportalexecutive[.]com” and “internal-sendgrid[.]com”—designed to exploit both user trust and automated screening tools.

The impact of PoisonSeed’s campaign extends beyond simple credential theft. Once enterprise credentials are compromised, the actor deploys lateral movement techniques within corporate environments to expand access.

This progression can lead to data exfiltration, fraudulent fund transfers, and even ransomware deployment.

In one unreported incident, PoisonSeed leveraged harvested credentials to send internal phishing invitations to high-value targets, ultimately siphoning sensitive financial data.

Alongside the sophistication of these campaigns, detection evasion remains a core focus for PoisonSeed.

By integrating fake JavaScript-based CAPTCHA logic and dynamically generated Ray IDs, the group ensures that each interstitial appears unique.

Moreover, their use of co-hosting on legitimate-looking domains adds a further layer of stealth, delaying incident response teams' efforts to isolate the malicious infrastructure.

Infection Mechanism and Detection Evasion

A closer examination of PoisonSeed’s infection mechanism reveals a multi-stage process that capitalizes on human trust and automated filtering weaknesses.

In the initial phase, victims receive an email purporting to originate from SendGrid, complete with legitimate-looking headers and tracking links.

When the target clicks the link, they are redirected to a CAPTCHA challenge page that appears authentic.

PoisonSeed embeds counterfeit session tokens to maintain the illusion of authenticity. Following validation, users are presented with a second form requesting their SendGrid credentials.

At this juncture, the actor captures the submitted data before forwarding the victim to the legitimate SendGrid login page, minimizing suspicion.

The use of chained redirects and script obfuscation ensures that traditional URL blocklists and signature-based defenses struggle to keep pace with the rapidly changing domain infrastructure.

By continuously rotating domain names and leveraging compromised hosting environments, PoisonSeed maintains a resilient phishing operation that demands advanced threat intelligence and proactive monitoring to counter effectively.
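As an added example (not code from the article or from DomainTools' research), the heuristics below turn the two tells described above into a check a phishing-triage script could run over a fetched page: a SendGrid brand token on a host that is not SendGrid's, and a page that displays a Cloudflare Ray ID although the response was never proxied by Cloudflare (a genuine Cloudflare response carries a `cf-ray` header). The allow-listed SendGrid hosts, brand tokens and both sample pages are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Hosts that legitimately serve SendGrid logins (assumption for this example).
LEGIT_SENDGRID_HOSTS = {"sendgrid.com", "app.sendgrid.com", "login.sendgrid.com"}
BRAND_TOKENS = ("sendgrid", "send-grid", "sgportal")

# A response proxied by Cloudflare carries a cf-ray header: 16 hex chars, dash, colo code.
CF_RAY_HEADER = re.compile(r"^[0-9a-f]{16}-[A-Z]{3}$")
# Counterfeit interstitials only imitate the "Ray ID: <hex>" footer text in the HTML body.
RAY_ID_IN_BODY = re.compile(r"Ray ID:?\s*(?:<[^>]*>\s*)?([0-9a-f]{16})", re.I)
PASSWORD_FIELD = re.compile(r"<input[^>]+type=[\"']?password", re.I)

def is_lookalike_domain(url):
    """True when the host carries a SendGrid brand token but is not a SendGrid host."""
    host = (urlsplit(url).hostname or "").lower()
    if host in LEGIT_SENDGRID_HOSTS or host.endswith(".sendgrid.com"):
        return False
    return any(token in host for token in BRAND_TOKENS)

def counterfeit_interstitial(headers, body):
    """True when the body shows a Cloudflare Ray ID but no genuine cf-ray header came back."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    claims_cloudflare = RAY_ID_IN_BODY.search(body) is not None
    served_by_cloudflare = CF_RAY_HEADER.match(hdrs.get("cf-ray", "")) is not None
    return claims_cloudflare and not served_by_cloudflare

def score_page(url, headers, body):
    """Return (verdict, reasons) for one fetched page of a suspected login flow."""
    reasons = []
    if is_lookalike_domain(url):
        reasons.append("brand token in non-SendGrid host")
    if counterfeit_interstitial(headers, body):
        reasons.append("Ray ID in body without cf-ray header")
    # A credential form is only worth noting once the page already looks counterfeit.
    if reasons and PASSWORD_FIELD.search(body):
        reasons.append("credential form served with the interstitial")
    return ("suspect" if reasons else "clean"), reasons

# Constructed samples (not real captures): a lookalike host serving a fake interstitial
# plus credential form, and a genuine Cloudflare-fronted login page for comparison.
FAKE_URL = "https://internal-sendgrid.com/login"
FAKE_HEADERS = {"Server": "nginx/1.24.0", "Content-Type": "text/html"}
FAKE_BODY = ('<div id="cf-wrapper">Checking your browser before accessing...</div>'
             '<p>Ray ID: <code>7f3a9c1d2e4b5a60</code></p>'
             '<form action="/verify"><input type="password" name="pw"></form>')
REAL_URL = "https://app.sendgrid.com/login"
REAL_HEADERS = {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f6071-SJC"}
REAL_BODY = '<p>Ray ID: 8a1b2c3d4e5f6071</p><input type="password" name="pw">'
```

Running `score_page` over the two samples marks the lookalike page "suspect" with all three reasons and the genuine page "clean"; a chained-redirect flow would be scored one hop at a time with the same function.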
