Newly Identified Domains Likely Linked to Continued Activity from PoisonSeed E-Crime Actor.
Recent investigations have uncovered new malicious domains likely associated with the e-crime actor known as PoisonSeed. These domains, registered since June 1, 2025, predominantly imitate the legitimate email platform SendGrid. Their primary aim appears to be the compromise of enterprise credentials belonging to SendGrid's customers. To appear credible, the malicious sites present fake Cloudflare CAPTCHA interstitials before redirecting unsuspecting users to phishing pages. While no specific target has been identified, historical data suggests that PoisonSeed has focused on cryptocurrency platforms and enterprise environments.
| TYPE | INDICATOR | DESCRIPTION | CREATED | |
|---|---|---|---|---|
| domain | internal-sendgrid.com | — | 2025-09-11 | |
| domain | mysandgrid.com | — | 2025-09-11 | |
| hostname | aws-us3.comaws-us4.comaws-us5.comloginportalsg.comusportalhelp.comexecutiveteaminvite.comsgportalexecutive.orghttps-loginsg.comhttps-sgportal.comhttps-sendgrid.infosecurehttps-sgservices.comsgaccountsettings.comhttps-sglogin.comsgsettings.livehttps-sgpartners.infoserver-sendlogin.comgrid-sendlogin.commysandgrid.com | — | 2025-09-11 | |
| hostname | terminateloginsession.comsso-sendgridnetwork.com | — | 2025-09-11 | |