{
  "type": "Domain",
  "indicator": "mysandgrid.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/mysandgrid.com",
    "alexa": "http://www.alexa.com/siteinfo/mysandgrid.com",
    "indicator": "mysandgrid.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4086499994,
      "indicator": "mysandgrid.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "68c32a68ff7d03c531893e90",
          "name": "Newly Identified Domains Likely Linked to Continued Activity from PoisonSeed E-Crime Actor.",
          "description": "Recent investigations have unveiled new malicious domains likely associated with the e-crime actor known as PoisonSeed. These domains, registered since June 1, 2025, predominantly imitate the legitimate email platform SendGrid. Their primary aim appears to be the compromise of enterprise credentials from SendGrid's customer base. To enhance the credibility of these malicious websites, they present fake Cloudflare CAPTCHA interstitials before redirecting unsuspecting users to phishing pages. While no specific target has been identified, historical data suggests that PoisonSeed has focused on cryptocurrency platforms and enterprise environments.",
          "modified": "2025-10-11T19:13:22.436000",
          "created": "2025-09-11T20:00:40.130000",
          "tags": [
            "poisonseed",
            "sendgrid",
            "ttps",
            "june",
            "cloudflare ray",
            "mimecast",
            "mimecast blog",
            "canada",
            "new poisonseed",
            "april",
            "generative ai"
          ],
          "references": [
            "https://dti.domaintools.com/newly-identified-domains-likely-linked-to-continued-activity-from-poisonseed-e-crime-actor/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Generative AI",
              "display_name": "Generative AI",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [
            "Cryptocurrency"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2,
            "hostname": 2
          },
          "indicator_count": 4,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "233 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "689e401339aa3a7bded2bc47",
          "name": "aaaaaaaaaaa",
          "description": "",
          "modified": "2025-08-14T19:59:15.917000",
          "created": "2025-08-14T19:59:15.917000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ESFBSOCTCR",
            "id": "200541",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27,
            "hostname": 13
          },
          "indicator_count": 40,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 85,
          "modified_text": "291 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "689cedc5c02064a230762d66",
          "name": "Shedding Light on PoisonSeed's Phishing Kit.",
          "description": "PoisonSeed, an active phishing actor affiliated with the English-speaking \u201cThe Com\u201d community and loosely aligned with Scattered Spider and CryptoChameleon, operates an MFA-resistant phishing kit designed to harvest CRM and bulk-email provider credentials to export contact lists and scale cryptocurrency-related spam and seed-phrase manipulation attacks. Initial access is via targeted spear-phishing emails that impersonate providers (Google, SendGrid, Mailchimp, etc.) and deliver marketing-style links that redirect to phishing domains. Many redirecting domains are observed originating from sendgrid.net.",
          "modified": "2025-08-13T19:55:49.357000",
          "created": "2025-08-13T19:55:49.357000",
          "tags": [
            "poisonseed",
            "apiurl",
            "protectedroute",
            "api key",
            "route",
            "post request",
            "function",
            "await",
            "span",
            "verify",
            "error",
            "path",
            "april",
            "phishing",
            "prop"
          ],
          "references": [
            "https://blog.nviso.eu/2025/08/12/shedding-light-on-poisonseeds-phishing-kit/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1056.003",
              "name": "Web Portal Capture",
              "display_name": "T1056.003 - Web Portal Capture"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1111",
              "name": "Two-Factor Authentication Interception",
              "display_name": "T1111 - Two-Factor Authentication Interception"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1583.002",
              "name": "DNS Server",
              "display_name": "T1583.002 - DNS Server"
            },
            {
              "id": "T1584.004",
              "name": "Server",
              "display_name": "T1584.004 - Server"
            },
            {
              "id": "T1589.002",
              "name": "Email Addresses",
              "display_name": "T1589.002 - Email Addresses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 38,
            "hostname": 21
          },
          "indicator_count": 59,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "292 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "686e0dff4857788fa8407bab",
          "name": "Phishing domains",
          "description": "Set of related phishing domains, using the same kit. According to https://www.mimecast.com/threat-intelligence-hub/scattered-spider-attacks/, they are related to Scattered Spider",
          "modified": "2025-08-08T06:00:40.325000",
          "created": "2025-07-09T06:36:46.487000",
          "tags": [],
          "references": [
            "https://www.mimecast.com/threat-intelligence-hub/scattered-spider-attacks/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "enrique.delahoz",
            "id": "64909",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 18,
            "hostname": 5
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 23,
          "modified_text": "297 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.mimecast.com/threat-intelligence-hub/scattered-spider-attacks/",
        "https://blog.nviso.eu/2025/08/12/shedding-light-on-poisonseeds-phishing-kit/",
        "https://dti.domaintools.com/newly-identified-domains-likely-linked-to-continued-activity-from-poisonseed-e-crime-actor/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Generative ai"
          ],
          "industries": [
            "Cryptocurrency"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "68c32a68ff7d03c531893e90",
      "name": "Newly Identified Domains Likely Linked to Continued Activity from PoisonSeed E-Crime Actor.",
      "description": "Recent investigations have unveiled new malicious domains likely associated with the e-crime actor known as PoisonSeed. These domains, registered since June 1, 2025, predominantly imitate the legitimate email platform SendGrid. Their primary aim appears to be the compromise of enterprise credentials from SendGrid's customer base. To enhance the credibility of these malicious websites, they present fake Cloudflare CAPTCHA interstitials before redirecting unsuspecting users to phishing pages. While no specific target has been identified, historical data suggests that PoisonSeed has focused on cryptocurrency platforms and enterprise environments.",
      "modified": "2025-10-11T19:13:22.436000",
      "created": "2025-09-11T20:00:40.130000",
      "tags": [
        "poisonseed",
        "sendgrid",
        "ttps",
        "june",
        "cloudflare ray",
        "mimecast",
        "mimecast blog",
        "canada",
        "new poisonseed",
        "april",
        "generative ai"
      ],
      "references": [
        "https://dti.domaintools.com/newly-identified-domains-likely-linked-to-continued-activity-from-poisonseed-e-crime-actor/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Generative AI",
          "display_name": "Generative AI",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [
        "Cryptocurrency"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 2,
        "hostname": 2
      },
      "indicator_count": 4,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "233 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "689e401339aa3a7bded2bc47",
      "name": "aaaaaaaaaaa",
      "description": "",
      "modified": "2025-08-14T19:59:15.917000",
      "created": "2025-08-14T19:59:15.917000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ESFBSOCTCR",
        "id": "200541",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 27,
        "hostname": 13
      },
      "indicator_count": 40,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 85,
      "modified_text": "291 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "689cedc5c02064a230762d66",
      "name": "Shedding Light on PoisonSeed's Phishing Kit.",
      "description": "PoisonSeed, an active phishing actor affiliated with the English-speaking \u201cThe Com\u201d community and loosely aligned with Scattered Spider and CryptoChameleon, operates an MFA-resistant phishing kit designed to harvest CRM and bulk-email provider credentials to export contact lists and scale cryptocurrency-related spam and seed-phrase manipulation attacks. Initial access is via targeted spear-phishing emails that impersonate providers (Google, SendGrid, Mailchimp, etc.) and deliver marketing-style links that redirect to phishing domains. Many redirecting domains are observed originating from sendgrid.net.",
      "modified": "2025-08-13T19:55:49.357000",
      "created": "2025-08-13T19:55:49.357000",
      "tags": [
        "poisonseed",
        "apiurl",
        "protectedroute",
        "api key",
        "route",
        "post request",
        "function",
        "await",
        "span",
        "verify",
        "error",
        "path",
        "april",
        "phishing",
        "prop"
      ],
      "references": [
        "https://blog.nviso.eu/2025/08/12/shedding-light-on-poisonseeds-phishing-kit/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1056.003",
          "name": "Web Portal Capture",
          "display_name": "T1056.003 - Web Portal Capture"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1111",
          "name": "Two-Factor Authentication Interception",
          "display_name": "T1111 - Two-Factor Authentication Interception"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1583.002",
          "name": "DNS Server",
          "display_name": "T1583.002 - DNS Server"
        },
        {
          "id": "T1584.004",
          "name": "Server",
          "display_name": "T1584.004 - Server"
        },
        {
          "id": "T1589.002",
          "name": "Email Addresses",
          "display_name": "T1589.002 - Email Addresses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 26,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 38,
        "hostname": 21
      },
      "indicator_count": 59,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "292 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "686e0dff4857788fa8407bab",
      "name": "Phishing domains",
      "description": "Set of related phishing domains, using the same kit. According to https://www.mimecast.com/threat-intelligence-hub/scattered-spider-attacks/, they are related to Scattered Spider",
      "modified": "2025-08-08T06:00:40.325000",
      "created": "2025-07-09T06:36:46.487000",
      "tags": [],
      "references": [
        "https://www.mimecast.com/threat-intelligence-hub/scattered-spider-attacks/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "enrique.delahoz",
        "id": "64909",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 18,
        "hostname": 5
      },
      "indicator_count": 23,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 23,
      "modified_text": "297 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "mysandgrid.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "mysandgrid.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780358312.8530927
}