Poisonseed has successfully phished enterprise email accounts for over a year to further their crypto seed phrase poisoning attacks.

infobloxthreatintel@infosec.exchange, post #1

    Poisonseed has successfully phished enterprise email accounts for over a year to further their crypto seed phrase poisoning attacks. 🎣 ✉️ 💸

    It's been one year since @troyhunt's Mailchimp phishing incident (https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/) which resulted in threat actors downloading his entire email list and creating an API key likely in an attempt to send mass emails from his account.

    Before we get into some fresh domains you can hunt, here's a bit of background on this ongoing threat...

    The threat actors behind this campaign are seemingly associated with The Com / Scattered Spider threat actors and use a compromised email account to send CRM phishing emails and also crypto seed phrase poisoning / crypto phishing emails. They essentially compromise a CRM to send more CRM phishing emails from it – a supply chain compromise that just keeps spreading -- very clever! The threat actors are targeting Mailchimp, Sendgrid, ActiveCampaign and allegedly other CRM providers.

    We've had some great writeups in the last year on this threat including:

    Validin: "Pulling the Threads on the Phish of Troy Hunt" @ https://www.validin.com/blog/pulling_threads_on_phishing_campaign

    Silent Push: "PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation" https://www.silentpush.com/blog/poisonseed/

    NViso: "Shedding Light on PoisonSeed’s Phishing Kit" https://blog.nviso.eu/2025/08/12/shedding-light-on-poisonseeds-phishing-kit/

    Domain Tools: "Newly Identified Domains Likely Linked to Continued Activity from PoisonSeed E-Crime Actor" https://dti.domaintools.com/research/newly-identified-domains-likely-linked-to-continued-activity-from-poisonseed-e-crime-actor

    Over the last year, Poisonseed have successfully phished *dozens* of major organizations, seemingly with no or minimal public disclosures about these incidents from impacted organizations. And while we don't share victim details, we have a breakdown of the industries that have been impacted by the CRM phishing campaigns (essentially every major industry):

infobloxthreatintel@infosec.exchange, post #2

      On major social networks, if you search "Sendgrid" "Phishing" you'll find people complaining about these CRM phishing messages on a weekly basis. Here are a few redacted tweets that have gone out in the last couple of weeks, which show targeted individuals typically receiving *numerous* phishing emails (if you get one, you get lots!)

      [Images: three redacted tweets]
infobloxthreatintel@infosec.exchange, post #3

        Through our research sharing partners our team has received copies of the Poisonseed phishing emails. We were surprised by the diversity of the content and the novel efforts to use breaking news topics to try and trick someone into quickly logging into one of their phishing portals.

        Some of their phishing messages are a bit more classic, with lures like "Your bounce rate needs attention"

        Or "A subuser with sending permissions was recently created on your account."

infobloxthreatintel@infosec.exchange, post #4

          In December 2025 Poisonseed started to test phishing content which alleged that a "new theme" was going to be added to all ongoing emails by default, typically using a politicized topic to make someone worry about injecting politics into their mass communications, which could lead to someone rushing through the login process and getting phished.

          The first phishing email with this "template lure" was about an LGBTQ+ pride theme:

infobloxthreatintel@infosec.exchange, post #5

            In December 2025 they sent out a phishing email about a "Black Lives Matter Theme" honoring George Floyd, claiming it was turned on by default and would merely need a quick login to disable the theme...

infobloxthreatintel@infosec.exchange, post #6

              In February 2026 they sent another phishing email about a "LGBTQ+ Footer" being added to all outgoing communications:

infobloxthreatintel@infosec.exchange, post #7

                On March 1, 2026, the threat actors sent out a similar email claiming that an "Iran Awareness Footer" would be added to all outgoing emails and claiming, "If you'd prefer to not include it, you can easily disable it in your account preferences."

infobloxthreatintel@infosec.exchange, post #8

                  In March 2026 they've also sent multiple phishing emails that claimed a "Women's History Month" footer would be added to all outgoing emails by default, and you merely need to log in to disable it...

infobloxthreatintel@infosec.exchange, post #9

                    One interesting detail about the Poisonseed phishing campaign is that it appears different targeted users will get different phishing campaigns. There are far fewer examples but ActiveCampaign users have also been targeted on phishing sites like support-activecampaign[.]com

                    It seems based on the shifts in content over the last few months that Poisonseed has seen success with these "Footer template phishing" emails, so this is definitely something to keep an eye on. Some of the Sendgrid phishing domains promoted during these campaigns include:

                    usnw1-sgapi[.]com
                    ussw-sendgrid[.]com
                    priority-sgportal[.]com

infobloxthreatintel@infosec.exchange, post #10

                      There has also been seed phrase poisoning / crypto phishing efforts which have used domains targeting Trezor, Ledger, Coinbase and likely other wallets.

                      Somewhat surprisingly, a recent phishing site actually had a fake blog post from Trezor titled, "Address Poisoning Attacks are Surging – Here's How Your Trezor Now Protects You" which had substantial content likely written by AI, and further links on the page to a phishing portal.

                      writeup-blogtrezor[.]com

infobloxthreatintel@infosec.exchange, post #11

                        Many of the other crypto phishing pages have been simpler lures:

                        try-trezcard[.]com
                        live-ledgerupdate[.]com
                        valid-ledgerlive[.]com
                        822037[.]help
                        support.devicerecovery[.]io

                        Our team at Infoblox is hopeful that with more public awareness about these ongoing campaigns from Poisonseed, fewer enterprise organizations and individuals will be impacted and we'll see a reduction in these attacks over the next year.

                        If you have any tips or leads on this campaign or others like it, please don't hesitate to ping our team! 🖖

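As an added example (editor's code, not Infoblox's tooling and not part of the original thread), here is a small hunting script that takes the defanged domains posted in posts #9, #10 and #11, refangs them, and scans a DNS query log both for exact matches on those indicators and for new registrations that reuse the brand tokens seen in them ("sendgrid", "sgapi", "sgportal", "trezor", "ledger", and so on). Everything about the environment is assumed: the log format (timestamp, client IP, queried name), the allow-list of the vendors' real domains, and a naive "last two labels" notion of the registrable domain. The sample log is constructed for the example.

```python
# Indicators quoted in the thread above, kept defanged exactly as posted.
THREAD_IOCS = [
    "support-activecampaign[.]com",
    "usnw1-sgapi[.]com",
    "ussw-sendgrid[.]com",
    "priority-sgportal[.]com",
    "writeup-blogtrezor[.]com",
    "try-trezcard[.]com",
    "live-ledgerupdate[.]com",
    "valid-ledgerlive[.]com",
    "822037[.]help",
    "support.devicerecovery[.]io",
]

# Registrable domains the impersonated brands actually use. Assumption: this
# short allow-list is illustrative; build yours from the vendors' own docs.
LEGIT_DOMAINS = {
    "sendgrid.com", "sendgrid.net", "mailchimp.com", "activecampaign.com",
    "trezor.io", "ledger.com", "coinbase.com",
}

# Brand tokens that recur in the thread's lookalike domains ("sgapi" and
# "sgportal" are SendGrid shorthand; "trez" also catches "trezcard").
BRAND_TOKENS = {
    "sendgrid": ("sendgrid", "sgapi", "sgportal"),
    "mailchimp": ("mailchimp",),
    "activecampaign": ("activecampaign",),
    "trezor": ("trezor", "trez"),
    "ledger": ("ledger",),
    "coinbase": ("coinbase",),
}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b'."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


IOC_SET = {refang(d) for d in THREAD_IOCS}


def registrable(host: str) -> str:
    """Naive eTLD+1: the last two labels. Assumption: no multi-part public
    suffixes (co.uk etc.) in the sample; use a PSL library in production."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(qname: str):
    """Return (verdict, detail) for one queried name, or None if benign."""
    host = refang(qname)
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return None                                  # the real vendor
    if host in IOC_SET:
        return ("ioc", host)                         # exact host indicator
    if reg in IOC_SET:
        return ("ioc", reg)                          # any subdomain of an IOC
    haystack = host.rsplit(".", 1)[0]                # everything left of the TLD
    for brand, tokens in BRAND_TOKENS.items():       # catches both
        if any(t in haystack for t in tokens):       # "ussw-sendgrid.com" and
            return ("lookalike", brand)              # "sendgrid.evil.net"
    return None


# Constructed sample log: "<timestamp> <client> <qname>" per line (assumption).
SAMPLE_DNS_LOG = """\
2026-03-02T09:14:03Z 10.20.0.15 api.sendgrid.com
2026-03-02T09:14:41Z 10.20.0.15 ussw-sendgrid.com
2026-03-02T09:15:10Z 10.20.0.22 login.priority-sgportal.com
2026-03-02T09:16:55Z 10.20.0.31 support.devicerecovery.io
2026-03-02T09:17:20Z 10.20.0.31 www.trezor.io
2026-03-02T09:18:02Z 10.20.0.44 cdn.example.net
2026-03-02T09:18:40Z 10.20.0.44 secure-mailchimp-login.net
2026-03-02T09:19:07Z 10.20.0.50 822037.help
"""


def hunt(log_text: str) -> list:
    """Scan the log and return one record per suspicious query."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[:3]
        verdict = classify(qname)
        if verdict:
            hits.append({"ts": ts, "client": client, "qname": refang(qname),
                         "verdict": verdict[0], "detail": verdict[1]})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_DNS_LOG):
        print(f"{h['ts']} {h['client']} {h['qname']:30} {h['verdict']}:{h['detail']}")
```

The allow-list check runs first so that the vendors' real hosts never trip the brand-token rule; the token rule then looks at the whole name left of the TLD, so a brand planted in a subdomain of an unrelated registrable domain is still surfaced. A numeric indicator like 822037[.]help carries no brand token at all, which is why the exact-match pass against the posted IOCs is kept separate from the lookalike heuristic. Treat lookalike hits as triage candidates, not verdicts.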