Seeing FQDNs like "mtmoqiuq.20.218.142.124.static.hostiran[.]name" and "sgrwnbid.172-202-98-170.cloud-xip[.]com", we first thought some ASNs could be exploited similarly to the ".ARPA abuse" we described in one of our recent blogs.

Seeing FQDNs like "mtmoqiuq.20.218.142.124.static.hostiran[.]name" and "sgrwnbid.172-202-98-170.cloud-xip[.]com", we first thought some ASNs could be exploited similarly to the ".ARPA abuse" we described in one of our recent blogs. Turns out we were overthinking it... This kind of "DNS abuse" is so straight forward... We're not sure it qualifies as DNS abuse...

Here is what is going on: Whatever IP address you prepend to "static.hostiran[.]name" creates a hostname which resolves to this IP... That is it! Same goes for cloud-xip[.]com!

We've seen these kinds of hostnames a lot in SPAM emails recently, like the one we screenshot below which loads an image from a CDN as a giant hyperlink. We aren't sure why malicious SPAM actors bother to use this trick in their email links... If they control an IP, they can use it directly in URLs. They don't need a domain name!? And it isn't like this bypasses a firewall... If their IP is blocked, queries to those FQDNs will be too...

Our best guesses are that:
- Using hostnames rather than IPs helps them bypass SPAM email detection?
- And / or it enables them to create "subdomains", which they seem to be doing to track something, either SPAM campaigns, or their victims.

Technically, this could be used to create lookalike FQDNs. Those examples look like random subdomains, but literally anything can be prepended to the IP, so the only limit is your imagination! Not the most convincing lookalike by any means... but we've seen worse!

Here is an example of how this can be abused to both, load content from literally any IP, and create low quality lookalikes:
https://urlscan.io/result/019d1b3d-b94e-70f9-aae7-ecf5a02e3c89/

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #spam #scam

Many of the other crypto phishing pages have been simpler lures:

try-trezcard[.]com
live-ledgerupdate[.]com
valid-ledgerlive[.]com
822037[.]help
support.devicerecovery[.]io

Our team at Infoblox is hopeful that with more public awareness about these ongoing campaigns from Poisonseed, hopefully fewer enterprise organizations and individuals will be impacted and we'll see a reduction in these attacks over the next year.

If you have any tips or leads on this campaign or others like it, please don't hesitate to ping our team!

There has also been seed phrase poisoning / crypto phishing efforts which have used domains targeting Trezor, Ledger, Coinbase and likely other wallets.

Somewhat surprisingly, a recent phishing site actually had a fake blog post from Trezor titled, "Address Poisoning Attacks are Surging – Here's How Your Trezor Now Protects You" which had substantial content likely written by AI, and further links on the page to a phishing portal.

writeup-blogtrezor[.]com

One interesting detail about the Poisonseed phishing campaign is that it appears different targeted users will get different phishing campaigns. There are far fewer examples but ActiveCampaign users have also been targeted on phishing sites like support-activecampaign[.]com

It seems based on the shifts in content the last few months that Poisonseed has seen success with these "Footer template phishing" emails, so this is definitely something to keep an eye on. Some of the Sendgrid phishing domains promoted during these campaigns includes:

usnw1-sgapi[.]com

ussw-sendgrid[.]com

priority-sgportal[.]com

In March 2026 they've also sent multiple phishing emails that claimed a "Women's History Month" footer would be added to all outgoing emails by default, and you merely need to login to disable it...

On March 1, 2026, the threat actors sent out a similar email claiming that an "Iran Awareness Footer" would be added to all outgoing emails and claiming, "If you'd prefer to not include it, you can easily disable it in your account preferences."

In February 2026 they sent another phishing email about a "LGBTQ+ Footer" being added to all outgoing communications:

In December 2025 they sent out a phishing email about a "Black Lives Matter Theme" which honored George Floyd claiming it was turned on by default and would merely need a quick login to disable the theme...

In December 2025 Poisonseed started to test phishing content which alleged that a "new theme" was going to be added to all ongoing emails by default, typically using a politicized topic to make someone worry about injecting politics into their mass communications, which could lead to someone rushing through the login process and getting phished.

The first phishing email with this "template lure" was about a LGBTQ+ pride theme:

Through our research sharing partners our team has received copies of the Poisonseed phishing emails. We were surprised by the diversity of the content and the novel efforts to use breaking news topics to try and trick someone into quickly logging into one of their phishing portals.

Some of their phishing messages are a bit more classic, with lures like "Your bounce rate needs attention"

Or "A subuser with sending permissions was recently created on your account."

On major social networks, if you search "Sendgrid" "Phishing" and you'll find people complaining about these CRM phishing messages on a weekly basis. Here's a few redacted tweets that have gone out in the last couple weeks which shows targeted individuals typically receiving *numerous* phishing emails (if you get one, you get lots!)

Poisonseed has successfully phished enterprise email accounts for over a year to further their crypto seed phrase poisoning attacks. ️

It's been one year since @troyhunt's Mailchimp phishing incident (https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/) which resulted in threat actors downloading his entire email list and creating an API key likely in an attempt to send mass emails from his account.

Before we get into some fresh domains you can hunt, here's a bit of background on this ongoing threat...

The threat actors behind this campaign are seemingly associated with The Com / Scattered Spider threat actors and use a compromised email account to send CRM phishing emails and also crypto seed phrase poisoning / crypto phishing emails. They essentially compromise a CRM to send more CRM phishing emails from it – a supply chain compromise that just keeps spreading -- very clever! The threat actors are targeting Mailchimp, Sendgrid, ActiveCampaign and allegedly other CRM providers.

We've had some great writeups in the last year on this threat including:

Validin: "Pulling the Threads on the Phish of Troy Hunt" @ https://www.validin.com/blog/pulling_threads_on_phishing_campaign

Silent Push: "PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation" https://www.silentpush.com/blog/poisonseed/

NViso: "Shedding Light on PoisonSeed’s Phishing Kit" https://blog.nviso.eu/2025/08/12/shedding-light-on-poisonseeds-phishing-kit/

Domain Tools: "Newly Identified Domains Likely Linked to Continued Activity from PoisonSeed E-Crime Actor" https://dti.domaintools.com/research/newly-identified-domains-likely-linked-to-continued-activity-from-poisonseed-e-crime-actor

Over the last year, Poisonseed have successfully phished *dozens* of major organizations, seemingly with no or minimal public disclosures about these incidents from impacted organizations. And while we don't share victim details, we have a breakdown of the industries who have been impacted by the CRM phishing campaigns (essentially every major industry):

Dios mio! While researching a particular type of Colombian folk music, we stumbled across a .edu domain selling... accordions? Our first thought was potentially domain hijacking, but it appears to be more likely an exploitation of CVE-2026-27210 (TLDR; cross-site scripting). While the vulnerability has been patched in the plugin itself, not all pages have updated their plugins, and search engines have already indexed the poisoned pages! Pivoting led to 50+ additional domains found spread across three risky TLDs: .sbs, .pics, and .shop. The domains on .sbs and .pics appear to be config servers to exploit the vulnerability; the domains on .shop are the landing pages where victims can be scammed.

IOCs:
000o[.]sbs,0pen[.]sbs,123buys[.]shop,123me[.]shop,1bg[.]pics,1ki[.]pics,1mage[.]sbs,1ql[.]pics,1ty[.]pics,1vi[.]pics,1wr[.]pics,2ty[.]pics,569oagri[.]shop,66buys[.]shop,6ip[.]pics,6ym[.]pics,7rt[.]pics,8pi[.]pics,99buys[.]shop,99i[.]pics,9gwe[.]shop,a25n[.]shop,bk2[.]pics,bk59t[.]shop,buysok[.]shop,c68k[.]shop,cc1[.]pics,doo[.]pics,ep7[.]pics,estore-1[.]com,g9gvv[.]sbs,gaer896[.]shop,gm5[.]pics,gosok[.]shop,gt3[.]pics,h66p[.]shop,hh6[.]pics,iilvw[.]sbs,im9[.]pics,img1[.]sbs,in6[.]pics,jj3[.]pics,kk9[.]pics,lilil[.]sbs,llvvw[.]sbs,m66p6[.]shop,mebuys[.]shop,mg6[.]pics,mh8f6k[.]shop,mkk[.]pics,ms1[.]pics,nn6[.]pics,onsgs[.]com,p6[.]pics,p888p[.]shop,pan1[.]top,pic1[.]sbs,pic2[.]sbs,pt11[.]sbs,py3y[.]com,qq1[.]pics,rey89p[.]shop,shop56[.]shop,t88t8[.]shop,tp1[.]pics,tp9[.]pics,trues[.]sbs,up9[.]pics,upimg[.]sbs,uu2[.]pics,vt5[.]pics,vteyu[.]shop,vvf1[.]sbs,vvp1[.]sbs,w2w[.]pics,w88p[.]shop,wp59q[.]shop,wvlll[.]sbs,wvv1[.]sbs,wvvvv[.]sbs,x2p[.]pics,xyaer548[.]shop,yi1[.]pics

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #seo_poisoning #seopoisoning