PoisonSeed Phishing Kit Bypasses MFA to Steal Credentials from Users and Organizations
gbhackers
The threat actor known as PoisonSeed, loosely affiliated with groups like Scattered Spider and CryptoChameleon, has deployed an active phishing kit designed to circumvent multi-factor authentication (MFA) and harvest credentials from individuals and organizations.
This kit, operational since April 2025, targets login services of major CRM and bulk email providers such as Google, SendGrid, and Mailchimp, enabling attackers to seize email infrastructure for spam dissemination and cryptocurrency scams.

PoisonSeed’s tactics involve spear-phishing emails with embedded malicious links that redirect victims to impersonated domains, where an encrypted victim email is appended to the URL and stored as a cookie for server-side validation, a method dubbed “Precision-Validated Phishing.”

Emerging Threat from PoisonSeed Actor
The kit mimics legitimate interfaces, including a fake Cloudflare Turnstile challenge, to verify the encrypted email and ensure it is not banned by the target service.
Once validated, victims encounter ...
Copyright of this story solely belongs to gbhackers.