PoisonSeed Threat Actor Strengthens Credential Theft Operations with New Domains
The newly identified domains spoof the email delivery platform SendGrid and employ fake Cloudflare CAPTCHA interstitials to lend legitimacy before redirecting unsuspecting users to credential harvesting pages.
Since June 1, 2025, DomainTools Investigations has identified 21 newly registered domains exhibiting hallmarks of the eCrime actor known as PoisonSeed.
Although specific victims have not been confirmed, PoisonSeed’s historical focus on cryptocurrency platforms and enterprise environments underscores the urgency of monitoring this emerging infrastructure.
The domains in question were registered via the NiceNIC International Group Co. registrar and hosted on IP addresses assigned to Global-Data System IT Corporation (AS42624).
Most names include direct references to SendGrid, while a handful invoke more generic digital services such as single sign-on portals and login pages.
Examples include https-loginsg[.]com, sgaccountsettings[.]com, and my-sandgrid[.]com. A partial list of these domains appears below:
| Domain Name | Hosting IP |
|---|---|
| aws-us3[.]com | 185.208.156.46 |
| loginportalsg[.]com | 86 ... |
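The naming pattern described above (a typo-squatted "sendgrid", or the short form "sg" combined with login and account words) can be turned into a simple triage heuristic for newly registered domain feeds. The following is an added example written for this page, not code from the article or from DomainTools; the word lists, the edit-distance threshold and the sample list are assumptions, and the sample mixes the names quoted in the article with constructed benign controls.

```python
BRAND = "sendgrid"          # impersonated platform named in the report
BRAND_ABBR = "sg"           # short form seen in names like loginportalsg
LURE_WORDS = ("login", "signin", "account", "settings", "portal", "sso", "https")

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character typosquats (sandgrid)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Refang and drop the TLD: 'my-sandgrid[.]com' -> 'my-sandgrid'."""
    host = domain.replace("[.]", ".").strip().lower()
    return host.rsplit(".", 1)[0] if "." in host else host

def brand_distance(label: str) -> int:
    """Smallest edit distance between 'sendgrid' and any window of the label."""
    best = len(BRAND)
    for width in range(len(BRAND) - 1, len(BRAND) + 2):
        for i in range(max(1, len(label) - width + 1)):
            best = min(best, levenshtein(label[i:i + width], BRAND))
    return best

def classify(domain: str) -> dict:
    """Flag a domain that mimics SendGrid (typosquat) or pairs 'sg' with a login lure."""
    label = registrable_label(domain)
    dist = brand_distance(label)
    lures = [w for w in LURE_WORDS if w in label]
    reasons = []
    if dist <= 1 and label != BRAND:   # the genuine label itself is not a lookalike
        reasons.append(f"brand typosquat (edit distance {dist})")
    if BRAND_ABBR in label and lures:
        reasons.append("abbreviation 'sg' with lure words: " + ", ".join(lures))
    return {"domain": domain, "label": label, "brand_distance": dist,
            "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample list: the names quoted in the article plus benign controls.
SAMPLE = ["https-loginsg[.]com", "sgaccountsettings[.]com", "my-sandgrid[.]com",
          "loginportalsg[.]com", "aws-us3[.]com", "sendgrid.com", "example.com"]

if __name__ == "__main__":
    for d in SAMPLE:
        r = classify(d)
        print(("SUSPECT " if r["suspicious"] else "ok      ") + d, "; ".join(r["reasons"]))
```

In production the classifier would sit behind an allowlist of the vendor's own domains and feed a review queue rather than block on its own, since a heuristic this small will produce false positives on unrelated names containing "sg".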
Copyright of this story solely belongs to gbhackers.