PoisonSeed Phishing Attack Chain | Image: NVISO
A new NVISO investigation has revealed the inner workings of PoisonSeed, a sophisticated threat actor whose tactics mirror those of Scattered Spider and CryptoChameleon. This group has weaponized an advanced phishing kit capable of bypassing multi-factor authentication (MFA) through Adversary-in-the-Middle (AitM) techniques, enabling large-scale credential harvesting and cryptocurrency-related scams.
“PoisonSeed uses this phishing kit to acquire credentials from individuals and organizations, leveraging them for email infrastructure purposes such as sending emails and acquiring email lists to expand the scope of cryptocurrency-related spam,” NVISO warns.
At the core of PoisonSeed’s operation is a Precision-Validated Phishing system. Each phishing URL embeds the victim’s email in encrypted form; the same value is stored as a cookie and validated server-side before any login form appears. Victims first encounter a fake Cloudflare Turnstile challenge, a ruse that hides the check confirming that the visitor is a targeted, legitimate email account.
This validation is not cosmetic. As NVISO explains, “The victim’s email is appended in the phishing kit’s URL and also stored as a cookie in an encrypted format that is verified server-side.” If the check fails, the victim is redirected to Google, effectively filtering out non-targets.
The phishing campaign begins with spear-phishing emails posing as CRM or bulk email providers like Google, SendGrid, or Mailchimp. Subjects such as “Sending Privileges Restricted” are designed to trigger urgent action. The embedded links redirect to PoisonSeed-controlled domains—registered through the NICENIC registrar—that convincingly mimic legitimate login portals.
Once victims enter credentials, the kit acts as an AitM proxy, forwarding the login and MFA data to the real service in real time. It supports multiple authentication methods, including authenticator app codes, SMS codes, email codes, and even API keys. This lets PoisonSeed capture the resulting authentication cookies and gain full account access, bypassing MFA entirely.
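The lure and URL traits described above (a brand-impersonating sender whose link points elsewhere, the “Sending Privileges Restricted” subject, and an opaque encoded token carrying the victim’s email) can be turned into a simple mail-triage check. The script below is an added example, not NVISO’s tooling; the brand-to-domain map, the entropy threshold and every sample message and domain are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
import re
from urllib.parse import parse_qs, urlparse

# Brands and the lure subject come from the NVISO findings above; the domain map and samples are assumptions.
BRAND_DOMAINS = {"google": "google.com", "sendgrid": "sendgrid.com", "mailchimp": "mailchimp.com"}
LURE_SUBJECT = re.compile(r"sending privileges restricted", re.I)

def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded or encrypted blobs score high, plain words low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def has_opaque_token(url: str, min_len: int = 32, min_entropy: float = 3.5) -> bool:
    """True if a query value or path segment looks like the kit's encoded/encrypted victim identifier."""
    parts = urlparse(url)
    values = [v for vs in parse_qs(parts.query).values() for v in vs] + parts.path.split("/")
    return any(len(v) >= min_len and shannon_entropy(v) > min_entropy for v in values)

def impersonated_brand(sender: str, url: str):
    """Name the brand if the sender claims it but the link host is not under that brand's domain."""
    host = (urlparse(url).hostname or "").lower()
    for brand, domain in BRAND_DOMAINS.items():
        if brand in sender.lower() and host != domain and not host.endswith("." + domain):
            return brand
    return None

def triage(msg: dict) -> list:
    """Return the sorted list of indicators found in one parsed message."""
    hits = set()
    if LURE_SUBJECT.search(msg["subject"]):
        hits.add("lure_subject")
    for url in msg["links"]:
        brand = impersonated_brand(msg["from"], url)
        if brand:
            hits.add(f"brand_mismatch:{brand}")
        if has_opaque_token(url):
            hits.add("opaque_token")
    return sorted(hits)

# Constructed samples: a deterministic blob stands in for the kit's encrypted victim email.
FAKE_TOKEN = base64.urlsafe_b64encode(hashlib.sha256(b"victim@example.com").digest()).decode()
SUSPICIOUS = {"from": "SendGrid Support <alerts@sendgrid-notices.example>",
              "subject": "Sending Privileges Restricted",
              "links": [f"https://login.sendgrid-notices.example/verify?e={FAKE_TOKEN}"]}
BENIGN = {"from": "Mailchimp <no-reply@mailchimp.com>",
          "subject": "Your monthly campaign report",
          "links": ["https://mailchimp.com/help/about-campaign-reports/"]}
```

Running `triage(SUSPICIOUS)` yields all three indicators while `triage(BENIGN)` yields none; in practice the opaque-token check is a hint for analyst review, since legitimate unsubscribe and tracking links also carry long tokens.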
PoisonSeed’s infrastructure choices show a clear intent to evade detection:
- Registrar: All phishing domains were registered via NICENIC, a registrar ranked among the top for malicious domain registrations by Spamhaus.
- Hosting: Most domains use Cloudflare for IP obfuscation, followed by DE-Firstcolo and SWISSNETWORK02—both flagged in Spamhaus’ ASN-DROP list.
- Name Servers: Split between Cloudflare and Bunny.net.
These measures make takedown efforts slower and attribution more difficult.
The stolen email infrastructure serves a bigger purpose—cryptocurrency fraud. According to NVISO, recipients of PoisonSeed spam are subjected to “a cryptocurrency seed phrase manipulation attack,” where victims are tricked into using attacker-provided recovery phrases for new wallets, granting PoisonSeed direct access to their funds.
This campaign has already been linked to high-profile incidents, including the theft of security researcher Troy Hunt’s Mailchimp mailing list and a Coinbase phishing scheme involving fake wallet migration notices.