Shedding Light on PoisonSeed’s Phishing Kit
ID: 4cddc853-593f-5b5f-a866-411ca03982ec
STIX ID: report--4cddc853-593f-5b5f-a866-411ca03982ec
Feed Name: NVISO Labs
NVISO details an active PoisonSeed phishing campaign that uses a React-based, MFA-resistant phishing kit to perform precision-validated phishing and Adversary-in-the-Middle capture of credentials, 2FA (authenticator, SMS, email, API keys) and authentication cookies to bypass MFA and take over CRM/bulk-email accounts. The report includes code-level analysis of the fake Cloudflare Turnstile flow, infrastructure (registrar, hosting, name servers), a long list of IoCs, hunting queries, and mitigation advice (phishing-resistant MFA, user awareness, and anomaly detection).
