Tracking Adversary Infrastructure with ValidIn and URLScan.io

In this post, I want to share some threat hunting techniques I’ve honed over time while investigating adversary infrastructure using crowdsourced and freemium tools.
While enterprise tools are powerful, you don't always need a massive budget to find evil. I heavily rely on open-source intelligence (OSINT) to find correlations and context for ongoing phishing campaigns. This guide is designed for beginners or anyone seeking to enhance their pivot skills without incurring significant costs.
Disclaimer: These techniques were developed through random OSINT research to understand infrastructure correlations. The goal here is to demonstrate the methodology of pivoting.
This blog may appeal to individuals who rely heavily on crowd-sourced feed sources for threat hunting, as well as to beginners in the field who prefer not to make significant investments at the start of their careers.
Phase 1: The Spark (Intelligence-Led Hunting)
My curiosity usually starts with reading research from the community. Recently, I was reading a Mandiant article titled Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines. It detailed the operations of Scattered Spider (UNC3944), a financially motivated group known for aggressive social engineering.
If you are interested in learning about Scattered Spider’s modus operandi/TTPs, read here.
One section caught my eye: the group's specific patterns for registering phishing domains. [Fig. 1]

Fig. 1: Phishing Domain Registration Pattern mentioned in the blog
That made me curious, so I searched a database of newly registered domains (NRDs) that I have built and maintained on my local machine over the past two years. I also recalled seeing similar registration patterns last year, when domains impersonating the "Okta" service targeted multiple brands.
The Hypothesis
Based on Scattered Spider's history, they often use keywords like help, vpn, sso, and servicenow. However, given their recent campaigns targeting Salesforce customers, I hypothesized they might be shifting focus.
I searched my local NRD database for the keyword "salesforce".

Out of four results, one stood out immediately. On November 22, 2025, the domain salesforce-logs[.]com was registered.
Hosting IP: 193.143.1.220
ASN: AS198953 (PROTON66)

This ASN is frequently associated with bulletproof hosting or malicious activity (Ref: ThreatFox), which was my first red flag.

Ref: https://threatfox.abuse.ch/asn/198953
Phase 2: The Pivot (Validin)
Now that we have a suspicious indicator (salesforce-logs[.]com), we need to see how deep the rabbit hole goes. This is where ValidIn shines: it correlates Passive DNS (pDNS) data.
Upon checking the IP 193.143.1.220 in ValidIn, I noticed a change in ownership around November 27, 2025. More importantly, the IP hosted a cluster of domains following a very specific theme. [Fig. 2]

Fig. 2: Passive DNS of the IP
The adversary wasn't just targeting Salesforce; they were building infrastructure to impersonate email marketing automation platforms such as ActiveCampaign, SendGrid, MailerLite, and ConvertKit.
activecarnpaignes[.]com
activecarnpaigns[.]com
serdgrid[.]com
salesforce-logs[.]com
converts-kits[.]com
mailerlite-logs[.]com
Using ValidIn's Lookalike feature with the pattern *-logs.com deduced from the cluster above, the search returned 24 similar domains, confirming a wider campaign targeting marketing tools:

Fig. 3: Validin Lookalike Feature for *-logs.com
mailjet-logs.com
mailchimp-logs.com
mailerlite-logs.com
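The pivots in Phases 1 and 2 (keyword search over an NRD table, ASN triage, IP pivot through pDNS, and spotting the cluster's lookalike pattern) can be scripted. The Python below is an added example written for this post, not the author's own tooling and not Validin's API: the NRD rows, the pDNS answer and the ASN watch-list are constructed stand-ins (only salesforce-logs[.]com, 193.143.1.220, AS198953 and the Fig. 2 cluster come from the post), and the brand list, the homoglyph table and the edit-distance threshold are the analyst's assumptions.

```python
"""Phase 1 + 2 as code: keyword hunt over a local NRD table, ASN triage,
pivot on the hosting IP through pDNS, then cluster the co-hosted domains
as brand lookalikes and derive the affix pattern for a lookalike search."""
from collections import Counter

# Constructed NRD rows: (registration date, domain, hosting IP, ASN). Only the
# salesforce-logs.com row reflects the post; the .example rows stand in for
# the benign keyword hits an NRD search also returns.
NRD_RECORDS = [
    ("2025-11-20", "salesforce-partner-demo.example", "203.0.113.10", "AS64496"),
    ("2025-11-22", "salesforce-logs.com", "193.143.1.220", "AS198953"),
    ("2025-11-23", "learnsalesforce.example", "198.51.100.7", "AS64497"),
    ("2025-11-24", "salesforcejobs.example", "203.0.113.44", "AS64496"),
    ("2025-11-25", "hr-portal-login.example", "192.0.2.9", "AS64498"),
]
ASN_WATCHLIST = {"AS198953"}  # analyst's red-flag ASNs; PROTON66 is the one in the post
# Constructed stand-in for a pDNS answer: the co-hosted cluster listed under Fig. 2.
PDNS = {"193.143.1.220": [
    "activecarnpaignes.com", "activecarnpaigns.com", "serdgrid.com",
    "salesforce-logs.com", "converts-kits.com", "mailerlite-logs.com",
]}
BRANDS = ["salesforce", "activecampaign", "sendgrid", "mailerlite",
          "convertkit", "mailchimp", "mailjet"]
HOMOGLYPHS = {"rn": "m", "vv": "w"}  # letter pairs that read as one letter (activecarnpaign)


def defang(domain):
    return domain.replace(".", "[.]")


def search_nrd(records, keyword):
    """Phase 1: every NRD row whose domain contains the keyword."""
    kw = keyword.lower()
    return [r for r in records if kw in r[1].lower()]


def flag_by_asn(rows, watchlist):
    """Phase 1 triage: keep only the hits parked on a watch-listed ASN."""
    return [r for r in rows if r[3] in watchlist]


def pivot_ip(pdns, ip):
    """Phase 2: co-hosted domains for an IP (stand-in for a pDNS lookup)."""
    return sorted(pdns.get(ip, []))


def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than pull a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, brands, max_distance=2):
    """Which brand a domain imitates and how: brand plus an affix (salesforce-logs),
    a homoglyph swap (activecarnpaign -> activecampaign) or a close typo (serdgrid)."""
    compact = domain.lower().split(".")[0].replace("-", "")
    normalized = compact
    for glyph, letter in HOMOGLYPHS.items():
        normalized = normalized.replace(glyph, letter)
    for brand in brands:
        if brand in compact:
            return brand, "brand-plus-affix"
        if brand in normalized:
            return brand, "homoglyph"
    closest = min(brands, key=lambda b: levenshtein(normalized, b))
    if levenshtein(normalized, closest) <= max_distance:
        return closest, "typosquat"
    return None


def derive_affix_pattern(domains, brands):
    """Turn the affix the actor keeps appending ("-logs") into a wildcard
    pattern for a lookalike search, e.g. *-logs.com."""
    affixes = Counter()
    for d in domains:
        hit = classify_domain(d, brands)
        label, _, tld = d.lower().partition(".")
        if not hit or hit[1] != "brand-plus-affix" or hit[0] not in label:
            continue
        affix = label.replace(hit[0], "", 1)
        if affix:
            affixes[(affix, tld)] += 1
    if not affixes:
        return None
    (affix, tld), _ = affixes.most_common(1)[0]
    return f"*{affix}.{tld}"


def hunt(keyword, records=NRD_RECORDS, pdns=PDNS, brands=BRANDS, watchlist=ASN_WATCHLIST):
    """The full pivot: keyword -> watch-listed ASN -> hosting IP -> cluster -> pattern."""
    flagged = flag_by_asn(search_nrd(records, keyword), watchlist)
    report = {"flagged": [defang(r[1]) for r in flagged], "clusters": {}}
    for _, _, ip, _ in flagged:
        cluster = pivot_ip(pdns, ip)
        report["clusters"][ip] = {
            "lookalikes": {defang(d): classify_domain(d, brands) for d in cluster},
            "pattern": derive_affix_pattern(cluster, brands),
        }
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(hunt("salesforce"), indent=2))
```

Running `hunt("salesforce")` reproduces the walk-through: four keyword hits, one on the watch-listed ASN, and for its IP a cluster in which every domain maps to a marketing brand by affix, homoglyph or a one- or two-character typo, plus the `*-logs.com` pattern to feed into a lookalike search. Keep the edit-distance threshold at 2 or lower; at 3 and above short brand names start colliding with unrelated words.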
At this stage, we have successfully mapped the infrastructure. We know what they are building, but we don't yet know how they are using it.
Phase 3: The Context (URLScan.io)
To understand the attack vector without touching the malicious infrastructure directly, we turn to URLScan.io.
We searched for our original suspect: salesforce-logs[.]com.
The "Evasion" Red Flag
You might notice scans redirecting to www.google.com. This is a classic evasion technique. If the phishing kit detects a scanner or a bot (like URLScan's automated browser), it redirects to a benign site (Google) to hide the true phishing page.

Fig. 4: Scans of salesforce-logs[.]com on URLScan
However, some scans succeeded. The results confirmed the domain was hosting a fake Salesforce Marketing Cloud login page.

What we suspected about the uncovered domains is now confirmed. Individual domains can be checked the same way.
In the example below for serdgrid[.]com, we see the same pattern: the phishing page is hosted on a subdomain containing the login keyword.

Finding the Delivery Vector
How is this reaching victims? This is where the Redirects tab in URLScan is a goldmine; more often than not, it tells the story we are looking for.

By analysing the redirect chain for our original suspect, salesforce-logs[.]com, we can reconstruct the narrative. The scan data showed the link was likely delivered via a "Trailhead Account Verification" lure.

Fig. 5: Inspecting Redirects section from URLScan
Similarly, serdgrid[.]com was used to create a fake scenario claiming a "SendGrid API Key was paused due to violations." This creates urgency—a classic social engineering tactic to encourage the user to click and "log in" to the fake platform.
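Reading a redirect chain is something you can automate once you know the two outcomes to expect from a cloaking kit: a bounce to a benign sink when it detects a scanner, or a login-themed page on the actor's own subdomain when the scan gets through. The Python below is an added example, not URLScan's API or result schema: the redirect chains are constructed (the domains are the post's; the hostnames, paths and query strings are illustrative, not recorded scans), the benign-sink list and landing markers are assumptions, and the eTLD+1 helper is a naive two-label split rather than a Public Suffix List lookup.

```python
"""Phase 3 as code: read redirect chains the way you read URLScan's Redirects
tab, separate scanner evasion from real landing pages, and pull the pretext
(lure) out of the first hop."""
import re
from urllib.parse import urlsplit

# Hosts a cloaking kit bounces scanners to; www.google.com is the one seen in the post.
BENIGN_SINKS = {"www.google.com", "google.com"}
# Tokens in the final host/path that suggest a credential-harvesting page.
LANDING_MARKERS = ("login", "signin", "sign-in", "auth", "verify", "verification")
STOPWORDS = {"http", "https", "www", "com", "html", "index"}

# Constructed redirect chains (first request -> final page). Only the registrable
# domains come from the post; hostnames, paths and the query string are made up.
SCANS = [
    {"id": "scan-a", "hops": ["https://salesforce-logs.com/",
                              "https://www.google.com/"]},
    {"id": "scan-b", "hops": ["https://salesforce-logs.com/trailhead/account-verification?ref=CONSTRUCTED",
                              "https://login.salesforce-logs.com/"]},
    {"id": "scan-c", "hops": ["https://serdgrid.com/api-key-paused-violation",
                              "https://login.serdgrid.com/"]},
]


def registrable(host):
    """Naive eTLD+1 (last two labels); fine for .com clusters, not for co.uk-style TLDs."""
    return ".".join((host or "").lower().split(".")[-2:])


def lure_hints(url):
    """Words in the first hop's path that describe the pretext, e.g. trailhead / verification."""
    path = urlsplit(url).path.lower()
    return [t for t in re.split(r"[^a-z]+", path) if len(t) > 3 and t not in STOPWORDS]


def analyze_chain(hops, suspect):
    """Classify one chain for a suspect registrable domain."""
    first, last = hops[0], hops[-1]
    final = urlsplit(last)
    final_host = final.hostname or ""
    if final_host in BENIGN_SINKS:
        verdict = "evasion-redirect"      # kit saw a scanner and bounced it to a benign site
    elif registrable(final_host) == suspect and any(
            m in final_host or m in final.path.lower() for m in LANDING_MARKERS):
        verdict = "landing-page"          # stayed on actor infrastructure, login-themed
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "final_host": final_host, "lure": lure_hints(first)}


def summarize(scans, suspect):
    """Combine every scan of one domain. Cloaking is confirmed when the same
    domain both bounced scanners and served a login page."""
    results = {s["id"]: analyze_chain(s["hops"], suspect) for s in scans
               if registrable(urlsplit(s["hops"][0]).hostname) == suspect}
    verdicts = {r["verdict"] for r in results.values()}
    return {
        "scans": results,
        "cloaking": {"evasion-redirect", "landing-page"} <= verdicts,
        "lures": sorted({w for r in results.values() for w in r["lure"]}),
    }


if __name__ == "__main__":
    for domain in ("salesforce-logs.com", "serdgrid.com"):
        print(domain, summarize(SCANS, domain))
```

For salesforce-logs[.]com the summary flags cloaking (one scan bounced to Google, one reached a login page) and lists `account`, `trailhead` and `verification` as lure words; for serdgrid[.]com only a landing page is observed, so cloaking stays unconfirmed even though the `paused` / `violation` pretext is visible. Treat "inconclusive" as exactly that: a chain ending somewhere else on the open internet needs a human look, not an automatic verdict.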

Conclusion
In this hunt, we focused heavily on Passive DNS and Lookalike Domains. These are powerful Indicators of Future Attack (IOFA)—breadcrumbs the adversary leaves behind while building their infrastructure before they launch the first phishing email.
You don't need a million-dollar budget to start. You only need curiosity, a few bookmarkable tools, and the patience to follow the thread when you notice something unusual.
Start with a keyword. Pivot on the IP. Verify the intent. Happy hunting!



