2-Step Email Attack Uses Powtoon Video to Execute Payload


UPDATE

A unique multistep cyberattack has been observed in the wild that attempts to trick users into playing a malicious video that ultimately serves up a spoofed Microsoft page to steal credentials. 

The team at Perception Point released a report on the phishing campaign, noting that attacks begin with an email that appears to contain an invoice from British email security company Egress. The report noted the fake Egress email contains a valid sender signature, which helps it pass email security filters. 

Once the user clicks on the scam Egress invoice, they are taken to the legitimate video-sharing platform, Powtoon. The attackers use Powtoon to play a malicious video, ultimately presenting the victim with a very convincing spoofed Microsoft login page, where their credentials are harvested.
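The practical detection point in this chain is the first hop: a message dressed in one vendor's template whose header From and call-to-action links do not belong to that vendor's domains. The following is an added illustration of that check, not tooling from Perception Point, Egress or Dark Reading. The brand-to-domain mapping, the two sample messages and their addresses and URLs are all constructed for the example (the real campaign's headers and links are not reproduced on this page), and the check only sees the email's link to the hosting platform; the later video and spoofed Microsoft login page happen after the click and are out of its reach.

```python
"""Flag brand-impersonation emails whose sender or links leave the brand's domains.

Added example; constructed data; not the vendor's own detection logic.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed mapping of brand keyword -> domains that brand legitimately uses.
# Constructed for this example; a real deployment would load a vetted list.
BRAND_DOMAINS = {
    "egress": {"egress.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def in_domain(host: str, domains: set) -> bool:
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def assess(raw_message: str) -> list:
    """Return brand/domain mismatch findings for one RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    text = (msg.get("Subject", "") + " " + body).lower()

    # Which brands does the message claim to come from?
    brands = [b for b in BRAND_DOMAINS if b in text]
    findings = []

    # Check 1: does the header From domain belong to the claimed brand?
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    for b in brands:
        if not in_domain(sender_domain, BRAND_DOMAINS[b]):
            findings.append(f"{b} branding but sender domain {sender_domain}")

    # Check 2: does every link in the body stay on the brand's domains?
    for url in HREF_RE.findall(body):
        host = urlparse(url).hostname or ""
        for b in brands:
            if not in_domain(host, BRAND_DOMAINS[b]):
                findings.append(f"{b} branding but link to {host}")
    return findings


# Constructed sample: vendor-styled invoice notice whose link goes to a
# video-hosting platform instead of the vendor. Addresses and URLs are invented.
PHISH_SAMPLE = """\
From: Egress Protect <secure@egress-protect-mail.example>
To: victim@example.com
Subject: Egress Protect: secure invoice waiting for you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have received a secure message via Egress Protect.</p>
<p><a href="https://www.powtoon.com/s/example-video">Open invoice</a></p>
</body></html>
"""

# Constructed sample: same template, but sender and link stay on the brand domain.
BENIGN_SAMPLE = """\
From: Egress Protect <secure@egress.com>
To: victim@example.com
Subject: Egress Protect: secure message waiting for you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have received a secure message via Egress Protect.</p>
<p><a href="https://www.egress.com/secure-message">Open message</a></p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, assess(sample))
```

The check is deliberately narrow: it does not try to verify DKIM or SPF (the report says the lure carried a valid sender signature, so signature checks alone would not have stopped it) and it does not follow the link, so it reports the mismatch rather than the eventual credential-harvesting page.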

In all, the attack methodology is notable, researchers said. “This is a highly sophisticated phishing attack that involves multiple steps…and video,” according to the Perception Point report on the two-step video phishing campaign.

Egress Brand Impersonation

Egress told Dark Reading that its own investigation found the attack to be brand impersonation, even though on its face the email could pass as a legitimate Egress message.

“We can confirm that there is currently no evidence that Egress itself has been the victim of a phishing attack, and reports of an account takeover attack involving any Egress employee or any Egress user are false,” the company said in a statement sent to Dark Reading. “There is no need for any Egress customer or user to take any action at this time.”

The statement continued, “Our investigation shows that this is a standard brand impersonation. As you are probably aware, cybercriminals leverage many trusted and well-known brands to add legitimacy to their attacks. In the instance reported, a phishing email was sent using an Egress Protect (email encryption) template.”

This story was updated at 9:30 a.m. ET on Sept. 21, to clarify that there was no account takeover at Egress. This story was also updated at 12:50 p.m. ET on Sept. 22, after Perception Point amended certain details in its blog on the attack.
