2-Step Email Attack Uses Powtoon Video to Execute Payload


A unique multistep cyberattack has been observed in the wild that attempts to trick users into playing a malicious video that ultimately serves up a spoofed Microsoft page to steal credentials. 

The team at Perception Point released a report on the phishing campaign, noting that attacks begin with an email that appears to contain an invoice from British email security company Egress. The report noted the fake Egress email contains a valid sender signature, signaling there was an earlier successful account takeover of an Egress employee. 

“It’s clear that this is an [account takeover] because 1) the email contains the user’s signature, and 2) it passes SPF and is sent from Microsoft [Outlook],” researchers explained in a blog post today. “Because two-step phishing attacks are typically sent by compromised accounts, it makes this type of phishing attack all the more dangerous, especially if the recipient knows and trusts the sender.”

Once the user clicks on the scam Egress invoice, they are taken to the legitimate video-sharing platform, Powtoon. The attackers use Powtoon to play a malicious video, ultimately presenting the victim with a very convincing spoofed Microsoft login page, where their credentials are harvested.

In all, the attack methodology is notable, researchers said. “This is a highly sophisticated phishing attack that involves multiple steps, account takeover and video,” according to the Perception Point report on the two-step video phishing campaign.
