
2-Step Email Attack Uses Powtoon Video to Execute Payload

The attack uses hijacked Egress branding and the legit Powtoon video platform to steal user credentials.

UPDATE

[Editor's note: Perception Point has taken down its original blog post detailing a unique multistep cyberattack that attempts to trick users into playing a malicious video that ultimately serves up a spoofed Microsoft page to steal credentials. However, the attack does exist in the wild, so we're keeping the bare details of the phish available.]

The report had noted that attacks begin with an email that purports to contain an invoice from British email security company Egress.

"Our investigation shows that this is a standard brand impersonation," an Egress spokesperson told Dark Reading. "As you are probably aware, cybercriminals leverage many trusted and well-known brands to add legitimacy to their attacks. In the instance reported, a phishing email was sent using an Egress Protect (email encryption) template."

The spokesperson added, "We can confirm that there is currently no evidence that Egress itself has been the victim of a phishing attack, and reports of an account takeover attack involving any Egress employee or any Egress user are false. There is no need for any Egress customer or user to take any action at this time."

Once the user clicks on the scam Egress invoice, they are taken to the legitimate video-sharing platform, Powtoon. The attackers use Powtoon to play a malicious video, ultimately presenting the victim with a very convincing spoofed Microsoft login page, where their credentials are harvested.

This story was updated at 9:30 a.m. ET on Sept. 21, to clarify that there was no account takeover at Egress. This story was also updated at 12:50 p.m. ET on Sept. 22, after Perception Point amended certain details in its blog on the attack. This story was amended a third time, at 1:30 p.m. ET on Sept. 26, to reflect that Perception Point took its original research offline.