2-Step Email Attack Uses Powtoon Video to Execute Payload

The attack uses hijacked Egress branding and the legit Powtoon video platform to steal user credentials.

Dark Reading Staff, Dark Reading

September 20, 2022

2 Min Read
Image of Powtoon platform page in browser
Source: Postmodern Studio via Alamy


A unique multistep cyberattack that attempts to trick users into playing a malicious video ultimately serves up a spoofed Microsoft page to steal credentials. 

That's according to a report from Perception Point, which noted that attacks begin with an email that purports to contain an invoice from British email security company Egress.

"Our investigation shows that this is a standard brand impersonation," an Egress spokesperson told Dark Reading. "As you are probably aware, cybercriminals leverage many trusted and well-known brands to add legitimacy to their attacks. In the instance reported, a phishing email was sent using an Egress Protect (email encryption) template."

The spokesperson added, "We can confirm that there is currently no evidence that Egress itself has been the victim of a phishing attack, and reports of an account takeover attack involving any Egress employee or any Egress user are false,. There is no need for any Egress customer or user to take any action at this time."

Once the user clicks on the scam Egress invoice, they are taken to the legitimate video-sharing platform, Powtoon. The attackers use Powtoon to play a malicious video, ultimately presenting the victim with a very convincing spoofed Microsoft login page, where their credentials are harvested.

This story was updated at 9:30 a.m. ET on Sept. 21, to clarify that there was no account takeover at Egress. This story was also updated at 12:50 p.m. ET on Sept. 22, after Perception Point amended certain details in its blog on the attack. This story was amended a third time, at 1:30 p.m. ET on Sept. 26, to reflect that Perception Point took its original research offline. And then a fourth time at 10 a.m. ET on Oct 14, to reflect that an amended version of the original blog was re-posted.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights