2-step email attack uses Powtoon video to execute payload


A unique multi-stage cyberattack has been observed in the wild that attempts to trick users into playing a malicious video that ultimately serves a spoofed Microsoft page to steal credentials.

The Perception Point team released a report on the phishing campaign, noting that the attacks begin with an email that appears to contain an invoice from UK email security firm Egress. The report noted that the fake Egress email contains a valid sender signature, signaling that there was a successful takeover of an Egress employee’s account.

“It is clear that it is a [account takeover] because 1) the email contains the user’s signature, and 2) it passes SPF and is sent by Microsoft [Outlook]”, explained the researchers in a blog post today. “Because two-step phishing attacks are usually sent by compromised accounts, this makes this type of phishing attack all the more dangerous, especially if the recipient knows the sender and trusts him.”

Once the user clicks on the fraudulent invoice from Egress, they are redirected to the legitimate video-sharing platform, Powtoon. The attackers use Powtoon to play a malicious video, eventually presenting the victim with a very convincing spoofed Microsoft login page, where their credentials are collected.

Taken as a whole, the attack methodology is remarkable, the researchers said. “This is a highly sophisticated phishing attack that involves multiple stages, account takeover and video,” according to Perception Point’s report on the two-stage video phishing campaign.




