Cybercriminals are increasingly leveraging multimedia file formats in sophisticated vishing campaigns, evading conventional security tools and exploiting psychological manipulation to harvest sensitive personal and financial information.
Vishing, or voice phishing, is a form of social engineering attack where threat actors impersonate trusted entities, often through urgent or alarming scenarios, coercing victims into divulging credentials or payment data via phone communication.
Recent findings highlight a surge in malicious emails utilizing novel file attachments, including MP4 videos and WebP images, to initiate these covert attacks.
Emergence of Multimedia-based Vishing Vectors
Traditionally, vishing scams have started with phishing emails utilizing PDF or image attachments, which contain fake customer support numbers.
Victims, compelled by the urgency or legitimacy of these emails (purportedly from reputable organizations like PayPal), are manipulated into dialing the provided number.
Once contact is established, attackers deploy social engineering tactics, instilling a psychological sense of crisis that pressures victims into hastily submitting sensitive data.
Detection systems have adapted to known techniques by scrutinizing abnormal patterns within email content and common file formats, but emerging vectors are challenging these defense mechanisms.
Recent telemetry from Trellix Advanced Research Center has revealed a marked shift in attacker methodology. Threat actors now embed vishing instructions within MP4 files attached to seemingly innocuous emails.
This strategy exploits the benign reputation of multimedia files, enabling the malicious payload to bypass many email security filters that might otherwise flag executable or script-based attachments.
Email content is often minimal, frequently using generic or finance-themed phrasing, further increasing the likelihood of user curiosity or compliance.
When recipients open the MP4 attachment, they find instructions urging them to call a supplied number under the guise of resolving urgent financial transactions or disputes.

Attack Flow Exploits User Trust in File Attachments
A similar advancement in vishing technique leverages the WebP image format. WebP, designed for efficient image compression and web delivery, is rarely associated with malicious activity.

Attackers now use WebP files attached to emails that reference logistics or shipping scenarios, again with minimal body content to spark concern or curiosity.
Upon opening these attachments, recipients encounter fake invoice or order notifications, complete with fraudulent contact details that direct them to contact the adversary under false pretenses.
These evolving tactics present significant challenges to security platforms and end users alike.
The reliance on free email services for the distribution of these phishing messages permits threat actors to masquerade as legitimate organizations while minimizing their own exposure and traceability.
Notably, reputable companies typically avoid sending unsolicited invoices or urgent notices via formats such as MP4 or WebP, favoring more secure channels or PDF documents delivered through authenticated portals.
Mitigating the threat of multimedia-based vishing attacks requires both technological adaptation and user vigilance.
Security solutions must enhance their capability to analyze less conventional attachment formats and proactively identify anomalous communication patterns.
Equally critical is user education: individuals should be wary of unsolicited emails containing unusual file attachments or urgent requests, particularly when prompted to initiate outbound contact.
Verifying any such solicitation through official channels remains imperative.
As these attack vectors evolve, staying ahead of adversaries depends on a multidimensional defense strategy, combining cutting-edge detection tools with a culture of skepticism and verification among users.
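As an added illustration (not code from Trellix or from the original report), the following mail-gateway triage sketch combines the three signals the article describes: an MP4 or WebP attachment identified by magic bytes rather than by filename, a free-webmail sender, and a near-empty body. The function names, the FREE_MAIL list and the MAX_BODY_CHARS cutoff are assumptions to tune locally, and the sample messages are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumptions for this sketch: a small free-webmail list and a body-length cutoff.
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
MAX_BODY_CHARS = 200


def sniff_media(data: bytes):
    """Classify by magic bytes, not by filename or declared MIME type."""
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    if data[4:8] == b"ftyp":  # ISO base media container (MP4 family)
        return "mp4"
    return None


def triage(raw: bytes) -> dict:
    """Return the signals the article describes and an overall verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    domain = addrs[0].domain.lower() if addrs else ""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body else ""
    media = [k for k in (sniff_media(p.get_payload(decode=True) or b"")
                         for p in msg.iter_attachments()) if k]
    signals = {
        "media_attachment": bool(media),
        "free_mail_sender": domain in FREE_MAIL,
        "minimal_body": len(text) <= MAX_BODY_CHARS,
    }
    return {"media": media, "signals": signals, "suspicious": all(signals.values())}


def build_sample(sender, body, payload, maintype, subtype, name) -> bytes:
    """Constructed test message; no real campaign data is used."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.org", "Payment update"
    m.set_content(body)
    m.add_attachment(payload, maintype=maintype, subtype=subtype, filename=name)
    return m.as_bytes()


# Constructed headers only: RIFF/WEBP and ftyp prefixes, padded with zeros.
WEBP = b"RIFF\x10\x00\x00\x00WEBP" + bytes(16)
MP4 = b"\x00\x00\x00\x18ftypisom" + bytes(16)
```

A message that trips all three signals is a candidate for quarantine or analyst review; the media content itself (the phone number shown in the video or image) still needs OCR or frame analysis, which this sketch does not attempt.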
Indicators of Compromise (IoC)
File Name | SHA256 |
---|---|
Invoice QCFT-01031D15.mp4 | 564474210b017fcad57c3ca3a9dd5fc130850ef01182d6dc745d5e2599354be9 |
ASIF_page-0001 (1).webp | fa578d184cf5f23d2fc5ef9eee45febc4e168edaeef7b1ba13c33124786e57cb |
TFYUH 9.webp | b38a51a1261994e57847d5efb0dca20ab3ec45ca362876054995b8fd6f095717 |
0rderConfirmation#023#WDH3O4M9M7.webp | 02999587ea5442f39ac8cda213ddd7a1c5a1c10a73068799f2d7ee171e381563 |