AI-Powered Gamma Tool Used in Advanced Phishing Scams Targeting Microsoft Users

By Rishabh Srihari
2025-04-17
Cybercriminals exploit AI tool Gamma in advanced phishing attacks mimicking Microsoft SharePoint, using trusted platforms and real-time credential validation to evade detection and steal user credentials.

Cybercriminals are now leveraging an AI-based presentation platform, Gamma, to launch sophisticated phishing attacks targeting Microsoft credentials. These campaigns are part of a growing trend where attackers use trusted tools to evade detection.

Phishing Campaign Uses Gamma to Deliver Malicious Content

The attack starts with a phishing email, often sent from compromised but legitimate email accounts. The message includes a PDF attachment that appears trustworthy at first glance. However, the PDF contains no actual document, only a link.

Clicking the link redirects the user to a Gamma-hosted presentation that encourages them to “Review Secure Documents.” From there, users are taken through a Cloudflare Turnstile verification page, adding a layer of false legitimacy. Once complete, the victim reaches a spoofed Microsoft SharePoint login page that harvests credentials.

To make matters worse, attackers use real-time validation techniques. If a user enters incorrect login details, the phishing page responds with an error. This behavior suggests that attackers may be using adversary-in-the-middle techniques to verify and capture credentials immediately.

AI and LOTS Techniques Make Phishing Harder to Detect

This phishing attack is part of a larger trend called “living-off-trusted-sites” or LOTS. This technique uses legitimate platforms to host malicious content, bypassing common email security checks like SPF, DKIM, and DMARC.

The attackers rely on multi-step redirection to hide their true intentions. By not linking directly to the phishing page, they make it harder for email filters and static scanners to detect malicious links.
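
A defender-side triage heuristic for the delivery described above, in which the PDF attachment holds little besides a link to a page on a trusted hosting platform. This is an added example, not code from the original article; the `gamma.app` watch-list entry, the 200-character threshold and the function names are assumptions, and the sample PDF is constructed.

```python
import re
import zlib
from urllib.parse import urlsplit

# Assumption: illustrative watch list of content-hosting platforms; tune locally.
HOSTING_DOMAINS = {"gamma.app"}
MAX_VISIBLE_CHARS = 200  # assumed cut-off for "the PDF is little more than a link"

URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.S)              # link annotation targets
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
TEXT_RE = re.compile(rb"\((.*?)\)\s*Tj", re.S)               # literal strings shown as text


def _streams(pdf: bytes):
    """Yield stream bodies, inflating FlateDecode data where possible."""
    for raw in STREAM_RE.findall(pdf):
        try:
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            yield raw  # uncompressed, or a filter this sketch does not handle


def triage_pdf(pdf: bytes, hosting=HOSTING_DOMAINS, max_chars=MAX_VISIBLE_CHARS):
    """Report link targets and whether the PDF looks like a link-only lure."""
    urls = [u.decode("latin-1") for u in URI_RE.findall(pdf)]
    visible = sum(len(t) for s in _streams(pdf) for t in TEXT_RE.findall(s))
    hosts = {(urlsplit(u).hostname or "").lower() for u in urls}
    hits = sorted(h for h in hosts
                  if any(h == d or h.endswith("." + d) for d in hosting))
    return {"urls": urls, "visible_chars": visible, "hosting_hits": hits,
            "suspicious": bool(hits) and visible <= max_chars}


def make_sample_pdf(url: str, text: str, compress: bool = True) -> bytes:
    """Constructed PDF-like fragment for the demo (not a complete PDF)."""
    body = b"BT /F1 12 Tf (" + text.encode() + b") Tj ET"
    data = zlib.compress(body) if compress else body
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Annot /Subtype /Link "
            b"/A << /S /URI /URI (" + url.encode() + b") >> >>\nendobj\n"
            b"2 0 obj\n<< /Length " + str(len(data)).encode() + b" >>\n"
            b"stream\n" + data + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    lure = make_sample_pdf("https://gamma.app/docs/constructed-example", "View document")
    print(triage_pdf(lure))
```

A hit is a reason to follow the link chain in a sandbox rather than a verdict, since the credential page sits several redirects behind the first URL.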

Storm-1811 Expands Tactics with New Malware and Delivery Methods

Meanwhile, other threat actors like Storm-1811 continue to evolve. Once focused on Microsoft Teams phishing and voice scams, the group now uses novel persistence methods. These include TypeLib COM hijacking and PowerShell backdoors. Early versions of this malware appeared in Bing ads earlier this year.

These campaigns specifically targeted industries like finance and professional services. Attackers also timed phishing messages to reach victims during periods of low alertness, such as mid-afternoon.

With tactics evolving rapidly, organizations must remain vigilant as attackers use AI and trusted platforms to deceive even the most cautious users.
