A newly uncovered phishing campaign is leveraging the AI-powered presentation platform Gamma to launch an intricate credential harvesting operation targeting Microsoft accounts. This highly sophisticated attack utilizes advanced evasion techniques, circumventing both technical security measures and human vigilance, and it marks a new evolution in phishing tactics.
Sophisticated Multi-Stage Phishing Attack Using AI
The attack begins with a phishing email originating from a legitimate but compromised account. These emails often come from trusted individuals, such as the founder of an educational institution, to increase their legitimacy. The message contains a hyperlink disguised as a PDF attachment, which leads victims to a malicious presentation hosted on Gamma.
One key feature of this attack is its use of a compromised sender. Because the message is sent from a genuine mailbox, it passes SPF, DKIM, and DMARC checks rather than being flagged by them, making it far more likely to be delivered. Once the victim clicks on the link, they are directed to a seemingly innocuous presentation on the Gamma platform, complete with organizational branding and a call-to-action button that encourages users to click on phrases like “View PDF” or “Review Secure Documents.”
Clicking on this button redirects victims to a page that mimics Microsoft’s branding and is protected by Cloudflare Turnstile—a CAPTCHA-free bot detection mechanism. This adds an extra layer of authenticity to the attack, making it harder for users to detect.
The Adversary-in-the-Middle (AiTM) Framework
What sets this phishing campaign apart from others is its implementation of the Adversary-in-the-Middle (AiTM) technique. Once victims pass the Turnstile verification, they are sent to a convincing Microsoft SharePoint login page, where their credentials are harvested.
The AiTM framework relays the victim’s input to Microsoft’s authentication servers in real time, so the attacker captures not only valid login credentials but also the session cookies issued after a successful sign-in. Because those cookies represent an already-authenticated session, they let the attacker reuse the session without completing multi-factor authentication (MFA) again. This is a significant advantage, as MFA is often considered a strong defense against phishing attacks.
Evading Detection with Legitimate Platforms
The use of the Gamma platform to host malicious content presents a major challenge to security professionals. By leveraging a lesser-known platform instead of more popular services like Canva or Figma, attackers exploit a gap in security awareness training. Most organizations haven’t incorporated emerging tools like Gamma into their phishing detection programs, making them vulnerable to such sophisticated attacks.
Moreover, the use of Cloudflare Turnstile serves a dual purpose. It blocks automated security tools from scanning the phishing infrastructure while simultaneously making the attack appear more legitimate. Users are generally familiar with CAPTCHA-style verification, and the presence of this mechanism in the phishing process creates a sense of security, leading them to trust the malicious site.
A New Era of Living-Off-Trusted-Sites Attacks
This campaign is an example of how cybercriminals are evolving their tactics to exploit trusted sites. Rather than using native sharing functionalities within the Gamma platform (which might trigger content scanning or abuse detection), attackers embed malicious links in seemingly normal emails that have already passed authentication checks.
This technique represents an advanced form of the “living-off-trusted-sites” (LOTS) attack, where legitimate services are weaponized to host malicious content. It’s a significant evolution in phishing tactics, making detection even more challenging. The multi-layered architecture, which includes compromised accounts, trusted hosting platforms, anti-bot mechanisms, and real-time credential validation, creates a nearly flawless deception that can bypass both automated defenses and human judgment.
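The two ideas above (an email that passes SPF, DKIM and DMARC because its sender is genuine, and a document lure that links out to a trusted third-party hosting platform) suggest a simple triage check a mail-security team can run on inbound messages: treat authentication results as necessary but not sufficient, and look at what the links actually promise versus where they go. The following is an added example written for this article, not code from the original report or from cyberpress.org. The sample email, the `gamma.app` domain, the lure-phrase list and the hosting-platform list are all assumptions constructed for the demonstration.

```python
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Legitimate content-hosting platforms that attackers can abuse for lures.
# Assumed domains for illustration; gamma.app is assumed to be Gamma's domain.
THIRD_PARTY_CONTENT_HOSTS = {"gamma.app", "canva.com", "figma.com"}

# Anchor text that promises a document; the first two phrases are quoted in the article.
DOCUMENT_LURE_PHRASES = ("view pdf", "review secure document", "open document")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join(self._text).strip()))
            self._href = None


def auth_passed(msg: Message) -> bool:
    """True when the Authentication-Results header reports spf, dkim and dmarc all pass."""
    hdr = (msg.get("Authentication-Results") or "").lower()
    return all(re.search(rf"\b{m}=pass\b", hdr) for m in ("spf", "dkim", "dmarc"))


def _matches_domain(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw_email: str) -> dict:
    """Return authentication status plus findings for document lures hosted off-domain.

    A passing authentication result does NOT lower the verdict: the article's point is
    that a compromised but genuine sender passes SPF/DKIM/DMARC by construction.
    """
    msg = message_from_string(raw_email)
    html = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    collector = _AnchorCollector()
    collector.feed(html)

    findings = []
    for href, text in collector.anchors:
        host = (urlparse(href).hostname or "").lower()
        promises_document = any(p in text.lower() for p in DOCUMENT_LURE_PHRASES)
        if promises_document and _matches_domain(host, THIRD_PARTY_CONTENT_HOSTS):
            findings.append({
                "href": href,
                "text": text,
                "host": host,
                "reason": "link text promises a document but points to a third-party content platform",
            })
    return {
        "auth_passed": auth_passed(msg),
        "findings": findings,
        "verdict": "review" if findings else "clean",
    }


# Constructed sample message: genuine-looking sender, passing auth, lure link to Gamma.
SAMPLE_LURE_EMAIL = """\
From: "Founder" <founder@example-college.edu>
To: staff@example.org
Subject: Shared document
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example-college.edu; dkim=pass header.d=example-college.edu; dmarc=pass header.from=example-college.edu
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please find the document attached.</p>
<p><a href="https://gamma.app/docs/PLACEHOLDER-ID">View PDF</a></p>
<p><a href="https://www.example-college.edu/about">Our website</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LURE_EMAIL))
```

The key design choice is that `auth_passed` is reported but never used to clear the message; the verdict comes only from the mismatch between what the link promises and where it is hosted, which is exactly the gap a compromised sender exploits.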
Implications for Security Awareness and Defense
Security professionals must take note of this sophisticated attack methodology. It highlights how threat actors are adapting to emerging technologies and exploiting gaps in security awareness training. Organizations should update their training programs to include newer collaboration and presentation platforms as potential phishing vectors. Additionally, advanced security controls capable of detecting multi-stage phishing attacks that leverage legitimate services are crucial to defend against such sophisticated threats.
What Undercode Says:
The rise of AI-powered phishing campaigns is a clear indication of how cybercriminals are evolving their tactics. Platforms like Gamma, which are not traditionally associated with phishing attacks, present new challenges for organizations and security teams. The key takeaway here is that attackers are increasingly using legitimate services to host their malicious content, making detection much more difficult. Security awareness programs must adapt to address these emerging threats by including newer collaboration tools, presentation platforms, and advanced evasion techniques like Cloudflare Turnstile.
Furthermore, the AiTM technique marks a shift in phishing tactics, as attackers are now able to bypass MFA by stealing session cookies in addition to credentials. This highlights the need for organizations to implement more robust defenses that go beyond traditional MFA, such as monitoring for abnormal session activity and employing real-time security checks.
This campaign represents a dangerous evolution in phishing attacks, and businesses must be proactive in adopting advanced security measures to stay ahead of these ever-evolving threats.
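The AiTM section above explains that the stolen artifact is a session cookie minted after the victim completed MFA, and the commentary recommends monitoring for abnormal session activity as a defense. One concrete form of that monitoring is a session-binding check: a cookie issued to one IP address and browser that is then used from a different IP and a different user agent shortly after sign-in is the signature of cookie replay. The following is an added example written for this article, not code from the original report or from cyberpress.org. The pipe-delimited log format, the field names and the sample events (using documentation-reserved IP ranges) are constructed assumptions; a real deployment would map the same logic onto the identity provider's own sign-in and non-interactive activity logs.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    kind: str   # "signin" = interactive logon; "activity" = later use of the session cookie
    mfa: bool   # whether the logon satisfied MFA


def parse_event(line: str) -> Event:
    """Parse one line of the constructed log: ts|user|session|ip|user_agent|kind|mfa=..."""
    ts, user, sid, ip, ua, kind, mfa = line.strip().split("|")
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                 user, sid, ip, ua, kind, mfa == "mfa=true")


def detect_session_replay(lines, window: timedelta = timedelta(hours=12)) -> list:
    """Return one alert per session whose cookie is used from a different IP AND
    a different user agent than the interactive sign-in that created it, within `window`.

    Requiring both attributes to change keeps mobile/VPN address churn from alerting
    while still catching a cookie imported into an attacker's own browser or tooling.
    """
    by_session = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_event(line)
            by_session[ev.session_id].append(ev)

    alerts = []
    for sid, events in by_session.items():
        events.sort(key=lambda e: e.ts)
        signin = next((e for e in events if e.kind == "signin"), None)
        if signin is None:
            continue   # no logon in scope; nothing to bind the session to
        for ev in events:
            if ev.kind != "activity" or ev.ts - signin.ts > window:
                continue
            if ev.ip != signin.ip and ev.user_agent != signin.user_agent:
                alerts.append({
                    "user": ev.user,
                    "session_id": sid,
                    "signin_ip": signin.ip,
                    "replay_ip": ev.ip,
                    "signin_ua": signin.user_agent,
                    "replay_ua": ev.user_agent,
                    "seconds_after_signin": int((ev.ts - signin.ts).total_seconds()),
                    "mfa_satisfied_at_signin": signin.mfa,
                })
                break   # one alert per session is enough for triage
    return alerts


# Constructed sample log. sess-A shows an MFA logon followed minutes later by use of the
# same session from another network with a scripting user agent; sess-B is benign.
SAMPLE_LOG = """\
2025-04-16T09:00:12Z|alice@example.org|sess-A|198.51.100.10|Mozilla/5.0 (Windows NT 10.0) Chrome/124|signin|mfa=true
2025-04-16T09:03:40Z|alice@example.org|sess-A|203.0.113.77|python-requests/2.31|activity|mfa=false
2025-04-16T09:10:05Z|bob@example.org|sess-B|192.0.2.25|Mozilla/5.0 (Macintosh) Safari/17|signin|mfa=true
2025-04-16T09:15:00Z|bob@example.org|sess-B|192.0.2.25|Mozilla/5.0 (Macintosh) Safari/17|activity|mfa=false
""".splitlines()

if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_LOG):
        print(alert)
```

The `mfa_satisfied_at_signin` field is carried into the alert deliberately: an MFA-backed logon followed by replay from elsewhere is the case the article describes, and it is the one a responder should treat as a likely AiTM event rather than a simple password compromise.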
Fact Checker Results:
- The attack method uses compromised legitimate accounts, leveraging AI-powered Gamma to deceive victims.
- Cloudflare Turnstile is utilized to enhance the attack’s legitimacy and evade bot detection.
- The adversary-in-the-middle technique allows attackers to bypass MFA by capturing session cookies, making it more effective than traditional phishing tactics.
References:
Reported By: cyberpress.org