2 Sources
[1]
Gamma AI Platform Abused in Phishing Chain to Spoof Microsoft SharePoint Logins
Threat actors are leveraging an artificial intelligence (AI) powered presentation platform named Gamma in phishing attacks to direct unsuspecting users to spoofed Microsoft login pages. "Attackers weaponize Gamma, a relatively new AI-based presentation tool, to deliver a link to a fraudulent Microsoft SharePoint login portal," Abnormal Security researchers Hinman Baron and Piotr Wojtyla said in a Tuesday analysis. The attack chain commences with a phishing email, in some cases sent from legitimate, compromised email accounts, to entice message recipients into opening an embedded PDF document. In reality, the PDF attachment is nothing but a hyperlink that, when clicked, redirects the victim to a presentation hosted on Gamma that prompts them to click on a button to "Review Secure Documents." Doing so takes the user to an intermediate page that impersonates Microsoft and instructs them to complete a Cloudflare Turnstile verification step before accessing the supposed document. This CAPTCHA barrier serves to increase the legitimacy of the attack, as well as prevent automated URL analysis by security tools. Targets are then taken to a phishing page that masquerades as a Microsoft SharePoint sign-in portal and aims to collect their credentials. "If mismatched credentials are provided, it triggers an 'Incorrect password' error, which indicates the perpetrators are using some sort of adversary-in-the-middle (AiTM) for validating credentials in real time," the researchers noted. The findings are part of an ongoing trend of phishing attacks that exploit legitimate services to stage malicious content and bypass email authentication checks like SPF, DKIM, and DMARC, a technique called living-off-trusted-sites (LOTS). "This clever, multi-stage attack shows how today's threat actors are taking advantage of the blind spots created by lesser-known tools to sidestep detection, deceive unsuspecting recipients, and compromise accounts," the researchers said. 
"Rather than linking directly to a credential-harvesting page, the attackers route the user through several intermediary steps: first to the Gamma-hosted presentation, then to a splash page protected by a Cloudflare Turnstile, and finally to a spoofed Microsoft login page. This multi-stage redirection hides the true destination and makes it difficult for static link analysis tools to trace the attack path." The disclosure comes as Microsoft, in its latest Cyber Signals report, warned of an increase in AI-driven fraud attacks to generate believable content for attacks at scale using deepfakes, voice cloning, phishing emails, authentic-looking fake websites, and bogus job listings. "AI tools can scan and scrape the web for company information, helping attackers build detailed profiles of employees or other targets to create highly convincing social engineering lures," the company said. "In some cases, bad actors are luring victims into increasingly complex fraud schemes using fake AI-enhanced product reviews and AI-generated storefronts, where scammers create entire websites and e-commerce brands, complete with fake business histories and customer testimonials." Microsoft also said it has taken action against attacks orchestrated by Storm-1811 (aka STAC5777), which has abused Microsoft Quick Assist software by posing as IT support through voice phishing schemes conducted via Teams and convincing victims to grant them remote device access for subsequent ransomware deployment. That said, there is evidence to suggest that the cybercrime group behind the Teams vishing campaign may be shifting tactics. According to a new report from ReliaQuest, the attackers have been observed employing a previously unreported persistence method using TypeLib COM hijacking and a new PowerShell backdoor to evade detection and maintain access to compromised systems. 
The threat actor is said to have been developing versions of the PowerShell malware since January 2025, deploying early iterations via malicious Bing advertisements. The activity, detected two months later, targeted customers in the finance and professional, scientific, and technical services sectors, specifically focusing on executive-level employees with female-sounding names. The changes in the later stages of the attack cycle have raised the possibility that Storm-1811 is either evolving with new methods or it's the work of a splinter group, or that an entirely different threat actor has adopted the same initial access techniques that were exclusive to it. "The phishing chats were carefully timed, landing between 2:00 p.m. and 3:00 p.m., perfectly synced to the recipient organizations' local time and coinciding with an afternoon slump in which employees may be less alert in spotting malicious activity," ReliaQuest said. "Whether or not this Microsoft Teams phishing campaign was run by Black Basta, it's clear that phishing through Microsoft Teams isn't going anywhere. Attackers keep finding clever ways to bypass defenses and stay inside organizations."
[2]
Popular AI program spoofed in phishing campaign spawning fake Microsoft Sharepoint logins
They are creating fake landing pages through Gamma AI, experts warn

Gamma, a relatively new AI-powered presentation software tool, is being abused in hyper-convincing phishing attacks that impersonate Microsoft's SharePoint and aim to steal people's login credentials. Cybersecurity researchers Abnormal spotted the attacks in the wild, and described the phishing flow as "so polished it feels legitimate at every step." The attack starts with a generic, quick-to-the-point phishing email being sent from a legitimate, but compromised, email account. This helps the crooks bypass standard authentication checks like SPF, DKIM, and DMARC and land the email directly into the target's inbox. The email itself is nothing out of the ordinary, and carries a PDF attachment that, in reality, is just a hyperlink, leading to a presentation hosted on Gamma, an AI-powered online presentation builder. The presentation features the impersonated organization's logo and a message along the lines of "View PDF" or "Review Secure Documents". The message is in the form of a hyperlink that leads to an intermediary splash page holding impersonated Microsoft branding and a Cloudflare Turnstile. That way, crooks make sure that actual humans, not basic automated security tools, access the site. If the victim clicks on the call-to-action, they are taken to a phishing page that impersonates the Microsoft SharePoint sign-in portal. This is where the actual theft happens, since the victims are then invited to log in using their Microsoft credentials. Typing in the wrong credentials returns an error, prompting the researchers to conclude that the attackers have some sort of adversary-in-the-middle setup that helps them verify the credentials in real-time. Abnormal says the attack is unique mostly because Gamma is a "relative newcomer" on the scene, only being around for a few years.
"Organizations are becoming increasingly familiar with file-sharing phishing attacks in general, and some may have even begun incorporating examples into their security awareness training. That being said, it's highly likely that the percentage of companies that have updated their cybersecurity education to include this type of phishing is low -- and the number that use examples of attacks other than those exploiting household brands like Docusign and Dropbox is even lower," the researchers said. "Thus, this kind of attack may not set off alarm bells that encourage a higher level of scrutiny from employees the way an attack that exploits Canva or Google Drive might."
Cybercriminals are leveraging Gamma, an AI-based presentation tool, to create convincing phishing campaigns that mimic Microsoft SharePoint login pages, highlighting the evolving tactics of threat actors in exploiting emerging technologies.

In a concerning development for cybersecurity, threat actors are now leveraging Gamma, an AI-powered presentation platform, to orchestrate sophisticated phishing attacks targeting Microsoft SharePoint users. Cybersecurity researchers from Abnormal Security have uncovered this new tactic, which demonstrates the evolving methods employed by cybercriminals to exploit emerging technologies [1].

The phishing campaign begins with an email sent from compromised legitimate accounts, bypassing standard email authentication checks. The email contains a PDF attachment that, when clicked, redirects victims to a Gamma-hosted presentation. This presentation, featuring the impersonated organization's logo, prompts users to "Review Secure Documents" [2].

Upon clicking the link in the Gamma presentation, users are taken through a series of carefully crafted steps:

This multi-stage approach serves to increase the attack's legitimacy and prevent automated URL analysis by security tools [1].

The attackers have implemented a sophisticated system for real-time credential validation. If incorrect login information is provided, an "Incorrect password" error is triggered, indicating the use of an adversary-in-the-middle (AiTM) setup for immediate verification of stolen credentials [1].

The use of Gamma, a relatively new AI-based presentation tool, in this attack chain is particularly noteworthy. As organizations become more familiar with phishing attacks exploiting well-known platforms like Dropbox or Google Drive, cybercriminals are turning to lesser-known tools to evade detection and exploit gaps in user awareness [2].

This incident is part of a broader trend of AI-driven fraud attacks, as highlighted in Microsoft's latest Cyber Signals report. Cybercriminals are increasingly using AI tools to generate believable content for attacks at scale, including deepfakes, voice cloning, and authentic-looking fake websites [1].

This sophisticated phishing campaign underscores the need for organizations to stay vigilant and adapt their cybersecurity strategies. As attackers continue to exploit emerging technologies and lesser-known platforms, it becomes crucial for companies to update their security awareness training and implement robust multi-factor authentication systems to protect against evolving threats in the AI era.
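A mail-gateway triage check for the link-only PDF lure described above, added here as an example and not taken from Abnormal Security's or any vendor's tooling; the `STAGING_HOSTS` watchlist (with `gamma.app` as Gamma's public domain), the function names and the sample PDF are assumptions constructed for illustration. It inspects only the first hop, because the Turnstile step keeps automated tools from following the rest of the chain.

```python
import re
import zlib
from urllib.parse import urlsplit

# Assumption: watchlist of content-building services used as staging sites.
STAGING_HOSTS = {"gamma.app"}

URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)   # link action target
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
PAGE_RE = re.compile(rb"/Type\s*/Page(?![A-Za-z])")       # /Page, not /Pages

# Constructed sample: one-page PDF skeleton whose only content is a full-page link.
SAMPLE = (
    b"%PDF-1.7\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
    b"3 0 obj<</Type/Page/Parent 2 0 R/Annots[4 0 R]>>endobj\n"
    b"4 0 obj<</Type/Annot/Subtype/Link/Rect[0 0 612 792]"
    b"/A<</S/URI/URI(https://gamma.app/docs/EXAMPLE-constructed)>>>>endobj\n%%EOF"
)


def pdf_bodies(pdf: bytes) -> list[bytes]:
    """Raw file plus every stream that inflates (object streams hide annotations)."""
    bodies = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # image, font or encrypted stream: nothing to inspect here
    return bodies


def host_of(url: str) -> str:
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return ""


def triage(pdf: bytes) -> dict:
    """Flag a short PDF whose links all leave for a watched staging host."""
    bodies = pdf_bodies(pdf)
    urls = [m.group(1).decode("latin-1") for b in bodies for m in URI_RE.finditer(b)]
    hosts = {host_of(u) for u in urls}
    staged = sorted(h for h in hosts
                    if any(h == s or h.endswith("." + s) for s in STAGING_HOSTS))
    pages = sum(len(PAGE_RE.findall(b)) for b in bodies)
    return {"urls": urls, "pages": pages, "staging_hosts": staged,
            "suspicious": bool(staged) and pages <= 1 and len(hosts) == len(staged)}
```

A hit is a reason to hold the message for review rather than a verdict: legitimate senders also share single-link PDFs, so the result is best combined with sender and account-compromise signals.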
Summarized by Navi