Hackers Exploit Gamma Tool via Cloudflare Turnstile to Steal Microsoft Credentials

In a newly discovered phishing campaign, threat actors are weaponizing Gamma, a relatively new AI-powered presentation tool, to orchestrate a sophisticated credential harvesting operation targeting Microsoft accounts.

The attack chain employs multiple legitimate services and advanced evasion techniques to circumvent both technical security controls and human vigilance.

Sophisticated Multi-Stage Attack Leverages AI Presentation Platform

The attack begins with a phishing email sent from a compromised legitimate account, typically belonging to an individual with authority such as the founder of an educational institution.

The message contains what appears to be a PDF attachment but is actually a hyperlink directing victims to a malicious presentation hosted on Gamma.

[Image: presentation hosted on Gamma]

The use of a compromised sender ensures the email passes standard authentication protocols including SPF, DKIM, and DMARC, thereby increasing its chances of delivery.
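Because the message passes SPF, DKIM, and DMARC, a check for this lure has to look at the content instead. The following is an added example, not code from the report: it flags a link whose visible text looks like a PDF file name when the message carries no PDF attachment and the link leads to a watched hosting site. The `gamma.app` host name, the watchlist, the ".pdf" link-text heuristic, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts to watch; gamma.app is assumed to be Gamma's domain.
HOSTING_WATCHLIST = {"gamma.app"}

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def fake_pdf_links(raw_message: bytes):
    """Return (text, href) for PDF-looking links to watched hosts when no PDF is attached."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    has_pdf = any(p.get_content_type() == "application/pdf" for p in msg.walk())
    body = msg.get_body(preferencelist=("html",))
    if has_pdf or body is None:
        return []
    collector = AnchorCollector()
    collector.feed(body.get_content())
    hits = []
    for href, text in collector.anchors:
        host = (urlsplit(href).hostname or "").lower()
        watched = any(host == h or host.endswith("." + h) for h in HOSTING_WATCHLIST)
        if watched and text.lower().endswith(".pdf"):
            hits.append((text, href))
    return hits

# Constructed sample message (not taken from the campaign).
SAMPLE = b"""From: founder@school.example
Subject: Documents
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://gamma.app/docs/placeholder-id">Proposal_2025.pdf</a>
<a href="https://school.example/about">About us</a></body></html>
"""
print(fake_pdf_links(SAMPLE))
```

A hit is a triage signal, not a verdict: legitimate senders also link to hosted documents, so pair it with sender history or user reports before acting.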

Upon accessing the Gamma-hosted presentation, users are presented with organizational branding and a call-to-action button labeled with enticing text such as “View PDF” or “Review Secure Documents.”

According to the report, this button redirects to an intermediary page featuring Microsoft branding and protected by Cloudflare Turnstile, a CAPTCHA-free bot detection mechanism.

Advanced Evasion Through Adversary-in-the-Middle Framework

What distinguishes this campaign is its implementation of adversary-in-the-middle (AiTM) techniques. After completing the Turnstile verification, victims are directed to a convincing Microsoft SharePoint login portal where their credentials are harvested.

[Image: second fraudulent login portal]

The AiTM framework enables real-time validation of submitted credentials against Microsoft’s authentication servers, allowing attackers to capture not only valid credentials but also session cookies that can bypass multi-factor authentication.

The attack chain’s multi-layered architecture presents significant detection challenges.

By leveraging the lesser-known Gamma platform instead of more recognizable services like Canva or Figma, the attackers exploit a knowledge gap in security awareness training.

Most organizations have not yet incorporated such emerging platforms into their phishing education programs.

Furthermore, the implementation of Cloudflare Turnstile serves dual purposes: it prevents automated security tools from analyzing the phishing infrastructure while simultaneously increasing perceived legitimacy, as users are accustomed to encountering security checks before accessing sensitive content.

This campaign represents an evolution in “living-off-trusted-sites” (LOTS) attacks, where legitimate services are misappropriated to host malicious content.

Rather than using Gamma’s native sharing functionality, which might trigger content scanning or abuse detection, the attackers simply embed links in regular emails that have passed authentication checks.

Security professionals should note that this attack methodology demonstrates how threat actors are adapting to target blind spots created by emerging technologies and services.

The campaign’s sophisticated design, utilizing legitimate compromised accounts, reputable hosting platforms, anti-bot protection, and real-time credential validation, creates a nearly seamless deception flow that challenges both technical defenses and human judgment.

Organizations should update their security awareness training to include emerging presentation and collaboration platforms as potential threat vectors, while implementing advanced security controls capable of detecting multi-stage phishing operations that leverage legitimate services.


Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
