AI Presentation Tool Gamma Exploited in Microsoft SharePoint Phishing Scheme
Cybercriminals are now using the AI-driven presentation platform Gamma to craft convincing phishing campaigns, tricking users into visiting fake Microsoft login pages. The attackers aim to steal credentials by leveraging the platform's ability to create realistic and engaging content.

Cybercriminals are now using AI to make their phishing attacks even more convincing. One recent trick involves using Gamma, an AI-powered presentation platform, to trick users into handing over their Microsoft login details.
Researchers at Abnormal Security, Callie Hinman Baron and Piotr Wojtyla, highlighted this in a recent analysis. "Attackers are using Gamma, a relatively new AI-based tool, to lead victims to fake Microsoft SharePoint login pages," they explained.
So, how does this work? It all starts with a phishing email. Sometimes, these emails are even sent from real, but compromised, accounts. The goal? To get you to click on a PDF attachment.
But here's the catch: that PDF is just a link. Click it, and you're redirected to a presentation hosted on Gamma. This presentation urges you to "Review Secure Documents," which, of course, is a trap.
Clicking that button takes you to a fake Microsoft page. Sneaky, right? It even throws in a Cloudflare Turnstile verification step (like a CAPTCHA) to make it seem legit and fool security tools.
After jumping through that hoop, you're presented with a fake Microsoft SharePoint login page designed to steal your username and password.
"If you enter the wrong password, it actually gives you an 'Incorrect password' error," the researchers pointed out. "This suggests they're using an adversary-in-the-middle (AiTM) technique to check your credentials in real time."
This is part of a growing trend: attackers are exploiting legitimate services to host malicious content and bypass email security checks. It's called "living-off-trusted-sites" (LOTS).
"This multi-stage attack shows how cybercriminals are exploiting blind spots in lesser-known tools to avoid detection, trick users, and compromise accounts," the researchers concluded.
"Instead of linking directly to a credential-harvesting page, the attackers route the user through several intermediary steps: first to the Gamma-hosted presentation, then to a splash page protected by a Cloudflare Turnstile, and finally to a spoofed Microsoft login page. This multi-stage redirection hides the true destination and makes it difficult for static link analysis tools to trace the attack path."
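An added example, not from the Abnormal Security report: a triage sketch that scores a redirect chain for the three stages described above. It assumes a sandbox has already followed the link and recorded each hop's URL and HTML; the domain lists, finding names and sample chains are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed lists for this sketch; tune them to your own environment.
CONTENT_PLATFORMS = {"gamma.app"}  # trusted hosting abused as the first hop
MS_LOGIN_DOMAINS = {"login.microsoftonline.com", "login.live.com"}
TURNSTILE_MARKER = "challenges.cloudflare.com/turnstile"

def host_under(url, domains):
    """True if the URL's host equals, or is a subdomain of, a listed domain."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def looks_like_ms_login(html):
    """Crude content check: a password field plus Microsoft/SharePoint branding."""
    text = html.lower()
    return 'type="password"' in text and ("microsoft" in text or "sharepoint" in text)

def assess_chain(hops):
    """hops: ordered (url, html) pairs recorded while following one link."""
    findings = []
    if not hops:
        return findings
    if host_under(hops[0][0], CONTENT_PLATFORMS):
        findings.append("trusted_platform_entry")
    if any(TURNSTILE_MARKER in html.lower() for _, html in hops):
        findings.append("challenge_gate")
    last_url, last_html = hops[-1]
    if looks_like_ms_login(last_html) and not host_under(last_url, MS_LOGIN_DOMAINS):
        findings.append("ms_login_off_domain")
    return findings

def verdict(hops):
    """block: all three stages seen; review: off-domain login page alone."""
    found = assess_chain(hops)
    if "ms_login_off_domain" in found:
        return "block" if len(found) == 3 else "review"
    return "allow"

# Constructed sample chains (not indicators from the report).
SAMPLE_PHISH = [
    ("https://gamma.app/docs/constructed-sample", "<a>Review Secure Documents</a>"),
    ("https://gate.example/", '<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>'),
    ("https://sharepoint-login.example/", '<h1>Microsoft SharePoint</h1><input type="password">'),
]
SAMPLE_BENIGN = [("https://gamma.app/docs/constructed-deck", "<h1>Quarterly roadmap</h1>")]
```

A static scanner that inspects only the first URL sees the same trusted host in both samples; the difference only appears once every hop has been followed and rendered.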
Microsoft, in their latest Cyber Signals report, is also warning about the rise of AI-driven fraud. They say AI is being used to create believable content for large-scale attacks, including deepfakes, voice cloning, phishing emails, fake websites, and bogus job listings.
"AI tools can scan the web for company information, helping attackers build detailed profiles of employees or other targets to create highly convincing social engineering lures," Microsoft stated.
"In some cases, bad actors are luring victims into increasingly complex fraud schemes using fake AI-enhanced product reviews and AI-generated storefronts, where scammers create entire websites and e-commerce brands, complete with fake business histories and customer testimonials."
Microsoft has also been fighting back against attacks from Storm-1811 (aka STAC5777). This group has been abusing Microsoft Quick Assist software by pretending to be IT support via Teams and convincing users to give them remote access, which they then use to deploy ransomware.
But it looks like Storm-1811 might be changing tactics. A new report from ReliaQuest says they've spotted the group using a previously unknown persistence method called TypeLib COM hijacking and a new PowerShell backdoor to stay hidden and maintain access to compromised systems.
Apparently, this group has been developing versions of this PowerShell malware since January 2025, initially spreading it through malicious Bing ads. The activity, discovered a couple of months later, targeted customers in finance, professional, scientific, and technical services, focusing on high-level female employees.
These changes suggest that Storm-1811 is either evolving, or a different group is using their initial attack methods.
"The phishing chats were carefully timed, landing between 2:00 p.m. and 3:00 p.m., perfectly synced to the recipient organizations' local time and coinciding with an afternoon slump in which employees may be less alert in spotting malicious activity," ReliaQuest reported.
"Whether or not this Microsoft Teams phishing campaign was run by Black Basta, it's clear that phishing through Microsoft Teams isn't going anywhere. Attackers keep finding clever ways to bypass defenses and stay inside organizations."