Description: Attackers reportedly exploited Gamma, an AI-powered presentation tool, to create convincing presentation pages that hosted links to a spoofed Microsoft SharePoint login portal. The phishing flow allegedly used compromised email accounts, Cloudflare Turnstile for bot evasion, and adversary-in-the-middle (AiTM) tactics to validate credentials in real time and capture session cookies. The campaign aimed to bypass MFA and compromise accounts.
Editor Notes: First public disclosure of the campaign occurred on April 15, 2025, in a research post by Abnormal Security detailing the use of Gamma in a multi-stage phishing attack. The precise start date of the campaign is not known. Please read their report here: https://abnormal.ai/blog/multi-stage-phishing-attack-gamma-presentation.
Entities
Alleged: Gamma developed an AI system deployed by Unknown threat actors, Unknown threat actors leveraging Gamma and Unknown AiTM phishing campaign actors, which harmed Gamma, Microsoft, Microsoft SharePoint users, Recipients of phishing emails sent from compromised accounts, Enterprises relying on Microsoft 365 and identity services and Organizations whose employees interacted with Gamma-hosted phishing content.
Alleged implicated AI systems: Gamma, Cloudflare Turnstile, Microsoft SharePoint, Compromised email accounts and AiTM phishing frameworks
Incident Stats
Incident ID: 1068
Report Count: 2
Incident Date: 2025-04-15
Editors: Daniel Atherton
Incident Reports
An AI-powered presentation tool named Gamma is being used in phishing attacks to trick targets into thinking an email is legitimate.
That's according to researchers at security vendor Abnormal Security, which published research today dedica…
AI-powered content generation platforms are reshaping how we work---and how threat actors launch attacks.
In this newly uncovered campaign, attackers weaponize Gamma, a relatively new AI-based presentation tool, to deliver a link to a fraud…
Variants
A "variant" is an incident that shares the same causative factors, produces similar harms, and involves the same intelligent systems as a known AI incident. Rather than index variants as entirely separate incidents, we list variations of incidents under the first similar incident submitted to the database. Unlike other submission types to the incident database, variants are not required to have reporting in evidence external to the Incident Database. Learn more from the research paper.