An AI-powered presentation tool named Gamma is being used in phishing attacks to trick targets into thinking an email is legitimate.
That's according to researchers at security vendor Abnormal Security, which published research today dedicated to Gamma and how threat actors are misusing it to reach targets in a new campaign. Gamma is an otherwise legitimate graphic design product used by customers to generate presentations with generative AI models, but Abnormal researchers detailed how Gamma can be used to deliver a link to a fake Microsoft portal.
"This clever, multi-stage attack shows how today's threat actors are taking advantage of the blind spots created by lesser-known tools to sidestep detection, deceive unsuspecting recipients, and compromise accounts," the research blog post read.
Leveraging Gamma for Phishing Attacks
In an example attack shared in the blog post, a threat actor sent an email to a target via a legitimate but stolen email account. The email included a brief message with a call to action to view an attached PDF.
Clicking on the "attachment" (an image of a PDF embedded in the email) would lead to a Gamma presentation on a legitimate Gamma webpage with a link to view the "completed PDF document."
"The presentation features the impersonated organization's logo, a message designed to appear as a notification regarding the shared file, and a prominent call-to-action button --- typically labeled something like 'View PDF' or 'Review Secure Documents,'" Abnormal's research read. "Hovering over the CTA reveals it is a link to a subdomain containing the impersonated company's name."
When the target clicks the second call to action on the Gamma page, they are sent to a transitional page with a fraudulent Microsoft logo and a Cloudflare bot-detection tool. If they complete the Cloudflare check, they hit a fake yet convincing Microsoft SharePoint login page intended to harvest the target's credentials.
Interestingly, the campaign utilizes an adversary-in-the-middle (AiTM) technique Abnormal previously detailed, in which the fake Microsoft login page apparently checks the submitted credentials in real time and reports when they are incorrect.
Abnormal called the practice of threat actors using legitimate sites to host malicious content "living-off-trusted-sites" (LOTS) attacks. It marks only the latest example of phishing attackers stepping up their game in noteworthy ways.
Dark Reading asked Piotr Wojtyla, head of threat intel and platform at Abnormal, whether real-time credential verification and bot-verification tools are most useful as social engineering devices that make a target feel secure. "Absolutely," he says.
"While the primary objective of AiTM attacks is to capture MFA tokens and sessions to gain unauthorized access to the target's account, building trust and enhancing the appearance of legitimacy are just as important," Wojtyla says. "In this case, the attacker uses a Gamma presentation, a fake captcha-free authenticator, and a convincing spoofed login screen to recreate a flow that exactly mirrors what the target would expect to see. This, in turn, establishes trust, reduces friction, and avoids raising red flags."
What to Do
For an organization attempting to protect itself against this attack, the regular phishing best practices still apply. The example Abnormal provided included --- on the part of the threat actor --- generic calls to action, URLs inappropriate for a SharePoint login page, and grammatical errors.
However, as Abnormal noted in its research, this campaign is more difficult to detect than your average phish because it originated from a legitimate (albeit misused) email address and leveraged a legitimate product.
On Gamma's end, Wojtyla says that as these kinds of phishing attacks are becoming increasingly common, providers of cloud-based platforms that allow anyone to use their tools "must have systems and processes in place to detect malicious use and disable access to the content."
"This includes automated content scanning and analysis, phishing link detection, utilization of threat intel feeds, reviews of end-user reports, and behavioral tracking," he said. "Providers can also add warning banners that alert users when they are being redirected to a site outside of Gamma."
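As an added example (not code from Abnormal's research or from Gamma), here is a small Python triage heuristic for two tells in the chain described above and in the "phishing link detection" Wojtyla recommends: an "attachment" that is really a clickable image leading to a public publishing platform, and hostnames along the redirect chain that carry the impersonated company's or Microsoft's name without sitting on a domain those brands own. The brand-to-domain lists, the placeholder company "acme" and the gamma.app hostname are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions, not from the article: domains each brand really owns (the impersonated
# org's own SharePoint tenant included) and the publishing platform's hostname.
BRAND_DOMAINS = {"acme": {"acme.example", "acme.sharepoint.com"}, "microsoft": {"microsoft.com", "sharepoint.com"}}
PUBLIC_CONTENT_HOSTS = {"gamma.app"}

class LinkedImageFinder(HTMLParser):
    """Collects <img> tags nested in <a>: clickable images that can pose as attachments."""
    def __init__(self):
        super().__init__()
        self.current_href, self.linked_images = None, []  # linked_images: (href, label)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.current_href = a.get("href") or ""
        elif tag == "img" and self.current_href:
            self.linked_images.append((self.current_href, a.get("alt") or a.get("src") or ""))
    def handle_endtag(self, tag):
        if tag == "a":
            self.current_href = None

def fake_attachment_links(html):
    """Hrefs of clickable images labelled as a PDF or leading to a public publishing host."""
    parser = LinkedImageFinder()
    parser.feed(html)
    return [href for href, label in parser.linked_images
            if (urlparse(href).hostname or "").lower() in PUBLIC_CONTENT_HOSTS
            or "pdf" in label.lower()]

def brand_on_foreign_host(url):
    """The brand named in the hostname when that host is not one the brand owns, else None."""
    host = (urlparse(url).hostname or "").lower()
    for brand, owned in BRAND_DOMAINS.items():
        if brand in host and not any(host == d or host.endswith("." + d) for d in owned):
            return brand
    return None

def assess(html, redirect_chain):
    """Reasons to flag: the email body plus each URL reached while following the lure."""
    reasons = []
    if fake_attachment_links(html):
        reasons.append("clickable image posing as a PDF attachment")
    for url in redirect_chain:
        brand = brand_on_foreign_host(url)
        if brand:
            reasons.append(f"{brand} in hostname {urlparse(url).hostname}, not a {brand} domain")
    return reasons
```

The redirect chain is whatever a sandbox or link-follower recorded while visiting the lure; a legitimate tenant URL such as acme.sharepoint.com is deliberately not flagged.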
Dark Reading contacted Gamma via email for additional comment, but the company had not responded by press time.