AI Incident Database
Report 5211

Associated Incidents

Incident 10687 Report
AI-Powered Presentation Tool Gamma Implicated in Multi-Stage Phishing Campaign

Hackers Weaponize Gamma Tool Through Cloudflare Turnstile to Steal Microsoft Credentials
gbhackers.com · 2025

Cybercriminals are exploiting an AI-powered presentation tool called Gamma to launch a multi-stage attack aimed at stealing Microsoft credentials.

This attack route is designed not only to evade traditional security measures but also to deceive human recipients by leveraging trusted platforms and services.

Exploitation of Gamma and Cloudflare Turnstile

Cyber attackers are taking advantage of Gamma, a lesser-known but increasingly used platform for creating presentations, to host malicious content.

Here's how the attack unfolds:

  • Initial Contact: The campaign begins with an email from a legitimate, compromised account, inviting the recipient to view a document. The subject line and message are generic, often stating something like "View the attached file." However, the "attached document" is actually a hyperlink leading to a Gamma-hosted presentation.
  • Gamma Presentation: Upon clicking the link, the unsuspecting user is directed to a Gamma presentation featuring the organization's logo and a call-to-action (CTA) button labeled "View PDF" or similar. This CTA redirects the user to the next stage of the attack.
  • Intermediary Splash Page: The next step is a splash page with Microsoft branding and a Cloudflare Turnstile, a CAPTCHA-free bot detector. This step is crucial because it ensures that only real users reach the phishing site, keeping automated security tools from analyzing it.
  • Fake Microsoft Login: After passing the Turnstile, the user is presented with a meticulously crafted phishing page mimicking Microsoft's SharePoint login. Victims are prompted to enter their credentials, which are validated in real time through an Adversary-in-the-Middle (AiTM) framework, adding to the attack's sophistication.

Why This Attack Stands Out

This phishing campaign is notable for several reasons:

  • Gamma's Novelty: Being relatively new, Gamma isn't as widely recognized, reducing the likelihood of user suspicion.
  • Indirect Email: Attackers do not send emails directly through Gamma, instead embedding malicious links in emails from compromised accounts to bypass content scanning or detection.
  • Cloudflare Turnstile: This service adds a layer of legitimacy, making the phishing site harder to detect by automated systems.

The attackers' use of an AiTM framework is particularly alarming. This setup allows them to not only harvest credentials but also capture session cookies, enabling attackers to bypass Multi-Factor Authentication (MFA) and gain unauthorized access to the victim's account.

The layered approach of this attack, starting from a legitimate sender, through to a reputable service like Gamma, then a trusted security tool, and finally to a convincing fake login, makes it challenging to detect:

  • Email Authentication: The email passes standard authentication checks, appearing to come from a legitimate source.
  • Multi-Stage Redirection: The attack path is obfuscated by multiple redirects, making static link analysis less effective.

According to the report, this campaign underscores the importance of moving beyond traditional rule-based email security.

AI and behavioral analysis are becoming critical in identifying and stopping such nuanced phishing attempts.
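
Because each hop in this chain looks benign in isolation, detection has to correlate the stages of one browsing session rather than inspect the emailed link alone. The Python below is an added example, not code from the article or the report it cites; the hostnames (gamma.app as Gamma's hosting domain, the Turnstile script origin, the Microsoft domain suffixes), the event fields and both sample sessions are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Assumed values for illustration; none of these hostnames appear in the article.
PRESENTATION_HOSTS = {"gamma.app"}            # assumed Gamma hosting domain
TURNSTILE_HOST = "challenges.cloudflare.com"  # origin of the Turnstile widget script
MS_SUFFIXES = ("microsoftonline.com", "microsoft.com", "live.com", "sharepoint.com")
BRANDS = ("microsoft", "sharepoint")

def host(url):
    return (urlparse(url).hostname or "").lower()

def is_microsoft(h):
    return any(h == s or h.endswith("." + s) for s in MS_SUFFIXES)

def stages(events):
    """Return the attack stages matched by one user's ordered page loads."""
    seen = set()
    for ev in events:
        h = host(ev["url"])
        if h in PRESENTATION_HOSTS:
            seen.add("presentation")
            continue
        branded = any(b in ev.get("title", "").lower() for b in BRANDS)
        # Later stages: after the presentation hop, Microsoft-branded, non-Microsoft host.
        if "presentation" not in seen or is_microsoft(h) or not branded:
            continue
        if TURNSTILE_HOST in {host(u) for u in ev.get("subresources", [])}:
            seen.add("turnstile_splash")
        if ev.get("password_field"):
            seen.add("offdomain_login")
    return seen

def classify(events):
    s = stages(events)
    if {"presentation", "offdomain_login"} <= s:
        return "alert" if "turnstile_splash" in s else "review"
    return "ok"

# Constructed sample sessions (hypothetical URLs and titles).
PHISH_CHAIN = [
    {"url": "https://gamma.app/docs/constructed-sample", "title": "Shared file"},
    {"url": "https://splash.example/verify", "title": "Microsoft | Verify",
     "subresources": ["https://challenges.cloudflare.com/turnstile/v0/api.js"]},
    {"url": "https://portal.example/login", "title": "SharePoint sign in", "password_field": True},
]
BENIGN_CHAIN = [
    {"url": "https://gamma.app/docs/constructed-sample", "title": "Team deck"},
    {"url": "https://login.microsoftonline.com/", "title": "Microsoft sign in", "password_field": True},
]
```

`classify(PHISH_CHAIN)` returns "alert", while the same presentation followed by a genuine Microsoft sign-in host returns "ok"; a chain with the branded off-domain login but no Turnstile splash is downgraded to "review".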
