
Threat actors are leveraging an artificial intelligence (AI)-driven presentation platform called Gamma in phishing attacks to direct unsuspecting users to spoofed Microsoft login pages.
“Attackers weaponize Gamma, a relatively new AI-based presentation tool, to provide a link to a fraudulent Microsoft SharePoint login portal,” Abnormal Security researchers Callie Hinman Baron and Piotr Wojtyla said in an analysis published Tuesday.
The attack chain starts with a phishing email. In some cases it is sent from a legitimate but compromised email account, and it urges recipients to open an embedded PDF document.
In reality, the PDF attachment is nothing more than a hyperlink that, when clicked, redirects the victim to a presentation hosted on Gamma.
The presentation, in turn, impersonates Microsoft and sends the user to an intermediate page that asks them to complete a Cloudflare Turnstile verification step before they can access the expected document. This CAPTCHA-style barrier both lends the attack an air of legitimacy and blocks automated URL analysis by security tools.

The target is then taken to a credential-harvesting phishing page posing as a Microsoft SharePoint sign-in portal.
“If mismatched credentials are provided, an ‘incorrect password’ error is triggered. This indicates that the perpetrator is using some kind of adversary-in-the-middle (AitM) setup to verify the credentials in real time,” the researchers said.
The findings are part of a continuing trend in phishing attacks that abuse legitimate services to host malicious content and thereby slip past email authentication checks such as SPF, DKIM and DMARC, which validate the sending domain rather than the content of the links inside the message.
“This clever multi-stage attack shows how today’s threat actors exploit the blind spots created by lesser-known tools to deceive unsuspecting recipients and compromise accounts,” the researchers said.

“As opposed to linking directly to the credential-harvesting page, the attacker routes the user through several intermediary steps: first to a Gamma-hosted presentation, then to a splash page protected by Cloudflare Turnstile, and finally to a spoofed Microsoft login page.”
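The three-hop sequence described above is itself a usable detection signal: Gamma and Cloudflare Turnstile are both legitimate services, but one user visiting a gamma.app presentation, then fetching the Turnstile challenge script, then landing on a "SharePoint" or "login" page that is not on a Microsoft-owned host, all within a few minutes, is the pattern this campaign leaves in web proxy logs. The script below is an added example written for this article, not code from Abnormal Security or from the page itself. It runs over a few constructed proxy log lines; the log format (ISO timestamp, username, URL), the list of Microsoft sign-in hosts and the ten-minute window are assumptions to be tuned for your environment.

```python
"""Hunt for the Gamma -> Cloudflare Turnstile -> spoofed Microsoft login chain in proxy logs.

Added example for this article; the log format and host lists are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hosts that legitimately serve Microsoft sign-in pages (assumption: illustrative, not exhaustive).
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# How long the whole chain may take; the campaign walks the victim through it in one sitting.
CHAIN_WINDOW = timedelta(minutes=10)


def stage_of(url):
    """Map a URL to a stage of the chain, or None if it is not part of it."""
    parsed = urlparse(url)
    host, path = parsed.netloc.lower(), parsed.path.lower()
    if host == "gamma.app" or host.endswith(".gamma.app"):
        return "gamma"                       # stage 1: presentation hosted on Gamma
    if host == "challenges.cloudflare.com":
        return "turnstile"                   # stage 2: Turnstile widget fetched by the splash page
    if host in MICROSOFT_LOGIN_HOSTS or host.endswith(".sharepoint.com"):
        return None                          # genuine Microsoft sign-in or SharePoint, not spoofed
    if "microsoft" in host or any(k in path for k in ("sharepoint", "login", "signin")):
        return "fake_login"                  # stage 3: login-looking page on a non-Microsoft host
    return None


def parse_line(line):
    """Split '<iso timestamp> <user> <url>' into its parts (assumed log format)."""
    ts, user, url = line.split(" ", 2)
    return datetime.fromisoformat(ts), user, url.strip()


def find_chains(lines):
    """Return one hit per user who walked gamma -> turnstile -> fake_login within CHAIN_WINDOW."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, user, url = parse_line(line)
        stage = stage_of(url)
        if stage:
            events[user].append((ts, stage, url))

    hits = []
    for user, evs in events.items():
        evs.sort()
        for i, (t0, s0, u0) in enumerate(evs):
            if s0 != "gamma":
                continue
            seen, urls = ["gamma"], [u0]
            for t, s, u in evs[i + 1:]:
                if t - t0 > CHAIN_WINDOW:
                    break
                # Only accept the stages in order; a stray Turnstile fetch on its own is noise.
                if s == "turnstile" and seen[-1] == "gamma":
                    seen.append(s)
                    urls.append(u)
                elif s == "fake_login" and seen[-1] == "turnstile":
                    seen.append(s)
                    urls.append(u)
                    hits.append({"user": user, "start": t0, "end": t, "urls": urls})
                    break
    return hits


# Constructed sample log: alice follows the full chain, bob uses real Microsoft services.
SAMPLE_LOG = [
    "2025-04-15T14:02:11 alice https://gamma.app/docs/Q1-Invoice-Review",
    "2025-04-15T14:02:40 alice https://challenges.cloudflare.com/turnstile/v0/api.js",
    "2025-04-15T14:03:05 alice https://sharepoint-docs-secure.example/login",
    "2025-04-15T14:10:00 bob https://login.microsoftonline.com/common/oauth2/authorize",
    "2025-04-15T14:11:00 bob https://contoso.sharepoint.com/sites/hr",
]

if __name__ == "__main__":
    for hit in find_chains(SAMPLE_LOG):
        print(f"{hit['user']}: chain from {hit['start']} to {hit['end']}")
        for url in hit["urls"]:
            print("   ", url)
```

The rule keys on the order of the hops rather than on any single host, because Gamma and Turnstile are widely used for legitimate purposes and would be far too noisy on their own. The weak link is the third stage: the spoofed page can live on any host, so the heuristic (a login-like path or "microsoft" in a hostname that Microsoft does not own) should be backed by your own allow-list of tenant sign-in hosts.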
The disclosure comes as Microsoft, in its latest Cyber Signals report, warned of a rise in AI-driven fraud attacks that use deepfakes, voice cloning, phishing emails, realistic-looking fake websites and bogus job listings to generate believable content at scale.
“AI tools can scan and scrape the web for company information, helping attackers build detailed profiles of employees or other targets to create highly convincing social engineering lures,” the company said.
“In some cases, bad actors use fake AI-enhanced product reviews and AI-generated storefronts to lure victims into increasingly complex fraud schemes, with scammers creating entire websites and e-commerce brands complete with fake business histories and customer testimonials.”

Microsoft also said it has taken action against attacks orchestrated by Storm-1811 (aka STAC5777), which abused Microsoft’s Quick Assist tool by posing as IT support in a voice phishing (vishing) scheme run over Microsoft Teams, obtaining remote access to victims’ devices for subsequent ransomware deployment.
That said, there is evidence to suggest that the cybercriminal groups behind the Teams vishing campaign may be changing tactics. According to a new report from ReliaQuest, attackers have been observed using a previously unreported persistence method, TypeLib COM hijacking, together with a new PowerShell backdoor, to evade detection and maintain access to compromised systems.
The threat actors are said to have been developing versions of the PowerShell malware since January 2025, deploying early iterations via malicious Bing ads. The activity, detected two months later, targeted customers in the financial and professional, scientific and technical services sectors, with a focus on executive-level employees with female-sounding names.

The later stages of the attack chain raise the possibility that Storm-1811 has evolved its tradecraft, that the activity is the work of a splinter group, or that an entirely different threat actor has adopted the same initial access technique.
“The phishing chats were carefully timed, landing between 2 p.m. and 3 p.m. local time for each recipient, coinciding with an afternoon slump when employees are less vigilant about spotting malicious activity,” ReliaQuest said.
“Whether or not this Microsoft Teams phishing campaign was run by Black Basta, it’s clear that Microsoft Teams phishing isn’t going anywhere. Attackers continue to find clever ways to bypass defenses and stay within organizations.”