
Attackers are turning trusted AI platforms into phishing weapons, and Gamma is their latest tool. Researchers at Abnormal Security have uncovered a trend where attackers are using the AI-powered presentation tool to trick victims into disclosing their credentials.

In these phishing campaigns, emails are sent from legitimate but compromised accounts, increasing their chances of evading anti-phishing checks. These emails contain a short, generic message alongside what appears to be a PDF attachment.

Phishing Email

Credit: Abnormal Security

The PDF attachment, however, is a hyperlink that redirects users to a presentation hosted on Gamma's website. The presentation page is customized with the organization's branding and a "View PDF" or "Review Secure Documents" button.

PDF Page

Credit: Abnormal Security
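The fake "PDF attachment" described above is just a hyperlink, so a mail gateway can flag it by comparing what a link claims to be with where it actually points. The following Python is an added detection example, not code from Abnormal Security or Gamma; the platform hostnames, the sample message and its URL are assumed or constructed values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames of the collaboration platforms the article names (assumed values).
LOTS_HOSTS = {"gamma.app", "canva.com", "lucid.app", "figma.com"}
# Wording that makes a link look like a document attachment or a "View PDF" button.
ATTACHMENT_HINT = re.compile(r"\.pdf\b|view pdf|review secure document", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, label) for every <a>; label = visible text plus the alt
    text of any image inside the anchor (the fake PDF icon)."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._label = [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._label = a.get("href") or "", []
        elif tag == "img" and self._href is not None:
            self._label.append(a.get("alt") or "")
    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._label)))
            self._href = None

def find_fake_attachments(html_body):
    """Return links that present themselves as a PDF attachment but are really web
    URLs (a genuine attachment is not a hyperlink), noting LOTS destinations."""
    parser = _LinkCollector()
    parser.feed(html_body)
    hits = []
    for href, label in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme in ("http", "https") and ATTACHMENT_HINT.search(label):
            on_lots = any(host == h or host.endswith("." + h) for h in LOTS_HOSTS)
            hits.append({"href": href, "label": " ".join(label.split()),
                         "lots_platform": on_lots})
    return hits

# Constructed sample message modelled on the campaign; the URL path is a placeholder.
SAMPLE_EMAIL = """<html><body><p>Hi, please review the attached document.</p>
<a href="https://gamma.app/docs/Invoice-Q3-PLACEHOLDER">
  <img src="cid:pdf-icon.png" alt="Invoice_Q3.pdf"> Invoice_Q3.pdf</a>
<p><a href="https://www.example.com/unsubscribe">Unsubscribe</a></p>
</body></html>"""
```

Running `find_fake_attachments(SAMPLE_EMAIL)` returns the Gamma link as a single hit marked `lots_platform: True`, while the unsubscribe link is ignored because nothing about it claims to be a document.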

If a user clicks on the link, they pass through a multi-stage redirection process. They are first directed to an intermediary splash page that displays a Microsoft logo and Cloudflare's Turnstile, which keeps automated scanners out of the later stages while lending the page an appearance of legitimacy. If the user passes this checkpoint, they're taken to a fake Microsoft SharePoint login page. If the provided credentials are incorrect, an "Incorrect password" message appears, just as it would on a genuine Microsoft site.

Fake Microsoft Login Page

Credit: Abnormal Security

This confirmed to the researchers that the attackers are validating input in real time using Adversary-in-the-Middle (AiTM) techniques: the phishing page relays the submitted credentials to the genuine login service and shows the victim its response, so a wrong password produces the same error as the real site. AiTM tactics allow the attackers to validate stolen login information immediately. Once correct details are provided, attackers can steal session cookies and bypass multi-factor authentication, effectively granting full access to the compromised account.

This style of phishing, called "Living-Off-Trusted-Sites" (LOTS), is part of a growing trend where attackers abuse well-known platforms to avoid suspicion. Similar campaigns have involved tools like Canva, Lucidchart, and Figma. Since these tools are widely used for collaboration, many security tools and employees give them a pass.

To address the issue, organizations are advised to maintain core phishing detection practices, such as being cautious of generic calls to action, suspicious URLs, and grammatical errors. However, additional vigilance is necessary, as the phishing emails originate from legitimate, compromised accounts and trusted platforms.

Platform providers like Gamma are recommended to implement automated content scanning and analysis, integrate phishing link detection and threat intelligence feeds, and actively encourage user reporting. They should also monitor for suspicious user behavior and consider adding warning banners when users are redirected away from the platform.
