Abusing the Gamma AI platform in a phishing chain to steal Microsoft 365 accounts

Overview
Gamma AI Platform (often simply called Gamma) is a platform that uses artificial intelligence (AI) to help users create visual, professional content quickly and easily. Some key features of the Gamma AI Platform include:
- Creating presentation slides (like PowerPoint) with attractive designs, automatically adjusting layout and colors.
- Converting long text into concise, easy-to-understand presentations.
- Creating interactive documents for learning, product introductions, project plans, etc.
- Allowing easy embedding of images, videos, charts, and links.

Recently, FPT Threat Intelligence has recorded a sophisticated attack campaign in which attackers abused the Gamma AI Platform to host a link to a phishing page impersonating the Microsoft SharePoint login portal. They relied on users being unfamiliar with the platform, and therefore unaware that it could be abused, which led to data breaches.
Objective of the attack
Steal Microsoft 365 account login information, especially accounts related to SharePoint and OneDrive.
From there, the attacker can access internal data, spread malware, or continue attacking others within the same organization.
Details of the Campaign
- According to analysts, the initial malicious email is sent from a legitimate email account that the attackers obtained from leaked data.

- In the email, the attackers trick the victim into opening what appears to be an attached file. Analysis shows that the file name usually includes the name of the impersonated company. The item is always formatted to look like a PDF attachment, but in reality it is a hyperlink that redirects the user.

- If the recipient clicks the "PDF" in the email, they are redirected to a presentation hosted on Gamma, the AI presentation platform.

- When the victim clicks on the document, they are immediately redirected to a fake Microsoft notification page protected by Cloudflare Turnstile, a bot detection tool that does not require a CAPTCHA challenge.

- After the victim passes the Turnstile check, they are taken to a phishing page disguised as the Microsoft SharePoint login portal. The rest of the page is blocked until login information is entered, mimicking Microsoft's UI templates.

- The user is asked to enter their email address and click Next, which redirects them to a second fraudulent login portal prompting for the password.

- If incorrect credentials are entered, an incorrect-password error is shown, indicating that the operator uses some form of adversary-in-the-middle (AiTM) proxy to validate the credentials against the real service in real time.

- When the user enters the correct credentials, the submitted data and the resulting session are captured by the attackers and sent to their C2 server infrastructure. They then use these sessions to access internal data such as emails, files, and other sensitive information.
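The lure in this chain can be checked mechanically: the email carries an anchor whose visible text looks like a PDF file name while its href points somewhere else, in this case a Gamma presentation. The following Python script is an added example written for this write-up, not code from FPT Threat Intelligence or from Gamma. The email snippet, the presentation path and the watched-domain list are constructed for illustration, and the host matching it uses is the same check a proxy or Secure Web Gateway rule would apply when monitoring access to domains such as gamma.app.

```python
"""Flag email links that look like a PDF attachment but lead elsewhere.

Constructed example: detects anchors whose visible text resembles a
PDF file name while the URL is not a PDF, and anchors pointing at a
content-hosting platform worth reviewing. Sample data is illustrative.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Platforms to watch. gamma.app is named in the report; add others as
# your organisation sees fit. A hit means "review", not "malicious".
WATCHED_HOSTS = {"gamma.app"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def host_is_watched(host):
    """True if host equals, or is a subdomain of, a watched domain."""
    host = host.lower()
    return any(host == w or host.endswith("." + w) for w in WATCHED_HOSTS)


def find_lure_links(html):
    """Return [(href, text, [reasons])] for every suspicious anchor."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        reasons = []
        # Visible text mimics a PDF attachment, but the URL is not a PDF.
        if text.lower().endswith(".pdf") and not parsed.path.lower().endswith(".pdf"):
            reasons.append("text looks like a PDF attachment but URL is not a PDF")
        # Link lands on a watched content-hosting platform.
        if host_is_watched(host):
            reasons.append(f"link to watched content platform {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed email body: one lure, one genuine PDF link, one benign link.
SAMPLE_EMAIL = """
<p>Please review the attached document.</p>
<a href="https://gamma.app/docs/PLACEHOLDER-deck-id">ACME_Corp_Contract.pdf</a>
<a href="https://www.example.com/files/Quarterly_Report.pdf">Quarterly_Report.pdf</a>
<a href="https://www.example.com/unsubscribe">Unsubscribe</a>
"""

if __name__ == "__main__":
    for href, text, reasons in find_lure_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print(f"    - {r}")
```

Running the script on the constructed body reports only the first anchor, with both reasons. In a mail-gateway or SOAR playbook the same function would run over the HTML part of each inbound message, and a hit on both reasons together is a strong candidate for quarantine and user notification.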
Recommendation
Protect User Accounts
Enable phishing-resistant MFA:
Use FIDO2, Windows Hello, or app-based authentication with push notifications instead of SMS/email OTPs, which are easy to steal.
Block logins with stolen cookies:
Set up a "re-authentication on high-risk actions" policy in Azure AD or similar systems.
Use Advanced Security Tools
Microsoft Defender for Office 365 / Google Workspace Security:
Detect phishing, AiTM, and malicious links in real time.
Web Proxy / Secure Web Gateway (SWG):
Block or monitor access to domains like gamma.app or fake Microsoft login pages.
Prevent Phishing via Email
Security Awareness Training
Recognize new techniques such as:
Legitimate-looking presentations on AI platforms (e.g., Gamma, Notion, Canva).
Authentication pages with real Turnstile or CAPTCHA but fake content.
Train with real-world scenarios that simulate multi-layered attacks.
Conclusion
The multi-layered phishing campaign abusing Gamma is not only a prime example of the creativity and sophistication of cybercriminals but also a serious warning to any organization relying on digital systems and cloud platforms like Microsoft 365.
By leveraging a seemingly "harmless" tool, the AI presentation platform Gamma, and combining it with adversary-in-the-middle (AiTM) techniques and Cloudflare Turnstile, the attackers successfully bypassed both traditional defenses and multi-factor authentication (MFA).
This attack also demonstrates that technical security alone is not enough. Even with MFA, if users are not well trained or lack awareness of new phishing signs, they remain the weakest link in the system. The combination of modern technology, AI-generated content, and social engineering has elevated phishing to a new level: it is no longer as easily recognizable as before.