Full Report
Threat actors are leveraging an artificial intelligence (AI) powered presentation platform named Gamma in phishing attacks to direct unsuspecting users to spoofed Microsoft login pages. "Attackers weaponize Gamma, a relatively new AI-based presentation tool, to deliver a link to a fraudulent Microsoft SharePoint login portal," Abnormal Security researchers Hinman Baron and Piotr Wojtyla said in
Analysis Summary
# Tool/Technique: Gamma Presentation Platform Abuse
## Overview
Threat actors are weaponizing the legitimate, AI-powered presentation platform Gamma (gamma.app) to host malicious content used in sophisticated, multi-stage phishing attacks designed to harvest Microsoft credentials.
## Technical Details
- Type: Technique (Abuse of a legitimate service)
- Platform: Web-based (any user with a browser and an email client; the final page targets Microsoft account credentials)
- Capabilities: Hosting the lure that starts the redirect chain; evading URL-reputation filtering by sitting on a trusted domain (Living-Off-Trusted-Sites, LOTS); gating the phishing page behind a bot-detection challenge so scanners never reach it.
- First Seen: Unspecified (Mentioned as leveraging a "relatively new" tool)
## MITRE ATT&CK Mapping
*Note: Gamma is used only as a trusted intermediary, so the mapped techniques cover staging the lure, delivering it, hiding the phishing page from scanners, and capturing the credentials; no malware executes on the victim host.*
- **TA0042 - Resource Development**
- T1608.005 - Stage Capabilities: Link Target (the presentation hosted on gamma.app is the link target)
- **TA0001 - Initial Access**
- T1566.001 - Spearphishing Attachment (PDF attachment carrying the hyperlink)
- T1566.002 - Spearphishing Link (the hyperlink to the Gamma presentation)
- **TA0005 - Defense Evasion**
- T1665 - Hide Infrastructure (trusted hosting plus the Cloudflare Turnstile gate keep scanners off the final page)
- **TA0006 - Credential Access**
- T1557 - Adversary-in-the-Middle (real-time relay of submitted credentials)
- T1056.003 - Input Capture: Web Portal Capture (spoofed SharePoint login page)
## Functionality
### Core Capabilities
- Hosting the lure presentation on a legitimate service (gamma.app), so the first link in the chain carries a clean domain reputation and is not caught by reputation-based URL blocks.
- Employing a multi-stage redirection process to obscure the final phishing goal.
- Serving the initial lure as a seemingly benign PDF attachment whose only payload is a hyperlink to the Gamma presentation.
### Advanced Features
- **Multi-Stage Redirection:** Attack flow involves: Phishing Email $\rightarrow$ Malicious link in PDF $\rightarrow$ Presentation hosted on Gamma $\rightarrow$ "Review Secure Documents" button $\rightarrow$ Intermediate splash page with Cloudflare Turnstile verification $\rightarrow$ Spoofed Microsoft SharePoint login page.
- **Anti-Automation Measure:** A Cloudflare Turnstile challenge is inserted before the final page so that automated URL scanners and link-expansion tools, which cannot solve the challenge, never see the phishing destination; only a human in a real browser reaches it.
- **Real-Time Credential Validation:** The spoofed SharePoint page most likely sits behind an Adversary-in-the-Middle (AiTM) proxy that relays submitted credentials to the real Microsoft service as they are entered. A wrong password therefore produces a realistic "Incorrect password" error instead of being silently accepted, which keeps the victim from becoming suspicious and tells the attacker which harvested credentials are valid.
- **Living-Off-Trusted-Sites (LOTS):** Because the link points at gamma.app, a domain with a clean reputation, URL-reputation and domain-blocklist checks in email gateways do not flag it. Note that SPF, DKIM and DMARC authenticate the sending domain, not the links in the body; a trusted-host link does not by itself cause a message to pass those checks, so whether the email passes them depends on the sending infrastructure, which this summary does not describe.
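To show how a mail gateway would surface the lure described above, here is an added example (not code from the Abnormal report, Gamma, or the original page) that pulls `/URI` link targets out of a PDF attachment and routes links on a trusted-but-abusable host to sandbox detonation rather than a plain reputation lookup. The PDF bytes, the gamma.app path and the `LOTS_HOSTS` list are constructed for illustration; real attachments are usually Flate-compressed, in which case the raw scan below must be replaced by a proper parser such as pypdf, and the triage logic stays the same.

```python
import re
from urllib.parse import urlparse

# Constructed minimal, uncompressed PDF: one page with two link annotations.
# The gamma.app path is hypothetical; it is not a real lure URL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 700 500 720]
   /A << /S /URI /URI (https://gamma.app/docs/constructed-example) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [100 650 500 670]
   /A << /S /URI /URI (https://www.microsoft.com/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Legitimate content platforms known to be abused as LOTS intermediaries.
# Assumed list for illustration; extend it with the services your tenant sees abused.
LOTS_HOSTS = {"gamma.app"}

# PDF strings come in two encodings: literal (...) with backslash escapes,
# and hexadecimal <...>. Both can carry a /URI action target.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def _unescape(s: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for URLs: \\( \\) \\\\ and line continuation."""
    s = re.sub(rb"\\\r?\n", b"", s)          # backslash-newline is a continuation, not content
    s = re.sub(rb"\\([()\\])", rb"\1", s)     # \( \) \\ -> ( ) \
    return s.decode("latin-1")


def extract_pdf_uris(data: bytes) -> list[str]:
    """Return every /URI action target found in an uncompressed PDF body, in file order."""
    uris = [_unescape(m.group(1)) for m in _URI_LITERAL.finditer(data)]
    for m in _URI_HEX.finditer(data):
        hexstr = re.sub(rb"\s", b"", m.group(1)).decode()
        uris.append(bytes.fromhex(hexstr).decode("latin-1"))
    return uris


def triage(url: str) -> str:
    """Decide how a link must be checked. A clean reputation proves nothing for a
    LOTS host, so such links are sent to a sandbox that follows every redirect hop."""
    host = (urlparse(url).hostname or "").lower()
    if host in LOTS_HOSTS or any(host.endswith("." + h) for h in LOTS_HOSTS):
        return "detonate"
    return "reputation-check"


def triage_pdf(data: bytes) -> list[tuple[str, str]]:
    """Pair each extracted link with its triage verdict."""
    return [(u, triage(u)) for u in extract_pdf_uris(data)]


if __name__ == "__main__":
    for url, verdict in triage_pdf(SAMPLE_PDF):
        print(f"{verdict:16} {url}")
```

The point of the split verdict is that the Gamma link is not malicious by reputation and never will be; the only way to learn what it leads to is to follow it, through the Turnstile gate, in a real browser.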
## Indicators of Compromise
- File Hashes: N/A (Relies on external platforms)
- File Names: Malicious PDF attachment (Content unknown)
- Registry Keys: N/A
- Network Indicators:
- Lure hosting: gamma.app (legitimate service used as a trusted intermediary; not attacker infrastructure and not a C2 channel)
- Final Destination: Spoofed Microsoft SharePoint domains (Specific domains not provided in context)
- Behavioral Indicators: A redirect chain that starts at a trusted third-party host (here gamma.app), passes through a Cloudflare Turnstile challenge, and ends on a credential form that is not on a Microsoft-owned domain.
## Associated Threat Actors
- The tool/technique itself is not attributed to a specific actor, but it represents a trend observed by security researchers.
## Detection Methods
- Signature-based detection: Ineffective against the initial link hosted on Gamma itself due to its legitimate context.
- Behavioral detection: Correlate URL clicks or web-proxy traffic into per-user redirect chains and alert on the known sequence (Gamma $\rightarrow$ Turnstile $\rightarrow$ Microsoft-style login on a non-Microsoft domain). Link expansion that stops at the Turnstile challenge will report the chain as benign, so the final hop must come from a browser-based sandbox or from the user's actual traffic.
- YARA rules: Not applicable for URL/service abuse mechanisms.
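An added example of the behavioral detection above (not part of the original analysis): it replays constructed web-proxy log lines and alerts when one user's traffic walks the chain gamma.app, then Cloudflare Turnstile, then a login-looking path on a host that is not Microsoft's, in that order, within ten minutes. The log format, the host lists, the login-path markers and the window are assumptions to be adapted to real telemetry; the Turnstile host is the one that serves the challenge script (`challenges.cloudflare.com`).

```python
from datetime import datetime, timedelta

# Constructed proxy lines (not real telemetry). Assumed format:
# <ISO timestamp> <user> <requested host> <path>
# alice walks the full chain; bob stops at the Gamma deck; carol hits Turnstile
# and a login page but never visited the LOTS host first.
PROXY_LOG = """\
2024-04-15T10:00:05Z alice gamma.app /docs/constructed-deck
2024-04-15T10:00:41Z alice challenges.cloudflare.com /turnstile/v0/api.js
2024-04-15T10:01:12Z alice docs-review.example /sharepoint/login
2024-04-15T10:02:30Z bob gamma.app /docs/quarterly-plan
2024-04-15T10:45:00Z bob login.microsoftonline.com /common/oauth2/authorize
2024-04-15T11:10:00Z carol challenges.cloudflare.com /turnstile/v0/api.js
2024-04-15T11:10:20Z carol docs-review.example /sharepoint/login
"""

LOTS_HOSTS = {"gamma.app"}                        # trusted intermediaries seen abused (assumed list)
TURNSTILE_HOSTS = {"challenges.cloudflare.com"}   # serves the Turnstile challenge script
# Domains that may legitimately present a Microsoft sign-in (assumed allowlist).
LEGIT_LOGIN_SUFFIXES = ("microsoftonline.com", "sharepoint.com", "microsoft.com", "live.com")
LOGIN_MARKERS = ("login", "signin", "sharepoint")  # path fragments typical of a spoofed portal
WINDOW = timedelta(minutes=10)                     # the whole chain is a single user session


def parse(log: str):
    """Yield (timestamp, user, host, path) tuples from the constructed log format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, host, path = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, host.lower(), path.lower()


def _is_legit_login_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in LEGIT_LOGIN_SUFFIXES)


def _stage(host: str, path: str):
    """Map one request to its position in the chain, or None if it is not part of it."""
    if host in LOTS_HOSTS:
        return 0
    if host in TURNSTILE_HOSTS:
        return 1
    if any(m in path for m in LOGIN_MARKERS) and not _is_legit_login_host(host):
        return 2
    return None


def detect(log: str) -> list[dict]:
    """Alert when a user completes stages 0 -> 1 -> 2 in order inside WINDOW.
    A new LOTS hit restarts the chain; an expired partial chain is discarded;
    out-of-order hits (Turnstile with no prior LOTS visit) do not count."""
    alerts, state = [], {}   # state: user -> (next expected stage, chain start, hops so far)
    for ts, user, host, path in parse(log):
        stage = _stage(host, path)
        if stage is None:
            continue
        nxt, start, hops = state.get(user, (0, None, []))
        if start is not None and ts - start > WINDOW:
            nxt, start, hops = 0, None, []
        if stage == 0:
            state[user] = (1, ts, [host])
        elif stage == nxt:
            hops = hops + [host]
            if stage == 2:
                alerts.append({"user": user, "when": ts.isoformat(), "chain": hops})
                state.pop(user, None)
            else:
                state[user] = (stage + 1, start, hops)
    return alerts


if __name__ == "__main__":
    for a in detect(PROXY_LOG):
        print(f"ALERT {a['when']} {a['user']}: {' -> '.join(a['chain'])}")
```

Requiring the stages in order is what keeps the rule quiet: a user who opens a real Gamma deck, or who meets Turnstile on an unrelated site, matches only one stage, and a Microsoft sign-in on a Microsoft-owned domain is excluded by the allowlist rather than by the path.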
## Mitigation Strategies
- User training focusing on recognizing multi-stage phishing lures, especially those involving legitimate file-sharing or presentation services.
- Employing advanced URL sandboxing or link expansion services capable of resolving multi-stage redirects, including those protected by CAPTCHA barriers.
- Treating any credential prompt reached at the end of a redirect chain as suspicious even when the chain started at a legitimate domain (gamma.app), and checking that the page asking for a Microsoft password is actually on a Microsoft-owned domain.
- Deploying phishing-resistant authentication (FIDO2/WebAuthn passkeys, which are bound to the real origin) for Microsoft accounts, since an AiTM proxy relays passwords and one-time or push-based MFA but cannot replay an origin-bound credential.
## Related Tools/Techniques
- Adversary-in-the-Middle (AiTM) phishing frameworks (e.g., Evilginx) used for real-time credential validation.
- General Living-Off-Trusted-Sites (LOTS) techniques exploiting other legitimate cloud storage or collaboration services.