A sophisticated phishing campaign has been identified that abuses the Gamma AI presentation platform to harvest Microsoft SharePoint credentials. The multi‑stage attack uses trusted domains and CAPTCHA barriers to bypass basic security filters, culminating in a real‑time adversary‑in‑the‑middle credential check. This campaign exemplifies how even lesser‑known tools can be weaponized to slip past email authentication and static URL analysis, underscoring the need for behavior‑based detection and multi‑layered defenses.
Attack Flow
1. Initial Lure
Users receive a phishing email—often from a legitimate, compromised account—with what appears to be a PDF attachment. In reality, that “PDF” is a hyperlink to a Gamma‑hosted presentation.
2. Gamma Presentation
On clicking, victims land on a Gamma slide deck prompting them to “Review Secure Documents.” Because Gamma is a legitimate domain, standard email gateways tend to allow the link through.
3. CAPTCHA Verification
Next, users encounter a splash page requiring a Cloudflare Turnstile check. This CAPTCHA not only lends an air of authenticity but also prevents security tools from automating URL scans.
4. Spoofed Login and AiTM Validation
Finally, users are directed to a counterfeit Microsoft SharePoint sign‑in page. Entered credentials are relayed through an adversary‑in‑the‑middle proxy, triggering “Incorrect password” errors on mismatch—evidence of real‑time validation.
Underlying Tactics
Living‑Off‑Trusted‑Sites (LOTS)
Because the lure is sent from a legitimate (if compromised) mailbox and points to content hosted on a legitimate domain, the message passes SPF, DKIM, and DMARC checks and the link slips past reputation‑based filters.
Adversary‑in‑the‑Middle (AiTM)
Relaying submitted credentials through a proxy lets attackers validate harvested passwords in real time. This raises their success rate and, because a mistyped password produces a genuine “Incorrect password” error, keeps the fake page credible across repeated login attempts.
Broader Context
This Gamma campaign reflects a surge in AI‑enabled scams—deepfakes, voice cloning, and dynamic phishing chains—that exploit automation to scale social engineering efforts. Security platforms report a marked increase in multi‑stage attacks that blend human psychology with technical evasion techniques.
Mitigation Strategies
- Behavioral Email Analysis: Deploy AI‑driven email security that builds sender and content profiles, spotting deviations from established patterns rather than relying solely on blacklists.
- Multi‑Layered Link Inspection: Combine gateway filtering with sandbox detonation, CAPTCHA‑aware URL crawling, and continuous reputation scoring to detect hidden redirections and LOTS behavior.
- Strong Authentication Controls: Enforce multi‑factor authentication with phishing‑resistant factors (hardware tokens, certificate‑based auth) to neutralize AiTM‑style credential harvesting.
- Continuous User Education: Regularly train staff on emerging phishing flows—unexpected CAPTCHAs in email, unfamiliar platform domains, and multi‑step redirections—and simulate these attacks to reinforce vigilance.
- Incident Response Playbook: Develop and test a phishing incident workflow that includes rapid link takedown, compromised‑account detection, and real‑time credential resets to limit exposure in ongoing campaigns.
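As an added example that is not part of the original article, the Python below implements one concrete link‑inspection check from the list above: it flags message links whose visible label poses as a PDF or "secure document" while the target is a page on a user‑content hosting platform, the pattern of the Gamma lure. It assumes gamma.app is Gamma's domain and runs on a constructed sample message.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Platforms whose content is user-generated and so open to LOTS abuse.
# "gamma.app" is assumed to be Gamma's domain; extend with others you watch.
LOTS_HOSTS = {"gamma.app"}
# Anchor text that poses as an attachment or a "secure document" prompt.
ATTACHMENT_TEXT = re.compile(r"\.(pdf|docx?|xlsx?)\b|secure documents?", re.I)

class LinkExtractor(HTMLParser):
    # Collects (href, visible text) for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def inspect_links(html):
    """Flag links whose label claims to be a document but whose target is a
    page on a user-content platform, as in the Gamma lure described above."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reasons = []
        if any(host == h or host.endswith("." + h) for h in LOTS_HOSTS):
            reasons.append("hosted on user-content platform")
        if ATTACHMENT_TEXT.search(text) and not url.path.lower().endswith((".pdf", ".docx", ".xlsx")):
            reasons.append("anchor text poses as an attachment")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

# Constructed sample body (not from the campaign): a lure, a plain deck link,
# a genuine document link and an ordinary link.
SAMPLE_EMAIL = """<p>Please review the attached file.</p>
<a href="https://gamma.app/docs/abc123">Invoice_Q3.pdf</a>
<a href="https://gamma.app/docs/xyz789">View deck</a>
<a href="https://files.contoso.example/Q3.pdf">Q3.pdf</a>
<a href="https://www.example.com/about">About us</a>"""
```

Calling `inspect_links(SAMPLE_EMAIL)` returns two findings: the "Invoice_Q3.pdf" lure with both reasons, and the plain deck link with the hosting reason only.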
Conclusion
The Gamma‑based phishing chain demonstrates how threat actors leverage legitimate AI platforms and multi‑stage tactics to outmaneuver traditional security controls. For B2B tech leaders, the imperative is clear: adopt behavior‑centric detection, reinforce authentication, and build layered defenses that anticipate evolving phishing methodologies. Only with a holistic, adaptive security posture can organizations stay ahead of AI‑enhanced cyber threats.