This newly identified attack chain demonstrates how threat actors are increasingly leveraging legitimate platforms to bypass security controls and deceive unsuspecting victims.
The attack begins with a seemingly innocuous email sent from a compromised legitimate account, typically belonging to a trusted individual or organization.
The message contains what appears to be a PDF attachment but is actually a hyperlink.
When clicked, this link redirects victims to a professionally crafted presentation hosted on Gamma’s platform, complete with organizational branding and a prominent call-to-action button labeled as “View PDF” or “Review Secure Documents.”
Upon clicking this button, victims are directed to an intermediary page featuring Microsoft branding and protected by Cloudflare Turnstile, a CAPTCHA-free bot detection mechanism.
This addition serves a dual purpose: preventing automated security tools from analyzing the malicious content while simultaneously increasing the perceived legitimacy of the page.
Abnormal Security researchers identified this campaign as part of a growing trend of “living-off-trusted-sites” (LOTS) attacks, where threat actors exploit legitimate services to host malicious content.
“What makes this campaign particularly dangerous is its use of Gamma, a relatively new platform that employees may not recognize as a potential vector for phishing attacks,” noted the security team.
The infection chain concludes at a convincing replica of a Microsoft SharePoint login portal, where the page design mimics Microsoft’s UI patterns with a modal-style login window overlaid on a blurred background.
Analysis suggests the implementation of an adversary-in-the-middle (AiTM) framework that validates credentials in real-time against Microsoft’s servers, as evidenced by accurate error messages for incorrect passwords.
The AiTM technique enables attackers to not only harvest credentials but also capture session cookies, potentially allowing them to bypass multi-factor authentication protections.
This sophisticated approach demonstrates how modern phishing campaigns have evolved beyond simple credential harvesting to implement complex technical mechanisms that can circumvent even robust security measures.
This campaign highlights the growing sophistication of phishing attacks and emphasizes the need for organizations to implement advanced security solutions that can detect context-based threats rather than relying solely on traditional indicators of compromise.
Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy
The post Hackers Weaponize Gamma Tool Via Cloudflare Turnstile to Steal Microsoft Credentials appeared first on Cyber Security News.
The sequel to Stellar Blade will not be published by PlayStation, developer Shift Up has…
Michael Pennington — better known to Star Wars fans as Return of the Jedi's Moff…
50 Years Ago An early morning trash fire that may have been set by four…
Editor’s note: This is the second of two parts. “In happy moments one realizes that…
An overnight frost on April 20 set asparagus season off to a false start in…
BOSTON — Amid widespread fear across the country over federal immigration law enforcement activities, legislation…
This website uses cookies.