Cybercriminals are misusing Gamma, an AI-powered presentation tool, in a new phishing campaign that targets users with deceptive emails and spoofed Microsoft login pages.
According to researchers at cybersecurity firm Abnormal Security, Gamma, a legitimate platform that uses generative AI to create polished presentations, is now being exploited to host phishing content. In its latest blog post, Abnormal detailed how attackers are abusing Gamma to lure users into credential-theft schemes through a multi-step chain of pages.
Using Gamma to Launch Phishing Campaigns
In the reported attack, the hackers sent messages from a legitimate but compromised email account. The emails contain a short message and an image posing as a PDF attachment. Clicking the image redirects the user to a presentation hosted on Gamma's official website.
These Gamma-hosted slides mimic the branding of a trusted organization, including its logo and language suggesting that a secure document is being shared. A prominent call-to-action (CTA) button, such as "View PDF", leads users off the Gamma site toward a page that mimics Microsoft's SharePoint login portal.
“The CTA button links to a domain containing the impersonated company’s name,” the blog post explained.
The next step brings the victim to a transition screen with a fake Microsoft logo and a Cloudflare bot-verification check. Besides lending the page a familiar look, a check of this kind tends to stop automated URL scanners from ever reaching the final page. After passing that check, the user lands on a fraudulent Microsoft login screen designed to steal credentials.
The fraudulent login page works as an adversary-in-the-middle (AiTM) proxy: credentials the victim submits are relayed to the real Microsoft sign-in in real time, so a mistyped password produces a genuine-looking error message, which adds an air of legitimacy to the scam. AiTM phishing in general can also relay an MFA challenge and capture the resulting authenticated session cookie, so a completed MFA prompt is not by itself proof that the account is safe; the blog post does not say whether this campaign went that far.
Exploiting Trust: A LOTS Attack
Abnormal refers to this method as a "living-off-trusted-sites" (LOTS) attack, in which cybercriminals exploit legitimate platforms to host malicious content. It is a growing trend that helps phishing campaigns evade detection, because URL-reputation filters trust the hosting domain and the first link in the email points at nothing obviously malicious.
Piotr Wojtyla, head of threat intel at Abnormal, told Dark Reading that tools like real-time credential validation and CAPTCHA-free transitions serve as powerful social engineering tactics.
“These techniques reinforce trust by mirroring what users expect from legitimate interactions,” he said. “The Gamma presentation, bot-check, and convincing login all work together to reduce suspicion.”
Mitigation Measures for Organizations
To mitigate the risk, organizations should continue applying phishing-detection best practices. In the example Abnormal provided, the tells included SharePoint-branded URLs on a domain Microsoft does not own, generic wording, and grammatical errors.
However, because the emails come from a genuinely compromised account and the first link points at a reputable platform such as Gamma, sender-reputation and URL-reputation checks offer little help, and this type of attack is harder to spot.
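As an added example (this is not code from the article, from Abnormal Security, or from Gamma), the following Python script shows how a SOC analyst might triage a redirect chain of the kind described above: each hop is checked for Microsoft or SharePoint branding on a host Microsoft does not own, for the impersonated organization's name appearing in a host that organization does not control, and for content parked on a trusted third-party platform. The Microsoft domain list is illustrative rather than exhaustive, `gamma.app` as Gamma's share domain is an assumption, and the "acme" organization and every URL in the sample chain are constructed for the example.

```python
from urllib.parse import urlparse

# Hosts Microsoft actually uses for SharePoint / 365 sign-in. Illustrative list,
# an assumption for this example rather than an exhaustive inventory.
MICROSOFT_SUFFIXES = ("sharepoint.com", "microsoftonline.com", "microsoft.com",
                      "office.com", "live.com")
# Brand strings attackers embed in lookalike hostnames or paths.
BRAND_KEYWORDS = ("sharepoint", "microsoft", "office365", "onedrive", "o365")
# Legitimate content-hosting platforms abused for "living-off-trusted-sites"
# landings. gamma.app as Gamma's share domain is an assumption of this example.
LOTS_PLATFORMS = ("gamma.app",)

HIGH = "lookalike"  # reason prefix that should block rather than merely queue for review


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def under(host: str, suffixes) -> bool:
    """True if host equals one of the suffixes or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_link(url: str, org: str = "", org_domains=()) -> list:
    """Return heuristic reasons for one hop; an empty list means nothing fired.

    org:         short name of the organisation whose branding is being mimicked
    org_domains: hostnames that organisation legitimately owns
    """
    parsed = urlparse(url)
    host = host_of(url)
    if not host:
        return [f"{HIGH}: unparseable URL"]
    reasons = []
    path = parsed.path.lower()
    ms_host = under(host, MICROSOFT_SUFFIXES)
    # SharePoint/Microsoft wording on a host Microsoft does not own.
    if any(k in host or k in path for k in BRAND_KEYWORDS) and not ms_host:
        reasons.append(f"{HIGH}: Microsoft/SharePoint branding on non-Microsoft host {host}")
    # The CTA domain "contains the impersonated company's name" but is not theirs.
    if org and org.lower() in host and not ms_host and not under(host, org_domains):
        reasons.append(f"{HIGH}: '{org}' appears in host {host} the organisation does not own")
    # Trusted platform used as the landing page: worth a look, not a block on its own.
    if under(host, LOTS_PLATFORMS):
        reasons.append(f"note: content hosted on trusted third-party platform {host}")
    if parsed.scheme != "https":
        reasons.append("note: not served over https")
    return reasons


def triage_chain(hops, org: str = "", org_domains=()):
    """Classify every hop of a click chain; returns [(url, reasons), ...]."""
    return [(url, classify_link(url, org, org_domains)) for url in hops]


def chain_verdict(hops, org: str = "", org_domains=()) -> str:
    """'block' if any hop is a lookalike, 'review' if only notes fired, else 'clean'."""
    findings = triage_chain(hops, org, org_domains)
    if any(r.startswith(HIGH) for _, rs in findings for r in rs):
        return "block"
    if any(rs for _, rs in findings):
        return "review"
    return "clean"


# Constructed sample chain mirroring the article's flow (not real indicators).
EXAMPLE_CHAIN = [
    "https://gamma.app/docs/Secure-Document-Shared-abc123",          # "PDF" image link
    "https://acme-sharepoint-docs.example/view",                      # CTA "View PDF"
    "https://login.acme-sharepoint-docs.example/common/oauth2/auth",  # fake Microsoft sign-in
]
# A genuine SharePoint link for the same organisation, for comparison.
LEGIT_CHAIN = ["https://acme.sharepoint.com/sites/finance/report.pdf"]

if __name__ == "__main__":
    for url, reasons in triage_chain(EXAMPLE_CHAIN, org="acme", org_domains=("acme.com",)):
        print(url, reasons or "ok")
    print("verdict:", chain_verdict(EXAMPLE_CHAIN, "acme", ("acme.com",)))
    print("legit verdict:", chain_verdict(LEGIT_CHAIN, "acme", ("acme.com",)))
```

The organisation's own domains are passed in explicitly so that its legitimate tenant (`acme.sharepoint.com`) and its own website are not flagged merely for containing its name; only a host that carries the name without being owned by the organisation or by Microsoft trips the lookalike rule. A hop on a trusted platform such as Gamma is recorded as a note rather than a block, since most links to such platforms are benign and the real signal is the Microsoft-branded page the chain ends on.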
Wojtyla urged platforms such as Gamma to deploy mechanisms that identify and remove malicious content. This could involve automatic link scanning, threat-intel integration, end-user reporting, and behavioral analytics.
“Platforms should also consider adding warning banners that notify users when they’re leaving the trusted environment,” he added.