Cyber Security News

Hackers Weaponize Gamma Tool Through Cloudflare Turnstile to Steal Microsoft Credentials

Cybercriminals are exploiting an AI-powered presentation tool called Gamma to launch a multi-stage attack aimed at stealing Microsoft credentials.

This attack route is designed not only to evade traditional security measures but also to deceive human recipients by leveraging trusted platforms and services.

Exploitation of Gamma and Cloudflare Turnstile

Cyber attackers are taking advantage of Gamma, a lesser-known but increasingly used platform for creating presentations, to host malicious content.

Here’s how the attack unfolds:

  • Initial Contact: The campaign begins with an email from a legitimate, compromised account, inviting the recipient to view a document. The subject line and message are generic, often stating something like “View the attached file.” However, the “attached document” is actually a hyperlink leading to a Gamma-hosted presentation.
  • Gamma Presentation: Upon clicking the link, the unsuspecting user is directed to a Gamma presentation featuring the organization’s logo and a call-to-action (CTA) button labeled “View PDF” or similar. The CTA redirects the user onward to the next stage of the attack.
  • Intermediary Splash Page: The next step involves a splash page with Microsoft branding and a Cloudflare Turnstile, a CAPTCHA-free bot detector. This step is crucial: because only real users get through, automated security tools never reach the phishing site.
  • Fake Microsoft Login: After passing the Turnstile, the user lands on a meticulously crafted phishing page mimicking Microsoft’s SharePoint login. Victims are prompted to enter their credentials, which are then validated in real time through an Adversary-in-the-Middle (AiTM) framework, adding to the attack’s sophistication.

Figure: Second fraudulent login portal

Why This Attack Stands Out

This phishing campaign is notable for several reasons:

  • Gamma’s Novelty: Being relatively new, Gamma isn’t as widely recognized, reducing the likelihood of user suspicion.
  • Indirect Email: Attackers do not send emails directly through Gamma, instead embedding malicious links in emails from compromised accounts to bypass content scanning or detection.
  • Cloudflare Turnstile: This service adds a layer of legitimacy, making the phishing site harder to detect by automated systems.

Figure: Presentation hosted on Gamma

The attackers’ use of an AiTM framework is particularly alarming. This setup allows them to not only harvest credentials but also capture session cookies, enabling attackers to bypass Multi-Factor Authentication (MFA) and gain unauthorized access to the victim’s account.

The layered approach of this attack, starting from a legitimate sender, through to a reputable service like Gamma, then a trusted security tool, and finally to a convincing fake login, makes it challenging to detect:

  • Email Authentication: The email passes standard authentication checks, appearing to come from a legitimate source.
  • Multi-Stage Redirection: The attack path is obfuscated by multiple redirects, making static link analysis less effective.

According to the report, this campaign underscores the importance of moving beyond traditional rule-based email security.

AI and behavioral analysis are becoming critical in identifying and stopping such nuanced phishing attempts.
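
As an added illustration (not code from the report or from any vendor), the sketch below shows one behavioral signal the lure described above gives off: the message talks about an attachment, carries none, and links to a presentation-hosting platform, all while passing authentication. The `HOSTING_PLATFORMS` list, the `gamma.app` domain, the `triage` function and the sample message are assumptions made for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: watch-list of presentation/document hosts. gamma.app is assumed
# to be Gamma's hosting domain; the article does not name it.
HOSTING_PLATFORMS = {"gamma.app"}
ATTACHMENT_WORDS = re.compile(r"\b(attached|attachment)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def triage(raw: str) -> dict:
    """Return the behavioural signals found in one RFC 5322 message."""
    msg = message_from_string(raw)
    texts, attachments = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            attachments += 1
        elif part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(texts)
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    platform_hits = sorted(h for h in hosts
                           if any(h == p or h.endswith("." + p) for p in HOSTING_PLATFORMS))
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    signals = {
        # Recorded only: a compromised sender passes all three checks.
        "auth_pass": all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc")),
        "claims_attachment": bool(ATTACHMENT_WORDS.search(msg.get("Subject", "") + " " + body)),
        "has_attachment": attachments > 0,
        "platform_links": platform_hits,
    }
    # Lure pattern from the article: text promises a file, none is attached,
    # and the only "document" is a link to a hosted presentation.
    signals["suspicious"] = (signals["claims_attachment"]
                             and not signals["has_attachment"]
                             and bool(platform_hits))
    return signals

# Constructed sample message (not taken from the campaign).
SAMPLE = """\
From: Pat Doe <pat@partner.example>
Subject: View the attached file
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Please view the attached file: https://gamma.app/docs/constructed-example
"""
```

The verdict deliberately ignores `auth_pass`, since the messages in this campaign come from legitimate, compromised accounts. Only an `Authentication-Results` header stamped by your own mail gateway should be read at all.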


Aman Mishra
