Cyber Security News

Hackers Weaponize Gamma Tool Through Cloudflare Turnstile to Steal Microsoft Credentials

Cybercriminals are exploiting an AI-powered presentation tool called Gamma to launch a multi-stage attack aimed at stealing Microsoft credentials.

This attack route is designed not only to evade traditional security measures but also to deceive human recipients by leveraging trusted platforms and services.

Exploitation of Gamma and Cloudflare Turnstile

Cyber attackers are taking advantage of Gamma, a lesser-known but increasingly used platform for creating presentations, to host malicious content.

Here’s how the attack unfolds:

  • Initial Contact: The campaign begins with an email from a legitimate, compromised account, inviting the recipient to view a document. The subject line and message are generic, often stating something like “View the attached file.” However, the “attached document” is actually a hyperlink leading to a Gamma-hosted presentation.
  • Gamma Presentation: Upon clicking the link, the unsuspecting user is directed to a Gamma presentation featuring the organization’s logo and a call-to-action (CTA) button labeled “View PDF” or similar. Clicking the CTA sends the user on to the next stage of the chain.
  • Intermediary Splash Page: The next step is a splash page with Microsoft branding and a Cloudflare Turnstile, a CAPTCHA-free bot detector. This step is crucial because it ensures only real users reach the phishing site, keeping automated security tools from inspecting it.
  • Fake Microsoft Login: After passing the Turnstile check, the user is presented with a meticulously crafted phishing page mimicking Microsoft’s SharePoint login. Here, victims are prompted to enter their credentials, which are then validated in real time through an Adversary-in-the-Middle (AiTM) framework.

[Image: second fraudulent login portal]

Why This Attack Stands Out

This phishing campaign is notable for several reasons:

  • Gamma’s Novelty: Being relatively new, Gamma isn’t as widely recognized, reducing the likelihood of user suspicion.
  • Indirect Email: Attackers do not send emails directly through Gamma, instead embedding malicious links in emails from compromised accounts to bypass content scanning or detection.
  • Cloudflare Turnstile: This service adds a layer of legitimacy, making the phishing site harder to detect by automated systems.

[Image: presentation hosted on Gamma]

The attackers’ use of an AiTM framework is particularly alarming. This setup allows them to not only harvest credentials but also capture session cookies, enabling attackers to bypass Multi-Factor Authentication (MFA) and gain unauthorized access to the victim’s account.

The layered approach of this attack, starting from a legitimate sender, through to a reputable service like Gamma, then a trusted security tool, and finally to a convincing fake login, makes it challenging to detect:

  • Email Authentication: The email passes standard authentication checks, appearing to come from a legitimate source.
  • Multi-Stage Redirection: The attack path is obfuscated by multiple redirects, making static link analysis less effective.
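
Because the chain only becomes visible across several hosts, one defensive approach is to correlate per-user web proxy events instead of judging the emailed link alone. The sketch below is an added example, not taken from the report: the log format, the sample entries, the hostnames `gamma.app` and `challenges.cloudflare.com`, the Microsoft sign-in host list and the "login in the path" heuristic are all assumptions.

```python
from datetime import datetime, timedelta

# Assumptions (not from the article): Gamma decks are served from gamma.app,
# Turnstile loads from challenges.cloudflare.com, and genuine Microsoft
# sign-in forms post only to the hosts in MS_LOGIN_HOSTS.
GAMMA_DOMAIN = "gamma.app"
TURNSTILE_HOST = "challenges.cloudflare.com"
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
WINDOW = timedelta(minutes=10)

# Constructed sample proxy log: timestamp, user, method, host, path
SAMPLE_LOG = """\
2025-04-15T09:00:05 alice GET gamma.app /docs/constructed-deck
2025-04-15T09:00:40 alice GET portal.example.net /view
2025-04-15T09:00:41 alice GET challenges.cloudflare.com /turnstile/v0/api.js
2025-04-15T09:01:10 alice POST portal.example.net /common/login
2025-04-15T09:02:00 bob GET gamma.app /docs/constructed-team-update
2025-04-15T09:03:00 bob POST login.microsoftonline.com /common/login
2025-04-15T09:05:00 carol GET challenges.cloudflare.com /turnstile/v0/api.js
2025-04-15T09:05:20 carol POST shop.example.org /login
"""

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, user, method, host, path = line.split()
            yield datetime.fromisoformat(ts), user, method, host.lower(), path

def is_gamma(host):
    return host == GAMMA_DOMAIN or host.endswith("." + GAMMA_DOMAIN)

def find_chains(log):
    """Flag users who open a Gamma deck, then load Turnstile, then POST a
    login-like path to a non-Microsoft host, all within WINDOW of the deck."""
    state = {}   # user -> timestamps of the stages seen so far
    alerts = []
    for ts, user, method, host, path in parse(log):
        s = state.setdefault(user, {})
        if is_gamma(host):
            s.clear()
            s["gamma"] = ts
        elif host == TURNSTILE_HOST and "gamma" in s and ts - s["gamma"] <= WINDOW:
            s["turnstile"] = ts
        elif (method == "POST" and "login" in path.lower() and "turnstile" in s
              and ts - s["gamma"] <= WINDOW and host not in MS_LOGIN_HOSTS):
            alerts.append((user, host, ts.isoformat()))
            s.clear()
    return alerts
```

Seeing request paths for HTTPS traffic requires a TLS-inspecting proxy; with hostname-only logs, the same ordering of hosts can still be used as a weaker triage signal.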

According to the report, this campaign underscores the importance of moving beyond traditional rule-based email security.

AI and behavioral analysis are becoming critical in identifying and stopping such nuanced phishing attempts.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
