
Gamma AI Misused in Microsoft Login Scam

April 16, 2025

Key Takeaways

• Cybercriminals exploited the Gamma AI platform to host a phishing chain targeting Microsoft SharePoint users

• The phishing campaign used a multi-step redirection approach including PDF lures, CAPTCHA gates, and spoofed login pages

• Microsoft has warned of increasing AI-powered attacks, including deepfakes, voice impersonation, and fake websites

• A threat actor identified as Storm-1811 has shifted to using PowerShell backdoors and sophisticated social engineering


A new phishing campaign has emerged in which attackers have exploited Gamma, an AI-driven presentation tool, to impersonate Microsoft SharePoint login pages and steal user credentials.

According to researchers at Abnormal Security, the attackers initiated the campaign through phishing emails that often originated from compromised legitimate email accounts.

The emails contained embedded PDFs that were in fact hyperlinked to Gamma-hosted presentations.

These presentations displayed a deceptive button prompting users to “Review Secure Documents.” Clicking this led victims through a multi-stage redirection path that masked the phishing site’s true intent.


• Emails disguised as legitimate messages embedded malicious PDFs
• Gamma-hosted presentations served as initial launchpads for the phishing chain
• Cloudflare Turnstile CAPTCHA was used to simulate legitimacy and block automated security checks

From the Gamma presentation, users were redirected to a splash page designed to look like a Microsoft site and prompted to complete a Cloudflare CAPTCHA verification. The final redirection led to a spoofed Microsoft SharePoint login page, where credentials could be harvested.


“Attackers weaponize Gamma, a relatively new AI-based presentation tool, to deliver a link to a fraudulent Microsoft SharePoint login portal.”— Hinman Baron and Piotr Wojtyla, Abnormal Security


Real-Time Credential Validation Reveals AiTM Strategy

What sets this phishing campaign apart is the adversary-in-the-middle (AiTM) technique used to validate credentials in real time.

If a user enters incorrect login details, the fake portal displays an “Incorrect password” error, confirming that attackers are monitoring input dynamically.


“If mismatched credentials are provided, it triggers an ‘Incorrect password’ error, which indicates the perpetrators are using some sort of adversary-in-the-middle (AiTM) for validating credentials in real time.”— Abnormal Security researchers

This capability increases the attack’s success rate by confirming that stolen credentials are valid before attackers put them to use, while also reinforcing the illusion of authenticity for the victim.


Microsoft Reports Surge in AI-Fueled Phishing and Fraud

The Gamma phishing campaign coincides with broader trends reported in Microsoft’s recent Cyber Signals report.

The company warns of a rise in AI-driven attacks involving deepfakes, voice cloning, and automated phishing schemes. These tactics are increasingly being used to create realistic social engineering lures at scale.


• AI tools enable attackers to scan the web for corporate info to tailor phishing messages
• Fake e-commerce storefronts and fraudulent business personas are generated using AI
• Voice and visual impersonation tools help attackers bypass identity verification protocols


“AI tools can scan and scrape the web for company information, helping attackers build detailed profiles of employees or other targets to create highly convincing social engineering lures.”— Microsoft Cyber Signals Report

These developments point to a concerning shift toward more personalized, realistic, and hard-to-detect phishing campaigns, enabled by AI’s speed and content generation capabilities.


Storm-1811: A Persistent and Adaptive Threat Actor

In parallel with the Gamma-based phishing scheme, another evolving threat actor, Storm-1811 (also known as STAC5777), has adopted more advanced persistence methods.

According to a new report by ReliaQuest, the group has moved beyond traditional phishing tactics to include PowerShell backdoors and TypeLib COM hijacking—techniques aimed at maintaining long-term access to compromised systems.

Initial payloads were delivered via malicious Bing ads, and the campaign focused on executive-level employees in finance and technology sectors—particularly individuals with female-sounding names, indicating a highly selective targeting strategy.


• Phishing chats were sent during mid-afternoon hours to exploit decreased employee alertness
• PowerShell malware variants have been under development since January 2025
• Hijacking methods used help attackers remain undetected in corporate environments


“The phishing chats were carefully timed, landing between 2:00 p.m. and 3:00 p.m., perfectly synced to the recipient organizations’ local time and coinciding with an afternoon slump in which employees may be less alert in spotting malicious activity.”— ReliaQuest report

ReliaQuest also speculates that Storm-1811’s shifting tactics may reflect internal evolution, a splintering of actors, or the reuse of initial access tactics by entirely new groups.


The abuse of Gamma—an AI tool intended for legitimate presentations—illustrates a broader trend in cybercriminals misusing trusted platforms to host and distribute malicious content.

These attacks represent a shift toward “living-off-trusted-sites” (LOTS) tactics, where attackers hide in plain sight using platforms that are often overlooked by security filters.

The combined use of CAPTCHA gates, real-time credential checks, and AI-driven social engineering showcases the increasing complexity of phishing threats. As generative AI tools become more accessible, so too does the potential for large-scale, convincing fraud and data theft.

Security leaders are advised to:

  • Audit and monitor usage of third-party SaaS tools across the organization

  • Adopt behavior-based detection methods that go beyond static URL filters

  • Train employees to recognize advanced phishing signs, including indirect login prompts and unfamiliar webflows
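One way to implement the behavior-based check recommended above, as an added example that is not from the article or from Abnormal Security’s research: a small Python analyzer walks constructed proxy log lines and flags a client that opens a presentation-SaaS launchpad, then loads a CAPTCHA widget, then submits a password to a host that is not a Microsoft sign-in domain. The log format, the host lists and the gamma.app domain are assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Assumed host lists for the example: the SaaS launchpad (gamma.app is an
# assumption), the Cloudflare Turnstile script host, and Microsoft sign-in hosts.
SAAS_LAUNCHPADS = {"gamma.app"}
CAPTCHA_HOSTS = {"challenges.cloudflare.com"}
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Constructed sample proxy log (not real traffic): client method url referer posted_fields
SAMPLE_LOG = """\
10.0.0.5 GET https://gamma.app/docs/abc123 - -
10.0.0.5 GET https://docs-review.example/verify https://gamma.app/docs/abc123 -
10.0.0.5 GET https://challenges.cloudflare.com/turnstile/v0/api.js https://docs-review.example/verify -
10.0.0.5 POST https://docs-review.example/login https://docs-review.example/verify username,password
10.0.0.9 GET https://gamma.app/docs/team-update - -
10.0.0.9 POST https://login.microsoftonline.com/common/login https://login.microsoftonline.com/ username,password
"""

def parse_line(line):
    """Split one space-separated log record into its fields; '-' means empty."""
    client, method, url, referer, fields = line.split()
    return {"client": client, "method": method, "host": urlparse(url).hostname,
            "referer_host": None if referer == "-" else urlparse(referer).hostname,
            "fields": set() if fields == "-" else set(fields.split(","))}

def is_legit_login(host):
    """Exact Microsoft sign-in hosts, plus any tenant under sharepoint.com."""
    return host in LEGIT_LOGIN_HOSTS or host.endswith(".sharepoint.com")

def find_chains(log_text):
    """Return (client, host) for every session that followed the full chain:
    SaaS launchpad -> CAPTCHA widget -> password POST to a non-Microsoft host."""
    state = defaultdict(lambda: {"launchpad": False, "captcha": False})
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        s = state[ev["client"]]
        if ev["host"] in SAAS_LAUNCHPADS:
            s["launchpad"] = True
        elif ev["host"] in CAPTCHA_HOSTS and s["launchpad"]:
            s["captcha"] = True
        elif (ev["method"] == "POST" and "password" in ev["fields"]
              and s["captcha"] and not is_legit_login(ev["host"])):
            alerts.append((ev["client"], ev["host"]))
    return alerts

if __name__ == "__main__":
    print(find_chains(SAMPLE_LOG))
```

The second session in the sample (a Gamma visit followed by a sign-in at the real Microsoft host, with no CAPTCHA gate) produces no alert, which is the false-positive control a static URL filter on the SaaS domain alone would not give.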

As attackers grow more agile and adaptive, so too must enterprise defense strategies—especially when the threat surface now includes the tools we trust the most.

I’m Anosha Shariq, a tech-savvy content and news writer with a flair for breaking down complex AI topics into stories that inform and inspire. From writing in-depth features to creating buzz on social media, I help shape conversations around the ever-evolving world of artificial intelligence.
