- Attackers use stolen email accounts to launch phishing attacks
- They create fake landing pages via Gamma AI, experts warn
- The objective is to steal Microsoft login credentials
Gamma, a relatively new AI-powered presentation tool, is being abused in highly convincing phishing attacks that impersonate Microsoft SharePoint and aim to steal people’s login credentials.
Researchers at cybersecurity firm Abnormal identified the attacks in the wild and described the phishing flow as “so polite that it seems legitimate at each stage”.
The attack begins with a generic, brief and to-the-point phishing email sent from a legitimate but compromised email account. This helps the crooks bypass standard authentication checks such as SPF, DKIM and DMARC and land the email directly in the target’s inbox.
SharePoint impersonation
The email itself is nothing out of the ordinary and has a PDF attachment which, in reality, is only a hyperlink leading to a presentation hosted on Gamma, an AI-powered online presentation builder.
The presentation includes the logo of the impersonated organization and a message along the lines of “display PDF” or “review the secure documents”.
The message is a hyperlink that leads to an intermediate splash page containing impersonated Microsoft branding and a Cloudflare Turnstile. In this way, the crooks ensure that real humans, not basic automated security tools, access the site.
If the victim clicks the call to action, they are taken to a phishing page that pretends to be the Microsoft SharePoint sign-in portal.
This is where the real theft occurs, because the victims are then invited to sign in using their Microsoft credentials.
Entering incorrect credentials returns an error, which led the researchers to conclude that the attackers have some kind of adversary-in-the-middle setup that helps them check the credentials in real time.
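A mail-triage check for the pattern described above, a PDF attachment whose link points at a presentation service while the message passes SPF, DKIM and DMARC. This is an added example, not code from Abnormal or from the article; the watched host `gamma.app`, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlsplit

# Assumption: hosts of content-building services to watch; tune per environment.
WATCHED_HOSTS = {"gamma.app"}
URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

def pdf_link_hosts(pdf_bytes):
    """Hosts of uncompressed /URI link actions (compressed streams need a PDF parser)."""
    hosts = []
    for raw in URI_ACTION.findall(pdf_bytes):
        url = re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")  # undo PDF escapes
        host = (urlsplit(url).hostname or "").lower()
        if host:
            hosts.append(host)
    return hosts

def watched(host):
    return any(host == w or host.endswith("." + w) for w in WATCHED_HOSTS)

def triage(raw_message):
    """Return one finding per PDF attachment that links to a watched host."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    # Only trust an Authentication-Results header stamped by your own MTA.
    auth = str(msg.get("Authentication-Results", "")).lower()
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    findings = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        hits = sorted({h for h in pdf_link_hosts(part.get_content()) if watched(h)})
        if hits:  # auth_pass is reported as context only, never as a reason to allow
            findings.append({"file": part.get_filename(), "hosts": hits, "auth_pass": auth_pass})
    return findings

def constructed_sample():
    """Constructed message: passes SPF/DKIM/DMARC, PDF carries a single link."""
    msg = EmailMessage()
    msg["From"] = "sender@partner.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Document for review"
    msg["Authentication-Results"] = "mx.corp.example; spf=pass; dkim=pass; dmarc=pass"
    msg.set_content("Please see the attached document.")
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI"
           b" /URI (https://gamma.app/docs/constructed-example) >> >> endobj\n%%EOF\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="document.pdf")
    return msg.as_bytes()
```

A finding with `auth_pass` set to true is the case the article describes: the sender is genuine but compromised, so the attachment's link target is the signal rather than the authentication result.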
Abnormal says that the attack is unique mainly because Gamma is a “new relative” on the scene, having been around for only a few years.
“Organizations are becoming more and more familiar with phishing attacks in general, and some may have even started to incorporate examples in their training in safety awareness.
“Thus, this type of attack cannot trigger the alarm bells which encourage a higher level of scrutiny from employees the way an attack that exploits Canva or Google Drive could.”