We use AI every day, whether it’s ChatGPT helping draft emails, Canva creating social media posts, or even tools like Gamma, an AI-powered presentation platform, simplifying the way we build decks for work. AI has become our online co-pilot, our time-saver, our creative assistant. But what happens when that same convenience becomes a disguise for deception?
That’s exactly what’s happening now.
Cybercriminals have figured out how to use Gamma—a sleek, AI-driven tool many professionals use to create stunning presentations—as a stage for something far more sinister. Instead of sharing company updates or pitching ideas, attackers are using Gamma to host presentations that hide a dark purpose: to steal your login credentials.
According to security researchers Callie Hinman Baron and Piotr Wojtyla from Abnormal Security, the attack starts subtly, like many phishing schemes do. Victims receive an email—sometimes from a legitimate, compromised account—inviting them to open a PDF.
It could easily be mistaken for an HR document or a shared resource. But here’s the twist: the PDF isn’t really a document at all. It’s a hyperlink that redirects to a Gamma-hosted presentation.
That presentation includes a sleek button that says something harmless like “Review Secure Documents.” You click, expecting to view a file—but instead, you're ushered to a page impersonating Microsoft. Before you can access the content, you're asked to complete a Cloudflare Turnstile CAPTCHA, which makes everything feel official. It’s a clever trick: the CAPTCHA helps the scam feel real and also prevents some security tools from detecting the malicious site.
After that, you're sent to a convincing replica of a Microsoft SharePoint login page. The goal? Your credentials. And if you make a typo while logging in, it gives an “Incorrect password” error—another trick that reveals the attackers are validating logins in real time using an adversary-in-the-middle setup. It’s not just phishing, it’s interactive phishing.
This kind of multi-layered attack, using tools people trust, is part of a broader trend known as living-off-trusted-sites (LOTS). Attackers aren’t building shady websites anymore—they’re piggybacking on legitimate platforms like Gamma, SharePoint, and even Microsoft Teams, making it harder for spam filters and firewalls to block them.
It’s a chilling reminder that even the tech we rely on to streamline our lives can become weapons in the wrong hands.
And it’s not just Gamma. Microsoft recently sounded the alarm in its Cyber Signals report about how threat actors are going all-in on AI to scale up their scams—creating deepfakes, voice clones, fake job listings, and AI-enhanced websites.
One group, known as Storm-1811, has taken things even further. They’ve impersonated IT support via Microsoft Teams, tricking users into giving remote access through Microsoft’s own Quick Assist tool. And now, they’re evolving again—deploying backdoors using sophisticated tools like PowerShell malware and COM hijacking, targeting high-level employees, particularly those with female-sounding names.
Even the timing of their attacks is eerily calculated: emails and Teams messages arrive between 2 p.m. and 3 p.m., right in the post-lunch lull when focus drops and reflexes slow.
Whether it’s Storm-1811 or another group borrowing their tactics, one thing is clear: phishing isn’t going away. It’s getting smarter, more personal, and more embedded in the very tools we trust.
So next time you’re clicking through that AI-powered presentation or logging into your Microsoft account, pause and look twice!
Mitigations For Everyday Users
Bookmark Trusted Login Pages
Go directly to login.microsoft.com or your organization’s single sign-on (SSO) portal. Don’t log in through links in emails or documents.
Trust, but Verify AI Tools
AI platforms are super helpful—but if you’re being redirected to an AI-based presentation or site asking for your login, be cautious. These tools can be used by anyone, even attackers.
Mitigations For Organizations
Implement Email Security Filters with LOTS Detection
Upgrade your email gateway to detect Living Off Trusted Sites (LOTS) tactics and inspect links within PDF attachments and presentations—even if they point to legitimate platforms like Gamma or Microsoft.
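To make the "inspect links even when they point to a trusted platform" idea concrete, here is an added example (not code from the article or from any gateway vendor) that pulls hyperlinks out of a PDF attachment and classifies each one. The sample PDF, the host lists, and the verdict strings are all constructed for the example; the point is that a link to a platform where anyone can publish content gets a "follow and inspect" verdict rather than an automatic pass because the domain has a good reputation.

```python
"""Extract hyperlinks from a PDF and mark every one for inspection, including
links to trusted content-hosting platforms (the LOTS pattern).

Added example; the PDF sample and host lists below are constructed placeholders.
"""
import re
from urllib.parse import urlparse

# Constructed minimal PDF with two Link annotations (not a real phishing sample).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://presentations.example/deck/q2-benefits) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 660 300 680]
   /A << /S /URI /URI (https://intranet.corp.example/hr/handbook.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Hosts the organization itself operates (placeholder): links here are expected.
INTERNAL_HOSTS = {"intranet.corp.example"}
# Legitimate third-party platforms where anyone can publish content (placeholder
# standing in for presentation/document hosting services). A link here is not
# malicious by itself, but must be followed and the landing page inspected; it
# is never auto-allowed just because the domain has a good reputation.
PUBLISH_ANYWHERE_HOSTS = {"presentations.example"}

# Matches "/URI (...)" actions in uncompressed objects; "\\." keeps escaped
# parentheses inside the PDF literal string from ending the match early.
URI_PATTERN = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_pdf_links(pdf_bytes):
    """Return URI strings from /URI actions found in the raw PDF bytes.

    Caveat: annotations stored inside FlateDecode'd object streams are invisible
    to a raw-bytes scan, so a production gateway must decompress streams or use
    a full PDF parser; this function shows the extraction logic only.
    """
    links = []
    for raw in URI_PATTERN.findall(pdf_bytes):
        # Undo the PDF string escapes that can legitimately appear in a URL.
        text = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        links.append(text.decode("latin-1"))
    return links


def classify_link(url):
    """Verdict for one link: internal, hosted-platform (inspect), or external (inspect)."""
    host = (urlparse(url).hostname or "").lower()
    if host in INTERNAL_HOSTS:
        return "internal"
    if host in PUBLISH_ANYWHERE_HOSTS:
        return "hosted-platform: follow and inspect landing page"
    return "external: inspect"


def scan_pdf(pdf_bytes):
    """Return (url, verdict) pairs for every link in the attachment."""
    return [(url, classify_link(url)) for url in extract_pdf_links(pdf_bytes)]


if __name__ == "__main__":
    for url, verdict in scan_pdf(SAMPLE_PDF):
        print(f"{verdict:50s} {url}")
```

The verdict for the hosted-platform link is deliberately "follow and inspect" rather than "block": the gateway (or a sandbox behind it) should render the landing page and look at where its buttons lead, since in the chain described above the presentation itself is benign and the credential-harvesting page sits several clicks further on.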
Educate Employees on Modern Phishing Tactics
Train staff to recognize multi-step phishing attempts that use CAPTCHAs or AI-generated interfaces. Awareness is the best frontline defense.
Deploy Adversary-in-the-Middle (AiTM) Detection
Use threat detection tools that can identify AiTM behavior, such as real-time credential validation or session hijacking.
Restrict Access to Lesser-Known AI Tools
If platforms like Gamma aren’t business-critical, consider blocking them on your network or implementing conditional access policies.
Monitor for Unusual Authentication Attempts
Use SIEM tools to track login attempts from new IP addresses, devices, or geographic locations. Trigger alerts for anomalies.
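As an added illustration of the SIEM rule described above (this is example code, not any product's detection content), the script below builds a per-user baseline of IP addresses, devices and countries from past successful sign-ins and then flags new sign-ins that come from a source the user has never used. It also flags a successful sign-in from a different country within an hour of the previous one, which is the footprint an adversary-in-the-middle replay leaves when the attacker's infrastructure, not the victim's machine, completes the login. The log format, field names, sample events and the 60-minute window are all assumptions made for the example.

```python
"""Flag sign-ins from IPs, devices or countries a user has never used before,
and rapid country changes between successive sign-ins.

Added example; the JSON-lines format, field names and thresholds are assumptions,
not any SIEM's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs). Historical successes used
# to learn what "normal" looks like for each user.
BASELINE_LOG = """\
{"ts": "2025-04-01T09:02:11Z", "user": "alice", "ip": "203.0.113.10", "country": "US", "device": "win-laptop-17", "result": "success"}
{"ts": "2025-04-02T08:58:40Z", "user": "alice", "ip": "203.0.113.10", "country": "US", "device": "win-laptop-17", "result": "success"}
{"ts": "2025-04-02T13:15:03Z", "user": "bob", "ip": "198.51.100.22", "country": "US", "device": "mac-bob", "result": "success"}
"""

# Constructed events to evaluate: alice's second sign-in comes from a new IP,
# new device and new country, 12 minutes after her normal one.
NEW_LOG = """\
{"ts": "2025-04-10T14:21:05Z", "user": "alice", "ip": "203.0.113.10", "country": "US", "device": "win-laptop-17", "result": "success"}
{"ts": "2025-04-10T14:33:48Z", "user": "alice", "ip": "192.0.2.77", "country": "NL", "device": "unknown-browser", "result": "success"}
{"ts": "2025-04-10T14:40:12Z", "user": "bob", "ip": "198.51.100.22", "country": "US", "device": "mac-bob", "result": "failure"}
{"ts": "2025-04-10T14:41:30Z", "user": "bob", "ip": "198.51.100.22", "country": "US", "device": "mac-bob", "result": "success"}
"""

ATTRIBUTES = ("ip", "device", "country")
TRAVEL_WINDOW = timedelta(minutes=60)  # assumed threshold for "rapid country change"


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per-user sets of IPs, devices and countries seen in successful sign-ins."""
    baseline = defaultdict(lambda: {key: set() for key in ATTRIBUTES})
    for ev in events:
        if ev["result"] == "success":
            for key in ATTRIBUTES:
                baseline[ev["user"]][key].add(ev[key])
    return baseline


def detect_anomalies(baseline, events):
    """Return one alert per successful sign-in that deviates from the baseline.

    Unflagged sign-ins extend the baseline; flagged ones do not, so a single
    suspicious source is not silently learned as normal.
    """
    alerts = []
    last_success = {}  # user -> (ts, country) of the most recent successful sign-in
    for ev in events:
        if ev["result"] != "success":
            continue  # only successful sign-ins establish a session worth alerting on
        user = ev["user"]
        known = baseline[user]  # unseen users get empty sets, so everything is new
        reasons = [f"new {key}: {ev[key]}" for key in ATTRIBUTES if ev[key] not in known[key]]
        prev = last_success.get(user)
        if prev and prev[1] != ev["country"] and ev["ts"] - prev[0] <= TRAVEL_WINDOW:
            minutes = int((ev["ts"] - prev[0]).total_seconds() // 60)
            reasons.append(f"country changed {prev[1]}->{ev['country']} within {minutes} min")
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "user": user, "reasons": reasons})
        else:
            for key in ATTRIBUTES:
                known[key].add(ev[key])
        last_success[user] = (ev["ts"], ev["country"])
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_events(BASELINE_LOG))
    for alert in detect_anomalies(base, parse_events(NEW_LOG)):
        print(alert["ts"], alert["user"], "; ".join(alert["reasons"]))
```

Bob's failed attempt followed by a success from his usual machine produces no alert, which is the intended behaviour: a mistyped password from a known device is noise. Alice's sign-in from a new IP, new device and new country twelve minutes after a normal one is exactly the shape to route to an analyst, and a real deployment would enrich it with the IP's ASN and whether the session token was subsequently reused from elsewhere.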
Patch and Update Security Software
Ensure all security tools—email filters, firewalls, EDR, and browsers—are fully updated to catch the latest threats.