
Gamma presentation tool exploited in multi-stage phishing attack

Written by Farah Amod | October 21, 2025

Threat actors use Gamma, Cloudflare Turnstile, and AiTM techniques to bypass detection and steal Microsoft credentials in a complex credential-harvesting campaign.

What happened

Security researchers have uncovered a multi-layered phishing campaign that exploits Gamma, an AI-powered presentation tool, to trick users into entering their Microsoft login credentials. The attack begins with an email from a compromised legitimate account and directs users through a fake document preview hosted on Gamma, leading ultimately to a spoofed Microsoft SharePoint login page.

The campaign employs several techniques to appear trustworthy and avoid detection, including the use of Cloudflare Turnstile for bot filtering, domain impersonation, and adversary-in-the-middle (AiTM) tactics that allow attackers to validate stolen credentials in real time.

Going deeper

The phishing email appears to come from a familiar source and contains what looks like a PDF attachment, but is actually a link to a Gamma-hosted presentation. The presentation mimics a file-sharing notification, using brand logos and language consistent with a shared-document experience. A prominent call-to-action (CTA) button leads the target to a splash page that mimics Microsoft's styling and includes a Cloudflare Turnstile verification step, a tactic used to block basic automated scanners.

Once verification is completed, the user is taken to a spoofed Microsoft login portal. After entering an email address, they are prompted for their password. If incorrect credentials are entered, the site returns an error in real time, evidence that an AiTM setup is validating inputs live.

These attacks belong to a broader trend known as "living-off-trusted-sites" (LOTS), where legitimate platforms like Canva or Lucidchart are repurposed for phishing. Gamma’s relative newness makes it less likely to be flagged by security systems or recognized by users as potentially risky. By not using Gamma’s built-in sharing features, attackers avoid triggering content scans or spam filters, further increasing inbox delivery success.
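One defensive check suggested by the flow above, written here as an added example (it is not Paubox's product code and not code from the researchers who reported the campaign): it scans an HTML mail body for links whose visible text or image alt text presents them as a PDF attachment, but whose destination is an external host that does not actually serve a .pdf file. The sample message, the presentation-host.example hostname and the corp.example internal domain are constructed placeholders.

```python
"""Flag 'PDF attachments' that are really links to a third-party hosting site.
Added example, not Paubox's or the researchers' code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organisation treats as its own; anything else is external.
INTERNAL_DOMAINS = {"corp.example"}

# Visible cues that a link is dressed up as a file attachment (constructed list).
ATTACHMENT_CUES = re.compile(
    r"\.pdf\b|open (the )?document|view (the )?file|shared (a )?document", re.I
)


class _LinkCollector(HTMLParser):
    """Collect (href, text the user sees) for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []
        elif tag == "img" and self._href is not None:
            # Alt text of an image inside the anchor is part of what the user sees
            self._text.append(a.get("alt") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(" ".join(self._text).split())))
            self._href = None


def _is_internal(host):
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def find_attachment_lookalike_links(html):
    """Return links that look like attachments but lead to an external, non-PDF URL."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if not host or _is_internal(host):
            continue
        if ATTACHMENT_CUES.search(text) and not parsed.path.lower().endswith(".pdf"):
            findings.append({"text": text, "host": host})
    return findings


# Constructed sample body: a fake "attachment" link, an internal PDF link, a footer link.
SAMPLE_HTML = """<p>Hi, please review the attached proposal.</p>
<a href="https://presentation-host.example/docs/abc123"><img src="cid:pdficon" alt="Q3_Proposal.pdf"> Open document</a>
<p><a href="https://intranet.corp.example/policy.pdf">Travel policy (PDF)</a></p>
<p><a href="https://presentation-host.example/unsubscribe">Unsubscribe</a></p>"""

if __name__ == "__main__":
    for f in find_attachment_lookalike_links(SAMPLE_HTML):
        print(f"attachment-lookalike link '{f['text']}' -> {f['host']}")
```

Because the sending account in this campaign was genuinely compromised, SPF, DKIM and DMARC all pass; this check inspects the rendered body rather than the authentication headers, which is why it still fires on a message that "passes technical checks". Only the first link is reported: the intranet link is internal and actually ends in .pdf, and the unsubscribe link carries no attachment cue.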

 

What was said

Security analysts point out that the inclusion of Cloudflare Turnstile and AiTM elements marks a new level of technical precision in phishing flows. These steps allow attackers to evade detection, increase believability, and capture session cookies that can bypass MFA.

Researchers warn that organizations may not yet include emerging platforms like Gamma in their security awareness training, giving attackers a broader window of opportunity to exploit unfamiliar tools.

The big picture

The Gamma campaign shows how attackers are moving beyond suspicious domains and fake brands to abuse legitimate platforms people already trust. Emails come from real accounts, link to real Gamma pages, and use Cloudflare’s own tools to appear secure. Each layer looks normal until the final step, where users hand over Microsoft credentials to a live phishing portal that even checks passwords in real time.

Paubox recommends Inbound Email Security as an added layer of protection against attacks like this. It studies how people in an organization normally communicate and flags messages that feel out of place, even when they pass technical checks. That context-first approach helps catch phishing campaigns hiding behind trusted services before users ever click.

FAQs

What is Gamma, and why is it attractive to attackers?

Gamma is an AI-powered presentation tool. Its relatively low profile and trusted domain status make it a useful platform for attackers to host phishing content without raising red flags.

How does Cloudflare Turnstile help attackers in this phishing flow?

Turnstile blocks automated scanners from reaching the final phishing page, making the malicious content invisible to many detection tools while appearing legitimate to human users.

What is an adversary-in-the-middle (AiTM) attack?

AiTM attacks allow cybercriminals to intercept and relay login credentials in real time, capturing session cookies and potentially bypassing MFA protections.

Why didn’t traditional security tools catch this attack?

The use of compromised legitimate email accounts and links hosted on a trusted domain helped the phishing emails bypass authentication checks and evade rule-based filters.

What should organizations do to defend against LOTS-style phishing attacks?

Organizations should implement behavioral threat detection tools, expand security training to include lesser-known platforms, and monitor context-driven anomalies rather than relying solely on static rules or known phishing URLs.
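A minimal illustration of the "context-driven anomaly" idea in that answer, added here as an example (not Paubox's Inbound Email Security or any vendor's code): it builds a baseline of which link hostnames each sender has used in past mail and which hostnames the organisation as a whole has seen, then flags a new message whose links point somewhere that sender has never linked before, with extra weight when the host is also rare organisation-wide. The message history and the partner.example, vendor.example and presentation-host.example hostnames are constructed sample data.

```python
"""Sender-baseline anomaly check for link destinations in inbound mail.
Added example; not Paubox's product code. History data is constructed."""
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Assumption: a record of previously delivered messages as (sender, link hostnames).
HISTORY = [
    ("alice@partner.example", ["partner.example", "sharepoint.com"]),
    ("alice@partner.example", ["partner.example"]),
    ("alice@partner.example", ["sharepoint.com"]),
    ("bob@vendor.example", ["vendor.example", "docusign.net"]),
    ("bob@vendor.example", ["vendor.example"]),
]


class SenderBaseline:
    """Per-sender and organisation-wide counts of link hostnames seen before."""

    def __init__(self, history):
        self.per_sender = defaultdict(Counter)   # sender -> host -> messages containing it
        self.msg_count = Counter()                # sender -> messages seen
        self.org_wide = Counter()                 # host -> messages containing it, all senders
        for sender, hosts in history:
            sender = sender.lower()
            hosts = {h.lower() for h in hosts}
            self.per_sender[sender].update(hosts)
            self.org_wide.update(hosts)
            self.msg_count[sender] += 1

    def score(self, sender, urls, rare_threshold=2):
        """Return (flagged, reasons) for a new message from `sender` containing `urls`."""
        sender = sender.lower()
        seen = self.per_sender.get(sender, Counter())
        reasons = []
        if self.msg_count[sender] == 0:
            reasons.append("first message from this sender")
        for url in urls:
            host = (urlparse(url).hostname or "").lower()
            if not host or host in seen:
                continue  # a destination this sender has used before is expected
            if self.org_wide[host] < rare_threshold:
                reasons.append(f"{host}: never linked by {sender} and rare organisation-wide")
            else:
                reasons.append(f"{host}: never linked by {sender}")
        # Flag only when a link destination is novel; a first contact with only
        # familiar destinations is noted but not flagged on its own.
        novel = any(r.startswith(tuple(s for s in r.split(":")[:1])) and ":" in r for r in reasons)
        return (novel, reasons)


if __name__ == "__main__":
    baseline = SenderBaseline(HISTORY)
    flagged, why = baseline.score(
        "alice@partner.example",
        ["https://presentation-host.example/docs/abc123", "https://partner.example/news"],
    )
    print(flagged, why)
```

In the constructed history, alice has sent three messages linking only to partner.example and sharepoint.com; a new message from her that links to presentation-host.example is flagged because that host is both new for her and unseen organisation-wide, while a message that links only to sharepoint.com is not. A first message from an unknown sender that links only to hosts the organisation already knows is recorded as a first contact but not flagged by this check alone; the point of the example is that the verdict depends on who normally links where, not on a static list of bad URLs.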