- Hackers are using stolen email accounts to launch phishing attacks
- They are creating fake landing pages through Gamma AI, experts warn
- The goal is to steal Microsoft login credentials
Gamma, a relatively new presentation software tool, is being abused in hyper-convincing phishing attacks that impersonate Microsoft SharePoint and aim to steal people’s login credentials.
Cybersecurity researchers at Abnormal spotted the attacks in the wild and described the phishing flow as “so polished that it feels legitimate at each step.”
The attack begins with a generic, short and to-the-point phishing email sent from a legitimate but compromised email account. This helps the criminals get past standard authentication checks such as SPF, DKIM and DMARC and land the email directly in the target’s inbox.
SPOOFING SHAREPOINT
The email itself is nothing out of the ordinary. It carries what looks like an attached PDF file but is, in reality, only a hyperlink, which leads to a presentation hosted on Gamma, an AI-powered online presentation builder.
The presentation features the impersonated organization’s logo and a message along the lines of “See PDF” or “Review safe documents”.
The message is itself a hyperlink that leads to an intermediate splash page carrying Microsoft branding and a Cloudflare Turnstile. In this way, the criminals make sure that real humans, not basic automated security tools, reach the site.
If the victim clicks the call to action, they are taken to a phishing page that poses as the Microsoft SharePoint login portal.
This is where the actual theft occurs, since victims are prompted to log in with their Microsoft credentials.
Typing in incorrect credentials returns an error, which led the researchers to conclude that the attackers have some type of adversary-in-the-middle setup that helps them verify credentials in real time.
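The first two stages described above (an authenticated email whose PDF attachment is only a link to a Gamma presentation) can be checked at mail triage. The following is an added example, not code from Abnormal or the original article; the function names, the host list and the sample message are constructed for illustration, and `gamma.app` is assumed as Gamma's domain because the article does not name it.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumption: presentation-builder hosts to watch (gamma.app assumed for Gamma).
BUILDER_HOSTS = {"gamma.app"}
# Matches uncompressed link actions only; PDFs that keep annotations in
# compressed object streams need a real PDF parser.
URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.S)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def pdf_link_hosts(pdf: bytes) -> set:
    """Hostnames of every /URI link action found in the raw PDF bytes."""
    hosts = set()
    for raw in URI_RE.findall(pdf):
        host = urlsplit(raw.decode("latin-1")).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def triage(raw_eml: bytes, builder_hosts=BUILDER_HOSTS) -> dict:
    """Flag mail whose PDF attachment links to a presentation-builder host."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", "")).lower()))
    hits = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        for host in pdf_link_hosts(part.get_content()):
            if any(host == b or host.endswith("." + b) for b in builder_hosts):
                hits.append((part.get_filename(), host))
    auth_pass = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    # Passing SPF/DKIM/DMARC must not clear the message: the sender is a
    # real but compromised account, so the verdict rests on the PDF link.
    return {"auth_pass": auth_pass, "pdf_builder_links": sorted(hits),
            "suspicious": bool(hits)}

def build_sample(url: str) -> bytes:
    """Constructed test message: authenticated mail with a one-link PDF stub."""
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
           b"/A << /S /URI /URI (" + url.encode() + b") >> >> endobj\n%%EOF")
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "partner@example.com", "user@example.org", "Document"
    m["Authentication-Results"] = "mx.example.org; spf=pass; dkim=pass; dmarc=pass"
    m.set_content("Please review the attached document.")
    m.add_attachment(pdf, maintype="application", subtype="pdf", filename="document.pdf")
    return m.as_bytes()
```

A hit is a reason to route the message for review rather than a verdict, since legitimate senders also share Gamma presentations.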
Abnormal says the attack is unique mainly because Gamma is a “relative newcomer” on the scene, having been around for only a few years.
“Organizations are becoming increasingly familiar with file-sharing phishing attacks in general, and some may have begun to incorporate examples into their security awareness training. That said, it is very likely that the percentage of companies that have updated their cyber education to include this type of phishing, and the number that uses examples of the attacks of the researchers who exploit the researchers.
“Therefore, this type of attack may not trigger the alarms that prompt a higher level of employee scrutiny in the way an attack that exploits Canva or Google Drive would.”