NEWS Attention, Slide Show: Your Passwords Are Leaking to Hackers During the Presentation

ExcalibuR



You won’t even realize when you’ve been fooled.

A group of cybercriminals has started using Gamma, an AI-powered presentation platform, in a new multi-stage phishing attack. During the attack, victims are redirected to a fake Microsoft SharePoint login page where their credentials are stolen.

Researchers from Abnormal Security reported that a PDF file attached to an email is actually a link to a Gamma presentation disguised as a secure document viewer. When clicked, the victim lands on an intermediate page mimicking a Microsoft service, complete with Cloudflare Turnstile CAPTCHA protection. This creates an illusion of legitimacy and reduces the likelihood of automated security analysis.

The next stage redirects the victim to a fake Microsoft SharePoint login page that operates as an Adversary-in-the-Middle (AitM): the credentials the victim types are relayed to the real Microsoft service as they are entered, so an incorrect password produces a genuine-looking error message and the victim is prompted to try again.

Such attacks fall under the "Living-off-Trusted-Sites" (LoTS) category: they host the malicious content on legitimate online services, so the emails and links pass SPF, DKIM, and DMARC checks, which authenticate the sending domain rather than the destination of the links. By using lesser-known tools like Gamma, attackers evade automated detection systems that key on known-bad domains and deceive users who recognize a legitimate brand. The presentation platform becomes not just a disguise but one hop in a multi-stage redirection chain that conceals the attack's true purpose.
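The redirect chain described above (trusted hosting entry, CAPTCHA gate, lookalike SharePoint login) can be flagged from a sandbox capture rather than from the sender domain, which is exactly what SPF/DKIM/DMARC cannot do. The following is an added example, not code from the article or from Abnormal Security: it classifies an ordered list of pages a URL sandbox recorded while following the link. The sample hops, the attacker host `secure-viewer.example`, the `TRUSTED_HOSTING` list, the Microsoft domain suffixes and the page markers are all constructed assumptions; the check that the login form posts to a non-Microsoft host generalizes the AitM relay described in the text.

```python
"""Classify a captured navigation chain for the Living-off-Trusted-Sites pattern.

Added example; not code from the article or from Abnormal Security. Hosts,
markers and the sample chains below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urljoin, urlparse

# Assumption: public hosts of content platforms whose user-authored pages get abused.
TRUSTED_HOSTING = {"gamma.app"}
# Assumption: domain suffixes that legitimately serve Microsoft sign-in / SharePoint pages.
MICROSOFT_SUFFIXES = (".microsoft.com", ".microsoftonline.com", ".sharepoint.com", ".live.com")
# Assumption: markup fragments that identify a Cloudflare Turnstile widget on the page.
CAPTCHA_MARKERS = ("challenges.cloudflare.com/turnstile", "cf-turnstile")
# Assumption: strings a Microsoft-branded login page is likely to carry.
BRAND_MARKERS = ("sharepoint", "microsoft", "sign in to your account")
PASSWORD_FIELD = re.compile(r'<input[^>]*type=["\']password["\']', re.I)
FORM_ACTION = re.compile(r'<form[^>]*action=["\']([^"\']+)["\']', re.I)


@dataclass
class Hop:
    """One page the victim reached, in order, as recorded by a URL sandbox (constructed)."""
    url: str
    status: int
    body: str = ""


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_microsoft_host(host: str) -> bool:
    return host.endswith(MICROSOFT_SUFFIXES)


def analyze_chain(hops: list[Hop]) -> dict:
    """Return the hosts traversed, the findings raised, and an overall verdict."""
    hosts = [host_of(h.url) for h in hops]
    findings = []
    if hosts and hosts[0] in TRUSTED_HOSTING:
        findings.append(f"entry_on_trusted_hosting:{hosts[0]}")
    for hop in hops:
        host, low = host_of(hop.url), hop.body.lower()
        if any(m in low for m in CAPTCHA_MARKERS):
            findings.append(f"captcha_gate:{host}")
        branded = any(b in low for b in BRAND_MARKERS)
        # A Microsoft-branded password form served from a non-Microsoft host is the
        # lookalike login page; the form action shows where credentials actually go.
        if PASSWORD_FIELD.search(hop.body) and branded and not is_microsoft_host(host):
            findings.append(f"lookalike_ms_login:{host}")
            action = FORM_ACTION.search(hop.body)
            if action:
                action_host = host_of(urljoin(hop.url, action.group(1)))
                if not is_microsoft_host(action_host):
                    findings.append(f"credentials_posted_to:{action_host}")
    kinds = {f.split(":")[0] for f in findings}
    if {"entry_on_trusted_hosting", "lookalike_ms_login"} <= kinds:
        verdict = "phish_chain"
    elif "lookalike_ms_login" in kinds:
        verdict = "suspicious_login_page"
    else:
        verdict = "benign"  # a trusted-hosting entry alone is not a finding
    return {"hosts": hosts, "findings": findings, "verdict": verdict}


# Constructed sandbox capture of the chain described in the article.
PHISH_CHAIN = [
    Hop("https://gamma.app/docs/Secure-Document-x1y2z3", 200,
        '<html><h1>Secure document viewer</h1>'
        '<a href="https://secure-viewer.example/verify">Review document</a></html>'),
    Hop("https://secure-viewer.example/verify", 200,
        '<html><title>Microsoft</title><div class="cf-turnstile" data-sitekey="x"></div>'
        '<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script></html>'),
    Hop("https://secure-viewer.example/sharepoint/login", 200,
        '<html><title>Sign in to your account</title><img alt="SharePoint">'
        '<form action="/sharepoint/auth" method="post"><input name="login" type="email">'
        '<input name="passwd" type="password"></form></html>'),
]

# Constructed benign capture: a real Gamma deck linking to the genuine Microsoft login.
BENIGN_CHAIN = [
    Hop("https://gamma.app/docs/Q3-roadmap-abc", 200, "<html><h1>Q3 roadmap</h1></html>"),
    Hop("https://login.microsoftonline.com/common/oauth2/authorize", 200,
        '<html><title>Sign in to your account</title>'
        '<form action="https://login.microsoftonline.com/common/login">'
        '<input type="password" name="passwd"></form></html>'),
]

if __name__ == "__main__":
    for name, chain in (("phish", PHISH_CHAIN), ("benign", BENIGN_CHAIN)):
        print(name, analyze_chain(chain))
```

The verdict deliberately requires both the trusted-hosting entry and the lookalike login: blocking every link to a presentation platform would break legitimate use, while a branded password form outside Microsoft's domains is suspicious on its own and is reported at a lower severity.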

Phishing attacks are becoming increasingly sophisticated, skillfully leveraging legitimate tools and trusted services to mask malicious schemes. The Gamma incident demonstrates that even seemingly harmless technologies can be weaponized as part of an elaborate hacking chain.

Defensive mechanisms designed for straightforward threats are powerless against attacks that exploit trust in well-known brands and intricate redirection paths. This highlights the need for constant reassessment of cybersecurity approaches and tighter controls over unconventional uses of familiar services.