AI/ML, Phishing, Threat Intelligence
AI-based Gamma platform harnessed in multi-stage phishing intrusion
Newly emergent artificial intelligence-based presentation tool Gamma has been exploited in multi-stage phishing attacks involving redirections to fake Microsoft login pages, reports The Hacker News.
Intrusions begin with malicious emails carrying a hyperlink disguised as a PDF attachment. The link redirects to a Gamma-hosted presentation that lures targets into clicking a button leading to a Microsoft-spoofing page, according to an Abnormal Security report. That page requires targets to complete a Cloudflare Turnstile verification before redirecting them to a fake Microsoft SharePoint sign-in portal that collects their credentials, said researchers, who noted that 'Incorrect password' prompts triggered by erroneous credential inputs indicate the use of adversary-in-the-middle tactics.

Such findings follow a Microsoft report detailing the mounting exploitation of AI in illicit cyber activity, as well as its thwarting of Quick Assist software-exploiting attacks by the Storm-1811 threat operation, also known as STAC5777. ReliaQuest has reported that Storm-1811 conducted TypeLib COM hijacking to spread a custom PowerShell backdoor variant.
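The first stage described above, a link labelled like a PDF attachment whose target is actually a web page, is something mail-filtering logic can check for. The Python below is an added example, not code from Abnormal Security or the other reports cited; the function name, the label pattern, and the sample hosts are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Visible label that looks like an attached document, e.g. "Invoice_Q2.pdf" (assumed pattern)
PDF_LABEL = re.compile(r"\b[\w\-. ]+\.pdf\b", re.IGNORECASE)

class _AnchorCollector(HTMLParser):
    """Collect (visible_text, href) for every <a>, counting <img alt> as visible text."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href, self._text = attrs.get("href") or "", []
        elif tag == "img" and self._href is not None:
            self._text.append(attrs.get("alt") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def find_fake_attachment_links(html_body):
    """Return anchors labelled like a PDF file whose target is a web page, not a PDF."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    hits = []
    for text, href in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue  # cid:/mailto: targets are not web redirects
        if PDF_LABEL.search(text) and not url.path.lower().endswith(".pdf"):
            hits.append((text, url.hostname, href))
    return hits

# Constructed sample body; hosts are placeholders, not indicators from the report.
SAMPLE = """
<p>Please review: <a href="https://presentation-host.example/docs/abc123">Remittance_Advice.pdf</a></p>
<p><a href="https://files.example.com/reports/q2.pdf">Q2-report.pdf</a></p>
<p><a href="https://presentation-host.example/docs/xyz"><img src="cid:icon" alt="Contract.pdf"></a></p>
<p><a href="https://www.example.com/unsubscribe">Unsubscribe</a></p>
"""
```

A hit is a triage signal rather than a verdict: legitimate document-sharing services also link file names to viewer pages, so the returned hostname should be weighed against the sender and the organization's known sharing platforms.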