In phishing attacks, threat actors are directing unsuspecting users to spoofed Microsoft login pages using an artificial intelligence (AI)-powered presentation platform called Gamma.
According to Abnormal Security researchers Hinman Baron and Piotr Wojtyla, “Attackers weaponize Gamma, a fairly new AI-based demonstration tool, to give a hyperlink to a false Microsoft SharePoint login portal.”
The attack chain begins with a phishing email, sometimes sent from legitimate, compromised email accounts, that entices recipients to open an embedded PDF document.
In fact, the PDF attachment is nothing more than a hyperlink that, when clicked, takes the victim to a presentation hosted on Gamma that prompts them to click a button to “Review Secure Documents.”
The user is then directed to an intermediate page that impersonates Microsoft and requires them to pass a Cloudflare Turnstile verification before accessing the advertised document. This verification step lends the attack an air of legitimacy and stops automated URL analysis by security tools.
Targets are then taken to a phishing page that imitates a Microsoft SharePoint sign-in portal and attempts to harvest their credentials.
The researchers noted that providing mismatched credentials triggers an “Incorrect password” error, which indicates that the perpetrators are using some sort of ( ) for authenticating credentials in real time.
The findings are part of a growing trend of phishing attacks that use legitimate services to evade email authentication checks like SPF, DKIM, and DMARC, a technique known as living-off-trusted-sites ( ).
The researchers said that this clever, multi-stage attack illustrates how today’s threat actors exploit the blind spots created by lesser-known tools to deceive innocent recipients and compromise accounts.
The attackers take the user through several intermediate steps, starting with the Gamma-hosted presentation, moving on to a splash page protected by Cloudflare Turnstile, and finally to a spoofed Microsoft sign-in page. This multi-stage redirection hides the real destination and makes it difficult for dynamic link analysis tools to trace the attack path.
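A triage sketch for the redirect pattern described above, as an added example that is not from the researchers or the original article: given hops already captured by a sandbox or proxy, it flags a trusted-platform first hop, a Turnstile gate, and a Microsoft-branded password form on a non-Microsoft host. The host lists and the sample chain are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumptions (not from the article): these host lists are illustrative, not exhaustive.
HOSTING_PLATFORMS = {"gamma.app"}  # legitimate content hosts abused as the first hop
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
TURNSTILE_MARKER = "challenges.cloudflare.com/turnstile"
PASSWORD_FIELD = re.compile(r"<input[^>]+type=[\"']?password", re.I)
MS_BRANDING = re.compile(r"microsoft|sharepoint", re.I)


def host_matches(url, hosts):
    """True if the URL's host equals, or is a subdomain of, any listed host."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in hosts)


def triage_chain(hops):
    """hops: ordered list of (url, html) captured while following a link.
    Returns the findings for the whole chain, in hop order."""
    findings = []
    if hops and host_matches(hops[0][0], HOSTING_PLATFORMS):
        findings.append("first hop on trusted hosting platform")
    for i, (url, html) in enumerate(hops):
        if TURNSTILE_MARKER in html:
            findings.append(f"hop {i}: Turnstile gate (automated crawlers stop here)")
        if (PASSWORD_FIELD.search(html) and MS_BRANDING.search(html)
                and not host_matches(url, MS_LOGIN_HOSTS)):
            findings.append(f"hop {i}: Microsoft-branded password form on non-Microsoft host")
    return findings


# Constructed sample chain; hosts under .example are placeholders.
SAMPLE_CHAIN = [
    ("https://gamma.app/docs/constructed-id",
     "<a href='https://gate.example/'>Review Secure Documents</a>"),
    ("https://gate.example/",
     "<script src='https://challenges.cloudflare.com/turnstile/v0/api.js'></script>"),
    ("https://signin.example/sharepoint",
     "<title>Microsoft SharePoint</title><input type='password' name='p'>"),
]

if __name__ == "__main__":
    for finding in triage_chain(SAMPLE_CHAIN):
        print(finding)
```

No single hop is conclusive on its own; the value is in scoring the chain as a unit, since each stage taken alone looks like ordinary traffic to a legitimate service.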
The disclosure comes as Microsoft warned of an increase in AI-driven scams that use deepfakes, voice cloning, phishing emails, authentic-looking fraudulent websites, and fake job listings at scale.
According to the company, “AI tools can check and brush the web for company information, assisting assailants in creating very encouraging social engineering lures” through the creation of detailed profiles of employees or different targets.
“Alternative actors are luring victims into increasingly sophisticated fraud schemes by creating false e-commerce companies and websites with fake business biographies and client testimonials using phony AI-enhanced product reviews and artificial storefronts,” according to the report.
Microsoft also stated that it has taken action against attacks carried out by Storm-1811 (also known as STAC5777), which has abused Microsoft Quick Assist software through voice-phishing schemes conducted via Teams to persuade victims to grant remote device access for subsequent ransomware deployment.
That said, there is evidence that the cybercrime group behind the Teams vishing campaign may be changing tactics. A new report from ReliaQuest revealed that the attackers have been seen using a previously unidentified TypeLib COM hijacking technique and a new PowerShell backdoor to evade detection and maintain access to compromised systems.
The threat actor has allegedly been developing the PowerShell malware since January 2025, distributing early versions through malicious Bing advertisements. The activity, which was discovered two months later, targeted customers in the banking and professional, medical, and specialized services sectors, with particular attention given to executive-level employees with female-sounding names.
The changes to the early stages of the attack cycle suggest that Storm-1811 is evolving with new methods, that this is the work of a splinter group, or that an entirely different threat actor has adopted the same initial access methods that were previously exclusive to it.
According to ReliaQuest, “The phishing chats were properly timed, landing between 2:00 and 3:00 p.m., beautifully timed with the recipient organization’s local time, which may cause employees to be less alert when spotting malicious activity.”
It’s clear that phishing via Microsoft Teams isn’t going anywhere, regardless of whether Black Basta was behind this Microsoft Teams phishing campaign. Intruders continue to find creative ways to circumvent defenses and remain inside organizations.