Hackers Abuse Gamma AI to Build Convincing Microsoft-Themed Phishing Redirectors

Cybercriminals are using Gamma—an AI-powered presentation and website builder—to create realistic-looking pages that redirect victims to Microsoft-themed credential-harvesting sites. Attack chains combine polished Gamma pages, short-lived hosting, and evasion techniques like fake CAPTCHAs, making phishing lures harder to detect and remove.

Main Takeaways

Attackers are weaponizing Gamma to spin up professional-looking redirectors that lead to spoofed Microsoft login portals. These pages are delivered through:

  • Compromised email accounts or convincing PDF attachments
  • Short-lived hosting and anti-takedown tricks

Defenders should treat Gamma-hosted pages as potential phishing infrastructure and focus on monitoring URLs, identifying short-lived domains, and raising user awareness.

Phishers craft Gamma pages that mimic legitimate SharePoint, OneDrive, or corporate landing pages. Recipients receive a message—often a PDF or email appearing to come from a trusted sender—with a link to a Gamma-hosted presentation. That presentation contains a clickable button or embedded link redirecting users to a credential-collection page that impersonates a Microsoft login. Attackers also incorporate anti-automation or CAPTCHA-like checks to evade automated takedowns and analysis.

How the attack works

The campaign usually starts with a phishing email, sometimes sent from a legitimate, compromised account. The link leads to a Gamma-generated page hosting the redirector. The redirector then sends victims to a short-lived credential-harvesting site using disposable hosting or CDNs. Key benefits for attackers include:

  • Better deliverability due to widely used SaaS domains
  • Reduced chances of reputation-based blocking
  • The ability to spin up multiple campaigns quickly

Gamma enables attackers to rapidly assemble polished, brand-consistent pages without coding experience. For defenders, the challenges are:

  • The content looks legitimate to users
  • Many email filters whitelist established SaaS domains
  • Short-lived redirects make blocklisting difficult

Together, these factors raise click-through rates and slow automated takedowns.

Scale

Researchers have observed multiple campaigns targeting Microsoft account users and enterprise employees. Using SaaS tools and disposable infrastructure allows attackers to scale efficiently, producing many distinct lures with minimal effort. These campaigns not only steal credentials but can also serve as initial access vectors for broader intrusions or fraud.

Detection & mitigation

Organizations can reduce risk by treating content hosted on generative-AI platforms as untrusted by default. Recommended actions include:

  • Monitor for unusual Gamma (and other SaaS) URLs in inbound email
  • Use URL reputation and short-link analysis to identify redirectors
  • Flag newly created or ephemeral hosts containing brand names (e.g., “Microsoft,” “SharePoint”)
  • Enforce multi-factor authentication (passwordless where possible)
  • Educate users to verify unexpected links, even from known senders
  • Work with SaaS providers and registrars to quickly take down fraudulent pages

Advanced email defenses should inspect embedded PDFs and linked web content, not just the sending domain.
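As an added example that is not from the article, the following Python triage routine applies three of the checks above to URLs extracted from an email body: it flags SaaS-builder hosts (assumed here to be gamma.app), common URL shorteners, and hostnames that contain a Microsoft brand keyword but do not sit under an assumed allow-list of Microsoft-owned domains. The domain lists, keyword list and sample email are constructed for illustration and are not exhaustive.

```python
import re
from urllib.parse import urlparse

# Assumptions, not taken from the article: gamma.app is treated as Gamma's
# hosting domain, and the allow-list below is a small illustrative subset of
# Microsoft-owned domains. Tune both lists for your own environment.
SAAS_BUILDER_DOMAINS = {"gamma.app"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
BRAND_KEYWORDS = ("microsoft", "sharepoint", "onedrive", "office365")
MICROSOFT_OWNED = {"microsoft.com", "sharepoint.com", "live.com",
                   "office.com", "microsoftonline.com"}

# Matches http(s) URLs up to the next whitespace, angle bracket, quote or paren.
URL_RE = re.compile(r'''https?://[^\s<>"')\]]+''')


def registrable(host):
    """Naive last-two-labels split (not public-suffix aware; co.uk etc. need a PSL)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_url(url):
    """Return the list of detection tags that apply to a single URL."""
    host = (urlparse(url).hostname or "").lower()
    base = registrable(host)
    findings = []
    if base in SAAS_BUILDER_DOMAINS:
        findings.append("saas-builder-host")
    if base in URL_SHORTENERS:
        findings.append("url-shortener")
    # Brand keyword anywhere in the hostname (including a spoofed subdomain such as
    # microsoft.com.<attacker-host>) while the registrable domain is not Microsoft's.
    if any(k in host for k in BRAND_KEYWORDS) and base not in MICROSOFT_OWNED:
        findings.append("brand-in-unowned-host")
    return findings


def triage_email(body):
    """Map every flagged URL in an email body to its detection tags."""
    report = {}
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")  # drop trailing sentence punctuation
        findings = classify_url(url)
        if findings:
            report[url] = findings
    return report


# Constructed sample message; the hosts below are placeholders, not real IoCs.
SAMPLE_EMAIL = """\
Hi team, the Q3 deck is shared here: https://gamma.app/docs/q3-review-x7k2p
Please re-authenticate at https://microsoft-sharepoint-login.example.net/verify
Reference: https://learn.microsoft.com/en-us/entra/ (legitimate)
"""
```

Feed the report into your mail gateway's quarantine or SOC ticketing rather than blocking outright, since legitimate Gamma and shortener links will also match the first two tags.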
