Abnormal Intelligence

Credential Phishing

Gamma-Hosted File-Sharing Phishing Attack Uses Cloudflare Turnstile to Evade Detection

A malicious email links to a Gamma-hosted presentation that redirects to a Cloudflare Turnstile-protected phishing page impersonating Microsoft to steal credentials.

April 11, 2025

Attack Target Summary

Attack Overview

Step 1: Email

The phishing campaign begins with an email sharing a financial document hosted on Gamma, a legitimate AI-powered presentation and content generation platform. The email appears trustworthy and passes all authentication checks.

  • Email subject references a payment schedule.
  • Document link uses the trusted Gamma domain.
  • Message contains no unusual formatting or indicators of malicious content.

Once clicked, the Gamma-hosted document presents a button that redirects the user to a phishing site. Before reaching the spoofed Microsoft login page, users must pass a Cloudflare Turnstile challenge.

  • Turnstile prevents URL scanners from accessing the final page.
  • Turnstile adds perceived legitimacy to the attack.
  • Target sees familiar branding and is prompted to continue.

Step 3: Microsoft Phishing Page

The final destination is a spoofed Microsoft login page designed to capture credentials and potentially MFA codes. The site mimics real branding and language to lull targets into a false sense of security.

  • Target enters login information.
  • Data is captured by attackers using a known phishing framework.
  • Attackers may use stolen credentials for account takeover or lateral movement.

Step 4: Final Destination (Spoofed Microsoft Login)


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • The email came from a verified domain passing SPF, DKIM, and DMARC checks.
  • The phishing link was hosted on a legitimate domain (Gamma).
  • Cloudflare Turnstile blocked automated scanning and URL analysis.
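The three gaps above can be turned into a link-triage rule. The following is an added example, not Abnormal's detection logic or code from this page: it reports a scan that stopped at a Turnstile challenge as unanalyzed rather than clean, and it does not let sender authentication or the hosting platform's reputation clear the link. The `gamma.app` hostname, the `triage` function, and the sample hops are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: gamma.app is Gamma's domain. Any platform where users publish
# their own content belongs here; the host's reputation is not the content's.
USER_CONTENT_HOSTS = {"gamma.app"}

# Markers of an embedded Cloudflare Turnstile widget (script URL, widget class).
TURNSTILE = re.compile(
    r"challenges\.cloudflare\.com/turnstile/|class=[\"'][^\"']*\bcf-turnstile\b", re.I)
PASSWORD_INPUT = re.compile(r"<input\b[^>]*\btype=[\"']?password", re.I)


def on_user_content_host(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in USER_CONTENT_HOSTS)


def triage(auth_passed, hops):
    """hops: ordered (url, html) pairs a URL scanner fetched, starting at the
    link in the email. Returns (verdict, reasons)."""
    reasons = []
    last_url, last_html = hops[-1]
    has_form = bool(PASSWORD_INPUT.search(last_html))
    if TURNSTILE.search(last_html) and not has_form:
        # The scanner stopped at the challenge: the real page was never seen.
        reasons.append("final page gated by Turnstile; content not analyzed")
    if on_user_content_host(hops[0][0]) and not on_user_content_host(last_url):
        reasons.append("user-content platform link leads off-platform")
    if has_form:
        reasons.append("credential form at end of chain")
    if not auth_passed:
        reasons.append("sender authentication failed")
    # Passing SPF/DKIM/DMARC authenticates the sending domain only, so
    # auth_passed=True never removes a reason or lowers the verdict.
    if not reasons:
        return "no-finding", reasons
    return ("suspicious" if len(reasons) > 1 else "inconclusive"), reasons


# Constructed sample: what a scanner would record for the chain described above.
SAMPLE_HOPS = [
    ("https://gamma.app/docs/example-payment-schedule",
     "<a href='https://login.example.test/'>View document</a>"),
    ("https://login.example.test/",
     "<script src='https://challenges.cloudflare.com/turnstile/v0/api.js'>"
     "</script><div class='cf-turnstile'></div>"),
]
print(triage(True, SAMPLE_HOPS))
```

An "inconclusive" verdict is the important case: it marks a link the scanner could not see past, which is a candidate for click-time analysis or analyst review rather than delivery as clean.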

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Never-before-seen sender behavior and messaging patterns.
  • Suspicious use of a clean domain to host phishing content.
  • Financially themed bait combined with behavioral anomalies.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Classification

Credential Phishing, Link-based, External Party - Vendor/Supplier, Credential Theft
