Threat actors are using the artificial intelligence (AI)-powered presentation platform Gamma in phishing attacks to direct unsuspecting users to fake Microsoft login pages.
“The attackers weaponize Gamma, a relatively new AI-based presentation tool, to deliver a link to a fake Microsoft SharePoint login portal,” Pathological researchers Hinman Baron and Piotr Wojtyla noted in a Tuesday analysis.
The attack chain begins with a phishing email, in some cases sent from legitimate, compromised email accounts, that entices recipients to open the embedded PDF document.
In reality, the PDF attachment is nothing but a hyperlink that, when clicked, redirects the victim to a presentation hosted on Gamma, which prompts them to click a button to “consider safe documents”.
This takes the user to an intermediate page that impersonates Microsoft and instructs them to complete a Cloudflare Turnstile check before accessing the intended document. This CAPTCHA barrier serves to increase the apparent legitimacy of the attack, as well as to hinder automated security tools.
Targets are then taken to a phishing page that masquerades as a Microsoft SharePoint portal and seeks to collect their credentials.
“If incorrect credentials are provided, it causes a ‘wrong password’ error, which shows that the criminals use some kind of adversary-in-the-middle (AiTM) to verify the credentials in real time,” the researchers noted.
The findings are part of an ongoing trend of phishing attacks that exploit legitimate services to host malicious content and bypass email authentication checks such as SPF, DKIM and DMARC, a technique called living-off-trusted-sites (LOTS).
“This clever, multi-stage attack shows how today’s threat actors use blind spots created by lesser-known tools to evade detection, deceive unsuspecting recipients and compromise,” the researchers said.
“Instead of linking directly to a credential-harvesting page, the attackers send the user through a few intermediate steps: first to the presentation hosted on Gamma, then to a splash page protected by a Cloudflare Turnstile, and finally to a spoofed Microsoft page. static reference analysis to overcome the way.”
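The three-hop chain described above (hosted presentation, Turnstile-gated intermediate page, Microsoft-branded page on a non-Microsoft host) can be hunted for in web proxy logs. The following is an added example, not code from the researchers or from the original article; the log layout, host lists, 10-minute window and `.example` hosts are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta

# Assumptions for this sketch (not from the article): log layout, host lists, time window.
CONTENT_HOSTS = {"gamma.app"}                  # trusted presentation/hosting platforms
TURNSTILE_HOST = "challenges.cloudflare.com"   # host that serves the Turnstile widget
MS_DOMAINS = ("microsoftonline.com", "microsoft.com", "sharepoint.com", "live.com")
BRAND_WORDS = ("microsoft", "sharepoint")
WINDOW = timedelta(minutes=10)

# Constructed proxy log: time, user, host, referrer host, page title
SAMPLE_LOG = """\
2025-04-15T14:02:10 alice gamma.app - Shared presentation
2025-04-15T14:02:41 alice docs-review.example gamma.app Microsoft
2025-04-15T14:02:42 alice challenges.cloudflare.com docs-review.example -
2025-04-15T14:03:05 alice portal-login.example docs-review.example Sign in to SharePoint
2025-04-15T14:05:00 bob gamma.app - Quarterly deck
2025-04-15T14:06:00 bob login.microsoftonline.com - Sign in to your account
"""

def is_microsoft(host):
    """True only for a Microsoft-owned domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in MS_DOMAINS)

def find_chains(log_text):
    """Return (user, landing_host) for each completed three-hop chain."""
    state = {}    # user -> (stage reached, time the chain started)
    alerts = []
    for line in log_text.splitlines():
        ts, user, host, ref, title = line.split(None, 4)
        now = datetime.fromisoformat(ts)
        stage, start = state.get(user, (0, now))
        if stage and now - start > WINDOW:
            stage = 0                              # chain went stale
        if host in CONTENT_HOSTS:
            stage, start = 1, now                  # hop 1: hosted presentation
        elif stage == 1 and host == TURNSTILE_HOST and not is_microsoft(ref):
            stage = 2                              # hop 2: CAPTCHA gate on a non-Microsoft page
        elif (stage == 2 and not is_microsoft(host)
              and any(w in title.lower() for w in BRAND_WORDS)):
            alerts.append((user, host))            # hop 3: Microsoft branding off Microsoft domains
            stage = 0
        state[user] = (stage, start)
    return alerts

if __name__ == "__main__":
    print(find_chains(SAMPLE_LOG))
```

Because it keys on the sequence of hops rather than on any single URL, the check does not depend on the final page already being known as malicious.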
The disclosure comes as Microsoft, in its latest Cyber Signals report, warned of an increase in fraud attacks that use AI to create believable content for attacks using deepfakes, voice cloning, phishing emails, authentic-looking fake websites and bogus job listings.
“AI tools can scan and scrape the Internet for information about a company, helping attackers build detailed profiles of employees or other targets to create highly convincing social engineering lures,” the company said.
“In some cases, bad actors lure victims into more complex fraud schemes, using fake AI-enhanced product reviews and AI-generated storefronts, where scammers create entire websites and e-commerce brands, complete with business and customer reviews.”
Microsoft also said it has taken action against attacks orchestrated by Storm-1811 (aka STAC5777), which has abused Microsoft Quick Assist software by posing as IT support in voice phishing schemes conducted via Teams and convincing victims to grant them remote access to the device for subsequent deployment.
That said, there is evidence to suggest that the cybercrime group behind the Teams phishing campaign may be shifting tactics. According to a new report from ReliaQuest, the attackers have been observed using TypeLib COM hijacking and a new PowerShell backdoor to evade detection and maintain access to compromised systems.
The threat actor is said to have been developing the malicious PowerShell software since January 2025, deploying early iterations through malicious advertisements. The activity, detected two months later, targeted customers in the finance and professional, scientific and technical services sectors, focusing in particular on executive-level employees with female-sounding names.
The changes in the later stages of the attack lifecycle raise the possibility that Storm-1811 is either evolving with new methods, or that this is the work of a splinter group, or that an entirely different threat actor has adopted the same initial access methods that were previously exclusive to it.
“The phishing chats were carefully timed, landing between 14:00 and 15:00, perfectly synchronized with the organizations’ local time and coinciding with the afternoon, when employees may be less wary of malicious activity,” ReliaQuest noted.
“Regardless of whether this Microsoft phishing campaign was run by Black Basta, it is clear that phishing through Microsoft Teams is not going anywhere. Attackers continue to find clever ways to bypass defenses and stay inside organizations.”