Attack Overview

Step 1: Email

The phishing campaign begins with an email sharing a financial document hosted on Gamma, a legitimate AI-powered presentation and content generation platform. The email appears trustworthy and passes all authentication checks.

  • Email subject references a payment schedule.
  • Document link uses the trusted Gamma domain.
  • Message contains no unusual formatting or indicators of malicious content.

Step 2: Gamma Document + Link to Cloudflare Turnstile

Once clicked, the Gamma-hosted document presents a button that redirects the user to a phishing site. Before reaching the spoofed Microsoft login page, users must pass a Cloudflare Turnstile challenge.

  • Turnstile prevents URL scanners from accessing the final page.
  • Turnstile adds perceived legitimacy to the attack.
  • Target sees familiar branding and is prompted to continue.

Step 3: Microsoft Phishing Page

The final destination is a spoofed Microsoft login page designed to capture credentials and potentially MFA codes. The site mimics real branding and language to lull targets into a false sense of security.

  • Target enters login information.
  • Data is captured by attackers using a known phishing framework.
  • Attackers may use stolen credentials for account takeover or lateral movement.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for several reasons, including:

  • The email came from a verified domain passing SPF, DKIM, and DMARC checks.
  • The phishing link was hosted on a legitimate domain (Gamma).
  • Cloudflare Turnstile blocked automated scanning and URL analysis.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including:

  • Never-before-seen sender behavior and messaging patterns.
  • Suspicious use of a clean domain to host phishing content.
  • Financially themed bait combined with behavioral anomalies.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.

Please note that the exact detection mechanism in Abnormal Security's system may include proprietary techniques and methodologies not disclosed here.
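As an added illustration of the detection factors listed above (example code written for this page, not Abnormal's own logic), the following Python pulls from a constructed sample message the signals an authentication-only filter would miss: passing SPF/DKIM/DMARC results, a never-before-seen sender, a link hosted on a legitimate content platform, and a financial lure in the subject. The sample message, the known-sender list and gamma.app as Gamma's domain are assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the campaign: auth passes, new sender, financial lure.
SAMPLE_EMAIL = """\
From: accounts@vendor-example.test
To: ap@victim-example.test
Subject: Updated Payment Schedule - Q2
Authentication-Results: mx.victim-example.test; spf=pass smtp.mailfrom=vendor-example.test; dkim=pass header.d=vendor-example.test; dmarc=pass header.from=vendor-example.test
Content-Type: text/plain

Please review the updated payment schedule: https://gamma.app/docs/example-payment-schedule
"""

# Legitimate content-hosting services whose links deserve extra scrutiny.
# gamma.app is assumed to be Gamma's domain (the page does not name it).
CLEAN_HOSTING_DOMAINS = {"gamma.app"}
FINANCIAL_TERMS = {"payment", "invoice", "remittance", "wire", "schedule"}

def auth_results(msg):
    """Parse {mechanism: result} from the Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def extract_links(msg):
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    return re.findall(r"https?://[^\s<>\"']+", body)

def hosted_on_clean_domain(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in CLEAN_HOSTING_DOMAINS)

def analyze(raw, known_senders):
    """Return behavioral indicators that authentication checks alone would miss."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []
    if all(auth_results(msg).get(m) == "pass" for m in ("spf", "dkim", "dmarc")):
        indicators.append("auth_pass")  # reputation-based filters would let it through
    if msg["From"].addresses[0].addr_spec.lower() not in known_senders:
        indicators.append("never_seen_sender")
    if any(hosted_on_clean_domain(u) for u in extract_links(msg)):
        indicators.append("clean_domain_hosting")
    if set(re.findall(r"[a-z]+", msg["Subject"].lower())) & FINANCIAL_TERMS:
        indicators.append("financial_theme")
    return indicators

def is_suspicious(indicators):
    """Flag a new sender combining a clean-domain link with a financial lure."""
    return {"never_seen_sender", "clean_domain_hosting", "financial_theme"} <= set(indicators)
```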

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Masked Phishing Link; Legitimate Hosting Infrastructure; Captcha-Protected Phishing Page
Theme: Fake Document; Financial Services
Impersonated Party: External Party - Vendor/Supplier
