Apr 09, 2026 • Microsoft Incident Response
Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees
Executive Summary
Microsoft DART researchers identified Storm-2755, a financially motivated threat actor targeting Canadian employees via payroll diversion schemes. The group uses malvertising and SEO poisoning to direct victims to fraudulent Microsoft 365 sign-in pages, employing adversary-in-the-middle (AiTM) techniques to harvest session cookies and access tokens. Because the stolen cookie or token already carries a completed authentication, the actor can bypass standard multifactor authentication (MFA) and replay the session from a non-browser HTTP client such as Axios. The campaign results in direct financial loss by diverting salary payments to attacker-controlled accounts. Unlike industry-specific attacks, this campaign targets users geographically. Microsoft recommends phishing-resistant MFA, such as FIDO2 or WebAuthn, to mitigate token theft. Organizations are advised to monitor for anomalous session activity and user-agent changes indicative of token replay. Proactive hunting and tenant takedown efforts are ongoing to disrupt this activity and protect affected customers from further compromise.
Summary
Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor, tracked as Storm-2755, compromising Canadian employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts. The post Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees appeared first on Microsoft Security Blog.
Published Analysis
In this article
- Storm-2755’s attack chain
- Defending against Storm-2755 and AiTM campaigns
- Microsoft Defender detection and hunting guidance
- Indicators of compromise

Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor that Microsoft tracks as Storm-2755 conducting payroll pirate attacks targeting Canadian users.
In this campaign, Storm-2755 compromised user accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts, resulting in direct financial loss for affected individuals and organizations. While similar payroll pirate attacks have been observed in other malicious campaigns (for example, Storm-2657’s payroll pirate attacks affecting US universities), Storm-2755’s campaign is distinct in both its delivery and targeting. Rather than focusing on a specific industry or organization, the actor relied exclusively on geographic targeting of Canadian users and used malvertising and search engine optimization (SEO) poisoning on industry-agnostic search terms to identify victims. The campaign also leveraged adversary-in-the-middle (AiTM) techniques to hijack authenticated sessions, allowing the threat actor to bypass multifactor authentication (MFA) and blend into legitimate user activity.

Microsoft has been actively engaged with affected organizations and has taken multiple disruption actions to help prevent further compromise, including tenant takedown. Microsoft continues to engage affected customers, providing visibility by sharing observed tactics, techniques, and procedures (TTPs) while supporting mitigation efforts. In this blog, we present our analysis of Storm-2755’s recent campaign and the TTPs employed across each stage of the attack chain. To support proactive mitigations against this campaign and similar activity, we also provide comprehensive guidance for investigation and remediation, including recommendations such as implementing phishing-resistant MFA to help block these attacks and protect user accounts.

Storm-2755’s attack chain

Analysis of this activity reveals a financially motivated campaign built around session hijacking and abuse of legitimate enterprise workflows.
Storm-2755 combined initial credential and token theft with session persistence and targeted discovery to identify payroll and human resources (HR) processes within affected Canadian organizations. By operating through authenticated user sessions and blending into normal business activity, the threat actor was able to minimize detection while pursuing direct financial gain. The sections below examine each stage of the attack chain, from initial access through impact, detailing the techniques observed.

Initial access

In the observed campaign, Storm-2755 likely gained initial access through SEO poisoning or malvertising that positioned the actor-controlled domain, bluegraintours[.]com, at the top of search results for generic queries like “Office 365” or common misspellings like “Office 265”. Based on data received by DART, unsuspecting users who clicked these links were directed to a malicious Microsoft 365 sign-in page designed to mimic the legitimate experience, resulting in token and credential theft when users entered their credentials. Once a user entered their credentials into the malicious page, sign-in logs reveal that the victim recorded a 50199 sign-in interrupt error immediately before Storm-2755 successfully compromised the...
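The two log signals the post calls out, a 50199 sign-in interrupt immediately preceding the successful compromise, and an authenticated session later reused from a non-browser client such as Axios and from a different IP (token replay), can be turned into a small hunting check. The following is an added example written for this page, not code from Microsoft or from the blog post; it runs over constructed sign-in records whose field names (upn, ip, ua, error, session) are simplified stand-ins for the Entra ID sign-in log schema, and the 10-minute pairing window and the list of non-browser user-agent markers are assumptions to tune per tenant.

```python
"""Hunt for the two AiTM token-replay signals described above over
constructed Entra-style sign-in records (added example, not from the post)."""
from datetime import datetime, timedelta

SIGN_IN_INTERRUPT = 50199  # Entra "sign-in was interrupted" code seen just before compromise
# Assumed markers for non-browser HTTP clients; the post names Axios specifically.
NON_BROWSER_MARKERS = ("axios", "python-requests", "curl/", "okhttp", "go-http-client")

# Constructed sample records (not real telemetry). Times are UTC; error 0 = success.
SAMPLE_EVENTS = [
    {"time": "2026-03-30T13:02:10Z", "upn": "alice@example.ca", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0", "error": 50199, "session": "sess-aaa"},
    {"time": "2026-03-30T13:02:41Z", "upn": "alice@example.ca", "ip": "198.51.100.7",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0", "error": 0, "session": "sess-aaa"},
    {"time": "2026-03-30T13:20:05Z", "upn": "alice@example.ca", "ip": "198.51.100.9",
     "ua": "axios/1.6.8", "error": 0, "session": "sess-aaa"},
    {"time": "2026-03-30T09:15:00Z", "upn": "bob@example.ca", "ip": "203.0.113.22",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0", "error": 0, "session": "sess-bbb"},
    {"time": "2026-03-30T09:40:00Z", "upn": "bob@example.ca", "ip": "203.0.113.22",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0", "error": 0, "session": "sess-bbb"},
    {"time": "2026-03-30T11:00:00Z", "upn": "carol@example.ca", "ip": "203.0.113.33",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/123.0", "error": 50199, "session": "sess-ccc"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_non_browser(ua):
    """True when the user agent looks like a scripted HTTP client rather than a browser."""
    ua_l = ua.lower()
    return any(marker in ua_l for marker in NON_BROWSER_MARKERS)


def interrupt_then_success(events, window=timedelta(minutes=10)):
    """Signal 1: for each user, pair a 50199 interrupt with the next successful
    sign-in inside `window`. A success from a different IP than the interrupt
    is consistent with the AiTM proxy completing the victim's sign-in."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(e["upn"], []).append(e)
    findings = []
    for upn, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["error"] != SIGN_IN_INTERRUPT:
                continue
            t0 = parse_time(e["time"])
            for nxt in evs[i + 1:]:
                t1 = parse_time(nxt["time"])
                if t1 - t0 > window:
                    break
                if nxt["error"] == 0:
                    findings.append({
                        "upn": upn,
                        "interrupt_ip": e["ip"],
                        "success_ip": nxt["ip"],
                        "seconds_between": int((t1 - t0).total_seconds()),
                        "ip_changed": e["ip"] != nxt["ip"],
                    })
                    break
    return findings


def session_pivots(events):
    """Signal 2: flag sessions first established from a browser that are later
    used from a non-browser client and/or a new IP (stolen cookie/token replay)."""
    first_seen = {}
    findings = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["error"] != 0:
            continue
        sid = e["session"]
        if sid not in first_seen:
            first_seen[sid] = e
            continue
        first = first_seen[sid]
        ua_pivot = (not is_non_browser(first["ua"])) and is_non_browser(e["ua"])
        ip_pivot = first["ip"] != e["ip"]
        if ua_pivot or ip_pivot:
            findings.append({"upn": e["upn"], "session": sid, "ua_pivot": ua_pivot,
                             "ip_pivot": ip_pivot, "new_ua": e["ua"], "new_ip": e["ip"]})
    return findings


if __name__ == "__main__":
    for f in interrupt_then_success(SAMPLE_EVENTS):
        print("interrupt->success:", f)
    for f in session_pivots(SAMPLE_EVENTS):
        print("session pivot:", f)
```

On the constructed records only alice is flagged by both checks: her 50199 interrupt is followed 31 seconds later by a success from a different IP, and her session is then reused from an axios user agent at yet another IP; carol's lone interrupt with no subsequent success and bob's consistent browser sessions produce nothing. In production the session correlation key should be whatever your log source exposes for the session (for example the sessionId or correlationId field), and the user-agent list should be reviewed against legitimate automation in the tenant before alerting on it.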
Linked Entities
- Storm-2657
- Storm-2755