Tags: vulnerability, high, AiTM Attack, Credential Theft, Financial Theft, Payroll Fraud, Session Hijacking, CVE-2025-27152

Apr 09, 2026 • Microsoft Incident Response

Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees


Source: Microsoft Security Blog
Category: vulnerability
Severity: high

Executive Summary

Microsoft DART researchers have identified Storm-2755, a financially motivated threat actor, conducting 'payroll pirate' attacks targeting Canadian users. The campaign employs adversary-in-the-middle (AiTM) techniques to hijack authenticated sessions and bypass MFA methods that are not phishing-resistant. Attackers gain initial access through SEO poisoning and malvertising, directing victims to fake Microsoft 365 sign-in pages. The threat actor then exploits the Axios HTTP client (CVE-2025-27152) to replay authentication tokens, granting persistent access to compromise employee profiles and divert salary payments. Organizations face direct financial losses, while individuals risk personal account compromise. Microsoft recommends implementing phishing-resistant MFA (FIDO2/WebAuthn), conducting employee security awareness training, and monitoring for session anomalies to mitigate these attacks. The threat actor targets Canadian users geographically rather than focusing on specific industries.

Summary

Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor, tracked as Storm-2755, compromising Canadian employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts. The post Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees appeared first on Microsoft Security Blog.

Published Analysis

Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor that Microsoft tracks as Storm-2755 conducting payroll pirate attacks targeting Canadian users.

In this campaign, Storm-2755 compromised user accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts, resulting in direct financial loss for affected individuals and organizations. While similar payroll pirate attacks have been observed in other malicious campaigns, Storm-2755’s campaign is distinct in both its delivery and targeting. Rather than focusing on a specific industry or organization, the actor relied exclusively on geographic targeting of Canadian users and used malvertising and search engine optimization (SEO) poisoning on industry-agnostic search terms to identify victims. The campaign also leveraged adversary-in-the-middle (AiTM) techniques to hijack authenticated sessions, allowing the threat actor to bypass multifactor authentication (MFA) and blend into legitimate user activity.

Related: Storm-2657 – Payroll pirate attacks affecting US universities

Microsoft has been actively engaged with affected organizations and taken multiple disruption efforts to help prevent further compromise, including tenant takedown. Microsoft continues to engage affected customers, providing visibility by sharing observed tactics, techniques, and procedures (TTPs) while supporting mitigation efforts. In this blog, we present our analysis of Storm-2755’s recent campaign and the TTPs employed across each stage of the attack chain. To support proactive mitigations against this campaign and similar activity, we also provide comprehensive guidance for investigation and remediation, including recommendations such as implementing phishing-resistant MFA to help block these attacks and protect user accounts.

Storm-2755’s attack chain

Analysis of this activity reveals a financially motivated campaign built around session hijacking and abuse of legitimate enterprise workflows. Storm-2755 combined initial credential and token theft with session persistence and targeted discovery to identify payroll and human resources (HR) processes within affected Canadian organizations. By operating through authenticated user sessions and blending into normal business activity, the threat actor was able to minimize detection while pursuing direct financial gain. The sections below examine each stage of the attack chain—from initial access through impact—detailing the techniques observed.

Initial access

In the observed campaign, Storm-2755 likely gained initial access through SEO poisoning or malvertising that positioned the actor-controlled domain, bluegraintours[.]com, at the top of search results for generic queries like “Office 365” or common misspellings like “Office 265”. Based on data received by DART, unsuspecting users who clicked these links were directed to a malicious Microsoft 365 sign-in page designed to mimic the legitimate experience, resulting in token and credential theft when users entered their credentials. Once a user entered their credentials into the malicious page, sign-in logs reveal that the victim recorded a 50199 sign-in interrupt error immediately before Storm-2755 successfully compromised the account. When the session shifts...
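As an added illustration (not code from the Microsoft post), the following Python flags the sign-in pattern the section describes: a 50199 interrupt on an account followed shortly by a successful sign-in. The log records and field names are constructed, and the different-source-IP condition is an assumption used to separate an AiTM relay from a user who simply completed an interrupted sign-in themselves.

```python
"""Detect the interrupt-then-success sign-in pattern described in the
Storm-2755 write-up: a 50199 sign-in interrupt for a user followed, within
a short window, by a successful sign-in from a different IP address,
which is consistent with an AiTM phishing page relaying the victim's
credentials. All records below are constructed sample data."""
from datetime import datetime, timedelta

# Constructed sample records. Field names are assumptions loosely modelled
# on Entra ID sign-in log fields (time, UPN, result code, source IP).
SAMPLE_SIGNINS = [
    {"time": "2026-04-01T13:00:05Z", "upn": "alice@example.ca", "result": "50199", "ip": "198.51.100.23"},
    {"time": "2026-04-01T13:00:41Z", "upn": "alice@example.ca", "result": "0", "ip": "203.0.113.77"},
    {"time": "2026-04-01T13:05:00Z", "upn": "bob@example.ca", "result": "50199", "ip": "198.51.100.24"},
    {"time": "2026-04-01T13:05:20Z", "upn": "bob@example.ca", "result": "0", "ip": "198.51.100.24"},
    {"time": "2026-04-01T14:00:00Z", "upn": "carol@example.ca", "result": "0", "ip": "198.51.100.25"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_interrupt_then_success(records, window_minutes=10):
    """Return (upn, interrupt_ip, success_ip, seconds_apart) for each user
    whose 50199 interrupt is followed within `window_minutes` by a
    successful sign-in (result "0") from a different IP address."""
    by_user = {}
    for r in sorted(records, key=lambda r: _ts(r["time"])):
        by_user.setdefault(r["upn"], []).append(r)
    hits = []
    for upn, events in by_user.items():
        for i, ev in enumerate(events):
            if ev["result"] != "50199":
                continue
            for later in events[i + 1:]:
                gap = _ts(later["time"]) - _ts(ev["time"])
                if gap > timedelta(minutes=window_minutes):
                    break  # events are sorted; nothing later is in the window
                if later["result"] == "0" and later["ip"] != ev["ip"]:
                    hits.append((upn, ev["ip"], later["ip"], int(gap.total_seconds())))
                    break
    return hits


if __name__ == "__main__":
    for upn, ip_a, ip_b, secs in find_interrupt_then_success(SAMPLE_SIGNINS):
        print(f"{upn}: 50199 from {ip_a}, then success from {ip_b} {secs}s later")
```

In the sample data only alice is flagged; bob's success comes from the same IP as his interrupt, so the heuristic treats it as a user completing the sign-in normally.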

Linked Entities

  • CVE-2025-27152
  • Storm-2755