Microsoft: Canadian employees targeted in payroll pirate attacks
Storm-2755 targets Canadian employees with AiTM phishing to hijack payroll accounts.
Summary
A financially motivated threat actor tracked as Storm-2755 is stealing Canadian employees' salary payments by deploying adversary-in-the-middle (AiTM) attacks using malicious Microsoft 365 sign-in pages to capture authentication tokens and session cookies. After compromising accounts, the attackers create hidden inbox rules to intercept HR communications about direct deposits, then either socially engineer HR staff or directly access payroll systems like Workday to redirect salary payments. Microsoft recommends implementing phishing-resistant MFA, blocking legacy authentication, and immediately revoking compromised tokens to defend against these payroll pirate attacks.
Full text
Microsoft: Canadian employees targeted in payroll pirate attacks By Sergiu Gatlan April 10, 2026 07:56 AM 0 A financially motivated threat actor tracked as Storm-2755 is stealing Canadian employees' salary payments after hijacking their accounts in payroll pirate attacks. The attackers used malicious Microsoft 365 sign-in pages to steal victims' authentication tokens and session cookies by redirecting them to domains (e.g., bluegraintours[.]com) hosting malicious web pages (pushed to the top of search engine results through malvertising or SEO poisoning) that masqueraded as Microsoft 365 sign-in forms. This allowed Storm-2755 to bypass multifactor authentication (MFA) in adversary‑in‑the‑middle (AiTM) attacks by replaying stolen session tokens rather than re-authenticating. "Rather than harvesting only usernames and passwords, AiTM frameworks proxy the entire authentication flow in real time, enabling the capture session cookies and OAuth access tokens issued upon successful authentication," Microsoft explained. "Due to these tokens representing a fully authenticated session, threat actors can reuse them to gain access to Microsoft services without being prompted for credentials or MFA, effectively bypassing legacy MFA protections not designed to be phishing-resistant." Storm-2755 attack flow (Microsoft) After gaining access to an employee's account, the attacker created inbox rules that automatically moved messages from human resources staff containing the words "direct deposit" or "bank" to hidden folders, preventing the victim from seeing the correspondence. In the next stage, they searched for "payroll," "HR," "direct deposit," and "finance," then sent emails to human resources staff with the subject line "Question about direct deposit" to trick staff into updating banking information. Where social engineering failed, the attacker logged directly into HR software platforms such as Workday, using the stolen session to manually update direct deposit details. Storm-2755 emailing HR staff (Microsoft) To harden defenses against AiTM and payroll pirate attacks, Microsoft advises defenders to block legacy authentication protocols and implement phishing-resistant MFA. If any signs of compromise are detected, they should also revoke compromised tokens and sessions immediately, remove malicious inbox rules, and reset MFA methods and credentials for all affected accounts. In October, Microsoft disrupted another pirate payroll campaign targeting Workday accounts since March 2025, in which a cybercrime gang tracked as Storm-2657 targeted university employees across the United States to hijack their salary payments. In these attacks, Storm-2657 breached the targets' accounts via phishing emails and stole MFA codes using AITM tactics, which allowed the threat actors to compromise the victims' Exchange Online accounts. Payroll pirate attacks are a variant of business email compromise (BEC) scams that target businesses and individuals who regularly make wire transfers. Last year, the FBI's Internet Crime Complaint Center (IC3) recorded over 24,000 BEC fraud complaints, resulting in losses exceeding $3 billion, making it the second most lucrative crime type behind investment scams. Automated Pentesting Covers Only 1 of 6 Surfaces. Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation. Get Your Copy Now Related Articles: Microsoft links Medusa ransomware affiliate to zero-day attacksFBI: Americans lost a record $21 billion to cybercrime last yearRussia arrests suspected owner of LeakBase cybercrime forumManager of botnet used in ransomware attacks gets 2 years in prisonYanluowang ransomware access broker gets 81 months in prison
Indicators of Compromise
- domain — bluegraintours[.]com