Payroll Pirates Use Phishing to Steal Employee Salaries

Storm-2755 attackers are successfully stealing Canadian employees' salaries by using sophisticated adversary-in-the-middle (AiTM) attacks that bypass traditional MFA protections. The attackers create fake Microsoft 365 login pages to capture authentication tokens and session cookies, then use hidden inbox rules to intercept HR communications about payroll changes. Once inside email systems, they either manipulate HR staff through social engineering or directly access payroll platforms like Workday to redirect salary payments to attacker-controlled accounts. This attack highlights the critical need for phishing-resistant authentication methods and employee awareness training to recognize sophisticated credential harvesting attempts.

Tactical Insight

Immediate actions

  • Deploy phishing-resistant MFA methods like FIDO2 keys or certificate-based authentication
  • Block legacy authentication protocols across all Microsoft 365 services
  • Review and audit all existing inbox rules for suspicious email forwarding or filtering

Long-term improvements

  • Implement conditional access policies that restrict payroll system access to authorized devices and locations
  • Establish dual-approval workflows for all payroll changes and direct deposit modifications
  • Deploy email security solutions with advanced threat protection and safe links scanning

Detection measures

  • Monitor for unusual inbox rule creation and modification activities
  • Set up alerts for payroll system access from new devices or suspicious locations
  • Implement user behavior analytics to detect abnormal email and application usage patterns
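Added example, not part of the lesson or any vendor tooling: a small Python triage script that serves both the inbox-rule audit under "Immediate actions" and the rule-monitoring item above. It scores inbox-rule change events for the tradecraft the lesson describes (external forwarding, message deletion, moves into rarely read folders, payroll/HR keyword filters, near-empty rule names); the audit events, their field layout and the internal domain are constructed assumptions.

```python
import re
# Constructed sample events (not real logs); field names loosely follow Exchange inbox-rule parameters, record shape is an assumption.
SAMPLE_EVENTS = [
    {"UserId": "j.doe@example.ca", "Operation": "New-InboxRule", "Parameters": {
        "Name": ".", "SubjectOrBodyContainsWords": ["payroll", "direct deposit"],
        "MoveToFolder": "RSS Feeds", "MarkAsRead": True}},
    {"UserId": "a.smith@example.ca", "Operation": "Set-InboxRule", "Parameters": {
        "Name": "Vendor invoices", "From": ["hr@example.ca"],
        "ForwardTo": ["collector@attacker.example"], "DeleteMessage": True}},
    {"UserId": "b.lee@example.ca", "Operation": "New-InboxRule", "Parameters": {
        "Name": "Newsletters", "SubjectContainsWords": ["weekly digest"], "MoveToFolder": "Reading"}},
]
INTERNAL_DOMAINS = {"example.ca"}  # assumption: the organisation's own mail domains
PAYROLL_TERMS = ("payroll", "direct deposit", "salary", "bank", "workday", "hr")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
MATCH_KEYS = ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords", "From")

def rule_indicators(params):
    """Return the reasons an inbox-rule definition looks like AiTM follow-on activity."""
    reasons = []
    for key in FORWARD_KEYS:  # mail copied or redirected out of the tenant
        for addr in params.get(key, []):
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                reasons.append(f"{key} sends to external address {addr}")
    if params.get("DeleteMessage"):  # the victim never sees HR's reply
        reasons.append("DeleteMessage is set")
    if str(params.get("MoveToFolder", "")).lower() in HIDING_FOLDERS:
        reasons.append(f"moves matches into rarely read folder {params['MoveToFolder']!r}")
    text = " ".join(str(v) for k in MATCH_KEYS for v in params.get(k, [])).lower()
    hits = [t for t in PAYROLL_TERMS if re.search(rf"\b{re.escape(t)}\b", text)]
    if hits:  # the rule is keyed to payroll / HR traffic
        reasons.append("matches payroll/HR terms: " + ", ".join(hits))
    if len(params.get("Name", "").strip()) <= 1:  # '.' or blank names are a common evasion
        reasons.append(f"near-empty rule name {params.get('Name', '')!r}")
    return reasons

def flag_inbox_rule_events(events, min_reasons=2):
    # Keep rule-change events carrying at least min_reasons indicators for analyst review.
    flagged = []
    for ev in events:
        reasons = rule_indicators(ev.get("Parameters", {}))
        if len(reasons) >= min_reasons:
            flagged.append({"user": ev["UserId"], "operation": ev["Operation"],
                            "rule": ev["Parameters"].get("Name", ""), "reasons": reasons})
    return flagged

if __name__ == "__main__":
    for hit in flag_inbox_rule_events(SAMPLE_EVENTS):
        print(hit["user"], hit["operation"], repr(hit["rule"]), "->", "; ".join(hit["reasons"]))
```

Feeding real rule-change events into `flag_inbox_rule_events` requires mapping your audit source's fields onto the assumed layout first; the threshold of two indicators keeps ordinary newsletter filters out of the queue.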