Security & Infrastructure Tools
Microsoft: Canadian employees targeted in payroll pirate attacks
Microsoft reports that the threat actor Storm‑2755 is targeting Canadian employees by hijacking Microsoft 365 accounts through phishing‑like sign‑in pages, stealing authentication tokens and bypassing MFA to gain full session access. Once inside, attackers create hidden inbox rules, intercept HR emails about direct deposits, and manipulate payroll systems such as Workday to redirect salaries to stolen bank accounts. The article warns that legacy authentication must be blocked, phishing‑resistant MFA enabled, and compromised sessions revoked immediately to defend against these “payroll pirate” attacks.

Payroll Pirate Attacks: Canadian Employees Targeted Through AiTM Tactics
Executive Overview
- A financially motivated threat actor group, tracked as Storm-2755, targeted Canadian employees by hijacking payroll processes.
- The attackers used malicious Microsoft 365 sign-in pages to harvest authentication tokens and session cookies.
- Redirection to fake pages hosted on domains such as bluegraintours[.]com allowed the capture of credentials and session data.
- By replaying stolen session tokens in adversary‑in‑the‑middle (AiTM) attacks, they bypassed multifactor authentication (MFA) and gained access to Microsoft services without re‑prompting for credentials.
- After breaching an employee’s account, the group deployed techniques to hide payroll-related communications and manipulated direct deposit details.
Threat Actor Profile: Storm-2755
- Storm-2755 is described as a cybercrime operation with a focus on payroll-related intrusion.
- The group’s workflow combines credential-stealing pages, session token reuse, and targeted social engineering to move payroll information under their control.
Attack Lifecycle: How the Operation Unfolded
- Account compromise: The intruder gained access to an employee’s Microsoft 365 session.
- Inbox manipulation: Automated inbox rules were created to move messages containing “direct deposit” or “bank” to hidden folders, masking payroll correspondence from the victim.
- Targeted reconnaissance: The attackers searched for terms such as “payroll,” “HR,” “direct deposit,” and “finance.”
- Deceptive outreach: They sent emails to HR staff with the subject line “Question about direct deposit” to prompt updates to banking details.
- Direct system manipulation: When social engineering failed to yield results, the attackers logged directly into HR software platforms (e.g., Workday) using the stolen session to alter direct deposit information.
- Outcome: The attacker’s changes redirected salary payments, or other disbursed funds, to accounts under the threat actors’ control.
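The inbox-rule step above is one of the few attacker actions that lands in a defender's own logs, because every `New-InboxRule` / `Set-InboxRule` call is recorded by Exchange Online mailbox auditing. The following is an added example (not Microsoft's code and not from the article) that scores such audit records for the pattern described: payroll-related filter terms, an evasive one-character rule name, and actions that hide mail (move to a rarely viewed folder, mark as read, delete). The three records are constructed for the example; the field names follow the AuditData JSON shape of Exchange admin audit events, and the scoring weights are my own choice.

```python
import json
import re

# Constructed sample records, shaped like the AuditData JSON that Exchange
# Online mailbox auditing exports for inbox-rule operations. Users, IPs and
# timestamps are invented for this example.
SAMPLE_AUDIT_RECORDS = [
    json.dumps({"CreationTime": "2025-11-03T14:02:11", "Operation": "New-InboxRule",
                "UserId": "a.singh@example.ca", "ClientIP": "203.0.113.45",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectOrBodyContainsWords", "Value": "direct deposit;bank"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-11-03T09:15:40", "Operation": "New-InboxRule",
                "UserId": "j.tremblay@example.ca", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "From", "Value": "news@vendor.example"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"CreationTime": "2025-11-03T16:48:02", "Operation": "Set-InboxRule",
                "UserId": "m.chen@example.ca", "ClientIP": "203.0.113.45",
                "Parameters": [{"Name": "Identity", "Value": "Archive"},
                               {"Name": "BodyContainsWords", "Value": "payroll"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
]

# Terms the article reports the actor filtered on, plus close relatives.
PAYROLL_TERMS = re.compile(r"direct deposit|bank|payroll|salary|\bhr\b|finance", re.I)
# Folders users rarely open; a classic place to park intercepted mail.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history",
                  "junk email", "deleted items"}
FILTER_PARAMS = {"SubjectContainsWords", "BodyContainsWords",
                 "SubjectOrBodyContainsWords", "From"}


def _params(record: dict) -> dict:
    """Flatten the [{Name, Value}, ...] parameter list into a dict."""
    return {p["Name"]: p.get("Value", "") for p in record.get("Parameters", [])}


def score_rule(record: dict) -> tuple[int, list[str]]:
    """Return (suspicion score, reasons) for one inbox-rule audit record."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return 0, []
    params = _params(record)
    score, reasons = 0, []
    filter_text = " ".join(v for k, v in params.items() if k in FILTER_PARAMS)
    if PAYROLL_TERMS.search(filter_text):
        score += 2
        reasons.append(f"filter matches payroll terms: {filter_text!r}")
    name = params.get("Name") or params.get("Identity") or ""
    if len(name.strip()) <= 2 or not any(c.isalnum() for c in name):
        score += 1
        reasons.append(f"evasive rule name {name!r}")
    if params.get("DeleteMessage", "").lower() == "true":
        score += 2
        reasons.append("deletes matching mail")
    folder = params.get("MoveToFolder", "")
    if folder and folder.lower().split("\\")[-1] in HIDING_FOLDERS:
        score += 1
        reasons.append(f"moves mail to rarely viewed folder {folder!r}")
    if params.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("marks as read, suppressing the unread indicator")
    return score, reasons


def audit_inbox_rules(raw_lines, threshold: int = 3) -> list[dict]:
    """Parse JSON audit lines and return rules at or above the threshold, highest first."""
    findings = []
    for line in raw_lines:
        rec = json.loads(line)
        score, reasons = score_rule(rec)
        if score >= threshold:
            findings.append({"user": rec["UserId"], "time": rec["CreationTime"],
                             "client_ip": rec.get("ClientIP"), "score": score,
                             "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in audit_inbox_rules(SAMPLE_AUDIT_RECORDS):
        print(f["user"], f["score"], "; ".join(f["reasons"]))
```

Two of the three constructed records are flagged; the legitimate newsletter rule is not. In a real tenant the `ClientIP` shared by both flagged rules would itself be a pivot: the same AiTM-proxy address creating rules in several mailboxes is a stronger signal than any single rule.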
The AiTM Advantage: Why MFA Could Be Bypassed
- AiTM frameworks proxy the entire authentication flow in real time, capturing session cookies and OAuth tokens issued during successful logins.
- Because the tokens represent an actively authenticated session, the threat actors can reuse them to access services without entering credentials or triggering MFA prompts.
- This technique undermines legacy MFA protections that are not designed to be phishing‑resistant, enabling continued access after initial intrusion.
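Because a replayed token carries the original sign-in's MFA claim, the replay itself produces no MFA failure to alert on. What the sign-in log does show is one session continuing from a network the user never authenticated from. The added example below (my own detection logic, not something the article or Microsoft provides) correlates sign-ins by a session identifier and flags any non-interactive use of a session, shortly after the MFA-backed interactive sign-in that created it, from a different IP and a different network label. The `SignIn` record and the five events are constructed; the field names are a simplification of what Entra sign-in logs carry and are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str
    session_id: str      # correlates sign-ins that share one issued session/token
    ip: str
    network: str         # coarse network label (ASN or ISP name); constructed here
    interactive: bool    # credentials/MFA were presented in this event
    mfa_performed: bool  # MFA actually completed here, not merely carried by a token claim


T0 = datetime(2025, 11, 3, 10, 0)

# Constructed sample: a.singh authenticates at home, then the same session is
# used three minutes later from a hosting-provider address (the AiTM replay
# pattern). j.tremblay's session stays on the corporate network. m.chen's
# session has no MFA-backed origin in the data and is therefore skipped.
SAMPLE_SIGNINS = [
    SignIn(T0, "a.singh@example.ca", "sess-7f3a", "198.51.100.20", "HOME-ISP", True, True),
    SignIn(T0 + timedelta(minutes=3), "a.singh@example.ca", "sess-7f3a",
           "203.0.113.45", "VPS-HOSTER", False, False),
    SignIn(T0 + timedelta(minutes=1), "j.tremblay@example.ca", "sess-0c21",
           "192.0.2.10", "CORP-NET", True, True),
    SignIn(T0 + timedelta(minutes=40), "j.tremblay@example.ca", "sess-0c21",
           "192.0.2.10", "CORP-NET", False, False),
    SignIn(T0 + timedelta(minutes=5), "m.chen@example.ca", "sess-91aa",
           "198.51.100.88", "HOME-ISP", False, False),
]


def detect_session_replay(events, window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Flag non-interactive reuse of a session from a new IP and network within `window`
    of the interactive, MFA-backed sign-in that created it."""
    by_session: dict[tuple[str, str], list[SignIn]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_session.setdefault((ev.user, ev.session_id), []).append(ev)

    findings = []
    for (user, sid), evs in by_session.items():
        origin = next((e for e in evs if e.interactive and e.mfa_performed), None)
        if origin is None:
            continue  # no MFA-backed origin observed; nothing to compare against
        for ev in evs:
            if ev is origin or ev.time < origin.time or ev.time - origin.time > window:
                continue
            # Requiring both IP and network label to differ avoids flagging
            # ordinary mobile/NAT address churn inside one carrier.
            if ev.ip != origin.ip and ev.network != origin.network:
                findings.append({
                    "user": user, "session_id": sid,
                    "origin_ip": origin.ip, "origin_network": origin.network,
                    "suspect_ip": ev.ip, "suspect_network": ev.network,
                    "minutes_after_mfa": (ev.time - origin.time).total_seconds() / 60,
                })
    return findings


if __name__ == "__main__":
    for f in detect_session_replay(SAMPLE_SIGNINS):
        print(f"{f['user']}: session {f['session_id']} used from {f['suspect_ip']} "
              f"({f['suspect_network']}) {f['minutes_after_mfa']:.0f} min after MFA "
              f"at {f['origin_ip']} ({f['origin_network']})")
```

The response to a hit is the one the article lists: revoke the session, not just reset the password, since the replayed token remains valid until it is revoked or expires. The network-label comparison is deliberately coarse; enriching it with a hosting-provider or anonymizer list cuts false positives from legitimate roaming.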
Infrastructure and Tactics: How the Attack Was Orchestrated
- Sign-in page deception: The attackers deployed malicious Microsoft 365 sign-in pages designed to resemble legitimate portals.
- Malvertising and SEO poisoning: Malicious pages were pushed to top search results to lure users into signing in.
- Domain redirection: Victims were directed to fraudulent domains where their authentication was captured.
- Payment data manipulation: Access to HR platforms allowed direct modification of banking and payroll details, facilitating unauthorized payments.
Defensive Context: What Microsoft Highlighted
- To counter AiTM and payroll pirate campaigns, defenders are advised to block legacy authentication protocols and adopt phishing‑resistant MFA.
- In the event of a breach, Microsoft recommends revoking compromised tokens and sessions, removing malicious inbox rules, and resetting MFA methods and credentials for affected accounts.
- The emphasis is on reducing token‑based access and strengthening the authentication flow to resist real-time credential harvesting.
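In Microsoft 365 both of the preventive recommendations above (block legacy authentication, require phishing-resistant MFA) are expressed as Conditional Access policies, and a tenant frequently believes it has them when a policy is actually report-only, scoped to a subset of users, or grants plain `mfa` rather than a phishing-resistant authentication strength. The added example below is my own linter, not a Microsoft tool, that checks an exported policy list for both conditions. The policy dictionaries are constructed but follow the field names of the Graph `conditionalAccessPolicy` resource; the built-in strength id for "Phishing-resistant MFA" is the documented value, which you should confirm against your own tenant.

```python
# Built-in Entra authentication strength "Phishing-resistant MFA".
# Confirm in your tenant via GET /identity/conditionalAccess/authenticationStrength/policies.
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}
MODERN_CLIENT_APP_TYPES = {"browser", "mobileAppsAndDesktopClients"}

# Constructed sample export. Policy 1 is sound; policy 2 requires only classic
# MFA; policy 3 is the right control but is stuck in report-only mode.
SAMPLE_POLICIES = [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require phishing-resistant MFA", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID,
                                                  "displayName": "Phishing-resistant MFA"}}},
]


def _covers_everyone(policy: dict) -> bool:
    """True if the policy targets all users and all cloud apps (exclusions are ignored here)."""
    c = policy.get("conditions", {})
    return ("All" in c.get("users", {}).get("includeUsers", [])
            and "All" in c.get("applications", {}).get("includeApplications", []))


def _client_types(policy: dict) -> set[str]:
    types = set(policy.get("conditions", {}).get("clientAppTypes", []))
    return LEGACY_CLIENT_APP_TYPES | MODERN_CLIENT_APP_TYPES if "all" in types else types


def blocks_legacy_auth(policy: dict) -> bool:
    """Enforced policy that blocks the legacy client app types for everyone."""
    grant = policy.get("grantControls", {})
    return (policy.get("state") == "enabled" and _covers_everyone(policy)
            and LEGACY_CLIENT_APP_TYPES <= _client_types(policy)
            and "block" in grant.get("builtInControls", []))


def requires_phishing_resistant_mfa(policy: dict) -> bool:
    """Enforced policy that grants modern clients only with the phishing-resistant strength."""
    strength = policy.get("grantControls", {}).get("authenticationStrength") or {}
    return (policy.get("state") == "enabled" and _covers_everyone(policy)
            and MODERN_CLIENT_APP_TYPES <= _client_types(policy)
            and strength.get("id") == PHISHING_RESISTANT_STRENGTH_ID)


def assess_tenant(policies: list[dict]) -> dict:
    """Summarize whether the two controls the article recommends are actually enforced."""
    report = {
        "legacy_auth_blocked": any(blocks_legacy_auth(p) for p in policies),
        "phishing_resistant_mfa_enforced": any(requires_phishing_resistant_mfa(p) for p in policies),
        "notes": [],
    }
    for p in policies:
        grant = p.get("grantControls", {})
        if p.get("state") == "enabledForReportingButNotEnforced":
            report["notes"].append(f"{p['displayName']!r} is report-only and enforces nothing")
        if "mfa" in grant.get("builtInControls", []) and not grant.get("authenticationStrength"):
            report["notes"].append(f"{p['displayName']!r} requires MFA but no phishing-resistant "
                                   "strength; a session captured by an AiTM proxy still satisfies it")
    return report


if __name__ == "__main__":
    for key, value in assess_tenant(SAMPLE_POLICIES).items():
        print(f"{key}: {value}")
```

The linter deliberately ignores `excludeUsers`: break-glass and service accounts excluded from the phishing-resistant policy are exactly the accounts a token-replay attacker would prefer, so review exclusions by hand rather than letting a script bless them.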
Related Campaigns: A Broader Pattern
- In October, Microsoft disrupted another payroll pirate campaign, run by a different actor (Storm-2657), that had targeted the Workday accounts of university employees in the United States since March 2025.
- The Storm-2657 operation leveraged phishing and AiTM tactics to compromise Exchange Online accounts and hijack salary payments, illustrating a recurring pattern across sectors and regions.
Context Within the Larger Landscape
- Payroll pirate attacks are a variant of business email compromise (BEC), a category of fraud that inflates risk for organizations involved in regular wire transfers.
- The FBI’s Internet Crime Complaint Center (IC3) reported over 24,000 BEC complaints in the previous year, with losses exceeding $3 billion, underscoring the scale and financial impact of this threat category.
Observations on Tactics and Impact
- The combination of credential theft, session hijacking, and targeted manipulation of payroll workflows demonstrates a multilayered approach designed to bypass traditional security controls.
- By prioritizing direct changes to payroll data and masking communications, attackers increase their chances of successfully diverting payments before the anomaly is detected.
- The use of HR software platforms like Workday as a manipulation vector highlights the importance of monitorable, auditable change controls within enterprise systems.
Takeaways from the Incident Scenario
- The attack illustrates how trusted workstreams (sign-in processes, HR portals, payroll communications) can be exploited when compromised sessions are allowed to persist.
- The AiTM approach shows the vulnerability of token-based authentication in the presence of adversary‑in‑the‑middle dynamics, especially when MFA is not explicitly phishing‑resistant.
- The incident reinforces the need for layered defenses that scrutinize both login activity and post‑login behavior, along with strict review of payroll-related changes and automation rules.
Related Context: Consequences and Scope
- Payroll fraud remains tightly coupled to BEC dynamics, with attackers seeking to exploit timing, trust, and routine financial processes.
- The incidents described span multiple regions and organizations, signaling a broad threat surface for enterprises that rely on online payroll and HR ecosystems.
Final Note: The Ongoing Threat Ecosystem
- As adversaries continue to refine AiTM techniques and abuse legitimate business workflows, organizations must remain vigilant about unusual payroll requests, unexpected authentication patterns, and changes to direct deposit configurations.
- The evolving landscape underscores the importance of robust authentication, strict access controls, and comprehensive monitoring of payroll-related activities across cloud services and HR platforms.