Storm-2755 Payroll Heist: How Cybercriminals Are Hijacking Salaries Through Microsoft 365 Attacks

Introduction: When Your Paycheck Becomes the Target

Cybercrime is no longer just about stealing data. It is now about stealing livelihoods. A sophisticated threat actor known as Storm-2755 has shifted the battlefield toward something far more personal: employee salaries. By exploiting weaknesses in authentication systems and human trust, attackers are quietly redirecting paychecks into their own accounts. These “payroll pirate” attacks are not loud or destructive. Instead, they are silent, precise, and financially devastating.

Summary of the Original

Storm-2755 is a financially motivated cybercriminal group targeting Canadian employees by hijacking their payroll accounts. The attackers rely on fake Microsoft 365 login pages to trick users into handing over authentication data. These phishing pages are hosted on malicious domains such as bluegraintours[.]com and are often pushed to the top of search engine results using techniques like malvertising and SEO poisoning. Victims unknowingly land on these pages and enter their credentials, believing they are accessing legitimate Microsoft services.

Unlike traditional phishing attacks that only collect usernames and passwords, Storm-2755 uses adversary-in-the-middle techniques. This allows them to intercept the entire authentication process in real time. By doing so, they capture session cookies and OAuth tokens, which represent already authenticated sessions. This method enables attackers to bypass multi-factor authentication without needing to re-enter credentials.

Once inside an account, the attackers create inbox rules that hide emails related to payroll or banking. Messages containing keywords like “direct deposit” or “bank” are automatically moved to hidden folders, preventing victims from noticing suspicious activity. The attackers then search the compromised inbox for relevant financial or HR-related terms to understand internal processes.

Next, they initiate social engineering attacks by emailing HR departments with requests to update direct deposit information. These emails often appear legitimate, increasing the chances of success. If this tactic fails, the attackers escalate by directly accessing HR platforms like Workday using the stolen session tokens. From there, they manually change banking details to redirect salary payments.

Microsoft recommends several defensive measures to counter these attacks. Organizations should block legacy authentication protocols and adopt phishing-resistant multi-factor authentication systems. In the event of a compromise, immediate action is required, including revoking active sessions, removing malicious inbox rules, and resetting authentication credentials.

This campaign follows a similar operation disrupted in October, where another group, Storm-2657, targeted university employees in the United States. That campaign also used phishing and AiTM techniques to steal MFA codes and gain access to accounts.

Payroll pirate attacks fall under the broader category of business email compromise scams. According to the FBI’s Internet Crime Complaint Center, more than 24,000 BEC complaints were recorded last year, resulting in losses exceeding $3 billion. These attacks remain one of the most profitable forms of cybercrime.

What Undercode Says: The Real Danger Behind Token-Based Attacks

The Shift from Credentials to Sessions

The most alarming aspect of this attack is the transition from credential theft to session hijacking. Traditional security models focus heavily on protecting passwords and enforcing MFA. However, Storm-2755 demonstrates that once a session is authenticated, it becomes the weakest link. Tokens are essentially digital keys, and once stolen, they render MFA irrelevant.

Why MFA Alone Is No Longer Enough

Many organizations still rely on legacy MFA systems that were not designed to resist phishing. Attackers no longer need to break MFA. They simply bypass it. This creates a dangerous false sense of security, where companies believe they are protected while attackers operate undetected inside authenticated sessions.

The Power of Search Engine Manipulation

The use of SEO poisoning and malvertising adds another layer of sophistication. Instead of sending phishing emails, attackers let victims come to them. By placing malicious links at the top of search results, they exploit user trust in search engines. This method significantly increases success rates because users do not expect danger when searching for common services.

Inbox Rules as a Stealth Mechanism

The creation of hidden inbox rules is a subtle but highly effective tactic. It ensures that victims remain unaware of the attack for extended periods. This delay gives attackers enough time to execute financial fraud without interruption. It also complicates incident response, as users may not immediately detect anything unusual.
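The inbox rules described above (the summary's "direct deposit" / "bank" filters and the stealth behaviour discussed here) leave a trace: Exchange Online records every New-InboxRule and Set-InboxRule operation in the Microsoft 365 Unified Audit Log, with the rule's parameters as Name/Value pairs. The following is an added example, not code from the original post or from Microsoft, that scores such records for the combination of a payroll keyword filter plus a hiding action (move to a rarely read folder, delete, mark as read, near-empty rule name). The three audit records, the keyword list, the weights and the alert threshold are constructed assumptions; the parameter names (SubjectOrBodyContainsWords, MoveToFolder, MarkAsRead, DeleteMessage) are the real New-InboxRule parameters.

```python
"""Score Exchange Online inbox-rule audit events for payroll-hiding behaviour.

Added example; not from the original post. Records are constructed to resemble
Unified Audit Log AuditData JSON for New-InboxRule / Set-InboxRule (fields
Operation, UserId, ClientIP, Parameters). Keywords, weights and threshold are
assumptions a team would tune to its own environment.
"""
import json

# Terms the post says the attackers filter on, plus close variants (assumed list).
PAYROLL_KEYWORDS = ("direct deposit", "bank", "payroll", "salary", "paycheck", "paycheque")
# Real New-InboxRule parameters that carry the text filter.
WORD_FILTER_PARAMS = ("SubjectOrBodyContainsWords", "SubjectContainsWords",
                      "BodyContainsWords", "FromAddressContainsWords")
# Folders a rule rarely has a legitimate reason to route HR or bank mail into.
SUSPICIOUS_FOLDERS = ("rss", "conversation history", "archive", "junk", "deleted")

# Constructed sample: three AuditData records as the audit log returns them (JSON strings).
# Users, IPs and folder names are made up.
CONSTRUCTED_AUDIT_LOG = [
    json.dumps({
        "Operation": "New-InboxRule", "UserId": "j.doe@example.com", "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectOrBodyContainsWords", "Value": "direct deposit;bank;payroll"},
            {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    }),
    json.dumps({
        "Operation": "New-InboxRule", "UserId": "a.lee@example.com", "ClientIP": "203.0.113.20",
        "Parameters": [
            {"Name": "Name", "Value": "Vendor newsletters"},
            {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    }),
    json.dumps({
        "Operation": "Set-InboxRule", "UserId": "m.roy@example.com", "ClientIP": "203.0.113.44",
        "Parameters": [
            {"Name": "Name", "Value": "Payroll notices"},
            {"Name": "SubjectContainsWords", "Value": "payroll"},
            {"Name": "MoveToFolder", "Value": "HR"},
        ],
    }),
]


def parse_audit_record(audit_data: str) -> dict:
    """Decode one AuditData JSON string and flatten its Parameters list into a dict."""
    record = json.loads(audit_data)
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    return {"operation": record.get("Operation"), "user": record.get("UserId"),
            "client_ip": record.get("ClientIP"), "params": params}


def _is_true(value) -> bool:
    # Audit log values are strings, so booleans arrive as "True"/"False".
    return str(value).strip().lower() == "true"


def score_rule(params: dict) -> tuple:
    """Return (score, reasons) for one rule. A rule needs a payroll keyword filter
    AND at least one hiding action to reach the default threshold of 4."""
    score, reasons = 0, []

    matched = set()
    for name in WORD_FILTER_PARAMS:
        # Word lists are stored semicolon-separated; accept commas too.
        for token in str(params.get(name, "")).lower().replace(",", ";").split(";"):
            token = token.strip()
            if token and any(k in token for k in PAYROLL_KEYWORDS):
                matched.add(token)
    if matched:
        score += 3
        reasons.append(f"filters on payroll terms: {sorted(matched)}")

    folder = str(params.get("MoveToFolder", "")).lower()
    if folder and any(s in folder for s in SUSPICIOUS_FOLDERS):
        score += 2
        reasons.append(f"moves mail to rarely read folder '{params['MoveToFolder']}'")
    if _is_true(params.get("DeleteMessage")):
        score += 2
        reasons.append("deletes matching mail")
    if _is_true(params.get("MarkAsRead")):
        score += 1
        reasons.append("marks matching mail as read")

    name = str(params.get("Name", "")).strip()
    if len(name) <= 2 or not any(c.isalnum() for c in name):
        score += 1
        reasons.append(f"near-empty rule name {name!r}")
    return score, reasons


def find_suspicious_rules(audit_log: list, threshold: int = 4) -> list:
    """Return rules scoring at or above the threshold, highest score first."""
    hits = []
    for raw in audit_log:
        rec = parse_audit_record(raw)
        score, reasons = score_rule(rec["params"])
        if score >= threshold:
            hits.append({**rec, "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for hit in find_suspicious_rules(CONSTRUCTED_AUDIT_LOG):
        print(f"{hit['user']} {hit['operation']} from {hit['client_ip']} score={hit['score']}")
        for reason in hit["reasons"]:
            print("  -", reason)
```

Run against the constructed log, only the first record alerts: the rule named "." that matches "direct deposit", "bank" and "payroll", moves the mail to RSS Subscriptions and marks it read. The third record also matches "payroll" but routes it to a normal HR folder and scores below the threshold, which is the point of requiring a hiding action rather than a keyword alone. In a real deployment the input would be the AuditData column from a Search-UnifiedAuditLog export, and a hit is the cue for the response steps the summary lists: remove the rule, revoke sessions, reset credentials.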

Human Resources as a High-Value Target

HR departments are increasingly becoming prime targets in cyberattacks. They handle sensitive financial data and have the authority to change payroll details. By impersonating employees, attackers exploit trust within internal communication channels. This highlights a critical gap in organizational security awareness.

Direct System Access as a Backup Plan

When social engineering fails, attackers pivot to direct system access. This demonstrates a layered attack strategy where multiple paths lead to the same goal. It also exposes the risks associated with session-based authentication in enterprise platforms like Workday.

The Scale of Financial Impact

Business email compromise remains one of the most lucrative cybercrime categories. The scale of losses indicates that these attacks are not isolated incidents but part of a broader, highly organized ecosystem. Cybercriminals are investing in advanced techniques because the return on investment is substantial.

Defensive Strategies Need to Evolve

Organizations must move beyond basic security measures. Phishing-resistant MFA, continuous session monitoring, and zero-trust architectures are no longer optional. Security teams must also focus on detecting unusual behavior within authenticated sessions, not just preventing initial access.
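One concrete form of the "continuous session monitoring" called for above: a session cookie captured through an AiTM proxy is replayed from the attacker's network, so the same session identifier shows up from a second IP address (often a second country) shortly after it was issued. The following is an added example, not code from the original post or from Microsoft, that groups sign-in events by session id and flags any session reused from a different IP inside a time window. The four records are constructed and only loosely shaped like Entra ID sign-in log entries (userPrincipalName, sessionId, ipAddress, createdDateTime, location.countryOrRegion); the 24-hour window and the severity rule are assumptions.

```python
"""Flag sessions whose token is reused from a different network than the one it was issued to.

Added example, not part of the original post. Records are constructed and only
loosely modelled on Entra ID sign-in log fields; the window and severity rule are
assumptions to tune locally.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: j.doe's session is reused from a foreign IP 17 minutes
# after it was issued; a.lee's session is only ever used from one address.
CONSTRUCTED_SIGNINS = [
    {"userPrincipalName": "j.doe@example.com", "sessionId": "sess-A1", "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-11-03T13:02:11Z", "location": {"countryOrRegion": "CA"}},
    {"userPrincipalName": "j.doe@example.com", "sessionId": "sess-A1", "ipAddress": "198.51.100.77",
     "createdDateTime": "2025-11-03T13:19:40Z", "location": {"countryOrRegion": "NL"}},
    {"userPrincipalName": "a.lee@example.com", "sessionId": "sess-B7", "ipAddress": "203.0.113.55",
     "createdDateTime": "2025-11-03T08:00:00Z", "location": {"countryOrRegion": "CA"}},
    {"userPrincipalName": "a.lee@example.com", "sessionId": "sess-B7", "ipAddress": "203.0.113.55",
     "createdDateTime": "2025-11-03T11:45:00Z", "location": {"countryOrRegion": "CA"}},
]


def parse_time(ts: str) -> datetime:
    """Parse the 'Z'-suffixed UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_replayed_sessions(signins: list, window: timedelta = timedelta(hours=24)) -> list:
    """Return one finding per session id that is seen from a second IP inside the window.

    The earliest event for a (user, sessionId) pair is treated as the issuing client;
    a later event for the same pair from a different IP is a candidate token replay.
    """
    by_session = defaultdict(list)
    for rec in signins:
        by_session[(rec["userPrincipalName"], rec["sessionId"])].append(rec)

    findings = []
    for (user, sid), events in by_session.items():
        events.sort(key=lambda r: parse_time(r["createdDateTime"]))
        first = events[0]
        first_time = parse_time(first["createdDateTime"])
        for later in events[1:]:
            if later["ipAddress"] == first["ipAddress"]:
                continue  # same client, normal token refresh
            delta = parse_time(later["createdDateTime"]) - first_time
            if delta > window:
                continue  # outside the window we care about
            cross_country = (later["location"]["countryOrRegion"]
                             != first["location"]["countryOrRegion"])
            findings.append({
                "user": user, "sessionId": sid,
                "issued_ip": first["ipAddress"], "reused_ip": later["ipAddress"],
                "minutes_after": int(delta.total_seconds() // 60),
                "cross_country": cross_country,
                # Assumed rule: a country change on the same session is the strongest signal.
                "severity": "high" if cross_country else "medium",
            })
            break  # one finding per session is enough to trigger revocation
    return findings


if __name__ == "__main__":
    for f in find_replayed_sessions(CONSTRUCTED_SIGNINS):
        print(f"[{f['severity']}] {f['user']} session {f['sessionId']} issued to "
              f"{f['issued_ip']} reused from {f['reused_ip']} {f['minutes_after']} min later")
```

On the constructed data the script reports j.doe's session only, as a high-severity finding because the reuse crosses a country boundary; a.lee's session, refreshed twice from the same address, is silent. The finding is the trigger for the remediation the summary lists (revoke active sessions, inspect inbox rules, reset credentials). Legitimate mobile users do change IPs, so in practice the same-country case is a lead to enrich with device and client-app data, not an automatic block.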

The Role of User Awareness

While technical defenses are critical, user awareness remains a key factor. Employees must be trained to recognize suspicious login pages and avoid clicking on search results without verification. A single mistake can lead to significant financial consequences.

Security Validation Gaps

The mention of automated pentesting highlights another issue. Many organizations rely on a single layer of security validation. However, testing only one surface leaves multiple attack vectors exposed. A comprehensive approach is required to identify and mitigate all potential weaknesses.

Fact Checker Results

Accuracy of Attack Method ✅

AiTM attacks and session token theft are well-documented techniques used to bypass MFA.

Financial Impact Claims ✅

Reported BEC losses exceeding $3 billion align with official FBI IC3 statistics.

Defensive Recommendations ✅

Microsoft’s guidance on phishing-resistant MFA and session revocation reflects current best practices.

Prediction

Rise of Token-Based Attacks 📈

Session hijacking will become more common as attackers move away from traditional credential theft.

Decline of Legacy MFA Systems ⚠️

Organizations relying on outdated MFA will face increasing risk unless they upgrade to phishing-resistant solutions.

Increased Targeting of Payroll Systems 💰

Payroll platforms and HR departments will remain high-value targets due to their direct link to financial assets.

References:

Reported By: www.bleepingcomputer.com