Who Is Storm-2755?
Microsoft has identified a financially motivated threat actor, tracked internally as Storm-2755, that is systematically targeting Canadian employees with the goal of hijacking their salary payments. The campaign, described as a payroll pirate attack, combines sophisticated credential theft, session token replay, and social engineering to reroute direct deposit information before victims can detect the intrusion.
How the Attack Begins: Malicious Sign-In Pages and SEO Manipulation
The initial infection vector relies on fraudulent Microsoft 365 sign-in pages hosted on attacker-controlled domains. One such domain observed in the campaign is bluegraintours[.]com. These pages are pushed to the top of search engine results through malvertising or SEO poisoning, making them appear as legitimate Microsoft 365 login portals to unsuspecting users.
When a victim submits credentials on one of these pages, the attacker captures not only usernames and passwords but also authentication tokens and session cookies in real time. This technique is classified as an adversary-in-the-middle (AiTM) attack, and it is specifically engineered to defeat conventional multifactor authentication (MFA).
Bypassing MFA With Stolen Tokens
Microsoft explained the mechanism in detail, noting that AiTM frameworks do more than harvest static credentials:
"Rather than harvesting only usernames and passwords, AiTM frameworks proxy the entire authentication flow in real time, enabling the capture of session cookies and OAuth access tokens issued upon successful authentication. Due to these tokens representing a fully authenticated session, threat actors can reuse them to gain access to Microsoft services without being prompted for credentials or MFA, effectively bypassing legacy MFA protections not designed to be phishing-resistant."
By replaying these stolen session tokens, Storm-2755 can access a victim's Microsoft 365 environment as if they were the legitimate account holder — no second factor required. This underscores a critical limitation of traditional MFA: it was not designed to counter token-replay scenarios enabled by AiTM proxy toolkits.
Inside the Account: Inbox Rules and Social Engineering
Once inside a compromised account, Storm-2755 moves quickly to suppress any communications that might alert the victim or HR staff to suspicious activity. Specifically, the attacker creates inbox rules that automatically route messages from human resources personnel containing keywords such as "direct deposit" or "bank" into hidden folders, keeping the victim oblivious to the unfolding fraud.
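The inbox-rule pattern just described is visible in a rule export. As an added defender-side example (not code from Microsoft or the article), the triage below scores exported rules for the combination the report describes: HR-related keywords or senders paired with an action that hides the mail. The JSON field names mirror Exchange Get-InboxRule properties, but the records, folder list and thresholds are constructed assumptions.

```python
import json
import re

# Terms the report says the attacker keyed on; extend with your own HR vocabulary.
PAYROLL_RE = re.compile(r"\b(direct deposit|bank(?:ing)?|payroll|hr|finance)\b", re.I)
HR_SENDER_RE = re.compile(r"\b(hr|payroll|humanresources|people|benefits)\b", re.I)
# Folders attackers favour because users rarely open them (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "deleted items", "junk email"}

def rule_risk(rule: dict) -> list[str]:
    """Reasons a rule looks like HR-mail suppression; an empty list means benign."""
    reasons = []
    words = (rule.get("SubjectContainsWords", []) + rule.get("BodyContainsWords", [])
             + rule.get("SubjectOrBodyContainsWords", []))
    hits = [w for w in words if PAYROLL_RE.search(w)]
    if hits:
        reasons.append(f"keys on payroll terms {hits}")
    senders = " ".join(rule.get("From", []))
    if HR_SENDER_RE.search(senders):
        reasons.append(f"targets HR sender {senders!r}")
    folder = (rule.get("MoveToFolder") or "").lower()
    if rule.get("DeleteMessage") or folder in HIDING_FOLDERS:
        reasons.append(f"hides mail (delete={bool(rule.get('DeleteMessage'))}, folder={folder!r})")
    if rule.get("MarkAsRead"):
        reasons.append("marks as read so no unread badge appears")
    # Filing HR mail somewhere visible is normal; filing it out of sight is the pattern.
    hiding = any(r.startswith("hides") for r in reasons)
    targeted = any(r.startswith(("keys", "targets")) for r in reasons)
    return reasons if hiding and targeted else []

def flag_rules(rules_json: str) -> dict[str, list[str]]:
    """Map rule name -> reasons for every exported rule matching the pattern."""
    return {r["Name"]: why for r in json.loads(rules_json) if (why := rule_risk(r))}

# Constructed sample export (field names mirror Get-InboxRule; values are made up).
SAMPLE_RULES = json.dumps([
    {"Name": ".", "From": ["hr@corp.example"],
     "SubjectOrBodyContainsWords": ["direct deposit", "bank"],
     "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True, "DeleteMessage": False},
    {"Name": "Newsletters", "From": ["news@vendor.example"],
     "SubjectOrBodyContainsWords": ["weekly digest"],
     "MoveToFolder": "Newsletters", "MarkAsRead": False, "DeleteMessage": False},
])

if __name__ == "__main__":
    for name, why in flag_rules(SAMPLE_RULES).items():
        print(f"SUSPICIOUS rule {name!r}: " + "; ".join(why))
```

Run it against a real export by replacing SAMPLE_RULES with the JSON you pull from your tenant; a single-character rule name like "." is itself a common tell worth surfacing in your own output.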
The threat actor then searches the compromised mailbox for terms including "payroll," "HR," "direct deposit," and "finance" to gather organizational context. Armed with this information, Storm-2755 sends emails to HR staff with the subject line "Question about direct deposit," impersonating the employee and requesting that banking information be updated.
Direct Access to HR Platforms When Social Engineering Fails
When the social engineering approach does not yield results, the attackers take a more direct route. Using the stolen session tokens, Storm-2755 logs directly into HR software platforms — including Workday — and manually updates the victim's direct deposit details, substituting the employee's real bank account with one controlled by the attackers. This step requires no further phishing and bypasses any email-based verification that HR staff might otherwise perform.
Microsoft's Recommended Defenses
Microsoft has issued guidance to help organizations protect themselves against AiTM and payroll pirate attacks. Defenders are advised to take the following steps:
- Block legacy authentication protocols that cannot enforce modern security controls.
- Implement phishing-resistant MFA — such as FIDO2 security keys or certificate-based authentication — that cannot be defeated by token replay.
- If compromise is detected, immediately revoke compromised tokens and sessions to cut off attacker access.
- Remove any malicious inbox rules created by the attacker to suppress communications.
- Reset MFA methods and credentials for all accounts identified as affected.
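To show why the second recommendation holds against the token-replay flow described earlier, here is an added illustration (not Microsoft's or any vendor's code) of the WebAuthn checks a relying party performs: the browser embeds the origin it is really on in the signed client data, so an assertion obtained on a proxy domain fails the origin check, and one whose origin field has been rewritten fails the signature check. The origins are assumed, and an HMAC stands in for the credential's private-key signature.

```python
import base64, hashlib, hmac, json, secrets

RP_ORIGIN = "https://login.corp.example"   # assumed legitimate relying-party origin
CRED_KEY = secrets.token_bytes(32)         # stand-in for the credential's private key

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_client_data(client_data: bytes) -> str:
    """Authenticator step: sign SHA-256(clientDataJSON); HMAC stands in for the key."""
    return b64url(hmac.new(CRED_KEY, hashlib.sha256(client_data).digest(), "sha256").digest())

def authenticator_assert(browser_origin: str, challenge: str) -> dict:
    """The browser records the origin it is really on, and that is what gets signed."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}).encode()
    return {"clientDataJSON": b64url(client_data), "signature": sign_client_data(client_data)}

def rp_verify(assertion: dict, expected_challenge: str) -> tuple[bool, str]:
    """Relying party: signature over client data, then type, challenge and origin."""
    raw = b64url_decode(assertion["clientDataJSON"])
    if not hmac.compare_digest(assertion["signature"], sign_client_data(raw)):
        return False, "signature does not cover this clientDataJSON (tampered)"
    data = json.loads(raw)
    if data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if not hmac.compare_digest(data.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if data.get("origin") != RP_ORIGIN:
        return False, f"origin {data.get('origin')!r} is not the relying party"
    return True, "ok"

def proxied_login(proxy_origin: str = "https://proxy.attacker.test") -> tuple[bool, str]:
    """AiTM case: the victim completes WebAuthn on the proxy's page and the proxy relays
    the assertion verbatim. The signature is valid, but the origin gives it away."""
    challenge = b64url(secrets.token_bytes(32))            # issued by the real RP
    return rp_verify(authenticator_assert(proxy_origin, challenge), challenge)

def tampered_login(proxy_origin: str = "https://proxy.attacker.test") -> tuple[bool, str]:
    """Proxy rewrites the origin to look legitimate; now the signature no longer matches."""
    challenge = b64url(secrets.token_bytes(32))
    assertion = authenticator_assert(proxy_origin, challenge)
    data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    data["origin"] = RP_ORIGIN
    assertion["clientDataJSON"] = b64url(json.dumps(data).encode())
    return rp_verify(assertion, challenge)
```

A password plus a one-time code has no equivalent of the origin field, which is exactly the gap the AiTM proxy exploits; a session cookie issued after such a login is likewise unbound to the device, which is why revocation is the only remedy once it leaks.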
A Pattern of Payroll Piracy: Storm-2657 and Workday Attacks
Storm-2755 is not the only threat actor operating in this space. In October, Microsoft disrupted a separate payroll pirate campaign that had been active since March 2025, targeting university employees across the United States. That campaign was attributed to a cybercrime group tracked as Storm-2657.
In those attacks, Storm-2657 breached targets' accounts through phishing emails and stole MFA codes using AiTM tactics, ultimately compromising victims' Exchange Online accounts before redirecting salary payments. The Workday HR platform was again a central target, highlighting how payroll software has become a prime objective for this category of financially motivated threat actors.
The Broader BEC Landscape
Payroll pirate attacks are a specific variant of business email compromise (BEC) scams, a broader category of fraud that targets businesses and individuals who regularly conduct wire transfers. The scale of BEC fraud in the United States alone is staggering.
According to the FBI's Internet Crime Complaint Center (IC3), last year recorded over 24,000 BEC fraud complaints, resulting in losses exceeding $3 billion. This made BEC the second most lucrative crime type tracked by the IC3, surpassed only by investment scams. The persistent profitability of BEC schemes ensures that threat actors like Storm-2755 will continue to refine and deploy these techniques against high-value targets across industries and geographies.
Key Takeaways for Security Teams
The Storm-2755 campaign illustrates that conventional MFA, while valuable, is no longer sufficient on its own when adversaries deploy AiTM infrastructure. Organizations should audit their authentication frameworks for phishing-resistance, monitor HR platforms like Workday for unauthorized changes to payment details, and ensure that any anomalous inbox rules are flagged for immediate investigation. Rapid token revocation capabilities should be tested and ready to deploy the moment a compromise is suspected.
Source: BleepingComputer