[Canada] Microsoft warns of payroll pirate attacks targeting employees

11 Apr 2026

In Canada, Microsoft has warned that a financially motivated threat actor tracked as Storm-2755 is stealing employees' salary payments after hijacking their accounts in payroll pirate attacks, Bleeping Computer reports.

The attackers stole victims' authentication tokens and session cookies by redirecting them to attacker-controlled domains hosting web pages that masqueraded as Microsoft 365 sign-in forms.

The pages were reportedly pushed to the top of search engine results through malvertising or SEO poisoning. These tactics allowed Storm-2755 to bypass multifactor authentication (MFA) in adversary-in-the-middle (AiTM) attacks by replaying stolen session tokens rather than re-authenticating.

"Rather than harvesting only usernames and passwords, AiTM frameworks proxy the entire authentication flow in real time, enabling the capture of session cookies and OAuth access tokens issued upon successful authentication," Microsoft said.

"Due to these tokens representing a fully authenticated session, threat actors can reuse them to gain access to Microsoft services without being prompted for credentials or MFA, effectively bypassing legacy MFA protections not designed to be phishing-resistant."

According to Microsoft, after gaining account access, the attacker created inbox rules that automatically moved messages from HR staff containing the words "direct deposit" or "bank" to hidden folders, preventing targeted employees from seeing the correspondence.

They then searched for "payroll," "HR," "direct deposit," and "finance," and emailed HR staff with the subject line "Question about direct deposit" to fool them into updating banking information.

When such social engineering failed, the attacker logged directly into HR software platforms, such as Workday, using the stolen session to manually update direct deposit details.

Microsoft has reportedly advised defenders to block legacy authentication protocols and implement phishing-resistant MFA to reinforce defences against AiTM and payroll pirate attacks.

Where signs of compromise are detected, they should also revoke compromised tokens and sessions immediately, remove malicious inbox rules, and reset MFA methods and credentials for all affected accounts.
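The inbox-rule behaviour described above (rules that match HR or payroll keywords and park the mail where the employee will not see it) is something a defender can hunt for when reviewing mailbox rules. The following is an added example, not code from Microsoft or Bleeping Computer; the rule records are constructed in a simplified shape loosely modelled on Exchange Online inbox-rule properties, and the field names are assumptions.

```python
"""Heuristic review of mailbox inbox rules for the payroll-pirate pattern:
rules that match HR/payroll keywords and hide the matching mail.
Added example; field names are assumed, not an Exchange/Graph schema."""
import re

# Keywords the reported attacker filtered on (plus the terms they searched for).
PAYROLL_TERMS = {"direct deposit", "bank", "payroll", "hr", "finance"}

# Folders an employee rarely opens; a rule parking HR mail here hides it.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}

def _terms_in(values):
    """Return the payroll terms that appear as whole words in the rule's conditions."""
    text = " ".join(values).lower()
    return {t for t in PAYROLL_TERMS if re.search(r"\b" + re.escape(t) + r"\b", text)}

def review_inbox_rule(rule):
    """Return the reasons this rule looks like a hiding rule, or [] if it does not."""
    hits = _terms_in(rule.get("subject_or_body_contains", []))
    if not hits:
        return []
    reasons = []
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves {sorted(hits)} mail to rarely-viewed folder '{folder}'")
    if rule.get("delete_message"):
        reasons.append(f"deletes mail matching {sorted(hits)}")
    if rule.get("mark_as_read") and (folder or rule.get("delete_message")):
        reasons.append("marks matched mail as read so no unread count appears")
    if rule.get("stop_processing_rules") and reasons:
        reasons.append("stops further rule processing, overriding the user's own rules")
    return reasons

def flag_suspicious_rules(rules):
    """Map rule name -> reasons, for every rule that trips the heuristic."""
    findings = {}
    for rule in rules:
        reasons = review_inbox_rule(rule)
        if reasons:
            findings[rule["name"]] = reasons
    return findings

# Constructed sample rules: one benign, one matching the reported behaviour.
SAMPLE_RULES = [
    {"name": "Newsletters", "subject_or_body_contains": ["newsletter"],
     "move_to_folder": "Newsletters", "mark_as_read": False},
    {"name": "Rule 1", "subject_or_body_contains": ["direct deposit", "bank"],
     "move_to_folder": "RSS Subscriptions", "mark_as_read": True,
     "stop_processing_rules": True},
]

if __name__ == "__main__":
    for name, why in flag_suspicious_rules(SAMPLE_RULES).items():
        print(name, "->", "; ".join(why))
```

In a real review the input would come from an export of each mailbox's rules; a hit is a trigger to revoke sessions, remove the rule and reset credentials as the advice above describes.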

Bleeping Computer explains that payroll pirate attacks are a variant of business email compromise (BEC) scams, which target businesses and individuals who regularly make wire transfers. 

The FBI's Internet Crime Complaint Center (IC3) recorded over 24,000 BEC fraud complaints in 2025, leading to losses in excess of $3 billion. After investment scams, it is the most lucrative crime type.


Source: Bleeping Computer

(Links via original reporting)
