Blogs.Microsoft
Storm-2755 Targets Canadian Employees in Payroll Pirate Attacks
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A financially motivated threat actor known as Storm-2755 is targeting Canadian employees by hijacking their payroll accounts to redirect salary payments to attacker-controlled bank accounts. The attackers employ adversary-in-the-middle (AiTM) techniques to steal authentication tokens and session cookies through malicious Microsoft 365 sign-in pages. This method allows them to bypass multi-factor authentication (MFA) and conduct their operations without raising immediate suspicion. Victims receive phishing emails that trick human resources into updating banking information, while the attackers also manipulate inbox rules to hide critical communications. Microsoft has previously disrupted similar campaigns, indicating a growing trend in payroll-related cybercrime. The FBI reported over 24,000 business email compromise (BEC) complaints last year, highlighting the financial impact of such attacks. Microsoft advises organizations to block legacy authentication protocols and implement phishing-resistant MFA as preventive measures.
Key Points: • Storm-2755 uses AiTM techniques to hijack payroll accounts of Canadian employees. • Attackers bypass MFA by stealing session tokens from malicious sign-in pages. • Microsoft recommends blocking legacy authentication and enhancing MFA to mitigate risks.