Storm-2755 Targets Canadian Employees in Payroll Pirate Attacks
Severity: High (Score: 71.0)
Sources: Cybersecuritynews, Bleepingcomputer, Gbhackers, Blogs.Microsoft
Summary
A financially motivated threat actor known as Storm-2755 is targeting Canadian employees by hijacking their payroll accounts to redirect salary payments to attacker-controlled bank accounts. The attackers employ adversary-in-the-middle (AiTM) techniques to steal authentication tokens and session cookies through malicious Microsoft 365 sign-in pages. This method allows them to bypass multi-factor authentication (MFA) and conduct their operations without raising immediate suspicion. Victims receive phishing emails that trick human resources into updating banking information, while the attackers also manipulate inbox rules to hide critical communications. Microsoft has previously disrupted similar campaigns, indicating a growing trend in payroll-related cybercrime. The FBI reported over 24,000 business email compromise (BEC) complaints last year, highlighting the financial impact of such attacks. Microsoft advises organizations to block legacy authentication protocols and implement phishing-resistant MFA as preventive measures.
Key Points
- Storm-2755 uses AiTM techniques to hijack payroll accounts of Canadian employees.
- Attackers bypass MFA by stealing session tokens from malicious sign-in pages.
- Microsoft recommends blocking legacy authentication and enhancing MFA to mitigate risks.
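The inbox-rule manipulation mentioned above is one of the more detectable steps of this kind of intrusion: the attacker creates a rule that deletes or files away HR and payroll mail so the victim never sees the confirmation of a changed bank account. The script below is an added example, not code from the original report or from Microsoft, that scores inbox-rule audit events for that pattern. The audit records it reads are constructed samples; the field names (Operation, UserId, ClientIP, Parameters) are assumed to follow the general shape of Exchange Online unified-audit-log entries, and the keyword list and thresholds are assumptions to be tuned per tenant.

```python
"""
Score inbox-rule creation/modification events for the hiding behaviour
seen in payroll-diversion intrusions. Added example; the log lines below
are constructed, not real Microsoft 365 audit output.
"""
import json
import re

# Words that show up in the HR/payroll mail an attacker wants to suppress (assumed list).
PAYROLL_TERMS = re.compile(r"\b(payroll|direct deposit|bank|salary|workday|hr)\b", re.I)

# Rule actions that remove mail from the user's view.
HIDING_ACTIONS = {"DeleteMessage", "MoveToFolder", "MarkAsRead", "SoftDeleteMessage"}

# Constructed sample records, one JSON object per line (assumed export shape).
SAMPLE_LOG = """
{"Operation": "New-InboxRule", "UserId": "alice@example.ca", "ClientIP": "203.0.113.10", "Parameters": [{"Name": "SubjectContainsWords", "Value": "payroll;direct deposit"}, {"Name": "DeleteMessage", "Value": "True"}, {"Name": "Name", "Value": "."}]}
{"Operation": "New-InboxRule", "UserId": "bob@example.ca", "ClientIP": "198.51.100.5", "Parameters": [{"Name": "From", "Value": "newsletter@example.com"}, {"Name": "MoveToFolder", "Value": "Newsletters"}, {"Name": "Name", "Value": "Newsletters"}]}
{"Operation": "Set-InboxRule", "UserId": "carol@example.ca", "ClientIP": "203.0.113.10", "Parameters": [{"Name": "BodyContainsWords", "Value": "bank account"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"Operation": "MailItemsAccessed", "UserId": "alice@example.ca", "ClientIP": "203.0.113.10", "Parameters": []}
"""


def params(record):
    """Flatten the Parameters array into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def score_rule(record):
    """Return (score, reasons) for one audit record; 0 means not an inbox-rule event or benign-looking."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return 0, []
    p = params(record)
    score, reasons = 0, []

    # Condition fields: what the rule matches on.
    conditions = " ".join(str(v) for k, v in p.items() if k.endswith("ContainsWords") or k == "From")
    if PAYROLL_TERMS.search(conditions):
        score += 2
        reasons.append("matches payroll/HR keywords")

    # Action fields: does the rule make mail disappear?
    hiding = HIDING_ACTIONS & {k for k, v in p.items() if v not in (None, "", "False")}
    if hiding:
        score += 1
        reasons.append("hides mail via " + ",".join(sorted(hiding)))

    # Single-character or dot-only rule names are a common evasion; only judge when a name is present.
    if "Name" in p and len(str(p["Name"]).strip(". ")) <= 1:
        score += 1
        reasons.append("near-empty rule name")
    return score, reasons


def find_suspicious_rules(log_text, threshold=3):
    """Parse newline-delimited JSON audit records and return those at or above the threshold."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        score, reasons = score_rule(rec)
        if score >= threshold:
            hits.append({"user": rec["UserId"], "ip": rec.get("ClientIP"), "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_LOG):
        print(hit)
```

Running it flags alice's rule (payroll keywords, delete action, dot-only name) and carol's rule (bank keyword, move-and-mark-read), while bob's ordinary newsletter filter scores below the threshold. The shared ClientIP across the two flagged events is the sort of pivot an analyst would then use to look for the AiTM session that created them.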
Key Entities
- Data Breach (attack_type)
- Man-in-the-Middle (attack_type)
- Phishing (attack_type)
- Payroll Pirate (campaign)
- Payroll Pirate Campaign (campaign)
- Storm-2755 (campaign)
- United States (country)
- T1078 - Valid Accounts (mitre_attack)
- T1566.002 - Spearphishing Link (mitre_attack)
- Exchange Online (platform)
- Microsoft 365 (platform)
- Workday (company)
- AiTM Frameworks (tool)