Microsoft: Canadian employees targeted in payroll pirate attacks

Storm-2755, a financially motivated group, has been hijacking Canadian employees’ payroll accounts to steal salary payments in payroll-pirate attacks. The group deploys malicious Microsoft 365 sign-in pages and adversary-in-the-middle (AiTM) frameworks that capture session cookies and OAuth tokens, bypassing legacy MFA, and then uses that access to hide HR messages and change direct deposit details (including via Workday). #Storm-2755 #Microsoft365

Key points

  • Storm-2755 hijacks payroll accounts to divert Canadian employees’ salary payments.
  • Attackers use malicious Microsoft 365 sign‑in pages (e.g., bluegraintours[.]com) pushed via malvertising or SEO poisoning.
  • AiTM techniques capture session cookies and OAuth tokens, enabling MFA bypass without re-authentication.
  • Threat actors create hidden inbox rules to hide HR messages and either social‑engineer HR or directly update Workday payroll info.
  • Microsoft advises blocking legacy authentication, deploying phishing‑resistant MFA, and revoking compromised tokens and inbox rules when detected.
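A defender-side check for the hidden-inbox-rule behaviour described in the bullets above, added here as an example (not code from Microsoft or BleepingComputer): it scores inbox-rule audit events for the combination of HR/payroll keyword conditions, rarely viewed destination folders, delete or mark-as-read actions, and empty or punctuation-only rule names. The event shape and sample records are constructed and simplified from Exchange mailbox audit records; the parameter names are those of the New-InboxRule cmdlet.

```python
import re

# Destination folders users rarely open; attackers park HR mail there.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
# Terms from the payroll-pirate pattern: HR and payroll notifications.
PAYROLL_KEYWORDS = {"payroll", "direct deposit", "hr", "workday", "salary", "bank"}

# Constructed sample events (not real telemetry), simplified from the shape of
# Exchange mailbox audit records for New-InboxRule / Set-InboxRule.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "payroll;direct deposit;Workday"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "Name", "Value": ",,"},
                    {"Name": "SubjectContainsWords", "Value": "HR"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]

def mentions_payroll(text):
    """Whole-word match for single keywords, substring match for phrases."""
    low = text.lower()
    tokens = set(re.findall(r"[a-z]+", low))
    return any((kw in low) if " " in kw else (kw in tokens) for kw in PAYROLL_KEYWORDS)

def score_rule(event):
    """Return the reasons an inbox rule resembles payroll-pirate tradecraft."""
    if event.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return []
    p = {x["Name"]: x["Value"] for x in event.get("Parameters", [])}
    reasons = []
    conditions = " ".join(v for k, v in p.items() if "ContainsWords" in k or k == "From")
    if mentions_payroll(conditions):
        reasons.append("conditions match HR/payroll keywords")
    if p.get("MoveToFolder", "").lower() in HIDDEN_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{p['MoveToFolder']}'")
    if p.get("DeleteMessage") == "True":
        reasons.append("deletes matching mail")
    if p.get("MarkAsRead") == "True":
        reasons.append("marks matching mail as read")
    if not p.get("Name", "").strip(" .,;-_"):
        reasons.append("rule name is empty or punctuation-only")
    return reasons

def find_suspicious_rules(events, min_reasons=2):
    """Map each mailbox to its reasons when a rule shows at least min_reasons indicators."""
    return {e["UserId"]: r for e in events if len(r := score_rule(e)) >= min_reasons}
```

Requiring two indicators keeps ordinary filing rules (bob's newsletter rule) out of the alert while still catching both the move-and-hide and the delete variants.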

Read More: https://www.bleepingcomputer.com/news/microsoft/microsoft-canadian-employees-targeted-in-payroll-pirate-attacks/