Payroll Pirates Target Canadian Employees via Microsoft 365 Hijacking
Cyber Threat Intelligence is flagging a sophisticated attack campaign, dubbed ‘payroll pirate attacks,’ specifically targeting Canadian employees. A financially motivated threat actor known as Storm-2755 has been successfully hijacking Microsoft 365 accounts to intercept and steal salary payments. The attackers are employing a cunning adversary-in-the-middle (AiTM) technique, using malicious Microsoft 365 sign-in pages hosted on compromised domains. These fake pages are often pushed to the top of search results via malvertising or SEO poisoning, tricking users into entering their credentials.
This AiTM approach is particularly nasty because it doesn’t just steal usernames and passwords; it proxies the entire authentication flow in real time. As Microsoft points out, this allows attackers to capture session cookies and OAuth tokens. With these tokens, Storm-2755 can bypass multi-factor authentication (MFA) entirely, gaining access to a victim’s account as if they were the legitimate user, without needing to re-authenticate. It’s a stark reminder that not all MFA implementations are created equal when it comes to phishing resistance.
Once inside an employee’s account, the attackers get sneaky. Cyber Threat Intelligence reports they create hidden inbox rules to intercept and conceal sensitive communications from HR departments, particularly those containing keywords like ‘direct deposit’ or ‘bank.’ They then search for payroll-related information and send fraudulent emails to HR, posing as employees needing to update their banking details. This entire operation is designed to divert paychecks directly into the attackers’ coffers.
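The hidden-inbox-rule step described above is something defenders can hunt for in audit telemetry. The following is an added example, not code from the article or from Microsoft: it runs over constructed Microsoft 365 audit records shaped like Exchange Online's New-InboxRule admin audit events (the Parameters list of Name/Value pairs is the real event shape; the user names, rule names and the keywords beyond the article's ‘direct deposit’ and ‘bank’ are assumptions) and flags rules that both filter on payroll terms and route the matches out of the victim's sight.

```python
import json

# Terms the article reports the attackers filter on, plus two assumed neighbours.
PAYROLL_KEYWORDS = ("direct deposit", "bank", "payroll", "salary")
# New-InboxRule parameters that define what mail a rule matches on.
FILTER_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                 "SubjectOrBodyContainsWords", "FromAddressContainsWords")
# New-InboxRule parameters that keep matched mail out of the victim's view.
HIDE_PARAMS = ("MoveToFolder", "DeleteMessage", "MarkAsRead")

# Constructed audit records (not real telemetry), one JSON object per line,
# in the Name/Value Parameters shape of Exchange Online admin audit events.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    {"UserId": "jdoe@example.ca", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "direct deposit;bank"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"UserId": "asmith@example.ca", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
])

def rule_parameters(record):
    """Flatten the Parameters list into a {Name: Value} dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def matched_keywords(record):
    """Payroll terms found in the rule's filter parameters (case-insensitive)."""
    params = rule_parameters(record)
    text = " ".join(params.get(k, "") for k in FILTER_PARAMS).lower()
    return sorted(kw for kw in PAYROLL_KEYWORDS if kw in text)

def is_suspicious_inbox_rule(record):
    """Suspicious when a rule event filters on payroll terms AND hides the hits."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    hides = any(k in rule_parameters(record) for k in HIDE_PARAMS)
    return hides and bool(matched_keywords(record))

def triage(audit_log_text):
    """Return (user, rule name, keywords) for every suspicious record in the log."""
    hits = []
    for line in audit_log_text.splitlines():
        record = json.loads(line)
        if is_suspicious_inbox_rule(record):
            params = rule_parameters(record)
            hits.append((record["UserId"], params.get("Name", "?"), matched_keywords(record)))
    return hits
```

Rules named with a single punctuation character and folders such as "RSS Subscriptions" are worth weighting higher in a real detection, since both are chosen to escape the user's notice.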
What This Means For You
- Security teams need to evaluate their Microsoft 365 security posture, focusing on phishing-resistant MFA and on conditional access policies that monitor for anomalous session token usage, since this campaign bypasses legacy MFA that is not phishing-resistant.