Microsoft has disclosed a new financially motivated campaign in which a threat actor it tracks as Storm-2755 targeted Canadian employees and used stolen Microsoft 365 sessions to redirect payroll deposits to attacker-controlled bank accounts.
According to Microsoft Incident Response and DART researchers, the operation caused direct financial losses and stood out because it did not focus on a single sector, employer, or software provider, but instead used broad geographic targeting across Canada.
The campaign marks a notable evolution in so-called payroll-pirate attacks, as the actor relied on search-engine optimization poisoning and malvertising rather than traditional email-first phishing to reach victims.
Microsoft said Storm-2755 pushed an actor-controlled domain, bluegraintours[.]com, into search results for generic terms such as “Office 365” and even common misspellings like “Office 265,” increasing the chance that users seeking a legitimate login page would land on a malicious Microsoft 365 credential portal instead.
Storm-2755 Hijacks via AiTM Session Theft
Once a victim entered credentials, the attacker did not simply steal a password and wait for another chance to log in. Microsoft’s analysis indicates Storm-2755 used an adversary-in-the-middle framework that proxied the authentication flow in real time, capturing session cookies and OAuth access tokens after successful sign-in. Those artifacts allowed the actor to reuse authenticated sessions and bypass legacy multifactor authentication controls that are not phishing-resistant.
Microsoft said one of the most consistent technical indicators appeared immediately after the phishing event in Entra sign-in data.
Victims generated a 50199 sign-in interrupt error just before the account was successfully compromised, and the session then shifted to an Axios user-agent, commonly version 1.7.9, while the session ID remained unchanged, a pattern Microsoft said strongly suggests token replay rather than a fresh login.
That detail matters because Storm-2755’s method turned identity theft into quiet session hijacking. By operating inside a valid user session, the actor could blend into ordinary enterprise activity, access Outlook and profile-related services, and reduce the chance that security teams or end users would notice an obvious account takeover in progress.
Microsoft also noted that the attack path appears to exploit weaknesses in Axios and referenced CVE-2025-27152 as relevant to the affected infrastructure.
While Axios itself is not malicious, the company said Storm-2755 used version 1.7.9 of the HTTP client to relay authentication tokens to customer environments, effectively preserving access and enabling repeated non-interactive sign-ins to OfficeHome roughly every 30 minutes until defenders revoked the active tokens.
Microsoft observed that stolen tokens could remain useful for around 30 days unless they were invalidated by remediation, expiration, rotation, or policy enforcement. For a smaller number of victims, the actor also changed passwords or MFA settings to maintain more durable access after the replayed session expired.
Microsoft said compromised sessions were used to search intranet resources for terms tied to payroll and human resources, including “payroll,” “HR,” “human,” “resources,” “finance,” “account,” and “admin,” showing a deliberate attempt to map how each organization handled salary and employee record changes.
The social engineering phase was equally focused. Across compromised accounts, Microsoft repeatedly saw the subject line “Question about direct deposit,” which the actor used to impersonate employees and persuade HR or finance staff to alter banking details manually, eliminating the need for noisy post-exploitation tooling or prolonged hands-on-keyboard activity.
If the impersonation path failed, Storm-2755 sometimes pivoted to direct use of HR software platforms such as Workday.
Microsoft stressed that the issue does not represent a vulnerability in Workday or similar payroll services, but rather abuse of compromised identities and trusted single sign-on workflows to modify payment elections from inside a legitimate employee context.
Microsoft said the malicious inbox rules the actor created moved messages containing terms such as “direct deposit” or “bank” into the conversation history or other hidden locations, and stopped further rule processing, preventing victims from seeing replies from HR about pending payroll changes.
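To show what that rule-hiding pattern looks like when triaged, here is an added Python example (not Microsoft's query or code) that scores inbox rules against the traits the article names: payroll-related match terms, a move into a rarely viewed folder, and stopping further rule processing. The rule objects are constructed samples shaped loosely like Microsoft Graph messageRule resources (a folder name stands in for the folder id for readability), and the keyword and hidden-folder lists are assumptions that extend the terms quoted above.

```python
PAYROLL_TERMS = {"direct deposit", "bank", "payroll", "payment election"}
# Folders a user rarely looks at; "conversation history" is the one the article names.
HIDDEN_FOLDERS = {"conversation history", "rss feeds", "rss subscriptions", "archive", "deleted items"}

# Constructed sample rules, shaped loosely like Microsoft Graph messageRule objects.
SAMPLE_RULES = [
    {"displayName": ".", "conditions": {"bodyOrSubjectContains": ["direct deposit", "bank"]},
     "actions": {"moveToFolder": "Conversation History", "markAsRead": True, "stopProcessingRules": True}},
    {"displayName": "Newsletters", "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters", "stopProcessingRules": False}},
    {"displayName": "Payroll", "conditions": {"subjectContains": ["payroll"]},
     "actions": {"moveToFolder": "Payroll", "stopProcessingRules": False}},
]


def score_rule(rule):
    """Return (score, reasons): each reason is one trait of the hiding pattern."""
    reasons = []
    cond = rule.get("conditions", {})
    terms = [t.lower() for key in ("subjectContains", "bodyOrSubjectContains", "bodyContains")
             for t in cond.get(key, [])]
    hits = sorted({t for t in terms if any(p in t for p in PAYROLL_TERMS)})
    if hits:
        reasons.append(f"matches payroll terms {hits}")
    act = rule.get("actions", {})
    folder = (act.get("moveToFolder") or "").lower()
    if folder in HIDDEN_FOLDERS or act.get("delete"):
        reasons.append(f"hides mail in '{folder or 'deleted items'}'")
    if act.get("stopProcessingRules"):
        reasons.append("stops further rule processing")
    if act.get("markAsRead"):
        reasons.append("marks matching mail as read")
    return len(reasons), reasons


def suspicious_rules(rules, threshold=3):
    """Rules with at least `threshold` traits; a legitimate 'Payroll' folder rule scores 1."""
    flagged = []
    for rule in rules:
        score, reasons = score_rule(rule)
        if score >= threshold:
            flagged.append((rule.get("displayName", ""), score, reasons))
    return flagged
```

The threshold keeps a user's own "file payroll mail into a Payroll folder" rule below the bar while the hide-and-stop combination is flagged.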
Microsoft observed session renewal activity around 5:00 AM in the user’s local time zone, a window likely chosen to reduce the odds that the real employee would reauthenticate and invalidate the attacker’s stolen session during regular business hours.
In at least one documented case, the operation ended with an actual payroll diversion. Microsoft said the actor used the hijacked session to contact HR, received instructions on updating direct-deposit data, then manually signed in to Workday as the victim and changed banking information so that a paycheck was sent to an attacker-controlled account.
The newly disclosed campaign also shows how payroll fraud activity has expanded since Microsoft’s earlier Storm-2657 reporting in 2025.
In that case, the company described payroll-piracy attacks against U.S. universities that used phishing emails, inbox-rule abuse, and MFA manipulation to modify Workday payment settings, whereas Storm-2755 shifted toward SEO poisoning, malvertising, session replay, and broader geographic targeting of Canadian users rather than a single vertical industry.
For defenders, Microsoft’s guidance centers on fast containment and stronger identity controls. The company recommends revoking compromised sessions and tokens immediately, resetting credentials and MFA methods, removing malicious inbox rules, enforcing device compliance and Conditional Access, blocking legacy authentication where possible, and adopting phishing-resistant MFA such as FIDO2 or WebAuthn-based methods.
Microsoft also advised organizations to use continuous access evaluation to shorten the lifespan of stolen tokens and to monitor for unusual user agents, such as Axios, abnormal travel patterns, and suspicious sign-ins from uncommon IP addresses.
Its published detections for Defender and Entra include alerts for possible AiTM attacks, anomalous OAuth device code activity, suspicious sign-ins from unusual user-agents, and risky Entra device registration events tied to malicious infrastructure. The hunting guidance is especially relevant for security operations teams investigating payroll fraud.
Microsoft published Defender XDR and Sentinel queries aimed at identifying suspicious inbox rules, Workday “Change My Account” and “Manage Payment Elections” events, domain hits tied to bluegraintours[.]com, and the broader pattern of failed sign-ins followed by error 50199, an Axios user-agent transition, and an unchanged session ID.
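As an added illustration of the sign-in sequence described earlier (a 50199 interrupt, a successful sign-in, then an Axios user-agent on an unchanged session ID) and of the hunting pattern mentioned here, the following Python is example detection logic written for this page, not one of Microsoft's published queries. The sign-in rows are constructed samples; the field names, status code 0 for success, and the ISO timestamp format are assumptions about the export, not Entra's actual schema.

```python
from collections import defaultdict

# Constructed sample Entra sign-in rows (a subset of the real export's columns).
# Status 0 = success; 50199 = the interrupt code the article describes.
SAMPLE_SIGNINS = [
    {"time": "2025-11-03T14:02:10Z", "user": "alice@example.ca", "sessionId": "s-111",
     "status": 50199, "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/130.0", "interactive": True},
    {"time": "2025-11-03T14:02:41Z", "user": "alice@example.ca", "sessionId": "s-111",
     "status": 0, "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/130.0", "interactive": True},
    {"time": "2025-11-03T14:05:03Z", "user": "alice@example.ca", "sessionId": "s-111",
     "status": 0, "userAgent": "axios/1.7.9", "interactive": False},
    {"time": "2025-11-03T14:35:07Z", "user": "alice@example.ca", "sessionId": "s-111",
     "status": 0, "userAgent": "axios/1.7.9", "interactive": False},
    # Benign: an interrupt followed by success, but the browser keeps the session.
    {"time": "2025-11-03T09:00:00Z", "user": "bob@example.ca", "sessionId": "s-222",
     "status": 50199, "userAgent": "Mozilla/5.0 (Macintosh) Safari/17.0", "interactive": True},
    {"time": "2025-11-03T09:00:30Z", "user": "bob@example.ca", "sessionId": "s-222",
     "status": 0, "userAgent": "Mozilla/5.0 (Macintosh) Safari/17.0", "interactive": True},
]


def find_token_replay(signins, ua_marker="axios"):
    """Return one finding per (user, sessionId) whose rows show, in order:
    a 50199 interrupt -> a browser success -> a non-interactive success with the
    marker user-agent on the SAME session ID (the replay signal)."""
    by_session = defaultdict(list)
    for row in signins:
        by_session[(row["user"], row["sessionId"])].append(row)
    findings = []
    for (user, sid), rows in by_session.items():
        rows.sort(key=lambda r: r["time"])  # ISO-8601 UTC strings sort chronologically
        seen_interrupt = seen_success = False
        browser_ua = None
        for r in rows:
            is_marker = ua_marker in r["userAgent"].lower()
            if r["status"] == 50199:
                seen_interrupt, browser_ua = True, r["userAgent"]
            elif r["status"] == 0 and seen_interrupt and not is_marker:
                seen_success = True
            elif r["status"] == 0 and seen_success and is_marker and not r["interactive"]:
                replays = sum(1 for x in rows if ua_marker in x["userAgent"].lower())
                findings.append({"user": user, "sessionId": sid, "original_ua": browser_ua,
                                 "first_replay": r["time"], "replay_signins": replays})
                break  # one finding per session is enough for triage
    return findings
```

Counting the marker-agent sign-ins per session also surfaces the roughly half-hourly non-interactive renewals the article describes, which is a useful secondary signal when the user-agent string alone is ambiguous.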
The larger lesson is that payroll theft is increasingly an identity-and-session security problem rather than just an email security problem.
Storm-2755 demonstrates how attackers can combine search manipulation, AiTM phishing, token replay, and quiet workflow abuse to turn a single user login into direct monetary loss, making phishing-resistant authentication and session-aware detection essential controls for enterprises that rely on cloud identity and HR platforms.
FAQs
What is Storm-2755?
Storm-2755 is a financially motivated threat actor that Microsoft said targeted Canadian employees to hijack sessions and reroute payroll deposits to attacker-controlled accounts.
How did the attackers get in?
Microsoft said the actor used SEO poisoning and malvertising to lure users to a fake Microsoft 365 login page that captured credentials and authenticated session tokens.
Why did MFA not stop the attack?
The campaign used adversary-in-the-middle token theft and replay, which can bypass legacy MFA that is not phishing-resistant.
What should defenders check first?
Microsoft recommends revoking sessions and tokens, removing malicious inbox rules, resetting credentials and MFA methods, and hunting for Axios user-agents, error 50199, and payroll-related Workday changes.
Site: thecybrdef.com