A threat actor tracked as Storm-2755 is targeting Canadian employees in "payroll pirate" attacks, stealing salary payments by hijacking Microsoft 365 accounts. The attackers use adversary-in-the-middle (AiTM) phishing pages to capture session cookies and OAuth tokens, which lets them bypass MFA without needing credentials. Once inside a victim's account, they hide HR correspondence, impersonate the employee to request direct deposit changes, or log directly into HR platforms such as Workday to redirect payroll. Microsoft recommends blocking legacy authentication, implementing phishing-resistant MFA, revoking compromised tokens, and resetting affected accounts. This follows a similar 2025 campaign (Storm-2657) that targeted US university employees. According to the FBI, BEC fraud exceeded $3 billion in losses last year.