
Payroll Pirate Attacks Are Draining Canadian Salaries

Published on April 15, 2026

A new wave of payroll pirate attacks is hitting Canadian workers, and the money disappears before anyone notices. Microsoft's Detection and Response Team has identified a financially motivated threat actor, tracked as Storm-2755, running a campaign designed to intercept employee salary payments and divert them to attacker-controlled bank accounts. The attack chain is technically sophisticated, hard to detect, and built to exploit the everyday tools that HR and finance teams rely on.

How Storm-2755 Gets In

The attack begins long before a victim ever opens a phishing email. Storm-2755 uses SEO poisoning and malvertising to push attacker-controlled domains to the top of search results for generic queries. Someone searching for "Office 365" or common misspellings like "Office 265" may find a fraudulent site ranking above the legitimate one. One domain confirmed in the campaign is bluegraintours[.]com, which hosted a spoofed Microsoft 365 sign-in page designed to look indistinguishable from the real thing.

But this is not standard credential theft. Storm-2755 deploys an adversary-in-the-middle (AiTM) framework that proxies the entire authentication flow in real time. Rather than simply capturing a username and password, it intercepts session cookies and OAuth access tokens at the moment they are issued. These tokens represent a fully authenticated session. Once stolen, attackers can replay them to access Microsoft services without triggering a credential or MFA prompt, bypassing legacy multifactor authentication entirely.

Suspicious Axios 1.7.9 user-agent activity was observed throughout the campaign, which Microsoft's team used as a forensic signal to map the attack infrastructure.

Inside the Attack: From Inbox to Payroll

Once inside a compromised account, Storm-2755 moves methodically. The first action is reconnaissance. Attackers search the victim's inbox and intranet for terms like "payroll," "HR," "direct deposit," "finance," and "admin" to locate relevant contacts and processes. At the same time, they create inbox rules that automatically redirect incoming messages containing words like "bank" or "direct deposit" to hidden folders. The victim stops seeing HR correspondence without knowing why.

The next step is impersonation. Attackers send emails to HR or finance staff with the subject line "Question about direct deposit," requesting a change to the employee's banking details. The message comes from a legitimate, authenticated account, which makes it difficult for HR staff to flag as suspicious.

When Social Engineering Fails

Where that approach does not work, Storm-2755 pivots. Using the stolen session, the attacker logs directly into HR SaaS platforms such as Workday and manually updates the employee's direct deposit information. No further social engineering is needed. The attacker is already operating inside an authenticated session with full user privileges, making their actions appear entirely routine to platform audit logs.

Microsoft also observed a subset of cases where attackers modified MFA settings and changed passwords to maintain persistence after session tokens expired, locking in longer-term access before the initial compromise was discovered.

A Deliberate Geographic Focus

What sets this campaign apart from similar payroll pirate attacks is its targeting logic. Storm-2755 is not pursuing a specific industry or organization type. It is targeting Canada, broadly. The actor selected victims based on geography, not sector, using industry-agnostic search terms to cast a wide net. This approach gives the campaign unusual reach and makes it harder to contain through vertical-specific defenses.

Microsoft has not disclosed why Canadian organizations are specifically in scope, but the pattern is deliberate. It mirrors a separate campaign attributed to Storm-2657, a related but distinct threat actor that has been running payroll piracy attacks against US university employees since March 2025. That campaign compromised 11 accounts at three universities and sent phishing emails to nearly 6,000 accounts across 25 institutions.

The Bigger Picture: BEC Fraud and Its Financial Cost

Payroll pirate attacks are a variant of business email compromise (BEC) fraud. The FBI recorded over 24,000 BEC complaints in 2025, with losses exceeding $3 billion, placing it second only to investment scams as the most financially damaging cybercrime category. Storm-2755 fits directly into this pattern: financially motivated, operationally patient, and designed to exploit trust rather than vulnerability.

The campaign also illustrates how AiTM techniques have shifted the threat landscape. Standard MFA no longer provides reliable protection against session token theft. An attacker who captures a fully authenticated token does not need credentials. They walk in through the front door.

What Organizations Should Do Now

Microsoft has engaged affected organizations directly and taken disruption actions including tenant takedowns. But the defensive burden falls on every organization running Microsoft 365 or cloud-based HR platforms.

The most important step is deploying phishing-resistant MFA, specifically FIDO2 or passkey-based authentication, which cannot be bypassed through token replay. Beyond that, security teams should:

  • Monitor sign-in logs for error code 50199 and Axios 1.7.9 user-agent strings
  • Flag repeated non-interactive sign-ins to OfficeHome, Outlook, My Sign-Ins, and My Profile
  • Audit inbox rules for keywords related to banking and direct deposit
  • Require out-of-band verification for any payroll or direct deposit change request
  • Review active session tokens and revoke any tied to suspicious activity
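A defender-side triage pass over constructed sign-in records and inbox rules, added here as an example and not code from the original post or from Microsoft, that applies the indicators in the list above (the Axios 1.7.9 user agent, error code 50199, repeated non-interactive sign-ins to the named apps) together with the inbox-rule keyword check from the reconnaissance section. The record field names, the non-interactive threshold and all sample data are assumptions.

```python
import re
from collections import Counter

# Indicators named in the Microsoft reporting summarised above.
SUSPICIOUS_UA = "axios/1.7.9"
SUSPICIOUS_ERROR = 50199
NONINTERACTIVE_APPS = {"OfficeHome", "Outlook", "My Sign-Ins", "My Profile"}
RULE_KEYWORDS = re.compile(r"\b(bank|direct deposit|payroll)\b", re.I)
HIDING_ACTIONS = {"MoveToFolder", "Delete", "MarkAsRead"}

# Constructed sign-in records; field names are an assumption loosely modelled
# on Entra ID sign-in log fields, and the data is not from any real tenant.
SIGNINS = [
    {"user": "alice@example.ca", "app": "OfficeHome", "ua": "axios/1.7.9", "error": 0, "interactive": False},
    {"user": "alice@example.ca", "app": "Outlook", "ua": "axios/1.7.9", "error": 0, "interactive": False},
    {"user": "alice@example.ca", "app": "My Profile", "ua": "axios/1.7.9", "error": 50199, "interactive": False},
    {"user": "bob@example.ca", "app": "Outlook", "ua": "Mozilla/5.0 (Windows NT 10.0)", "error": 0, "interactive": True},
]

# Constructed inbox rules; the shape is an assumption, not Exchange's own schema.
RULES = [
    {"user": "alice@example.ca", "name": ".", "subject_contains": ["bank", "direct deposit"], "action": "MoveToFolder"},
    {"user": "bob@example.ca", "name": "Newsletters", "subject_contains": ["digest"], "action": "MoveToFolder"},
]

def flag_signins(records, min_noninteractive=3):
    """Return (user, reason) pairs for sign-ins matching the campaign indicators."""
    findings, noninteractive = [], Counter()
    for r in records:
        if SUSPICIOUS_UA in r["ua"].lower():
            findings.append((r["user"], "axios-1.7.9-user-agent"))
        if r["error"] == SUSPICIOUS_ERROR:
            findings.append((r["user"], "error-50199"))
        if not r["interactive"] and r["app"] in NONINTERACTIVE_APPS:
            noninteractive[r["user"]] += 1
    # Repeated non-interactive token use against these apps is the replay pattern
    # described above; the threshold is a tunable assumption.
    for user, n in noninteractive.items():
        if n >= min_noninteractive:
            findings.append((user, f"repeated-noninteractive-signins:{n}"))
    return findings

def flag_inbox_rules(rules):
    """Return users whose rules hide mail about banking, payroll or direct deposit."""
    return sorted({r["user"] for r in rules
                   if r["action"] in HIDING_ACTIONS
                   and any(RULE_KEYWORDS.search(k) for k in r["subject_contains"])})
```

In a real tenant the same checks would run over exported Entra sign-in logs and the output of an inbox-rule inventory; any hit on the first function should trigger the session-revocation step in the list above.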

HR and security teams need to be working from the same playbook here. Payroll pirate attacks exploit the gap between them.

The Threat Is Not Going Away

Storm-2755 is an emerging actor. The campaign is still active. And the techniques it uses (AiTM session hijacking, SEO poisoning, HR SaaS abuse) are not exotic. They are replicable, scalable, and already spreading to other threat actors running similar operations.

Organizations that have not yet audited their authentication controls, payroll change workflows, and HR platform access policies are carrying risk they may not know about. The employees whose salaries disappear into attacker accounts find out only when payday comes and nothing arrives.
