
A Microsoft-tracked cybercrime group is using adversary-in-the-middle techniques to hijack Microsoft 365 sessions, bypass multifactor authentication and reroute employee pay into attacker-controlled bank accounts, in what researchers describe as a geographically focused campaign against users in Canada. Microsoft said the actor, tracked as Storm-2755, combined search-result poisoning, fake sign-in pages and session replay to move from account takeover to payroll fraud, causing direct financial loss for at least one victim.
What sets this operation apart is the way it turns an ordinary log-in into a gateway for financial theft. Rather than exploiting a flaw in Microsoft 365 itself, the attackers appear to have relied on malvertising and search engine optimisation poisoning to push an actor-controlled domain to the top of results for generic terms such as “Office 365” and even the misspelling “Office 265”. Unsuspecting users were then taken to a fraudulent Microsoft 365 sign-in page that captured credentials and, more importantly, live session tokens that could be replayed after authentication.
Microsoft’s account of the campaign underlines a hard truth for organisations that still treat MFA as a cure-all. In an AiTM attack, the criminal sits between the user and the legitimate service, relaying the real authentication flow and harvesting the session cookie that proves the user has already signed in. Microsoft has warned for several years that this method does not “break” MFA so much as route around it by stealing the authenticated session after the user has completed the challenge. That is why the company is again urging organisations to move towards phishing-resistant MFA and stricter conditional access controls.
After gaining access, Storm-2755 did not behave like a smash-and-grab intruder. Microsoft said the group searched compromised mailboxes for terms linked to human resources and finance, then impersonated staff members to ask payroll or HR teams to alter direct-deposit details. The subject line “Question about direct deposit” appeared repeatedly across observed cases, suggesting a standardised social-engineering playbook. When persuasion failed, the attackers moved directly into HR software platforms, including Workday, and manually changed banking instructions themselves.
The stealth element is central to the scheme. Microsoft said the attackers created inbox rules designed to hide messages containing words such as “direct deposit” or “bank”, shifting them into concealed folders so the employee would not see warnings or follow-up exchanges from HR. Researchers also observed the threat actor renewing stolen sessions around 5am in the victim’s local time zone, a pattern consistent with efforts to avoid interference from legitimate users and to prolong access before a reauthentication event could invalidate the session.
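Detection logic for the inbox-rule tactic described above, as an added example that is not from the article or from Microsoft's reporting: it scans Microsoft 365 Unified Audit Log records for New-InboxRule / Set-InboxRule operations and flags rules that match payroll-related words and then move, delete or mark the message as read. The parameter names are the real Exchange cmdlet parameters; the audit records and user names are constructed samples.

```python
from dataclasses import dataclass

# Words the article reports the actor's rules keyed on, plus adjacent payroll terms (assumed list).
SUSPECT_KEYWORDS = {"direct deposit", "bank", "payroll", "routing"}
# Rule parameters that hide or destroy matching mail rather than merely file it.
HIDING_ACTIONS = {"MoveToFolder", "DeleteMessage", "MarkAsRead"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
CONDITION_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}

# Constructed audit records in the Unified Audit Log shape (Operation, UserId, Parameters list).
SAMPLE_RECORDS = [
    {"Operation": "UserLoggedIn", "UserId": "a.user@example.ca", "Parameters": []},
    {"Operation": "New-InboxRule", "UserId": "a.user@example.ca", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectOrBodyContainsWords", "Value": "direct deposit;bank"},
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "b.user@example.ca", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "SubjectContainsWords", "Value": "newsletter"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "c.user@example.ca", "Parameters": [
        {"Name": "Name", "Value": "HR"},
        {"Name": "BodyContainsWords", "Value": "Bank"},
        {"Name": "DeleteMessage", "Value": "True"}]},
]

@dataclass
class Finding:
    user: str
    rule_name: str
    keywords: list  # matched condition words, lower-cased and sorted
    actions: list   # hiding actions present on the rule, sorted

def parse_parameters(record):
    """Flatten the Parameters array of an audit record into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def find_hiding_rules(records):
    """Return one Finding per rule that both matches payroll words and hides the mail."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = parse_parameters(rec)
        words = []
        for cond in CONDITION_PARAMS:  # condition values are ';'-separated word lists
            if cond in params:
                words.extend(w.strip().lower() for w in str(params[cond]).split(";"))
        hits = sorted({w for w in words if any(k in w for k in SUSPECT_KEYWORDS)})
        actions = sorted(a for a in HIDING_ACTIONS
                         if a in params and str(params[a]) not in ("False", ""))
        if hits and actions:  # keyword match alone is not enough; the rule must also conceal
            findings.append(Finding(rec["UserId"], params.get("Name", "<unnamed>"), hits, actions))
    return findings
```

Run the same function over a real export of New-InboxRule / Set-InboxRule events to surface rules worth reviewing alongside the session revocation steps the article lists.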
The campaign also fits a broader shift in financially motivated cybercrime, where identity abuse and business workflow manipulation are proving just as dangerous as malware. Verizon’s 2025 Data Breach Investigations Report said compromised credentials were the initial access vector in 22% of breaches it reviewed, underlining how valuable stolen log-ins remain to attackers. Microsoft’s own reporting shows Storm-2755 is not an isolated case: in October 2025 it disclosed a related “payroll pirate” campaign, tracked as Storm-2657, that targeted employees at US universities and used hijacked accounts to tamper with payroll information in Workday environments.
That continuity matters because it suggests payroll diversion is becoming an operational model rather than a one-off scam. In the earlier university campaign, Microsoft said attackers harvested MFA codes through phishing and then created inbox rules to suppress warning emails while they modified salary-payment settings. The newly disclosed Canada-focused operation points to a refinement of the method: broader targeting, search-engine manipulation instead of narrowly tailored lures, and token replay that allows the attacker to blend into normal cloud activity.
For employers, the lesson is as much procedural as technical. Payroll systems and HR teams remain vulnerable when a request to change banking details can be actioned on the strength of an email, a session or a self-service portal alone. Microsoft’s guidance is to revoke compromised sessions and tokens immediately, remove malicious inbox rules, reset credentials and MFA methods for affected users, block legacy authentication and enforce phishing-resistant MFA. CISA has likewise promoted phishing-resistant authentication as the stronger answer to account-takeover campaigns that can sidestep older MFA methods.