
Canadian workers targeted in 'payroll pirate' attacks

A financially motivated threat actor tracked as Storm-2755 stole the paychecks of Canadian workers after hijacking their Microsoft 365 accounts in a phishing campaign.

The attackers stole victims' authentication tokens and session cookies with fake Microsoft 365 login pages: victims were sent to attacker-controlled domains (e.g. bluegraintours[.]com) hosting malicious pages that masqueraded as Microsoft 365 login forms and had been pushed to the top of search engine results through SEO poisoning.

This allowed Storm-2755 to bypass multifactor authentication (MFA) in an adversary-in-the-middle (AiTM) attack: instead of re-authenticating, the attacker simply replayed the stolen session tokens.


“Instead of harvesting only usernames and passwords, AiTM frameworks proxy the entire authentication flow in real-time, enabling session cookies and OAuth access tokens to be removed from successful authentication,” explains Microsoft.

“Because these tokens represent a fully authenticated session, malicious actors can re-use them to gain access to Microsoft services without credentialing or MFA, effectively bypassing legacy MFA protections that are not designed to resist phishing.”

Storm-2755 attack flow (Microsoft)

After gaining access to the employee's account, the attacker created inbox rules that automatically moved messages from human resources staff containing the words "direct deposit" or "bank" into hidden folders, so the victim would not see the correspondence.
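The inbox rules described above leave a trail in the Microsoft 365 Unified Audit Log as New-InboxRule and Set-InboxRule operations. The following hunting script is an added example, not code from the article or from Microsoft: it scans audit records for rules whose conditions reference payroll or HR terms and whose actions would keep the mailbox owner from seeing the mail (delete, mark as read, or move into a rarely checked folder). The record shape is modelled loosely on Unified Audit Log entries, but the sample records, the user names, IP addresses and the list of "hidden" folders are constructed assumptions; the article does not name the folders the attacker used.

```python
"""Hunt Exchange Online audit records for inbox rules that hide HR/payroll mail.

Added example (not the article's or Microsoft's code). Record layout follows the
Unified Audit Log's New-InboxRule / Set-InboxRule entries loosely; all sample
data below is constructed.
"""
import json
import re

# Terms the article reports the attacker filtered on or searched for.
PAYROLL_TERMS = ("direct deposit", "bank", "payroll", "hr", "finance")

# Rule parameters that carry a condition the terms can appear in.
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords", "From")

# Folders users rarely look at (assumption; extend to match your tenant's conventions).
SUSPICIOUS_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items",
                      "junk email", "conversation history"}

# Constructed sample records in the shape the audit log exports (one JSON object each).
SAMPLE_RECORDS = [
    r'''{"CreationTime":"2025-11-03T14:12:09","Operation":"New-InboxRule","UserId":"victim@contoso.example","ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"."},{"Name":"From","Value":"hr@contoso.example"},{"Name":"SubjectOrBodyContainsWords","Value":"direct deposit;bank"},{"Name":"MoveToFolder","Value":"victim@contoso.example:\\RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}''',
    r'''{"CreationTime":"2025-11-03T15:01:44","Operation":"New-InboxRule","UserId":"alice@contoso.example","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Vendor news"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"alice@contoso.example:\\Newsletters"}]}''',
    r'''{"CreationTime":"2025-11-04T09:30:02","Operation":"Set-InboxRule","UserId":"bob@contoso.example","ClientIP":"203.0.113.45","Parameters":[{"Name":"Identity","Value":"Cleanup"},{"Name":"SubjectContainsWords","Value":"payroll"},{"Name":"DeleteMessage","Value":"True"}]}''',
    r'''{"CreationTime":"2025-11-04T10:15:37","Operation":"New-InboxRule","UserId":"carol@contoso.example","ClientIP":"198.51.100.9","Parameters":[{"Name":"Name","Value":"Bank statements"},{"Name":"SubjectContainsWords","Value":"bank statement"},{"Name":"MoveToFolder","Value":"carol@contoso.example:\\Bank statements"}]}''',
    r'''{"CreationTime":"2025-11-04T10:20:00","Operation":"MailItemsAccessed","UserId":"carol@contoso.example","ClientIP":"198.51.100.9"}''',
]


def _params(record):
    """Flatten the record's Parameters array into a {Name: Value} dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _payroll_terms(text):
    """Return the payroll terms found in text as whole words (avoids 'hr' in 'throughput')."""
    text = text.lower()
    return [t for t in PAYROLL_TERMS if re.search(r"\b" + re.escape(t) + r"\b", text)]


def classify_rule(record):
    """Return (is_suspicious, reasons) for one audit record.

    A rule is suspicious only when BOTH hold: a condition references a payroll
    term, and an action hides the matching mail from the mailbox owner.
    """
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False, []
    p = _params(record)
    reasons = []
    for name in KEYWORD_PARAMS:
        hits = _payroll_terms(p.get(name, ""))
        if hits:
            reasons.append(f"{name} matches {hits}")
    if not reasons:
        return False, []
    hides = []
    if p.get("DeleteMessage") == "True":
        hides.append("DeleteMessage")
    if p.get("MarkAsRead") == "True":
        hides.append("MarkAsRead")
    folder = p.get("MoveToFolder", "")
    # Audit data writes folders as "user@domain:\Folder"; keep only the last path segment.
    if folder.split("\\")[-1].lower() in SUSPICIOUS_FOLDERS:
        hides.append(f"MoveToFolder={folder}")
    if not hides:
        return False, []
    return True, reasons + hides


def hunt(raw_records):
    """Parse raw JSON audit records and return one finding per suspicious rule."""
    findings = []
    for raw in raw_records:
        rec = json.loads(raw)
        suspicious, reasons = classify_rule(rec)
        if suspicious:
            p = _params(rec)
            findings.append({
                "user": rec.get("UserId"),
                "client_ip": rec.get("ClientIP"),
                "operation": rec["Operation"],
                "rule": p.get("Name") or p.get("Identity"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"{f['user']} rule {f['rule']!r} from {f['client_ip']}: {', '.join(f['reasons'])}")
```

Carol's "Bank statements" rule shows why the two conditions are combined: it matches a payroll term but files mail somewhere she will see it, so it is not reported, while the attacker's rule named "." (a common trick to make the rule inconspicuous) and Bob's delete rule are. In a real hunt, also pivot on the ClientIP shared across victims, which here is the same address creating rules in two different mailboxes.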

In the next phase, the attacker searched the mailbox for "payroll," "HR," "direct deposit," and "finance," then emailed human resources staff with the subject line "Question about direct deposit" to trick them into updating the victim's bank account details.

When social engineering failed, the attacker used the hijacked session to log directly into HR platforms such as Workday and change the direct deposit information themselves.

Storm-2755 emailing HR staff (Microsoft)

To strengthen defenses against AiTM and payroll pirate attacks, Microsoft advises defenders to block legacy authentication protocols and move to phishing-resistant MFA.

If signs of compromise are detected, defenders should immediately revoke the compromised tokens and sessions, remove malicious inbox rules, and reset MFA methods and credentials for all affected accounts.

In October, Microsoft disrupted another payroll hijacking campaign targeting Workday accounts that had been active since March 2025, in which a gang tracked as Storm-2657 targeted university employees across the United States to hijack their paychecks.

In that campaign, Storm-2657 compromised target accounts with phishing emails and captured MFA codes using AiTM tactics, which let the threat actors take over victims' Exchange Online accounts.

Payroll scams are a variant of business email compromise (BEC) fraud, which targets businesses and individuals who regularly make wire transfers. Last year, the FBI's Internet Crime Complaint Center (IC3) recorded more than 24,000 BEC complaints, with losses exceeding $3 billion, making BEC the second costliest category of cybercrime after investment fraud.

