Storm-2755 Payroll Attacks Hit Canadian Employees
Summary
Microsoft has detailed a financially motivated Storm-2755 campaign targeting Canadian employees with payroll diversion attacks. The threat actor used SEO poisoning, malvertising, and adversary-in-the-middle techniques to steal sessions, bypass legacy MFA, and alter direct deposit details, making phishing-resistant MFA and session monitoring critical defenses.
Introduction
Microsoft Incident Response has published new findings on Storm-2755, a threat actor running so-called payroll pirate attacks against Canadian users. For IT and security teams, this campaign is notable because it combines SEO poisoning, malvertising, and adversary-in-the-middle (AiTM) phishing to hijack authenticated sessions and redirect employee salary payments.
This matters beyond Canada: the tradecraft can be reused against any organization that relies on Microsoft 365 and online HR or payroll platforms.
What’s new
Microsoft says Storm-2755 used a distinct attack chain focused on broad geographic targeting of Canadian users, rather than a single industry.
Key techniques observed
- SEO poisoning and malvertising pushed victims to attacker-controlled domains when they searched for terms such as “Office 365”, including common misspellings of it.
- Victims were sent to a fake Microsoft 365 sign-in page designed to steal credentials and session tokens.
- The actor used AiTM techniques to capture session cookies and OAuth tokens, allowing them to bypass MFA methods that are not phishing-resistant (for example SMS codes, one-time passcodes, or push approvals): the proxy relays the full login flow, including the MFA step, and then reuses the resulting authenticated session.
- Microsoft observed suspicious sign-ins carrying an “axios/1.7.9” user-agent string and linked the flow to known abuse of the Axios HTTP client, including concerns around CVE-2025-27152.
- After access, Storm-2755 searched for payroll and HR-related resources, then impersonated employees with emails such as “Question about direct deposit.”
- In some cases, the actor also created inbox rules to hide messages containing terms like “direct deposit” or “bank.”
Impact on administrators and organizations
The most immediate risk is direct financial loss. Once an account is compromised, the attacker can use legitimate sessions to blend into normal business activity, making detection harder.
Admins should also note that traditional MFA is not always enough against token theft. Because AiTM attacks replay authenticated sessions, organizations relying on legacy MFA methods may still be exposed.
What IT teams should do next
Microsoft recommends prioritizing mitigations that reduce token replay and phishing success.
Action items
- Deploy phishing-resistant MFA, such as FIDO2/WebAuthn.
- Review Entra ID sign-in logs for error code 50199 (an interrupt indicating that user confirmation was required), sessions that continue from a new IP address or client after the interactive sign-in, and sign-ins with an Axios user-agent.
- Monitor for repeated non-interactive sign-ins to apps like OfficeHome, Outlook, My Sign-Ins, and My Profile.
- Audit inbox rules for keywords related to banking or direct deposit.
- Investigate suspicious access to HR and payroll platforms such as Workday.
- Revoke active session tokens and reset credentials for suspected compromised accounts.
- Educate users about search-result phishing and fake Microsoft 365 login pages.
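The following triage script works through the log-review items above, using the sign-in indicators from the key techniques list (Axios user-agent, error 50199, repeated non-interactive sign-ins to OfficeHome and the My Sign-Ins/My Profile apps, token use from an IP that never signed in interactively) and the inbox-rule audit. It is an added example, not code from Microsoft or from this page. It assumes records shaped like the Microsoft Graph signIn and messageRule resources; the sample events and rules embedded in it are constructed for illustration, and the forwardTo check is an assumption beyond what the page describes.

```python
"""Triage helpers for the Storm-2755 indicators listed above.

Added example, not Microsoft's or this page's own code. Records are assumed to
follow the Microsoft Graph `signIn` and `messageRule` resource shapes (as
exported from the Entra admin center or pulled via Graph); the sample events
and rules below are constructed for illustration.
"""
import re
from collections import defaultdict

# Indicators named in the write-up.
AXIOS_UA = re.compile(r"\baxios/\d", re.IGNORECASE)
INTERRUPT_ERROR = 50199          # Entra interrupt: user confirmation required
REPLAY_APPS = {"OfficeHome", "Outlook", "My Signins", "My Profile"}
PAYROLL_TERMS = re.compile(r"direct\s*deposit|\bbank|payroll", re.IGNORECASE)
# messageRuleActions that hide or divert mail. forwardTo is an assumption: the
# page only describes hiding rules, but forwarding is worth checking as well.
SUSPECT_ACTIONS = ("moveToFolder", "delete", "markAsRead", "forwardTo")

CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/130.0"

# Constructed sample sign-in events (field names follow the Graph signIn resource).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.com", "isInteractive": True, "userAgent": CHROME,
     "ipAddress": "203.0.113.10", "appDisplayName": "OfficeHome", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.com", "isInteractive": False, "userAgent": "axios/1.7.9",
     "ipAddress": "198.51.100.7", "appDisplayName": "OfficeHome", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.com", "isInteractive": False, "userAgent": "axios/1.7.9",
     "ipAddress": "198.51.100.7", "appDisplayName": "My Signins", "status": {"errorCode": 50199}},
    {"userPrincipalName": "alice@contoso.com", "isInteractive": False, "userAgent": "axios/1.7.9",
     "ipAddress": "198.51.100.7", "appDisplayName": "My Profile", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.com", "isInteractive": True, "userAgent": CHROME,
     "ipAddress": "203.0.113.22", "appDisplayName": "Outlook", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.com", "isInteractive": False, "userAgent": CHROME,
     "ipAddress": "203.0.113.22", "appDisplayName": "Outlook", "status": {"errorCode": 0}},
]

# Constructed sample inbox rules (field names follow the Graph messageRule resource).
SAMPLE_RULES = [
    {"displayName": "Cleanup",
     "conditions": {"bodyOrSubjectContains": ["direct deposit", "bank"]},
     "actions": {"moveToFolder": "folder-id-1", "markAsRead": True}},
    {"displayName": "Newsletters",
     "conditions": {"subjectContains": ["digest"]},
     "actions": {"moveToFolder": "folder-id-2"}},
]


def flag_signins(events, min_noninteractive=3):
    """Group sign-ins by user; return {upn: [reasons]} for users matching the indicators."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["userPrincipalName"]].append(e)

    findings = {}
    for upn, evs in by_user.items():
        reasons = []
        if any(AXIOS_UA.search(e.get("userAgent") or "") for e in evs):
            reasons.append("axios user-agent")
        if any((e.get("status") or {}).get("errorCode") == INTERRUPT_ERROR for e in evs):
            reasons.append("error 50199 interrupt")
        replay = [e for e in evs
                  if not e.get("isInteractive", True) and e.get("appDisplayName") in REPLAY_APPS]
        if len(replay) >= min_noninteractive:
            apps = sorted({e["appDisplayName"] for e in replay})
            reasons.append(f"{len(replay)} non-interactive sign-ins to {', '.join(apps)}")
        # Session continuity: a token used non-interactively from an IP that never
        # performed an interactive sign-in suggests a replayed session.
        interactive_ips = {e.get("ipAddress") for e in evs if e.get("isInteractive", True)}
        replay_ips = {e.get("ipAddress") for e in evs if not e.get("isInteractive", True)}
        new_ips = sorted(replay_ips - interactive_ips)
        if new_ips:
            reasons.append(f"non-interactive use from IPs never seen interactively: {', '.join(new_ips)}")
        if reasons:
            findings[upn] = reasons
    return findings


def audit_inbox_rules(rules):
    """Return rules whose conditions match payroll/banking terms and whose actions hide or divert mail."""
    hits = []
    for rule in rules:
        conditions = rule.get("conditions") or {}
        terms = [t for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
                 for t in (conditions.get(key) or []) if PAYROLL_TERMS.search(t)]
        actions = rule.get("actions") or {}
        suspect = [a for a in SUSPECT_ACTIONS if actions.get(a)]
        if terms and suspect:
            hits.append({"rule": rule.get("displayName"), "terms": terms, "actions": suspect})
    return hits


if __name__ == "__main__":
    for upn, reasons in flag_signins(SAMPLE_SIGNINS).items():
        print(upn, "->", "; ".join(reasons))
    for hit in audit_inbox_rules(SAMPLE_RULES):
        print("inbox rule", hit["rule"], "matches", hit["terms"], "with actions", hit["actions"])
```

Run as-is it flags only alice, on all four indicators, and only the “Cleanup” rule. In practice, feed it the JSON from the Entra sign-in log export (or Graph `/auditLogs/signIns`) and the rules returned by Graph `/users/{id}/mailFolders/inbox/messageRules` for the users of interest; anyone it flags is a candidate for the credential reset and session revocation step in the list above. The thresholds and term list are starting points, not tuned detections.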
Bottom line
Storm-2755 shows how modern phishing campaigns are evolving from simple credential theft to session hijacking with real financial impact. Organizations using Microsoft 365 should review phishing-resistant authentication, strengthen monitoring for anomalous sign-in behavior, and coordinate security and HR teams on payroll change verification processes.