Security

Storm-2755 Payroll Attacks Hit Canadian Employees

3 min read

Summary

Microsoft has detailed a financially motivated Storm-2755 campaign targeting Canadian employees with payroll diversion attacks. The threat actor used SEO poisoning, malvertising, and adversary-in-the-middle techniques to steal sessions, bypass legacy MFA, and alter direct deposit details, making phishing-resistant MFA and session monitoring critical defenses.

Need help with Security?Talk to an Expert

Storm-2755 payroll attacks target Canadian employees

Introduction

Microsoft Incident Response has published new findings on Storm-2755, a threat actor running so-called payroll pirate attacks against Canadian users. For IT and security teams, this campaign is notable because it combines SEO poisoning, malvertising, and adversary-in-the-middle (AiTM) phishing to hijack authenticated sessions and redirect employee salary payments.

This matters beyond Canada: the tradecraft can be reused against any organization that relies on Microsoft 365 and online HR or payroll platforms.

What’s new

Microsoft says Storm-2755 used a distinct attack chain focused on broad geographic targeting of Canadian users, rather than a single industry.

Key techniques observed

  • SEO poisoning and malvertising pushed victims to attacker-controlled domains from searches like “Office 365” and similar misspellings.
  • Victims were sent to a fake Microsoft 365 sign-in page designed to steal credentials and session tokens.
  • The actor used AiTM techniques to capture session cookies and OAuth tokens, allowing them to bypass non-phishing-resistant MFA.
  • Microsoft observed suspicious Axios 1.7.9 user-agent activity and linked the flow to known Axios-related abuse, including CVE-2025-27152 concerns.
  • After access, Storm-2755 searched for payroll and HR-related resources, then impersonated employees with emails such as “Question about direct deposit.”
  • In some cases, the actor also created inbox rules to hide messages containing terms like “direct deposit” or “bank.”

Impact on administrators and organizations

The most immediate risk is direct financial loss. Once an account is compromised, the attacker can use legitimate sessions to blend into normal business activity, making detection harder.

Admins should also note that traditional MFA is not always enough against token theft. Because AiTM attacks replay authenticated sessions, organizations relying on legacy MFA methods may still be exposed.

What IT teams should do next

Microsoft recommends prioritizing mitigations that reduce token replay and phishing success.

Action items

  • Deploy phishing-resistant MFA, such as FIDO2/WebAuthn.
  • Review sign-in logs for error 50199, unusual session continuity, and Axios user-agent activity.
  • Monitor for repeated non-interactive sign-ins to apps like OfficeHome, Outlook, My Sign-Ins, and My Profile.
  • Audit inbox rules for keywords related to banking or direct deposit.
  • Investigate suspicious access to HR and payroll platforms such as Workday.
  • Revoke active session tokens and reset credentials for suspected compromised accounts.
  • Educate users about search-result phishing and fake Microsoft 365 login pages.

Bottom line

Storm-2755 shows how modern phishing campaigns are evolving from simple credential theft to session hijacking with real financial impact. Organizations using Microsoft 365 should review phishing-resistant authentication, strengthen monitoring for anomalous sign-in behavior, and coordinate security and HR teams on payroll change verification processes.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

Storm-2755AiTM phishingMicrosoft 365payroll fraudMFA

Related Posts

Security

Microsoft SFI AI Hardens Cloud Security at Scale

Microsoft detailed an internal multi-agent AI system built under its Secure Future Initiative (SFI) to proactively evaluate and harden live cloud services. The approach speeds up deep security analysis from weeks to hours by correlating code, identity, network, configuration, and runtime signals to uncover composite risks that single-tool reviews can miss.

Security

Cloud Security Posture Management Trends for 2026

Frost & Sullivan’s 2025 Frost Radar shows cloud security posture management is shifting from periodic compliance checks to continuous, risk-based governance within CNAPP platforms. For IT and security teams, the key takeaway is clear: prioritize tools that unify posture, identity, workload, and data signals to reduce risk faster across multicloud environments.

Security

Microsoft CSP Security: New Partner Ecosystem Protections

Microsoft outlined how it is strengthening security across its Cloud Solution Provider ecosystem to reduce partner-led attacks on customer environments. The update focuses on tighter partner vetting, mandatory tenant security requirements, least-privilege access through GDAP, and stronger monitoring and response capabilities.

Security

Microsoft Frost Radar 2026: Cloud Runtime Security

Microsoft has been named a leader in Frost & Sullivan’s 2026 Frost Radar for Cloud/Application Runtime Security, highlighting its unified approach to cloud and application risk reduction. The recognition matters to security teams because it reflects a broader market shift toward prioritizing exploitable attack paths across code, cloud, runtime, identity, and SOC workflows.

Security

Quantum-Safe Security: Microsoft Targets 2029

Microsoft is accelerating its quantum-safe security roadmap and now aims to transition critical products and services to post-quantum cryptography by 2029. The update matters because IT teams need to start cryptographic inventory, crypto-agility planning, and TLS 1.3 modernization sooner as the risk timeline for quantum attacks moves closer.

Security

Securing AI Agents: MCP Tool Poisoning Risks

Microsoft Incident Response warns that as AI agents move from reading content to taking actions, poisoned Model Context Protocol (MCP) tool metadata can silently redirect agent behavior and expose sensitive data. The guidance outlines how to detect, contain, and prevent this emerging supply chain risk using controls across Copilot Studio, Entra, Purview, Defender, and Sentinel.