In a concerning development within the digital security landscape, a group of hackers has been identified leveraging adversary-in-the-middle (AiTM) session hijacking tactics to orchestrate a campaign referred to as “payroll pirates.” This campaign, monitored closely by Microsoft under the codename Storm-2755, is primarily targeting Canadian employees and aims to misappropriate their salaries through sophisticated methods.
By exploiting live Microsoft 365 sessions, the attackers redirect payroll deposits into bank accounts controlled by them. Notably, their strategies allow them to bypass multifactor authentication (MFA), enabling them to blend seamlessly into regular user activities. The ultimate objective of this malicious group is to modify payroll and human resources records, enabling the covert rerouting of salaries to accounts that are entirely under their control. This malicious act could result in significant financial ramifications for both the impacted employees and their employers.
Unlike traditional cybercriminal approaches that often focus on specific sectors, Storm-2755 employs broader tactics, relying on malvertising and Search Engine Optimization (SEO) poisoning to attract unsuspecting users. By targeting general queries, such as those related to “Office 365” or even common typographical errors like “Office 265,” they aim to ensnare as many potential victims as possible.
According to the Microsoft Incident Response Detection and Response Team (DART), Storm-2755 is a financially motivated actor that targets Canadian employees broadly rather than specific industries or organizations. Its tactics include promoting compromised domains (bluegraintours[.]com is the one named) so that these malicious sites appear at the top of search results, luring users to a counterfeit Microsoft 365 sign-in page designed to mimic the official portal.
Once a user enters corporate credentials on the spoofed page, the attackers capture both the password and the session tokens in real time. Sign-in logs for compromised accounts frequently show error code 50199 (a sign-in interrupt) immediately before the account takeover, followed by continued activity under the same session ID but a different user agent, Axios 1.7.9. Because the existing session simply continues rather than a fresh login taking place, this pattern indicates token replay, the hallmark of an AiTM attack.
In an AiTM attack the adversary sits between the user and the cloud service, capturing session cookies and OAuth access tokens that represent fully authenticated sessions. Since these tokens have already passed authentication, the attackers can use them to access Microsoft 365 services without the original credentials, which sidesteps standard MFA, particularly MFA methods that are not phishing-resistant.
Once inside the victim's Microsoft 365 environment, Storm-2755 uses Axios 1.7.9 as its HTTP client to replay the stolen tokens quietly. This access recurs at intervals of roughly thirty minutes, letting the attackers maintain a presence without alerting the user or IT security teams. The hijacked tokens remain usable for approximately thirty days unless cut short by expiration, rotation, or a policy change. During this window the attackers can reach services including Outlook, user profiles, and HR platforms.
In an alarming escalation, some victims have reported that Storm-2755 changes their passwords and MFA settings to maintain prolonged access, even after the original session tokens expire. As the threat actors burrow deeper, they conduct focused searches across intranet portals, SharePoint, and email inboxes for terms such as “payroll,” “finance,” and “HR” to identify payment workflows.
The hackers often pose as legitimate employees, sending fabricated emails to HR or finance departments with subject lines like “Question about direct deposit” and requesting modifications to bank details. In stark cases where social engineering strategies fail, they pivot directly into Software as a Service (SaaS) platforms like Workday, using their hijacked sessions to manually change banking information. Reports confirm that Storm-2755 was able to reroute a victim’s paycheck successfully to an account owned by the attackers, causing the employee to realize the fraud only after missing a salary payment.
To conceal their activities, the attackers create inbox rules that move emails containing keywords such as “direct deposit” or “bank” into hidden folders, so that victims never see HR responses about the account changes. They also refresh the stolen sessions on a schedule, typically around 5:00 AM in the targeted user's time zone, to reduce the chance that a legitimate login invalidates their access.
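The concealment rules described above are a hunt target in their own right. The following script is an added example, not a Microsoft or article-supplied tool: it scores mailbox rules by whether their conditions match finance terms and whether their actions hide or delete the matching mail. The rule layout loosely mirrors the displayName / conditions / actions shape of a mailbox rule export, but the exact field names, the term list, the folder list and the sample rules are all constructed assumptions; map your own export's fields onto them.

```python
"""Score mailbox inbox rules for the HR-response concealment pattern.

Added illustration, not the page's or Microsoft's own tooling. Field names,
keyword lists and sample rules are assumptions constructed for this example.
"""

# Assumption: terms a payroll-fraud rule would filter on.
SUSPICIOUS_TERMS = ("direct deposit", "bank", "payroll", "routing")

# Assumption: folders users rarely open, so mail moved there stays unseen.
LOW_VISIBILITY_FOLDERS = {
    "rss subscriptions", "rss feeds", "conversation history",
    "archive", "deleted items", "junk email",
}

# Constructed sample rules (not from any real mailbox).
SAMPLE_RULES = [
    {"mailbox": "alice@example.ca", "displayName": ".",
     "conditions": {"subjectContains": ["direct deposit"], "bodyContains": ["bank"]},
     "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True}},
    {"mailbox": "alice@example.ca", "displayName": "Newsletters",
     "conditions": {"senderContains": ["news@example.org"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"mailbox": "carol@example.ca", "displayName": "cleanup",
     "conditions": {"bodyContains": ["payroll"]},
     "actions": {"delete": True}},
]


def finance_terms_in(conditions):
    """Return the suspicious terms that appear in the rule's text conditions."""
    words = []
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
        words.extend(w.lower() for w in conditions.get(key, []))
    return sorted({t for t in SUSPICIOUS_TERMS if any(t in w for w in words)})


def score_rule(rule):
    """Return (score, reasons); higher means more like a concealment rule."""
    score, reasons = 0, []
    terms = finance_terms_in(rule.get("conditions", {}))
    if terms:
        score += 2
        reasons.append(f"matches finance terms {terms}")
    actions = rule.get("actions", {})
    folder = (actions.get("moveToFolder") or "").lower()
    if actions.get("delete"):
        score += 2
        reasons.append("deletes matching mail")
    elif folder in LOW_VISIBILITY_FOLDERS:
        score += 2
        reasons.append(f"moves mail to low-visibility folder '{actions['moveToFolder']}'")
    elif folder:
        score += 1
        reasons.append(f"moves mail to '{actions['moveToFolder']}'")
    if actions.get("markAsRead"):
        score += 1
        reasons.append("marks matching mail as read")
    if len(rule.get("displayName", "").strip()) <= 2:
        score += 1
        reasons.append("near-empty rule name")
    return score, reasons


def suspicious_rules(rules, threshold=3):
    """Return (mailbox, name, score, reasons) for rules at or above the threshold."""
    hits = []
    for rule in rules:
        score, reasons = score_rule(rule)
        if score >= threshold:
            hits.append((rule["mailbox"], rule["displayName"], score, reasons))
    return hits


if __name__ == "__main__":
    for mailbox, name, score, reasons in suspicious_rules(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r} score={score}: {'; '.join(reasons)}")
```

A rule that merely files newsletters scores 1 and is ignored; a rule that matches “direct deposit” and parks the message in RSS Subscriptions, already read, scores 6 and surfaces first. Threshold 3 is deliberately low because keyword matches on finance terms combined with any hiding action are rare in legitimate rules.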
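The sign-in indicators described earlier (a 50199 interrupt followed by the same session ID continuing under an Axios user agent) and the monitoring advice here can be turned into a simple hunt over exported sign-in records. The script below is an added example, not Microsoft's or the article's own detection logic. Its record schema (the user, time, sessionId, errorCode, userAgent and app keys), the replay window and the sample records are constructed assumptions; align the keys with your own sign-in log export before use.

```python
"""Hunt sign-in records for AiTM token-replay indicators.

Added illustration, not the page's or Microsoft's own detection. The record
field names, the window and the sample data below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERRUPT_CODE = 50199                   # sign-in interrupt seen before takeover
REPLAY_WINDOW = timedelta(minutes=10)    # assumption: how soon a replay follows
SCRIPTED_UA_MARKERS = ("axios",)         # assumption: scripted-client substrings

# Constructed sample records (not real telemetry); times are UTC.
SAMPLE_SIGNINS = [
    {"user": "alice@example.ca", "time": "2025-06-02T13:00:05Z", "sessionId": "S-1",
     "errorCode": 50199, "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0",
     "app": "OfficeHome"},
    {"user": "alice@example.ca", "time": "2025-06-02T13:00:41Z", "sessionId": "S-1",
     "errorCode": 0, "userAgent": "axios/1.7.9", "app": "OfficeHome"},
    {"user": "alice@example.ca", "time": "2025-06-02T13:31:02Z", "sessionId": "S-1",
     "errorCode": 0, "userAgent": "axios/1.7.9", "app": "OfficeHome"},
    # Benign: an interrupt followed by the same browser finishing the sign-in.
    {"user": "bob@example.ca", "time": "2025-06-02T14:10:00Z", "sessionId": "S-2",
     "errorCode": 50199, "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0",
     "app": "OfficeHome"},
    {"user": "bob@example.ca", "time": "2025-06-02T14:10:30Z", "sessionId": "S-2",
     "errorCode": 0, "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0",
     "app": "OfficeHome"},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_scripted(user_agent):
    ua = user_agent.lower()
    return any(marker in ua for marker in SCRIPTED_UA_MARKERS)


def find_token_replay(records):
    """Flag an interrupt that is followed, within the window, by a successful
    sign-in reusing the same session ID under a different user agent."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda r: parse_time(r["time"]))
        for i, interrupt in enumerate(events):
            if interrupt["errorCode"] != INTERRUPT_CODE:
                continue
            t0 = parse_time(interrupt["time"])
            for later in events[i + 1:]:
                if parse_time(later["time"]) - t0 > REPLAY_WINDOW:
                    break
                if (later["errorCode"] == 0
                        and later["sessionId"] == interrupt["sessionId"]
                        and later["userAgent"] != interrupt["userAgent"]):
                    findings.append({"user": user, "sessionId": interrupt["sessionId"],
                                     "interruptAt": interrupt["time"],
                                     "replayAt": later["time"],
                                     "replayUserAgent": later["userAgent"]})
                    break
    return findings


def find_scripted_office_access(records):
    """Successful OfficeHome sign-ins from a scripted HTTP client such as Axios."""
    return [(r["user"], r["time"], r["userAgent"]) for r in records
            if r["errorCode"] == 0 and r["app"] == "OfficeHome"
            and is_scripted(r["userAgent"])]


if __name__ == "__main__":
    for hit in find_token_replay(SAMPLE_SIGNINS):
        print("token replay:", hit)
    for hit in find_scripted_office_access(SAMPLE_SIGNINS):
        print("scripted client on OfficeHome:", hit)
```

The two checks are kept separate on purpose: the replay check needs the interrupt-then-continuation sequence and so has low noise, while the user-agent check is broader and will also catch legitimate automation, which is why it is best reviewed per user rather than alerted on blindly.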
Given the rising sophistication of cyber threats such as those posed by Storm-2755, organizations must remain vigilant and proactively implement robust security measures to safeguard both employee information and financial assets.

