
Microsoft AiTM payroll pirate attack mitigation

Advisory/Mitigation
Happening score: 39
1 unique source, 2 articles

Summary


Microsoft is urging defenders to harden Microsoft 365 and related HR workflows against AiTM-driven payroll theft by requiring phishing-resistant MFA, blocking legacy authentication protocols, and revoking compromised tokens and sessions. The guidance is meant to stop attackers from replaying stolen session cookies and OAuth access tokens to bypass reauthentication, reach Workday, and change salary or direct deposit details. Microsoft also says defenders should remove malicious inbox rules and reset MFA methods and credentials after compromise is suspected.
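The summary above lists the response and hardening steps but not what they look like in practice. The script below is an added example, not Microsoft's own script, showing one way to carry them out with the Microsoft Graph PowerShell SDK (Microsoft.Graph module): revoke the victim's sessions, strip inbox rules that hide HR or bank-change mail, enumerate registered MFA methods for cleanup, and create Conditional Access policies that block legacy authentication and require phishing-resistant MFA. It assumes the operator holds the listed scopes, `$Upn` is a placeholder for the affected account, and the payroll keyword list is this example's own guess at what a hiding rule would match; both Conditional Access policies are created in report-only state so that nothing is enforced before review.

```powershell
# Added example, not Microsoft's own script: post-compromise response and hardening
# for an account caught by an AiTM payroll pirate phish, via the Microsoft Graph
# PowerShell SDK (Microsoft.Graph module). Assumptions: the operator holds the
# scopes below, $Upn is a placeholder for the affected account, and the keyword
# list is this example's guess at what a payroll-hiding inbox rule would match.
param(
    [string]$Upn = "victim@contoso.example"   # placeholder account
)

$scopes = @(
    "User.ReadWrite.All",                      # revokeSignInSessions
    "MailboxSettings.ReadWrite",               # inbox (message) rules
    "UserAuthenticationMethod.ReadWrite.All",  # list/remove MFA methods
    "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"
)
Connect-MgGraph -Scopes $scopes

# 1. Revoke refresh tokens and browser sessions. Replayed session cookies and refresh
#    tokens stop working at their next refresh; an access token the attacker already
#    holds stays valid until it expires (about an hour by default), so keep watching.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 2. Remove inbox rules that hide HR or bank-change mail. A rule counts as suspicious
#    when a condition mentions payroll-type keywords and an action makes the message
#    disappear (delete, move, mark read) or leave the mailbox (forward, redirect).
$keywords = @("direct deposit", "payroll", "bank", "workday", "salary", "pay stub")
$pattern  = ($keywords | ForEach-Object { [regex]::Escape($_) }) -join "|"
$rules = Get-MgUserMailFolderMessageRule -UserId $Upn -MailFolderId "inbox"
foreach ($rule in $rules) {
    $c = $rule.Conditions
    $a = $rule.Actions
    $conditionText = @($c.SubjectContains; $c.BodyContains; $c.BodyOrSubjectContains; $c.SenderContains) -join " "
    $hides = [bool]$a.Delete -or [bool]$a.MoveToFolder -or [bool]$a.MarkAsRead -or
             [bool]$a.ForwardTo -or [bool]$a.ForwardAsAttachmentTo -or [bool]$a.RedirectTo
    if ($conditionText -match $pattern -and $hides) {
        Write-Host "Removing suspicious inbox rule '$($rule.DisplayName)' ($($rule.Id))"
        Remove-MgUserMailFolderMessageRule -UserId $Upn -MailFolderId "inbox" -MessageRuleId $rule.Id
    }
}

# 3. List registered MFA methods so any attacker-added ones can be removed with the
#    type-specific Remove-MgUserAuthentication*Method cmdlets, then force a password
#    reset through the usual process. The advisory asks for both after compromise.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{ n = "Type"; e = { $_.AdditionalProperties["@odata.type"] } }

# 4. Harden sign-in tenant-wide: block legacy authentication (which cannot carry MFA)
#    and require the built-in "Phishing-resistant MFA" authentication strength, which
#    allows only FIDO2 security keys and passkeys, Windows Hello for Business and
#    certificate-based authentication. Both policies start in report-only mode; add
#    break-glass accounts to excludeUsers and switch state to "enabled" after review.
$common = @{
    applications = @{ includeApplications = @("All") }
    users        = @{ includeUsers = @("All"); excludeUsers = @() }  # add break-glass IDs
}
$blockLegacy = @{
    displayName   = "Block legacy authentication (AiTM hardening)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $common + @{ clientAppTypes = @("exchangeActiveSync", "other") }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy | Out-Null

$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" }
if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' strength not found" }
$requireStrong = @{
    displayName   = "Require phishing-resistant MFA (AiTM hardening)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $common + @{ clientAppTypes = @("all") }
    grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $strength.Id } }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireStrong | Out-Null
```

Two practical caveats. Session revocation only invalidates refresh tokens and cookies at their next refresh, so an access token the attacker already replayed keeps working until it expires unless the resource supports continuous access evaluation; the inbox-rule and MFA-method cleanup therefore matters even after revocation. And the phishing-resistant policy is deliberately left in report-only state, because enforcing it for all users before FIDO2 or Windows Hello for Business is rolled out would lock out the very HR staff it is meant to protect.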

Related Happenings

Healthcare phishing defense guidance for VPN MFA and continuous training

Defensive Guidance
First: 22.05.2026 16:17 Last: 22.05.2026 16:17 Sources 1

About this happening: Healthcare defenders were urged to treat **phishing** as a top priority, which matters because social engineering is a direct path to **credential abuse** in clinical environments...

EvilTokens Microsoft 365 consent phishing campaign

Campaign
First: 19.05.2026 14:30 Last: 19.05.2026 14:30 Sources 1

About this happening: The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...

Tycoon2FA device-code phishing campaign targeting Microsoft 365

Campaign
First: 17.05.2026 17:43 Last: 17.05.2026 17:43 Sources 1

About this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...

Code of conduct-themed Microsoft AiTM phishing campaign

Campaign
First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...

BlackFile vishing extortion campaign targeting retail and hospitality organizations

Campaign
First: 24.04.2026 21:26 Last: 24.04.2026 21:26 Sources 1

About this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...

Timeline

  1. 10.04.2026 14:56 1 article · 1mo ago

    Storm-2755 uses AiTM to hijack Canadian payroll accounts

    Technical Analysis Update

    Microsoft says Storm-2755 is targeting Canadian employees in payroll pirate attacks. Victims are steered, via malvertising or SEO poisoning, to malicious Microsoft 365 sign-in pages hosted on domains such as bluegraintours[.]com. The adversary-in-the-middle page captures session cookies and OAuth access tokens, which the attackers replay to bypass MFA; they then hide HR emails about direct deposit or bank changes and, when needed, log into Workday to alter payroll details.

  2. 10.04.2026 14:56 3 articles · 1mo ago

    Microsoft advises phishing-resistant MFA and token revocation

    Mitigation Patch Update

    Microsoft advises defenders to block legacy authentication protocols and require phishing-resistant MFA, and, once compromise is suspected, to immediately revoke compromised tokens and sessions, remove malicious inbox rules, and reset MFA methods and credentials for the affected accounts, in order to reduce AiTM-driven payroll theft.
