Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft AiTM payroll pirate attack mitigation

Advisory/Mitigation
First reported
Last updated
Happening score
H score 34
1 unique sources, 2 articles

Summary

Hide ▲

Microsoft is urging defenders to harden Microsoft 365 and related HR workflows against AiTM-driven payroll theft by requiring phishing-resistant MFA, blocking legacy authentication protocols, and revoking compromised tokens and sessions. The guidance is meant to stop attackers from replaying stolen session cookies and OAuth access tokens to bypass reauthentication, reach Workday, and change salary or direct deposit details. Microsoft also says defenders should remove malicious inbox rules and reset MFA methods and credentials after compromise is suspected.

Related Happenings

Microsoft Azure CLI password-spray campaign using ROPC

Campaign
H score24 First: 01.07.2026 08:46 Last: 01.07.2026 08:46 Sources 1

About this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...

Signal Backup Recovery Key phishing mitigation

Advisory/Mitigation
H score25 First: 27.06.2026 01:06 Last: 27.06.2026 01:06 Sources 1

About this happening: The **FBI** and **CISA** updated mitigation guidance for **Signal users** after a phishing operation began targeting **Backup Recovery Keys**, which can expose **historical messag...

Service desk social engineering defenses tighten identity verification for password resets and MFA changes

Defensive Guidance
H score17 First: 24.06.2026 17:02 Last: 24.06.2026 17:02 Sources 1

About this happening: **Service desk identity verification** is being tightened against **social engineering attacks**, reducing impersonation-driven account takeover and unauthorized access across cor...

CISA FortiBleed mitigation guidance

Advisory/Mitigation
H score67 First: 19.06.2026 09:47 Last: 19.06.2026 09:47 Sources 1

About this happening: **CISA** issued mitigation guidance for **FortiBleed**, urging operators of **internet-accessible Fortinet devices** to harden exposed **FortiGate** and VPN environments after a *...

Healthcare phishing defense guidance for VPN MFA and continuous training

Defensive Guidance
H score16 First: 22.05.2026 16:17 Last: 22.05.2026 16:17 Sources 1

About this happening: Healthcare defenders were urged to treat **phishing** as a top priority, which matters because social engineering is a direct path to **credential abuse** in clinical environments...

Timeline

  1. 10.04.2026 14:56 1 articles · 3mo ago

    Storm-2755 uses AiTM to hijack Canadian payroll accounts

    Technical Analysis Update

    Microsoft says Storm-2755 is targeting Canadian employees in payroll pirate attacks by steering victims to malicious Microsoft 365 sign-in pages hosted on domains such as bluegraintours[.]com, using malvertising or SEO poisoning to promote the pages, stealing session cookies and OAuth access tokens, bypassing MFA through adversary-in-the-middle token replay, hiding HR emails about direct deposit or bank changes, and, when needed, logging into Workday to alter payroll details.

    Show sources
  2. 10.04.2026 14:56 3 articles · 3mo ago

    Microsoft advises phishing-resistant MFA and token revocation

    Mitigation Patch Update

    Microsoft advises defenders to block legacy authentication protocols, require phishing-resistant MFA, and immediately revoke compromised tokens and sessions, remove malicious inbox rules, and reset MFA methods and credentials for affected accounts to reduce AiTM-driven payroll theft.

    Show sources