Microsoft AiTM payroll pirate attack mitigation
Advisory/Mitigation
Summary
Hide ▲
Show ▼
Microsoft is urging defenders to harden Microsoft 365 and related HR workflows against AiTM-driven payroll theft by requiring phishing-resistant MFA, blocking legacy authentication protocols, and revoking compromised tokens and sessions. The guidance is meant to stop attackers from replaying stolen session cookies and OAuth access tokens to bypass reauthentication, reach Workday, and change salary or direct deposit details. Microsoft also says defenders should remove malicious inbox rules and reset MFA methods and credentials after compromise is suspected.
Related Happenings
Microsoft Azure CLI password-spray campaign using ROPC
Campaign
H score24
First: 01.07.2026 08:46
Last: 01.07.2026 08:46
Sources 1
About this happening:
A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Microsoft Azure CLI password-spray campaign using ROPC
CampaignAbout this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...
Signal Backup Recovery Key phishing mitigation
Advisory/Mitigation
H score25
First: 27.06.2026 01:06
Last: 27.06.2026 01:06
Sources 1
About this happening:
The **FBI** and **CISA** updated mitigation guidance for **Signal users** after a phishing operation began targeting **Backup Recovery Keys**, which can expose **historical messag...
Signal Backup Recovery Key phishing mitigation
Advisory/MitigationAbout this happening: The **FBI** and **CISA** updated mitigation guidance for **Signal users** after a phishing operation began targeting **Backup Recovery Keys**, which can expose **historical messag...
Service desk social engineering defenses tighten identity verification for password resets and MFA changes
Defensive Guidance
H score17
First: 24.06.2026 17:02
Last: 24.06.2026 17:02
Sources 1
About this happening:
**Service desk identity verification** is being tightened against **social engineering attacks**, reducing impersonation-driven account takeover and unauthorized access across cor...
Service desk social engineering defenses tighten identity verification for password resets and MFA changes
Defensive GuidanceAbout this happening: **Service desk identity verification** is being tightened against **social engineering attacks**, reducing impersonation-driven account takeover and unauthorized access across cor...
CISA FortiBleed mitigation guidance
Advisory/Mitigation
H score67
First: 19.06.2026 09:47
Last: 19.06.2026 09:47
Sources 1
About this happening:
**CISA** issued mitigation guidance for **FortiBleed**, urging operators of **internet-accessible Fortinet devices** to harden exposed **FortiGate** and VPN environments after a *...
CISA FortiBleed mitigation guidance
Advisory/MitigationAbout this happening: **CISA** issued mitigation guidance for **FortiBleed**, urging operators of **internet-accessible Fortinet devices** to harden exposed **FortiGate** and VPN environments after a *...
Healthcare phishing defense guidance for VPN MFA and continuous training
Defensive Guidance
H score16
First: 22.05.2026 16:17
Last: 22.05.2026 16:17
Sources 1
About this happening:
Healthcare defenders were urged to treat **phishing** as a top priority, which matters because social engineering is a direct path to **credential abuse** in clinical environments...
Healthcare phishing defense guidance for VPN MFA and continuous training
Defensive GuidanceAbout this happening: Healthcare defenders were urged to treat **phishing** as a top priority, which matters because social engineering is a direct path to **credential abuse** in clinical environments...
Timeline
-
10.04.2026 14:56 1 articles · 3mo ago
Storm-2755 uses AiTM to hijack Canadian payroll accounts
Technical Analysis UpdateMicrosoft says Storm-2755 is targeting Canadian employees in payroll pirate attacks by steering victims to malicious Microsoft 365 sign-in pages hosted on domains such as bluegraintours[.]com, using malvertising or SEO poisoning to promote the pages, stealing session cookies and OAuth access tokens, bypassing MFA through adversary-in-the-middle token replay, hiding HR emails about direct deposit or bank changes, and, when needed, logging into Workday to alter payroll details.
Show sources
- Microsoft: Canadian employees targeted in payroll pirate attacks — www.bleepingcomputer.com — 10.04.2026 14:56
-
10.04.2026 14:56 3 articles · 3mo ago
Microsoft advises phishing-resistant MFA and token revocation
Mitigation Patch UpdateMicrosoft advises defenders to block legacy authentication protocols, require phishing-resistant MFA, and immediately revoke compromised tokens and sessions, remove malicious inbox rules, and reset MFA methods and credentials for affected accounts to reduce AiTM-driven payroll theft.
Show sources
- Microsoft: Canadian employees targeted in payroll pirate attacks — www.bleepingcomputer.com — 10.04.2026 14:56
- Microsoft: Canadian employees targeted in payroll pirate attacks — www.bleepingcomputer.com — 10.04.2026 14:56
- Microsoft: Hackers target universities in “payroll pirate” attacks — www.bleepingcomputer.com — 09.10.2025 22:38