
Storm-2755 conducts AiTM payroll pirate attacks against Canadian Microsoft 365 accounts

1 unique source, 1 article

Summary


A financially motivated threat actor named Storm-2755 has compromised Canadian employee accounts via adversary-in-the-middle (AiTM) phishing to intercept and divert salary payments in a payroll pirate campaign. The attackers hijacked Microsoft 365 sessions by stealing authentication tokens and session cookies through malicious sign-in pages hosted on SEO-poisoned or malvertised domains, thereby bypassing MFA protections. Once inside victim mailboxes, Storm-2755 created stealthy inbox rules to hide HR correspondence, then contacted HR staff to update direct deposit details or directly modified payroll systems such as Workday to reroute payments. The campaign highlights ongoing abuse of legacy authentication and non-phishing-resistant MFA in enterprise environments.

Timeline

  1. 10.04.2026 14:56 · 1 article

    Storm-2755 AiTM payroll pirate attacks detected targeting Canadian organizations

    Financially motivated threat actor Storm-2755 compromised Microsoft 365 accounts via adversary-in-the-middle (AiTM) phishing to steal session tokens and bypass MFA protections. After account takeover, attackers created stealthy inbox rules to hide HR correspondence, contacted HR staff to update direct deposit details, or directly modified payroll systems such as Workday to reroute salary payments. The campaign affects Canadian organizations and illustrates the risk of legacy authentication and non-phishing-resistant MFA in enterprise environments.


Information Snippets

  • Storm-2755 leveraged malicious Microsoft 365 sign-in pages hosted on domains like bluegraintours[.]com to capture user authentication tokens and session cookies.

    First reported: 10.04.2026 14:56
    1 source, 1 article
  • Attackers replayed stolen session tokens to bypass MFA in AiTM proxy flows, gaining full access without re-authenticating or prompting for additional factors.

    First reported: 10.04.2026 14:56
    1 source, 1 article
  • Compromised accounts had inbox rules created to automatically move messages containing "direct deposit" or "bank" to hidden folders, preventing victims from seeing HR correspondence.

    First reported: 10.04.2026 14:56
    1 source, 1 article
  • Storm-2755 contacted HR staff via email with subjects like "Question about direct deposit" to update banking details, or directly accessed HR platforms such as Workday to change direct deposit settings.

    First reported: 10.04.2026 14:56
    1 source, 1 article
  • Microsoft previously disrupted a separate payroll pirate campaign in October 2025 attributed to Storm-2657, which targeted U.S. university employees via AiTM phishing to compromise Exchange Online accounts.

    First reported: 10.04.2026 14:56
    1 source, 1 article
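The inbox-rule behaviour described in the snippets above is the most detectable step of the intrusion. As an added defender-side example (not from this page, Microsoft, or Storm-2755's tooling), the Python below flags newly created inbox rules that combine HR/finance keyword filters with an action that hides matching mail; the event layout, the folder watch-list and every keyword other than "direct deposit" and "bank" are assumptions for illustration.

```python
# Added example: triage inbox-rule creation events for payroll-pirate tradecraft.
# Event layout below is constructed for illustration, not Exchange Online's audit schema.

# "direct deposit" and "bank" are the terms reported in the campaign; the rest are
# assumed related HR/finance terms a defender would reasonably add.
HR_TERMS = {"direct deposit", "bank", "payroll", "salary", "paycheck", "paycheque"}

# Folders a mailbox owner rarely opens (assumed watch-list; tune to your tenant).
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "deleted items", "junk email"}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"user": "alice@example.test", "rule": "Rule 1",
     "conditions": {"subject_or_body_contains": ["direct deposit", "bank"]},
     "actions": {"move_to_folder": "RSS Subscriptions", "mark_as_read": True}},
    {"user": "bob@example.test", "rule": "Newsletters",
     "conditions": {"from": ["news@vendor.test"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"user": "carol@example.test", "rule": "hr",
     "conditions": {"subject_or_body_contains": ["Payroll"]},
     "actions": {"delete": True}},
]


def rule_risk(event):
    """Return the reasons a rule looks like payroll-pirate tradecraft (empty list = benign).

    A rule is flagged only when BOTH a content filter on HR/finance terms AND an action
    that hides mail from the owner are present; either alone is common and benign.
    """
    keywords = {k.lower() for k in event.get("conditions", {}).get("subject_or_body_contains", [])}
    hits = sorted(k for k in keywords if any(term in k for term in HR_TERMS))
    actions = event.get("actions", {})
    hiding = []
    dest = actions.get("move_to_folder", "")
    if dest.lower() in HIDDEN_FOLDERS:
        hiding.append(f"moves mail to rarely viewed folder '{dest}'")
    if actions.get("delete"):
        hiding.append("deletes matching mail")
    if actions.get("mark_as_read"):
        hiding.append("marks matching mail as read")
    if hits and hiding:
        return [f"filters on HR/finance terms {hits}"] + hiding
    return []


def find_suspicious_rules(events):
    """Return (user, rule name, reasons) for every event that rule_risk() flags."""
    return [(e["user"], e["rule"], rule_risk(e)) for e in events if rule_risk(e)]
```

Feeding real rule-creation audit events into `find_suspicious_rules` requires mapping your source's field names onto the constructed layout above.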