What Happened
Microsoft Incident Response researchers have published a detailed breakdown of Storm-2755, a financially motivated threat actor running a campaign Microsoft calls “Payroll Pirate” — a scheme that compromises Canadian employee accounts to redirect salary payments to attacker-controlled bank accounts.
The attack chain begins with malvertising or SEO poisoning. When a Canadian employee searches for their organization’s Microsoft 365 sign-in page, Storm-2755 serves a poisoned search result near the top of the page, directing the target to an adversary-in-the-middle phishing proxy. The proxy passes login traffic through to the legitimate Microsoft 365 service in real time, harvesting the victim’s session cookie and authentication token in the process. Multi-factor authentication prompts are captured and relayed, so MFA provides no protection once the victim clicks the malicious link.
With a valid session token, Storm-2755 logs into the compromised account and creates email inbox rules that silently move any emails containing the words “direct deposit” or “bank” to the conversation history folder, preventing the victim from seeing alerts or HR confirmations. The attacker then impersonates the victim in emails to HR or finance staff, requesting payroll banking updates. Where HR teams decline to act on email requests alone, Storm-2755 has been observed logging directly into SaaS HR platforms such as Workday using the stolen session and changing direct deposit details without further social engineering.
Why This Matters for Canadian Organizations
This campaign targets Canadian employees specifically and directly. The use of AiTM phishing to defeat MFA is not novel, but the deliberate focus on payroll redirection distinguishes Storm-2755 from the credential-theft-and-ransomware playbook common to most threat actors. The financial damage is immediate and personal — an employee’s entire paycheque disappears on payday.
For Canadian organizations, the operational risk extends beyond individual employees. HR and payroll teams with access to enterprise payroll platforms become high-value targets. A single compromised HR account with permissions to modify direct deposit details across hundreds of employees represents significant exposure. Organizations using Microsoft 365 combined with cloud HR platforms such as Workday, ADP, or Ceridian face the full attack chain Microsoft describes.
Canadian privacy law adds a compliance layer. Where direct deposit redirection succeeds, it may constitute unauthorized access to financial records held by the employer, triggering PIPEDA breach assessment obligations. Organizations that do not detect and report these incidents within 72 hours of confirmation face regulatory exposure in addition to employee relations fallout.
What to Do
Review Microsoft 365 sign-in logs for authentication events originating from unfamiliar IP ranges or from geographic locations inconsistent with where employees actually work. Audit inbox rules created in the last 30 days for any that move or redirect email to the conversation history folder or other rarely viewed folders. Implement Conditional Access policies that require compliant devices for payroll platform access and block legacy authentication protocols. Train HR and payroll staff to require verified, out-of-band confirmation — by phone or in person — before processing any direct deposit change request received by email. Enable risk-based sign-in policies in Microsoft Entra ID to flag and challenge anomalous sessions. Engage your payroll platform vendor to enable alerts for bank account changes and to enforce change approval workflows.
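The inbox-rule audit step above, written out as an added Python check over Unified Audit Log New-InboxRule and Set-InboxRule events; this is example code, not Microsoft's or the original post's, and the AuditData field layout (a Parameters list of Name/Value pairs) and the two sample records are assumptions constructed for illustration.

```python
"""Flag Exchange Online inbox rules that hide payroll-related mail.
Looks at Unified Audit Log New-InboxRule / Set-InboxRule events whose
conditions match payroll keywords and whose action moves, deletes or
marks-as-read the message. The record layout (AuditData JSON with a
Parameters list of Name/Value pairs) is an assumption; the sample
records below are constructed, not real telemetry.
"""
import json

PAYROLL_WORDS = {"direct deposit", "bank", "payroll", "pay stub"}
CONDITION_PARAMS = {"SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "FromAddressContainsWords"}
HIDING_ACTIONS = {"MoveToFolder", "DeleteMessage", "MarkAsRead", "SoftDeleteMessage"}

def _params(record):
    """Flatten the Parameters list into a {name: value} dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}

def assess_rule(record):
    """Return a finding dict for a suspicious rule event, or None if benign."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = _params(record)
    # Conditions: any keyword parameter that mentions a payroll term.
    matched = sorted({w for name in CONDITION_PARAMS & set(params)
                      for w in PAYROLL_WORDS if w in params[name].lower()})
    # Actions: anything that takes the message out of the victim's sight.
    hiding = sorted(a for a in HIDING_ACTIONS & set(params)
                    if params[a].lower() not in ("", "false"))
    if not matched or not hiding:
        return None
    return {"user": record.get("UserId"), "client_ip": record.get("ClientIP"),
            "rule_name": params.get("Name", ""), "keywords": matched,
            "actions": {a: params[a] for a in hiding}}

def scan_audit_log(lines):
    """Parse newline-delimited AuditData JSON and return every finding."""
    findings = [assess_rule(json.loads(l)) for l in lines if l.strip()]
    return [f for f in findings if f]

# Constructed sample: one Payroll Pirate-style rule, one benign mail filter.
SAMPLE_LOG = """
{"Operation":"New-InboxRule","UserId":"jdoe@contoso.example","ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectOrBodyContainsWords","Value":"direct deposit;bank"},{"Name":"MoveToFolder","Value":"Conversation History"},{"Name":"MarkAsRead","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"asmith@contoso.example","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
"""

if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

In production, feed it the AuditData column exported by Search-UnifiedAuditLog and join the ClientIP against the sign-in log review from the first step.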
Source: Microsoft Security Blog | BleepingComputer