Payroll “Pirate” Threat Actor Storm‑2755 Hijacks Canadian Employee Accounts to Divert Salaries
What Happened — Microsoft’s DART team identified a financially‑motivated threat group, Storm‑2755, that compromises Canadian employee credentials, accesses internal payroll systems, and redirects salary payments to attacker‑controlled accounts. The campaign leverages credential‑theft techniques to harvest employee profiles and manipulate payroll data.
Why It Matters for TPRM —
- Direct financial loss to client organizations and their employees.
- Exposure of personally identifiable information (PII) and payroll data.
- Demonstrates a supply‑chain risk where a vendor’s payroll service becomes a conduit for fraud.
Who Is Affected — Canadian enterprises across all sectors that use third‑party payroll processing services (e.g., ADP, Paychex, Ceridian) and their employees.
Recommended Actions —
- Verify that payroll vendors enforce multi‑factor authentication (MFA) for employee accounts.
- Conduct credential‑security assessments for any third‑party payroll or HR platforms.
- Implement transaction‑level controls and alerts for anomalous salary disbursements.
Technical Notes — The attack vector appears to be phishing‑based credential compromise, leading to unauthorized access to payroll applications. No specific CVE is cited. Data types accessed include employee personal data, banking details, and salary information. Source: Microsoft Security Blog