Payroll Pirate Attacks Hijack Canadian Employees’ Salary Payments via Microsoft 365 AiTM Phishing
What Happened – A financially‑motivated group tracked as Storm‑2755 compromised Microsoft 365 accounts of Canadian employees by luring them to adversary‑in‑the‑middle (AiTM) sign‑in pages that proxy the real Microsoft login. Because the victim completes the MFA prompt through the proxy, the attackers capture the resulting session cookie and OAuth access tokens and can replay them without being challenged for MFA again. With those sessions they read payroll data, altered direct‑deposit details, and diverted salary payments to accounts they controlled.
Why It Matters for TPRM –
- AiTM phishing defeats MFA methods that are not phishing‑resistant (SMS, voice, one‑time codes, push approvals), so any SaaS provider that protects payroll or HR data with such MFA is exposed to the same technique.
- Compromise of a single employee’s account can cascade into fraudulent payments across the supply chain.
- The attack demonstrates the risk of AiTM phishing against third‑party services (e.g., Workday) that many organizations rely on.
Who Is Affected – Companies with Canadian workforces that use Microsoft 365 for email and cloud services, especially those that integrate with payroll/HR platforms such as Workday.
Recommended Actions –
- Block legacy authentication protocols (basic authentication for IMAP, POP, SMTP AUTH and ActiveSync), which cannot enforce MFA at all, across all Microsoft 365 tenants.
- Enforce phishing‑resistant MFA (FIDO2 security keys or passkeys, Windows Hello for Business, or certificate‑based authentication) through a Conditional Access authentication strength; push approvals and one‑time codes in Microsoft Authenticator are still relayed by an AiTM proxy.
- Regularly audit and purge suspicious inbox rules, including hidden rules the user cannot see in Outlook, with particular attention to rules that delete mail, move it to folders such as RSS Feeds or Archive, or match keywords like payroll or direct deposit.
- Revoke sign‑in sessions and refresh tokens for affected accounts in addition to resetting credentials; already‑issued access tokens stay valid until they expire, so review activity in that window and re‑verify any direct‑deposit changes made during the compromise.
Technical Notes –
- Attack vector: AiTM phishing using SEO‑poisoned malicious sign‑in pages (e.g., bluegraintours.com).
- Tokens stolen: Session cookies and OAuth access tokens that grant full Microsoft 365 access.
- Follow‑on tactics: Creation of hidden inbox rules, targeted phishing of HR staff, direct login to Workday to modify direct‑deposit information.
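To make the inbox‑rule audit step and the follow‑on tactics above concrete, the following is an added example, not code from the article, BleepingComputer or Microsoft. It hunts for two artifacts in exported Microsoft 365 telemetry: inbox rules that hide or divert mail (the hidden‑rule tactic), and a session ID that satisfied MFA once and then appears from a different IP address, which is how a replayed AiTM session cookie shows up in Entra sign‑in logs. The audit‑log and sign‑in records are constructed samples, and their field names (Operation, Parameters, sessionId, authenticationRequirement and so on) are assumptions about the export format that should be checked against real data.

```python
"""Hunt for payroll-pirate tradecraft in exported Microsoft 365 telemetry.

Added example, not code from the article, BleepingComputer or Microsoft.
Field names follow Unified Audit Log and Entra sign-in log exports as an
assumption; the records at the bottom are constructed, not incident data.
"""
import re
from collections import defaultdict
from datetime import datetime

# Folders attackers move matched mail into so the victim never notices it.
STEALTH_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "archive", "junk email", "deleted items"}
# Keywords that show interest in pay, HR notices or account-change alerts.
PAYROLL_KEYWORDS = ("payroll", "direct deposit", "bank", "salary", "workday",
                    "paycheck", "password", "mfa", "hr")


def _params(record: dict) -> dict:
    """Flatten the audit-log 'Parameters' list ([{Name, Value}, ...]) to a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def rule_findings(params: dict) -> list[str]:
    """Reasons an inbox-rule parameter set looks like attacker tooling; [] if benign."""
    findings = []
    if str(params.get("DeleteMessage", "")).lower() == "true":
        findings.append("deletes matching mail")
    folder = str(params.get("MoveToFolder", "")).strip("\\").lower()
    if folder in STEALTH_FOLDERS:
        findings.append(f"moves mail to '{folder}'")
    for p in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if params.get(p):
            findings.append(f"{p}={params[p]}")
    haystack = " ".join(str(params.get(k, "")) for k in
                        ("SubjectContainsWords", "BodyContainsWords",
                         "SubjectOrBodyContainsWords")).lower()
    hits = [kw for kw in PAYROLL_KEYWORDS
            if re.search(rf"\b{re.escape(kw)}\b", haystack)]
    if hits:
        findings.append(f"filters on {hits}")
    if len(str(params.get("Name", "")).strip()) <= 2:  # ".", ",", "" are classic hidden-rule names
        findings.append("near-empty rule name")
    return findings


def audit_inbox_rules(records: list[dict]) -> list[dict]:
    """One finding per suspicious New-InboxRule / Set-InboxRule audit record."""
    out = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        f = rule_findings(_params(r))
        if f:
            out.append({"user": r["UserId"], "ip": r.get("ClientIP"),
                        "operation": r["Operation"], "findings": f})
    return out


def session_reuse(signins: list[dict], window_hours: float = 24) -> list[dict]:
    """Flag a session that satisfied MFA and then appears from another IP."""
    # A replayed AiTM cookie already satisfies MFA, so the replay is the same
    # sessionId with a single-factor requirement from the attacker's address.
    by_session = defaultdict(list)
    for s in signins:
        by_session[s["sessionId"]].append(s)
    alerts = []
    for sid, events in by_session.items():
        events.sort(key=lambda e: e["createdDateTime"])
        first = events[0]
        if first.get("authenticationRequirement") != "multiFactorAuthentication":
            continue
        t0 = datetime.fromisoformat(first["createdDateTime"])
        for e in events[1:]:
            hours = (datetime.fromisoformat(e["createdDateTime"]) - t0).total_seconds() / 3600
            if e["ipAddress"] != first["ipAddress"] and hours <= window_hours:
                alerts.append({"user": first["userPrincipalName"], "sessionId": sid,
                               "mfa_ip": first["ipAddress"], "reuse_ip": e["ipAddress"],
                               "hours_later": round(hours, 2)})
                break
    return alerts


# Constructed samples (RFC 5737 documentation addresses), not incident data.
SAMPLE_UAL = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.5",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "payroll;direct deposit;Workday"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "noreply@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "sessionId": "s-1", "ipAddress": "192.0.2.10",
     "createdDateTime": "2025-10-01T13:02:00+00:00", "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "alice@example.com", "sessionId": "s-1", "ipAddress": "203.0.113.5",
     "createdDateTime": "2025-10-01T13:09:00+00:00", "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "bob@example.com", "sessionId": "s-2", "ipAddress": "198.51.100.7",
     "createdDateTime": "2025-10-01T14:00:00+00:00", "authenticationRequirement": "multiFactorAuthentication"},
]

if __name__ == "__main__":
    for hit in audit_inbox_rules(SAMPLE_UAL) + session_reuse(SAMPLE_SIGNINS):
        print(hit)
```

On the sample data, alice's rule is flagged three times (stealth folder, payroll keywords, one‑character name) and her MFA session is seen again seven minutes later from the same IP that created the rule, while bob's newsletter rule and single sign‑in produce nothing. In production the input would come from Search‑UnifiedAuditLog and the Graph auditLogs/signIns endpoint; matching rules are removed with Remove‑InboxRule and the sessions revoked with Revoke‑MgUserSignInSession before the password reset, since the reset alone does not invalidate tokens already in the attacker's hands.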
Source: BleepingComputer