A sophisticated cybercrime operation, identified as Storm-2755, is leveraging AiTM session hijacking to divert employee salaries to attacker-controlled bank accounts. This campaign, primarily targeting Canadian workers, uses advanced techniques to bypass multi-factor authentication (MFA) and gain unauthorized access to sensitive financial information.
The “payroll pirate” attacks begin with deceptive search engine optimization (SEO) poisoning and malvertising. Threat actors promote a malicious domain, bluegraintours[.]com, which appears atop search results for terms like “Office 365” and common misspellings. Employees clicking these links are directed to a convincing fake Microsoft 365 sign-in page, where their credentials and live session tokens are captured in real time, effectively bypassing MFA prompts.
Microsoft researchers have highlighted the broad and industry-agnostic targeting strategy employed by Storm-2755. Unlike many threat groups that focus on specific sectors, this operation casts a wide net across all Canadian industries, making it challenging to detect through sector-specific threat intelligence alone. This indiscriminate approach allows the attackers to maximize their potential victim pool.
Understanding the AiTM Attack Chain
The core of Storm-2755’s operation lies in its advanced adversary-in-the-middle (AiTM) methodology. Unlike traditional phishing attempts that solely aim to steal credentials, AiTM attacks intercept and proxy the entire authentication flow between the user and the legitimate service provider. This allows attackers to capture not only passwords but also session cookies and OAuth access tokens.
These captured tokens effectively represent a fully authenticated session. As a result, attackers can reuse these tokens to access Microsoft services without requiring further credential entry or MFA verification. The logs indicate that Storm-2755 utilizes version 1.7.9 of the Axios HTTP client to relay these captured tokens to their own infrastructure. This client makes non-interactive sign-ins to OfficeHome approximately every 30 minutes, maintaining active sessions without obvious detection.
The campaign exhibits a concerning level of meticulousness in its execution and evasion tactics. To avoid triggering reauthentication events, Storm-2755 renews stolen sessions around 5:00 AM in the victim’s local time zone. Furthermore, malicious inbox rules are systematically created to intercept and bury any HR responses concerning the fraudulent bank change requests. This deliberate action ensures that victims remain unaware of the compromise until their paychecks fail to arrive, often leading to significant delays and financial distress.
In some instances, attackers have gone beyond simply maintaining session access. After approximately 30 days of inactivity, or to sustain access for longer periods, they have actively reset account passwords and MFA settings for compromised accounts. This proactive step ensures continued control over the compromised accounts even after the initial stolen tokens naturally expire, demonstrating a persistent and evolving threat posture.
Once an account is compromised, Storm-2755 operatives search mailboxes for keywords related to payroll and human resources. They then send emails from the victim’s own inbox to HR personnel, requesting changes to direct deposit information. This social engineering tactic is designed to appear as a routine administrative request. When direct email manipulation is insufficient, attackers manually log into HR platforms, such as Workday, and directly update banking details, rerouting salary payments into their own accounts.
To counter these sophisticated attacks, organizations are strongly advised to implement a series of proactive security measures. Immediately revoking compromised tokens, removing any malicious inbox rules, and resetting credentials and MFA methods for affected accounts are critical first steps. The adoption of phishing-resistant MFA solutions, such as FIDO2 security keys, is highly recommended, as these are specifically engineered to thwart AiTM token theft.
Furthermore, implementing robust Conditional Access policies can significantly enhance security. Configuring these policies to limit session lifetimes and enforce reauthentication upon the detection of changing risk signals is essential. Enabling Continuous Access Evaluation (CAE) ensures that stolen tokens rapidly lose their validity once a risk condition is detected. Security teams should also establish alerts for the creation of suspicious inbox rules and conduct regular audits of HR SaaS platforms like Workday to detect unauthorized modifications to banking or payment information. The ongoing evolution of cyber threats necessitates a vigilant and adaptive security posture.
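As an added example (not from the original article and not one of Microsoft's own detections), the following Python flags the token-replay pattern described earlier, non-interactive OfficeHome sign-ins from an Axios user agent at a roughly 30-minute cadence, in constructed sign-in records; the field names, sample values and the 5-minute tolerance are assumptions.

```python
"""Added detection example: spot periodic non-interactive OfficeHome sign-ins
from an axios user agent in sign-in log records. The field names and the
sample records below are constructed for this example, not a real schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON record per line (assumed field names).
SAMPLE_SIGNINS = """
{"user":"alice@example.ca","app":"OfficeHome","interactive":false,"ua":"axios/1.7.9","ts":"2024-05-02T05:01:00","ip":"203.0.113.10"}
{"user":"alice@example.ca","app":"OfficeHome","interactive":false,"ua":"axios/1.7.9","ts":"2024-05-02T05:31:00","ip":"203.0.113.10"}
{"user":"alice@example.ca","app":"OfficeHome","interactive":false,"ua":"axios/1.7.9","ts":"2024-05-02T06:01:00","ip":"203.0.113.10"}
{"user":"alice@example.ca","app":"Outlook Web","interactive":true,"ua":"Mozilla/5.0 Windows","ts":"2024-05-02T08:15:00","ip":"198.51.100.7"}
{"user":"bob@example.ca","app":"OfficeHome","interactive":false,"ua":"axios/1.7.9","ts":"2024-05-02T09:00:00","ip":"203.0.113.10"}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def flag_token_replay(events, min_repeats=3, period=timedelta(minutes=30),
                      slack=timedelta(minutes=5)):
    """Return {user: count} for users with at least min_repeats non-interactive
    OfficeHome sign-ins from an axios user agent, spaced about `period` apart
    (within `slack`). Interactive or non-axios sign-ins are ignored."""
    by_user = defaultdict(list)
    for e in events:
        if e["interactive"] or e["app"] != "OfficeHome":
            continue
        if not e["ua"].lower().startswith("axios/"):
            continue
        by_user[e["user"]].append(datetime.fromisoformat(e["ts"]))

    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        periodic = sum(1 for g in gaps if abs(g - period) <= slack)
        # A chain of N sign-ins has N-1 gaps; require all of them to be periodic.
        if len(stamps) >= min_repeats and periodic >= min_repeats - 1:
            flagged[user] = len(stamps)
    return flagged


if __name__ == "__main__":
    print(flag_token_replay(parse_signins(SAMPLE_SIGNINS)))  # {'alice@example.ca': 3}
```

A single axios sign-in (bob above) is not flagged, so the check keys on the cadence rather than the user agent alone; tune `min_repeats` and `slack` to the volume of your own tenant's logs.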

