Storm-2755 is using adversary-in-the-middle session hijacking, SEO poisoning, and malvertising to steal Microsoft 365 sessions and redirect employee salaries. This analysis explains how the attack works, why legacy MFA is not enough, and what organizations must do now.
Introduction
Payroll fraud is no longer just a fake email asking HR to change bank details.
The Storm-2755 campaign shows how financially motivated attackers are now using adversary-in-the-middle, or AiTM, session hijacking to compromise Microsoft 365 accounts, bypass traditional multi-factor authentication, and redirect employee salaries into attacker-controlled bank accounts.
The campaign primarily targets Canadian employees and has been described as a “payroll pirate” attack because the attacker’s goal is direct salary theft.
What makes this attack dangerous is not only the phishing page. It is the way the attackers steal authenticated sessions after the victim completes login and MFA. Once the session token is captured, the attacker can access Microsoft 365 as the victim without needing to repeatedly enter credentials or approve MFA prompts.
This is the uncomfortable lesson for organizations:
MFA helps, but not all MFA is phishing resistant.
If attackers can steal a valid session, they can turn a legitimate login into an unauthorized payroll compromise.
What Happened
Storm-2755 used SEO poisoning and malvertising to drive victims toward fake Microsoft 365 login pages.
Instead of relying only on email phishing links, the attackers placed malicious infrastructure in front of users through search-based lures. Victims searching for Microsoft 365 or mistyped Microsoft-related terms could be redirected to attacker-controlled login pages that looked legitimate.
The victim would enter credentials and complete MFA as expected. Behind the scenes, the attacker’s AiTM infrastructure proxied the authentication flow and captured the resulting session cookies and OAuth tokens.
Once the attacker had access to the authenticated session, they could operate inside Microsoft 365 as the victim.
The attackers then searched for payroll-related content, HR contacts, finance messages, direct deposit workflows, and employee profile details. In some cases, they contacted HR from the victim’s real mailbox using messages about direct deposit changes. They also created inbox rules designed to hide replies and warnings from the real employee.
The end goal was simple:
Redirect salary payments to attacker-controlled bank accounts.
In some cases, the attackers also targeted HR SaaS platforms such as Workday to alter payroll or banking information directly.
Why This Issue Is Critical
This issue is critical because it undermines the confidence many organizations place in standard MFA.
Traditional MFA can reduce password theft, but AiTM session hijacking changes the attack model. The attacker does not need to guess the MFA code, steal the phone, or brute-force the account. The victim completes the MFA process normally, and the attacker steals the valid authenticated session afterward.
That means the login may appear successful and legitimate.
The email may come from the real employee mailbox.
The payroll request may look routine.
The HR system activity may appear to come from an approved user.
This makes the attack difficult to detect because the attacker is abusing trusted identity, trusted sessions, trusted applications, and trusted business workflows.
The financial impact is also immediate. Unlike ransomware or data theft, payroll redirection can cause direct salary loss for employees and financial exposure for the organization.
What Caused the Issue
The campaign is caused by a combination of phishing infrastructure, weak session resilience, non-phishing-resistant MFA, and business process abuse.
Adversary-in-the-Middle Phishing
AiTM phishing places attacker infrastructure between the victim and the legitimate login provider. The victim thinks they are logging into Microsoft 365, but the attacker-controlled proxy captures session material after authentication succeeds.
Session Token Theft
The attackers capture session cookies and OAuth tokens. These tokens can allow access to cloud services without requiring the attacker to repeat the full authentication process.
MFA Bypass Through Session Replay
This is not a traditional MFA failure where the attacker guesses the second factor. Instead, the attacker waits until the victim completes MFA, then reuses the authenticated session.
SEO Poisoning and Malvertising
Storm-2755 used search manipulation and malicious ads to lure victims. This is especially dangerous because many employees are trained to distrust suspicious emails, but they may still trust search results.
Inbox Rule Abuse
After compromise, attackers created mailbox rules to hide HR or payroll-related messages. This prevents victims from seeing replies, warnings, or confirmation emails.
Payroll Workflow Manipulation
The attackers used compromised accounts to interact with HR teams or payroll systems. This allowed them to request or perform direct deposit changes from inside a legitimate employee account.
Possible Axios-Related Activity
Microsoft observed Axios user-agent activity in the token replay flow and referenced CVE-2025-27152 in relation to known Axios issues. Organizations should avoid assuming this campaign is only a phishing problem. It also highlights the need to review application dependencies, logging behavior, and unusual automated access patterns.
How the Failure Chain Works
The failure chain follows a clear identity compromise path.
Search Manipulation
The victim searches for Microsoft 365 or a related service. A malicious result or advertisement leads them to an attacker-controlled domain.
Fake Login Page
The victim reaches a fake Microsoft 365 login page that closely resembles the legitimate sign-in experience.
Credential and MFA Capture Flow
The victim enters credentials and completes MFA. The attacker’s proxy relays the authentication process while capturing the authenticated session.
Session Replay
The attacker uses the stolen session token to access Microsoft 365 as the victim.
Mailbox Discovery
The attacker searches for HR, payroll, finance, account, direct deposit, and support-related terms.
Inbox Rule Creation
The attacker creates rules to hide messages related to direct deposit, banking, payroll, or HR conversations.
Payroll Social Engineering
The attacker emails HR from the victim’s real mailbox asking how to update direct deposit details.
HR SaaS Abuse
Where possible, the attacker accesses HR platforms such as Workday and changes banking information directly.
Salary Redirection
The employee’s pay is redirected to an attacker-controlled bank account.
Why This Incident Matters for Cybersecurity
This incident matters because it shows how identity attacks have evolved.
The target is no longer just the password.
The target is the session.
Organizations have spent years telling users to use MFA, and that advice is still valid. However, Storm-2755 shows that standard MFA alone is not enough when attackers can intercept authenticated sessions.
This campaign also shows how attackers are blending technical compromise with business process abuse. They do not need to deploy ransomware, exploit a domain controller, or install malware on every endpoint. They can steal a session, access email, manipulate HR workflows, and quietly redirect money.
For cybersecurity teams, this means identity security, SaaS monitoring, HR process controls, and penetration testing must be treated as connected disciplines.
A Microsoft 365 compromise is not just an email security issue.
It can become a payroll fraud issue, an HR security issue, a finance issue, and an employee trust issue.
Common Risks Highlighted by the Incident
Non-Phishing-Resistant MFA
SMS codes, email codes, push notifications, and app prompts can still be defeated if attackers steal the session after authentication.
Weak Session Controls
Long session lifetimes increase the value of stolen tokens and give attackers more time to operate.
Poor Token Revocation
Password resets do not always terminate stolen sessions. Active sessions and refresh tokens must be revoked during response.
Unmonitored Inbox Rules
Malicious mailbox rules are frequently used to hide attacker activity. They should be treated as high-value detection signals.
Overtrust in Internal Email
HR teams may trust requests from employee mailboxes without verifying through an independent channel.
Limited HR SaaS Visibility
Payroll and banking changes inside HR platforms should trigger monitoring, approval workflows, and security review.
Search-Based Phishing Exposure
Employees may be cautious with email links but less cautious with search engine results and sponsored ads.
Insufficient Identity Penetration Testing
Many organizations still test networks and web apps more thoroughly than identity workflows, session controls, and SaaS access paths.
Potential Impact on Organizations
The potential impact can be serious even without ransomware or destructive malware.
Organizations may face:
- Salary payments redirected to attacker-controlled accounts
- Employee financial harm
- Payroll disputes and reimbursement costs
- Microsoft 365 account compromise
- Unauthorized access to email and internal files
- Hidden inbox rules suppressing warnings
- HR SaaS account manipulation
- Exposure of personal employee data
- Business email compromise investigations
- Legal and compliance obligations
- Reputational damage
- Increased help desk and security workload
The most damaging part is timing.
Payroll fraud may not be discovered until payday, when the employee realizes their salary has not arrived. By then, the attacker may have already moved the funds and deleted or hidden evidence.
What Organizations Should Do Now
Organizations should treat Storm-2755 as a warning to strengthen identity security and payroll verification.
Deploy Phishing-Resistant MFA
Move toward FIDO2 security keys, passkeys, certificate-based authentication, or other phishing-resistant methods. These are more resilient against AiTM attacks than traditional MFA prompts.
Revoke Suspicious Sessions
When compromise is suspected, revoke active sessions and refresh tokens. Do not rely only on password resets.
Audit Inbox Rules
Review mailbox rules for suspicious keywords such as payroll, direct deposit, bank, HR, finance, Workday, account, or support. Look for rules that delete, move, hide, or forward messages.
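One way to run that audit, as an added example that is not part of the original article: the rule records below are constructed sample data shaped like Microsoft Graph `messageRule` objects (`displayName`, `conditions`, `actions`), not output from a real tenant, and the severity bands are an assumption. The function matches the article's keyword list on word boundaries (so "hr" does not fire on "through") and rates a rule highest when a payroll keyword is paired with an action that deletes, moves, hides or forwards mail.

```python
"""Audit Microsoft 365 inbox rules for payroll-fraud indicators.

Added example, not from the original article. SAMPLE_RULES is constructed
data shaped like Microsoft Graph messageRule objects; severity bands are an
assumption chosen for illustration.
"""
import re
from dataclasses import dataclass, field

# Keywords the article recommends reviewing in rule names and conditions.
PAYROLL_KEYWORDS = ("payroll", "direct deposit", "bank", "hr", "finance",
                    "workday", "account", "support")

# Graph messageRule actions that hide, delete or divert mail.
HIDING_ACTIONS = ("delete", "permanentDelete", "moveToFolder", "copyToFolder",
                  "forwardTo", "forwardAsAttachmentTo", "redirectTo", "markAsRead")
DIVERTING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

# Graph messageRule condition fields that carry free text to match on.
TEXT_CONDITIONS = ("subjectContains", "bodyContains", "bodyOrSubjectContains",
                   "senderContains", "recipientContains", "headerContains",
                   "fromAddresses")


@dataclass
class Finding:
    rule_id: str
    display_name: str
    keywords: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    severity: str = "low"


def rule_text(rule):
    """Join the rule name and every text condition into one lower-cased string."""
    parts = [rule.get("displayName", "")]
    for key in TEXT_CONDITIONS:
        for item in (rule.get("conditions") or {}).get(key) or []:
            if isinstance(item, dict):  # fromAddresses holds recipient objects
                item = item.get("emailAddress", {}).get("address", "")
            parts.append(str(item))
    return " ".join(parts).lower()


def hiding_actions(rule):
    """Return the hiding/diverting actions a rule sets (True, a folder id or recipients)."""
    actions = rule.get("actions") or {}
    return [name for name in HIDING_ACTIONS if actions.get(name)]


def audit_rules(rules):
    """Flag rules by payroll keywords and hiding actions; high when both are present."""
    findings = []
    for rule in rules:
        text = rule_text(rule)
        keywords = [k for k in PAYROLL_KEYWORDS
                    if re.search(r"\b" + re.escape(k) + r"\b", text)]
        actions = hiding_actions(rule)
        if not keywords and not actions:
            continue
        if keywords and actions:
            severity = "high"
        elif any(a in DIVERTING_ACTIONS for a in actions):
            severity = "medium"  # mail leaves the mailbox even without a payroll keyword
        else:
            severity = "low"
        findings.append(Finding(rule["id"], rule.get("displayName", ""),
                                keywords, actions, severity))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f.severity])


# Constructed sample rules (not from any real mailbox).
SAMPLE_RULES = [
    {"id": "r1", "displayName": "Cleanup",
     "conditions": {"bodyOrSubjectContains": ["direct deposit", "payroll"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"id": "r2", "displayName": "Archive old mail",
     "conditions": {"subjectContains": ["newsletter"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "external@example.test"}}]}},
    {"id": "r3", "displayName": "Flag manager mail",
     "conditions": {"senderContains": ["manager"]},
     "actions": {"markImportance": "high"}},
    {"id": "r4", "displayName": "Newsletters",
     "conditions": {"subjectContains": ["weekly digest"]},
     "actions": {"moveToFolder": "constructed-folder-id"}},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f.severity, f.rule_id, f.display_name, f.keywords, f.actions)
```

In a real tenant the input is the `value` array returned by `GET /users/{id}/mailFolders/inbox/messageRules`; the auditor should review medium findings too, since a forwarding rule with no payroll keyword still exfiltrates mail.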
Verify Payroll Changes Out of Band
Any request to change direct deposit details should be verified through a trusted channel, not through the same email thread that requested the change.
Monitor HR SaaS Activity
Changes to banking details, employee profiles, payment elections, or MFA methods inside HR systems should generate alerts and require additional verification.
Strengthen Conditional Access
Use risk-based access controls, device compliance checks, location controls, impossible travel detection, and reauthentication triggers for suspicious activity.
Reduce Session Risk
Limit session lifetimes where appropriate and use continuous access evaluation where available to reduce the usefulness of stolen sessions.
Train Employees on Search-Based Phishing
Security awareness should explain that phishing can begin from search engines and malicious ads, not only from suspicious emails.
Conduct Identity-Focused Penetration Testing
Penetration tests should include Microsoft 365 session controls, MFA resilience, inbox rule abuse, SaaS access paths, and payroll change workflows.
Detection and Monitoring Strategies
Security teams should monitor for signs of AiTM session hijacking and payroll fraud.
Important signals include:
- Sign-ins from unusual locations
- Impossible travel alerts
- Sudden user-agent changes
- Axios user-agent activity where it is abnormal
- Non-interactive sign-ins occurring at regular intervals
- Suspicious OfficeHome or Microsoft 365 session activity
- New inbox rules after unusual sign-ins
- Rules containing payroll or banking-related keywords
- Email subjects related to direct deposit changes
- Searches in mailboxes for HR, payroll, finance, or account terms
- Access to Workday or HR tools from abnormal sessions
- Banking or payment election changes
- MFA method changes after suspicious login activity
- OAuth activity inconsistent with normal behavior
The strongest detections come from correlation.
A suspicious login may not be enough on its own. A new inbox rule may not be enough on its own. A payroll change may be legitimate.
But when those signals appear together, they form a strong attack pattern.
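The correlation idea above, as an added example that is not part of the original article: the events are constructed records loosely modelled on Entra sign-in logs, Exchange audit entries and an HR change log; the field names, signal weights, 72-hour window and alert threshold are all assumptions. A user's score only accumulates follow-on signals (new inbox rule, payroll keywords, payroll change) inside the window after their first anomalous sign-in, so a lone payroll change or a lone odd login stays below the threshold while the full chain fires.

```python
"""Correlate Microsoft 365 sign-in, inbox-rule and payroll signals per user.

Added example, not from the original article. SAMPLE_EVENTS, the field names,
WEIGHTS, WINDOW and ALERT_THRESHOLD are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)    # how long after an odd sign-in we keep correlating
ALERT_THRESHOLD = 6             # assumed cut-off for raising an alert
KEYWORD_RE = re.compile(r"\b(payroll|direct deposit|bank|hr|finance|workday)\b", re.I)

# Signal weights are an assumption for this example, not values from the article.
WEIGHTS = {
    "unusual_location": 2,
    "automated_user_agent": 2,
    "non_interactive": 1,
    "new_inbox_rule": 2,
    "payroll_keyword_rule": 2,
    "payroll_change": 3,
}


def signin_signals(event, home_country):
    """Return the anomaly signals a single sign-in event carries."""
    signals = []
    if event.get("country") != home_country:
        signals.append("unusual_location")
    if "axios" in event.get("user_agent", "").lower():
        signals.append("automated_user_agent")
    if not event.get("interactive", True):
        signals.append("non_interactive")
    return signals


def correlate(events, home_countries, default_home="CA"):
    """Score each user by the distinct signals seen within WINDOW of their first anomalous sign-in."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user[ev["user"]].append(ev)

    results = {}
    for user, evs in by_user.items():
        home = home_countries.get(user, default_home)
        signals = set()
        anchor = None  # time of the first anomalous sign-in
        for ev in evs:
            if ev["type"] == "signin":
                found = signin_signals(ev, home)
                if found:
                    signals.update(found)
                    anchor = anchor or datetime.fromisoformat(ev["time"])
        if anchor is not None:
            for ev in evs:
                t = datetime.fromisoformat(ev["time"])
                if not anchor <= t <= anchor + WINDOW:
                    continue
                if ev["type"] == "inbox_rule_created":
                    signals.add("new_inbox_rule")
                    text = ev.get("rule_name", "") + " " + " ".join(ev.get("conditions", []))
                    if KEYWORD_RE.search(text):
                        signals.add("payroll_keyword_rule")
                elif ev["type"] == "payroll_change":
                    signals.add("payroll_change")
        score = sum(WEIGHTS[s] for s in signals)
        results[user] = {"score": score, "signals": sorted(signals),
                         "alert": score >= ALERT_THRESHOLD}
    return results


# Constructed sample events: alice shows the full chain, bob a legitimate
# payroll change with a normal sign-in, carol a single odd login only.
SAMPLE_EVENTS = [
    {"time": "2025-03-03T09:00:00+00:00", "user": "alice", "type": "signin",
     "country": "CA", "user_agent": "Mozilla/5.0", "interactive": True},
    {"time": "2025-03-03T14:05:00+00:00", "user": "alice", "type": "signin",
     "country": "US", "user_agent": "axios/1.6.0", "interactive": False},
    {"time": "2025-03-03T14:20:00+00:00", "user": "alice", "type": "inbox_rule_created",
     "rule_name": "Cleanup", "conditions": ["direct deposit", "payroll"]},
    {"time": "2025-03-04T10:00:00+00:00", "user": "alice", "type": "payroll_change",
     "field": "bank_account"},
    {"time": "2025-03-03T10:00:00+00:00", "user": "bob", "type": "signin",
     "country": "CA", "user_agent": "Mozilla/5.0", "interactive": True},
    {"time": "2025-03-04T11:00:00+00:00", "user": "bob", "type": "payroll_change",
     "field": "bank_account"},
    {"time": "2025-03-03T08:00:00+00:00", "user": "carol", "type": "signin",
     "country": "FR", "user_agent": "Mozilla/5.0", "interactive": True},
]

if __name__ == "__main__":
    for user, r in correlate(SAMPLE_EVENTS, {}).items():
        print(user, r)
```

The anchor-and-window design is the point: each signal is weak alone, so the scorer attaches later mailbox and HR activity to the anomalous sign-in that preceded it rather than alerting on any one record.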
The Role of Incident Response Planning
Storm-2755 shows why incident response plans must include session hijacking and payroll fraud.
A strong response plan should define steps for:
- Revoking Microsoft 365 sessions
- Resetting passwords and MFA methods
- Auditing inbox rules
- Reviewing HR SaaS changes
- Freezing suspicious payroll updates
- Notifying HR and finance teams
- Preserving mailbox and sign-in logs
- Contacting banking partners when fraud is suspected
- Communicating with affected employees
- Reviewing legal and compliance obligations
Security, IT, HR, finance, legal, and communications teams all have a role in this response.
Speed matters.
If an organization waits until payroll has already been redirected, recovery becomes harder. The goal is to detect and disrupt the attack before salary payments leave the organization.
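The first three technical steps of that response (revoke sessions, audit inbox rules, preserve evidence), as an added example that is not part of the original article. The Graph endpoints used, `POST /users/{id}/revokeSignInSessions` and the `mailFolders/inbox/messageRules` collection, are real; the bearer token acquisition, the `FakeGraphClient` that lets the playbook run offline, and the sample rules are constructed assumptions. Rules that hide mail are disabled rather than deleted so the artefact survives for the investigation.

```python
"""Contain a suspected Microsoft 365 session hijack and preserve rule evidence.

Added example, not from the original article. GraphClient assumes a bearer
token obtained elsewhere; FakeGraphClient and SAMPLE_RULES are constructed
stand-ins so the playbook runs offline.
"""
import copy
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Rule actions that hide or divert mail (one-line check keeps the playbook small).
HIDING = ("delete", "permanentDelete", "moveToFolder", "forwardTo", "redirectTo")


class GraphClient:
    """Minimal Microsoft Graph caller using a bearer token acquired elsewhere (assumption)."""
    def __init__(self, token):
        self.token = token

    def _call(self, method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {self.token}",
            "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def post(self, url, body=None):
        return self._call("POST", url, body)

    def get(self, url):
        return self._call("GET", url)

    def patch(self, url, body=None):
        return self._call("PATCH", url, body)


class FakeGraphClient:
    """Offline stand-in that records every call and serves constructed rules."""
    def __init__(self, rules):
        self.rules = rules
        self.calls = []

    def post(self, url, body=None):
        self.calls.append(("POST", url, body))
        return {"value": True}  # shape of a real revokeSignInSessions response

    def get(self, url):
        self.calls.append(("GET", url, None))
        return {"value": self.rules}

    def patch(self, url, body=None):
        self.calls.append(("PATCH", url, body))
        return {}


def hides_mail(rule):
    actions = rule.get("actions") or {}
    return any(actions.get(a) for a in HIDING)


def contain_user(client, user_id):
    """Ordered containment: revoke sessions, snapshot rules, disable hiding rules."""
    report = {"user": user_id, "steps": [], "disabled_rules": [], "evidence": None}
    # 1. Invalidate refresh tokens and session cookies; a password reset alone leaves them valid.
    resp = client.post(f"{GRAPH}/users/{user_id}/revokeSignInSessions")
    report["steps"].append(("revokeSignInSessions", bool(resp.get("value"))))
    # 2. Snapshot every inbox rule before changing anything, for the investigation.
    rules_url = f"{GRAPH}/users/{user_id}/mailFolders/inbox/messageRules"
    rules = client.get(rules_url).get("value", [])
    report["evidence"] = copy.deepcopy(rules)
    report["steps"].append(("snapshot_inbox_rules", len(rules)))
    # 3. Disable, rather than delete, rules that hide mail so the artefact survives.
    for rule in rules:
        if hides_mail(rule) and rule.get("isEnabled", True):
            client.patch(f"{rules_url}/{rule['id']}", {"isEnabled": False})
            report["disabled_rules"].append(rule["id"])
    report["steps"].append(("disable_hiding_rules", len(report["disabled_rules"])))
    return report


# Constructed sample rules (not from any real mailbox).
SAMPLE_RULES = [
    {"id": "r1", "displayName": "Cleanup", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["direct deposit"]},
     "actions": {"delete": True}},
    {"id": "r2", "displayName": "Weekly digest", "isEnabled": True,
     "conditions": {"subjectContains": ["digest"]},
     "actions": {"markImportance": "low"}},
]

if __name__ == "__main__":
    print(json.dumps(contain_user(FakeGraphClient(SAMPLE_RULES), "alice@example.test"), indent=2))
```

Password and MFA resets, HR freezes and notifications from the list above are deliberately left to the wider playbook; what this block fixes is the ordering, since revoking sessions and capturing the rules before editing them is what keeps the evidence usable and the stolen session dead.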
Key Takeaway
Storm-2755’s payroll pirate campaign shows that attackers are moving beyond password theft into session hijacking and business process abuse.
By using SEO poisoning, malvertising, fake Microsoft 365 login pages, AiTM infrastructure, stolen session tokens, inbox rules, and HR SaaS manipulation, attackers can redirect employee salaries while appearing to operate from legitimate user accounts.
The main lesson is clear:
Traditional MFA is not enough against adversary-in-the-middle attacks.
Organizations must adopt phishing-resistant MFA, strengthen Conditional Access, revoke suspicious sessions quickly, monitor inbox rules, audit HR SaaS activity, verify payroll changes out of band, and include identity workflows in penetration testing.
A stolen password is dangerous.
A stolen session can be worse.