Executive Summary
In April 2026, Microsoft identified a financially motivated threat actor, Storm-2755, targeting Canadian employees through sophisticated 'payroll pirate' attacks. The attackers employed adversary-in-the-middle (AiTM) techniques, using malicious Microsoft 365 sign-in pages to intercept authentication tokens and session cookies. This method allowed them to bypass traditional multi-factor authentication (MFA) and gain unauthorized access to employee accounts. Once inside, they created inbox rules to conceal communications from human resources and manipulated payroll systems, such as Workday, to redirect salary payments to accounts under their control. (microsoft.com)
This incident underscores the evolving nature of business email compromise (BEC) schemes, highlighting the need for organizations to implement phishing-resistant MFA solutions and monitor for anomalous activities within their systems. The use of AiTM tactics to circumvent standard security measures signifies a shift in cybercriminal strategies, emphasizing the importance of continuous vigilance and adaptive security protocols. (microsoft.com)
Why This Matters Now
The rise of AiTM attacks like those executed by Storm-2755 demonstrates the increasing sophistication of cyber threats, making traditional MFA methods insufficient. Organizations must urgently adopt phishing-resistant MFA and enhance monitoring to detect and prevent such advanced attacks. (microsoft.com)
Attack Path Analysis
The adversary initiated the attack by employing SEO poisoning and malvertising to direct users to fraudulent Microsoft 365 login pages, capturing credentials and session tokens. With these, they bypassed MFA protections to access employee email accounts. They then created inbox rules to conceal HR communications and searched for payroll-related information. Subsequently, they impersonated employees to request direct deposit changes from HR staff or directly modified payroll details in HR systems like Workday. This led to the diversion of salary payments to attacker-controlled accounts, resulting in financial loss for the victims.
Kill Chain Progression
Initial Compromise
Description
The attacker used SEO poisoning and malvertising to direct users to fake Microsoft 365 login pages, capturing credentials and session tokens.
MITRE ATT&CK® Techniques
Adversary-in-the-Middle
Valid Accounts
Email Collection
Phishing
Application Layer Protocol
Account Manipulation
Command and Scripting Interpreter
User Execution
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components are protected from known vulnerabilities by installing applicable security patches
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model 2.0 – Implement Strong Authentication Mechanisms
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Human Resources/HR
Primary target for payroll pirate attacks using AiTM techniques to bypass MFA and manipulate direct deposit information through compromised HR platforms like Workday.
Higher Education/Acadamia
Storm-2657 specifically targeted university employees in similar payroll attacks, making educational institutions highly vulnerable to business email compromise and salary theft schemes.
Financial Services
Direct exposure to wire transfer fraud and banking information manipulation attacks, requiring phishing-resistant MFA and enhanced session token protection against AiTM bypasses.
Government Administration
High-value target for payroll manipulation attacks due to large employee bases, standardized HR systems, and potential for significant financial impact from compromised authentication.
Sources
- Microsoft: Canadian employees targeted in payroll pirate attackshttps://www.bleepingcomputer.com/news/microsoft/microsoft-canadian-employees-targeted-in-payroll-pirate-attacks/Verified
- Investigating Storm-2755: 'Payroll pirate' attacks targeting Canadian employeeshttps://www.microsoft.com/en-us/security/blog/2026/04/09/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees/Verified
- From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraudhttps://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and access sensitive systems, thereby reducing the potential blast radius of the breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit compromised credentials may have been constrained, limiting unauthorized access to cloud resources.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges within the cloud environment could have been limited, reducing unauthorized access to sensitive resources.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the cloud environment could have been constrained, limiting access to additional systems and data.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain persistent access across multiple cloud environments could have been reduced, limiting control over compromised accounts.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data could have been limited, reducing the risk of data loss.
The financial impact of the attack could have been mitigated by limiting the attacker's ability to access and manipulate payroll systems.
Impact at a Glance
Affected Business Functions
- Payroll Processing
- Human Resources Management
- Employee Financial Services
Estimated downtime: 3 days
Estimated loss: $50,000
Employee payroll information, including bank account details, was compromised.
Recommended Actions
Key Takeaways & Next Steps
- • Implement phishing-resistant MFA methods, such as FIDO2/WebAuthn, to prevent adversary-in-the-middle attacks.
- • Regularly monitor and audit email inbox rules for unauthorized changes that could conceal malicious activities.
- • Educate employees on recognizing phishing attempts and the importance of verifying the authenticity of login pages.
- • Enforce strict access controls and segmentation within HR systems to limit the potential impact of compromised accounts.
- • Establish out-of-band verification processes for any requests to change direct deposit information to prevent unauthorized modifications.
