Executive Summary
In April 2026, a financially motivated threat actor identified as Storm-2755 targeted Canadian employees through a sophisticated 'payroll pirate' campaign. Utilizing adversary-in-the-middle (AiTM) phishing techniques, the attackers intercepted authentication sessions to gain unauthorized access to employee profiles on HR platforms. This access enabled them to divert salary payments to accounts under their control, resulting in direct financial losses for both individuals and organizations. The campaign was notable for its use of malvertising and search engine optimization (SEO) poisoning to lure victims to malicious sites, effectively bypassing traditional multi-factor authentication (MFA) methods.
This incident underscores the evolving nature of cyber threats, particularly the increasing prevalence of AiTM attacks that can circumvent standard MFA protections. Organizations must recognize the limitations of traditional security measures and adopt more robust, phishing-resistant authentication methods to safeguard against such sophisticated attacks.
Why This Matters Now
The Storm-2755 campaign highlights the urgent need for organizations to implement phishing-resistant multi-factor authentication methods, as traditional MFA is increasingly vulnerable to adversary-in-the-middle attacks. With cybercriminals employing more sophisticated techniques to bypass standard security measures, it is imperative for businesses to enhance their cybersecurity protocols to protect sensitive employee information and financial assets.
Attack Path Analysis
Storm-2755 initiated the attack by using SEO poisoning and malvertising to direct Canadian users to a fraudulent Microsoft 365 sign-in page, capturing their credentials and session tokens. With these stolen tokens, the attacker maintained persistent access to user accounts, bypassing MFA protections. They then searched internal systems for payroll and HR information to identify processes for diverting salary payments. The attacker established command and control by creating email inbox rules to hide communications from HR, ensuring their fraudulent activities remained undetected. They exfiltrated sensitive payroll data and modified direct deposit information to redirect salaries to accounts they controlled. The impact was direct financial loss for affected individuals and organizations due to unauthorized salary redirections.
Kill Chain Progression
Initial Compromise
Description
Storm-2755 used SEO poisoning and malvertising to lure users to a fake Microsoft 365 sign-in page, capturing their credentials and session tokens.
Related CVEs
CVE-2025-27152 (CVSS 5.3)
Axios versions up to 1.7.9 are vulnerable to Server-Side Request Forgery (SSRF) and credential leakage when absolute URLs are used instead of protocol-relative URLs, potentially allowing unauthorized access to internal systems and sensitive data.
Affected Products: Axios axios – < 0.30.0, 1.0.0 - 1.7.9
Exploit Status: proof of concept
MITRE ATT&CK® Techniques
Adversary-in-the-Middle
Valid Accounts
Email Collection
Hide Artifacts: Email Hiding Rules
Application Layer Protocol: Web Protocols
Application Layer Protocol: File Transfer Protocols
Application Layer Protocol: Mail Protocols
Application Layer Protocol: DNS
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components are protected from known vulnerabilities by installing applicable security patches
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – Implement Strong Authentication Mechanisms
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Human Resources/HR
Direct target of Storm-2755's payroll piracy campaign using compromised employee credentials to manipulate HR systems and redirect salary payments through social engineering.
Financial Services
High risk from adversary-in-the-middle attacks bypassing MFA protections, with validated capabilities targeting encrypted traffic and egress security critical for financial operations.
Higher Education/Academia
Referenced Storm-2657 payroll attacks on US universities indicate educational institutions face similar business email compromise threats targeting employee financial information systems.
Government Administration
Geographic targeting of Canadian employees creates national security implications, requiring zero trust segmentation and threat detection capabilities to protect government payroll systems.
Sources
- Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees – https://www.microsoft.com/en-us/security/blog/2026/04/09/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees/ (Verified)
- CVE-2025-27152 Detail – https://nvd.nist.gov/vuln/detail/CVE-2025-27152 (Verified)
- Possible SSRF and Credential Leakage via Absolute URL in axios Requests – https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate sensitive data by enforcing strict segmentation and identity-aware controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not prevent initial credential theft via phishing, it could limit the attacker's subsequent access within the cloud environment.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could limit the attacker's ability to escalate privileges by enforcing strict access controls based on identity and context.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could reduce the attacker's ability to move laterally by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could enhance detection of anomalous activities by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could limit unauthorized data exfiltration by controlling outbound traffic and enforcing strict egress policies.
While Aviatrix Zero Trust CNSF may not prevent all financial impacts, it could reduce the scope of such incidents by limiting unauthorized access and data exfiltration.
Impact at a Glance
Affected Business Functions
- Payroll Processing
- Human Resources Management
Estimated downtime: 7 days
Estimated loss: $50,000
Employee payroll and personal information
Recommended Actions
Key Takeaways & Next Steps
- Implement phishing-resistant MFA methods, such as FIDO2/WebAuthn, to prevent token theft and session hijacking.
- Enforce Conditional Access policies to manage session lifetimes and require reauthentication under specific conditions.
- Monitor for anomalous user-agent strings and non-interactive sign-ins to detect potential token replay attacks.
- Regularly audit and remove unauthorized email inbox rules to prevent attackers from hiding malicious activities.
- Educate employees on recognizing phishing attempts and the importance of verifying changes to payroll information through multiple channels.
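The two monitoring items above (non-interactive sign-ins that reuse a session from an unfamiliar user agent or IP, and inbox rules that route HR or payroll mail out of sight) can be turned into a first-pass detection over sign-in and mailbox-rule records. The following is an added example, not code from the page, from Microsoft or from Aviatrix; the record field names (user, session, interactive, ua, ip, keywords, action, folder) and the sample records are constructed assumptions, not a real log schema.

```python
import json

# Constructed sample records (not real logs). Field names are assumptions.
SIGNINS = json.loads("""[
 {"user":"alice","session":"s1","interactive":true,"ua":"Edge/124 Windows","ip":"198.51.100.5"},
 {"user":"alice","session":"s1","interactive":false,"ua":"Edge/124 Windows","ip":"198.51.100.5"},
 {"user":"alice","session":"s1","interactive":false,"ua":"python-requests/2.31","ip":"203.0.113.9"},
 {"user":"bob","session":"s2","interactive":true,"ua":"Chrome/123 macOS","ip":"198.51.100.7"}
]""")
RULES = json.loads("""[
 {"user":"alice","name":".","keywords":["payroll","direct deposit"],"action":"move","folder":"RSS Subscriptions"},
 {"user":"bob","name":"Newsletters","keywords":["newsletter"],"action":"move","folder":"Reading"}
]""")

HR_TERMS = {"payroll", "hr", "direct deposit", "salary", "bank"}
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "junk email", "archive"}

def token_replay_candidates(signins):
    """Flag non-interactive sign-ins that reuse a session first established
    interactively but now arrive with a different user agent or IP: the
    pattern a stolen session token produces when replayed from elsewhere."""
    origin = {}  # session id -> (ua, ip) of its first interactive sign-in
    for rec in signins:
        if rec["interactive"] and rec["session"] not in origin:
            origin[rec["session"]] = (rec["ua"], rec["ip"])
    flagged = []
    for rec in signins:
        if rec["interactive"]:
            continue
        first = origin.get(rec["session"])
        if first and (rec["ua"], rec["ip"]) != first:
            flagged.append((rec["user"], rec["session"], rec["ua"], rec["ip"]))
    return flagged

def hiding_rules(rules):
    """Flag inbox rules that match HR/payroll terms and either move the mail to
    a folder nobody reads, delete it, or carry a throwaway one-character name."""
    flagged = []
    for r in rules:
        hr_match = any(k.lower() in HR_TERMS for k in r["keywords"])
        hides = r["action"] == "delete" or (
            r["action"] == "move" and r.get("folder", "").lower() in HIDING_FOLDERS)
        odd_name = len(r["name"].strip()) <= 1
        if hr_match and (hides or odd_name):
            flagged.append((r["user"], r["name"], r.get("folder", "")))
    return flagged

if __name__ == "__main__":
    for hit in token_replay_candidates(SIGNINS): print("possible token replay:", hit)
    for hit in hiding_rules(RULES): print("suspicious inbox rule:", hit)
```

Real sign-in and rule exports carry many more fields; the point is the two conditions, which a practitioner would re-express against their own tenant's schema.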