What happened
A financially motivated threat actor tracked as Storm-2755 is hijacking salary payments in Canada through payroll redirection attacks aimed at employee Microsoft 365 accounts. The attackers used fake Microsoft 365 sign-in pages hosted on malicious domains to steal authentication tokens and session cookies, often by pushing those pages high in search results through malvertising or SEO poisoning. That allowed them to bypass traditional MFA by replaying stolen session tokens instead of forcing a fresh login. After gaining access, the attackers created inbox rules to hide messages from HR containing terms like “direct deposit” or “bank,” then searched mailboxes for payroll-related terms and emailed HR staff to request banking changes. Where social engineering failed, they used the stolen session to log directly into HR platforms such as Workday and manually update direct deposit details.
Who is affected
The direct exposure affects Canadian employees whose Microsoft 365 accounts are targeted, along with the HR and payroll teams responsible for handling direct deposit changes. The activity also affects organizations using platforms such as Workday where a stolen authenticated session can be used to alter payroll instructions.
Why CISOs should care
This matters because the attack is designed to bypass legacy MFA protections by stealing and replaying authenticated session tokens rather than just harvesting usernames and passwords. It also combines mailbox rule abuse, HR impersonation, and direct payroll-system access in a way that can quickly turn an identity compromise into financial loss for employees and operational risk for employers.
3 practical actions
- Move to phishing-resistant MFA: Prioritize phishing-resistant authentication controls because the attackers are using adversary-in-the-middle methods to bypass legacy MFA with stolen session tokens.
- Revoke sessions and remove inbox rules fast: If compromise is suspected, immediately revoke active sessions and tokens, delete malicious inbox rules, and reset affected credentials and MFA methods.
- Harden payroll change workflows: Tighten verification for direct deposit updates and watch for unusual emails to HR or payroll staff referencing banking changes, payroll, or finance.
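To make the second action concrete, here is an added triage script (not from the original article or any vendor) that scans a mailbox's inbox rules for the pattern described above: rules whose conditions match payroll terms and whose actions hide the message. The sample rules are constructed for this example, and their shape follows Microsoft Graph messageRule objects (an assumption about the export format used).

```python
import json

# Terms the article reports the hiding rules match on, plus a few extra
# payroll-related words a defender would add (the extras are an assumption).
PAYROLL_TERMS = ("direct deposit", "bank", "payroll", "salary", "routing")

# Graph messageRule actions that keep a message out of the user's view.
HIDING_ACTIONS = ("delete", "permanentDelete", "moveToFolder", "markAsRead")

# Condition keys that carry free-text match strings.
TEXT_CONDITIONS = ("subjectContains", "bodyContains",
                   "bodyOrSubjectContains", "senderContains")


def rule_suppresses_payroll_mail(rule):
    """True if the rule matches a payroll term AND hides the matching mail."""
    cond = rule.get("conditions") or {}
    texts = [t.lower() for key in TEXT_CONDITIONS for t in cond.get(key, [])]
    matches_payroll = any(term in t for t in texts for term in PAYROLL_TERMS)
    acts = rule.get("actions") or {}
    hides = any(acts.get(a) for a in HIDING_ACTIONS)
    return matches_payroll and hides


def flag_suspicious_rules(rules):
    """Return display names of enabled rules worth an analyst's review."""
    return [r.get("displayName", "<unnamed>") for r in rules
            if r.get("isEnabled", True) and rule_suppresses_payroll_mail(r)]


# Constructed sample export: one rule with a one-character name that deletes
# HR mail, one that files payroll mail away, one benign rule, one disabled rule.
SAMPLE_RULES = json.loads("""[
  {"displayName": ".", "isEnabled": true,
   "conditions": {"subjectContains": ["direct deposit", "bank"]},
   "actions": {"delete": true, "markAsRead": true, "stopProcessingRules": true}},
  {"displayName": "HR to folder", "isEnabled": true,
   "conditions": {"bodyOrSubjectContains": ["Payroll"]},
   "actions": {"moveToFolder": "FOLDER-ID-PLACEHOLDER"}},
  {"displayName": "Newsletters", "isEnabled": true,
   "conditions": {"senderContains": ["newsletter"]},
   "actions": {"moveToFolder": "FOLDER-ID-PLACEHOLDER"}},
  {"displayName": "Old rule", "isEnabled": false,
   "conditions": {"subjectContains": ["bank"]}, "actions": {"delete": true}}
]""")

if __name__ == "__main__":
    for name in flag_suspicious_rules(SAMPLE_RULES):
        print(f"review inbox rule: {name!r}")
```

A hit is a triage signal, not proof of compromise: a user may legitimately file payroll mail into a folder, so pair the result with sign-in and rule-creation audit events before revoking sessions.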
