Payroll Pirates: Storm-2755 Hijacks Canadian Employee Accounts with AiTM Attacks
A financially motivated threat actor, tracked as **Storm-2755**, is targeting Canadian employees by hijacking their accounts to steal salary payments. The group leverages sophisticated adversary-in-the-middle (AiTM) attacks to bypass multi-factor authentication (MFA) and manipulate direct deposit information.

**Storm-2755** is conducting payroll pirate attacks by stealing Canadian employees' salary payments after gaining unauthorized access to their accounts.
### AiTM Attack Methodology
The attackers employ malicious **Microsoft 365** sign-in pages to steal victims' authentication tokens and session cookies. This is achieved by redirecting users to domains like `bluegraintours[.]com`, which host malicious web pages masquerading as legitimate **Microsoft 365** login forms. These malicious pages are often pushed to the top of search engine results through malvertising or SEO poisoning techniques.
This tactic allows **Storm-2755** to bypass multi-factor authentication (MFA) through adversary-in-the-middle (AiTM) attacks. Instead of re-authenticating, the attackers replay stolen session tokens.
>"Rather than harvesting only usernames and passwords, AiTM frameworks proxy the entire authentication flow in real time, enabling the capture of session cookies and OAuth access tokens issued upon successful authentication," **Microsoft** explained.
>"Due to these tokens representing a fully authenticated session, threat actors can reuse them to gain access to Microsoft services without being prompted for credentials or MFA, effectively bypassing legacy MFA protections not designed to be phishing-resistant."

*Storm-2755 attack flow (Microsoft)*
### Tactics Post-Account Compromise
Once an account is compromised, the attackers create inbox rules to automatically move messages from human resources staff containing keywords like "direct deposit" or "bank" to hidden folders. This prevents victims from noticing the fraudulent activity.
Next, they search for terms like "payroll," "HR," "direct deposit," and "finance" and send emails to human resources staff with subjects like "Question about direct deposit" to trick them into updating banking information.
If social engineering fails, the attackers directly log into HR software platforms such as **Workday**, using the stolen session to manually update direct deposit details.

*Storm-2755 emailing HR staff (Microsoft)*
### Mitigation Strategies
To defend against AiTM and payroll pirate attacks, **Microsoft** recommends:
* Blocking legacy authentication protocols.
* Implementing phishing-resistant MFA.
* Revoking compromised tokens and sessions immediately upon detection.
* Removing malicious inbox rules.
* Resetting MFA methods and credentials for all affected accounts.
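The inbox-rule tactic described above and the "remove malicious inbox rules" recommendation both come down to the same detection question: which newly created rules match payroll keywords and then hide the matching mail? The following triage script is an added example, not code from Microsoft or the original article; the audit-record shape, folder list and sample records are constructed assumptions modelled on an Exchange unified audit export.

```python
# Payroll-related keywords named in the article, plus a few assumed variants
PAYROLL_TERMS = {"direct deposit", "bank", "payroll", "hr", "finance", "salary"}
# Folders a user rarely routes HR mail into on purpose (assumed list)
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items", "notes"}

def parse_rule_params(record):
    """Flatten the Parameters array of a New-InboxRule / Set-InboxRule
    audit record into a lower-cased dict, tolerating missing fields."""
    return {p.get("Name", "").lower(): str(p.get("Value", ""))
            for p in record.get("Parameters", [])}

def is_suspicious_rule(record):
    """Flag rules that match payroll keywords AND hide the matching mail
    (move to an unusual folder, delete it, or silently mark it read)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    p = parse_rule_params(record)
    text = " ".join(p.get(k, "") for k in
                    ("subjectcontainswords", "bodycontainswords",
                     "subjectorbodycontainswords", "from")).lower()
    keyword_hit = any(t in text for t in PAYROLL_TERMS)
    target = p.get("movetofolder", "").lower().split("\\")[-1]
    hides = (target in HIDING_FOLDERS
             or p.get("deletemessage", "").lower() == "true"
             or p.get("markasread", "").lower() == "true")
    return keyword_hit and hides

def triage(records):
    """Return (user, rule name) for every suspicious rule in an audit export."""
    return [(r.get("UserId"), parse_rule_params(r).get("name", "<unnamed>"))
            for r in records if is_suspicious_rule(r)]

# Constructed sample records (not real telemetry) in the shape of an audit export
SAMPLE = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.invalid",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "direct deposit;bank"},
                    {"Name": "MoveToFolder", "Value": "\\RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.invalid",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.invalid"},
                    {"Name": "MoveToFolder", "Value": "\\Newsletters"}]},
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # [('alice@example.invalid', '.')]
```

A one-character rule name such as "." is itself a common giveaway and could be added as a second scoring signal alongside the folder check.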
### Prior Payroll Attacks
In October, **Microsoft** disrupted a similar payroll campaign that had been targeting **Workday** accounts since March 2025. This campaign, conducted by **Storm-2657**, targeted university employees across the United States, hijacking salary payments using phishing emails and AiTM tactics to steal MFA codes and compromise Exchange Online accounts.
Payroll pirate attacks are a form of business email compromise (BEC) scams. The FBI's Internet Crime Complaint Center (IC3) reported over 24,000 BEC fraud complaints last year, resulting in losses exceeding $3 billion.