Security Risk Advisors (SRA) recently identified an active cyber threat targeting corporate finance departments. Known as the Payroll Pirate campaign, this malicious activity focuses on stealing employee salary payments. Specifically, the adversaries compromise accounts belonging to HR, payroll, and administrative personnel. Because the attack leaves no endpoint footprint, organizations must rely on cloud telemetry to detect the intrusion.
How the Multi-Stage Attack Works
First, the threat actors use phishing to intercept user credentials. During this initial stage, they employ adversary-in-the-middle (AiTM) session hijacking to bypass multi-factor authentication (MFA). According to the SRA threat bulletin, “The actor steals authenticated Microsoft 365 sessions through AITM techniques, replays the stolen tokens to bypass MFA, enumerates the directory through the Microsoft Graph API to identify payroll and HR personnel, and ultimately redirects employee salary payments.” Consequently, traditional security perimeters fail to block the unauthorized access.
After gaining entry, the attackers execute bulk directory reconnaissance. To achieve this, they run nearly identical Graph API queries using specific keywords like “payroll” and “hr”. Therefore, they can harvest sensitive directory information without raising immediate alarms.
Infrastructure Split and Global Footprint
Interestingly, the Payroll Pirate campaign demonstrates a distinctive infrastructure setup. SRA analysts observed that authentication attempts come from United States mobile networks. However, the subsequent directory reconnaissance originates from Canadian residential internet service providers. This split helps the criminals obscure their actual physical location from security teams.
Microsoft attributes this ongoing cluster of activity to threat groups Storm-2755 and Storm-2657. These actors have successfully hit multiple sectors, including healthcare, manufacturing, and food services. In each instance, their primary goal remains direct financial theft through account manipulation.
Defending Against Identity Threats
To mitigate these risks, organizations must implement robust cloud safeguards immediately. SRA recommends enforcing phishing-resistant authentication methods like FIDO2 keys or Windows Hello for Business. Furthermore, security teams should actively track Graph audit telemetry. As highlighted by investigators, “Graph audit telemetry detected this campaign and is the only data source covering the directory reconnaissance stage.” Finally, administrators must audit enterprise applications to eliminate persistent OAuth backdoors established during a compromise.
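The two telemetry-only signals described above, keyword-driven Graph directory queries during the reconnaissance stage and a session that authenticates from one network but is then used from another, can be checked mechanically against Graph audit and sign-in data. The following is an added example written for this page, not SRA's or Microsoft's code: the event schema is a simplified stand-in for real Graph activity and sign-in logs, the `net`/`country` labels stand in for an ASN/geo enrichment step, and the keyword list, window and threshold are assumptions to tune for your tenant.

```python
"""Added example (not SRA's or Microsoft's code): two detections for the
Payroll Pirate tradecraft over a constructed, simplified feed of Graph
audit and sign-in events. Schema, keywords and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Keywords the article reports the actor searching the directory for.
RECON_KEYWORDS = ("payroll", "hr")
# Directory collections whose bulk querying is the reconnaissance stage.
DIRECTORY_PATHS = ("/v1.0/users", "/beta/users", "/v1.0/groups", "/beta/groups")
RECON_WINDOW = timedelta(minutes=10)   # assumed sliding window
RECON_THRESHOLD = 3                    # assumed keyword queries per user per window

# Constructed sample events. "kind" is SignIn or Graph; "net"/"country" are a
# stand-in for ASN/geo enrichment that a real pipeline would perform.
SAMPLE_EVENTS = [
    {"ts": "2025-10-01T13:00:00", "user": "hr.clerk@example.com", "session": "S1",
     "kind": "SignIn", "net": "mobile", "country": "US", "uri": ""},
    {"ts": "2025-10-01T13:04:10", "user": "hr.clerk@example.com", "session": "S1",
     "kind": "Graph", "net": "residential", "country": "CA",
     "uri": "https://graph.microsoft.com/v1.0/users?$search=%22displayName:payroll%22"},
    {"ts": "2025-10-01T13:04:12", "user": "hr.clerk@example.com", "session": "S1",
     "kind": "Graph", "net": "residential", "country": "CA",
     "uri": "https://graph.microsoft.com/v1.0/users?$filter=startswith(jobTitle,'Payroll')"},
    {"ts": "2025-10-01T13:04:15", "user": "hr.clerk@example.com", "session": "S1",
     "kind": "Graph", "net": "residential", "country": "CA",
     "uri": "https://graph.microsoft.com/v1.0/groups?$search=%22displayName:HR%22"},
    # Benign: an admin who signs in and queries from the same network, with a
    # single HR-related lookup followed by an ordinary profile read.
    {"ts": "2025-10-01T14:00:00", "user": "it.admin@example.com", "session": "S2",
     "kind": "SignIn", "net": "corporate", "country": "US", "uri": ""},
    {"ts": "2025-10-01T14:01:00", "user": "it.admin@example.com", "session": "S2",
     "kind": "Graph", "net": "corporate", "country": "US",
     "uri": "https://graph.microsoft.com/v1.0/users?$filter=department eq 'HR'"},
    {"ts": "2025-10-01T14:01:30", "user": "it.admin@example.com", "session": "S2",
     "kind": "Graph", "net": "corporate", "country": "US",
     "uri": "https://graph.microsoft.com/v1.0/me"},
]


def is_recon_query(uri):
    """True if the request targets a directory collection and its $search or
    $filter terms contain a reconnaissance keyword as a whole word (whole-word
    matching keeps 'hr' from firing on names such as 'Chris')."""
    parsed = urlparse(uri)
    if not any(parsed.path.startswith(p) for p in DIRECTORY_PATHS):
        return False
    params = parse_qs(parsed.query)
    terms = " ".join(v for key in ("$search", "$filter") for v in params.get(key, []))
    tokens = {t.lower() for t in re.findall(r"[A-Za-z]+", terms)}
    return any(k in tokens for k in RECON_KEYWORDS)


def detect_directory_recon(events, window=RECON_WINDOW, threshold=RECON_THRESHOLD):
    """Return {user: queries_in_busiest_window} for users who issue at least
    `threshold` keyword-bearing directory queries inside any `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["kind"] == "Graph" and is_recon_query(e["uri"]):
            per_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    hits = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[user] = best
    return hits


def detect_session_network_split(events):
    """Return {session: (user, description)} for sessions whose Graph activity
    comes from a different network class or country than the sign-in that
    created the session (the US-mobile / CA-residential split in the article)."""
    signins = {e["session"]: e for e in events if e["kind"] == "SignIn"}
    findings = {}
    for e in events:
        if e["kind"] != "Graph" or e["session"] not in signins or e["session"] in findings:
            continue
        s = signins[e["session"]]
        if (e["net"], e["country"]) != (s["net"], s["country"]):
            findings[e["session"]] = (
                e["user"],
                f"sign-in {s['country']}/{s['net']} -> graph {e['country']}/{e['net']}",
            )
    return findings


if __name__ == "__main__":
    print("directory recon:", detect_directory_recon(SAMPLE_EVENTS))
    print("session network split:", detect_session_network_split(SAMPLE_EVENTS))
```

Run as-is, the sample data produces one reconnaissance hit for the HR clerk (three keyword queries within seconds) and one session-split finding for the same session, while the admin's single department lookup from a consistent network stays quiet. In production the same two functions would consume the Graph activity and sign-in records the bulletin points to, with `net` and `country` filled in by an ASN/geo lookup rather than hard-coded.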