Storm-2755 attack flow | Image: Microsoft
Researchers from the Microsoft Incident Response – Detection and Response Team (DART) have identified an emerging threat actor, tracked as Storm-2755, who has perfected the art of the “payroll pirate” attack.
The campaign is a sophisticated blend of technical bypasses and classic social engineering, designed to quietly divert salary payments into attacker-controlled accounts before the victim or the employer even realizes a breach has occurred.
Unlike many state-sponsored actors that target specific industries, Storm-2755 takes a broader, geographic approach. According to the Microsoft report, “the actor relied exclusively on geographic targeting of Canadian users and used malvertising and search engine optimization (SEO) poisoning on industry agnostic search terms to identify victims”.
When a user clicks on one of these “poisoned” search results, they are led into an Adversary-in-the-Middle (AiTM) trap: a phishing page that proxies the real sign-in flow, so the victim completes MFA against the legitimate identity provider while the attacker captures the resulting session token and replays it. The most dangerous aspect of this approach is its efficiency: it allows the actor to “bypass multifactor authentication (MFA) and blend into legitimate user activity”, because the stolen session shows up as the user’s own successfully authenticated session rather than as a failed or suspicious login.
Once Storm-2755 gains access to an employee’s profile, the “piracy” begins. The actor’s primary goal is to change direct deposit details. In many cases, they attempt to do this by impersonating the employee in emails to Human Resources.
A sample email intercepted by researchers shows the actor’s conversational tone: “Hi there, I’m setting up a new banking package and need to change my direct deposit details, should I send the void cheque to this email, or is there another place I should upload or drop it off?”.

However, if social engineering fails, Storm-2755 isn’t afraid to get their hands dirty. Microsoft observed “a pivot to direct interaction and manual manipulation of HR software-as-a-service (SaaS) programs such as Workday”. By manually navigating these platforms, the attackers can often override security questions or update banking information directly from the hijacked session.
Microsoft has been proactive in countering this emerging threat, engaging in “multiple disruption efforts to help prevent further compromise, including tenant takedown”.
To protect your organization from becoming the next port of call for Storm-2755, security experts recommend several layers of defense:
- Educate Employees: Raise awareness about the risks of clicking on search engine ads for login portals and the nature of AITM attacks.
- Harden HR SaaS Access: Implement strict conditional access policies (phishing-resistant MFA such as FIDO2/passkeys, which AiTM proxies cannot replay) and monitor for unusual changes to direct deposit information, especially from IPs or sessions that differ from the user’s normal sign-in pattern.
- Verify Out-of-Band: HR departments should implement a policy of calling employees on a known phone number to verify any request for changes to banking or payroll information.
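The monitoring recommended above, and the AiTM token-replay behaviour described earlier, can be turned into a concrete correlation rule. The following is an added example, not Microsoft’s detection logic and not a real Workday or Entra log schema: it assumes two constructed event streams (identity sign-ins and HR audit changes, with hypothetical field names such as `direct_deposit_account` and `security_question`) and flags a payroll change when the session performing it comes from an IP absent from the user’s 30-day baseline, follows a sign-in from a new country, or follows a recovery-question change within 24 hours.

```python
"""Correlate sign-in telemetry with HR SaaS audit events to flag payroll-diversion attempts.

Added example with constructed data; field names and the two log shapes are assumptions,
not the schema of any real product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    country: str


@dataclass(frozen=True)
class HrChange:
    ts: datetime
    user: str
    field: str   # hypothetical audit field name
    ip: str      # IP of the session that made the change


PAYROLL_FIELDS = {"direct_deposit_account", "direct_deposit_routing"}
RECOVERY_FIELDS = {"security_question"}
BASELINE = timedelta(days=30)   # how far back "normal" sign-ins are collected
WINDOW = timedelta(hours=24)    # how close a precursor event must be to the change


def baseline_for(signins: List[SignIn], user: str, change_ts: datetime):
    """IPs and countries the user authenticated from in the 30 days before the 24h window."""
    cutoff = change_ts - WINDOW
    hist = [s for s in signins if s.user == user and cutoff - BASELINE <= s.ts < cutoff]
    return {s.ip for s in hist}, {s.country for s in hist}


def flag_payroll_changes(signins: List[SignIn], changes: List[HrChange]) -> List[Tuple[str, str, List[str]]]:
    """Return (user, field, reasons) for every bank-detail change with at least one risk signal."""
    alerts = []
    for c in changes:
        if c.field not in PAYROLL_FIELDS:
            continue
        ips, countries = baseline_for(signins, c.user, c.ts)
        reasons = []
        # A replayed AiTM token is used from attacker infrastructure, so the change IP
        # is typically absent from the user's own sign-in history. (A brand-new user with
        # no baseline is flagged too; that is intentional and should go to manual review.)
        if c.ip not in ips:
            reasons.append(f"change made from IP {c.ip} absent from 30-day baseline")
        recent = [s for s in signins if s.user == c.user and c.ts - WINDOW <= s.ts <= c.ts]
        new_countries = {s.country for s in recent} - countries
        if countries and new_countries:
            reasons.append(f"preceding sign-in from new country {sorted(new_countries)}")
        # Resetting recovery/security questions right before a bank change is the manual
        # HR-portal manipulation path described in the article.
        prior = [x for x in changes
                 if x.user == c.user and x.field in RECOVERY_FIELDS and c.ts - WINDOW <= x.ts < c.ts]
        if prior:
            reasons.append("recovery/security question changed in the preceding 24h")
        if reasons:
            alerts.append((c.user, c.field, reasons))
    return alerts


# Constructed sample telemetry (not real logs). alice behaves normally; bob's account
# is used from a never-seen IP and country shortly after a security-question change.
T = datetime(2025, 10, 1, 9, 0)
SIGNINS = [
    SignIn(T - timedelta(days=20), "alice", "203.0.113.10", "CA"),
    SignIn(T - timedelta(days=5), "alice", "203.0.113.10", "CA"),
    SignIn(T - timedelta(hours=1), "alice", "203.0.113.10", "CA"),
    SignIn(T - timedelta(days=25), "bob", "203.0.113.20", "CA"),
    SignIn(T - timedelta(days=3), "bob", "203.0.113.20", "CA"),
    SignIn(T - timedelta(hours=2), "bob", "198.51.100.77", "NL"),
]
CHANGES = [
    HrChange(T, "alice", "direct_deposit_account", "203.0.113.10"),
    HrChange(T - timedelta(hours=1, minutes=30), "bob", "security_question", "198.51.100.77"),
    HrChange(T - timedelta(minutes=30), "bob", "direct_deposit_account", "198.51.100.77"),
    HrChange(T, "bob", "emergency_contact", "198.51.100.77"),
]

if __name__ == "__main__":
    for user, fld, reasons in flag_payroll_changes(SIGNINS, CHANGES):
        print(f"ALERT {user} changed {fld}:")
        for r in reasons:
            print(f"  - {r}")
```

Run against the sample data, only bob’s direct-deposit change is raised, with all three signals; alice’s change from her usual IP and the non-payroll field are ignored. In production the alert should route to the out-of-band verification step above rather than auto-block, since a legitimate employee changing banks from a new laptop will trip the IP rule.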