Payroll pirate attacks targeting Canadian employees

Microsoft Incident Response researchers identified Storm-2755, a financially motivated threat actor conducting payroll pirate attacks against Canadian users. The campaign uses malvertising and SEO poisoning on generic search terms such as "Office 365" to lure victims to a fraudulent sign-in page. Through adversary-in-the-middle techniques, the actor captures authentication tokens and session cookies, bypassing MFA protections. Storm-2755 maintains persistence by using the Axios HTTP client to replay stolen tokens, then conducts discovery for payroll and HR contacts. The actor impersonates compromised users to socially engineer HR staff, or directly manipulates payroll systems such as Workday. Malicious inbox rules hide the related correspondence from victims. The attacks resulted in direct financial losses through salary payments redirected to attacker-controlled bank accounts.
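As an added defender-side example (not code from the pulse or from Microsoft's report), the following Python sketches two detections that follow from the chain described above: a session first seen from a browser and later reused from an axios/ user agent at a different IP, and inbox rules that both match payroll or HR terms and hide the mail. The field names, sample events, rule shape and keyword lists are constructed assumptions, not a real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical field names, not a real log schema).
SIGNINS = [
    {"ts": "2026-04-01T09:00:00", "user": "alice@example.ca", "session": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/123"},
    {"ts": "2026-04-01T09:07:00", "user": "alice@example.ca", "session": "S1",
     "ip": "198.51.100.77", "ua": "axios/1.6.8"},
    {"ts": "2026-04-01T10:00:00", "user": "bob@example.ca", "session": "S2",
     "ip": "203.0.113.11", "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
]

# Constructed sample inbox rules (hypothetical shape).
RULES = [
    {"user": "alice@example.ca", "name": "Cleanup",
     "keywords": ["payroll", "direct deposit"], "actions": ["delete", "mark_read"]},
    {"user": "bob@example.ca", "name": "Newsletters",
     "keywords": ["newsletter"], "actions": ["move:Newsletters"]},
]

# Assumed keyword and action lists; tune to the organisation's own HR/payroll vocabulary.
PAYROLL_TERMS = {"payroll", "direct deposit", "hr", "workday", "bank"}
HIDING_ACTIONS = {"delete", "mark_read", "move:rss feeds", "move:deleted items", "move:archive"}

def replayed_sessions(events, window=timedelta(hours=24)):
    """Flag a session first seen from one client and later reused from a
    scripted axios/ client at a different IP within the window."""
    first, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        key = (e["user"], e["session"])
        t = datetime.fromisoformat(e["ts"])
        if key not in first:
            first[key] = (t, e["ip"])
            continue
        t0, ip0 = first[key]
        if e["ua"].lower().startswith("axios/") and e["ip"] != ip0 and t - t0 <= window:
            hits.append({"user": e["user"], "session": e["session"],
                         "orig_ip": ip0, "replay_ip": e["ip"], "ua": e["ua"]})
    return hits

def suspicious_inbox_rules(rules):
    """Flag rules that both match payroll/HR terms and hide the matching mail."""
    out = []
    for r in rules:
        kw = {k.lower() for k in r["keywords"]}
        acts = {a.lower() for a in r["actions"]}
        if kw & PAYROLL_TERMS and acts & HIDING_ACTIONS:
            out.append((r["user"], r["name"]))
    return out
```

Either hit alone is a weak signal; the two together on the same mailbox within a short window is the pattern worth paging on.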

Pulse ID: 69d80c2c976a9ec209e19217
Pulse Link: https://otx.alienvault.com/pulse/69d80c2c976a9ec209e19217
Pulse Author: AlienVault
Created: 2026-04-09 20:29:32

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AdversaryInTheMiddle #Bank #Canadian #Cookies #CyberSecurity #HTTP #InfoSec #MFA #Malvertising #Microsoft #OTX #Office #OpenThreatExchange #RAT #SEOPoisoning #Troll #bot #iOS #AlienVault