Full Report
A financially motivated threat actor tracked as Storm-2755 is stealing Canadian employees' salary payments after hijacking their accounts in payroll pirate attacks. [...]
Analysis Summary
# Threat Actor: Storm-2755
## Attribution & Identity
- **Actor Identification:** Storm-2755 is a financially motivated cybercrime group.
- **Aliases:** None currently listed, though they are categorized under Microsoft's "Storm" designation for emerging, developing, or unidentified groups.
- **Associated Groups:** The activity is similar to **Storm-2657**, another "payroll pirate" actor that targeted US-based university employees in 2025.
## Activity Summary
Storm-2755 specializes in "payroll pirate" attacks, a specific sub-type of Business Email Compromise (BEC). Their recent operations involve hijacking Microsoft 365 accounts of Canadian employees to redirect salary payments. The actors utilize Adversary-in-the-Middle (AiTM) techniques to bypass Multi-Factor Authentication (MFA) and gain persistent access to corporate communications and HR software.
## Tactics, Techniques & Procedures
- **Initial Access:** SEO poisoning and malvertising are used to push malicious Microsoft 365 sign-in pages to the top of search results.
- **Adversary-in-the-Middle (AiTM):** A proxy placed between the victim and the real Microsoft 365 sign-in relays the entire authentication flow and captures the resulting session cookie and OAuth access token, which defeats any MFA method that is not phishing-resistant.
- **Defense Evasion:**
  - Creation of inbox rules to auto-move emails from HR containing keywords like "direct deposit" or "bank" to hidden folders.
  - Token replay to maintain access without re-authenticating.
- **Internal Reconnaissance:** Searching compromised accounts for keywords such as "payroll," "HR," "direct deposit," and "finance."
- **Social Engineering:** Impersonating the victim to send emails to HR staff with the subject line "Question about direct deposit."
- **Direct Manipulation:** If social engineering fails, the actor logs directly into HR platforms (e.g., Workday) using the stolen session to update banking information manually.
**MITRE ATT&CK Mapping:**
- **T1566.002:** Phishing: Spearphishing Link (via SEO Poisoning/Malvertising)
- **T1556:** Modify Authentication Process (AiTM)
- **T1114.003:** Email Collection: Email Forwarding Rule
- **T1567:** Exfiltration Over Web Service (Redirecting payroll)
## Targeting
- **Sectors:** Broadly targeting organizations with HR/Payroll departments; specific mention of Higher Education (in similar Storm-2657 campaigns).
- **Geography:** Primarily Canada (Storm-2755); United States (associated Storm-2657).
- **Victims:** Corporate employees and HR departments.
## Tools & Infrastructure
- **Malware:** Not specified; focus is on AiTM frameworks and phishing kits.
- **Infrastructure:**
  - `bluegraintours[.]com` (Phishing hosting)
  - Spoofed Microsoft 365 sign-in pages.
- **Platforms Exploited:** Microsoft 365, Exchange Online, Workday.
## Implications
Storm-2755 represents a sophisticated evolution of BEC. By moving beyond traditional credential harvesting to AiTM token theft, they have rendered legacy MFA (such as SMS or app-based push notifications) ineffective. This threat emphasizes the financial risk posed by "payroll piracy," where attackers exploit the trust between employees and HR departments to divert significant sums of money.
## Mitigations
- **Phishing-Resistant MFA:** Implement FIDO2-based security keys or certificate-based authentication to prevent AiTM token theft.
- **Revocation:** If compromise is suspected, immediately revoke all active session tokens and reset MFA methods/passwords.
- **Audit Rules:** Frequently monitor for unauthorized inbox rules or hidden folders.
- **Legacy Auth:** Disable legacy authentication protocols that do not support MFA.
- **Process Controls:** Require out-of-band verification (e.g., phone call or in-person) for any requests to change banking or direct deposit details.
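The hiding inbox rules listed under Defense Evasion and the "Audit Rules" mitigation above both come down to the same detection: find rule creations or modifications that match HR/payroll keywords and then move, delete, or mark-as-read the matching mail. The following is an added example written for this summary, not code from the report, Microsoft, or any named tool. It assumes Exchange Online inbox-rule audit events shaped like the unified audit log output (an `Operation` of `New-InboxRule` or `Set-InboxRule`, a `UserId`, and `Parameters` as a list of `Name`/`Value` pairs); the sample events, the folder list, and the rule-name fields (`Name`/`Identity`) are constructed assumptions that should be checked against your tenant's actual records.

```python
"""
Added example (not from the report): triage Exchange Online inbox-rule audit
events for the payroll-pirate hiding pattern (HR/payroll keywords + hide action).
Event shape and all sample records below are constructed assumptions.
"""
import re

# Keywords the report says the actor searches for and filters on in HR mail.
PAYROLL_KEYWORDS = ("direct deposit", "payroll", "bank", "hr", "finance")

# Rule parameters that test message content or sender.
MATCH_PARAMS = (
    "SubjectContainsWords",
    "BodyContainsWords",
    "SubjectOrBodyContainsWords",
    "FromAddressContainsWords",
)

# Folders a mailbox owner rarely opens; mail moved there is effectively hidden.
# Assumed list, tune to your tenant's folder names.
HIDDEN_FOLDERS = {
    "rss subscriptions", "rss feeds", "archive", "conversation history",
    "junk email", "deleted items", "notes",
}

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def parameters(record):
    """Flatten the Parameters list into {Name: value-as-string}."""
    out = {}
    for param in record.get("Parameters", []):
        value = param.get("Value", "")
        if isinstance(value, (list, tuple)):      # multi-valued parameters
            value = ";".join(str(v) for v in value)
        out[param["Name"]] = str(value)
    return out


def is_true(value):
    return value.strip().lower() in ("true", "1", "$true")


def matched_keywords(params):
    """Keywords present as whole words/phrases in any content or sender test."""
    found = set()
    for name in MATCH_PARAMS:
        words = re.findall(r"[a-z0-9]+", params.get(name, "").lower())
        haystack = f" {' '.join(words)} "
        for kw in PAYROLL_KEYWORDS:
            if (" " in kw and f" {kw} " in haystack) or kw in words:
                found.add(kw)
    return found


def triage_rule(record):
    """Reasons an inbox-rule event looks like payroll-pirate evasion ([] = none)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = parameters(record)
    hides = []
    folder = params.get("MoveToFolder", "")
    # Audit values look like ':\RSS Subscriptions'; keep only the leaf folder name.
    leaf = folder.rsplit("\\", 1)[-1].strip().lower()
    if leaf in HIDDEN_FOLDERS:
        hides.append(f"moves matching mail to rarely viewed folder '{leaf}'")
    if is_true(params.get("DeleteMessage", "")):
        hides.append("deletes matching mail")
    if is_true(params.get("MarkAsRead", "")):
        hides.append("marks matching mail as read")
    keywords = matched_keywords(params)
    if not (keywords and hides):
        return []
    return ["targets HR/payroll mail (" + ", ".join(sorted(keywords)) + ")"] + hides


def triage(events):
    """Return one finding per suspicious rule event, in input order."""
    findings = []
    for event in events:
        reasons = triage_rule(event)
        if reasons:
            params = parameters(event)
            findings.append({
                "user": event.get("UserId", "?"),
                "rule": params.get("Name") or params.get("Identity") or "?",
                "reasons": reasons,
            })
    return findings


# Constructed sample events; the first and third follow the pattern in the report.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "employee@corp.example",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "direct deposit;bank"},
         {"Name": "MoveToFolder", "Value": ":\\RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "employee@corp.example",   # benign filter
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": ":\\Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "employee@corp.example",   # silently drops HR mail
     "Parameters": [
         {"Name": "Identity", "Value": "Cleanup"},
         {"Name": "FromAddressContainsWords", "Value": "hr@corp.example"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "UserLoggedIn", "UserId": "employee@corp.example", "Parameters": []},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["user"], repr(finding["rule"]), "->", "; ".join(finding["reasons"]))
```

Run the same logic over the output of an audit-log search filtered to inbox-rule operations; a rule named with a single punctuation character, a move into a feed or archive folder, or a `Set-InboxRule` that adds `DeleteMessage` to an existing rule are the details worth escalating, and any hit should be paired with the token revocation and MFA reset listed above rather than just deleting the rule.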