Payroll pirate attacks targeting Canadian employees
Microsoft Incident Response researchers identified a financially motivated threat actor, Storm-2755, conducting payroll pirate attacks targeting Canadian employees. The campaign uses malvertising and SEO poisoning on generic search terms such as "Office 365" to lure victims to fraudulent sign-in pages. Using adversary-in-the-middle techniques, the attacker captures authentication tokens and session cookies, bypassing multi-factor authentication. The actor maintains persistence by replaying stolen tokens and conducts discovery to identify payroll and HR contacts. They impersonate compromised users to socially engineer HR staff or manipulate payroll systems like Workday, using malicious inbox rules to hide their activity. These attacks have resulted in direct financial losses through redirected salary payments to attacker-controlled accounts.
AI Analysis
Technical Summary
Storm-2755 is a financially motivated threat actor targeting Canadian users with payroll pirate attacks, that is, intrusions whose end goal is to redirect an employee's salary payments to an attacker-controlled bank account. The campaign leverages malvertising and SEO poisoning so that victims searching for generic terms like "Office 365" land on fraudulent sign-in pages. Through adversary-in-the-middle (AITM) techniques, the phishing page proxies the real sign-in flow and captures the resulting authentication tokens and session cookies, so the attacker obtains an authenticated session even though the victim completed MFA. Persistence is maintained by replaying the stolen tokens, reportedly with the Axios HTTP client, rather than by re-authenticating. The actor then performs discovery to identify payroll and HR contacts, and either impersonates the compromised user to socially engineer HR personnel or changes payment details directly in payroll systems such as Workday. Malicious inbox rules are created in the compromised mailbox to delete or hide the attacker's correspondence from the account owner. The attacks have caused direct financial losses by redirecting salary payments to attacker-controlled bank accounts. Because this is a credential- and session-theft campaign rather than the exploitation of a software flaw, there is no patch to apply; the available data contains no vendor remediation guidance beyond the referenced Microsoft write-up.
Potential Impact
Because the AITM page relays the legitimate sign-in flow, the victim satisfies MFA and the attacker walks away with the resulting session cookie and tokens; MFA is not defeated cryptographically, it is simply completed on the attacker's behalf. The stolen session remains usable until it expires or is revoked, which gives the actor time to discover payroll and HR contacts and to manipulate payroll systems, resulting in direct financial losses through redirected salary payments. Correspondence is sent and received from the legitimate mailbox, and malicious inbox rules hide it from the owner, so both the victim and the HR team see what looks like a normal conversation, which complicates detection and response. The campaign specifically targets Canadian employees, causing financial and operational impacts to affected organizations.
Mitigation Recommendations
This campaign abuses stolen sessions and social engineering rather than a software vulnerability, so there is no patch to wait for. CVE-2025-27152 appears among the pulse's indicators, but the description does not tie it to the intrusion chain; treat it as a tag on the pulse rather than as the fix for this activity, and follow the referenced Microsoft write-up for the vendor's own guidance. Given the attack techniques, the controls that matter are:
- Phishing-resistant MFA (FIDO2 security keys or passkeys) for all users, and especially for HR, payroll and finance staff; an AITM proxy on a lookalike domain cannot complete an origin-bound authenticator ceremony.
- Conditional Access policies that require a compliant or hybrid-joined device, and token protection where available, so a token replayed from attacker infrastructure is rejected.
- Detection for AITM and token theft: sign-ins from unfamiliar infrastructure, the same session reused from a second IP or ASN shortly after a legitimate sign-in, and non-browser user agents such as an HTTP client library on what should be interactive sessions.
- Alerting on New-InboxRule and Set-InboxRule operations that delete, move or mark as read mail matching payroll, HR, bank or Workday keywords, which is how the actor hides its correspondence.
- On confirmed compromise, revoke refresh tokens and sign the user out of all sessions, reset the password, and remove attacker-created inbox rules and any other mailbox changes; a password reset alone does not invalidate an already-issued session.
- Verify every payroll or direct-deposit change through an out-of-band channel (a call to a known number, or in person), never by replying to the requesting email, and restrict who can edit bank details in Workday.
- Educate HR and payroll staff that the requesting account may be the genuine but compromised account of a colleague, so the sender address alone proves nothing.
Since no official fix is currently documented, vigilance and layered defense are critical.
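The following is an added example, not code from Microsoft's write-up or from the OTX pulse. It turns the tradecraft in the Technical Summary and the detection bullets above into a small offline detector run over constructed Microsoft 365 records: it flags sign-ins with an Axios-style user agent (assumption: replayed tokens arrive with the library's default "axios/<version>" UA, which real tooling may spoof), the same session ID reused from a second IP within an hour (a replayed session cookie or token), and New-InboxRule/Set-InboxRule operations that hide payroll- or HR-related mail. Field names follow the shape of Entra ID sign-in logs and the Exchange unified audit log; the records, users, IPs and session IDs are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Shapes follow Entra ID sign-in
# logs and the Exchange unified audit log, trimmed to the fields used here.
SIGNINS = [
    {"userPrincipalName": "alice@example.ca", "sessionId": "s-1a2b", "ipAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/124.0",
     "createdDateTime": "2026-04-01T13:00:00Z"},            # legitimate interactive sign-in
    {"userPrincipalName": "alice@example.ca", "sessionId": "s-1a2b", "ipAddress": "198.51.100.7",
     "userAgent": "axios/1.7.9",                               # same session replayed from elsewhere
     "createdDateTime": "2026-04-01T13:20:00Z"},
    {"userPrincipalName": "bob@example.ca", "sessionId": "s-9z8y", "ipAddress": "203.0.113.11",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/124.0",
     "createdDateTime": "2026-04-01T14:05:00Z"},
]
AUDIT = [
    {"UserId": "alice@example.ca", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "."},                        # single-character rule name
        {"Name": "SubjectOrBodyContainsWords", "Value": "payroll;direct deposit;Workday"},
        {"Name": "DeleteMessage", "Value": "True"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"UserId": "bob@example.ca", "Operation": "Set-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "SubjectContainsWords", "Value": "newsletter"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},   # benign housekeeping rule
]

HIDE_PARAMS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
FILTER_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                 "SubjectOrBodyContainsWords", "FromAddressContainsWords")
PAYROLL_TERMS = re.compile(r"payroll|direct deposit|bank account|salary|workday|\bhr\b", re.I)
REPLAY_WINDOW = timedelta(hours=1)


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def axios_signins(signins):
    """(user, ip) for sign-ins whose user agent is an Axios client (assumed default UA)."""
    return [(e["userPrincipalName"], e["ipAddress"]) for e in signins
            if e.get("userAgent", "").lower().startswith("axios/")]


def replayed_sessions(signins):
    """(sessionId, first_ip, second_ip) when one session ID is seen from two IPs within REPLAY_WINDOW."""
    by_session = defaultdict(list)
    for e in sorted(signins, key=lambda e: e["createdDateTime"]):
        by_session[e["sessionId"]].append(e)
    hits = []
    for sid, events in by_session.items():
        for earlier, later in zip(events, events[1:]):
            if earlier["ipAddress"] != later["ipAddress"] and \
               parse_ts(later["createdDateTime"]) - parse_ts(earlier["createdDateTime"]) <= REPLAY_WINDOW:
                hits.append((sid, earlier["ipAddress"], later["ipAddress"]))
    return hits


def hiding_inbox_rules(audit):
    """(user, rule name) for inbox rules that delete/move/mark-read mail matching payroll or HR terms."""
    hits = []
    for rec in audit:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        hides = [k for k in HIDE_PARAMS if k in params]
        filters = " ".join(v for k, v in params.items() if k in FILTER_PARAMS)
        if hides and PAYROLL_TERMS.search(filters):
            hits.append((rec["UserId"], params.get("Name", "")))
    return hits


def findings(signins=SIGNINS, audit=AUDIT):
    """Run all three checks and return the flagged items grouped by check."""
    return {"axios_ua": axios_signins(signins),
            "session_replay": replayed_sessions(signins),
            "hiding_rules": hiding_inbox_rules(audit)}


if __name__ == "__main__":
    for check, items in findings().items():
        print(f"{check}: {items}")
```

On real telemetry the three checks are complementary: the session-replay check catches a replayed cookie even if the actor spoofs a browser user agent, while the inbox-rule check fires on the concealment step even if the initial access was missed. Tune the keyword list and the replay window to the environment; travelling users on VPNs will change IP mid-session, so correlate the second IP with ASN or geolocation before escalating.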
Affected Countries
Canada
Indicators of Compromise
- cve: CVE-2025-27152
- url: http://bluegraintours.com
- domain: bluegraintours.com
Technical Details
Author: AlienVault
TLP: white
References: https://www.microsoft.com/en-us/security/blog/2026/04/09/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees/
Adversary: Storm-2755
Pulse ID: 69d80c2c976a9ec209e19217
Threat Score: not provided
Threat ID: 69d8ceff1cc7ad14daa91506
Added to database: 4/10/2026, 10:20:47 AM
Last updated: 4/10/2026, 9:39:05 PM