
Poisoned “Office 365” search results lead to stolen paychecks

Apr 13, 2026  Twila Rosenbaum

A financially motivated hacking group has been discovered targeting employees in Canada with a sophisticated scheme to redirect their salaries into accounts controlled by the attackers. Microsoft researchers identified this group, referred to as Storm-2755, which employs various tactics to manipulate search engine results and run malicious advertisements.

How the Attack Works

The campaign begins with the poisoning of search engine results, particularly for queries related to 'Office 365' or common misspellings of it such as 'Office 265.' When victims click on these poisoned results, they are directed to a convincing fake login page for Microsoft 365, where their login credentials are stolen. Additionally, the attackers proxy the entire authentication session in real time, capturing the session tokens issued after login.

According to Microsoft’s incident responders, “Storm-2755 leveraged version 1.7.9 of the Axios HTTP client to relay authentication tokens to the customer infrastructure, effectively bypassing non-phishing resistant multi-factor authentication (MFA) and preserving access without repeated sign-ins.” This replay flow allows the attackers to maintain active sessions and proxy legitimate user actions, executing what is known as an adversary-in-the-middle (AiTM) attack, the mechanism behind this form of account takeover.

Targeting Payroll Information

While many victims experienced silent background access, some accounts were further compromised as the attackers changed the victim’s password and MFA settings. This tactic ensured that even if the original stolen token was revoked, the attackers still maintained control over the account.

Once inside the victim’s email account, the attackers searched for payroll, HR, and finance references. They would then send an email from the victim’s account to the organization's HR department, requesting a change in direct deposit details. Since the email appeared to come from a legitimate employee, HR often complied without suspicion, resulting in the employee's next paycheck being directed to the attackers’ bank account instead.

To cover their tracks, the attackers created inbox rules that buried any HR replies containing keywords like “bank” or “direct deposit” in a hidden folder, ensuring that victims remained unaware of any suspicious activity.

In cases where impersonation and social engineering of HR personnel did not succeed, the attackers pivoted to directly accessing HR software-as-a-service (SaaS) programs such as Workday. In one incident, Storm-2755 manually logged into Workday as the victim to update banking information, leading to direct financial loss for that employee.

Recommendations to Prevent Attacks

While this specific campaign focused on Canadian employees, similar attacks are being launched globally, targeting various economic sectors. To counteract these types of 'payroll pirate' attacks, Microsoft recommends implementing FIDO2/WebAuthn passkeys as a second authentication factor. These passkeys bind authentication to the legitimate origin site, making them immune to interception by AiTM proxies, unlike traditional push or OTP-based MFA.

Organizations are encouraged to monitor for the Axios user-agent appearing in sign-in logs, watch for non-interactive sign-ins to OfficeHome occurring at regular intervals, and alert on newly created inbox rules containing financial keywords. Additionally, HR and payroll teams should verify any direct deposit change requests through out-of-band methods, such as phone calls or in-person confirmations.
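The three monitoring recommendations above can be expressed as simple detection checks. The following is an added example written for this article, not code from Microsoft or Help Net Security; the sign-in events and inbox-rule records are constructed samples shaped loosely like Entra ID sign-in and audit logs, and the field names and thresholds are assumptions.

```python
from datetime import datetime
from itertools import groupby

# Constructed sample sign-in events (not real logs). "ua" is the client user-agent.
SIGN_INS = [
    {"user": "alice", "app": "OfficeHome", "interactive": False, "ua": "axios/1.7.9", "time": "2026-04-10T08:00:00"},
    {"user": "alice", "app": "OfficeHome", "interactive": False, "ua": "axios/1.7.9", "time": "2026-04-10T09:00:05"},
    {"user": "alice", "app": "OfficeHome", "interactive": False, "ua": "axios/1.7.9", "time": "2026-04-10T10:00:02"},
    {"user": "alice", "app": "OfficeHome", "interactive": False, "ua": "axios/1.7.9", "time": "2026-04-10T11:00:07"},
    {"user": "bob", "app": "OfficeHome", "interactive": True, "ua": "Mozilla/5.0 (Windows NT 10.0)", "time": "2026-04-10T08:12:00"},
    {"user": "bob", "app": "OfficeHome", "interactive": False, "ua": "Mozilla/5.0 (Windows NT 10.0)", "time": "2026-04-10T13:40:00"},
    {"user": "bob", "app": "OfficeHome", "interactive": False, "ua": "Mozilla/5.0 (Windows NT 10.0)", "time": "2026-04-10T17:05:00"},
]

# Constructed sample inbox-rule creation events (field names are assumptions).
INBOX_RULES = [
    {"user": "alice", "name": ".", "conditions": "subject contains 'direct deposit'", "action": "move to RSS Feeds"},
    {"user": "bob", "name": "newsletters", "conditions": "from contains 'news@'", "action": "move to Newsletters"},
]

FINANCIAL_KEYWORDS = ("bank", "direct deposit", "payroll")


def axios_users(events):
    """Users with any sign-in whose user-agent identifies the Axios HTTP client."""
    return sorted({e["user"] for e in events if e["ua"].lower().startswith("axios/")})


def periodic_noninteractive_users(events, app="OfficeHome", min_count=3, jitter_s=120):
    """Users whose non-interactive sign-ins to `app` recur at a near-constant interval:
    every gap between consecutive sign-ins lies within `jitter_s` seconds of the first gap,
    which is what scheduled token replay looks like in the log."""
    flagged = []
    by_user = sorted(events, key=lambda e: (e["user"], e["time"]))
    for user, group in groupby(by_user, key=lambda e: e["user"]):
        times = [datetime.fromisoformat(e["time"]) for e in group
                 if e["app"] == app and not e["interactive"]]
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - gaps[0]) <= jitter_s for g in gaps):
            flagged.append(user)
    return flagged


def financial_inbox_rules(rules, keywords=FINANCIAL_KEYWORDS):
    """Newly created inbox rules whose conditions mention a financial keyword."""
    return [r for r in rules if any(k in r["conditions"].lower() for k in keywords)]
```

Each check alone produces noise (legitimate automation also signs in on a schedule); the payroll-theft pattern is the combination, so correlate hits per user before alerting.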

The rise in these sophisticated phishing attacks necessitates heightened awareness and proactive measures to safeguard sensitive payroll information and prevent financial losses.


Source: Help Net Security News

