Storm-2755 'Payroll Pirate' Attacks Target Canadian Staff

by CyberNewsAI Admin
Threat Intelligence | Vulnerability Watch | Data Breaches

Executive Summary

A financially motivated threat actor, tracked as Storm-2755, is conducting a targeted "payroll pirate" campaign against employees in Canada. The adversary leverages Adversary-in-the-Middle (AiTM) techniques to bypass non-phishing-resistant multifactor authentication (MFA) and gain control of employee accounts. The primary objective is to manipulate direct deposit information within HR and payroll systems to divert salary payments to attacker-controlled bank accounts. This activity represents a significant financial and operational risk to organizations and their personnel.

Key Findings

Adversary-in-the-Middle (AiTM) Initial Access

The initial access vector combines malvertising with Search Engine Optimization (SEO) poisoning. The actor promotes malicious domains, such as bluegraintours[.]com, to the top of search engine results for generic queries like "Office 365". Unsuspecting users land on a page that reverse-proxies the legitimate Microsoft 365 sign-in flow: the victim sees the real login and MFA prompts, but every request and response passes through attacker-controlled infrastructure, which captures the resulting authentication tokens and session cookies in real time. Analysis shows that a Microsoft Entra sign-in error code 50199 (Entra's "user confirmation is required for this request" interrupt) is often recorded in the victim's sign-in logs immediately before a successful compromise.


MFA Bypass and Session Hijacking

By capturing a fully authenticated session token, Storm-2755 effectively bypasses legacy MFA protections that are not designed to be phishing-resistant. The actor then replays the stolen token to gain access to Microsoft services. A key indicator of this activity is a change in the session's user-agent string to axios/1.7.9 while the session ID remains consistent, confirming a token replay attack. The actor maintains persistence by renewing the session approximately every 30 minutes, often during non-business hours (~5:00 AM local time) to avoid detection.

Defense Evasion and Discovery

Once inside the compromised account, the adversary creates inbox rules that automatically move emails from HR staff containing keywords like "direct deposit" or "bank" into folders the victim rarely opens (e.g., Conversation History). This prevents the victim from seeing correspondence related to the fraudulent bank account changes. The actor then performs discovery by searching the mailbox and the wider environment for terms such as "payroll", "HR", "human resources", and "finance" to identify key personnel and processes.
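The inbox-rule tradecraft above is something a responder can hunt for across a tenant. The following is an added example, not code from the original post or from any vendor: it classifies inbox rules the way the "Audit Inbox Rules" remediation step calls for, flagging a rule only when it both selects HR/financial mail and hides it (delete, or move to a rarely viewed folder such as Conversation History). The rule records are a constructed sample shaped like the properties Exchange Online's Get-InboxRule cmdlet returns; the mailbox names, folder names and keyword lists are assumptions for illustration.

```python
import re

# Constructed sample of inbox rules keyed by mailbox, shaped like the properties
# Exchange Online's Get-InboxRule cmdlet returns (Name, Enabled, From,
# SubjectContainsWords, BodyContainsWords, MoveToFolder, DeleteMessage,
# MarkAsRead). Every value here is invented for this example.
SAMPLE_RULES = {
    "j.doe@example.ca": [
        # Attacker-style rule: near-empty name, HR senders, financial keywords,
        # parked out of sight in Conversation History and marked as read
        {"Name": ".", "Enabled": True,
         "From": ["hr@example.ca", "payroll@example.ca"],
         "SubjectContainsWords": ["direct deposit", "bank"], "BodyContainsWords": [],
         "MoveToFolder": "j.doe@example.ca:\\Conversation History",
         "DeleteMessage": False, "MarkAsRead": True},
        # Ordinary housekeeping rule
        {"Name": "Newsletters", "Enabled": True, "From": [],
         "SubjectContainsWords": ["newsletter"], "BodyContainsWords": [],
         "MoveToFolder": "j.doe@example.ca:\\Reading",
         "DeleteMessage": False, "MarkAsRead": False},
    ],
    "a.smith@example.ca": [
        # Financial keyword but a visible destination folder: not a hiding rule
        {"Name": "Bank statements", "Enabled": True, "From": ["alerts@bank.example"],
         "SubjectContainsWords": ["bank statement"], "BodyContainsWords": [],
         "MoveToFolder": "a.smith@example.ca:\\Finance",
         "DeleteMessage": False, "MarkAsRead": False},
        # Disabled rule is skipped even though it looks bad
        {"Name": "", "Enabled": False, "From": ["hr@example.ca"],
         "SubjectContainsWords": ["payroll"], "BodyContainsWords": [],
         "MoveToFolder": None, "DeleteMessage": True, "MarkAsRead": False},
    ],
}

FINANCIAL_KEYWORDS = re.compile(
    r"direct\s*deposit|bank|payroll|salary|routing|account\s*number", re.I)
HR_SENDER_HINTS = re.compile(r"\b(hr|payroll|people|human|benefits)\b", re.I)
# Folders users rarely open; intercepted HR mail tends to be parked here
HIDING_FOLDERS = {"conversation history", "rss feeds", "rss subscriptions",
                  "junk email", "deleted items", "archive", "notes"}


def _folder_name(path):
    """'user@x:\\Conversation History' -> 'conversation history'."""
    if not path:
        return ""
    return path.rsplit("\\", 1)[-1].strip().lower()


def assess_rule(rule):
    """Return (suspicious, reasons). A rule is suspicious only when it BOTH
    selects HR/financial mail AND hides it; either half alone is common in
    legitimate rules, so the combination is the payroll-pirate tell."""
    reasons = []
    words = rule["SubjectContainsWords"] + rule["BodyContainsWords"]
    selects = False
    if any(FINANCIAL_KEYWORDS.search(w) for w in words):
        selects = True
        reasons.append("matches financial keywords")
    if any(HR_SENDER_HINTS.search(s.split("@")[0]) for s in rule["From"]):
        selects = True
        reasons.append("targets HR/payroll senders")
    hides = False
    if rule["DeleteMessage"]:
        hides = True
        reasons.append("deletes matching mail")
    elif _folder_name(rule["MoveToFolder"]) in HIDING_FOLDERS:
        hides = True
        reasons.append(f"moves mail to '{_folder_name(rule['MoveToFolder'])}'")
    # Supporting evidence only; never sufficient on its own
    if rule["MarkAsRead"]:
        reasons.append("marks mail as read")
    if len(rule["Name"].strip()) <= 2:
        reasons.append("near-empty rule name")
    return selects and hides, reasons


def audit_inbox_rules(rules_by_mailbox):
    """Walk every enabled rule in every mailbox and collect the suspicious ones."""
    findings = []
    for mailbox, rules in rules_by_mailbox.items():
        for rule in rules:
            if not rule["Enabled"]:
                continue
            suspicious, reasons = assess_rule(rule)
            if suspicious:
                findings.append({"mailbox": mailbox, "rule": rule["Name"],
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_inbox_rules(SAMPLE_RULES):
        print(finding)
```

In production the input would come from exporting Get-InboxRule for every mailbox (or the equivalent Graph mailFolders/messageRules call) and any finding should be paired with the sign-in history of that mailbox, since the rule is the first visible artifact after a session is hijacked.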

Objective: Payroll Diversion

The end goal is financial theft. Storm-2755 initiates contact with HR or finance personnel, often using the subject line "Question about direct deposit," to socially engineer a change in banking details. Where this fails, the actor leverages the hijacked session to log directly into HR software-as-a-service (SaaS) platforms, such as Workday, to manually alter the victim's direct deposit information.

Impact

This campaign has resulted in direct financial loss for affected employees. In at least one confirmed case, the threat actor successfully used the hijacked session to access the victim's Workday profile and reroute a payroll payment to an adversary-controlled bank account. This attack pattern is a variant of Business Email Compromise (BEC) fraud, which the FBI's Internet Crime Complaint Center (IC3) consistently ranks among the costliest cybercrime categories, with reported losses in the billions of dollars each year.

Mitigation

Immediate Remediation

  • Revoke Sessions: Immediately revoke all compromised session tokens and active sessions for affected user accounts.
  • Reset Credentials: Force a password reset and re-register MFA methods for all impacted accounts.
  • Audit Inbox Rules: Scan all user mailboxes for malicious inbox rules and remove them. Investigate any rules that auto-move or delete emails containing financial keywords.

Strategic Hardening

  • Phishing-Resistant MFA: Enforce phishing-resistant MFA methods such as FIDO2 security keys, passkeys, or certificate-based authentication, and require them through a Conditional Access authentication strength rather than leaving them optional. Traditional MFA (SMS, voice, push approvals, OTP codes) completes successfully through an AiTM proxy and does not stop this attack.
  • Conditional Access Policies: Implement strict Conditional Access policies to enforce device compliance and manage session lifetimes, prompting reauthentication for sensitive actions.
  • Continuous Access Evaluation (CAE): Enable CAE to ensure access tokens are re-evaluated in near real-time, allowing for rapid revocation when risk conditions change.
  • Monitor User-Agents: Monitor for and alert on anomalous user-agent strings in sign-in logs, such as Axios.

Indicators of Compromise (IOCs)

Network IOC

  • URL: hxxp://bluegraintours[.]com

Sign-In Log IOCs

  • User-Agent: axios/1.7.9
  • Sign-in Pattern: A failed sign-in with Microsoft Entra error code 50199 immediately followed by a successful sign-in from a session where the user-agent shifts to Axios while the session ID remains the same.
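The sign-in pattern above (and the AiTM and session-hijacking behaviour described earlier) is straightforward to turn into a detection. What follows is an added example, not code from the original post or from Microsoft: it groups sign-in records by user and session ID, flags any session that was opened in a browser and then reused by a scripted client, and raises severity when a 50199 error for the same user precedes the first success. The records are a constructed sample shaped like Microsoft Entra sign-in log exports (Graph signIn field names); the users, IPs, session IDs and the 15-minute precursor window are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Microsoft Entra sign-in log exports.
# Field names follow the Graph signIn resource; every value here is invented.
SAMPLE_SIGNINS = [
    # 1. Interrupted sign-in through the AiTM proxy (error 50199), no session yet
    {"userPrincipalName": "j.doe@example.ca", "createdDateTime": "2025-03-03T13:02:11Z",
     "sessionId": "", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0",
     "ipAddress": "203.0.113.10", "errorCode": 50199},
    # 2. Victim completes the proxied login; a real session is minted
    {"userPrincipalName": "j.doe@example.ca", "createdDateTime": "2025-03-03T13:02:40Z",
     "sessionId": "a1f3-0001", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0",
     "ipAddress": "203.0.113.10", "errorCode": 0},
    # 3. Same session ID reused minutes later from a scripted client and a new IP
    {"userPrincipalName": "j.doe@example.ca", "createdDateTime": "2025-03-03T13:05:02Z",
     "sessionId": "a1f3-0001", "userAgent": "axios/1.7.9",
     "ipAddress": "198.51.100.7", "errorCode": 0},
    # 4. Session renewed again early the next morning
    {"userPrincipalName": "j.doe@example.ca", "createdDateTime": "2025-03-04T05:01:15Z",
     "sessionId": "a1f3-0001", "userAgent": "axios/1.7.9",
     "ipAddress": "198.51.100.7", "errorCode": 0},
    # 5-6. Benign user: two browser sign-ins on one session, nothing else
    {"userPrincipalName": "a.smith@example.ca", "createdDateTime": "2025-03-03T09:00:00Z",
     "sessionId": "b7c9-0002", "userAgent": "Mozilla/5.0 (Macintosh) Safari/605.1",
     "ipAddress": "203.0.113.22", "errorCode": 0},
    {"userPrincipalName": "a.smith@example.ca", "createdDateTime": "2025-03-03T09:30:00Z",
     "sessionId": "b7c9-0002", "userAgent": "Mozilla/5.0 (Macintosh) Safari/605.1",
     "ipAddress": "203.0.113.22", "errorCode": 0},
]

AITM_INTERRUPT_CODE = 50199          # error code observed just before compromise
SCRIPTED_UA_PREFIXES = ("axios/",)   # the observed replay client; extend as needed
OFF_HOURS = range(0, 7)              # 00:00-06:59 local, covers the ~05:00 renewals


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_scripted(user_agent):
    return user_agent.lower().startswith(SCRIPTED_UA_PREFIXES)


def find_token_replay(signins, precursor_window=timedelta(minutes=15),
                      tz_offset=timedelta(0)):
    """Flag sessions that were opened in a browser and then reused by a scripted
    client under the same session ID. Entra timestamps are UTC; pass the user's
    local offset so the off-hours count is meaningful."""
    by_session = defaultdict(list)
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        by_session[(rec["userPrincipalName"], rec["sessionId"])].append(rec)

    alerts = []
    for (upn, sid), recs in by_session.items():
        successes = [r for r in recs if r["errorCode"] == 0]
        browser = [r for r in successes if not is_scripted(r["userAgent"])]
        scripted = [r for r in successes if is_scripted(r["userAgent"])]
        if not sid or not browser or not scripted:
            continue  # need one session ID shared by a browser login AND a scripted reuse
        first_ok = _ts(browser[0]["createdDateTime"])
        # The precursor check is per user, not per session: the 50199 record may
        # carry no session ID because the proxied sign-in had not completed yet.
        precursor = any(
            r["userPrincipalName"] == upn and r["errorCode"] == AITM_INTERRUPT_CODE
            and timedelta(0) <= first_ok - _ts(r["createdDateTime"]) <= precursor_window
            for r in signins
        )
        off_hours = [r for r in scripted
                     if (_ts(r["createdDateTime"]) + tz_offset).hour in OFF_HOURS]
        alerts.append({
            "user": upn,
            "session_id": sid,
            "aitm_precursor": precursor,
            "replay_count": len(scripted),
            "replay_user_agents": sorted({r["userAgent"] for r in scripted}),
            "replay_ips": sorted({r["ipAddress"] for r in scripted}
                                 - {r["ipAddress"] for r in browser}),
            "off_hours_replays": len(off_hours),
            "severity": "high" if precursor else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_token_replay(SAMPLE_SIGNINS):
        print(alert)
```

The same grouping translates directly into a KQL hunting query over the SigninLogs table (summarize by UserPrincipalName and SessionId, then look for a mix of browser and scripted UserAgent values on one session). Treat a medium alert as a triage item and a high one as a confirmed-compromise trigger for the remediation steps above: revoke the session, reset credentials and re-register MFA, then audit inbox rules.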
