Security researchers recently identified a campaign to steal the wages of Canadian employees that combines two techniques already on the rise in recent years: forged login pages that intercept session tokens, and inbox rules that silence any notification from human resources. The group behind the scheme, tracked as Storm-2755, was not content with capturing usernames and passwords: its goal was to reuse already-authenticated sessions to move freely within Microsoft 365 and payroll platforms.
The mechanics of the fraud follow a refined version of a classic phishing tactic: the attackers place pages that mimic the Microsoft 365 sign-in form at the top of search results, or promote them through malicious ads. When the victim tries to authenticate, the page acts as a real-time proxy, a technique known as adversary-in-the-middle (AiTM), and captures the cookies and OAuth tokens issued after a successful login. Because the proxy relays the whole exchange, a push approval, SMS code or TOTP entered by the victim is consumed on the spot and offers no protection. Those tokens are equivalent to an already-established session, so the criminals can replay them to access services without being asked for the password or the multifactor code again. Microsoft explains in more detail how these attacks work, and the flow followed by Storm-2755, in its recently published technical report.

A concrete example of the deception is the use of legitimate domains to host the fake pages (among the names involved, for example, bluegraintours[.]com), promoted through malvertising or search-engine "poisoning" techniques. The result: victims who believe they are signing in to Microsoft 365 when they are actually handing over their credentials and, more critically, the proof of an already validated session.
Once inside a compromised account, the attackers take steps to keep the victim from noticing the intrusion. They create inbox rules that move human resources emails containing keywords such as "direct deposit" or "bank" to hidden folders, so the user never sees communications about payroll changes. They then search the mailbox for emails related to "payroll", "HR", "direct deposit" or "finance" and impersonate the employee to ask human resources staff to update their bank details. When social engineering fails, the adversaries use the stolen session to log directly into staff-management platforms such as Workday and modify the account to divert the transfers.
This type of fraud, known as "payroll pirate" or payroll hacking, is a variant of business email compromise (BEC), a family of schemes that target organizations and people who make regular money transfers. The scale of the problem is enormous: according to the FBI's annual report, IC3 received more than 24,000 BEC complaints in 2025, with losses exceeding $3 billion, which places this fraud among the most lucrative worldwide.
Security teams have several levers to reduce the risk of this attack vector, and many of them come down to preventing a stolen token from being reused. Blocking "legacy" authentication protocols and adopting phishing-resistant MFA methods are the key measures. Organizations such as NIST publish guidelines on identity management and authentication that recommend avoiding vulnerable mechanisms; in addition, Microsoft and other platforms document how to implement FIDO2-based or certificate-based methods, which bind the credential to the origin and so defeat an AiTM proxy. Microsoft's technical documentation on phishing-resistant MFA is a practical starting point, and NIST's access control guidance helps with the underlying principles.
If an intrusion is detected, a rapid response is essential: revoke compromised sessions and tokens, remove the suspicious inbox rules, force a credential reset and re-registration of authentication factors, and review access to payroll systems. Microsoft details these operational recommendations in its Storm-2755 report; containment should combine the technical actions with a forensic review to establish the extent of the abuse.
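The hiding rules described above are also the most visible trace the attackers leave in the audit log, which makes them a natural hunting and cleanup target during the response. The following script is an added example written for this article, not code from Microsoft's report or from the campaign analysis. It runs over constructed audit records whose layout (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs) is a simplified assumption about Unified Audit Log inbox-rule entries; the keyword list and the "same client IP across several mailboxes" heuristic are likewise assumptions to tune for your environment.

```python
"""Hunt Microsoft 365 audit records for inbox rules that hide payroll or HR mail.
Constructed example; the record layout is simplified and assumed. Feed it real
records exported with Search-UnifiedAuditLog after checking the field names."""
import re
from collections import defaultdict

SAMPLE_AUDIT_RECORDS = [
    {   # constructed: rule named "." that buries payroll mail in an odd folder
        "Operation": "New-InboxRule",
        "UserId": "alice@example.com",
        "ClientIP": "203.0.113.10",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectOrBodyContainsWords", "Value": "direct deposit;bank;payroll"},
            {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    },
    {   # constructed: benign newsletter rule, must not be flagged
        "Operation": "New-InboxRule",
        "UserId": "bob@example.com",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "From", "Value": "news@example.org"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    },
    {   # constructed: existing rule edited from alice's IP to delete HR mail
        "Operation": "Set-InboxRule",
        "UserId": "carol@example.com",
        "ClientIP": "203.0.113.10",
        "Parameters": [
            {"Name": "Identity", "Value": "Archive"},
            {"Name": "SubjectContainsWords", "Value": "HR"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    },
]

# Keywords the article reports the attackers filtering on, plus a few
# neighbours (assumed; extend with your organisation's HR vocabulary).
PAYROLL_KEYWORDS = ("direct deposit", "payroll", "bank", "hr", "finance", "salary")
# Rule parameters that carry the match condition, and actions that hide mail.
CONDITION_PARAMS = ("SubjectContainsWords", "SubjectOrBodyContainsWords",
                    "BodyContainsWords", "From")
HIDING_PARAMS = ("MoveToFolder", "DeleteMessage", "SoftDeleteMessage")
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule")


def params_to_dict(record):
    """Flatten the Parameters list into a plain {name: value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def matched_keywords(value):
    """Return the payroll-related keywords found in a rule condition value."""
    text = str(value).lower()
    return [k for k in PAYROLL_KEYWORDS
            if re.search(r"\b" + re.escape(k) + r"\b", text)]


def analyse_rule(record):
    """Return the reasons a rule looks like payroll-diversion cover, or [] if benign."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = params_to_dict(record)
    reasons = [f"{cond} matches '{kw}'"
               for cond in CONDITION_PARAMS if cond in params
               for kw in matched_keywords(params[cond])]
    hiding = [p for p in HIDING_PARAMS if p in params]
    # Flag only rules that both target HR/payroll mail and take it out of sight.
    if not reasons or not hiding:
        return []
    reasons.append("hides mail via " + ", ".join(hiding))
    if str(params.get("MarkAsRead", "")).lower() == "true":
        reasons.append("marks the hidden mail as read")
    name = str(params.get("Name", params.get("Identity", "")))
    if not re.search(r"[A-Za-z0-9]", name):  # ".", "..", "" are typical attacker names
        reasons.append(f"rule name is punctuation only ({name!r})")
    return reasons


def find_suspicious_rules(records):
    """Flag suspicious rules and note client IPs that touched several mailboxes."""
    mailboxes_by_ip = defaultdict(set)
    findings = []
    for rec in records:
        if rec.get("Operation") in RULE_OPERATIONS:
            mailboxes_by_ip[rec.get("ClientIP")].add(rec.get("UserId"))
        reasons = analyse_rule(rec)
        if reasons:
            findings.append({"user": rec.get("UserId"),
                             "ip": rec.get("ClientIP"), "reasons": reasons})
    # One IP editing rules in more than one mailbox suggests a replayed
    # session being used across victims.
    for finding in findings:
        others = mailboxes_by_ip[finding["ip"]] - {finding["user"]}
        if others:
            finding["reasons"].append(
                "same client IP also changed rules for " + ", ".join(sorted(others)))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_AUDIT_RECORDS):
        print(f"{finding['user']} from {finding['ip']}:")
        for reason in finding["reasons"]:
            print("  -", reason)
```

On the sample data the script flags alice's and carol's rules and leaves bob's newsletter rule alone; the flagged users and rule names are exactly the list a responder needs for the "remove suspicious inbox rules" step, and the shared client IP is the pivot for finding further victims before revoking sessions.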

This incident is part of a broader trend. Last October, Microsoft moved to disrupt another payroll-hacking campaign, attributed to a different actor, Storm-2657, which since March 2025 had been compromising the Workday accounts of university employees in the United States. The tactic was similar: phishing combined with AiTM techniques to bypass MFA and take control of Exchange Online mailboxes in order to manipulate payments.
For organizations, the lesson is twofold. On the one hand, strengthen technical controls: block legacy authentication, deploy phishing-resistant MFA, monitor sessions and automatically revoke them on anomalous behaviour. On the other hand, adapt human resources and finance procedures so that changes to bank accounts are validated through a second channel outside the usual email, and keep HR staff trained to recognize suspicious requests. It is also important that advertising procurement teams and those responsible for search-engine reputation control where ads are displayed and monitor for malicious content that may promote cloned pages.
Ultimately, these attacks show that modern security no longer rests only on a good password or a traditional second factor: sophisticated adversaries exploit the authentication mechanisms themselves and turn them into doorways. Effective defence requires combining technology, processes and governance so that a stolen session is no longer a free ticket to payroll accounts. For those who want to dig deeper, the Microsoft and IC3 sources are a solid and up-to-date starting point on the nature of these threats and the recommended countermeasures.