Storm-2755 Uses AiTM Session Hijacking to Redirect Employee Salaries

Marcus Rodriguez
April 10, 2026

Key Takeaways

  • A financially motivated threat group, Storm-2755, is leveraging advanced Adversary-in-the-Middle (AiTM) techniques to hijack authenticated sessions and redirect employee salaries.
  • The campaign primarily targets Canadian workers across all sectors, bypassing multi-factor authentication (MFA) through SEO poisoning and convincing fake Microsoft 365 login pages.
  • Attackers maintain persistence by renewing stolen sessions, creating malicious inbox rules to hide their activity, and sometimes resetting account passwords and MFA settings.
  • Organizations should immediately revoke compromised tokens, enforce phishing-resistant MFA, configure Conditional Access policies, and monitor for suspicious activity, especially within HR platforms.

A sophisticated cybercrime group, identified as Storm-2755, is orchestrating a widespread campaign to clandestinely divert employee salary payments into accounts under its control. The group’s modus operandi involves advanced Adversary-in-the-Middle (AiTM) attacks, allowing them to hijack authenticated user sessions and circumvent multi-factor authentication (MFA) mechanisms.

Dubbed “payroll pirate” attacks by researchers, this campaign specifically targets Canadian employees across diverse sectors. Storm-2755 initiates its operations through SEO poisoning and malvertising, manipulating search engine results to promote a fraudulent domain, bluegraintours[.]com. This rogue site appears prominently in searches for terms like “Office 365” or common misspellings such as “Office 265.”

When unsuspecting employees click these deceptive links, they are directed to a highly convincing replica of a Microsoft 365 sign-in page. As victims enter their credentials, the attackers instantaneously capture both the password and the active session token. This real-time interception grants Storm-2755 complete access to the victim’s account without triggering any MFA prompts.

Microsoft researchers were instrumental in identifying this emerging threat and highlighted an unusual aspect of its targeting strategy. Unlike many threat groups that concentrate on specific industries, Storm-2755 casts a broad net, using industry-agnostic search terms to compromise Canadian employees across all sectors. This generalized approach makes the campaign particularly challenging to detect using only vertical-specific threat intelligence.

Post-Compromise Tactics and Evasion

Once inside a compromised account, Storm-2755 meticulously searches mailboxes for keywords related to payroll and human resources. The group then leverages the victim’s own email account to send requests to HR staff regarding direct deposit changes. This social engineering tactic makes the request appear entirely legitimate to the recipient. In scenarios where email manipulation proves insufficient, attackers directly log into HR platforms, such as Workday, using the stolen session tokens to update banking details. This direct intervention ensures that salary payments are rerouted to an attacker-controlled account.

A defining characteristic of this campaign is the attackers’ careful efforts to conceal their tracks. Storm-2755 refreshes stolen sessions around 5:00 AM in the victim’s local time zone, a deliberate tactic to avoid triggering reauthentication events that might alert the user. Furthermore, the group creates malicious inbox rules designed to immediately hide any HR responses concerning the fraudulent bank change request. This sophisticated evasion often means victims remain unaware of the compromise until their anticipated paycheck fails to arrive.

Inside the AiTM Attack Chain

The technical sophistication of Storm-2755’s AiTM method distinguishes it from simpler phishing operations. Instead of merely stealing passwords, AiTM attacks function as proxies, intermediating the entire authentication flow between the victim and Microsoft’s legitimate login service. During the sign-in process, the attacker intercepts both the session cookie and the OAuth access token. Because these artifacts represent a fully authenticated session, they can be reused to access Microsoft services without any further credential verification or MFA challenges.

Storm-2755 uses version 1.7.9 of the Axios HTTP client to relay captured tokens to its command-and-control infrastructure. Sign-in logs show non-interactive sign-ins to OfficeHome from the Axios user agent roughly every 30 minutes, which keeps the stolen session alive without an interactive sign-in that might draw attention. A known vulnerability in this library version, CVE-2025-27152, can introduce server-side request forgery risks, which Storm-2755 appears to exploit within its token relay process.

Typically, stolen tokens would expire naturally after approximately 30 days of inactivity. However, in several instances, attackers preemptively reset account passwords and MFA settings, thereby sustaining access long after the initial compromise and token expiration.
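The sign-in pattern described above (non-interactive OfficeHome sign-ins from an Axios user agent on a steady cadence) is something a defender can hunt for in exported sign-in logs. The check below is an added example, not code from Microsoft or from the article; it assumes the exported records carry the Microsoft Graph signIn field names used here, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sign-in records. Field names follow the Microsoft Graph
# signIn resource (assumed to match your log export); values are made up.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "appDisplayName": "OfficeHome",
     "userAgent": "axios/1.7.9", "isInteractive": False,
     "createdDateTime": "2026-04-01T05:02:11Z"},
    {"userPrincipalName": "alice@example.test", "appDisplayName": "OfficeHome",
     "userAgent": "axios/1.7.9", "isInteractive": False,
     "createdDateTime": "2026-04-01T05:32:11Z"},
    {"userPrincipalName": "alice@example.test", "appDisplayName": "OfficeHome",
     "userAgent": "axios/1.7.9", "isInteractive": False,
     "createdDateTime": "2026-04-01T06:03:11Z"},
    # Ordinary browser sign-in: interactive, so it is never counted.
    {"userPrincipalName": "bob@example.test", "appDisplayName": "OfficeHome",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/124.0", "isInteractive": True,
     "createdDateTime": "2026-04-01T08:15:00Z"},
    # A single axios sign-in is not enough to establish a cadence.
    {"userPrincipalName": "carol@example.test", "appDisplayName": "OfficeHome",
     "userAgent": "axios/1.7.9", "isInteractive": False,
     "createdDateTime": "2026-04-01T09:00:00Z"},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_token_replay(signins, max_median_gap_min=45, min_events=3):
    """Map each user to a summary when at least min_events non-interactive
    OfficeHome sign-ins from an axios user agent recur at a steady cadence."""
    by_user = defaultdict(list)
    for rec in signins:
        if rec["isInteractive"] or rec["appDisplayName"] != "OfficeHome":
            continue
        if not rec["userAgent"].lower().startswith("axios/"):
            continue
        by_user[rec["userPrincipalName"]].append(_ts(rec["createdDateTime"]))
    hits = {}
    for upn, times in by_user.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        if median(gaps) <= max_median_gap_min:
            hits[upn] = {"events": len(times), "median_gap_min": round(median(gaps), 1)}
    return hits
```

Any user returned by `find_token_replay` is a candidate for the token revocation and credential reset steps listed later in the article, not proof of compromise on its own.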

The image below illustrates the convincing email sent from a victim’s account, designed to deceive HR staff into processing a banking change.

Example Storm-2755 direct deposit email (Source - Microsoft)

What You Should Do

  • Revoke Compromised Tokens: Immediately revoke all compromised session tokens and OAuth access tokens for affected accounts.
  • Reset Credentials and MFA: Force a password reset and reconfigure all MFA methods for any account suspected of compromise.
  • Enforce Phishing-Resistant MFA: Implement and enforce phishing-resistant MFA solutions, such as FIDO2 security keys, which are specifically designed to thwart AiTM token theft.
  • Configure Conditional Access Policies: Set up Conditional Access policies to limit session lifetimes and mandate reauthentication when risk signals change. Enable Continuous Access Evaluation (CAE) to rapidly invalidate stolen tokens upon detection of a risk condition.
  • Monitor for Suspicious Inbox Rules: Implement alerts for the creation of new or suspicious inbox rules that could be used to hide malicious activity.
  • Audit HR Platforms: Regularly audit HR SaaS platforms like Workday for any unauthorized modifications to banking or payment information.
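For the "Monitor for Suspicious Inbox Rules" item, the following added example (not from the article or from Microsoft) flags rule create/modify audit events whose condition matches HR or payroll mail and whose action keeps that mail out of the inbox, which is the pattern the article attributes to Storm-2755. It assumes the Exchange Online unified audit log export has the Operation/UserId/Parameters shape shown; the sample records are constructed.

```python
# Constructed Exchange Online audit records for inbox-rule cmdlets. The
# Operation/UserId/Parameters shape is assumed to match the unified audit
# log export; every value below is made up.
SAMPLE_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.test",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "direct deposit"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.test",
     "Parameters": [{"Name": "Name", "Value": "Vendor news"},
                    {"Name": "From", "Value": "news@vendor.test"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.test",
     "Parameters": [{"Name": "Name", "Value": "Payroll"},
                    {"Name": "From", "Value": "hr@example.test"},
                    {"Name": "SubjectContainsWords", "Value": "payroll"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "UserLoggedIn", "UserId": "alice@example.test", "Parameters": []},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
MATCH_PARAMS = ("From", "SubjectContainsWords", "BodyContainsWords",
                "SubjectOrBodyContainsWords")
HR_TERMS = ("direct deposit", "payroll", "bank", "salary", "hr@")

def _params(entry):
    return {p["Name"]: str(p["Value"]) for p in entry.get("Parameters", [])}

def _hides_mail(params):
    # Moving to any folder, deleting, or auto-marking read keeps the reply out of view.
    if params.get("MoveToFolder"):
        return True
    return any(params.get(p, "").lower() == "true" for p in ("DeleteMessage", "MarkAsRead"))

def _targets_hr(params):
    text = " ".join(params.get(p, "") for p in MATCH_PARAMS).lower()
    return any(term in text for term in HR_TERMS)

def find_hiding_rules(entries):
    """Return (user, rule name) for rule create/modify events whose condition
    matches HR or payroll mail and whose action keeps that mail out of the inbox."""
    hits = []
    for entry in entries:
        if entry.get("Operation") not in RULE_OPS:
            continue
        params = _params(entry)
        if _targets_hr(params) and _hides_mail(params):
            hits.append((entry["UserId"], params.get("Name", "")))
    return hits
```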
