Storm-2755 Uses AiTM Session Hijacking to Redirect Employee Salaries
Key Takeaways
- A financially motivated threat group, Storm-2755, is leveraging advanced Adversary-in-the-Middle (AiTM) techniques to hijack authenticated sessions and redirect employee salaries.
- The campaign primarily targets Canadian workers across all sectors, bypassing multi-factor authentication (MFA) through SEO poisoning and convincing fake Microsoft 365 login pages.
- Attackers maintain persistence by renewing stolen sessions, creating malicious inbox rules to hide their activity, and sometimes resetting account passwords and MFA settings.
- Organizations should immediately revoke compromised tokens, enforce phishing-resistant MFA, configure Conditional Access policies, and monitor for suspicious activity, especially within HR platforms.
A sophisticated cybercrime group, identified as Storm-2755, is orchestrating a widespread campaign to clandestinely divert employee salary payments into accounts under its control. The group’s modus operandi involves advanced Adversary-in-the-Middle (AiTM) attacks, allowing them to hijack authenticated user sessions and circumvent multi-factor authentication (MFA) mechanisms.
Dubbed “payroll pirate” attacks by researchers, this campaign specifically targets Canadian employees across diverse sectors. Storm-2755 initiates its operations through SEO poisoning and malvertising, manipulating search engine results to promote a fraudulent domain, bluegraintours[.]com. This rogue site appears prominently in searches for terms like “Office 365” or common misspellings such as “Office 265.”
When unsuspecting employees click these deceptive links, they are directed to a highly convincing replica of a Microsoft 365 sign-in page. As victims enter their credentials, the attackers instantaneously capture both the password and the active session token. This real-time interception grants Storm-2755 complete access to the victim’s account without triggering any MFA prompts.
Microsoft researchers were instrumental in identifying this emerging threat and highlighted an unusual aspect of its targeting strategy. Unlike many threat groups that concentrate on specific industries, Storm-2755 casts a broad net, using industry-agnostic search terms to compromise Canadian employees across all sectors. This generalized approach makes the campaign particularly challenging to detect using only vertical-specific threat intelligence.
Post-Compromise Tactics and Evasion
Once inside a compromised account, Storm-2755 meticulously searches mailboxes for keywords related to payroll and human resources. The group then leverages the victim’s own email account to send requests to HR staff regarding direct deposit changes. This social engineering tactic makes the request appear entirely legitimate to the recipient. In scenarios where email manipulation proves insufficient, attackers directly log into HR platforms, such as Workday, using the stolen session tokens to update banking details. This direct intervention ensures that salary payments are rerouted to an attacker-controlled account.
A defining characteristic of this campaign is the attackers’ careful efforts to conceal their tracks. Storm-2755 refreshes stolen sessions around 5:00 AM in the victim’s local time zone, a deliberate tactic to avoid triggering reauthentication events that might alert the user. Furthermore, the group creates malicious inbox rules designed to immediately hide any HR responses concerning the fraudulent bank change request. This sophisticated evasion often means victims remain unaware of the compromise until their anticipated paycheck fails to arrive.
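The inbox-rule evasion described above leaves an audit trail: each rule creation is recorded as a `New-InboxRule` (or `Set-InboxRule`) operation with its parameters. The following detector is an added example, not code from the article or from Microsoft; it runs over a few constructed audit records (the shape loosely follows the Exchange audit `Parameters` list, but the field names and sample values here are assumptions) and flags a rule when it filters on payroll or HR terms and also hides the matching mail, which is the combination the campaign relies on.

```python
"""Flag inbox rules that filter payroll/HR mail and then hide it.
Added example; audit record layout and sample data are constructed."""
import json
from dataclasses import dataclass
from typing import List, Optional

# Keywords that match the payroll / direct-deposit theme of the campaign.
PAYROLL_TERMS = ("payroll", "direct deposit", "bank", "hr", "salary")
# Destination folders a victim rarely reads (assumed list for the example).
HIDING_FOLDERS = ("deleted items", "rss", "archive", "junk", "conversation history")


@dataclass
class Finding:
    user: str
    rule_name: str
    reasons: List[str]


def _param(params: list, name: str) -> str:
    """Return the string value of a named parameter in an audit record."""
    for p in params:
        if p.get("Name") == name:
            return str(p.get("Value", ""))
    return ""


def assess_rule(event: dict) -> Optional[Finding]:
    """Return a Finding when a rule both targets payroll/HR mail and hides it."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = event.get("Parameters", [])
    text = (_param(params, "SubjectContainsWords") + " "
            + _param(params, "BodyContainsWords")).lower()
    keyword_hit = any(t in text for t in PAYROLL_TERMS)

    hide_reasons = []
    folder = _param(params, "MoveToFolder").lower()
    if any(f in folder for f in HIDING_FOLDERS):
        hide_reasons.append(f"moves mail to '{folder}'")
    if _param(params, "DeleteMessage").lower() == "true":
        hide_reasons.append("deletes matching mail")
    if _param(params, "MarkAsRead").lower() == "true":
        hide_reasons.append("marks matching mail as read")

    if keyword_hit and hide_reasons:
        return Finding(event.get("UserId", "?"), _param(params, "Name"),
                       ["filters payroll/HR keywords"] + hide_reasons)
    return None


def scan(records: List[dict]) -> List[Finding]:
    return [f for f in (assess_rule(r) for r in records) if f is not None]


# Constructed sample audit records (not real log data).
SAMPLE_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "victim@example.invalid",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectContainsWords", "Value": "direct deposit;payroll;bank"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "colleague@example.invalid",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "SubjectContainsWords", "Value": "newsletter"},
         {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "New-InboxRule", "UserId": "hr@example.invalid",
     "Parameters": [
         {"Name": "Name", "Value": "Payroll folder"},
         {"Name": "SubjectContainsWords", "Value": "payroll"},
         {"Name": "MoveToFolder", "Value": "Payroll"}]},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT):
        print(json.dumps(f.__dict__))
```

The third sample record shows why the two conditions are combined: an HR clerk filing payroll mail into a visible "Payroll" folder is normal, whereas a one-character rule name that routes "direct deposit" mail into RSS Subscriptions and marks it read matches the evasion pattern. In production the records would come from the unified audit log rather than an inline list.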
Inside the AiTM Attack Chain
The technical sophistication of Storm-2755’s AiTM method distinguishes it from simpler phishing operations. Instead of merely stealing passwords, AiTM attacks function as proxies, intermediating the entire authentication flow between the victim and Microsoft’s legitimate login service. During the sign-in process, the attacker intercepts both the session cookie and the OAuth access token. Because these artifacts represent a fully authenticated session, they can be reused to access Microsoft services without any further credential verification or MFA challenges.
Storm-2755 utilizes version 1.7.9 of the Axios HTTP client to relay captured tokens to its command-and-control infrastructure. Analysis of sign-in logs reveals that Axios performed non-interactive sign-ins to OfficeHome approximately every 30 minutes, effectively maintaining session persistence without overt detection. A known vulnerability, CVE-2025-27152, present in this library, can introduce server-side request forgery risks, which Storm-2755 appears to exploit within its token relay process.
Typically, stolen tokens would expire naturally after approximately 30 days of inactivity. However, in several instances, attackers preemptively reset account passwords and MFA settings, thereby sustaining access long after the initial compromise and token expiration.
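The article notes that the replayed tokens showed up as non-interactive sign-ins to OfficeHome at roughly 30-minute intervals, and a machine-paced cadence from a non-browser client is exactly what a sign-in log query can surface. The script below is an added example (not the article's or Microsoft's code): it groups constructed sign-in records by user and client string, keeps only non-interactive events from clients that do not look like a browser, and reports those whose inter-arrival gaps cluster around a configurable period. The field names `createdDateTime`, `user`, `userAgent`, `app` and `isInteractive`, and the sample events, are assumptions for this example.

```python
"""Find machine-paced non-interactive sign-ins from non-browser clients.
Added example; record layout and sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Substrings that mark an ordinary browser user agent (assumed heuristic).
BROWSER_HINTS = ("mozilla/", "chrome/", "safari/", "edg/")


def is_non_browser(user_agent: str) -> bool:
    ua = user_agent.lower()
    return not any(h in ua for h in BROWSER_HINTS)


def find_periodic_signins(events: List[dict],
                          period: timedelta = timedelta(minutes=30),
                          tolerance: timedelta = timedelta(minutes=5),
                          min_regular_gaps: int = 2) -> Dict[Tuple[str, str], List[datetime]]:
    """Return {(user, userAgent): sorted timestamps} for non-interactive
    sign-ins from non-browser clients whose gaps sit within `tolerance`
    of `period` at least `min_regular_gaps` times."""
    by_key: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in events:
        if e["isInteractive"] or not is_non_browser(e["userAgent"]):
            continue
        by_key[(e["user"], e["userAgent"])].append(
            datetime.fromisoformat(e["createdDateTime"]))

    hits: Dict[Tuple[str, str], List[datetime]] = {}
    for key, times in by_key.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        regular = [g for g in gaps if abs(g - period) <= tolerance]
        if len(regular) >= min_regular_gaps:
            hits[key] = times
    return hits


def _ev(ts: str, user: str, ua: str, interactive: bool, app: str = "OfficeHome") -> dict:
    return {"createdDateTime": ts, "user": user, "userAgent": ua,
            "isInteractive": interactive, "app": app}


# Constructed sample sign-in events (not real log data).
SAMPLE_SIGNINS = [
    # Replayed session: script client, non-interactive, every ~30 minutes.
    _ev("2025-01-15T05:00:00+00:00", "alice@example.invalid", "axios/1.7.9", False),
    _ev("2025-01-15T05:31:00+00:00", "alice@example.invalid", "axios/1.7.9", False),
    _ev("2025-01-15T06:00:00+00:00", "alice@example.invalid", "axios/1.7.9", False),
    _ev("2025-01-15T06:29:00+00:00", "alice@example.invalid", "axios/1.7.9", False),
    # Ordinary browser activity, interactive, irregular.
    _ev("2025-01-15T08:02:00+00:00", "bob@example.invalid",
        "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", True),
    _ev("2025-01-15T11:47:00+00:00", "bob@example.invalid",
        "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", True),
    # A single script sign-in: no cadence to judge, so not reported.
    _ev("2025-01-15T09:15:00+00:00", "carol@example.invalid", "python-requests/2.31", False),
]

if __name__ == "__main__":
    for (user, ua), times in find_periodic_signins(SAMPLE_SIGNINS).items():
        print(f"{user} via {ua}: {len(times)} paced sign-ins, first {times[0].isoformat()}")
```

The cadence check is deliberately separate from the client-string check: a user agent is trivially changed, while the refresh rhythm is a property of how the stolen session is being kept alive. Tuning `period` and `tolerance` to the 30-minute interval the article reports, and then reviewing the matched users' inbox rules and HR-platform activity, ties this query back to the rest of the campaign.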
The image below illustrates the convincing email sent from a victim’s account, designed to deceive HR staff into processing a banking change.

What You Should Do
- Revoke Compromised Tokens: Immediately revoke all compromised session tokens and OAuth access tokens for affected accounts.
- Reset Credentials and MFA: Force a password reset and reconfigure all MFA methods for any account suspected of compromise.
- Enforce Phishing-Resistant MFA: Implement and enforce phishing-resistant MFA solutions, such as FIDO2 security keys, which are specifically designed to thwart AiTM token theft.
- Configure Conditional Access Policies: Set up Conditional Access policies to limit session lifetimes and mandate reauthentication when risk signals change. Enable Continuous Access Evaluation (CAE) to rapidly invalidate stolen tokens upon detection of a risk condition.
- Monitor for Suspicious Inbox Rules: Implement alerts for the creation of new or suspicious inbox rules that could be used to hide malicious activity.
- Audit HR Platforms: Regularly audit HR SaaS platforms like Workday for any unauthorized modifications to banking or payment information.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.