AiTM Session Hijacking Steals Employee Salaries in Storm-

Financially motivated threat group Storm-2755 is executing a campaign to quietly reroute employee salary payments into bank accounts under their control.

Targeting Canadian workers, the group uses adversary-in-the-middle (AiTM) techniques to hijack authenticated sessions and bypass multi-factor authentication (MFA), in what researchers have labeled “payroll pirate” attacks.​

The campaign starts with SEO poisoning and malvertising. Storm-2755 pushes a rogue domain, bluegraintours[.]com, to the top of search results for queries like “Office 365” or the common misspelling “Office 265.”

Employees who click these links land on a convincing fake Microsoft 365 sign-in page. The moment they type in their credentials, the attackers capture both the password and the live session token in real time, gaining full account access without triggering any MFA prompt.​

Microsoft researchers identified this emerging threat and noted something unusual about its targeting.

Unlike most threat groups that focus on specific industries, Storm-2755 broadly targets Canadian employees across all sectors, using industry-agnostic search terms to cast a wide net.

This approach makes the campaign harder to detect through vertical-specific threat intelligence alone.​

Once inside a compromised account, Storm-2755 silently searches mailboxes for payroll and HR-related keywords. The group then sends emails from the victim’s own inbox to HR staff, asking about direct deposit changes — a social engineering move that appears completely routine to the recipient.

When email manipulation alone is not enough, attackers manually log into HR platforms like Workday using the stolen session and update banking details directly, causing salary payments to flow into an attacker-held account.​

What makes this campaign especially dangerous is how carefully the group covers its tracks. Storm-2755 renews stolen sessions around 5:00 AM in the victim’s local time zone to avoid triggering reauthentication events.

Inbox rules are also created to immediately bury any HR responses about the fake bank change request, so victims often have no idea anything has changed until their paycheck simply does not arrive.​

Inside the AiTM Attack Chain

What separates Storm-2755 from older phishing groups is the technical depth of its AiTM method. Rather than simply stealing passwords, AiTM attacks proxy the full authentication flow between the victim and Microsoft’s real login service.

When the victim signs in, the attacker intercepts both the session cookie and the OAuth access token — and since these represent a fully authenticated session, they can be reused to access Microsoft services without any further credential check or MFA challenge.​

Storm-2755 uses version 1.7.9 of the Axios HTTP client to relay captured tokens to its own infrastructure. Sign-in logs show that Axios made non-interactive sign-ins to OfficeHome approximately every 30 minutes, keeping sessions alive without obvious detection.

A known vulnerability in this library, CVE-2025-27152, can lead to server-side request forgery risks, which the group appears to exploit within this relay flow.

After roughly 30 days of inactivity, stolen tokens expired naturally — but in some cases, attackers had already reset account passwords and MFA settings to sustain access long after the initial compromise.​

This illustrates the convincing message sent from a victim’s account to trick HR staff into executing the banking change.​

Organizations are strongly advised to revoke compromised tokens immediately, remove malicious inbox rules, and reset credentials and MFA methods for any affected accounts.

Phishing-resistant MFA — such as FIDO2 security keys — should be enforced wherever possible, as these are specifically designed to block AiTM-style token theft.

Conditional Access policies should be configured to limit session lifetimes and require reauthentication when risk signals change. Continuous Access Evaluation (CAE) should be enabled so that stolen tokens lose their value quickly after a risk condition is detected.

Security teams should also set up alerts for suspicious inbox rule creation and regularly audit HR SaaS platforms such as Workday for any unauthorized changes to banking or payment information.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.