Hackers Use Microsoft Graph Reconnaissance to Target Payroll and

David Kimber, June 15, 2026

Threat actors are actively exploiting Microsoft’s cloud tools for covert reconnaissance, targeting payroll and human resources staff within corporate networks. Their objective is to reroute employee salaries to accounts under their control. This campaign is rapidly expanding across industries and international borders, demanding an urgent response from security teams.

The attack method is deceptively clean. Instead of planting malware or exploiting software bugs, the threat actors steal active login sessions through adversary-in-the-middle (AiTM) phishing pages that sit between the victim and a fake Microsoft 365 sign-in portal.

Once the stolen session token is captured, the attacker replays it to bypass multi-factor authentication entirely, slipping into the account without ever needing the user’s password again.

Security Risk Advisors (SRA) and BushidoToken Threat Intel said in a report shared with Cyber Security News (CSN) that abuse of legitimate tooling continues to blur the line between normal activity and active intrusion, a pattern that fits this campaign almost perfectly.

The attackers never touch an endpoint, leaving traditional EDR solutions with almost nothing to detect or alert on.

Once inside a compromised Microsoft 365 account, the attacker pivots to the Microsoft Graph API, a legitimate developer tool used to query directory information.

From there, they run bulk queries searching for users whose job titles or display names contain keywords like payroll, hr, human, resources, finance, and admin.

The entire directory scan can be completed within minutes, handing the attacker a clean list of the exact staff they need to target.

The campaign, linked to clusters Microsoft tracks as Storm-2755 and Storm-2657, has been observed across healthcare, food services, and manufacturing environments.

The end goal in every case is the same: redirect an employee’s direct deposit to an attacker-controlled bank account, often by contacting HR directly or by modifying settings in HR platforms like Workday.

Hackers Use Microsoft Graph Reconnaissance

The Graph queries observed across compromised environments were nearly identical. Attackers started with a bulk pull of all users using the endpoint /v1.0/users?$top=999, then ran chained search filters across fields like displayName, jobTitle, mail, and userPrincipalName for payroll-related terms, paginated using $skiptoken to harvest every result in bulk.

The tokens used during this enumeration carried broad delegated permissions including Directory.Read.All, Files.ReadWrite.All, Group.ReadWrite.All, Chat.ReadWrite, and User.ReadWrite.

This gave attackers far more access than a simple directory lookup, raising the risk of OAuth-based persistence through consented applications that can survive password resets and token revocations.

Authentication traffic came from US mobile carrier IP ranges, while Graph enumeration traffic traced back to Canadian residential ISPs, a split consistent with residential proxy infrastructure used to mask the operation.

Unremediated accounts were still generating non-interactive sign-ins to Office 365 Exchange Online roughly every three hours, using the Firefox 131.0 user-agent and rotating token identifiers with each session, meaning attackers maintained persistent access long after the initial compromise.

Defending Against Payroll Piracy Attacks

Detection for this campaign depends almost entirely on Microsoft Entra sign-in telemetry and Microsoft Graph activity logs, since no malware or endpoint footprint is left behind.

SRA strongly recommends enabling Microsoft Graph activity logging and forwarding those logs to a SIEM or security data lake as the single most impactful step any organization can take right now.
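As an added example (not code from the article, SRA, or BushidoToken), the following Python detection turns the Graph query patterns described above, a maximum-size user pull, filters on display name or job title for payroll-related terms, and $skiptoken pagination, into a rule that can be run over Graph activity log records once they are forwarded to a SIEM. The record field names and every value in the sample records are constructed assumptions, not taken from a real tenant.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample records: field names (UserId, IPAddress, RequestUri, Scopes) are
# assumed stand-ins for Graph activity log columns and every value is made up.
BROAD = "Directory.Read.All Files.ReadWrite.All Group.ReadWrite.All Chat.ReadWrite"
SAMPLE_LOGS = [
    {"UserId": "u-101", "IPAddress": "198.51.100.7", "Scopes": BROAD,
     "RequestUri": "https://graph.microsoft.com/v1.0/users?$top=999"},
    {"UserId": "u-101", "IPAddress": "198.51.100.7", "Scopes": BROAD,
     "RequestUri": "https://graph.microsoft.com/v1.0/users?$filter=startswith(jobTitle,'payroll')&$top=999"},
    {"UserId": "u-101", "IPAddress": "198.51.100.7", "Scopes": BROAD,
     "RequestUri": 'https://graph.microsoft.com/v1.0/users?$search="displayName:hr"&$skiptoken=X1'},
    {"UserId": "u-202", "IPAddress": "192.0.2.44", "Scopes": "Mail.Read",   # benign mailbox read
     "RequestUri": "https://graph.microsoft.com/v1.0/me/messages?$top=25"},
    {"UserId": "u-303", "IPAddress": "192.0.2.45", "Scopes": "User.Read.All",  # benign name lookup
     "RequestUri": "https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'Chris')"},
]
RECON_TERMS = {"payroll", "hr", "human", "resources", "finance", "admin"}
RECON_FIELDS = {"displayname", "jobtitle", "mail", "userprincipalname"}
BROAD_SCOPES = set(BROAD.split()) | {"User.ReadWrite"}

def classify_request(uri):
    """Return the set of reconnaissance signals present in one Graph request URI."""
    parts = urlsplit(uri)
    signals = set()
    if not parts.path.rstrip("/").endswith("/users"):
        return signals                      # only directory enumeration is of interest here
    params = parse_qs(parts.query)          # decodes %24top as well as a literal $top
    top = params.get("$top", ["0"])[0]
    if top.isdigit() and int(top) >= 999:
        signals.add("bulk_pull")            # maximum page size: pulling the whole directory
    if "$skiptoken" in params:
        signals.add("pagination")           # walking every page of a result set
    query = (params.get("$filter", [""])[0] + " " + params.get("$search", [""])[0]).lower()
    tokens = set(re.findall(r"[a-z]+", query))
    if tokens & RECON_FIELDS and tokens & RECON_TERMS:
        signals.add("keyword_hunt")         # name/title filters for payroll-related terms
    return signals

def detect_graph_recon(records, min_signals=2):
    """Actors (UserId, IPAddress) with >= min_signals distinct request signals; broad scopes are context."""
    by_actor = defaultdict(set)
    for rec in records:
        key = (rec["UserId"], rec["IPAddress"])
        by_actor[key] |= classify_request(rec["RequestUri"])
        if BROAD_SCOPES & set(rec.get("Scopes", "").split()):
            by_actor[key].add("broad_scopes")
    return {k: sorted(v) for k, v in by_actor.items() if len(v - {"broad_scopes"}) >= min_signals}
```

Requiring two distinct request signals per actor keeps a single help-desk name lookup or one large export from firing on its own; the scope flag is attached so the analyst sees whether the token could also support OAuth persistence.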

On the authentication side, deploying phishing-resistant MFA using FIDO2 security keys, Windows Hello for Business, or certificate-based authentication is critical.

Standard authenticator app push notifications and SMS codes offer no protection against AiTM token theft. Conditional Access policies should be configured to require compliant or hybrid-joined devices and enable continuous access evaluation to cut off replayed tokens in near real time.

For organizations already dealing with compromised accounts, remediation must be thorough.

Revoking sessions and refresh tokens through the Entra Admin Center, resetting credentials, re-registering MFA methods, and auditing all enterprise application consent grants are required steps.

Any direct deposit or payroll changes made during the compromise window must also be reviewed and reversed. HR teams should treat any payroll change request as suspect until verified through an out-of-band channel.

Indicators of Compromise

Type         Indicator                    Description
User-Agent   axios/1.7.9                  HTTP client user-agent observed in Storm-2755 sign-in activity
User-Agent   Firefox 131.0 (rv:131.0)     User-agent used during Graph token requests and persistent access
User-Agent   Firefox 142.0 (rv:142.0)     User-agent observed during initial account takeover sequence

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

David Kimber
David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

All Rights Reserved by HackersRadar ©2026