[TIMESTAMP: 2026-04-10 12:26 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Storm-2755 Targets Canadian Employees in Payroll Pirate Campaigns

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Storm-2755 is hijacking employee accounts to steal salary payments by redirecting payroll deposits through fraudulent bank account changes.
  • [02] Organizations with Canadian operations using web-based payroll and HR management portals are the primary targets of these attacks.
  • [03] Defenders must enforce phishing-resistant FIDO2 multi-factor authentication and implement strict manual verification for banking information changes.

Microsoft’s threat intelligence team has identified a persistent campaign orchestrated by Storm-2755, a financially motivated threat actor focused on hijacking employee payroll. According to BleepingComputer, the campaign primarily targets organizations in Canada, using sophisticated phishing to gain access to internal human resources (HR) and payroll systems.

The primary objective of these “payroll pirate” attacks is to redirect employee salary payments to attacker-controlled bank accounts. While the TTPs used are not unique to this actor, Storm-2755’s specific focus on Canadian enterprises points to a calculated effort to exploit regional banking and payroll workflows. The actor is characterized as an APT driven primarily by financial gain rather than espionage or disruption.

Technical Analysis of AitM Payroll Attacks

The attack chain begins with Adversary-in-the-Middle (AitM) phishing. Storm-2755 deploys proxy servers that sit between the victim and the legitimate login page. When a user enters their credentials and completes a multi-factor authentication (MFA) challenge, the attacker captures the session cookie. This allows the threat actor to bypass MFA and gain unauthorized access to the employee’s account without needing the password or a second-factor code again during that session.

Once the account is compromised, the actor navigates to the HR portal or self-service payroll system. Their goal is the modification of direct deposit information. By substituting the legitimate employee bank details with their own, the attacker ensures that the next salary cycle is diverted. This form of business process compromise is particularly effective because it does not involve the deployment of ransomware or disruptive malware, allowing the actor to remain undetected until the victim notices the missing payment. The stolen funds are often moved through a network of money mules to obscure the trail.

How to Detect Storm-2755 Payroll Pirate Attacks

Detecting these incidents requires a combination of behavioral analysis and identity monitoring. Security teams should look for specific IoC patterns and behavioral anomalies, including:

  • Logins from known AitM C2 infrastructure or suspicious IP ranges associated with proxy services.
  • Concurrent sessions originating from geographically distant locations within a timeframe that makes travel impossible.
  • Administrative alerts triggered by changes to sensitive fields, such as “Bank Account Number” or “Direct Deposit Info,” especially when preceded by a password reset.
  • Unusual activity in SOC dashboards involving the manipulation of HR-related applications by non-administrative users.
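The second and third bullets above are the ones a SOC can test mechanically. The following Python is an added example, not code from the article or from Microsoft, that runs a correlation pass over HR-portal audit events and flags two of the indicators listed: impossible travel between consecutive logins and a sensitive direct-deposit change within a window after a password reset. The event schema, field names, coordinates, IP addresses and thresholds are all assumptions constructed for the example.

```python
"""Added example (not from the article): correlate HR-portal audit events
into payroll-diversion indicators. Event schema and field names are assumed."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (assumed schema): one login from Toronto, then a
# login, password reset and bank-detail change from Berlin 20 minutes later.
SAMPLE_EVENTS = [
    {"ts": "2026-04-10T08:00:00", "user": "alice", "event": "login",
     "ip": "203.0.113.10", "lat": 43.65, "lon": -79.38},
    {"ts": "2026-04-10T08:20:00", "user": "alice", "event": "login",
     "ip": "198.51.100.7", "lat": 52.52, "lon": 13.40},
    {"ts": "2026-04-10T08:25:00", "user": "alice", "event": "password_reset",
     "ip": "198.51.100.7", "lat": 52.52, "lon": 13.40},
    {"ts": "2026-04-10T08:31:00", "user": "alice", "event": "field_change",
     "field": "direct_deposit_account",
     "ip": "198.51.100.7", "lat": 52.52, "lon": 13.40},
    {"ts": "2026-04-10T09:00:00", "user": "bob", "event": "login",
     "ip": "203.0.113.22", "lat": 45.50, "lon": -73.57},
    {"ts": "2026-04-10T09:40:00", "user": "bob", "event": "field_change",
     "field": "emergency_contact",
     "ip": "203.0.113.22", "lat": 45.50, "lon": -73.57},
]

# Fields whose modification should always be reviewed (assumed names).
SENSITIVE_FIELDS = {"direct_deposit_account", "bank_account_number", "routing_number"}
RESET_TO_CHANGE_WINDOW = timedelta(hours=24)
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # about airliner speed; faster is impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))


def detect(events):
    """Return (user, indicator, timestamp) tuples, chronological within each user."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["ts"])
    by_user = {}
    for e in parsed:
        by_user.setdefault(e["user"], []).append(e)

    findings = []
    for user, evs in by_user.items():
        last_login = None
        last_reset = None
        for e in evs:
            if e["event"] == "login":
                if last_login is not None:
                    km = haversine_km(last_login["lat"], last_login["lon"], e["lat"], e["lon"])
                    hours = (e["ts"] - last_login["ts"]).total_seconds() / 3600
                    # Two logins too far apart for the elapsed time: a replayed
                    # session from proxy infrastructure rather than a traveller.
                    if km > 0 and (hours == 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
                        findings.append((user, "impossible_travel", e["ts"]))
                last_login = e
            elif e["event"] == "password_reset":
                last_reset = e
            elif e["event"] == "field_change" and e["field"] in SENSITIVE_FIELDS:
                # Any bank-detail change earns a ticket; one that follows a recent
                # password reset is escalated, matching the third bullet above.
                if last_reset is not None and e["ts"] - last_reset["ts"] <= RESET_TO_CHANGE_WINDOW:
                    findings.append((user, "bank_change_after_reset", e["ts"]))
                else:
                    findings.append((user, "bank_change", e["ts"]))
    return findings


if __name__ == "__main__":
    for user, indicator, ts in detect(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {user}: {indicator}")
```

On the constructed input the pass yields two findings for alice (impossible travel at 08:20, then a bank change six minutes after a reset) and nothing for bob, whose change touched a non-sensitive field. In production the geolocation would come from an IP enrichment step and the thresholds from the organization’s own travel patterns; the logic itself transfers unchanged.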

Actionable Recommendations and Storm-2755 Phishing Mitigation

To defend against this threat, organizations must move beyond simple SMS or push-based MFA. These methods are susceptible to AitM proxying and social engineering. Implementing Zero Trust principles is essential to minimize the blast radius of a credential compromise.

  1. Implement Phishing-Resistant MFA: Organizations should deploy FIDO2-compatible security keys or Windows Hello for Business. These hardware-backed methods bind the authentication to the specific hardware and to the legitimate site’s domain, so a proxy on a look-alike domain cannot complete the login and capture a usable session token.
  2. Conditional Access Policies: Configure policies that require EDR-compliant devices or specific IP ranges for accessing HR systems. This ensures that even if a session token is stolen, it cannot be used from an untrusted device.
  3. Out-of-Band Verification: Establish a policy where any change to banking information requires a secondary manual verification step, such as a phone call to the employee.
  4. User Awareness Training: Educate employees on the specific TTPs of AitM attacks, emphasizing that legitimate portals will not prompt for MFA multiple times in unexpected sequences.
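Step 3 is a control that lives in application logic rather than in the identity layer, so it is worth seeing what “requires a secondary manual verification step” means in code. The Python below is an added example, not code from the article or from any HR product, modelling a portal in which a self-service bank-detail change is only staged: payroll keeps reading the previously verified account until HR confirms the change by phoning the number that was on file before the request, and a request is refused outright if that contact number itself changed recently (otherwise a hijacked session could update the phone first and then pass its own callback). Class names, the 14-day contact-stability window and the sample account strings are assumptions constructed for the example.

```python
"""Added example (not from the article): out-of-band verification gate for
payroll bank-detail changes. Names and policy values are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

CONTACT_STABLE_FOR = timedelta(days=14)  # assumed policy: callback number must predate request


@dataclass
class PendingChange:
    new_account: str
    requested_at: datetime
    source_ip: str
    confirmed: Optional[bool] = None  # None = awaiting callback


@dataclass
class EmployeeProfile:
    employee_id: str
    verified_account: str          # the only account payroll ever reads
    phone_on_file: str
    phone_updated_at: datetime
    pending: Optional[PendingChange] = None
    audit: list = field(default_factory=list)


def request_bank_change(profile, new_account, now, source_ip):
    """Called by the self-service portal. Stages the change; never applies it."""
    if now - profile.phone_updated_at < CONTACT_STABLE_FOR:
        # Contact details changed too recently to be trusted for the callback.
        profile.audit.append(("rejected_recent_contact_change", now))
        return False
    profile.pending = PendingChange(new_account, now, source_ip)
    profile.audit.append(("bank_change_staged", now))
    return True


def record_callback_result(profile, now, employee_confirmed):
    """Called by HR staff after phoning the number that was on file before the request."""
    if profile.pending is None:
        return "nothing_pending"
    profile.pending.confirmed = employee_confirmed
    if employee_confirmed:
        profile.verified_account = profile.pending.new_account
        profile.audit.append(("bank_change_applied", now))
        profile.pending = None
        return "applied"
    # Employee denies the request: discard it and raise an alert for the SOC.
    profile.audit.append(("bank_change_rejected_alert_soc", now))
    profile.pending = None
    return "rejected"


def account_for_payroll_run(profile):
    """Payroll reads only the verified account; a staged change never reaches a payout."""
    return profile.verified_account


def hijacked_session_scenario():
    """Constructed walk-through: a change staged from a hijacked session is held,
    payroll keeps paying the verified account, and the callback rejects it."""
    t0 = datetime(2026, 4, 10, 9, 0)
    p = EmployeeProfile("E100", "CA-VERIFIED-001", "+1-555-0100",
                        phone_updated_at=t0 - timedelta(days=400))
    staged = request_bank_change(p, "CA-UNVERIFIED-999", t0, "198.51.100.7")
    paid_before_callback = account_for_payroll_run(p)
    outcome = record_callback_result(p, t0 + timedelta(hours=2), employee_confirmed=False)
    # Second profile: contact number changed yesterday, so the request is refused.
    q = EmployeeProfile("E101", "CA-VERIFIED-002", "+1-555-0101",
                        phone_updated_at=t0 - timedelta(days=1))
    refused = not request_bank_change(q, "CA-UNVERIFIED-998", t0, "203.0.113.5")
    return {"staged": staged, "paid_before_callback": paid_before_callback,
            "outcome": outcome, "paid_after": account_for_payroll_run(p),
            "refused_recent_contact_change": refused,
            "audit": [name for name, _ in p.audit]}


if __name__ == "__main__":
    for key, value in hijacked_session_scenario().items():
        print(f"{key}: {value}")
```

The design point is the separation of the staging record from the record payroll reads: no code path in the portal session can write `verified_account`, so a stolen session cookie gives an attacker nothing more than the ability to create a request that HR will phone the real employee about. The audit trail also gives the detection bullets above a clean event to alert on.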

By mapping these defenses to the MITRE ATT&CK framework, specifically focusing on account hijacking (T1078) and financial theft, organizations can significantly reduce the risk of successful payroll diversion.
