Storm-2755 Steals Canadian Paychecks via SEO Poisoning
Microsoft tracks Storm-2755 'Payroll Pirate' using poisoned search results and AiTM phishing to hijack Canadian employee direct deposits. HR systems compromised.
Microsoft's Detection and Response Team (DART) has identified a threat actor systematically stealing employee paychecks through a combination of search engine manipulation and adversary-in-the-middle attacks. Tracked as Storm-2755, the group exclusively targets Canadian workers, redirecting their salaries to attacker-controlled bank accounts.
The campaign, which Microsoft dubbed "Payroll Pirate," doesn't target specific industries or organizations. Instead, Storm-2755 poisons search results for generic terms like "Office 365" and common misspellings like "Office 265" to cast a wide net across Canadian IP ranges.
How the Attack Works
Storm-2755's operation combines several techniques into an effective credential-to-cash pipeline:
Stage 1 — SEO Poisoning: The attackers registered bluegraintours.com and optimized it to appear at the top of search results for Microsoft 365 login queries originating from Canada. Users searching for legitimate Microsoft services land on the attacker-controlled domain instead.
Stage 2 — Credential Harvesting: The malicious site presents a convincing Microsoft 365 sign-in page. When victims enter credentials, Storm-2755 captures both the password and the authentication token.
Stage 3 — MFA Bypass: Using Axios HTTP client version 1.7.9, attackers relay authentication tokens to victim infrastructure in real-time. This adversary-in-the-middle technique bypasses non-phishing-resistant MFA by proxying the legitimate authentication flow.
Stage 4 — Mailbox Reconnaissance: Once inside victim email accounts, Storm-2755 searches for keywords like "payroll," "HR," "finance," and "direct deposit" to understand the organization's payroll processes.
Stage 5 — Social Engineering: Attackers send emails from compromised accounts to HR staff requesting direct deposit changes. The requests appear legitimate because they originate from real employee mailboxes.
Stage 6 — Direct System Manipulation: When social engineering fails, Storm-2755 pivots to directly accessing HR SaaS platforms. Microsoft observed attackers signing into Workday as victims to manually change banking information.
Real Financial Impact
This isn't theoretical. Microsoft confirmed that at least one employee suffered "direct financial loss" after Storm-2755 successfully changed their Workday banking details. The victim's next paycheck went directly to an attacker-controlled account.
The attack pattern mirrors techniques we've seen from device code phishing campaigns that bypass OAuth protections, but Storm-2755's geographic focus and end goal—actual payroll theft—set it apart from typical credential harvesting operations.
Why Canada?
Microsoft's analysis suggests Storm-2755 exclusively filters for Canadian IP addresses during the SEO poisoning stage. The geographic targeting may relate to:
- Canada's payroll systems commonly using self-service portals where employees update banking info
- Less stringent verification requirements for direct deposit changes at some organizations
- The attacker group's familiarity with Canadian HR software platforms
The financial motivation contrasts with nation-state operations like the APT28 FrostArmada campaign we covered recently, which focused on credential harvesting for espionage. Storm-2755 wants money, not intelligence.
Detection and Prevention
Microsoft recommends several defensive measures:
Technical Controls
- Deploy phishing-resistant MFA — FIDO2 security keys or certificate-based authentication prevent AiTM token replay attacks
- Enable conditional access policies — Require compliant devices and block legacy authentication protocols
- Monitor for suspicious sign-in activity — Watch for logins from unusual locations or IP addresses, especially to HR systems
- Implement email security rules — Flag or block messages containing payroll change requests that originate externally
Process Controls
- Verify payroll changes out-of-band — Require phone verification for any direct deposit modifications using a number on file, not one provided in the request
- Implement dual authorization — Require manager approval for banking changes
- Train HR staff — Ensure teams recognize social engineering attempts, even when they appear to come from legitimate employee accounts
For organizations without dedicated security teams, our social engineering guide covers how to recognize and respond to these manipulation techniques.
Indicators of Compromise
Microsoft's security blog details the following IOCs:
Domains:
- bluegraintours.com — Primary phishing domain
Behavioral Indicators:
- Axios HTTP client 1.7.9 in authentication traffic
- Searches for payroll-related terms immediately after account compromise
- Emails to HR requesting banking changes from recently compromised accounts
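The sign-in monitoring and email rules under Technical Controls and the behavioral indicators above can be turned into one correlation routine. The following is an added example, not code from Microsoft or from this article: it runs over constructed sample telemetry (field names and the "Workday" app label are assumptions loosely modelled on Entra ID sign-in and Exchange audit records) and flags a user when the Axios 1.7.9 user agent or a first-seen country appears on a sign-in, and when a payroll-term mailbox search, a banking-change email to HR, or an HR app sign-in follows that sign-in within a two-hour window (the window and the banking-change wording are assumptions).

```python
"""Correlate sign-in, mailbox-search and outbound-mail events against the
Storm-2755 behavioural indicators. Example code; event shapes are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs).
SIGNINS = [
    {"ts": "2026-03-01T09:00:00", "user": "alice@example.ca", "country": "CA",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/122", "app": "Office 365"},
    {"ts": "2026-03-01T09:03:00", "user": "alice@example.ca", "country": "NL",
     "user_agent": "axios/1.7.9", "app": "Office 365"},
    {"ts": "2026-03-01T10:30:00", "user": "alice@example.ca", "country": "NL",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "app": "Workday"},
    {"ts": "2026-03-01T11:00:00", "user": "bob@example.ca", "country": "CA",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edge/122", "app": "Office 365"},
]
MAILBOX_SEARCHES = [
    {"ts": "2026-03-01T09:10:00", "user": "alice@example.ca", "query": "direct deposit"},
    {"ts": "2026-03-01T14:00:00", "user": "bob@example.ca", "query": "quarterly report"},
]
OUTBOUND_MAIL = [
    {"ts": "2026-03-01T09:40:00", "from": "alice@example.ca", "to": "hr@example.ca",
     "subject": "Update my direct deposit account"},
    {"ts": "2026-03-01T15:00:00", "from": "bob@example.ca", "to": "hr@example.ca",
     "subject": "Vacation request"},
]

AITM_AGENT = "axios/1.7.9"  # IoC from Microsoft's write-up
PAYROLL_RE = re.compile(r"\b(payroll|hr|finance|direct deposit)\b", re.I)  # terms from the write-up
BANK_CHANGE_RE = re.compile(  # assumed wording of a banking-change request
    r"\b(direct deposit|bank(?:ing)? (?:details|account|information))\b", re.I)
HR_APPS = {"Workday"}        # assumed display name of the HR SaaS app in sign-in logs
WINDOW = timedelta(hours=2)  # assumed correlation window

def _ts(s):
    return datetime.fromisoformat(s)

def _within(earlier, later, window=WINDOW):
    """True when `later` falls inside `window` after `earlier` (ISO strings)."""
    return timedelta(0) <= _ts(later) - _ts(earlier) <= window

def aitm_signins(signins):
    """Indicator: Axios 1.7.9 as the user agent of an authentication event."""
    return [e for e in signins if AITM_AGENT in e["user_agent"].lower()]

def new_country_signins(signins):
    """Sign-ins from a country the user has not used earlier in the data set."""
    seen, hits = {}, []
    for e in sorted(signins, key=lambda e: e["ts"]):
        prior = seen.setdefault(e["user"], set())
        if prior and e["country"] not in prior:
            hits.append(e)
        prior.add(e["country"])
    return hits

def suspicious_signins(signins):
    """Union of both sign-in indicators, de-duplicated by (user, timestamp)."""
    merged = {(e["user"], e["ts"]): e
              for e in aitm_signins(signins) + new_country_signins(signins)}
    return list(merged.values())

def _followed_by(suspects, events, user_key, predicate):
    """Events matching `predicate` within WINDOW after a suspicious sign-in by the same user."""
    return [ev for ev in events if predicate(ev) and any(
        s["user"] == ev[user_key] and _within(s["ts"], ev["ts"]) for s in suspects)]

def triage(signins, searches, mail):
    """Map each user to the list of indicator names that fired for them."""
    suspects = suspicious_signins(signins)
    findings = {}
    def flag(user, reason):
        findings.setdefault(user, []).append(reason)
    for e in aitm_signins(signins):
        flag(e["user"], "aitm-user-agent")
    for e in new_country_signins(signins):
        flag(e["user"], "new-country-signin")
    for s in _followed_by(suspects, searches, "user", lambda s: PAYROLL_RE.search(s["query"])):
        flag(s["user"], "payroll-search-after-suspicious-signin")
    for m in _followed_by(suspects, mail, "from", lambda m: BANK_CHANGE_RE.search(m["subject"])):
        flag(m["from"], "hr-change-request-after-suspicious-signin")
    for e in _followed_by(suspects, signins, "user", lambda e: e["app"] in HR_APPS):
        flag(e["user"], "hr-app-signin-after-suspicious-signin")
    return findings

if __name__ == "__main__":
    for user, reasons in triage(SIGNINS, MAILBOX_SEARCHES, OUTBOUND_MAIL).items():
        print(user, "->", ", ".join(reasons))
```

On the sample data only alice fires, with all five indicators; bob's ordinary activity produces nothing. In production the same logic maps onto a SIEM query over Entra ID sign-in logs, Exchange mailbox audit events and message trace, with the user-agent match being the cheapest single signal and the HR-app sign-in following a flagged session being the one that most directly precedes a banking change.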
The Bigger Picture
Storm-2755 demonstrates how financially motivated actors are refining attack chains that convert credential theft directly into cash. Traditional security advice focuses on protecting organizational data, but payroll piracy targets individual employees' bank accounts.
The use of SEO poisoning as initial access is particularly insidious. Users searching for legitimate Microsoft services believe they're exercising caution by going to the official site—they just end up at the wrong one.
Organizations with Canadian employees should review their payroll change processes immediately. The verification step between "employee requests change" and "change is implemented" is where these attacks succeed or fail.