Storm-2755 hijacks Canadian payroll via AiTM phishing of Microsoft 365 sessions
Microsoft is tracking Storm-2755, a financially motivated crew rerouting Canadian employees’ salary payments by stealing Microsoft 365 session tokens. Victims land on spoofed sign-in pages — promoted via malvertising and SEO poisoning on domains like bluegraintours[.]com — where an adversary-in-the-middle proxy captures the full authentication flow, including session cookies and OAuth tokens. Replaying those tokens sidesteps legacy MFA entirely, since the attacker never re-authenticates.
Once inside the mailbox, the actor plants inbox rules that bury any HR reply mentioning “direct deposit” or “bank,” then either socially engineers HR with a deposit-change request or logs straight into Workday using the stolen session to rewrite banking details. The pattern mirrors Storm-2657’s 2025 campaign against US universities, which Microsoft disrupted in October.
Mitigation guidance is unchanged but increasingly urgent: kill legacy auth, deploy phishing-resistant MFA (FIDO2/passkeys), and on any indicator of compromise revoke tokens, purge inbox rules, and reset credentials. Payroll pirate fraud rolls up under BEC, which the FBI’s IC3 logged at 24,000+ complaints and $3B+ in losses last year.
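As an added example (not code from the BleepingComputer article or from Microsoft), the Python below shows the kind of check a defender can run over an export of a user's inbox rules before purging them: it flags rules that both key on payroll language and hide or divert the message, which is the tell for the rule described above. The field names follow the shape of the Microsoft Graph messageRule resource (an assumption here), and the sample rules are constructed, not real tenant data.

```python
from typing import Any

# Keywords an HR reply to a deposit-change request would carry.
PAYROLL_TERMS = ("direct deposit", "bank", "payroll", "routing", "workday")
# Rule actions that keep the mailbox owner from seeing the message.
HIDING_ACTIONS = ("delete", "permanentDelete", "markAsRead", "moveToFolder",
                  "forwardTo", "redirectTo")

# Constructed sample in the shape of Graph mailFolders/inbox/messageRules output
# (field names assumed from the Graph messageRule resource; not real data).
SAMPLE_RULES: list[dict[str, Any]] = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@example.com"}}]},
     "actions": {"moveToFolder": "AAMk-folder-newsletters"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["direct deposit", "bank"]},
     "actions": {"markAsRead": True, "moveToFolder": "AAMk-folder-rss",
                 "stopProcessingRules": True}},
    {"displayName": "hr", "isEnabled": True,
     "conditions": {"subjectContains": ["payroll"]},
     "actions": {"delete": True}},
]

def _condition_terms(conditions: dict[str, Any]) -> list[str]:
    """Collect every substring the rule matches on (subject, body, sender)."""
    terms: list[str] = []
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains", "senderContains"):
        terms.extend(str(t).lower() for t in conditions.get(key, []))
    return terms

def flag_payroll_rules(rules: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return enabled rules that key on payroll language AND hide/divert the message."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        terms = _condition_terms(rule.get("conditions") or {})
        hits = sorted({kw for kw in PAYROLL_TERMS for t in terms if kw in t})
        actions = rule.get("actions") or {}
        hiding = [a for a in HIDING_ACTIONS if actions.get(a)]
        if hits and hiding:
            name = rule.get("displayName", "")
            # Attackers often give such rules a blank or one-character name.
            findings.append({"rule": name, "terms": hits, "actions": hiding,
                             "short_name": len(name.strip()) <= 2})
    return findings

if __name__ == "__main__":
    for finding in flag_payroll_rules(SAMPLE_RULES):
        print(finding)
```

Run it against a real export by replacing SAMPLE_RULES with the parsed JSON from the Graph endpoint; any finding is a reason to revoke sessions and reset credentials, not just to delete the rule.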
Continue reading at BleepingComputer. This is an AI-generated summary; read the original for the full story.