Fake Microsoft 365 Pages Used in Payroll Theft Campaign
Storm-2755 identified as the group behind the campaign
Microsoft has confirmed that a financially motivated threat actor known as Storm-2755 is actively targeting employees in Canada using payroll redirection scams. The campaign focuses on hijacking employee accounts to reroute salary payments into attacker-controlled bank accounts.
Fake Microsoft 365 pages used to capture credentials
The attacks rely on fake Microsoft 365 login pages that closely mimic legitimate sign-in portals. Victims land on these pages through malvertising campaigns, SEO poisoning, or malicious domains designed to appear trustworthy and authentic.
Microsoft says the group uses adversary-in-the-middle (AiTM) techniques to intercept authentication sessions. The phishing page proxies the real sign-in flow, so the attacker captures the session cookies and authentication tokens issued after the victim completes MFA; replaying that valid session data gives the attacker access to the account without having to log in again, which is how the campaign bypasses multi-factor authentication.
Attackers hide activity and target HR departments
Once inside an account, attackers create inbox rules that automatically hide emails containing keywords like “direct deposit” or “bank.” This prevents victims from spotting suspicious activity and delays detection.
The attackers then impersonate employees and send phishing messages to HR teams, often using subjects like “Question about direct deposit.” These emails aim to trick HR into updating payroll banking details.
If social engineering fails, attackers escalate access by logging into HR platforms such as Workday and manually changing direct deposit information using stolen sessions.
Microsoft shares mitigation steps for organizations
Microsoft advises organizations to block legacy authentication protocols and deploy phishing-resistant MFA solutions. If a compromise occurs, administrators should revoke active sessions, remove malicious inbox rules, and reset authentication methods and credentials immediately.
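One practical check that follows from the inbox-rule behaviour described above and from the remediation step of removing malicious rules is a hunt over every mailbox's rules for ones that match payroll keywords and hide or divert the message. The script below is an added example, not code from the article or from Microsoft; it assumes rules have been exported in the shape of Microsoft Graph `messageRule` objects (`displayName`, `conditions`, `actions`), and the rules embedded in it are constructed sample data.

```python
"""Flag inbox rules that hide or divert payroll-related mail (added example)."""
import json

PAYROLL_KEYWORDS = {"direct deposit", "bank", "payroll", "salary", "routing"}
# Graph messageRule condition fields that carry keyword lists
KEYWORD_FIELDS = ("subjectContains", "bodyContains", "bodyOrSubjectContains")
# Actions that keep mail out of the user's sight or send it elsewhere
HIDING_ACTIONS = ("delete", "permanentDelete", "markAsRead",
                  "moveToFolder", "forwardTo", "redirectTo")


def matched_keywords(conditions):
    """Return the rule's keyword terms that mention a payroll topic."""
    words = set()
    for field in KEYWORD_FIELDS:
        for term in conditions.get(field, []):
            if any(k in term.lower() for k in PAYROLL_KEYWORDS):
                words.add(term)
    return words


def hiding_actions(actions):
    """Return the hiding/diverting actions the rule actually sets."""
    return [a for a in HIDING_ACTIONS if actions.get(a)]


def find_suspicious_rules(rules):
    """Return [(displayName, sorted keywords, actions)] for rules that
    both match payroll terms and hide or divert the message."""
    findings = []
    for rule in rules:
        words = matched_keywords(rule.get("conditions", {}))
        acts = hiding_actions(rule.get("actions", {}))
        if words and acts:
            findings.append((rule.get("displayName", "<unnamed>"), sorted(words), acts))
    return findings


# Constructed sample export: one typical attacker rule (a bare "." name,
# mark read + move to an unwatched folder), one benign rule, one forwarder.
SAMPLE_RULES = json.loads("""[
 {"displayName": ".", "conditions": {"bodyOrSubjectContains": ["direct deposit", "bank"]},
  "actions": {"markAsRead": true, "moveToFolder": "folder-id-rss", "stopProcessingRules": true}},
 {"displayName": "Newsletters", "conditions": {"senderContains": ["news@"]},
  "actions": {"moveToFolder": "folder-id-news"}},
 {"displayName": "Payroll to self", "conditions": {"subjectContains": ["Payroll change"]},
  "actions": {"forwardTo": [{"emailAddress": {"address": "attacker@example.invalid"}}]}}
]""")

if __name__ == "__main__":
    for name, words, acts in find_suspicious_rules(SAMPLE_RULES):
        print(f"SUSPICIOUS rule {name!r}: keywords={words} actions={acts}")
```

A rule that only moves newsletters is not flagged; the hit requires both a payroll keyword and a hiding or forwarding action, which keeps the hunt focused on the pattern this campaign uses.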
This campaign reflects a broader trend of financially motivated cyberattacks relying on social engineering. Similar techniques appeared in the Axios breach, where attackers exploited human behavior instead of technical flaws.
The warning comes as the industry faces ongoing security threats. Researchers recently flagged a BlueHammer zero-day vulnerability capable of granting system-level access, while Google patched an actively exploited Chrome zero-day vulnerability.