Have you ever imagined your hard-earned salary landing in someone else's bank account? This is not just a nightmare, but a reality that some Canadian employees are facing due to AiTM phishing payroll scams. Storm-2755, a notorious cybercrime group, has been exploiting advanced phishing techniques to deceive individuals into revealing sensitive information, leading to payroll hijacks. In this blog, we'll unravel the tactics used by these attackers, detail the steps they take to conceal their actions, and provide actionable strategies approved by Microsoft to protect your financial information.
Understanding Storm-2755 and AiTM Phishing Tactics
The reality is clear: attackers aren’t just getting bolder—they’re getting smarter. One group standing out in recent years is Storm-2755, whose name is becoming synonymous with payroll-targeted phishing scams across Canada. But how does this group operate, and what makes their tactics so effective?
Storm-2755: Who Are They and What Do They Want?
Storm-2755 is a cybercrime collective with a focus on netting large paydays through payroll diversion fraud. Their primary weapon is AiTM (Adversary-in-the-Middle) phishing—a sophisticated method that tricks users into giving up their Microsoft 365 credentials. This isn’t about sending obvious spam. Instead, employees receive convincing emails that mimic real company communication or notifications from reputable platforms.
The Anatomy of an AiTM Attack
What sets AiTM phishing apart is the use of fake Microsoft 365 login pages. These counterfeit sites look and feel legitimate, often featuring the same branding, logos, and URL structures employees expect. Victims are lured to these pages through email links or malicious attachments, believing they’re logging in for normal business reasons.
Here’s how it typically unfolds:
- Deceptive Emails: Attackers send a strategic email, often mimicking internal HR or payroll communication, sometimes with urgent hooks like “Verify your payroll details to avoid interruption.”
- Convincing Landing Pages: The email links lead to almost identical replicas of Microsoft 365 login pages. Any information entered—email address, password, and even MFA codes—gets instantly relayed to the attackers.
- Session Token Capture: The real magic lies here. Beyond stealing just credentials, the fake login site intercepts session tokens, allowing hackers to “piggyback” on a legitimate session. This allows them to bypass even multi-factor authentication.
The Canadian Employee in the Crosshairs
Why target Canadian employees? Many companies in Canada rely on Microsoft 365, making them lucrative targets for attackers using these phishing tactics. By focusing on employees with payroll access, Storm-2755 gets one step closer to siphoning off paychecks without triggering immediate alarms.
As these attacks grow in sophistication, awareness is your first line of defense. Recognizing how these phishing campaigns start and what to look for in a suspicious login page can make the difference between a secured paycheck and financial loss.
Session Token Hijacking: Bypassing Multi-Factor Authentication
Attackers know that passwords alone rarely open the door. Multi-factor authentication (MFA) is supposed to block them—but AiTM phishing attacks have found a way to slip past this extra guard.
How Session Token Theft Works
When you log into a service like Microsoft 365, after your credentials and MFA check out, the platform issues a session token. This token proves to the server that you’ve authenticated. If someone else gets this token, they can access your account—even if they don’t have your password or your second authentication method.
Here’s how Storm-2755 and other actors exploit this process:
- Victim provides credentials: The unsuspecting employee enters their password and MFA code into the fake login page.
- Session token is captured: Instead of just stealing the login details, the AiTM phishing kit sitting between the real Microsoft server and the victim’s browser captures the generated session token.
- Attacker assumes identity: The hacker uses the session token to “walk right in,” bypassing MFA completely. They appear to the server as the legitimate user.
- No alerts: Since there’s no failed login or suspicious authentication, most security systems don’t flag this access.
The Complete Lifecycle of an AiTM Payroll Scam
Let’s walk through what a typical attack looks like from start to finish:
- Reconnaissance: Cybercriminals study their target, often identifying payroll or HR staff using social media or LinkedIn.
- Phishing Email Delivered: Carefully crafted emails, sometimes referencing current projects or using company language, land in inboxes.
- User Interaction: The employee clicks the link and is directed to a cloned login page.
- Credentials and MFA Intercepted: The website captures all login information and, crucially, the session token.
- Account Access Granted: Using the stolen session token, attackers immediately gain full account access, often from a location that mirrors the real user’s typical sign-in pattern.
- Maintaining Stealth: The attacker quickly acts before the token expires, searching inboxes for payroll-related emails, adjusting settings, or preparing for further fraud.
Through session token hijacking, cybercriminals effectively step around some of the most robust defenses on the market—making it essential to know not just the steps they take, but the warning signs that might pop up along the way.
The Intricate Dance of Payroll Hijacking
Once attackers are inside an employee’s account, subtlety is their greatest asset. They rarely announce themselves—instead, they quietly set the stage for payroll fraud, using clever techniques to cover their tracks and move money without raising alarms.
Manipulating Inbox Rules to Hide Evidence
One of their first moves? They create or modify inbox rules. This allows them to manage incoming and outgoing mail automatically, making it easier to hide any sign of fraud. Here’s how hackers typically use inbox rules:
- Auto-forwarding: All payroll-related emails are forwarded to an external account the attacker controls, ensuring they see updates in real time.
- Auto-delete or archive: Any emails from the payroll department or financial alerts are deleted or moved out of sight, stopping the real employee from noticing anything amiss.
- Filter by keyword: Rules are set up to intercept messages with keywords like “payroll,” “bank account,” or “direct deposit,” further reducing the likelihood of discovery.
Impersonation: Staying Under the Radar
Fraudsters don’t just lurk—they impersonate. With access to the inbox, they can reply to emails as if they’re the legitimate employee. This means:
- Requests to update bank details or direct deposit forms seem to come from the right person.
- If the payroll or HR team replies with questions, the attacker responds convincingly, using previous emails and signatures for reference.
- Communications are timed carefully, often sent during off-hours or holidays to avoid scrutiny.
Editing Payroll Details Without Detection
The end goal is simple: change where the paycheck goes. Here’s how attackers pull this off without tripping any alarms:
- Initiate change requests: Using the employee’s compromised email, hackers send a “routine” request to update bank details to payroll staff.
- Supply new fraudulent details: The attacker provides bank account information that funnels the next paycheck away from the victim.
- Confirm changes—and cover up: If further confirmation or paperwork is needed, the attacker supplies it, matching the style, tone, and documentation of the original employee.
Throughout this process, manipulated inbox rules ensure the victim doesn’t see any of the changes happening in their name—making this scheme dangerously effective unless IT or payroll teams are actively monitoring for irregularities.
Protecting Your Paycheck from Phishing Scams
Getting ahead of payroll phishing scams means putting smart barriers in place and staying alert to the signs of trouble. Microsoft and cybersecurity experts have outlined clear tactics that, when practiced consistently, make it much harder for attackers to slip through.
Microsoft-Recommended Strategies
1. Modern Authentication Methods
- Switch from legacy authentication to modern options, like OAuth and security keys. These newer systems better resist phishing schemes and aren’t as easily exploited by session token theft.
2. Conditional Access Policies
- Limit account access based on context—such as user identity, device, location, or risk level. For example, flagging and blocking logins from unusual geographies or devices adds an extra line of defense.
3. Enhanced MFA Protections
- Use phishing-resistant MFA solutions, such as app-based authentication with number matching, Microsoft Authenticator app push notifications, or FIDO2 security keys. Avoid basic SMS or email-based codes, as these are easier to intercept.
4. Real-Time Email Threat Protection
- Utilize Microsoft Defender for Office 365 or similar email security tools. Automated scanning for phishing attempts, malicious links, or suspicious content in messages can catch attacks before they reach users.
Staying Vigilant: Monitoring and Rapid Response
Defensive technology is important, but employee awareness and consistent monitoring are equally vital:
- Employee Training: Regularly educate staff to recognize red flags—like odd requests to update payroll info, unfamiliar sender addresses, or login pages that seem slightly off.
- Proactive Threat Detection: IT should monitor for unusual account activity, such as rapid inbox rule creation, multiple failed login attempts, or sign-ins from unexpected regions.
- Swift Incident Response: If an attack is suspected, immediately revoke active session tokens, reset credentials, and conduct a thorough audit for unauthorized changes.
Most importantly, cultivate a culture where employees feel safe reporting anything suspicious without fear of reprimand. A quick call or email to confirm a payroll change could be the last barrier standing between you and a stolen paycheck.
