Poisoned Office 365 Search Results Lead to Stolen Paychecks

Significant risk — action recommended within 24-48 hours
Basically, hackers trick people into giving up their paycheck information through fake search results.
A hacking group is stealing paychecks from Canadian employees by manipulating search results for Office 365. This sophisticated attack highlights the need for stronger security measures. Organizations must be vigilant to prevent financial losses.
What Happened
A financially motivated hacking group, tracked by Microsoft as Storm-2755, has launched a sophisticated campaign targeting Canadian employees. This group uses SEO poisoning and malvertising to redirect search results for common queries related to Office 365. Victims who click on these poisoned links are led to a fake Microsoft 365 login page designed to steal their login credentials.
How It Works
Upon entering their credentials, victims unknowingly grant the attackers access to their accounts. Storm-2755 employs an adversary-in-the-middle (AiTM) technique, using the Axios HTTP client to relay authentication tokens between the victim and the real Microsoft sign-in service. This allows the attackers to bypass traditional multi-factor authentication (MFA) and maintain access to the victim's account without needing repeated sign-ins.
Who's Being Targeted
The primary targets of this attack are employees in Canada, particularly those with access to payroll and HR systems. Once inside the compromised email account, the attackers search for any references to payroll or finance.
Signs of Infection
Victims may notice unusual login activity, such as unexpected sign-ins or changes to their account settings. Additionally, if HR or finance teams receive requests for direct deposit changes from employee accounts, they should verify the authenticity of these requests.
What the Attackers Do
After gaining access, the attackers send an email from the victim's account to HR, requesting a change in direct deposit information. Since the email appears legitimate, HR personnel are likely to comply without suspicion. To further cover their tracks, the attackers create inbox rules that hide any responses from HR that may contain keywords like "bank" or "direct deposit."
How to Protect Yourself
To mitigate the risk of such attacks, Microsoft recommends several strategies:
- Use FIDO2/WebAuthn passkeys as a second authentication factor; these are phishing-resistant and more secure than traditional MFA methods such as push or one-time codes.
- Monitor for the Axios user-agent in sign-in logs and watch for unusual sign-in patterns.
- Implement out-of-band verification for any direct deposit change requests, such as a phone call or in-person confirmation.
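The two indicators described above (successful sign-ins carrying the Axios user-agent, and inbox rules that hide mail mentioning "bank" or "direct deposit") can be checked together in a short hunt script. The example below is added here and is not code from Microsoft or from the original write-up; the sign-in records and inbox rules it scans are constructed samples whose field names only loosely follow the Microsoft Entra ID sign-in log and mailbox rule export formats, and the keyword and action lists are assumptions a defender would tune to their own tenant.

```python
"""Hunt for the two indicators named in the write-up: successful sign-ins carrying the
Axios user-agent, and inbox rules that hide mail about payroll or bank details."""
import json
import re

# Constructed sample sign-in records. Field names loosely follow the Microsoft Entra ID
# sign-in log schema; every value below is made up for this example.
SIGNIN_LOGS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0 Safari/537.36",
     "status": "Success"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
     "userAgent": "axios/1.6.8", "status": "Success"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.9",
     "userAgent": "axios/1.6.8", "status": "Failure"},
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.22",
     "userAgent": "Outlook-iOS/2.0", "status": "Success"},
]

# Constructed inbox rules, in the shape a mailbox audit export might produce (assumed).
INBOX_RULES = [
    {"owner": "alice@example.com", "name": ".",
     "conditions": {"bodyContains": ["bank", "direct deposit"]},
     "actions": {"delete": True}},
    {"owner": "bob@example.com", "name": "Newsletters",
     "conditions": {"fromContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"owner": "carol@example.com", "name": "Payroll",
     "conditions": {"subjectContains": ["payroll"]},
     "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True}},
]

AXIOS_UA = re.compile(r"\baxios/", re.IGNORECASE)
# Keywords the campaign's rules hid, plus neighbours a payroll-fraud rule would plausibly
# use (assumed list; extend for your tenant).
PAYROLL_KEYWORDS = ("bank", "direct deposit", "payroll", "routing")
# Rule actions that keep a reply out of the mailbox owner's sight (assumed list).
HIDING_ACTIONS = ("delete", "moveToFolder", "markAsRead")


def find_axios_signins(records):
    """Return successful sign-ins whose user-agent is the Axios HTTP client."""
    return [r for r in records
            if r.get("status") == "Success" and AXIOS_UA.search(r.get("userAgent", ""))]


def rule_is_suspicious(rule):
    """A rule is suspicious when a keyword condition mentions payroll/bank terms
    and at least one of its actions hides the matching message."""
    terms = [t.lower() for values in rule.get("conditions", {}).values() for t in values]
    keyword_hit = any(k in t for t in terms for k in PAYROLL_KEYWORDS)
    actions = rule.get("actions", {})
    hides = any(actions.get(a) for a in HIDING_ACTIONS)
    return keyword_hit and hides


def find_suspicious_inbox_rules(rules):
    """Return every inbox rule that matches payroll keywords and hides the mail."""
    return [r for r in rules if rule_is_suspicious(r)]


def correlate(records, rules):
    """Group findings per account. An account showing both indicators is the
    strongest signal of a payroll-diversion takeover and should be triaged first."""
    findings = {}
    for r in find_axios_signins(records):
        findings.setdefault(r["userPrincipalName"], []).append(
            f"axios sign-in from {r['ipAddress']}")
    for rule in find_suspicious_inbox_rules(rules):
        findings.setdefault(rule["owner"], []).append(
            f"hiding inbox rule {rule['name']!r}")
    return findings


if __name__ == "__main__":
    print(json.dumps(correlate(SIGNIN_LOGS, INBOX_RULES), indent=2))
```

Run against real exports, the script flags alice (Axios sign-in plus a keyword-deleting rule) for immediate triage and carol (a hiding rule only) for review, while bob's failed Axios attempt and ordinary newsletter rule produce nothing. Failed sign-ins are deliberately excluded so the Axios check measures access that was actually obtained, not noise from scanners.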
Conclusion
This incident serves as a reminder of the evolving tactics used by cybercriminals. Organizations must remain vigilant and proactive in implementing security measures to protect against these sophisticated fraud schemes. Regular training for employees on recognizing phishing attempts and verifying sensitive requests can help reduce the risk of falling victim to such attacks.
🔒 Pro insight: The use of AiTM tactics in this campaign underscores the necessity for organizations to adopt phishing-resistant MFA solutions.