Storm-2755 - Investigating Payroll Pirate Attacks in Canada

Significant risk — action recommended within 24-48 hours
In short: attackers are phishing employees' work accounts and changing where their pay is deposited, so the paycheck goes to an account the attacker controls.
Storm-2755 is targeting employees in Canada, hijacking their accounts and redirecting salary payments to attacker-controlled bank accounts. The campaign causes direct financial loss to both the affected employees and their employers. Microsoft is actively working to mitigate these threats.
What Happened
Microsoft's Detection and Response Team (DART) has uncovered a threat actor it tracks as Storm-2755, responsible for a series of financially motivated attacks on Canadian employees. The group compromises user accounts and uses that access to divert salary payments into accounts it controls, causing financial losses for both the individuals and their organizations.
Who's Affected
The primary victims are employees of Canadian organizations across many sectors. Unlike earlier payroll-pirate campaigns that concentrated on a particular industry, Storm-2755 selects targets by geography rather than by sector, so employees at organizations of any type in Canada are potentially exposed.
How It Works
Storm-2755 uses malvertising and search engine optimization (SEO) poisoning to lure victims: it pushes a domain it controls to the top of search results (for example, when a user searches for the sign-in page instead of typing its address), so that users land on a fake Microsoft 365 sign-in page and enter their credentials there. The fake page is an adversary-in-the-middle (AiTM) proxy: it relays the victim's password and MFA response to the real sign-in service and captures the authentication token or session cookie that comes back. The victim completes multifactor authentication (MFA) as normal, so the attacker never has to defeat MFA; it simply reuses a session in which MFA has already been satisfied.
Signs of Infection
Indicators of compromise include sign-ins with the Axios user agent (an HTTP client library, which points to a script presenting stolen tokens rather than a person in a browser), unexpected inbox rules that delete or divert correspondence from HR (so that notifications of a payroll change are never seen), and unauthorized changes to payroll or direct-deposit information. Employees who notice discrepancies in their accounts or receive unexpected communications about payroll changes should report them to their security team and HR immediately, through a known-good channel rather than by replying to the message.
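The two indicators above (an Axios user agent on sign-in, and an inbox rule that hides HR mail) are easy to hunt for once the logs are in one place. The Python below is an added example, not Microsoft's or the page's code; it runs over constructed sample sign-in and inbox-rule events in an assumed, simplified field layout (not the real Entra ID sign-in or Exchange audit schema) and correlates the two signals per user.

```python
"""Hunting for Storm-2755-style indicators in constructed sample logs.

Added example, not Microsoft's or the page's code. The event layout below is an
assumed, simplified shape, not the real Entra ID sign-in or Exchange audit schema.
"""
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry).
SIGNINS = [
    {"user": "alice@corp.example", "time": "2025-10-01T09:02:11Z", "ip": "198.51.100.10",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0", "result": "success"},
    {"user": "alice@corp.example", "time": "2025-10-01T09:40:37Z", "ip": "203.0.113.45",
     "user_agent": "axios/1.7.2", "result": "success"},
    {"user": "bob@corp.example", "time": "2025-10-01T11:15:02Z", "ip": "198.51.100.22",
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Safari/605.1.15", "result": "success"},
    {"user": "carol@corp.example", "time": "2025-10-02T03:12:45Z", "ip": "203.0.113.9",
     "user_agent": "Axios/0.21.1", "result": "failure"},
]

# Constructed sample inbox-rule creation events (not real telemetry).
INBOX_RULES = [
    {"user": "alice@corp.example", "time": "2025-10-01T09:44:10Z", "name": ".",
     "subject_contains": ["payroll", "direct deposit"], "from_contains": ["hr@"],
     "action": "move", "target_folder": "RSS Subscriptions"},
    {"user": "bob@corp.example", "time": "2025-10-01T11:20:00Z", "name": "Newsletters",
     "subject_contains": ["newsletter"], "from_contains": [],
     "action": "move", "target_folder": "Reading"},
    {"user": "dave@corp.example", "time": "2025-10-02T08:00:00Z", "name": "hide",
     "subject_contains": [], "from_contains": ["payroll@corp.example"],
     "action": "delete", "target_folder": None},
]

# Terms that suggest a rule is aimed at HR/payroll mail, and folders users rarely look in.
HR_TERMS = ("payroll", "direct deposit", "hr@", "human resources", "salary", "bank", "pay stub")
HIDING_FOLDERS = ("rss subscriptions", "rss feeds", "archive", "deleted items", "junk email",
                  "conversation history")


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_axios_signin(event):
    """Axios is an HTTP client library: a script presenting a token, not a person in a browser."""
    return "axios" in event["user_agent"].lower()


def hides_hr_mail(rule):
    """A rule that matches HR/payroll terms and then deletes the mail or files it out of sight."""
    terms = [t.lower() for t in rule["subject_contains"] + rule["from_contains"]]
    mentions_hr = any(hr in t for t in terms for hr in HR_TERMS)
    folder = (rule["target_folder"] or "").lower()
    hides = rule["action"] == "delete" or (rule["action"] == "move" and folder in HIDING_FOLDERS)
    return mentions_hr and hides


def find_axios_signins(signins):
    return [e for e in signins if is_axios_signin(e)]


def find_hr_hiding_rules(rules):
    return [r for r in rules if hides_hr_mail(r)]


def correlate(signins, rules, window_hours=24):
    """Users with a successful Axios sign-in followed, within the window, by an HR-hiding
    inbox rule: the two indicators together are far stronger evidence than either alone."""
    hits = []
    for s in find_axios_signins(signins):
        if s["result"] != "success":
            continue  # a failed replay is worth a look, but not this alert
        t0 = parse_time(s["time"])
        for r in find_hr_hiding_rules(rules):
            if r["user"] != s["user"]:
                continue
            delta = parse_time(r["time"]) - t0
            if timedelta(0) <= delta <= timedelta(hours=window_hours):
                hits.append({"user": s["user"], "signin_ip": s["ip"], "rule_name": r["name"],
                             "minutes_after_signin": int(delta.total_seconds() // 60)})
    return hits


if __name__ == "__main__":
    for hit in correlate(SIGNINS, INBOX_RULES):
        print(hit)
```

On the sample data, only alice trips the correlated alert: a successful sign-in from the Axios client, then three minutes later a rule named "." that files HR and payroll mail into RSS Subscriptions. Carol's Axios sign-in failed and dave's rule has no matching sign-in, so each surfaces from its own finder but not from the correlation; in a real SIEM the time window and the keyword lists would be tuned to the organization's mail and HR systems.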
How to Protect Yourself
Organizations can take several steps to defend against these attacks:
- Implement phishing-resistant MFA: one-time codes, push approvals and SMS can all be relayed by an AiTM page, because the victim supplies them to the proxy and the proxy passes them on. FIDO2/WebAuthn credentials are bound to the legitimate site's origin, so a look-alike domain cannot obtain a usable assertion from them.
- Monitor for anomalous activity: feed sign-in, mailbox and HR-system logs into a security information and event management (SIEM) solution, baseline normal behaviour, and alert on deviations such as non-browser user agents, sign-ins from new locations followed shortly by inbox-rule creation, and changes to payroll bank details.
- Educate employees: run phishing simulations so users recognise credential-theft tactics, and teach them to reach the sign-in page from a bookmark or a typed URL rather than from a search result or an advertisement.
- Revoke compromised sessions immediately: if compromise is suspected, revoke refresh tokens and active sessions, reset the password, remove any inbox rules or MFA methods the attacker added, and verify the employee's payroll bank details with HR. A password reset alone leaves already-issued access tokens valid until they expire, so revoke sessions as well.
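To make concrete both the AiTM mechanism described under How It Works and the first item in the list above, here is an added example (not Microsoft's or the page's code) in Python that models the three parties: a toy identity provider, the attacker's proxy page, and the user's browser and authenticator. All hostnames, users and keys are made up, the OTP is RFC 4226 HOTP, and the WebAuthn signature is an HMAC stand-in for a public-key signature so the script needs only the standard library. The same victim is phished twice: with a one-time code the proxy walks away with a valid session; with a FIDO2 credential the browser refuses to produce an assertion for the look-alike origin, and the identity provider would reject one anyway because the signed client data names the wrong origin.

```python
"""Why AiTM phishing captures an OTP-protected session but not a FIDO2 one. Added example, not
Microsoft's or the page's code: hostnames are made up, the OTP is RFC 4226 HOTP, sessions are random
tokens, and the WebAuthn "signature" is an HMAC with a key shared by authenticator and IdP (stdlib stand-in)."""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://login.corp.example"       # real sign-in page (made up)
PHISH_ORIGIN = "https://login-corp.example.test"  # look-alike from a poisoned search result (made up)
RP_ID = "corp.example"                            # relying-party ID the FIDO2 credential is bound to

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, the code an authenticator app shows the user."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = ((mac[off] & 0x7F) << 24 | mac[off + 1] << 16 | mac[off + 2] << 8 | mac[off + 3]) % 10 ** digits
    return f"{code:0{digits}d}"

def fido_sign(key: bytes, client_data: str) -> dict:
    """The user's security key: signs whatever client data the browser hands it."""
    return {"client_data": client_data, "sig": hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()}

class IdentityProvider:
    def __init__(self):
        self.users, self.sessions, self.challenges = {}, {}, {}

    def register(self, name, password, otp_secret, fido_key):
        self.users[name] = {"pw": password, "otp": otp_secret, "ctr": 0, "fido": fido_key}

    def _issue_session(self, name):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = name
        return cookie

    def login_otp(self, name, password, otp):
        u = self.users.get(name)
        if u is None or not hmac.compare_digest(u["pw"], password) or otp != hotp(u["otp"], u["ctr"]):
            return None
        u["ctr"] += 1
        return self._issue_session(name)

    def webauthn_challenge(self, name):
        self.challenges[name] = secrets.token_hex(16)
        return self.challenges[name]

    def login_webauthn(self, name, assertion):
        """Accept only a valid signature over client data carrying our challenge AND our origin."""
        u = self.users.get(name)
        if u is None or assertion is None:
            return None
        if not hmac.compare_digest(fido_sign(u["fido"], assertion["client_data"])["sig"], assertion["sig"]):
            return None
        data = json.loads(assertion["client_data"])
        if data["challenge"] != self.challenges.pop(name, None) or data["origin"] != LEGIT_ORIGIN:
            return None  # replayed challenge, or an assertion made on some other site
        return self._issue_session(name)

def browser_webauthn(fido_key, page_origin, rp_id, challenge):
    """navigator.credentials.get(), roughly: refuse unless rp_id matches the page's domain,
    and let the browser (never the page) write the page origin into the signed client data."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        return None
    return fido_sign(fido_key, json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True))

class AitmProxy:
    """The phishing site: relays the victim's input to the real IdP and keeps the cookie."""
    def __init__(self, idp):
        self.idp, self.stolen = idp, []

    def relay(self, login, *args):
        cookie = login(*args)
        if cookie:
            self.stolen.append(cookie)
        return cookie is not None  # the victim only ever sees "signed in"

def _setup():
    idp = IdentityProvider()
    idp.register("alice@corp.example", "hunter2", b"otp-seed", b"fido-key")
    return idp, AitmProxy(idp)

def demo_otp_phish():
    """Victim types password + OTP into the phishing page; the attacker replays the cookie."""
    idp, proxy = _setup()
    proxy.relay(idp.login_otp, "alice@corp.example", "hunter2", hotp(b"otp-seed", 0))
    return idp.sessions.get(proxy.stolen[0]) if proxy.stolen else None

def demo_webauthn_phish():
    """Same victim, same phishing page, FIDO2 key: the browser never produces an assertion."""
    idp, proxy = _setup()
    challenge = idp.webauthn_challenge("alice@corp.example")  # the proxy fetched it from the real IdP
    assertion = browser_webauthn(b"fido-key", PHISH_ORIGIN, RP_ID, challenge)
    proxy.relay(idp.login_webauthn, "alice@corp.example", assertion)
    return idp.sessions.get(proxy.stolen[0]) if proxy.stolen else None

def demo_webauthn_legit():
    """Control: the same key used on the real origin signs in normally."""
    idp, _ = _setup()
    challenge = idp.webauthn_challenge("alice@corp.example")
    assertion = browser_webauthn(b"fido-key", LEGIT_ORIGIN, RP_ID, challenge)
    return idp.sessions.get(idp.login_webauthn("alice@corp.example", assertion))
```

The three demo functions return the signed-in user for the OTP phish, None for the FIDO2 phish, and the user again for the legitimate FIDO2 sign-in. Note that the attacker's page never had to "bypass" MFA in the first case: the victim entered the code, and the proxy simply forwarded it. The FIDO2 case fails for two independent reasons, which is the point of origin binding: the browser will not exercise a credential registered for corp.example on a page whose host is not under that domain, and even an assertion obtained some other way would carry the phishing origin in the signed client data and be rejected server-side.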
Understanding Storm-2755's tactics and applying these controls lets organizations protect both their employees and their financial assets from this kind of payroll fraud.
🔒 Pro insight: Storm-2755's use of AiTM techniques highlights the need for organizations to adopt phishing-resistant MFA and robust session management practices.