San Antonio News 360


Poisoned “Office 365” search results lead to stolen paychecks

Apr 11, 2026  Twila Rosenbaum

A financially motivated hacking group has been discovered targeting employees in Canada with a sophisticated scheme aimed at covertly redirecting salary payments into bank accounts controlled by the attackers.

SEO Poisoning and Phishing Techniques

Microsoft researchers identified the group, tracked as Storm-2755, which begins its operation by poisoning search engine results. It buys malicious advertisements against generic search queries such as “Office 365” and even common misspellings like “Office 265.” Victims who click on these ads land on a convincing but fake Microsoft 365 login page. Rather than merely harvesting the password, the page proxies the victim’s entire authentication session to the real Microsoft service in real time, so the attacker ends up holding the session token that Microsoft issues once the victim has completed the sign-in, including the MFA prompt.

According to Microsoft's incident responders, “Storm-2755 leveraged version 1.7.9 of the Axios HTTP client to relay authentication tokens to the customer infrastructure. This effectively bypassed non-phishing-resistant multi-factor authentication (MFA) and preserved access without requiring repeated sign-ins.” Because the token is issued only after the victim has already satisfied MFA against the genuine service, replaying it requires no second factor at all. This replay flow let the group keep sessions alive and proxy legitimate user actions, the pattern known as an adversary-in-the-middle (AiTM) attack.

Exploiting Compromised Accounts

For the majority of victims, the attackers maintained quiet background access. However, for a smaller number of accounts, they altered the victim’s password and MFA settings, ensuring that even after the original stolen token expired or was revoked, they still retained control over the account.

Once inside the victim’s email account, the attackers meticulously searched for references to payroll, human resources, and finance. They then sent an email from the compromised account to the organization’s HR staff, requesting a change to the direct deposit information. Since the request originated from the employee’s legitimate email address, HR had no reason to be suspicious, and if they complied, the victim’s next paycheck would be redirected to the attacker’s bank account.

Before sending these emails, the attackers also created inbox rules that silently filtered any HR replies containing keywords such as “bank” or “direct deposit” into a hidden folder, preventing the victim from noticing any suspicious activity.

Direct Manipulation of Payroll Systems

In instances where Storm-2755 was unable to successfully manipulate payroll information through impersonation and social engineering, they shifted strategies to directly interact with HR software-as-a-service (SaaS) platforms, such as Workday. In one documented attack, Storm-2755 manually signed into Workday as the victim to update banking information, resulting in direct financial loss for the employee.

Preventative Measures Against Payroll Fraud

This particular campaign was primarily focused on compromising employees in Canada, but similar attacks are frequently launched targeting employees in various countries or specific industries.

To mitigate the risks of such “payroll pirate” attacks, Microsoft recommends phishing-resistant MFA, specifically FIDO2/WebAuthn passkeys. A passkey is bound to the origin the browser is actually connected to: the authenticator only releases a credential for the registered site, and the signed response names that origin, so an assertion produced on an AiTM proxy’s lookalike domain cannot be replayed to the real service. Push notifications and one-time codes carry no such binding and can be relayed through the proxy like any other form field. On the detection side, organizations should monitor sign-in logs for the Axios user agent, watch for non-interactive sign-ins to OfficeHome recurring at intervals of roughly 30 minutes (the token being refreshed by a script), and alert on the creation of new inbox rules that filter financial keywords.
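The following is an added example, not Microsoft's detection logic or anything from the original report. It implements the three signals above, plus the inbox-rule pattern described earlier, as plain Python over constructed sample records: a simplified sign-in log (the field names are an assumption for this example, not the real Entra ID export schema) and a handful of inbox-rule audit events (parameter names follow the New-InboxRule and Set-InboxRule cmdlets, but the flat dictionary layout is a simplification of the unified audit log record). The user names, times and user agents are made up. The point it adds to the text is the correlation step: each signal alone is noisy, so the sample user who trips all three stands out from the one who only created a rule.

```python
from collections import defaultdict
from datetime import datetime

FINANCIAL_KEYWORDS = ("bank", "direct deposit", "payroll", "routing", "account number")
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"


def _rec(user, time, interactive=False, ua=BROWSER_UA, app="OfficeHome"):
    # Constructed sign-in record; the field names are an assumption for this example.
    return {"user": user, "app": app, "interactive": interactive, "ua": ua, "time": time}


SIGNINS = [
    # alice: one browser sign-in, then the captured token replayed on a schedule
    _rec("alice@example.com", "2026-04-01T08:55:00Z", interactive=True),
    _rec("alice@example.com", "2026-04-01T09:00:00Z", ua="axios/1.7.9"),
    _rec("alice@example.com", "2026-04-01T09:30:00Z", ua="axios/1.7.9"),
    _rec("alice@example.com", "2026-04-01T10:01:00Z", ua="axios/1.7.9"),
    _rec("alice@example.com", "2026-04-01T10:30:00Z", ua="axios/1.7.9"),
    # bob: ordinary non-interactive refreshes, hours apart
    _rec("bob@example.com", "2026-04-01T09:15:00Z"),
    _rec("bob@example.com", "2026-04-01T13:00:00Z"),
    # carol: a single 30-minute gap is coincidence, not a schedule
    _rec("carol@example.com", "2026-04-01T09:00:00Z"),
    _rec("carol@example.com", "2026-04-01T09:30:00Z"),
    _rec("carol@example.com", "2026-04-01T12:00:00Z"),
]

# Constructed inbox-rule audit events (simplified layout, see lead-in).
RULE_EVENTS = [
    {"user": "alice@example.com", "operation": "New-InboxRule", "parameters": {
        "Name": ".", "SubjectOrBodyContainsWords": ["bank", "direct deposit"],
        "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}},
    {"user": "bob@example.com", "operation": "New-InboxRule", "parameters": {
        "Name": "Newsletters", "SubjectContainsWords": ["newsletter"],
        "MoveToFolder": "Reading"}},
    {"user": "carol@example.com", "operation": "Set-InboxRule", "parameters": {
        "Name": "Cleanup", "BodyContainsWords": ["Payroll"], "DeleteMessage": True}},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def axios_signins(records):
    """Sign-ins whose user agent is the Axios HTTP client, i.e. a script, not a browser."""
    return [r for r in records if r["ua"].lower().startswith("axios/")]


def periodic_noninteractive(records, app="OfficeHome", period_min=30,
                            tolerance_min=3, min_run=3):
    """Users with at least `min_run` consecutive non-interactive sign-ins to `app`
    spaced `period_min` +/- `tolerance_min` minutes apart. Returns {user: run length}."""
    by_user = defaultdict(list)
    for r in records:
        if r["app"] == app and not r["interactive"]:
            by_user[r["user"]].append(_ts(r["time"]))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        run = best = 1
        for prev, cur in zip(times, times[1:]):
            gap = (cur - prev).total_seconds() / 60
            run = run + 1 if abs(gap - period_min) <= tolerance_min else 1
            best = max(best, run)
        if best >= min_run:
            flagged[user] = best
    return flagged


def hidden_finance_rules(events, keywords=FINANCIAL_KEYWORDS):
    """Inbox rules that match a financial keyword AND hide the matching mail
    (move it out of the Inbox, delete it, or mark it read). Returns (user, name, keywords)."""
    hits = []
    for e in events:
        if e["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = e["parameters"]
        words = [w.lower() for key in ("SubjectContainsWords", "BodyContainsWords",
                                       "SubjectOrBodyContainsWords")
                 for w in p.get(key, [])]
        matched = sorted({k for k in keywords for w in words if k in w})
        hides = (p.get("MoveToFolder", "Inbox") != "Inbox"
                 or p.get("DeleteMessage") or p.get("MarkAsRead"))
        if matched and hides:
            hits.append((e["user"], p.get("Name"), matched))
    return hits


def triage(signins=SIGNINS, rule_events=RULE_EVENTS):
    """Correlate the three signals per user; a user with several is the one to pull first."""
    signals = defaultdict(set)
    for r in axios_signins(signins):
        signals[r["user"]].add("axios_user_agent")
    for user in periodic_noninteractive(signins):
        signals[user].add("periodic_officehome")
    for user, _, _ in hidden_finance_rules(rule_events):
        signals[user].add("hidden_finance_rule")
    return dict(signals)


if __name__ == "__main__":
    for user, found in sorted(triage().items()):
        print(f"{user}: {', '.join(sorted(found))}")
```

Run as a script it lists alice with all three signals and carol with only the rule. The 30-minute check deliberately requires a run of at least three sign-ins within a tolerance, so a single coincidental gap (carol) is not enough; tune `period_min`, `tolerance_min` and `min_run` to what your own tenant's refresh behaviour looks like before alerting on it.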

Moreover, HR and payroll teams are encouraged to verify every direct deposit change out of band, for example by phone call or in-person confirmation, using contact details already on file rather than any phone number or address supplied in the request itself. Since the fraudulent email comes from the employee’s genuine mailbox, the sender address proves nothing; only a channel the attacker does not control can confirm that the employee actually asked for the change.


Source: Help Net Security News

