Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees
ID: 3408718b-369f-5bda-a847-9e172a5c45b8
STIX ID: report--3408718b-369f-5bda-a847-9e172a5c45b8
Feed Name: Microsoft Security
Microsoft DART observed Storm-2755 running a financially motivated "payroll pirate" campaign against Canadian organizations. The actor used SEO poisoning and malvertising to lure victims to actor-controlled Microsoft 365 sign-in pages, enabling adversary-in-the-middle (AiTM) token theft and session replay; the replayed sessions were notable for the Axios/1.7.9 user agent. The actor maintained persistence by replaying the stolen tokens, created inbox rules to hide HR correspondence from the victim, performed discovery to locate payroll processes or payroll SaaS (e.g., Workday), and in at least one case redirected payroll payments to attacker-controlled accounts. The report includes IOCs and actionable mitigations: revoke tokens, remove malicious inbox rules, and enforce phishing-resistant MFA and Conditional Access.
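The two post-compromise signals in that summary, token replay from a scripted HTTP client (Axios/1.7.9) and inbox rules that hide HR or payroll mail, are the ones a responder can hunt for before the payroll change lands. The script below is an added illustration, not code from Microsoft's report: it runs two such checks over constructed sample records. The record field names are assumptions loosely modelled on Entra ID sign-in logs and Exchange Online inbox rules, the user agents other than Axios and the HR keywords other than Workday are assumptions added for breadth, and the users, IPs and rules are fictional.

```python
"""Hunting helpers for the Storm-2755 tradecraft above: token replay by a
scripted HTTP client (Axios/1.7.9) and inbox rules that hide HR/payroll mail.
Sample records are constructed; field names are assumptions, not Microsoft's
schema."""
import re

# User-agent prefixes of scripted HTTP clients that should not be completing
# Microsoft 365 sign-ins for a human user. axios is the client the report
# names; the other prefixes are assumptions added for breadth.
SCRIPTED_CLIENT_UA = re.compile(r"^(axios|python-requests|curl|go-http-client)/", re.I)

# Terms a payroll pirate filters on so the victim never sees the HR thread.
# "workday" comes from the report; the remaining terms are assumptions.
HR_TERMS = ("payroll", "direct deposit", "workday", "bank", "hr@")

# Constructed sign-in records (documentation IP ranges, fictional users).
SAMPLE_SIGNINS = [
    {"user": "a.singh@example.ca", "result_type": "0",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
     "ip": "203.0.113.10", "app": "OfficeHome"},
    {"user": "a.singh@example.ca", "result_type": "0",
     "user_agent": "axios/1.7.9", "ip": "198.51.100.23",
     "app": "Microsoft Graph"},
    {"user": "j.tremblay@example.ca", "result_type": "50126",  # bad credential
     "user_agent": "axios/1.7.9", "ip": "198.51.100.23",
     "app": "Office 365 Exchange Online"},
    {"user": "m.roy@example.ca", "result_type": "0",
     "user_agent": "Mozilla/5.0 (Macintosh) Safari/605.1.15",
     "ip": "203.0.113.11", "app": "OfficeHome"},
]

# Constructed inbox rules, shaped like a per-mailbox rule export.
SAMPLE_INBOX_RULES = [
    {"mailbox": "a.singh@example.ca", "name": ".",
     "subject_or_body_contains": ["payroll", "direct deposit", "Workday"],
     "from": [], "move_to_folder": "RSS Subscriptions",
     "mark_as_read": True, "delete": False},
    {"mailbox": "m.roy@example.ca", "name": "Newsletters",
     "subject_or_body_contains": [], "from": ["news@vendor.example"],
     "move_to_folder": "Newsletters", "mark_as_read": False, "delete": False},
    {"mailbox": "a.singh@example.ca", "name": "HR",
     "subject_or_body_contains": [], "from": ["hr@example.ca"],
     "move_to_folder": None, "mark_as_read": True, "delete": True},
]


def find_replayed_sessions(signins, successful_only=True):
    """Return sign-ins completed by a scripted HTTP client.

    A stolen token replayed by attacker tooling shows up as a successful
    sign-in whose user agent is an HTTP library (axios/1.7.9), not a browser.
    With successful_only=False the failed attempts from the same source are
    kept too, so the whole source IP can be pivoted on.
    """
    hits = []
    for rec in signins:
        if not SCRIPTED_CLIENT_UA.match(rec["user_agent"]):
            continue
        succeeded = rec["result_type"] == "0"
        if successful_only and not succeeded:
            continue
        hits.append({"user": rec["user"], "ip": rec["ip"],
                     "user_agent": rec["user_agent"], "app": rec["app"],
                     "succeeded": succeeded})
    return hits


def find_hiding_rules(rules):
    """Return inbox rules that both match HR/payroll mail and hide it.

    Hiding means the rule deletes the message, marks it read, or moves it out
    of the Inbox; matching looks at keyword and sender filters. Either alone
    is common and benign; the combination is the payroll-pirate signature.
    """
    findings = []
    for rule in rules:
        haystack = " ".join(rule["subject_or_body_contains"] + rule["from"]).lower()
        matches_hr = any(term in haystack for term in HR_TERMS)
        moves_away = rule["move_to_folder"] not in (None, "Inbox")
        if not (matches_hr and (rule["delete"] or rule["mark_as_read"] or moves_away)):
            continue
        reason = []
        if rule["delete"]:
            reason.append("deletes")
        if rule["mark_as_read"]:
            reason.append("marks read")
        if moves_away:
            reason.append(f"moves to '{rule['move_to_folder']}'")
        findings.append({"mailbox": rule["mailbox"], "name": rule["name"],
                         "action": ", ".join(reason)})
    return findings


if __name__ == "__main__":
    for h in find_replayed_sessions(SAMPLE_SIGNINS, successful_only=False):
        print("replay candidate:", h)
    for f in find_hiding_rules(SAMPLE_INBOX_RULES):
        print("hiding rule:", f)
```

A hit from either check maps directly onto the report's mitigations: revoke the user's sessions (for example with Revoke-MgUserSignInSession from the Microsoft Graph PowerShell SDK) so the replayed token stops working, and delete the rule with Remove-InboxRule in Exchange Online. Keyword matching on rule names is deliberately not used: rule 1 above is named "." and rule 3 is named "HR", so only the condition and action fields are trustworthy.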
