Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees

Key Takeaways

• Storm-2755 targets Canadian employees using SEO poisoning and malvertising to facilitate Adversary-in-the-Middle (AiTM) attacks.
• The threat actor uses the Axios HTTP client (specifically v1.7.9) to replay stolen authentication tokens and bypass non-phishing-resistant MFA.
• Attackers create malicious Exchange inbox rules to hide correspondence containing keywords like 'direct deposit' or 'bank'.
• The ultimate goal is financial theft by altering payroll direct deposit information, either via social engineering HR or direct manipulation of SaaS apps like Workday.
• Token replay activity is characterized by non-interactive sign-ins to OfficeHome occurring approximately every 30 minutes.

Affected Systems

• Microsoft 365
• Microsoft Entra ID
• Exchange Online
• Workday
• HR and Payroll SaaS platforms

Vulnerabilities (CVEs)

• CVE-2025-27152

Attack Chain

The attack begins with SEO poisoning or malvertising directing users to an actor-controlled AiTM phishing page (bluegraintours.com). Upon credential entry, the attacker captures session cookies and OAuth tokens, bypassing non-phishing-resistant MFA. The attacker maintains persistence by replaying tokens using the Axios v1.7.9 HTTP client every 30 minutes. After discovering HR and payroll processes, the attacker creates inbox rules to hide alerts and either socially engineers HR or directly accesses platforms like Workday to redirect direct deposit payments to attacker-controlled accounts.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: Yes
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No
• Platforms: Microsoft Defender XDR, Microsoft Sentinel

The article provides KQL queries for Microsoft Defender XDR and Microsoft Sentinel to detect malicious inbox rule creation, Workday payment election changes, and network/web session IOCs.

Detection Engineering Assessment

EDR Visibility: Low — The attack occurs almost entirely within cloud environments (Entra ID, Exchange Online, Workday) using stolen session tokens, bypassing the endpoint. Network Visibility: Medium — Network logs can capture traffic to the malicious AiTM domains, but the token replay happens from attacker infrastructure directly to Microsoft APIs. Detection Difficulty: Moderate — Detecting token replay requires baseline behavioral analysis of User-Agents and IP anomalies, while inbox rule creation is a reliable but post-compromise indicator.

Required Log Sources

• Entra ID Sign-in Logs
• Exchange Online Audit Logs
• CloudAppEvents (Defender)
• Workday Audit Logs

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Search for Entra ID sign-in logs where the User-Agent suddenly changes to 'Axios' (specifically v1.7.9) while the session ID remains consistent, indicating token replay.	Entra ID Sign-in Logs	Persistence	Medium
Look for the creation of Exchange inbox rules that move messages containing keywords like 'direct deposit' or 'bank' to hidden folders or delete them.	Exchange Online Audit Logs	Defense Evasion	Low
Monitor for Entra ID sign-in interrupt error 50199 immediately followed by a successful sign-in from a different IP or anomalous User-Agent.	Entra ID Sign-in Logs	Initial Access	Medium
Hunt for unusual payment election or bank account changes in Workday audit logs (ActionType 'Change My Account' or 'Manage Payment Elections').	CloudAppEvents / Workday Audit Logs	Impact	Medium

Control Gaps

• Legacy MFA (SMS, Push, OTP)
• Lack of Conditional Access Session Lifetimes
• Absence of Continuous Access Evaluation (CAE)

Key Behavioral Indicators

• User-Agent: Axios/1.7.9
• Sign-in Error Code: 50199
• Inbox rules targeting 'direct deposit' or 'bank'
• Non-interactive sign-ins to OfficeHome every ~30 mins

False Positive Assessment

• Medium. Axios is a legitimate open-source HTTP client, so alerting purely on the User-Agent may yield false positives if developers use it internally. Inbox rules for 'bank' or 'direct deposit' might occasionally be created by users organizing their mail, though moving them to 'Conversation History' or deleting them is highly suspicious.

Recommendations

Immediate Mitigation

• Revoke active session tokens for compromised users immediately.
• Remove malicious inbox rules hiding HR/payroll emails.
• Reset credentials and MFA methods for affected accounts.

Infrastructure Hardening

• Implement phishing-resistant MFA (FIDO2/WebAuthn) to prevent AiTM token theft.
• Enforce device compliance through Conditional Access policies.
• Configure adaptive session lifetime policies to restrict extended session lifetimes.
• Enable Continuous Access Evaluation (CAE) for real-time token revocation.

User Protection

• Block legacy authentication protocols.
• Deploy Global Secure Access (GSA) to extend Zero Trust to the network layer.

Security Awareness

• Train HR and payroll staff to verbally verify requests for direct deposit changes.
• Conduct phishing simulations focusing on AiTM and fake Microsoft 365 login pages.

MITRE ATT&CK Mapping

• T1566.002 - Phishing: Spearphishing Link
• T1185 - Browser Session Hijacking
• T1550.004 - Use Alternate Authentication Material: Web Session Cookie
• T1078.004 - Valid Accounts: Cloud Accounts
• T1564.008 - Hide Artifacts: Email Hiding Rules
• T1586.002 - Compromise Accounts: Email Accounts

Additional IOCs

• Domains:
  • bluegraintours[.]com - AiTM infrastructure domain
• Urls:
  • hxxp://bluegraintours[.]com - AiTM infrastructure URL
  • outlook.office.com/bluegraintours - Malicious redirect link
• Other:
  • 50199 - Entra ID sign-in interrupt error code frequently preceding account compromise in this campaign.
  • Question about direct deposit - Common email subject line used by the threat actor to socially engineer HR staff.