TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Microsoft Threat Intelligence

Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees

Microsoft Incident Response · 2026-04-09

ATT&CK techniques detected

29 predictions

T1071.001 Web Protocols (96%)
"let lookback = 30d; let ioc_domains = dynamic(["http://bluegraintours.com"]); _Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now()) | where DstDomain has_any (ioc_domains) | summarize imNWS_mintime = min(TimeGenerated)…"

T1556.006 Multi-Factor Authentication (92%)
"aligns with an AiTM attack — an evolution of traditional credential phishing techniques — in which threat actors insert malicious infrastructure between the victim and a legitimate authentication service. Rather than harvesting only usernames and passwords, AiTM frameworks proxy …"

T1556.006 Multi-Factor Authentication (90%)
"a security information and event management (SIEM) solution enable defenders to quickly establish a clearer baseline of regular and irregular activity to distinguish compromised sessions from legitimate activity. Enable Microsoft Defender to automatically disrupt attacks, revok…"

T1071.001 Web Protocols (89%)
"…string(split(OfficeObjectId, '/')[-1]), tostring(split(OfficeObjectId, '\\')[-1])) | summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, Originating…"

T1556.006 Multi-Factor Authentication (88%)
"reduce the chance of a legitimate reauthentication that would invalidate their access. Impact: the compromise led to a direct financial loss for one user. In this case, Storm-2755 was able to gain access to the user’s account and created inbox rules to prevent emails that cont…"

T1137.005 Outlook Rules (86%)
"not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. Malicious inbox rule: the query includes filters specific to inbox rule creation, operations for …"

T1564.008 Email Hiding Rules (83%)
"not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. Malicious inbox rule: the query includes filters specific to inbox rule creation, operations for …"

T1564.008 Email Hiding Rules (83%)
"Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor. Hunting queries: Microsoft Defender XD…"

T1070.008 Clear Mailbox Data (73%)
"Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor. Hunting queries: Microsoft Defender XD…"

T1657 Financial Theft (70%)
"HR software-as-a-service (SaaS) programs such as Workday. While the example below illustrates the attack flow as observed in Workday environments, it’s important to note that similar techniques could be leveraged against any payroll provider or SaaS platform. Defense ev…"

T1528 Steal Application Access Token (70%)
"customer infrastructure which effectively bypassed non-phishing-resistant MFA and preserved access without requiring repeated sign-ins. This replay flow allowed Storm-2755 to maintain these active sessions and proxy legitimate user actions, effectively executing an AiTM attac…"

T1078.004 Cloud Accounts (68%)
"of the attack chain — from initial access through impact — detailing the techniques observed. Initial access: in the observed campaign, Storm-2755 likely gained initial access through SEO poisoning or malvertising that positioned the actor-controlled domain, bluegraintours[.…"

T1608.006 SEO Poisoning (56%)
"Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees. Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor that Microsoft tracks as Storm-2755 conducting payroll pi…"

T1557.001 Name Resolution Poisoning and SMB Relay (55%)
"url_has_any = ioc_domains) Indicators of compromise: in observed compromises associated with hxxp://bluegraintours[.]com, sign-in logs consistently showed a distinctive authentication pattern. This pattern included multiple failed sign-in attempts with various ca…"

T1111 Multi-Factor Authentication Interception (53%)
"aligns with an AiTM attack — an evolution of traditional credential phishing techniques — in which threat actors insert malicious infrastructure between the victim and a legitimate authentication service. Rather than harvesting only usernames and passwords, AiTM frameworks proxy …"

T1098.002 Additional Email Delegate Permissions (51%)
"…authentication might involve only one first factor, such as password, FIDO2 security keys, or passwordless Microsoft Authenticator, or it might require MFA. Leverage Continuous Access Evaluation (CAE): for supporting applications, to ensure access tokens are re-evaluated in…"

T1564.008 Email Hiding Rules (50%)
"and phishing campaigns. This playbook helps defenders investigate any incident related to suspicious inbox manipulation rules configured by threat actors and take recommended actions to remediate the attack and protect networks. Secure organizational resources through Microsoft I…"

T1566 Phishing (49%)
"Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees. Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor that Microsoft tracks as Storm-2755 conducting payroll pi…"

T1137.005 Outlook Rules (48%)
"Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor. Hunting queries: Microsoft Defender XD…"

T1598 Phishing for Information (46%)
"perform security tasks efficiently: Threat Intelligence Briefing Agent, Phishing Triage Agent, Threat Hunting Agent, Dynamic Threat Detection Agent. Security Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as i…"

T1556.006 Multi-Factor Authentication (45%)
"customer infrastructure which effectively bypassed non-phishing-resistant MFA and preserved access without requiring repeated sign-ins. This replay flow allowed Storm-2755 to maintain these active sessions and proxy legitimate user actions, effectively executing an AiTM attac…"

T1528 Steal Application Access Token (43%)
"exploited to intercept authentication tokens. Learn more: for the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence blog. To get notified about new publications and to join discussions on social media, follow us …"

T1586.002 Email Accounts (41%)
"HR software-as-a-service (SaaS) programs such as Workday. While the example below illustrates the attack flow as observed in Workday environments, it’s important to note that similar techniques could be leveraged against any payroll provider or SaaS platform. Defense ev…"

T1566 Phishing (41%)
"and phishing campaigns. This playbook helps defenders investigate any incident related to suspicious inbox manipulation rules configured by threat actors and take recommended actions to remediate the attack and protect networks. Secure organizational resources through Microsoft I…"

T1098 Account Manipulation (41%)
"HR software-as-a-service (SaaS) programs such as Workday. While the example below illustrates the attack flow as observed in Workday environments, it’s important to note that similar techniques could be leveraged against any payroll provider or SaaS platform. Defense ev…"

T1566.002 Spearphishing Link (37%)
"and phishing campaigns. This playbook helps defenders investigate any incident related to suspicious inbox manipulation rules configured by threat actors and take recommended actions to remediate the attack and protect networks. Secure organizational resources through Microsoft I…"

T1078 Valid Accounts (36%)
"of the attack chain — from initial access through impact — detailing the techniques observed. Initial access: in the observed campaign, Storm-2755 likely gained initial access through SEO poisoning or malvertising that positioned the actor-controlled domain, bluegraintours[.…"

T1078 Valid Accounts (31%)
"affected organizations and taken multiple disruption efforts to help prevent further compromise, including tenant takedown. Microsoft continues to engage affected customers, providing visibility by sharing observed tactics, techniques, and procedures (TTPs) while supporting mit…"

T1111 Multi-Factor Authentication Interception (31%)
"reduce the chance of a legitimate reauthentication that would invalidate their access. Impact: the compromise led to a direct financial loss for one user. In this case, Storm-2755 was able to gain access to the user’s account and created inbox rules to prevent emails that cont…"

Summary

Microsoft Incident Response – Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor, tracked as Storm-2755, compromising Canadian employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts.

The post Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees appeared first on Microsoft Security Blog.