{"id":60457,"date":"2026-04-09T15:00:00","date_gmt":"2026-04-09T15:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=146428"},"modified":"2026-04-09T15:00:00","modified_gmt":"2026-04-09T15:00:00","slug":"investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/","title":{"rendered":"Investigating Storm-2755: \u201cPayroll pirate\u201d attacks targeting Canadian employees"},"content":{"rendered":"<p class=\"wp-block-paragraph\">Microsoft Incident Response \u2013 Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor that Microsoft tracks as Storm-2755 conducting payroll pirate attacks targeting Canadian users. 
In this campaign, Storm-2755 compromised user accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts, resulting in direct financial loss for affected individuals and organizations.<\/p>\n<p class=\"wp-block-paragraph\">While similar payroll pirate attacks have been observed in <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/10\/09\/investigating-targeted-payroll-pirate-attacks-affecting-us-universities\/\">other malicious campaigns<\/a>, Storm-2755\u2019s campaign is distinct in both its delivery and targeting. Rather than focusing on a specific industry or organization, the actor relied exclusively on geographic targeting of Canadian users and used malvertising and search engine optimization (SEO) poisoning on industry-agnostic search terms to identify victims. The campaign also leveraged adversary\u2011in\u2011the\u2011middle (AiTM) techniques to hijack authenticated sessions, allowing the threat actor to bypass multifactor authentication (MFA) and blend into legitimate user activity.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft has been actively engaged with affected organizations and has undertaken multiple disruption efforts to help prevent further compromise, including tenant takedown. Microsoft continues to engage affected customers, providing visibility by sharing observed tactics, techniques, and procedures (TTPs) while supporting mitigation efforts.<\/p>\n<p class=\"wp-block-paragraph\">In this blog, we present our analysis of Storm-2755\u2019s recent campaign and the TTPs employed across each stage of the attack chain. 
To support proactive mitigations against this campaign and similar activity, we also provide comprehensive guidance for investigation and remediation, including recommendations such as implementing phishing-resistant MFA to help block these attacks and protect user accounts.<\/p>\n<h2 class=\"wp-block-heading\" id=\"storm-2755-s-attack-chain\">Storm-2755\u2019s attack chain<\/h2>\n<p class=\"wp-block-paragraph\">Analysis of this activity reveals a financially motivated campaign built around session hijacking and abuse of legitimate enterprise workflows. Storm-2755 combined initial credential and token theft with session persistence and targeted discovery to identify payroll and human resources (HR) processes within affected Canadian organizations. By operating through authenticated user sessions and blending into normal business activity, the threat actor was able to minimize detection while pursuing direct financial gain.<\/p>\n<p class=\"wp-block-paragraph\">The sections below examine each stage of the attack chain\u2014from initial access through impact\u2014detailing the techniques observed.<\/p>\n<h3 class=\"wp-block-heading\" id=\"initial-access\">Initial access<\/h3>\n<p class=\"wp-block-paragraph\">In the observed campaign, Storm-2755 likely gained initial access through SEO poisoning or malvertising that positioned the actor-controlled domain, <em>bluegraintours[.]com<\/em>, at the top of search results for generic queries like \u201cOffice 365\u201d or common misspellings like \u201cOffice 265\u201d. 
Based on data received by DART, unsuspecting users who clicked these links were directed to a malicious Microsoft 365 sign-in page designed to mimic the legitimate experience, resulting in token and credential theft when users entered their credentials.<\/p>\n<p class=\"wp-block-paragraph\">Once a user entered their credentials into the malicious page, sign-in logs show that the victim recorded a <a href=\"https:\/\/learn.microsoft.com\/entra\/identity-platform\/reference-error-codes\">50199<\/a> sign-in interrupt error immediately before Storm-2755 successfully compromised the account. When the session shifts from legitimate user activity to threat actor control, the user-agent for the session changes to Axios (typically version 1.7.9), but the session ID remains consistent, indicating that the token has been replayed.<\/p>\n<p class=\"wp-block-paragraph\">This activity aligns with an AiTM attack\u2014an evolution of traditional credential phishing techniques\u2014in which threat actors insert malicious infrastructure between the victim and a legitimate authentication service. Rather than harvesting only usernames and passwords, AiTM frameworks proxy the entire authentication flow in real time, enabling the capture of session cookies and OAuth access tokens issued upon successful authentication. Because these tokens represent a fully authenticated session, threat actors can reuse them to gain access to Microsoft services without being prompted for credentials or MFA, effectively bypassing legacy MFA protections that were not designed to be phishing-resistant; phishing-resistant methods such as FIDO2\/WebAuthn are designed to mitigate this risk.<\/p>\n<p class=\"wp-block-paragraph\">While Axios is not a malicious tool, this attack path seems to take advantage of known vulnerabilities of the open-source software, namely <a href=\"https:\/\/github.com\/advisories\/GHSA-jr5f-v2jv-69x6\">CVE-2025-27152<\/a>, which can lead to server-side request forgeries.<\/p>\n<h3 class=\"wp-block-heading\" id=\"persistence\">Persistence<\/h3>\n<p class=\"wp-block-paragraph\">Storm-2755 leveraged version 1.7.9 of the Axios HTTP client to relay authentication tokens to the customer infrastructure, which effectively bypassed non-phishing-resistant MFA and preserved access without requiring repeated sign-ins. This replay flow allowed Storm-2755 to maintain these active sessions and proxy legitimate user actions, effectively executing an AiTM attack.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft consistently observed non-interactive sign-ins to the OfficeHome application with the Axios user-agent occurring approximately every 30 minutes until remediation actions revoked active session tokens; this cadence allowed Storm-2755 to keep the sessions active and proxy legitimate user actions without detection.<\/p>\n<p class=\"wp-block-paragraph\">After around 30 days, when Storm-2755 did not continue maintaining persistence within the environment, we observed the stolen tokens become inactive. The refresh token became unusable due to expiration, rotation, or policy enforcement, preventing the issuance of new access tokens after the session token had expired. The compromised sessions primarily featured non-interactive sign-ins to OfficeHome and recorded sign-ins to Microsoft Outlook, My Sign-Ins, and My Profile. For a more limited set of identities, password and MFA changes were observed to maintain more durable persistence within the environment after the token had expired.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-2755-attack-chain-flow-scaled.webp\" alt=\"A user is lured to an actor-controlled authentication page via SEO poisoning or malvertising and unknowingly submits credentials, enabling the threat actor to replay the stolen session token for impersonation. The actor then maintains persistence through scheduled token replay and conducts follow-on activity such as creating inbox rules or requesting changes in direct deposits until session revocation occurs.\" class=\"wp-image-146431 webp-format\"><figcaption class=\"wp-element-caption\"><em>Figure 1. Storm-2755 attack flow<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"discovery\">Discovery<\/h3>\n<p class=\"wp-block-paragraph\">Once user accounts have been successfully compromised, discovery actions begin to identify internal processes and mailboxes associated with payroll and HR. 
Specific intranet searches during compromised sessions focused on keywords such as \u201cpayroll\u201d, \u201cHR\u201d, \u201chuman\u201d, \u201cresources\u201d, \u201csupport\u201d, \u201cinfo\u201d, \u201cfinance\u201d, \u201caccount\u201d, and \u201cadmin\u201d across several customer environments.<\/p>\n<p class=\"wp-block-paragraph\">Email subject lines were also consistent across all compromised users: \u201cQuestion about direct deposit\u201d. The goal was to socially engineer HR or finance staff members into manually changing payroll instructions on behalf of Storm-2755, removing the need for further hands-on-keyboard activity.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/image-23.webp\" alt=\"An example email with several questions regarding direct deposit payments, such as where to send the void cheque, whether the payment can go to a new account, and requesting confirmation of the next payment date.\" class=\"wp-image-146430 webp-format\"><figcaption class=\"wp-element-caption\"><em>Figure 2. Example Storm-2755 direct deposit email<\/em><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">In similar recent campaigns, email content was tailored to the institution and referenced senior leadership contacts; Storm-2755\u2019s attack instead appears focused on compromising employees in Canada more broadly.<\/p>\n<p class=\"wp-block-paragraph\">Where Storm-2755 was unable to achieve changes to payroll information through user impersonation and social engineering of HR personnel, we observed a pivot to direct interaction and manual manipulation of HR software-as-a-service (SaaS) programs such as Workday. While the example below illustrates the attack flow as observed in Workday environments, it\u2019s important to note that similar techniques could be leveraged against any payroll provider or SaaS platform.<\/p>\n<h3 class=\"wp-block-heading\" id=\"defense-evasion\">Defense evasion<\/h3>\n<p class=\"wp-block-paragraph\">Following discovery activities, but prior to email impersonation, Storm-2755 created email inbox rules to move emails containing the keywords \u201cdirect deposit\u201d or \u201cbank\u201d to the compromised user\u2019s conversation history and stop further rule processing. This rule ensured that the victim would not see the email correspondence from their HR team regarding the malicious request for bank account changes, as this correspondence was immediately moved to a hidden folder.<\/p>\n<p class=\"wp-block-paragraph\">This technique was highly effective in disguising the account compromise from the end user, allowing the threat actor to discreetly continue redirecting payments to an actor-controlled bank account undisturbed.<\/p>\n<p class=\"wp-block-paragraph\">To further avoid potential detection by the account owner, Storm-2755 renewed the stolen session around 5:00 AM in the user\u2019s time zone, operating outside normal business hours to reduce the chance of a legitimate reauthentication that would invalidate their access.<\/p>\n<h3 class=\"wp-block-heading\" id=\"impact\">Impact<\/h3>\n<p class=\"wp-block-paragraph\">The compromise led to a direct financial loss for one user. In this case, Storm-2755 gained access to the user\u2019s account and created inbox rules to divert emails that contained \u201cdirect deposit\u201d or \u201cbank\u201d, effectively suppressing alerts from HR. Using the stolen session, the threat actor emailed HR to request changes to direct deposit details, and HR replied with instructions on how to make the change. 
This led Storm-2755 to manually sign in to Workday as the victim to update banking information, resulting in a payroll check being redirected to an attacker-controlled bank account.<\/p>\n<h2 class=\"wp-block-heading\" id=\"defending-against-storm-2755-and-aitm-campaigns\">Defending against Storm-2755 and AiTM campaigns<\/h2>\n<p class=\"wp-block-paragraph\">Organizations should mitigate AiTM attacks by revoking compromised tokens and sessions immediately, removing malicious inbox rules, and resetting credentials and MFA methods for affected accounts.<\/p>\n<p class=\"wp-block-paragraph\">To harden defenses, enforce device compliance through Conditional Access policies, implement phishing-resistant MFA, and block legacy authentication protocols. Storing data in a security information and event management (SIEM) solution enables defenders to quickly establish a clearer baseline of regular and irregular activity and to distinguish compromised sessions from legitimate activity.<\/p>\n<p class=\"wp-block-paragraph\">Enable <a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-defende\">Microsoft Defender<\/a> to automatically disrupt attacks, revoke tokens in real time, monitor for anomalous user-agents like Axios, and audit OAuth applications to prevent persistence. Finally, run phishing simulation campaigns to improve user awareness and reduce susceptibility to credential theft.<\/p>\n<p class=\"wp-block-paragraph\">To proactively protect against this attack pattern and similar patterns of compromise, Microsoft recommends:<\/p>\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/security\/zero-trust\/sfi\/phishing-resistant-mfa\">Implement phishing-resistant MFA where possible<\/a>: Traditional MFA methods such as SMS codes, email-based one-time passwords (OTPs), and push notifications are becoming less effective against today\u2019s attackers. Sophisticated phishing campaigns have demonstrated that second factors can be intercepted or spoofed.<\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/howto-conditional-access-session-lifetime\">Use Conditional Access policies to configure adaptive session lifetime policies<\/a>: Session lifetime and persistence can be managed in several different ways based on organizational needs. These policies are designed to restrict extended session lifetime by prompting the user for reauthentication. This reauthentication might involve only one first factor, such as a password, a FIDO2 security key, or passwordless Microsoft Authenticator, or it might require MFA.<\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/conditional-access\/concept-continuous-access-evaluation\">Leverage continuous access evaluation (CAE)<\/a>: For supporting applications, CAE ensures access tokens are re-evaluated in near real time when risk conditions change. CAE reduces the effectiveness of stolen access and refresh tokens by allowing access to be promptly revoked following user risk changes, credential resets, or policy enforcement events, limiting attacker persistence.\n<ol class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/entra\/global-secure-access\/overview-what-is-global-secure-access\">Consider Global Secure Access (GSA) as a complementary network control path<\/a>: Microsoft\u2019s Global Secure Access (Entra Internet Access + Entra Private Access) extends Zero Trust enforcement to the network layer, providing an identity-aware secure network edge that strengthens CAE signal fidelity, enables Compliant Network Conditional Access conditions, and ensures consistent policy enforcement across identity, device, and network\u2014forming a complete third managed path alongside identity and device controls.<\/li>\n<\/ol>\n<\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/defender-xdr\/alert-grading-playbook-inbox-manipulation-rules\">Create alerting for suspicious inbox-rule creation<\/a>: This alerting is essential to quickly identify and triage evidence of business email compromise (BEC) and phishing campaigns. The linked playbook helps defenders investigate any incident related to suspicious inbox manipulation rules configured by threat actors and take recommended actions to remediate the attack and protect networks.<\/li>\n<li class=\"wp-block-list-item\"><a href=\"https:\/\/learn.microsoft.com\/en-us\/intune\/intune-service\/protect\/device-compliance-get-started\">Secure organizational resources through Microsoft Intune compliance policies<\/a>: When integrated with Microsoft Entra Conditional Access policies, Intune offers an added layer of protection based on a device\u2019s current compliance status to help ensure that only compliant devices are permitted to access corporate resources.<\/li>\n<\/ol>\n<h2 class=\"wp-block-heading\" id=\"microsoft-defender-detection-and-hunting-guidance\">Microsoft Defender detection and hunting guidance<\/h2>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-defender\">Microsoft Defender<\/a> customers can refer to the list of applicable detections below. 
<a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-defender-xdr\">Microsoft Defender XDR<\/a> coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody>\n<tr>\n<td><strong>Tactic<\/strong><\/td>\n<td><strong>Observed activity<\/strong><\/td>\n<td><strong>Microsoft Defender coverage<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Credential access<\/td>\n<td>An OAuth device code authentication was detected in an unusual context based on user behavior and sign-in patterns.<\/td>\n<td><a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-defender-xdr\"><strong>Microsoft Defender XDR<\/strong><\/a> <br \/>\u2013 Anomalous OAuth device code authentication activity<\/td>\n<\/tr>\n<tr>\n<td>Credential access<\/td>\n<td>A possible token theft has been detected. A threat actor tricked a user into granting consent or sharing an authorization code through social engineering or AiTM techniques.<\/td>\n<td><a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-defender-xdr\"><strong>Microsoft Defender XDR<\/strong><\/a> <br \/>\u2013 Possible adversary-in-the-middle (AiTM) attack detected (ConsentFix)<\/td>\n<\/tr>\n<tr>\n<td>Initial access<\/td>\n<td>Token replay often results in sign-ins from geographically distant IP addresses. The presence of sign-ins from non-standard locations should be investigated further to validate suspected token replay.<\/td>\n<td><a href=\"https:\/\/www.microsoft.com\/security\/business\/identity-access\/microsoft-entra-id-protection\"><strong>Microsoft Entra ID Protection<\/strong><\/a> <br \/>\u2013 Atypical Travel <br \/>\u2013 Impossible Travel <br \/>\u2013 Unfamiliar sign-in properties (lower confidence)<\/td>\n<\/tr>\n<tr>\n<td>Initial access<\/td>\n<td>An authentication attempt was detected that aligns with patterns commonly associated with credential abuse or identity attacks.<\/td>\n<td><a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-defender-xdr\"><strong>Microsoft Defender XDR<\/strong><\/a> <br \/>\u2013 Potential Credential Abuse in Entra ID Authentication<\/td>\n<\/tr>\n<tr>\n<td>Initial access<\/td>\n<td>A successful sign-in using an uncommon user-agent and a potentially malicious IP address was detected in Microsoft Entra.<\/td>\n<td><a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-defender-xdr\"><strong>Microsoft Defender XDR<\/strong><\/a> <br \/>\u2013 Suspicious Sign-In from Unusual User Agent and IP Address<\/td>\n<\/tr>\n<tr>\n<td>Persistence<\/td>\n<td>A new device was suspiciously registered or joined to Entra for a user, originating from an IP address identified by Microsoft Threat Intelligence.<\/td>\n<td><a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-defender-xdr\"><strong>Microsoft Defender XDR<\/strong><\/a> <br \/>\u2013 Suspicious Entra device join or registration<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\" id=\"microsoft-security-copilot\">Microsoft Security Copilot<\/h3>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/ai-machine-learning\/microsoft-security-copilot\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security 
Copilot<\/a> is <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/security-copilot-in-microsoft-365-defender\" target=\"_blank\" rel=\"noreferrer noopener\">embedded in Microsoft Defender<\/a> and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.<\/p>\n<p class=\"wp-block-paragraph\">Customers can also <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/security-copilot-agents-defender\" target=\"_blank\" rel=\"noreferrer noopener\">deploy AI agents<\/a>, including the following <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/agents-overview\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security Copilot agents<\/a>, to perform security tasks efficiently:<\/p>\n<p class=\"wp-block-paragraph\">Security Copilot is also available as a <a href=\"https:\/\/learn.microsoft.com\/en-us\/copilot\/security\/experiences-security-copilot\" target=\"_blank\" rel=\"noreferrer noopener\">standalone experience<\/a> where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/developer\/custom-agent-overview\" target=\"_blank\" rel=\"noreferrer noopener\">developer scenarios<\/a> that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.<\/p>\n<h3 class=\"wp-block-heading\" id=\"threat-intelligence-reports\">Threat intelligence reports<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can use the following <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/threat-analytics\" target=\"_blank\" rel=\"noreferrer noopener\">threat analytics<\/a> reports in the Defender portal (requires a license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Microsoft Defender XDR threat analytics<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Microsoft Security Copilot customers can also use the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/security-copilot-and-defender-threat-intelligence?bc=%2Fsecurity-copilot%2Fbreadcrumb%2Ftoc.json&amp;toc=%2Fsecurity-copilot%2Ftoc.json#turn-on-the-security-copilot-integration-in-defender-ti\">Microsoft Security Copilot integration<\/a> in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/using-copilot-threat-intelligence-defender-xdr\">embedded experience<\/a> in the Microsoft Defender portal to get more information about this threat actor.<\/p>\n<h3 class=\"wp-block-heading\" 
id=\"hunting-queries\">Hunting queries<\/h3>\n<h4 class=\"wp-block-heading\" id=\"microsoft-defender-xdr\">Microsoft Defender XDR<\/h4>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can run the following queries to find related activity in their networks:<\/p>\n<p class=\"wp-block-paragraph\"><strong>Review inbox rules created to hide or delete incoming emails from Workday<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Results of the following query may indicate an attacker is trying to delete evidence of Workday activity.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nCloudAppEvents\n| where Timestamp &gt;= ago(1d)\n| where Application == \"Microsoft Exchange Online\" and ActionType in (\"New-InboxRule\", \"Set-InboxRule\")\n| extend Parameters = RawEventData.Parameters \/\/ extract inbox rule parameters\n| where Parameters has \"From\" and Parameters has \"@myworkday.com\" \/\/ inbox rules whose From condition references @myworkday.com\n| where Parameters has \"DeleteMessage\" or Parameters has \"MoveToFolder\" \/\/ email deletion or move to folder (hiding)\n| mv-apply Parameters on (where Parameters.Name == \"From\" | extend RuleFrom = tostring(Parameters.Value))\n| mv-apply Parameters on (where Parameters.Name == \"Name\" | extend RuleName = tostring(Parameters.Value))\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Review updates to payment election or bank account information in Workday<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The following query surfaces changes to payment accounts in Workday.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nCloudAppEvents\n| where Timestamp &gt;= ago(1d)\n| where Application == \"Workday\"\n| where ActionType == \"Change My Account\" or 
ActionType == \"Manage Payment Elections\"\n| extend Descriptor = tostring(RawEventData.target.descriptor)\n<\/pre>\n<\/div>\n<h4 class=\"wp-block-heading\" id=\"microsoft-sentinel\">Microsoft Sentinel<\/h4>\n<p class=\"wp-block-paragraph\">Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the <a href=\"https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy\">Microsoft Sentinel Content Hub<\/a> to have the analytics rule deployed in their Sentinel workspace.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Malicious inbox rule<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The query includes filters specific to inbox rule creation, operations for messages with <em>DeleteMessage<\/em>, and suspicious keywords. Note that its folder filter covers Deleted Items and Junk Email; the rules observed in this campaign moved messages to the conversation history folder, so extend the folder filter to cover the folders relevant to your environment.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\nlet Keywords = dynamic([\"direct deposit\", \"hr\", \"bank\"]);\nOfficeActivity\n| where OfficeWorkload =~ \"Exchange\"\n| where Operation =~ \"New-InboxRule\" and (ResultStatus =~ \"True\" or ResultStatus =~ \"Succeeded\")\n| where Parameters has \"Deleted Items\" or Parameters has \"Junk Email\" or Parameters has \"DeleteMessage\"\n| extend Events = todynamic(Parameters)\n| parse Events with * \"SubjectContainsWords\" SubjectContainsWords '}'*\n| parse Events with * \"BodyContainsWords\" BodyContainsWords '}'*\n| parse Events with * \"SubjectOrBodyContainsWords\" SubjectOrBodyContainsWords '}'*\n| where SubjectContainsWords has_any (Keywords) or BodyContainsWords has_any (Keywords) or SubjectOrBodyContainsWords has_any (Keywords)\n| extend ClientIPAddress = case(ClientIP has \".\", tostring(split(ClientIP, \":\")[0]), ClientIP has \"[\", tostring(trim_start(@'[[]', tostring(split(ClientIP, \"]\")[0]))), ClientIP)\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, iff(isnotempty(BodyContainsWords), BodyContainsWords, SubjectOrBodyContainsWords))\n| extend RuleDetail = case(OfficeObjectId contains '\/', tostring(split(OfficeObjectId, '\/')[-1]), tostring(split(OfficeObjectId, '\\\\')[-1]))\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId, RuleDetail\n| extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n| extend OriginatingServerName = tostring(split(OriginatingServer, \" \")[0])\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Detect network IP and domain indicators of compromise using ASIM<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The following query checks the domain IOC across data sources supported by the ASIM network session parser. The <em>DstDomain<\/em> field holds a hostname, so the indicator is supplied as a bare domain rather than a URL.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\n\/\/ Domain list - _Im_NetworkSession\nlet lookback = 30d;\nlet ioc_domains = dynamic([\"bluegraintours.com\"]);\n_Im_NetworkSession(starttime=todatetime(ago(lookback)), endtime=now())\n| where DstDomain has_any (ioc_domains)\n| summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated), EventCount=count() by SrcIpAddr, DstIpAddr, DstDomain, Dvc, EventProduct, EventVendor\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Detect domain and URL indicators of compromise using ASIM<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The following query checks the domain IOC against URLs across data sources supported by the ASIM web session parser; matching on the bare domain covers both HTTP and HTTPS requests.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; notranslate\" title>\n\/\/ Domain list - _Im_WebSession\nlet ioc_domains = dynamic([\"bluegraintours.com\"]);\n_Im_WebSession (url_has_any = ioc_domains)\n<\/pre>\n<\/div>\n<h2 class=\"wp-block-heading\" id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<p class=\"wp-block-paragraph\">In observed compromises associated with <em>hxxp:\/\/bluegraintours[.]com<\/em>, sign-in logs consistently showed a distinctive authentication pattern. This pattern included multiple failed sign\u2011in attempts with various causes followed by a failure citing Microsoft Entra error code <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity-platform\/reference-error-codes\">50199<\/a>, immediately preceding a successful authentication. Upon successful sign-in, the user-agent shifted to Axios, while the session ID remained unchanged\u2014an indication that an authenticated session token had been replayed rather than a new session established. 
This combination of error sequencing, user\u2011agent transition, and session continuity is characteristic of AiTM activity and should be evaluated together when assessing potential compromise tied to this domain.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"3\">\n<tr>\n<td><strong>Indicator<\/strong><\/td>\n<td><strong>Type<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><em>hxxp:\/\/bluegraintours[.]com<\/em><\/td>\n<td>URL<\/td>\n<td>Malicious website created to steal user tokens<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>axios\/1.7.9<\/td>\n<td>User-agent string<\/td>\n<td>User-agent string used during the AiTM attack<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\" id=\"acknowledgments\">Acknowledgments<\/h3>\n<h3 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h3>\n<p class=\"wp-block-paragraph\">For the latest security research from the Microsoft Threat Intelligence community, check out the <a href=\"https:\/\/aka.ms\/threatintelblog\">Microsoft Threat Intelligence Blog<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To get notified about new publications and to join discussions on social media, follow us on <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">LinkedIn<\/a>, <a href=\"https:\/\/x.com\/MsftSecIntel\">X (formerly Twitter)<\/a>, and <a href=\"https:\/\/bsky.app\/profile\/threatintel.microsoft.com\">Bluesky<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">Microsoft Threat Intelligence podcast<\/a>.<\/p>\n<p>READ MORE <a 
href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/09\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Incident Response \u2013 Detection and Response Team (DART) researchers observed an emerging, financially motivated threat actor, tracked as Storm-2755, compromising Canadian employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts.<br \/>\nThe post Investigating Storm-2755: \u201cPayroll pirate\u201d attacks targeting Canadian employees appeared first on Microsoft Security Blog. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[10758,10798],"class_list":["post-60457","post","type-post","status-publish","format-standard","hentry","category-microsoft-secure","tag-adversary-in-the-middle-aitm","tag-storm"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Investigating Storm-2755: \u201cPayroll pirate\u201d attacks targeting Canadian employees 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Investigating Storm-2755: \u201cPayroll pirate\u201d attacks targeting Canadian employees 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-09T15:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"432\" \/>\n\t<meta property=\"og:image:height\" content=\"435\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Investigating Storm-2755: \u201cPayroll pirate\u201d attacks targeting Canadian employees\",\"datePublished\":\"2026-04-09T15:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\\\/\"},\"wordCount\":2643,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Storm-2755-attack-chain-flow-scaled.webp\",\"keywords\":[\"Adversary-in-the-middle (AiTM)\",\"Storm\"],\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\\\/\",\"name\":\"Investigating Storm-2755: \u201cPayroll pirate\u201d attacks targeting Canadian employees 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Storm-2755-attack-chain-flow-scaled.webp\",\"datePublished\":\"2026-04-09T15:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Storm-2755-attack-chain-flow-scaled.webp\",\"contentUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Storm-2755-attack-chain-flow-scaled.webp\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.t
hreatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Adversary-in-the-middle (AiTM)\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/adversary-in-the-middle-aitm\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Investigating Storm-2755: \u201cPayroll pirate\u201d attacks targeting Canadian employees\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Investigating Storm-2755: \u201cPayroll pirate\u201d attacks targeting Canadian employees 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/","og_locale":"en_US","og_type":"article","og_title":"Investigating Storm-2755: \u201cPayroll pirate\u201d attacks targeting Canadian employees 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-04-09T15:00:00+00:00","og_image":[{"width":432,"height":435,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Investigating Storm-2755: \u201cPayroll pirate\u201d attacks targeting Canadian employees","datePublished":"2026-04-09T15:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/"},"wordCount":2643,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-2755-attack-chain-flow-scaled.webp","keywords":["Adversary-in-the-middle (AiTM)","Storm"],"articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/","url":"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/","name":"Investigating Storm-2755: \u201cPayroll pirate\u201d attacks targeting Canadian employees 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-2755-attack-chain-flow-scaled.webp","datePublished":"2026-04-09T15:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-2755-attack-chain-flow-scaled.webp","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/04\/Storm-2755-attack-chain-flow-scaled.webp"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Adversary-in-the-middle 
(AiTM)","item":"https:\/\/www.threatshub.org\/blog\/tag\/adversary-in-the-middle-aitm\/"},{"@type":"ListItem","position":3,"name":"Investigating Storm-2755: \u201cPayroll pirate\u201d attacks targeting Canadian employees"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60457","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60457"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60457\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}