Payroll‑pirate SEO attacks
A campaign Microsoft calls Storm‑2755 hijacked routine web search results and used malvertising to steal payroll sessions and redirect wages, showing identity abuse can start in ordinary user workflows. The campaign targeted Canadian employees and highlights that session‑hijack and search‑originated compromises are a growing identity risk. (microsoft.com)
Someone in Canada searched for a routine work login, clicked a sponsored result, signed in on a page that looked normal, and later found their paycheck routed to a criminal’s bank account. Microsoft said on April 9, 2026 that the group behind this campaign, Storm-2755, used that path to target Canadian employees across industries, not one company at a time. (microsoft.com)

The trick worked because the attack started in an ordinary workflow: a web search for a payroll or Microsoft 365 page. Microsoft said Storm-2755 used malicious advertising and search engine manipulation on broad search terms, then filtered for users in Canada. (microsoft.com)

After the click, victims landed on an attacker-run sign-in page that sat between the employee and the real service like a fake receptionist copying your badge before waving you through. Microsoft calls that method adversary-in-the-middle, and it lets the attacker capture passwords and live sign-in tokens while the victim thinks they are logging in normally. (microsoft.com; microsoft.com)

That token is the important part because it is the digital wristband that says “this person already passed the check.” Microsoft said Storm-2755 reused stolen authenticated sessions to get around multifactor authentication, which is why even accounts with extra login prompts were still at risk. (microsoft.com; microsoft.com)

Once inside, the criminals did not need ransomware or noisy malware because payroll systems already contain the thing they wanted: the bank account field for direct deposit. Microsoft said Storm-2755 used compromised employee sessions to access human resources profiles and change salary payment details to attacker-controlled accounts. (microsoft.com)

This is the second Microsoft write-up in six months on “payroll pirate” fraud, but the earlier case looked different. In October 2025, Microsoft described Storm-2657 targeting United States universities and Workday accounts, while the April 2026 Storm-2755 campaign used broad Canada-focused search bait instead of a narrow sector list. (microsoft.com; microsoft.com)

That shift matters because it means the weak point was not one payroll vendor. Microsoft said any software as a service system holding human resources or payment data can be targeted if attackers can steal a session, and this campaign showed that the first compromise can begin with something as mundane as a search result. (microsoft.com; microsoft.com)

Microsoft’s defensive advice was less about one tool and more about changing the login path. The company recommended phishing-resistant multifactor authentication such as passkeys and stronger monitoring for suspicious payroll-profile changes, because a stolen session is much harder to use when the sign-in method cannot be replayed through a fake middleman. (microsoft.com; microsoft.com)

The unnerving part is how little drama the attack needed. No scary attachment arrived, no server room got locked up, and no employee had to install obvious malware; one search, one fake login, and one changed bank account were enough to move real wages out of the normal payroll run. (microsoft.com)
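
The monitoring for suspicious payroll-profile changes recommended above can be sketched as a correlation between session context and the bank-detail change itself. This is an added example, not Microsoft's detection logic or code from the write-up; the event schema, field names, action names and sample events are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events in a hypothetical schema (not a real product's log format).
EVENTS = [
    # alice's usual device and network
    {"ts": 100, "user": "alice", "session": "s1", "ip": "198.51.100.10", "ua": "Edge/Windows", "action": "sign_in"},
    {"ts": 160, "user": "alice", "session": "s1", "ip": "198.51.100.10", "ua": "Edge/Windows", "action": "view_payslip"},
    # session s2: sign-in arrives from an unfamiliar address, then the same session is used elsewhere
    {"ts": 900, "user": "alice", "session": "s2", "ip": "203.0.113.7", "ua": "Edge/Windows", "action": "sign_in"},
    {"ts": 960, "user": "alice", "session": "s2", "ip": "192.0.2.44", "ua": "python-client", "action": "bank_account_change"},
    # bob updates his own bank details from a context already seen in an earlier session
    {"ts": 200, "user": "bob", "session": "s3", "ip": "198.51.100.20", "ua": "Chrome/macOS", "action": "sign_in"},
    {"ts": 950, "user": "bob", "session": "s4", "ip": "198.51.100.20", "ua": "Chrome/macOS", "action": "sign_in"},
    {"ts": 990, "user": "bob", "session": "s4", "ip": "198.51.100.20", "ua": "Chrome/macOS", "action": "bank_account_change"},
]

SENSITIVE = {"bank_account_change"}  # hypothetical action name for a direct-deposit edit


def flag_payroll_changes(events):
    """Return alerts for payroll bank-detail changes made in sessions that look replayed."""
    session_ctx = defaultdict(set)                   # session -> {(ip, ua)} seen so far
    seen_in = defaultdict(lambda: defaultdict(set))  # user -> (ip, ua) -> {sessions}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ctx = (e["ip"], e["ua"])
        session_ctx[e["session"]].add(ctx)
        seen_in[e["user"]][ctx].add(e["session"])
        if e["action"] not in SENSITIVE:
            continue
        reasons = []
        # One authenticated session appearing from several client contexts suggests token reuse.
        if len(session_ctx[e["session"]]) > 1:
            reasons.append("session_seen_from_multiple_contexts")
        # The change comes from a context this user has never used in any earlier session.
        # A brand-new user with no history is flagged too, which is a review prompt, not a verdict.
        if seen_in[e["user"]][ctx] == {e["session"]}:
            reasons.append("context_not_in_user_baseline")
        if reasons:
            alerts.append({"user": e["user"], "session": e["session"], "ts": e["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_payroll_changes(EVENTS):
        print(alert)
```

Neither signal proves compromise on its own; they are meant to route a direct-deposit change to manual verification before the next payroll run.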