Payroll accounts targeted by 'payroll pirate' attacks

Microsoft Threat Intelligence warned of 'payroll pirate' attacks by the Storm-2755 group that redirect Canadian salaries, highlighting a payroll-specific attack vector that affects payroll and benefits processors. The advisory flags this as a compliance and operational risk for HR tech vendors responsible for payroll flows and vendor account linkages. (x.com)

A worker can do everything right, use a code on their phone, and still have payday sent to a criminal’s bank account. Microsoft said a group it tracks as Storm-2755 did exactly that by breaking into employee payroll profiles and changing where salaries were deposited. (microsoft.com)

This was not a smash-and-grab attack on one company. Microsoft said Storm-2755 targeted Canadian users broadly, using geography instead of picking a single industry or employer. (microsoft.com)

The trick started in search results, not in a suspicious email. Microsoft said the attackers used malicious ads and search engine poisoning on generic terms so victims landed on fake Microsoft sign-in pages that looked normal enough to trust. (microsoft.com, helpnetsecurity.com)

Those fake pages were built as an adversary-in-the-middle attack, which is the online version of a criminal standing between you and the real bank teller. Instead of just stealing a password, the page captured the live sign-in session, which let Storm-2755 ride along as if it were the real employee. (microsoft.com)

That matters because multifactor authentication usually checks whether you know your password and have your phone. Microsoft said Storm-2755 stole authenticated sessions, so it could bypass that extra check and blend into ordinary business activity after the victim had already logged in. (microsoft.com)

Once inside, the group did not need ransomware or loud malware. Microsoft said the attackers used the employee’s real account to look for payroll and human resources contacts, then abused normal payroll workflows to redirect salary payments. (microsoft.com)

That is why this hits payroll vendors and benefits processors, not just the employee who clicked the wrong page. If a vendor account can change bank details or link payroll systems to outside accounts, one stolen session can turn a routine direct-deposit update into a theft event with compliance fallout. (microsoft.com)

Microsoft tied this campaign to direct financial loss for both workers and organizations. In plain terms, the attack skips the usual step of stealing company secrets and goes straight for wages, which makes the fraud visible only when payday arrives and the money is missing. (microsoft.com, bleepingcomputer.com)

Microsoft’s advice was unusually specific: use phishing-resistant multifactor authentication, investigate suspicious payroll changes, and revoke stolen sessions instead of only resetting passwords. A password reset locks the front door, but a stolen session is more like a copied visitor badge that can still open the office until security cancels it. (microsoft.com)

The bigger shift is that payroll itself has become the target surface. Microsoft said Storm-2755’s campaign was distinct in delivery and targeting, and that is a warning that human resources software now sits in the same threat category as email, banking, and identity systems. (microsoft.com)
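The two pieces of advice above, investigate suspicious payroll changes and revoke sessions rather than only resetting passwords, can be turned into a simple correlation check. The example below is added here and is not Microsoft's code or part of the advisory; the event shapes (sign-ins, password resets, payroll profile changes) and all sample values are constructed assumptions. It flags a direct-deposit change when the session that made it is being used from a different IP than the one it was issued to (a sign of a replayed stolen session), or when the session was issued before the user's last password reset and was never revoked.

```python
from datetime import datetime

# Constructed sample telemetry (not real logs). All times are UTC ISO-8601.
SIGNINS = [  # interactive sign-in that minted a session: (user, session_id, issued_at, ip)
    ("alice", "sess-A1", "2024-05-01T09:00:00", "203.0.113.10"),
    ("bob",   "sess-B1", "2024-05-01T08:30:00", "198.51.100.20"),
]
PASSWORD_RESETS = [("bob", "2024-05-01T10:00:00")]  # (user, reset_at)
PAYROLL_CHANGES = [  # (user, session_id, changed_at, ip, field)
    ("alice", "sess-A1", "2024-05-01T09:05:00", "203.0.113.10",  "mailing_address"),
    ("alice", "sess-A1", "2024-05-01T13:40:00", "192.0.2.77",    "direct_deposit_account"),
    ("bob",   "sess-B1", "2024-05-01T11:15:00", "198.51.100.20", "direct_deposit_account"),
]

def _ts(s):
    return datetime.fromisoformat(s)

def find_suspicious_payroll_changes(signins, resets, changes,
                                    sensitive=("direct_deposit_account",)):
    """Return findings for sensitive payroll changes made over a session that
    either moved networks since issuance or survived a later password reset."""
    sessions = {sid: (user, _ts(issued), ip) for user, sid, issued, ip in signins}
    last_reset = {}
    for user, when in resets:
        last_reset[user] = max(last_reset.get(user, datetime.min), _ts(when))
    findings = []
    for user, sid, when, ip, field in changes:
        if field not in sensitive:  # only bank-detail style fields are in scope
            continue
        reasons = []
        sess = sessions.get(sid)
        if sess is None:
            reasons.append("no interactive sign-in recorded for session")
        else:
            _, issued, issued_ip = sess
            if ip != issued_ip:  # token issued on one network, replayed from another
                reasons.append(f"session issued to {issued_ip} but used from {ip}")
            if user in last_reset and issued < last_reset[user] < _ts(when):
                reasons.append("session predates password reset and was not revoked")
        if reasons:
            findings.append({"user": user, "session": sid, "field": field, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_payroll_changes(SIGNINS, PASSWORD_RESETS, PAYROLL_CHANGES):
        print(f)
```

Both flagged cases call for revoking the session itself, not just rotating the password, and for holding the bank-detail change until the employee confirms it out of band.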

Shared from Scout - Be the smartest in the room.