On April 9, 2026, Microsoft’s security researchers published their investigation into Storm-2755, a financially motivated threat actor running what they are calling “payroll pirate” attacks against Canadian employees. The campaign does not rely on malware, ransomware, or headline-grabbing intrusions. It relies on two things that are already inside your organization: a staff member who Googled “Office 365,” and an HR team that trusts email from colleagues.
The attack is straightforward in its design and devastating in its impact. A Canadian employee searches for “Office 365” or types a common misspelling, clicks on a poisoned ad or search result, and lands on a convincing but fraudulent Microsoft 365 login page. When they authenticate, Storm-2755 does not simply steal their password. The fraudulent page is an adversary-in-the-middle (AiTM) proxy: it relays the victim’s credentials and MFA response to Microsoft’s real sign-in service, so the MFA prompt the victim completes is genuine, and it captures the session token Microsoft issues once that prompt succeeds. The attacker then replays that token to access the victim’s account as a fully authenticated user. MFA is not broken; it is satisfied once by the victim and then reused by the attacker.
Why Your HR Team Is the Real Target
Once inside the victim’s inbox, Storm-2755 moves quickly and quietly. The group searches for emails referencing payroll, direct deposit, HR, and finance. It creates inbox rules that hide any replies containing words like “bank” or “direct deposit,” so the victim never sees the conversation happening in their name. Then it sends an email, appearing to come from the compromised employee, to the organization’s HR or payroll staff requesting a change to direct deposit information. If HR staff action the request, the next paycheque goes to a bank account Storm-2755 controls.
Where social engineering of HR staff fails, the group escalates. Microsoft’s investigation found that Storm-2755 also logged directly into HR software platforms, including Workday, using the stolen session to update direct deposit records manually, without involving the HR team at all. The FBI’s Internet Crime Complaint Center recorded more than 24,000 business email compromise complaints in 2025, with losses exceeding $3 billion, and this campaign fits squarely within that category.
What Standard Awareness Training Misses
In our work with mid-market Canadian enterprises, we consistently see security awareness programs that exist on paper but never reach the front-line employees who actually face the attacks. The gap between policy and practice is where incidents like this one are born. In the case of Storm-2755, the HR staff receiving the direct deposit change request are not making an error they could have caught with better phishing awareness. They are receiving an email from a real colleague’s actual account, and it looks exactly like every other payroll change request they have ever seen.
This is the part of POPP3R’s approach to managing human cyber risk that often surprises clients: human risk is not just about training employees to recognize suspicious emails. It is about designing workflows so that high-consequence actions, like changing where a salary goes, require verification steps that an attacker cannot intercept from a compromised inbox. An email from a colleague’s account is not verification. A phone call to a known number is.
What Your Organization Can Do This Week
Microsoft’s investigation identified several specific technical indicators that security teams can act on immediately. Any sign-in whose user-agent is the Axios HTTP client at version 1.7.9 (Axios identifies itself as axios/1.7.9 by default, and a real user’s browser never does) warrants investigation, as Storm-2755 uses this client to relay authentication between the victim and Microsoft’s authentication service. A failed sign-in with that user-agent still means the victim entered credentials on the phishing page. Inbox rules that match words like “bank,” “direct deposit,” or “payroll” and move, mark as read, or delete the message so it never appears in the inbox are a red flag that an account may already be compromised. For any suspected account, revoke sessions and tokens, delete the malicious inbox rules, and reset MFA methods before access is restored, then check the HR platform for direct deposit changes made during the window, since the group edits those records directly as well.
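As an added example (not Microsoft’s or POPP3R’s code), the following Python triages exported sign-in records and inbox rules for the two indicators above and lists the accounts to contain. It assumes the exports carry the Microsoft Graph signIn and messageRule field names (userAgent, status.errorCode, conditions.bodyOrSubjectContains, actions.moveToFolder and so on; adjust to your own export), and that the relay presents the default Axios user-agent form axios/1.7.9. All sample records are constructed.

```python
"""Triage helper for the two Storm-2755 indicators named in the text.

Added example, not code from Microsoft or POPP3R. Assumes Microsoft Graph
field names for sign-in records and inbox rules; sample data is constructed.
"""
import re
from dataclasses import dataclass

# Indicator 1: the Axios HTTP client at version 1.7.9. Axios sends
# "axios/<version>" as its User-Agent by default (assumed relay signature).
AXIOS_UA = re.compile(r"^axios/1\.7\.9\b", re.IGNORECASE)

# Indicator 2: inbox rules that hide payroll-related replies.
PAYROLL_TERMS = ("bank", "direct deposit", "payroll")
# messageRule actions that take a message out of the user's sight.
HIDING_ACTIONS = ("delete", "permanentDelete", "moveToFolder", "markAsRead")


@dataclass(frozen=True)
class Finding:
    user: str
    indicator: str
    detail: str


def flag_sign_ins(sign_ins):
    """One Finding per sign-in record whose user agent is axios/1.7.9.

    Failed attempts are included: a failure still shows the victim typed
    credentials into the phishing page, so the password must be rotated.
    """
    findings = []
    for s in sign_ins:
        ua = s.get("userAgent", "")
        if not AXIOS_UA.match(ua):
            continue
        ok = s.get("status", {}).get("errorCode", 0) == 0
        state = "success" if ok else "failure"
        findings.append(Finding(s["userPrincipalName"], "aitm-relay-user-agent",
                                f"{s['createdDateTime']} {state} from {s.get('ipAddress')} ua={ua}"))
    return findings


def flag_inbox_rules(user, rules):
    """One Finding per rule that matches a payroll term AND hides the message.

    Legitimate filing rules (e.g. move 'payroll' mail to a Payroll folder) are
    flagged too; the text calls these a red flag, so an analyst reviews them.
    """
    findings = []
    for r in rules:
        cond = r.get("conditions", {})
        terms = [t.lower() for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
                 for t in cond.get(key, [])]
        hits = sorted({t for t in terms if any(p in t for p in PAYROLL_TERMS)})
        acts = r.get("actions", {})
        hides = [a for a in HIDING_ACTIONS if acts.get(a)]
        if hits and hides:
            findings.append(Finding(user, "payroll-hiding-inbox-rule",
                                    f"rule {r.get('displayName')!r} matches {hits} and does {hides}"))
    return findings


def accounts_to_contain(findings):
    """Accounts needing session revocation, MFA reset, rule cleanup and an HR-platform check."""
    return sorted({f.user for f in findings})


# Constructed sample exports (not real log data).
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "a.tremblay@example.ca", "userAgent": "axios/1.7.9",
     "ipAddress": "203.0.113.7", "createdDateTime": "2026-04-02T13:04:11Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "a.tremblay@example.ca", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
     "ipAddress": "198.51.100.20", "createdDateTime": "2026-04-02T12:58:40Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "j.singh@example.ca", "userAgent": "axios/1.7.9",
     "ipAddress": "203.0.113.7", "createdDateTime": "2026-04-02T14:10:02Z", "status": {"errorCode": 50126}},
]
SAMPLE_RULES = {
    "a.tremblay@example.ca": [
        {"displayName": ".", "conditions": {"bodyOrSubjectContains": ["bank", "direct deposit"]},
         "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True}},
        {"displayName": "Newsletters", "conditions": {"subjectContains": ["newsletter"]},
         "actions": {"moveToFolder": "Reading"}},
    ],
    "m.chen@example.ca": [
        {"displayName": "Payroll", "conditions": {"subjectContains": ["payroll"]},
         "actions": {"moveToFolder": "Payroll"}},
    ],
}


def triage(sign_ins=SAMPLE_SIGN_INS, rules_by_user=SAMPLE_RULES):
    """Run both detections and return (findings, accounts_to_contain)."""
    findings = flag_sign_ins(sign_ins)
    for user, rules in rules_by_user.items():
        findings.extend(flag_inbox_rules(user, rules))
    return findings, accounts_to_contain(findings)


if __name__ == "__main__":
    found, contain = triage()
    for f in found:
        print(f"{f.user:28} {f.indicator:28} {f.detail}")
    print("contain:", ", ".join(contain))
```

Run against the constructed data, the sign-in check flags both Axios records (one successful, one failed), the rule check flags the hidden-reply rule with the single-character name and the legitimate “Payroll” filing rule for review, and three accounts land on the containment list. In production, pull the sign-in records from the Entra ID sign-in logs and the rules per mailbox, and treat the rule match as a prompt for analyst review rather than an automatic verdict.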
At the process level, every Canadian organization that runs payroll through a SaaS platform should require out-of-band verification before any direct deposit change is actioned. Out-of-band means a phone call to a number already on file, or in-person confirmation, through a channel that cannot be intercepted from the requester’s email account; a phone number supplied in the request itself does not count. This control closes the email path Storm-2755 is exploiting. The direct path, where the group edits bank details in the HR platform itself, needs its own control: notify the employee of every bank detail change through a channel other than email, and review such changes before the next pay run. For organizations uncertain how exposed their HR and finance workflows are, POPP3R’s cybersecurity services for Canadian organizations are designed to surface exactly these kinds of process gaps before attackers find them first.
The broader lesson from Storm-2755 is one that applies well beyond payroll: when an attacker can impersonate a colleague perfectly, the only defence is a process that assumes impersonation is possible. That assumption needs to be built into every high-value workflow, not just the ones that IT considers sensitive.
Sources
- Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees, Microsoft Security Blog, April 9, 2026
- Microsoft: Canadian employees targeted in payroll pirate attacks, Bleeping Computer, April 10, 2026
- Poisoned “Office 365” search results lead to stolen paycheques, Help Net Security, April 10, 2026