Office 365 search results hijacked to steal paychecks

Summary
– A hacking group called Storm-2755 uses search engine poisoning and fake ads to direct Canadian employees to malicious Microsoft 365 login pages.
– Their attack uses an adversary-in-the-middle (AiTM) proxy to steal login credentials and session tokens, bypassing traditional multi-factor authentication.
– After compromising an email account, attackers search for payroll details and impersonate the employee to request fraudulent direct deposit changes from HR.
– To hide their activity, they create inbox rules that automatically move HR replies containing financial keywords to a hidden folder.
– Microsoft recommends using phishing-resistant MFA like FIDO2 security keys and implementing out-of-band verification for payroll changes.
A financially motivated threat actor is actively hijacking corporate email accounts to reroute employee paychecks into fraudulent bank accounts. Microsoft researchers have identified a campaign by a group they track as Storm-2755 that specifically targets Canadian workers. The attack chain begins with search engine poisoning and malicious advertisements for common terms like “Office 365” and even typos such as “Office 265.” Users clicking these links are directed to a highly convincing, counterfeit Microsoft 365 login portal.
This fake page serves a dual purpose. It harvests the victim’s username and password while simultaneously acting as a real-time proxy for the entire authentication session, forwarding the victim’s input to the real Microsoft 365 service. This technique, known as an adversary-in-the-middle (AiTM) attack, sidesteps traditional multi-factor authentication (MFA): the victim completes the MFA prompt themselves through the proxy, and the proxy captures the session token that the real service issues afterwards. Microsoft’s analysis notes the group used a specific version of the Axios HTTP client to replay these stolen tokens, which is why the Axios user-agent shows up in the sign-in logs of compromised tenants. Replaying the token lets them maintain access for as long as it remains valid without needing to phish the victim again.
For many compromised accounts, the attackers simply lurked in the background. In more targeted cases, they took the extra step of resetting the victim’s password and MFA settings. This ensured continued “ownership” of the account even after the initial stolen token expired. The ultimate objective was not just email access, but financial theft. Once inside, the hackers meticulously scoured the victim’s inbox for correspondence related to payroll, HR, and finance.
Posing as the legitimate employee, they then emailed the organization’s HR department from the compromised account to request a change in direct deposit information. Because the request originates from a trusted internal address, it often raises no immediate red flags. To prevent discovery, the attackers proactively create inbox rules that automatically move any HR replies containing keywords like “bank” or “direct deposit” to a hidden folder, keeping the victim unaware.
When social engineering HR personnel failed, Storm-2755 demonstrated adaptability by directly accessing HR software platforms. Microsoft reported instances where the group manually logged into services like Workday using stolen credentials to update banking details themselves, leading to direct financial loss for at least one employee.
While this campaign has a Canadian focus, the payroll diversion tactic is a global threat. To defend against such AiTM attacks, Microsoft strongly advocates for phishing-resistant MFA such as FIDO2 security keys or passkeys. These methods bind each authentication to the origin of the site the user is actually on: the authenticator signs a challenge together with the relying party identity, and the browser records the real page origin in the signed data, so an assertion produced on a look-alike domain fails verification at the legitimate service and a proxy has nothing usable to relay.
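To make the origin-binding concrete, here is an added illustration (not code from Microsoft or from the article) of the relying-party checks that cause a relayed FIDO2 assertion to fail. The domain names are constructed, and the authenticator’s signature is simulated with an HMAC on the standard library rather than the ECDSA/EdDSA key a real authenticator uses; the structure of what is signed, and which checks reject the relay, is the point.

```python
import hashlib
import hmac
import json

# Constructed example. The legitimate relying party is assumed to be
# login.microsoftonline.com; the phishing proxy host is a made-up name.
LEGIT_ORIGIN = "https://login.microsoftonline.com"
LEGIT_RP_ID = "login.microsoftonline.com"
PHISH_ORIGIN = "https://office265-login.example"

# Stand-in for the credential's private key (assumption: a real authenticator
# signs with an asymmetric key; HMAC is used here only so the block runs offline).
AUTHENTICATOR_KEY = b"constructed-credential-private-key"


def registrable_domain(origin: str) -> str:
    """Simplified browser rule: the RP ID defaults to the page's host, and a page
    on one domain is not allowed to request another domain's RP ID. A proxy page
    therefore cannot obtain an assertion for login.microsoftonline.com."""
    return origin.split("://", 1)[1].split("/", 1)[0]


def browser_get_assertion(page_origin: str, challenge: bytes) -> dict:
    """What browser + authenticator produce for the page the user is really on.
    clientDataJSON records the true origin; authenticatorData starts with
    sha256(rpId). The signature covers authenticatorData || sha256(clientDataJSON)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge.hex(),
        "origin": page_origin,
    }).encode()
    rp_id_hash = hashlib.sha256(registrable_domain(page_origin).encode()).digest()
    auth_data = rp_id_hash + bytes([0x01]) + (0).to_bytes(4, "big")  # flags=UP, counter=0
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party verification steps (from the WebAuthn flow) that defeat AiTM relay."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong type"
    if client_data.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    if client_data.get("origin") != LEGIT_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(LEGIT_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def direct_login(challenge: bytes) -> tuple:
    """User is on the real site: the assertion verifies."""
    return rp_verify(browser_get_assertion(LEGIT_ORIGIN, challenge), challenge)


def aitm_relay(challenge: bytes) -> tuple:
    """Proxy forwards the real service's challenge to the victim, whose browser is
    on the phishing origin, then relays the assertion unchanged. Rejected on origin."""
    return rp_verify(browser_get_assertion(PHISH_ORIGIN, challenge), challenge)


def aitm_relay_with_tampering(challenge: bytes) -> tuple:
    """Proxy rewrites the origin and rpIdHash to look legitimate before relaying.
    Both fields are covered by the signature, so the signature check fails."""
    a = browser_get_assertion(PHISH_ORIGIN, challenge)
    fixed = json.loads(a["clientDataJSON"])
    fixed["origin"] = LEGIT_ORIGIN
    a["clientDataJSON"] = json.dumps(fixed).encode()
    a["authenticatorData"] = hashlib.sha256(LEGIT_RP_ID.encode()).digest() + a["authenticatorData"][32:]
    return rp_verify(a, challenge)


if __name__ == "__main__":
    c = hashlib.sha256(b"constructed-server-challenge").digest()
    print("direct:", direct_login(c))
    print("relay:", aitm_relay(c))
    print("relay+tamper:", aitm_relay_with_tampering(c))
```

Contrast this with the password-plus-OTP flow the article describes: nothing in an OTP or push approval names the origin, so the proxy can forward it to the real service verbatim and collect the resulting session token.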
Organizations are advised to bolster their monitoring for specific indicators, including the Axios user-agent in sign-in logs and repeated non-interactive sign-ins at regular intervals, which is what scripted token replay looks like. Security teams should also alert on newly created inbox rules that filter messages on financial terms and move them out of the inbox. Crucially, HR and payroll departments must implement out-of-band verification, like a confirmed phone call to a number already on file, for any request to modify employee banking information, adding a critical layer of human scrutiny to a process that attackers are eager to automate.
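As an added example (not from Microsoft or the article), the three detections above run over constructed sample records. The field names are simplified and do not claim to match the exact Entra ID sign-in or Exchange Online audit schema, the user-agent version string is invented, and the thresholds are starting points to tune against your own baseline.

```python
import statistics
from datetime import datetime

# Constructed sample sign-in records (not real telemetry). "interactive" mirrors
# the interactive vs non-interactive sign-in distinction in Entra ID logs.
SIGNIN_LOGS = [
    # alice: hourly token replay from a script, non-interactive, Axios user-agent
    {"user": "alice@corp.example", "ts": "2025-01-10T08:00:02Z", "interactive": False, "ua": "axios/1.7.9", "ip": "203.0.113.5"},
    {"user": "alice@corp.example", "ts": "2025-01-10T09:00:01Z", "interactive": False, "ua": "axios/1.7.9", "ip": "203.0.113.5"},
    {"user": "alice@corp.example", "ts": "2025-01-10T10:00:02Z", "interactive": False, "ua": "axios/1.7.9", "ip": "203.0.113.5"},
    {"user": "alice@corp.example", "ts": "2025-01-10T11:00:01Z", "interactive": False, "ua": "axios/1.7.9", "ip": "203.0.113.5"},
    {"user": "alice@corp.example", "ts": "2025-01-10T12:00:02Z", "interactive": False, "ua": "axios/1.7.9", "ip": "203.0.113.5"},
    # bob: ordinary interactive browser logins
    {"user": "bob@corp.example", "ts": "2025-01-10T08:12:40Z", "interactive": True, "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "ip": "198.51.100.7"},
    {"user": "bob@corp.example", "ts": "2025-01-10T13:47:03Z", "interactive": True, "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "ip": "198.51.100.7"},
    # carol: legitimate non-interactive refreshes from a mail client, irregular timing
    {"user": "carol@corp.example", "ts": "2025-01-10T08:05:00Z", "interactive": False, "ua": "Outlook-iOS/2.0", "ip": "198.51.100.9"},
    {"user": "carol@corp.example", "ts": "2025-01-10T08:25:00Z", "interactive": False, "ua": "Outlook-iOS/2.0", "ip": "198.51.100.9"},
    {"user": "carol@corp.example", "ts": "2025-01-10T09:55:00Z", "interactive": False, "ua": "Outlook-iOS/2.0", "ip": "198.51.100.9"},
    {"user": "carol@corp.example", "ts": "2025-01-10T10:00:00Z", "interactive": False, "ua": "Outlook-iOS/2.0", "ip": "198.51.100.9"},
]

# Constructed inbox-rule creation events (New-InboxRule style audit records).
INBOX_RULE_EVENTS = [
    {"user": "alice@corp.example", "name": ".", "keywords": ["bank", "direct deposit"], "move_to": "RSS Feeds", "mark_read": True},
    {"user": "bob@corp.example", "name": "Newsletters", "keywords": ["newsletter"], "move_to": "Newsletters", "mark_read": False},
]

FINANCIAL_TERMS = ("bank", "direct deposit", "payroll", "routing", "account number")
# Folders attackers favour because users rarely open them (assumption: a common
# hunting heuristic, tune to your environment).
HIDE_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history", "archive", "junk email", "deleted items")


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def axios_signins(logs) -> list:
    """Indicator 1: any sign-in whose user-agent is the Axios HTTP client."""
    return sorted({(e["user"], e["ip"]) for e in logs if "axios" in e["ua"].lower()})


def regular_noninteractive(logs, min_events: int = 4, max_cv: float = 0.05) -> dict:
    """Indicator 2: non-interactive sign-ins at near-constant intervals per user.
    Regularity is measured as coefficient of variation of the gaps between events;
    human-driven clients are bursty, a replay loop is not. Returns user -> period (s)."""
    by_user = {}
    for e in logs:
        if not e["interactive"]:
            by_user.setdefault(e["user"], []).append(parse_ts(e["ts"]))
    hits = {}
    for user, times in by_user.items():
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits[user] = round(mean)
    return hits


def suspicious_inbox_rules(events) -> list:
    """Indicator 3: new rules that match financial terms AND hide the matching mail
    (move to a rarely viewed folder, delete, or mark as read). Blank or single-character
    rule names are a common attacker tell and are reported as an extra reason."""
    hits = []
    for ev in events:
        words = " ".join(ev.get("keywords", [])).lower()
        term_hit = any(t in words for t in FINANCIAL_TERMS)
        folder = ev.get("move_to", "").lower()
        hides = folder in HIDE_FOLDERS or ev.get("delete", False) or ev.get("mark_read", False)
        if not (term_hit and hides):
            continue
        reasons = ["financial keyword filter", "hides mail (" + (folder or "delete/mark read") + ")"]
        if not ev.get("name", "").strip(" ."):
            reasons.append("blank or dot rule name")
        hits.append((ev["user"], ev["name"], "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    print("axios sign-ins:", axios_signins(SIGNIN_LOGS))
    print("regular non-interactive:", regular_noninteractive(SIGNIN_LOGS))
    print("suspicious rules:", suspicious_inbox_rules(INBOX_RULE_EVENTS))
```

Note that carol’s non-interactive refreshes are not flagged even though they outnumber bob’s logins: the timing test, not the non-interactive flag alone, is what separates a mail client from a replay script, and the inbox-rule check requires both a financial keyword and a hiding action so that ordinary filing rules do not page the on-call analyst.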
(Source: Help Net Security)