Storm-2755

Storm-2755 is a financially motivated criminal threat actor tracked by Microsoft. The group is associated with "payroll pirate" attacks targeting Canadian users and employees, with reported impacts across multiple sectors including healthcare, manufacturing, and food services. Its objective is direct financial theft by redirecting employee salary payments to attacker-controlled bank accounts. Microsoft reported that Storm-2755 commonly gains initial access through SEO poisoning and malvertising on generic search terms such as "Office 365" and misspellings such as "Office 265," leading victims to actor-controlled infrastructure including bluegraintours[.]com. The group uses adversary-in-the-middle phishing against fake Microsoft 365 sign-in pages to steal credentials, session cookies, and OAuth access tokens, then replays those tokens to bypass non-phishing-resistant or legacy MFA protections. After account compromise, Storm-2755 searches compromised mailboxes and directories for payroll-, HR-, finance-, and direct-deposit-related content, including use of Microsoft Graph API reconnaissance to identify payroll and HR personnel. The actor sends emails from victim accounts, including messages with the subject line "Question about direct deposit," to socially engineer HR or finance staff into changing payroll instructions. When this fails, Microsoft observed the group directly accessing HR SaaS platforms such as Workday using stolen sessions and manually changing banking details. To maintain access and reduce detection, Storm-2755 has been observed renewing stolen sessions, creating malicious inbox rules to hide HR responses containing terms such as "bank" or "direct deposit," and in some cases changing passwords and MFA settings. Microsoft also observed recurring non-interactive OfficeHome sign-ins associated with the Axios 1.7.9 user-agent during token replay activity. Known alias in the provided content: storm_2755.