
Microsoft: Canadian employees targeted in payroll pirate attacks

Why This Matters

This incident highlights the evolving sophistication of cyber threats targeting payroll systems, emphasizing the need for enhanced security measures beyond traditional MFA. As attackers exploit session hijacking and social engineering, organizations must adopt more resilient authentication and monitoring strategies to protect sensitive employee data and financial assets.

Key Takeaways

A financially motivated threat actor tracked as Storm-2755 is stealing Canadian employees' salary payments after hijacking their accounts in payroll pirate attacks.

The attackers stole victims' authentication tokens and session cookies with malicious Microsoft 365 sign-in pages: victims were redirected to attacker-controlled domains (e.g., bluegraintours[.]com) hosting pages that masqueraded as Microsoft 365 sign-in forms and had been pushed to the top of search engine results through malvertising or SEO poisoning.

This allowed Storm-2755 to bypass multifactor authentication (MFA) in adversary-in-the-middle (AiTM) attacks by replaying stolen session tokens rather than re-authenticating.

"Rather than harvesting only usernames and passwords, AiTM frameworks proxy the entire authentication flow in real time, enabling the capture of session cookies and OAuth access tokens issued upon successful authentication," Microsoft explained.

"Due to these tokens representing a fully authenticated session, threat actors can reuse them to gain access to Microsoft services without being prompted for credentials or MFA, effectively bypassing legacy MFA protections not designed to be phishing-resistant."

Storm-2755 attack flow (Microsoft)

After gaining access to an employee's account, the attacker created inbox rules that automatically moved messages from human resources staff containing the words "direct deposit" or "bank" to hidden folders, preventing the victim from seeing the correspondence.

In the next stage, they searched the compromised mailbox for "payroll," "HR," "direct deposit," and "finance," then sent emails to human resources staff with the subject line "Question about direct deposit" to trick staff into updating banking information.

Where social engineering failed, the attacker logged directly into HR software platforms such as Workday, using the stolen session to manually update direct deposit details.
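As an added, defender-side example that is not part of the article or Microsoft's report: the script below triages audit records for the inbox-rule stage described above, flagging newly created rules whose conditions match payroll terms and whose actions move, delete or mark-as-read the mail. The record shape, the field names and the sample entries are constructed for illustration (the parameter names follow the Exchange New-InboxRule cmdlet; the JSON layout is an assumption).

```python
import json

# Terms the attack keyed on in its inbox rules (from the article)
# plus "payroll"; matched case-insensitively as substrings.
PAYROLL_TERMS = ("direct deposit", "bank", "payroll")
# New-InboxRule parameters that select messages by their text.
CONTENT_CONDITIONS = ("SubjectContainsWords", "BodyContainsWords",
                      "SubjectOrBodyContainsWords")
# New-InboxRule parameters that take a message out of the user's sight.
HIDING_ACTIONS = ("MoveToFolder", "DeleteMessage", "MarkAsRead")

# Constructed sample records shaped like unified-audit-log entries (Operation
# plus a Parameters name/value list). Assumed format and made-up data.
SAMPLE_LOG = [
    '{"UserId": "alice@example.com", "Operation": "New-InboxRule", "Parameters": ['
    '{"Name": "Name", "Value": "Archive old"}, '
    '{"Name": "SubjectOrBodyContainsWords", "Value": "direct deposit;bank"}, '
    '{"Name": "MoveToFolder", "Value": "RSS Subscriptions"}, '
    '{"Name": "MarkAsRead", "Value": "True"}]}',
    '{"UserId": "bob@example.com", "Operation": "New-InboxRule", "Parameters": ['
    '{"Name": "Name", "Value": "Newsletters"}, '
    '{"Name": "From", "Value": "news@example.net"}, '
    '{"Name": "MoveToFolder", "Value": "Newsletters"}]}',
    '{"UserId": "carol@example.com", "Operation": "Set-Mailbox", "Parameters": ['
    '{"Name": "Identity", "Value": "carol"}]}',
]


def rule_params(record):
    """Flatten the Parameters list into a {name: value} dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def classify_rule(record):
    """Return a finding if the record creates a rule hiding payroll mail, else None."""
    if record.get("Operation") != "New-InboxRule":
        return None
    params = rule_params(record)
    text = " ".join(params[c] for c in CONTENT_CONDITIONS if c in params).lower()
    terms = [t for t in PAYROLL_TERMS if t in text]
    actions = [a for a in HIDING_ACTIONS if a in params]
    if not (terms and actions):
        return None  # benign rule: no payroll terms, or nothing hidden
    return {"user": record.get("UserId"), "rule": params.get("Name", ""),
            "terms": terms, "actions": actions}


def find_suspicious_rules(lines):
    """Parse one JSON record per line and return the findings worth an analyst's look."""
    return [f for f in (classify_rule(json.loads(ln)) for ln in lines) if f]
```

A rule that only matches a sender address (the second record) or an unrelated operation (the third) produces no finding; only the rule that both matches payroll terms and hides the message is reported.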

Storm-2755 emailing HR staff (Microsoft)
