The Phantom Payroll Heist: How Cybercriminals Looted Canadian Paychecks
Subtitle: Sophisticated hackers bypassed security to siphon salaries in a wave of payroll “pirate” attacks, exposing critical weaknesses in workplace defenses.
It began as a trickle of missing paychecks. Then came the frantic calls to HR, the confusion among employees, and the chilling realization: someone, somewhere, was rerouting Canadian workers’ hard-earned salaries into criminal hands. The culprits? A shadowy cybercrime group known as Storm-2755, armed with cutting-edge phishing tactics and a keen eye for payroll vulnerabilities.
The attack unfolded with remarkable cunning. Storm-2755 lured victims onto malicious websites disguised as Microsoft 365 login pages. By manipulating search results and deploying malvertising, these fake sites appeared trustworthy, tricking employees into entering their credentials. But this wasn’t ordinary phishing. The hackers intercepted the entire authentication process in real time, capturing not just passwords but the session tokens and cookies that prove a user’s identity to Microsoft’s cloud services.
With these digital keys in hand, Storm-2755 sidestepped multifactor authentication (MFA), the security measure that typically requires a code sent to a phone or app. By replaying the stolen tokens, the attackers gained undetected access to victims’ inboxes and HR tools. They set up stealthy inbox rules to hide any emails mentioning “direct deposit” or “bank,” ensuring employees remained clueless as their payroll details were quietly hijacked.
The next phase was pure social engineering. The criminals impersonated employees, emailing human resources with urgent requests to update banking details. If HR staff didn’t fall for the ruse, Storm-2755 used the stolen sessions to log directly into payroll systems like Workday, manually changing deposit information and diverting salaries to accounts under their control.
Microsoft, which uncovered the campaign, warns that such “payroll pirate” attacks are a growing variant of business email compromise (BEC) scams. These attacks are lucrative: last year alone, BEC fraud accounted for over $3 billion in reported losses, second only to investment scams. Earlier this year, a related group, Storm-2657, targeted U.S. university employees with similar tactics.
Experts say the best defense starts with blocking outdated authentication methods and implementing phishing-resistant MFA, such as hardware security keys. If compromise is suspected, immediate action is crucial to stem the damage: revoking tokens, deleting malicious inbox rules, and resetting credentials.
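To make the inbox-rule step concrete from the defender's side, here is an added example (not from the article, from Microsoft, or from any product) that scans a mailbox's inbox rules, in the shape the Microsoft Graph messageRule resource returns them, and flags rules that match payroll terms and then delete, hide, or forward the mail. The sample rules and the corporate domain example.com are constructed for the demonstration.

```python
# Added example: triage Microsoft 365 inbox rules for "payroll pirate" cover rules.
# Field names follow the Graph API messageRule schema; sample data below is constructed.

PAYROLL_TERMS = ("direct deposit", "bank", "payroll", "salary", "pay stub")
HIDING_ACTIONS = ("delete", "markAsRead", "moveToFolder", "forwardTo")
CORP_DOMAIN = "@example.com"  # assumed corporate mail domain for the demo


def _text_conditions(rule):
    """Collect every subject/body string the rule matches on, lower-cased."""
    cond = rule.get("conditions") or {}
    values = []
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
        values.extend(cond.get(key) or [])
    return [v.lower() for v in values]


def assess_rule(rule):
    """Return the reasons a rule looks like payroll-hijack cover; [] means benign."""
    reasons = []
    if not rule.get("isEnabled", True):
        return reasons  # disabled rules cannot hide anything
    terms = [t for t in PAYROLL_TERMS if any(t in v for v in _text_conditions(rule))]
    actions = rule.get("actions") or {}
    hiding = [a for a in HIDING_ACTIONS if actions.get(a)]
    if terms and hiding:
        reasons.append(f"matches payroll terms {terms} and hides mail via {hiding}")
    # Throwaway names ('.', ',', a single letter) are a common sign of attacker-made rules
    name = rule.get("displayName", "").strip()
    if len(name) <= 1 or not any(ch.isalnum() for ch in name):
        reasons.append("suspicious one-character or punctuation-only rule name")
    # Auto-forwarding matching mail outside the tenant is a classic BEC persistence step
    for recipient in actions.get("forwardTo") or []:
        addr = recipient.get("emailAddress", {}).get("address", "")
        if addr and not addr.lower().endswith(CORP_DOMAIN):
            reasons.append(f"forwards matching mail outside the tenant to {addr}")
    return reasons


def find_suspicious_rules(rules):
    """Map each suspicious rule id to its reasons; benign rules are omitted."""
    return {r["id"]: rs for r in rules if (rs := assess_rule(r))}


# Constructed sample: one benign rule and two in the style described in the article.
SAMPLE_RULES = [
    {"id": "r1", "displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "AAMk-newsletters"}},
    {"id": "r2", "displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["direct deposit", "bank"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"id": "r3", "displayName": "payroll", "isEnabled": True,
     "conditions": {"subjectContains": ["Payroll"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "acct@mail-drop.invalid"}}],
                 "markAsRead": True}},
]
```

Running `find_suspicious_rules` over rules pulled per mailbox after a suspected token theft gives an incident responder the list of rules to delete alongside the token revocation and credential reset.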
As businesses increasingly rely on cloud services and digital payroll, the stakes have never been higher. The Storm-2755 campaign is a wake-up call: in the battle for our paychecks, vigilance and modern defenses are no longer optional; they’re essential.
WIKICROOK
- Adversary: An adversary is any person or group attempting to breach computer systems or data, often for malicious purposes like theft or disruption.
- Session token: A session token is a unique digital code that keeps users logged in to websites or apps. If stolen, attackers can access accounts without a password.
- Business Email Compromise (BEC): Business Email Compromise (BEC) is a scam where criminals hack or impersonate business emails to trick companies into sending money to fraudulent accounts.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- Malvertising: Malvertising is the use of online ads to spread malware, often by tricking users into clicking harmful links, even on trusted websites.