Storm-2755 Hijacks Canadian Payroll via AiTM Attacks

Article Highlights
Off On

A Canadian professional wakes up on a Friday morning expecting the comfort of a fresh direct deposit, only to discover their checking account remains stubbornly and inexplicably empty. This jarring reality is becoming increasingly common across the Canadian workforce as a sophisticated threat actor known as Storm-2755 bypasses digital safeguards that were once considered impenetrable. The victim’s security logs show a successful login, complete with multi-factor authentication (MFA) verification, yet the funds have vanished into the digital ether. This silent intrusion represents a significant shift in the cybercrime landscape, where the traditional security perimeter is no longer breached by brute force, but rather quietly circumvented through the theft of active user sessions.

The Invisible Thief in the Digital Paycheck

The modern security architecture relies heavily on the assumption that a successful MFA challenge equals a legitimate user. However, Storm-2755 exploits a fundamental paradox: a login can be verified and “secure” while remaining entirely under the control of an adversary. By hijacking the session token rather than just the password, attackers effectively step into the victim’s shoes after the security gate has already closed. This technical sleight of hand allows them to bypass the very shields designed to protect sensitive payroll data.

This transition from credential harvesting to session hijacking has rendered many traditional defense layers obsolete. Employees often follow every security protocol, yet they find themselves powerless as their digital identities are cloned in real-time. The sophistication of these attacks lies in their ability to remain invisible to the end user, who sees nothing more than a standard, albeit slightly sluggish, login process. Because the adversary possesses a valid session token, the internal systems of an organization continue to trust the connection, unaware that a silent thief is now navigating the corporate payroll infrastructure.

The Evolution of the “Payroll Pirate” Campaign

Storm-2755 has emerged as a formidable, financially motivated group with a sharp focus on the Canadian workforce. While previous iterations of payroll fraud relied on crude phishing emails and social engineering, this group has transitioned toward advanced Adversary-in-the-Middle (AiTM) frameworks. This evolution reflects a growing maturity in their operational capabilities, allowing them to target a broad spectrum of industries without needing to tailor their technical tools for each specific vertical.

The campaign is notably industry-agnostic, affecting small businesses and large-scale enterprises alike. By focusing on the mechanics of payroll rather than the specific nature of a business, the group ensures a consistent flow of illicit revenue. These “payroll pirates” have fine-tuned their workflows to maximize efficiency, moving from the initial compromise to the redirection of funds with surgical precision. This systematic approach suggests a highly organized structure behind Storm-2755, one that prioritizes the high-value returns found in redirected salaries over more destructive, but often less profitable, ransomware attacks.

The Anatomy of an AiTM Session Hijack

The assault begins with a calculated lure, often utilizing SEO poisoning and malvertising to place fraudulent Microsoft 365 sign-in pages at the top of search results. Unsuspecting employees searching for productivity tools or login portals are funneled toward these rogue domains. These pages are identical to legitimate interfaces, designed to capture the initial interest of the victim and prompt a standard login attempt. Once the user enters their credentials, the technical interception begins in earnest through a sophisticated proxy server. This proxy server acts as the “man in the middle,” passing communication between the user and the legitimate service provider in real-time. When the user completes their MFA challenge, the attacker intercepts the resulting session token—the digital “hall pass” that grants ongoing access without further verification. By possessing this token, Storm-2755 gains immediate, full access to the victim’s account. They maintain persistence by utilizing the Axios HTTP client and exploiting vulnerabilities like CVE-2025-27152 to establish a relay infrastructure. To avoid detection, they often schedule session renewals during early morning hours when security monitoring is less likely to flag suspicious activity.

Executing the Heist: Direct Deposit Diversion

Once the attackers have solidified their presence within an account, they conduct rapid, automated reconnaissance. They scan mailboxes for keywords like “direct deposit,” “payroll,” and “Workday” to understand how the organization handles financial changes. The heist is then executed through one of two primary methods. In the first scenario, the attacker sends an email to the HR department directly from the victim’s account, requesting a change in banking details. Because the request originates from an internal, legitimate address, it often bypasses standard external email filters and triggers less scrutiny from HR personnel.

Alternatively, the group may log directly into HR management platforms to manually update banking information. They use the stolen session tokens to navigate these platforms as if they were the employee. To ensure the victim remains oblivious, Storm-2755 implements malicious inbox rules that automatically delete or archive any confirmation emails or notifications from the HR system. This operational workflow ensures that the redirection is successful and remains undetected until the actual payday arrives, at which point the funds are already moving through a complex network of laundered accounts.

Defensive Strategies Against Session-Level Compromise

Defending against an adversary that bypasses MFA requires a fundamental shift toward phishing-resistant authentication methods. Moving away from SMS-based or app-based codes in favor of FIDO2 security keys provides a hardware-level defense that cannot be intercepted by proxy servers. These keys bind the authentication process to the specific website’s origin, making it impossible for a stolen token to be used elsewhere. Organizations that adopted these standards saw a significant reduction in successful session hijacking attempts, as the physical requirement for the key breaks the attacker’s automated relay chain.

Beyond authentication, security teams implemented Continuous Access Evaluation (CAE) to monitor sessions in real-time. This technology allows for the immediate revocation of access tokens if suspicious behavior, such as a sudden geographic shift or an unusual device profile, is detected. Hardening conditional access policies to enforce shorter session lifetimes also limited the window of opportunity for attackers. Furthermore, HR departments established out-of-band verification processes, requiring a phone call or in-person confirmation for any changes to banking information. These combined technical and procedural layers moved the defense from a reactive posture to a proactive strategy that prioritized session integrity.

Explore more

Compliance Drives Regulated B2B Influencer Marketing in 2026

The shifting landscape of digital authority has fundamentally transformed how enterprise-level organizations engage with industry experts and thought leaders across global markets. As the professional world moves deeper into this period of technological saturation, the superficial tactics of the past have been replaced by a rigorous commitment to transparency and legal precision. In earlier years, the simple inclusion of a

Transforming Voice of the Customer Into Predictive Action

Corporate boardrooms often overflow with real-time dashboards and complex analytics, yet many organizations still find themselves blindsided by sudden shifts in customer loyalty and market demand. While the technology to capture feedback has become ubiquitous, the structural ability to interpret and act upon that data in a meaningful timeframe remains remarkably rare for the average enterprise. Most traditional systems are

How Will Databricks CustomerLake Redefine Agentic Marketing?

The ongoing evolution of the digital landscape has forced a radical reconsideration of how enterprises capture, process, and ultimately utilize the vast oceans of consumer data generated every second of the day. Modern marketing departments have long struggled with the paradox of having too much information but not enough actionable insight to drive meaningful consumer interactions in real time. The

How Can Small Banks Compete With Global Financial Giants?

Nikolai Braiden has seen the evolution of financial architecture from its early blockchain roots to the current wave of institutional modernization, and today he joins us to dissect a pivotal shift in venture capital. With BankTech Ventures recently deploying $15 million into AI and stablecoin solutions, the landscape for regional banking is undergoing a profound transformation. Braiden’s perspective as an

Bullski Presale Tops the List of Best Meme Coins for 2026

The current cryptocurrency market in 2026 has transitioned into a highly sophisticated arena where institutional standards and community-driven viral momentum converge to create unique financial opportunities. Investors are no longer satisfied with speculative assets lacking fundamental safeguards, leading to a significant shift toward projects that prioritize technical transparency and structured growth. In this evolving landscape, the Bullski presale has emerged