
Apr 11, 2026 · 6 min read

Hackers Are Stealing Employees' Paychecks by Poisoning "Office 365" Search Results

A threat group called Storm-2755 hijacks corporate email accounts, impersonates employees to HR, and reroutes salary payments to attacker-controlled bank accounts.


The Attack

Microsoft's Detection and Response Team disclosed on April 9, 2026 that a financially motivated threat group tracked as Storm-2755 is actively stealing employee salary payments. The attackers compromise corporate email accounts, impersonate the employee to HR, request direct deposit changes, and redirect paychecks to bank accounts they control.

The campaign primarily targets Canadian employees, though Microsoft has observed similar techniques deployed against organizations in other countries. In at least one documented case, an employee lost their entire paycheck to the scheme.

How It Starts: Poisoned Search Results

Storm-2755 gains initial access through SEO poisoning and malvertising. The group manipulates search engine results so that when employees search for generic terms like "Office 365" or common misspellings like "Office 265," a malicious domain appears at the top.

The fake page is a near-perfect replica of the Microsoft 365 sign-in experience. When an employee enters their credentials, the attacker infrastructure captures both the password and the authentication session token in real time. This is an adversary-in-the-middle (AiTM) attack: the attacker sits between the user and Microsoft's real login server, relaying everything back and forth while silently recording it.

How MFA Gets Bypassed

The technique bypasses standard multi-factor authentication because the attacker captures the authenticated session token, not just the password. Microsoft researchers found that Storm-2755 leverages version 1.7.9 of the Axios HTTP client to relay authentication tokens to attacker infrastructure, preserving valid sessions without requiring repeated sign-ins.

Once the attacker has a valid session token, they can access the victim's Microsoft 365 account as if they were the employee. Push notifications, SMS codes, and authenticator app approvals have already been completed by the real user during the initial login. The attacker simply reuses the resulting token.

Inside the Compromised Mailbox

Once inside an employee's email account, the attackers follow a systematic playbook:

  • Search for payroll keywords. The attacker searches the compromised mailbox for terms like "payroll," "HR," "direct deposit," and "bank" to identify the organization's payroll contacts and processes.
  • Send a deposit change request. Using the employee's own email address, the attacker sends a message to HR requesting a change to the employee's direct deposit banking information. Because the email comes from a legitimate internal address, it often passes without suspicion.
  • Hide the evidence. The attacker creates inbox rules that automatically filter any reply containing keywords like "direct deposit" or "bank," moving them out of the victim's inbox so alert emails from HR are never seen.
  • Escalate if needed. When social engineering HR fails, the attackers have been observed directly accessing HR software platforms like Workday to manually update banking information themselves.
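The inbox-rule step above is also the most visible artifact the attacker leaves behind, and it is what the "monitor for suspicious inbox rules" recommendation later in this article keys on. The following detector is an added example, not code from Microsoft or the article: it scans constructed records shaped like Microsoft 365 unified audit log entries for New-InboxRule/Set-InboxRule operations (parameter names assumed from the Exchange cmdlet parameters; user names, IPs and values are made up) and flags rules that match financial keywords and hide the matching mail.

```python
import re

# Constructed sample records resembling unified audit log AuditData for
# Exchange inbox-rule operations. Field and parameter names are assumptions
# based on the Exchange inbox-rule cmdlets; all values are made up.
SAMPLE_AUDIT_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "direct deposit;bank;payroll"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@example.net"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},   # benign: no financial keyword
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com", "ClientIP": "192.0.2.9",
     "Parameters": [{"Name": "Identity", "Value": "HR stuff"},
                    {"Name": "BodyContainsWords", "Value": "Direct Deposit"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
KEYWORD_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"}
HIDING_ACTIONS = {"MoveToFolder", "DeleteMessage", "MarkAsRead"}
FINANCIAL_KEYWORDS = ("payroll", "direct deposit", "bank", "salary", "hr")

def params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def suspicious_rule(record):
    """Return a finding string if the rule filters financial keywords AND hides
    the matching mail (moves, deletes or marks read); otherwise None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    p = params(record)
    words = set()
    for name in KEYWORD_PARAMS & p.keys():
        words.update(w.strip().lower() for w in p[name].split(";") if w.strip())
    # whole-word match so "hr" does not fire on words like "thread"
    hits = sorted(w for w in words
                  if any(re.search(rf"\b{re.escape(k)}\b", w) for k in FINANCIAL_KEYWORDS))
    actions = sorted(a for a in HIDING_ACTIONS if a in p)
    if hits and actions:
        return f"{record.get('UserId')} from {record.get('ClientIP')}: keywords {hits} -> {actions}"
    return None

def scan(records):
    """Run the detector over a batch of audit records and return all findings."""
    return [f for f in (suspicious_rule(r) for r in records) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_RECORDS):
        print("ALERT:", finding)
```

In production the records would come from the audit log export (for example via the Exchange Online Search-UnifiedAuditLog cmdlet) and the alert would feed the SIEM, with the rule creator's sign-in location correlated as the article suggests.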

Why This Is Hard to Detect

The attack is effective because it uses the employee's legitimate email account. There are no spoofed sender addresses, no suspicious external domains, and no malware payloads that a gateway scanner would flag. The deposit change request looks exactly like a normal employee email because it is one.

The inbox rules that hide HR replies add another layer of stealth. The victim does not see the confirmation email from HR, does not see any follow-up questions, and may not discover the theft until their next pay period.

This technique is part of a broader trend in business email compromise where attackers have shifted from crude impersonation to direct account takeover.

What Organizations Should Do

Microsoft recommends several defenses against payroll pirate attacks:

  • Deploy phishing-resistant MFA. FIDO2 security keys and WebAuthn passkeys are immune to AiTM token theft because the authentication is bound to the legitimate domain. Push notifications and SMS codes are not sufficient.
  • Require out-of-band verification for deposit changes. HR teams should confirm any direct deposit modification through a separate channel, such as an in-person request or a phone call to a known number, never by replying to the email.
  • Monitor for suspicious inbox rules. New email rules that filter keywords like "payroll," "direct deposit," or "bank" should trigger immediate security alerts.
  • Audit mailbox activity. Unusual mailbox searches, bulk email forwarding, or sign-ins from unfamiliar locations should be flagged and investigated.
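To make the first point concrete, here is an added simulation (not code from the article or from any WebAuthn library) of the two checks a relying party performs on a WebAuthn assertion that an AiTM proxy cannot satisfy: the browser writes the page's real origin into clientDataJSON, and the authenticator hashes the relying party ID into authenticatorData. The signature step is deliberately omitted to isolate the origin binding; the relying party ID, expected origin and phishing domain are assumed values for illustration.

```python
import base64
import hashlib
import json

RP_ID = "login.microsoftonline.com"                 # assumed relying party ID
EXPECTED_ORIGIN = "https://login.microsoftonline.com"  # assumed legitimate origin
CHALLENGE = bytes(range(32))                         # constructed server challenge

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_assertion(page_origin: str, challenge: bytes):
    """Simulate the browser + authenticator. The browser fills in the origin of the
    page that invoked navigator.credentials.get(); the relying party ID is scoped
    to that page's domain, so a phishing page cannot name the real RP ID."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    page_domain = page_origin.split("://", 1)[1]
    rp_id_hash = hashlib.sha256(page_domain.encode()).digest()
    flags = b"\x01"                                  # user-present bit set
    sign_count = (1).to_bytes(4, "big")
    return client_data, rp_id_hash + flags + sign_count

def relying_party_verify(client_data: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Return 'ok' or the reason the assertion was rejected."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if data.get("challenge") != b64url(challenge):
        return "challenge mismatch (replay)"
    if data.get("origin") != EXPECTED_ORIGIN:
        return f"origin mismatch: {data.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch: credential scoped to another domain"
    # real implementations verify the signature over auth_data || sha256(client_data) here
    return "ok"

def login_outcome(page_origin: str) -> str:
    """Full round trip: the server's challenge reaches the browser (directly or
    relayed by a proxy), the assertion comes back, the server verifies it."""
    client_data, auth_data = browser_assertion(page_origin, CHALLENGE)
    return relying_party_verify(client_data, auth_data, CHALLENGE)

if __name__ == "__main__":
    print("real site :", login_outcome(EXPECTED_ORIGIN))
    print("AiTM proxy:", login_outcome("https://office-365-login.example"))  # constructed phishing domain
```

The proxy can relay the challenge and the response byte for byte; what it cannot change is the origin the victim's browser recorded, so the session the attacker hoped to capture is never issued.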

What Employees Should Do

  • Bookmark your login page. Never search for "Office 365" and click the first result. Use a saved bookmark or type the URL directly.
  • Check your inbox rules. In Outlook, go to Settings and then Mail and then Rules. Look for any rules you did not create, especially those filtering financial keywords.
  • Verify deposit changes independently. If your HR department contacts you about a deposit change you did not request, report it to your IT security team immediately.
  • Use a password manager. Password managers only autofill credentials on the correct domain, which means they will not fill in your password on a phishing page.

The Bottom Line

Storm-2755 demonstrates that email account compromise is not just about reading your messages. A single hijacked mailbox gives an attacker the ability to impersonate you to your own company, redirect your salary, and hide the evidence before you notice. The defense starts with phishing-resistant authentication and out-of-band verification for any financial change.