Microsoft Canada Employees Hit by Payroll Data Breach
Microsoft: Threat Actors Target Canadian Employees in Payroll Pirate Attacks
In recent weeks, a financially motivated threat actor tracked as Storm-2755 has been compromising the accounts of Canadian employees, stealing their salary payments in a series of payroll pirate attacks.
Sophisticated Technique Used by Attackers
The attackers use an adversary-in-the-middle (AiTM) phishing technique, in which a fake login page intercepts and manipulates the user's authentication flow, allowing them to bypass multifactor authentication (MFA).
These AiTM phishing pages are pushed to the top of search engine results through malvertising or search engine optimization (SEO) poisoning, making it difficult for users to distinguish between legitimate and fake login pages.
Cases Where Social Engineering Attempts Fail
In cases where social engineering attempts fail, the attackers send targeted phishing emails to HR staff, posing as requests for updates to direct deposit information.
Mitigation Measures Recommended by Microsoft
- Implementing phishing-resistant MFA
- Revoking compromised tokens and sessions immediately upon detection
- Resetting affected accounts with new MFA methods and credentials
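As an added illustration (not from the article, and not Microsoft's own detection logic), one check a defender can run over normalized sign-in and HR-system logs to catch both paths the article describes: a direct-deposit change shortly after a sign-in from an IP the employee has never used (the trace a hijacked AiTM session leaves), and a change made by a third party such as HR staff with no recent sign-in by the employee. The event shapes, field names, IP baseline and sample values are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article), shaped like normalized
# identity-provider and HR-system logs. "actor" is who made the change;
# "subject" is the employee whose direct-deposit details changed.
EVENTS = [
    {"ts": "2025-01-06T09:00:00", "type": "signin", "user": "alice", "ip": "198.51.100.5"},
    {"ts": "2025-01-06T13:10:00", "type": "signin", "user": "alice", "ip": "203.0.113.7"},
    {"ts": "2025-01-06T13:25:00", "type": "dd_change", "subject": "alice", "actor": "alice"},
    {"ts": "2025-01-06T10:00:00", "type": "signin", "user": "bob", "ip": "192.0.2.44"},
    {"ts": "2025-01-06T11:00:00", "type": "dd_change", "subject": "bob", "actor": "bob"},
    {"ts": "2025-01-07T15:00:00", "type": "dd_change", "subject": "carol", "actor": "hr_dana"},
]
# IPs each employee used before the review period (constructed baseline).
KNOWN_IPS = {"alice": {"198.51.100.5"}, "bob": {"192.0.2.44"}, "carol": {"198.51.100.9"}}


def detect_payroll_pirate(events, known_ips, window=timedelta(hours=24)):
    """Return (rule, employee, detail) alerts for suspicious direct-deposit changes.

    new-ip-then-dd-change: employee changed their own details within `window` of a
      sign-in from an IP not in their history (what a hijacked AiTM session leaves).
    third-party-dd-change: someone else made the change with no sign-in by the
      employee in the preceding window (what a phished HR mailbox leaves); verify
      these out of band with the employee.
    """
    signins = {}  # user -> list of (datetime, ip), in time order
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "signin":
            signins.setdefault(e["user"], []).append((t, e["ip"]))
            continue
        if e["type"] != "dd_change":
            continue
        emp = e["subject"]
        recent = [(st, ip) for st, ip in signins.get(emp, []) if t - window <= st <= t]
        if e["actor"] == emp:
            unseen = [ip for _, ip in recent if ip not in known_ips.get(emp, set())]
            if unseen:
                alerts.append(("new-ip-then-dd-change", emp, unseen[0]))
        elif not recent:
            alerts.append(("third-party-dd-change", emp, e["actor"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_payroll_pirate(EVENTS, KNOWN_IPS):
        print(alert)
```

In a real deployment the IP baseline would come from sign-in history and the window tuned to the payroll cycle; the second rule is a review queue, not proof of compromise.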
Payroll pirate attacks are a form of business email compromise (BEC) scam that targets businesses and individuals who regularly make wire transfers. According to the FBI’s Internet Crime Complaint Center (IC3), there were over 24,000 BEC-related complaints filed last year, resulting in losses exceeding $3 billion.
Not the First Time Microsoft Has Addressed Payroll Pirate Attacks
This is not the first time Microsoft has addressed payroll pirate attacks. In October, the company disrupted a campaign targeting Workday accounts, in which a cybercrime gang tracked as Storm-2657 hijacked salary payments from university employees across the United States.
