Office 365 Search Results Compromised by Malware Leading to Stolen Paychecks


Financially Motivated Attack Campaign Targets Canadian Employees

A sophisticated hacking group, tracked by Microsoft as Storm-2755, has been conducting a campaign aimed at stealing Canadian employees’ salaries by exploiting vulnerabilities in Office 365 search results and Microsoft 365 login pages.

The Attack Method

The attackers use search engine optimization (SEO) poisoning and malvertising to redirect victims to fake Microsoft login pages, which steal their login credentials and capture session tokens.

According to Microsoft, the attackers leverage version 1.7.9 of the Axios HTTP client to relay authentication tokens to customer infrastructure, thereby bypassing non-phishing-resistant multifactor authentication (MFA).

This allows them to maintain active sessions and proxy legitimate user actions, effectively executing an adversary-in-the-middle (AiTM) attack.

The Tactics Used

  • The attackers search for references to payroll, HR, and finance, and send emails to the organization’s HR staff requesting direct deposit changes.
  • The emails appear to come from the employee’s real email address, making it difficult for HR to suspect anything.
  • If HR complies with the request, the employee’s next paycheck will be redirected to the attacker’s bank account.
  • In some cases, the attackers create an inbox rule that buries any HR replies containing words like “bank” or “direct deposit” in a hidden folder, preventing the victim from seeing them and raising the alarm.

Mitigation Measures

Microsoft recommends several measures to mitigate these types of attacks, including:

  • Using FIDO2/WebAuthn passkeys as a second authentication factor, which binds authentication to the legitimate origin site and cannot be intercepted by an AiTM proxy.
  • Monitoring for the Axios user-agent appearing in sign-in logs.
  • Watching for non-interactive sign-ins to Office Home repeating on roughly 30-minute intervals.
  • Alerting on newly created inbox rules that filter on financial keywords.
  • Adopting out-of-band verification for any direct deposit change requests.

By taking these steps, organizations can reduce the risk of falling victim to these types of attacks and protect their employees’ sensitive information.
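The three log-based detections listed above (Axios user agent in sign-in logs, non-interactive Office Home sign-ins recurring at roughly 30-minute intervals, and inbox rules filtering on financial keywords), written out as checks over constructed sample records; this is an added example, not Microsoft's or the article's own tooling, and the record field names are assumptions rather than any real log schema.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample sign-in records in an Entra-like shape (not real log data).
SIGNINS = [
    {"user": "alice@example.test", "app": "Office Home", "interactive": False,
     "ua": "axios/1.7.9", "time": "2024-05-01T09:00:00"},
    {"user": "alice@example.test", "app": "Office Home", "interactive": False,
     "ua": "axios/1.7.9", "time": "2024-05-01T09:31:00"},
    {"user": "alice@example.test", "app": "Office Home", "interactive": False,
     "ua": "axios/1.7.9", "time": "2024-05-01T10:00:00"},
    {"user": "bob@example.test", "app": "Outlook", "interactive": True,
     "ua": "Mozilla/5.0", "time": "2024-05-01T09:05:00"},
]
# Constructed inbox rules; field names are hypothetical, not an API schema.
RULES = [
    {"user": "alice@example.test", "contains": ["bank", "direct deposit"], "move_to": "RSS Feeds"},
    {"user": "bob@example.test", "contains": ["unsubscribe"], "move_to": "Archive"},
]
FINANCIAL_KEYWORDS = {"bank", "direct deposit", "payroll", "salary"}

def axios_signins(signins):
    """Sign-ins whose user agent identifies the Axios HTTP client."""
    return [s for s in signins if s["ua"].lower().startswith("axios/")]

def periodic_office_home(signins, target_min=30, tolerance_min=5, min_events=3):
    """Users with at least min_events non-interactive Office Home sign-ins whose
    median spacing is within tolerance_min of the target interval (~30 min)."""
    by_user = {}
    for s in signins:
        if s["app"] == "Office Home" and not s["interactive"]:
            by_user.setdefault(s["user"], []).append(datetime.fromisoformat(s["time"]))
    flagged = []
    for user, times in by_user.items():
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [(b - a) / timedelta(minutes=1) for a, b in zip(times, times[1:])]
        if abs(median(gaps) - target_min) <= tolerance_min:
            flagged.append(user)
    return flagged

def financial_inbox_rules(rules):
    """Inbox rules whose match conditions include a financial keyword."""
    return [r for r in rules
            if any(c.lower() in FINANCIAL_KEYWORDS for c in r["contains"])]
```

Each function returns the matching records or users so the same logic can be dropped into a scheduled job against exported sign-in and mailbox-rule data.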
