Intelligence
High | Campaign | Active

Storm-2755 Targeting Microsoft Employees: Payroll Account Hijacking as Financial Theft Vector

Storm-2755, a financially motivated threat actor, is compromising Microsoft employee accounts to redirect salary payments. This represents a shift in targeting from external victims to internal credential compromise for direct financial gain.

Sebastion

Affected

Microsoft employees, payroll systems

Storm-2755 has shifted focus from broad consumer or enterprise targeting to a narrower, higher-value objective: compromising employee accounts at major technology firms to redirect salary payments. The attack leverages credential theft to access payroll systems and modify banking details before salary distributions occur. This approach bypasses external detection mechanisms that typically monitor suspicious outbound transfers, since the attacker operates from within authenticated sessions.

The technical pathway likely involves phishing or credential harvesting targeting Microsoft staff, followed by multi-factor authentication bypass or compromise. Once inside, the actor navigates to payroll systems and modifies banking information associated with employee records. The attack succeeds because payroll systems often have weaker alerting on account modifications compared to sensitive data access, and employees may not immediately notice if the theft occurs just before or during a pay cycle.

This pattern is not confined to Microsoft; it reflects a broader reconnaissance and targeting strategy. Organisations with large employee bases and regular payroll cycles are high-value targets. Sophisticated attackers recognise that payroll redirection is faster and more reliable than ransomware extortion or data theft, both of which invite law enforcement attention.

Defenders should implement: immutable audit logging on payroll system changes, out-of-band verification for banking detail modifications, conditional access policies that flag payroll system access from unusual locations or devices, and mandatory re-authentication for sensitive payroll operations. Detection should focus on account modification patterns rather than data access anomalies. Employee communication is critical, as staff should verify unexpected payroll changes through secondary channels.
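The detection guidance above, as an added example that is not part of the original report: a small Python scorer that reads constructed JSON-lines payroll audit events and holds bank-detail modifications that fall close to a pay date, come from an unfamiliar country or device, or lack out-of-band verification. The log format, field names, baseline inventory and pay date are all assumptions for illustration.

```python
import json
from datetime import date, datetime

# Constructed JSON-lines audit events from a hypothetical payroll system (not real data).
SAMPLE_AUDIT_LOG = """
{"ts": "2024-05-28T09:12:00", "employee": "e1001", "action": "view_payslip", "ip_country": "US", "device_id": "lap-1"}
{"ts": "2024-05-29T22:47:00", "employee": "e1001", "action": "update_bank_account", "ip_country": "NG", "device_id": "unk-9", "oob_verified": false}
{"ts": "2024-05-10T10:05:00", "employee": "e1002", "action": "update_bank_account", "ip_country": "US", "device_id": "lap-2", "oob_verified": true}
{"ts": "2024-05-30T08:00:00", "employee": "e1003", "action": "update_bank_account", "ip_country": "US", "device_id": "lap-3", "oob_verified": false}
"""

# Assumed per-employee baseline of known sign-in countries and devices (e.g. from an identity inventory).
BASELINE = {
    "e1001": {"countries": {"US"}, "devices": {"lap-1"}},
    "e1002": {"countries": {"US"}, "devices": {"lap-2"}},
    "e1003": {"countries": {"US"}, "devices": {"lap-3"}},
}

PAY_DATE = date(2024, 5, 31)   # next salary run (constructed)
PRE_PAYROLL_WINDOW_DAYS = 5    # changes this close to pay day get extra scrutiny

def assess_bank_change(event, baseline, pay_date, window_days=PRE_PAYROLL_WINDOW_DAYS):
    """Return the list of risk reasons for one update_bank_account event (empty list = clean)."""
    reasons = []
    days_to_pay = (pay_date - datetime.fromisoformat(event["ts"]).date()).days
    if 0 <= days_to_pay <= window_days:
        reasons.append("changed within %d days of pay date" % window_days)
    known = baseline.get(event["employee"], {"countries": set(), "devices": set()})
    if event.get("ip_country") not in known["countries"]:
        reasons.append("unfamiliar country")
    if event.get("device_id") not in known["devices"]:
        reasons.append("unfamiliar device")
    if not event.get("oob_verified", False):
        reasons.append("no out-of-band verification")
    return reasons

def find_suspicious_bank_changes(log_text, baseline, pay_date):
    """Scan the audit log; return {employee: reasons} for bank-detail changes that should be held."""
    flagged = {}
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event.get("action") != "update_bank_account":
            continue  # data access is not the signal here; account modifications are
        reasons = assess_bank_change(event, baseline, pay_date)
        if reasons:
            flagged[event["employee"]] = reasons
    return flagged
```

Any employee returned by `find_suspicious_bank_changes` should have the change held until it is confirmed through a secondary channel; a verified change from a known device outside the pre-payroll window produces no reasons and passes.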

The broader implication is that financially motivated actors are becoming more operationally sophisticated and precise. Rather than mass compromise, Storm-2755 selects high-confidence targets and executes focused attacks on systems that directly convert stolen access into cash. This represents a maturation of cybercrime tactics away from commodity malware toward insider-equivalent attack chains.