
Canadian employees are discovering their paychecks have vanished into thin air, redirected to criminal bank accounts through what appears to be their legitimate Office 365 portal. Storm-2755, a financially motivated threat group tracked by Microsoft, has weaponized the very search results employees use to access their work email, transforming routine logins into sophisticated payroll theft operations. (Source: Helpnetsecurity)

The financial impact extends beyond individual victims losing entire paychecks. Organizations face immediate HR disruptions as teams scramble to reverse fraudulent direct deposit changes, restore legitimate banking information, and issue emergency replacement payments. The reputational damage compounds when employees lose trust in their employer's ability to protect something as fundamental as salary payments.

What makes this campaign particularly insidious is its exploitation of normal business workflows. Employees searching for "Office 365" or even common typos like "Office 265" encounter poisoned search results and malicious advertisements that appear completely legitimate. These fake login pages don't just steal passwords - they capture and replay entire authentication sessions in real time, including multi-factor authentication tokens that organizations rely on for security.

The attackers demonstrate remarkable patience and selectivity. After compromising an employee's email account through their Axios-based proxy infrastructure (HTTP client version 1.7.9), they maintain silent background access to most victims, waiting and watching. For carefully chosen targets, they escalate their attack by changing passwords and MFA settings to ensure persistent access even after security teams detect and revoke the initial compromise.

The true sophistication emerges in how Storm-2755 monetizes this access. Rather than immediately draining accounts or deploying ransomware, they search compromised mailboxes for references to payroll, HR, and finance systems. They then craft legitimate-looking direct deposit change requests from the victim's own email account to HR departments. Since these requests originate from genuine employee addresses with valid authentication, HR staff process them without suspicion.


To prevent discovery, the attackers create inbox rules that automatically hide any HR responses containing keywords like "bank" or "direct deposit" in obscure folders the victim will never check. This ensures employees remain unaware their next paycheck will land in criminal-controlled accounts until it's too late.

When email-based social engineering fails, Storm-2755 pivots to direct manipulation of HR platforms. Microsoft documented cases where attackers manually signed into Workday systems using stolen credentials, updating banking information directly in the payroll system. These victims suffered immediate financial losses when their salaries were deposited into attacker accounts.

The targeting of Canadian employees suggests Storm-2755 has identified specific vulnerabilities in Canadian payroll processes or banking systems that make these attacks more profitable. However, the techniques they've refined - SEO poisoning, adversary-in-the-middle authentication bypass, and payroll system manipulation - can easily be adapted to target employees in any country or industry where similar HR workflows exist.

The Attack Chain: Poisoning Search Results to Deploy Axios Malware

The attack begins when employees search for their workplace email portal using everyday queries. Storm-2755 exploits this routine behavior by contaminating search engine results for terms like "Office 365" and even common typos such as "Office 265." The attackers leverage both SEO poisoning techniques and malicious advertising campaigns to ensure their fake login pages appear prominently in search results.

When victims click these poisoned search results, they encounter meticulously crafted Microsoft 365 login pages that appear identical to legitimate portals. These counterfeit sites operate as sophisticated proxies, capturing credentials while simultaneously relaying the entire authentication session to Microsoft's actual servers in real time.

The technical sophistication lies in Storm-2755's deployment of Axios HTTP client version 1.7.9 as their primary attack tool. This specific version enables the attackers to relay authentication tokens directly to the customer's infrastructure, effectively bypassing non-phishing-resistant multi-factor authentication. The Axios client maintains these active sessions by proxying legitimate user actions, executing what Microsoft identifies as an Adversary-in-the-Middle (AiTM) attack.

The Axios implementation creates a transparent bridge between the victim and their real Microsoft 365 account. Every action the user takes gets passed through to the legitimate service, while the attacker captures the session token issued after successful login. This approach eliminates the traditional indicators of phishing - the victim sees their actual emails, contacts, and calendar entries loading normally after authentication.

Storm-2755's use of the Axios client reveals strategic planning. By maintaining the proxy connection at roughly 30-minute intervals through non-interactive sign-ins to OfficeHome, the attackers preserve access without requiring repeated authentications. This persistence mechanism allows them to monitor compromised accounts for extended periods while remaining undetected.

The choice to weaponize Office 365 search results demonstrates calculated targeting. Employees trust their workplace email systems implicitly and access them multiple times daily. Unlike suspicious email attachments or unexpected download prompts, searching for "Office 365" represents normal, expected behavior that triggers no security concerns.

For select high-value targets, Storm-2755 escalates beyond passive monitoring. The attackers modify both passwords and MFA settings on compromised accounts, ensuring continued access even after the original stolen tokens expire or face revocation. This dual-layer persistence strategy transforms temporary session hijacking into permanent account ownership.

The Axios client's role extends beyond initial compromise. Once established within the victim's email ecosystem, it facilitates reconnaissance activities as attackers search compromised mailboxes for references to payroll systems, HR processes, and financial workflows. This intelligence gathering phase identifies the optimal targets for the campaign's ultimate objective - redirecting employee paychecks.

Microsoft's analysis reveals that Storm-2755 specifically chose tools and techniques that exploit the inherent trust in Office 365's authentication flow. By positioning their attack at the search engine level rather than through traditional phishing emails, they bypass email security filters, user awareness training, and most organizational controls designed to prevent credential theft.

Storm-2755 AiTM Attack Chain

1. Search Poisoning: Attackers contaminate search results for "Office 365" and typos like "Office 265" using SEO poisoning and malicious ads.
2. Fake Login Page: Victims land on meticulously crafted Microsoft 365 login pages that appear identical to legitimate portals.
3. Real-Time Proxy (Axios HTTP 1.7.9): Counterfeit sites act as proxies, relaying authentication to Microsoft's actual servers while capturing credentials.
4. Token Capture: Session tokens are captured after successful login, bypassing non-phishing-resistant MFA through the AiTM attack.
5. Persistent Access: Attackers maintain access via 30-minute non-interactive sign-ins to OfficeHome, monitoring accounts undetected.

Detection: Finding Poisoned Search Results and Axios Indicators

Security teams hunting for Storm-2755's infrastructure need immediate visibility into authentication patterns that deviate from normal user behavior. The campaign's reliance on Axios HTTP client version 1.7.9 creates a distinctive fingerprint in your Office 365 sign-in logs that traditional security tools often overlook.

Your SOC should immediately query Azure AD sign-in logs for user agent strings containing "axios/1.7.9" - this specific version appears when the attackers relay authentication tokens through their proxy infrastructure. These entries will show up as successful authentications but originate from IP addresses that don't match your users' typical geographic locations or device patterns.

The attackers' token replay mechanism generates a predictable pattern of non-interactive sign-ins to OfficeHome that repeat at approximately 30-minute intervals. These automated refreshes maintain the hijacked session without requiring repeated manual logins. Configure your SIEM to alert when any single account shows this repetitive OfficeHome authentication pattern, especially when combined with the Axios user agent.

  • Search referrer headers in web proxy logs for misspelled variations like "Office 265" or unusual Office 365 landing pages
  • Monitor DNS queries to newly registered domains mimicking Microsoft authentication services
  • Track authentication events where the session token age exceeds normal refresh cycles
  • Flag accounts showing simultaneous activity from multiple geographic regions within short time windows
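The two sign-in log indicators described above (the "axios/1.7.9" user agent and the roughly 30-minute cadence of non-interactive OfficeHome sign-ins) can be hunted for in an exported sign-in log. The following is an added example, not code from the article or from Microsoft; the records are constructed, and the field names (userPrincipalName, userAgent, appDisplayName, createdDateTime, isInteractive) are assumed to match a typical Entra ID sign-in log export and should be mapped to your own export.

```python
"""Hunt for Storm-2755 style sign-in patterns in exported Entra ID sign-in logs.

Added example, not from the original article or Microsoft. Field names follow
a common sign-in log export shape (assumption); adjust them to your own export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Alice shows the hijacked
# pattern: axios user agent plus non-interactive OfficeHome sign-ins every ~30 min.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "userAgent": "axios/1.7.9",
     "appDisplayName": "OfficeHome", "createdDateTime": "2025-03-01T09:00:00Z",
     "isInteractive": False, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "alice@example.com", "userAgent": "axios/1.7.9",
     "appDisplayName": "OfficeHome", "createdDateTime": "2025-03-01T09:31:00Z",
     "isInteractive": False, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "alice@example.com", "userAgent": "axios/1.7.9",
     "appDisplayName": "OfficeHome", "createdDateTime": "2025-03-01T10:02:00Z",
     "isInteractive": False, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "alice@example.com", "userAgent": "axios/1.7.9",
     "appDisplayName": "OfficeHome", "createdDateTime": "2025-03-01T10:33:00Z",
     "isInteractive": False, "ipAddress": "203.0.113.10"},
    # Bob: ordinary interactive browser sign-in, must not be flagged.
    {"userPrincipalName": "bob@example.com",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/122.0",
     "appDisplayName": "OfficeHome", "createdDateTime": "2025-03-01T09:05:00Z",
     "isInteractive": True, "ipAddress": "192.0.2.20"},
    # Carol: two background refreshes, below the repeat threshold.
    {"userPrincipalName": "carol@example.com",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/122.0",
     "appDisplayName": "OfficeHome", "createdDateTime": "2025-03-01T08:00:00Z",
     "isInteractive": False, "ipAddress": "192.0.2.21"},
    {"userPrincipalName": "carol@example.com",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/122.0",
     "appDisplayName": "OfficeHome", "createdDateTime": "2025-03-01T08:29:00Z",
     "isInteractive": False, "ipAddress": "192.0.2.21"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def axios_signins(records, needle="axios/1.7.9"):
    """Records whose user agent carries the Axios version Microsoft tied to the campaign."""
    return [r for r in records if needle in r.get("userAgent", "").lower()]


def periodic_officehome_users(records, period=timedelta(minutes=30),
                              tolerance=timedelta(minutes=5), min_gaps=3):
    """Map user -> number of ~30-minute gaps between non-interactive OfficeHome sign-ins.

    Only users with at least `min_gaps` such gaps are returned, which filters out
    the occasional legitimate background token refresh.
    """
    by_user = defaultdict(list)
    for r in records:
        if r.get("appDisplayName") == "OfficeHome" and not r.get("isInteractive", True):
            by_user[r["userPrincipalName"]].append(parse_time(r["createdDateTime"]))
    hits = {}
    for user, times in by_user.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - period) <= tolerance]
        if len(periodic) >= min_gaps:
            hits[user] = len(periodic)
    return hits


def hunt(records):
    """Users matching both indicators: Axios user agent and the 30-minute refresh cadence."""
    axios_users = {r["userPrincipalName"] for r in axios_signins(records)}
    return sorted(axios_users & set(periodic_officehome_users(records)))


if __name__ == "__main__":
    print("Axios sign-ins:", len(axios_signins(SAMPLE_SIGNINS)))
    print("Periodic OfficeHome refreshes:", periodic_officehome_users(SAMPLE_SIGNINS))
    print("Accounts to investigate:", hunt(SAMPLE_SIGNINS))
```

The cadence check tolerates a few minutes of jitter and requires several consecutive matching gaps, so a single legitimate background refresh (Carol) does not fire; in practice the Axios user agent alone is a strong enough signal to page on, and the cadence check is what keeps the alert useful if the attackers change the user agent string.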

Within your Exchange Online audit logs, focus detection efforts on newly created inbox rules that filter messages containing financial keywords. The attackers consistently create rules that move emails with terms like "bank," "direct deposit," "payroll," or "banking information" into archive folders or mark them as read automatically. Query your audit logs for "New-InboxRule" operations and examine the rule conditions for these financial terms.
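Reviewing New-InboxRule audit records for financial keywords, as described above, can be scripted over an exported audit log. The following is an added example and not the article's or Microsoft's code; the records are constructed, and the record shape (Operation, UserId, CreationTime, Parameters as Name/Value pairs) is assumed to follow the Office 365 Management Activity Exchange audit format, so verify it against your own export.

```python
"""Flag inbox rules that hide finance/HR mail, from exported Exchange Online audit records.

Added example, not code from the article or from Microsoft. The record shape
(Operation, UserId, Parameters as Name/Value pairs) is assumed to follow the
Office 365 Management Activity API Exchange audit format; verify against your export.
"""
FINANCIAL_TERMS = ("bank", "direct deposit", "payroll", "banking information")

# Constructed sample records, not real audit data.
SAMPLE_AUDIT = [
    # Alice: classic hiding rule - single-character name, financial keywords,
    # moved to an obscure folder and marked read.
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "CreationTime": "2025-03-01T11:40:12",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "bank;direct deposit;payroll"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    # Bob: benign newsletter filing rule, no financial condition.
    {"Operation": "New-InboxRule", "UserId": "bob@example.com",
     "CreationTime": "2025-03-01T12:03:55",
     "Parameters": [
         {"Name": "Name", "Value": "Vendor newsletters"},
         {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    # Dave: edits a payroll rule but explicitly leaves mail unread and in the inbox.
    {"Operation": "Set-InboxRule", "UserId": "dave@example.com",
     "CreationTime": "2025-03-01T12:10:00",
     "Parameters": [
         {"Name": "Identity", "Value": "Payroll notices"},
         {"Name": "SubjectContainsWords", "Value": "payroll"},
         {"Name": "MarkAsRead", "Value": "False"}]},
    # Unrelated mailbox operation, skipped entirely.
    {"Operation": "Set-Mailbox", "UserId": "admin@example.com",
     "CreationTime": "2025-03-01T12:15:00", "Parameters": []},
]


def rule_parameters(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def hiding_actions(params):
    """Rule actions that keep a matching message out of the user's sight."""
    actions = [a for a in ("MoveToFolder", "DeleteMessage", "SoftDeleteMessage")
               if params.get(a)]
    # MarkAsRead is logged as a string; only a true value hides the message.
    if str(params.get("MarkAsRead", "")).lower() == "true":
        actions.append("MarkAsRead")
    return actions


def suspicious_inbox_rules(records):
    """Rules whose word conditions mention finance/HR terms and whose actions hide the mail."""
    hits = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = rule_parameters(r)
        # Any *ContainsWords condition (subject, body, sender address, ...).
        condition_text = " ".join(str(v) for k, v in p.items()
                                  if k.endswith("ContainsWords")).lower()
        terms = [t for t in FINANCIAL_TERMS if t in condition_text]
        actions = hiding_actions(p)
        if terms and actions:
            hits.append({"user": r["UserId"],
                         "rule": p.get("Name") or p.get("Identity"),
                         "terms": terms, "actions": actions,
                         "time": r.get("CreationTime")})
    return hits


if __name__ == "__main__":
    for hit in suspicious_inbox_rules(SAMPLE_AUDIT):
        print(hit)
```

Requiring both a financial keyword condition and a hiding action keeps the false-positive rate down: Dave's edited rule mentions payroll but leaves the mail visible, so it is not reported, while a rule that files everything from one vendor is ignored regardless of its folder.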

Network traffic analysis reveals additional indicators when victims interact with the malicious login pages. The fake Microsoft 365 portals proxy authentication requests but introduce measurable latency compared to direct Microsoft connections. Monitor for TLS certificates on Office 365 login pages that don't match Microsoft's legitimate certificate chain or show recent issuance dates.

Your email gateway logs should be configured to detect outbound messages to HR or finance departments that request banking changes, especially when sent outside normal business hours or immediately after password resets. The attackers typically send these requests within hours of compromising an account, creating a narrow detection window.

For organizations using Workday or similar HR platforms, enable audit logging for all banking information changes and correlate these events with recent password or MFA modifications in Office 365. The attackers pivot to direct manipulation of these systems when email-based social engineering fails, making cross-platform correlation essential for detection.
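The cross-platform correlation recommended above (a bank-account change in the HR platform shortly after a password or MFA change in Office 365, possibly at an unusual hour) can be expressed as a small join over two exported event lists. This is an added example, not the article's or Microsoft's code; both event lists are constructed and their field names (user, activity, event, time, ipAddress) are assumptions to be mapped onto your own Workday audit export and Entra ID audit log.

```python
"""Correlate payroll bank-account changes with recent password/MFA changes.

Added example, not from the article or Microsoft. Both event lists are
constructed and their field names are assumptions; map your HR platform audit
export and Entra ID audit log onto them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Entra ID audit events (activity names resemble real audit entries
# but the data is invented).
IDENTITY_EVENTS = [
    {"user": "alice@example.com", "activity": "Change user password",
     "time": "2025-03-01T11:20:00Z"},
    {"user": "alice@example.com", "activity": "User registered security info",
     "time": "2025-03-01T11:22:00Z"},
    # Profile edit that does not touch credentials.
    {"user": "erin@example.com", "activity": "Update user",
     "time": "2025-03-02T09:00:00Z"},
]

# Constructed HR platform audit events for direct deposit changes.
BANK_CHANGES = [
    {"user": "alice@example.com", "event": "Direct deposit account updated",
     "time": "2025-03-02T02:15:00Z", "ipAddress": "203.0.113.10"},
    {"user": "erin@example.com", "event": "Direct deposit account updated",
     "time": "2025-03-02T14:30:00Z", "ipAddress": "192.0.2.30"},
    {"user": "frank@example.com", "event": "Direct deposit account updated",
     "time": "2025-02-20T10:00:00Z", "ipAddress": "192.0.2.31"},
]

# Identity activities that count as a credential or MFA change.
CREDENTIAL_KEYWORDS = ("password", "security info")


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def off_hours(ts, start=8, end=18):
    """True outside the working-day window. Sample data is in UTC; convert to the
    employee's local zone before applying this in production."""
    return not (start <= ts.hour < end)


def correlate(bank_changes, identity_events, window=timedelta(days=7)):
    """Bank changes preceded within `window` by a password/MFA change for the same user.

    Each hit lists the preceding identity changes and whether the bank change
    itself landed outside business hours.
    """
    cred_by_user = defaultdict(list)
    for e in identity_events:
        if any(k in e["activity"].lower() for k in CREDENTIAL_KEYWORDS):
            cred_by_user[e["user"]].append(e)

    hits = []
    for change in bank_changes:
        ts = parse_time(change["time"])
        related = [e for e in cred_by_user.get(change["user"], [])
                   if timedelta(0) <= ts - parse_time(e["time"]) <= window]
        if related:
            hits.append({"user": change["user"],
                         "bank_change": change["time"],
                         "source_ip": change.get("ipAddress"),
                         "preceding_identity_changes": [e["activity"] for e in related],
                         "off_hours": off_hours(ts)})
    return hits


if __name__ == "__main__":
    for hit in correlate(BANK_CHANGES, IDENTITY_EVENTS):
        print(hit)
```

Only Alice is reported: her deposit change followed a password change and a new MFA registration by under a day and happened at 02:15. Erin's profile edit is not a credential change, and Frank has no identity activity in the window. Feeding the reported source IP back into the sign-in log hunt closes the loop between the two systems.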

Configure real-time alerts for any authentication event that bypasses conditional access policies you've established for sensitive operations. Storm-2755's token theft allows them to inherit the victim's existing session permissions, potentially circumventing location-based or device-based access controls your organization has implemented.

Containment and Response: Stopping Payroll Data Exfiltration

When Storm-2755 successfully infiltrates your organization through their poisoned search campaigns, immediate containment becomes critical to prevent the theft of employee salary payments. Your response team faces a unique challenge: the attackers maintain persistent access through stolen session tokens while simultaneously manipulating HR systems to redirect payroll deposits.

The first 24 hours after detection determine whether you'll contain the breach or watch multiple paychecks disappear into criminal bank accounts. Your incident response must address both the technical compromise and the financial manipulation occurring in parallel.

Immediate Actions (0-4 Hours)

Your SOC team must immediately suspend all active Office 365 sessions for users who accessed the platform through external search engines in the past 30 days. This broad suspension disrupts the attackers' ability to maintain their proxied connections through the compromised authentication tokens.

IT administrators need to force password resets for all HR and finance personnel, regardless of whether they show signs of compromise. The attackers specifically target these departments through impersonation emails requesting direct deposit changes, making these accounts high-priority for credential rotation.

Your finance team must freeze all pending direct deposit modifications submitted within the last two weeks. Manual verification through phone calls or in-person meetings becomes mandatory before processing any banking information changes, even if the request originated from a legitimate employee email address.

Containment of Active Threats (4-24 Hours)

Security teams should immediately revoke all OAuth tokens and app permissions that show connections through non-standard authentication flows. The attackers' use of token replay means traditional password changes won't eliminate their access - you must invalidate the tokens themselves at the Azure AD level.

Your email administrators need to conduct an organization-wide audit of inbox rules, particularly those filtering messages containing financial keywords into hidden folders. These rules allow attackers to intercept HR communications about payroll changes, preventing victims from discovering the fraud until their paycheck fails to arrive.

HR teams must cross-reference all recent Workday or similar payroll system access logs against employee work schedules and locations. When attackers pivot to directly manipulating these platforms after failed social engineering attempts, they often access them during unusual hours or from geographic locations inconsistent with the employee's normal pattern.

Preventing Data Exfiltration (24-72 Hours)

Network security teams should implement enhanced monitoring on all outbound HTTPS traffic to recently registered domains or IP addresses without established reputation scores. While the primary goal involves payroll redirection, attackers with email access often exfiltrate sensitive employee data, financial records, and organizational charts for future targeting.

Your legal team needs immediate notification to assess regulatory reporting requirements, particularly if employee Social Security numbers, banking information, or other personally identifiable information may have been accessed. The combination of email compromise and HR system manipulation triggers multiple compliance obligations under data breach notification laws.

IT teams must deploy conditional access policies that block sign-ins from countries where your organization has no employees or business operations. Geographic restrictions won't stop sophisticated attackers using residential proxies, but they create additional friction that can slow down automated token replay attempts.

The coordination between technical containment and financial protection defines successful response to these payroll theft campaigns. Each compromised account represents not just a security incident but a potential financial loss for individual employees who depend on their paychecks for basic necessities.

Hardening Office 365 Search Against Poisoning Attacks

Your Office 365 environment becomes vulnerable to Storm-2755's campaign not through traditional security gaps, but through the fundamental architecture of how search engines index and display your organization's web presence. The attackers don't need to breach your systems directly when they can manipulate the path employees take to reach them.


Microsoft's security architecture includes multiple layers designed to protect against credential theft and session hijacking, yet Storm-2755 bypasses these by operating outside your security perimeter entirely. Understanding which Office 365 features can disrupt this attack chain requires examining how your organization appears in search results and who controls that visibility.

Conditional Access policies represent your first line of defense against authentication attempts originating from poisoned search results. Configure these policies to evaluate the risk level of each sign-in attempt based on location, device compliance, and user behavior patterns. When employees attempt to authenticate from unfamiliar locations or devices after clicking through search results, Conditional Access can require additional verification steps or block the attempt entirely.

The challenge lies in balancing security with usability - overly restrictive policies might frustrate legitimate users trying to access Office 365 from new locations.

Your organization's approach to search engine visibility directly impacts Storm-2755's ability to position fake login pages. Many organizations inadvertently expose internal Office 365 URLs through public-facing websites, support documentation, or employee training materials. These legitimate references provide attackers with the exact URLs and branding elements needed to create convincing replicas.

Review your robots.txt files and meta tags to ensure sensitive login portals aren't being indexed by search engines. Consider implementing canonical URLs that direct all authentication attempts through a single, controlled entry point rather than multiple subdomains that attackers can mimic.

Data Loss Prevention (DLP) policies within Office 365 can detect when compromised accounts attempt to access payroll or HR information. Configure DLP rules to monitor for specific patterns in email content and attachments related to direct deposit changes, banking information, or salary data. When these patterns appear alongside unusual account behavior, DLP can automatically block the action and alert your security team.

The sophistication of Storm-2755's campaign means traditional DLP keyword matching alone won't suffice - you need context-aware policies that evaluate multiple risk factors simultaneously.

Microsoft's Azure AD Identity Protection uses machine learning to establish baseline behaviors for each user account. When Storm-2755 maintains background access through stolen tokens, their interaction patterns differ subtly from legitimate users. Identity Protection can detect these anomalies - such as accessing Office 365 from multiple geographic locations simultaneously or performing searches for financial terms immediately after authentication.

Configure risk-based policies that automatically require reauthentication when high-risk behaviors are detected, effectively invalidating any stolen session tokens the attackers might possess.

Your Office 365 tenant's external sharing settings determine whether attackers can leverage compromised accounts to exfiltrate data or establish persistence. Restrict external sharing to specific domains rather than allowing unrestricted sharing, and require approval workflows for sharing sensitive content outside your organization.
