TempMail Ninja

Session Hijacking: Storm-2755 Campaign Targets Payroll Systems

The modern threat landscape has undergone a profound metamorphosis. As organizations have matured in their defense against traditional ransomware—deploying robust backup solutions, endpoint detection and response (EDR) agents, and network segmentation—threat actors have pivoted toward more surgical, covert, and high-velocity methods of monetization. The emergence of the Storm-2755 campaign, a sophisticated operation currently targeting Canadian payroll systems through advanced session hijacking, represents a critical shift toward “silent” extortion that bypasses the perimeter-centric defenses many businesses still rely upon.

The Silent Threat: Understanding the Storm-2755 Campaign

Unlike historical ransomware campaigns that rely on “noisy” encryption to extract payment, Storm-2755 operates in the shadows. This financially motivated actor has adopted a “payroll pirate” methodology, specifically aiming to redirect employee salaries to attacker-controlled bank accounts or cryptocurrency wallets. The brilliance—and the danger—of this campaign lies in its subtlety; by the time an employee notices a missing deposit, the funds have often been laundered through multiple mule accounts, making recovery nearly impossible.

The campaign’s success is anchored in its initial access vector: SEO poisoning and malvertising. By manipulating search engine results for terms like “Office 365” or common misspellings such as “Office 265,” the attackers bait unsuspecting employees into clicking on malicious links. These links direct the victim to a replica Microsoft 365 sign-in page, designed with such fidelity that even cautious users are often deceived.

Technical Deep Dive: How Session Hijacking Bypasses MFA

The core of the Storm-2755 operation is not merely credential theft—it is session hijacking facilitated by Adversary-in-the-Middle (AitM) infrastructure. This is a critical distinction that renders traditional Multi-Factor Authentication (MFA) ineffective.

The AitM Mechanism

In a standard phishing attack, an attacker might simply harvest a password. However, when an organization mandates MFA, that stolen password is useless on its own. The AitM approach changes the rules entirely. When a victim engages with the fake phishing portal, the attacker’s infrastructure acts as a transparent reverse proxy between the user and the legitimate identity provider (e.g., Microsoft Entra ID). As the user enters their credentials and completes the MFA prompt, the proxy captures the transaction in real time.

Crucially, the attacker does not just capture the password; they capture the resulting session cookie. This cookie serves as an “authenticated session token,” effectively acting as a digital key that proves to the server that the user has already passed all security gates. By injecting this stolen token into their own browser, the attacker inherits the victim’s authenticated state, effectively “hijacking” the active session. The service provider, seeing a valid, authenticated token, grants the attacker full access to the user’s environment without triggering any additional security challenges.

Operationalizing the Hijack

Once the session is established, Storm-2755 moves with surgical precision. Investigations by Microsoft’s Detection and Response Team (DART) have revealed a highly disciplined workflow:

  • Persistence and Stealth: To avoid detection, the attackers use non-interactive sign-ins to the OfficeHome application, often mimicking legitimate user-agents like the Axios HTTP client (version 1.7.9). By refreshing these sessions during the victim’s early morning hours (typically around 5:00 AM local time), they minimize the likelihood of interrupting the user’s active work session.
  • Internal Reconnaissance: Upon gaining access to the mailbox, the attackers search for keywords such as “payroll,” “HR,” “finance,” and “direct deposit.”
  • Social Engineering: The attackers then impersonate the victim in emails sent to the organization’s HR or finance departments. Because these emails originate from the legitimate account, they appear completely routine.
  • Manipulation: If social engineering is insufficient, the attackers pivot directly to SaaS platforms—such as Workday—to manually update direct deposit banking information.
  • Obfuscation: To ensure the victim remains unaware of the changes, the attackers configure malicious inbox rules that automatically move any emails from HR regarding banking updates into hidden folders, effectively silencing the confirmation alerts.

The Shift: From Ransomware to Covert Financial Theft

The Storm-2755 campaign is a microcosm of a larger, systemic shift in the cybercrime ecosystem. In 2026, the economics of extortion have changed. As law enforcement globally has improved its ability to track and seize ransomware payments, threat actors have moved toward lower-risk, higher-stealth activities.

Data extortion—stealing sensitive data and threatening to release it—has become increasingly common, but the direct redirection of funds through legitimate corporate workflows, as seen here, is perhaps the ultimate evolution of this trend. It requires no malware payload, which allows attackers to evade many signature-based endpoint detection systems. It exploits the “trust” built into authenticated sessions, a vulnerability inherent in how modern cloud-based identity and SaaS platforms manage persistence.

Defensive Posture: Securing the Session Lifecycle

If MFA layered on top of a password is no longer sufficient to stop modern, token-theft-focused adversaries, what is the path forward? Organizations must adopt a defense-in-depth strategy that secures the entire session lifecycle, not just the initial login event.

1. Transition to Phishing-Resistant MFA

The industry consensus is clear: the only robust defense against AitM attacks is the transition to FIDO2-based phishing-resistant MFA. Unlike SMS codes or push notifications, which are “shared secrets” that can be intercepted or proxied, FIDO2/WebAuthn hardware keys use public-key cryptography. This process binds the authentication to the legitimate domain of the service. Even if a user is tricked into visiting a malicious proxy site, the hardware key will detect the domain mismatch and refuse to sign the challenge, effectively neutralizing the phishing attempt at the point of origin.
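The origin binding described above, and the reason the AitM proxy from the earlier section cannot relay a FIDO2 ceremony, as an added example that is not from the article or from Microsoft. It models the WebAuthn rpId check the browser applies and the origin, challenge and rpIdHash checks the relying party applies; the relying-party id, origins and challenge are assumed values, and the authenticator's actual signature is omitted.

```python
import hashlib
import json

RP_ID = "login.example.com"                  # assumed relying-party id, not from the article
EXPECTED_ORIGIN = "https://login.example.com"

def browser_allows(rp_id: str, origin: str) -> bool:
    """WebAuthn client rule: the rpId must equal the page's host or be a registrable suffix of it.
    A proxy page served from another domain cannot satisfy this for the real rpId."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    return host == rp_id or host.endswith("." + rp_id)

def build_assertion(origin: str, challenge: str) -> dict:
    """Constructed stand-in for browser + authenticator (no real signature).
    clientDataJSON records the page's actual origin; authenticatorData starts with SHA-256(rpId).
    The real key signs authenticatorData || SHA-256(clientDataJSON), so neither can be edited in transit."""
    if not browser_allows(RP_ID, origin):
        raise PermissionError(f"rpId {RP_ID} is not valid for origin {origin}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"   # rpIdHash + flags (user present)
    return {"clientDataJSON": client_data.encode(), "authenticatorData": auth_data}

def relying_party_verify(assertion: dict, challenge: str) -> tuple:
    """Checks the server performs before signature verification (signature check omitted here)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"

def login_attempt(page_origin: str, challenge: str = "c0ffee") -> tuple:
    """Run the ceremony from a page at page_origin and return the relying party's verdict."""
    try:
        assertion = build_assertion(page_origin, challenge)
    except PermissionError as err:
        return False, "browser refused: " + str(err)
    return relying_party_verify(assertion, challenge)
```

A look-alike sign-in page on a different domain is stopped before anything is signed, and a signed response carries the page's real origin, so it cannot be replayed to the genuine service from anywhere else.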

2. Reduce Session Lifetimes and Enforce Continuous Access

The window of exposure created by a stolen token is directly proportional to its lifespan. Organizations should significantly reduce session timeout durations for critical applications (e.g., HR, payroll, finance). Furthermore, implementing Continuous Access Evaluation (CAE) allows identity providers to revoke sessions in real time when risk conditions change—such as an unexpected change in IP address, location, or device context.

3. Tighten SaaS and Application Controls

Because Storm-2755 frequently pivots to SaaS applications like Workday to manipulate data, organizations must implement granular conditional access policies. This includes:

  • Blocking access to sensitive payroll applications from non-compliant or unmanaged devices.
  • Enforcing strict geo-fencing or IP-range restrictions for administrative access.
  • Requiring step-up authentication (e.g., a re-authentication prompt) for high-risk operations, such as modifying bank account details, even if the user already has an active session.

4. Monitoring and Behavioral Analysis

Because these attacks are “silent” from an endpoint perspective, detection must focus on identity and access logs. Security teams should monitor for anomalous sign-in patterns, such as:

  • Session IDs suddenly switching between divergent geographical locations or network providers (e.g., a residential ISP to a known VPS provider).
  • A single user account accessing multiple sensitive systems (mail, intranet, payroll SaaS) within a very short timeframe from suspicious user-agents.
  • The creation of suspicious inbox rules, particularly those designed to hide sensitive correspondence.
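The three detections above, run over a handful of constructed identity and mailbox audit events, as an added example that is not from the article. The event shape, folder names and sender prefixes are assumptions; the scripted user-agent prefix matches the Axios client the article says DART observed, and the session-pivot rule flags one session id seen from two different network providers or countries within a day.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs); fields loosely mirror sign-in and mailbox audit records.
EVENTS = [
    {"ts": "2026-03-02T09:12:00", "type": "signin", "user": "j.doe", "session": "s-1", "ip": "203.0.113.10",
     "asn": "Residential ISP", "country": "CA", "ua": "Mozilla/5.0 (Windows NT 10.0)", "app": "OfficeHome", "interactive": True},
    {"ts": "2026-03-03T05:02:00", "type": "signin", "user": "j.doe", "session": "s-1", "ip": "198.51.100.7",
     "asn": "Cloud VPS Host", "country": "US", "ua": "axios/1.7.9", "app": "OfficeHome", "interactive": False},
    {"ts": "2026-03-03T05:04:00", "type": "inbox_rule", "user": "j.doe",
     "rule": {"from": "hr@", "move_to": "RSS Subscriptions", "mark_read": True}},
    {"ts": "2026-03-03T10:00:00", "type": "signin", "user": "a.smith", "session": "s-2", "ip": "203.0.113.44",
     "asn": "Residential ISP", "country": "CA", "ua": "Mozilla/5.0 (Macintosh)", "app": "OfficeHome", "interactive": True},
]

SCRIPTED_UA_PREFIXES = ("axios/", "python-requests/")   # axios/1.7.9 is the client the article cites
HIDING_FOLDERS = {"RSS Subscriptions", "Conversation History", "Archive"}   # assumed list
SENSITIVE_SENDERS = ("hr@", "payroll@", "finance@")                         # assumed list

def detect(events, window=timedelta(hours=24)):
    """Return (rule, user, detail) findings for scripted sign-ins, hiding inbox rules and session pivots."""
    findings, by_session = [], defaultdict(list)
    for e in events:
        if e["type"] == "signin":
            by_session[e["session"]].append(e)
            if not e["interactive"] and e["ua"].startswith(SCRIPTED_UA_PREFIXES):
                findings.append(("scripted_noninteractive_signin", e["user"], f"{e['app']} via {e['ua']}"))
        elif e["type"] == "inbox_rule":
            r = e["rule"]
            if r["from"].startswith(SENSITIVE_SENDERS) and (r.get("move_to") in HIDING_FOLDERS or r.get("delete")):
                findings.append(("hiding_inbox_rule", e["user"], f"{r['from']} -> {r.get('move_to', 'deleted')}"))
    # Same session token reused from a different provider or country within the window: token theft indicator.
    for sid, evs in by_session.items():
        evs.sort(key=lambda x: x["ts"])
        for a, b in zip(evs, evs[1:]):
            gap = datetime.fromisoformat(b["ts"]) - datetime.fromisoformat(a["ts"])
            if gap <= window and (a["asn"] != b["asn"] or a["country"] != b["country"]):
                findings.append(("session_pivot", a["user"], f"{sid}: {a['asn']}/{a['country']} -> {b['asn']}/{b['country']}"))
    return findings
```

In production the same logic belongs in the SIEM query language over real sign-in and mailbox audit tables; the point here is that all three signals come from identity and mailbox telemetry, not from the endpoint.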

Conclusion

The Storm-2755 campaign is a stark reminder that in the hyper-connected, cloud-first corporate environment, the “crown jewels” are no longer just the data—they are the sessions that provide access to that data. By hijacking these active sessions, attackers have effectively bypassed the MFA layer that was, for years, the gold standard of enterprise security. To survive the current threat landscape, security leaders must move beyond perimeter and credential security and toward a comprehensive model of identity and session integrity. The era of the “payroll pirate” is here, and the only path forward is to ensure that every single request—not just the initial login—is validated against the highest standards of security.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.