Payroll Pirate Attack Hijacks Microsoft 365 Sessions to Steal Pay
A new Payroll Pirate attack is quietly draining paychecks across multiple industries. Security Risk Advisors (SRA) recently flagged active intrusions inside several monitored client networks. Notably, the campaign skips malware entirely. Instead, it hijacks live Microsoft 365 sessions and bypasses multi-factor authentication outright.
What SRA Found
According to its report, SRA identified an active “Payroll Pirate” intrusion campaign across multiple monitored client environments.
Furthermore, the activity lines up with clusters Microsoft tracks as Storm-2755 and Storm-2657. SRA observed the pattern across healthcare, food service, and manufacturing clients. Meanwhile, Microsoft’s own reporting points to Canadian employees targeted through SEO poisoning and malvertising.
How the Attack Works
This Payroll Pirate attack starts with adversary-in-the-middle session theft. First, the attacker steals an authenticated Microsoft 365 session. Then, they replay that stolen token to slip past MFA entirely. As a result, no password guessing or malware drop is needed.
Hunting for HR and Payroll Staff
Next, the attacker turns to the Microsoft Graph API. The report notes that the Graph reconnaissance queries observed in each environment were nearly identical, targeting users whose attributes match keywords such as payroll, pay, hr, human, resources, support, info, finance, account, and admin.
Consequently, the attacker builds a precise list of finance and HR targets within minutes.
From Recon to Stolen Paychecks
Once the target list exists, the attacker moves toward payment fraud. Specifically, they either social-engineer HR staff directly or edit banking details inside platforms like Workday. Therefore, salary payments quietly reroute to attacker-controlled accounts. Because no endpoint malware appears, traditional antivirus tools stay silent throughout.
A Telling Infrastructure Pattern
Interestingly, the campaign splits its infrastructure by stage. Initial sign-in attempts arrive from US mobile carrier IP space. However, the Graph enumeration traffic shifts to Canadian residential ISPs. This split points toward residential proxy infrastructure supporting the operation.
Why Detection Is Hard
This attack chain lives entirely in the cloud and identity layer. Therefore, endpoint detection tools simply cannot see it. Instead, defenders need Microsoft Entra sign-in logs and Graph activity logs. SRA recommends shipping these logs to a SIEM or data lake immediately.
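The two log sources named above are enough to spot the recon stage described earlier. The following is an added example, not code from SRA or Microsoft: it runs over constructed Graph activity and Entra sign-in records (documentation IP ranges, invented user ids, field names simplified from the real schemas) and flags accounts whose /users queries sweep the report's keyword list, then checks whether their Graph traffic comes from an IP never seen at sign-in, the stage split the report describes.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlparse

# Keywords the SRA report says the Graph recon filters matched on.
RECON_KEYWORDS = {"payroll", "pay", "hr", "human", "resources", "support",
                  "info", "finance", "account", "admin"}

# Constructed sample records, loosely shaped like Graph activity and Entra
# sign-in log entries. Documentation IP ranges, not real telemetry.
GRAPH_LOG = [
    {"userId": "u-001", "ipAddress": "198.51.100.7",
     "requestUri": "https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'payroll')"},
    {"userId": "u-001", "ipAddress": "198.51.100.7",
     "requestUri": "https://graph.microsoft.com/v1.0/users?$filter=startswith(mail,'hr') or startswith(jobTitle,'finance')"},
    {"userId": "u-001", "ipAddress": "198.51.100.7",
     "requestUri": "https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'admin')"},
    {"userId": "u-002", "ipAddress": "192.0.2.5",
     "requestUri": "https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'support')"},
    {"userId": "u-002", "ipAddress": "192.0.2.5",
     "requestUri": "https://graph.microsoft.com/v1.0/me/messages?$top=10"},
]
SIGNIN_LOG = [
    {"userId": "u-001", "ipAddress": "203.0.113.10"},  # interactive sign-in
    {"userId": "u-002", "ipAddress": "192.0.2.5"},
]

def recon_keywords(uri: str) -> set[str]:
    """Recon keywords that appear as words inside quoted $filter/$search literals."""
    params = parse_qs(urlparse(uri).query)
    literals = []
    for key in ("$filter", "$search"):
        for expr in params.get(key, []):
            literals += re.findall(r"""['"]([^'"]+)['"]""", unquote(expr))
    words = set(re.findall(r"[a-z]+", " ".join(literals).lower()))
    return RECON_KEYWORDS & words

def flag_user_enumeration(graph_log, threshold: int = 3) -> dict[str, list[str]]:
    """Users whose /users queries cover at least `threshold` distinct recon keywords."""
    hits: dict[str, set[str]] = defaultdict(set)
    for rec in graph_log:
        if urlparse(rec["requestUri"]).path.endswith("/users"):
            hits[rec["userId"]] |= recon_keywords(rec["requestUri"])
    return {u: sorted(k) for u, k in hits.items() if len(k) >= threshold}

def graph_ips_not_seen_at_signin(graph_log, signin_log, user_id: str) -> set[str]:
    """Graph source IPs for a user that never appeared in that user's sign-ins."""
    signin_ips = {r["ipAddress"] for r in signin_log if r["userId"] == user_id}
    return {r["ipAddress"] for r in graph_log if r["userId"] == user_id} - signin_ips

if __name__ == "__main__":
    for user, kws in flag_user_enumeration(GRAPH_LOG).items():
        print(user, kws, graph_ips_not_seen_at_signin(GRAPH_LOG, SIGNIN_LOG, user))
```

The threshold of three keywords is an assumed tuning value; a single legitimate helpdesk lookup (u-002 above) stays below it while the sweeping pattern (u-001) does not.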
Recommended Defenses
Organizations should prioritize phishing-resistant MFA, such as FIDO2 passkeys or Windows Hello for Business. Additionally, require these methods through Conditional Access policies rather than merely making them available. Teams should also revoke active sessions for any compromised account. Finally, audit application consent grants, since OAuth persistence can survive password resets entirely.
Watch HR Platforms Closely
Connect Workday or similar HR systems to your security monitoring stack. Then, alert on payment changes, new MFA enrollments, and suspicious inbox rules. Rules hiding messages about direct deposit or banking often signal active payroll fraud. In short, this Payroll Pirate attack rewards organizations that watch identity signals closely.