VYPR
breach · Published Jun 15, 2026 · 1 source

Storm-2755 and Storm-2657 Use AiTM Phishing and Microsoft Graph API to Hijack Payroll Direct Deposits

Threat actors Storm-2755 and Storm-2657 are using adversary-in-the-middle phishing to steal Microsoft 365 session tokens, then querying the Microsoft Graph API to identify HR staff and reroute employee direct deposits to attacker-controlled accounts.

A campaign tracked by Microsoft as Storm-2755 and Storm-2657 is abusing Microsoft's own cloud APIs to quietly identify payroll and HR employees and then redirect salary direct deposits to attacker-controlled bank accounts. The operation, detailed in a report by Security Risk Advisors (SRA) and BushidoToken Threat Intel, has been observed across the healthcare, food services, and manufacturing sectors. Because every step runs in the cloud under stolen session tokens, it leaves no endpoint malware for traditional EDR solutions to detect.

The attack chain begins with adversary-in-the-middle (AiTM) phishing pages: a reverse proxy that sits between the victim and the real Microsoft 365 sign-in flow while presenting what looks like the normal portal. The victim types the password and approves the MFA prompt as usual, and the proxy captures the session token Microsoft issues at the end of that flow. Replaying the token gives the attacker an already-authenticated session, so MFA is satisfied once by the victim and never challenged again, and the password is not needed a second time either. Once inside, the threat actors pivot to the Microsoft Graph API, a legitimate and fully supported REST API, to run bulk directory queries searching for keywords such as 'payroll', 'hr', 'human resources', 'finance', and 'admin'. The entire directory scan completes within minutes and hands the attackers a clean list of exactly the staff they need to target.

The Graph queries observed across compromised environments were nearly identical. Attackers started with a bulk pull of all users using the endpoint /v1.0/users?$top=999 (999 is the largest page size the users endpoint allows), then ran chained search filters across fields such as displayName, jobTitle, mail, and userPrincipalName for payroll-related terms, following the $skiptoken in each response's @odata.nextLink to harvest every result. The tokens used during this enumeration carried broad delegated permissions, including Directory.Read.All, Files.ReadWrite.All, Group.ReadWrite.All, Chat.ReadWrite, and User.ReadWrite. Those scopes raise the risk of OAuth-based persistence: an application the attacker consents to on the victim's behalf keeps its consent grant through a password reset or session revocation, so it has to be found and removed separately.
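As an added example (not code from the SRA or BushidoToken report), the detection logic below runs over constructed Microsoft Graph activity log records shaped like the MicrosoftGraphActivityLogs table and flags a principal whose requests combine the three behaviours described above, a $top=999 bulk pull, payroll keywords in a $filter or $search over the named fields, and $skiptoken pagination, inside a ten-minute window. The field names, the ten-minute window, the skiptoken value and every record in SAMPLE_LOGS are assumptions made for the demo.

```python
"""Hunt for payroll-staff enumeration in Microsoft Graph activity logs.

Added example; it is not code from the SRA/BushidoToken report. Record field
names follow the MicrosoftGraphActivityLogs table as exported to a SIEM
(TimeGenerated, UserId, RequestUri, Scopes, IPAddress). Everything in
SAMPLE_LOGS is constructed for the demo, not captured data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

PAYROLL_TERMS = ("payroll", "hr", "human resources", "finance", "admin")
TARGET_FIELDS = ("displayname", "jobtitle", "mail", "userprincipalname")
BROAD_SCOPES = {"Directory.Read.All", "Files.ReadWrite.All",
                "Group.ReadWrite.All", "Chat.ReadWrite", "User.ReadWrite"}
REQUIRED = {"bulk_pull", "payroll_search", "pagination"}
WINDOW = timedelta(minutes=10)  # assumption: the whole scan completes in minutes


def _literals(filt, search):
    """String literals a keyword would live in: the quoted values of a $filter,
    and the text after the colon of each "field:value" clause in a $search."""
    lits = re.findall(r"'([^']*)'", filt)
    for clause in re.split(r"\s+(?:and|or)\s+", search, flags=re.I):
        clause = clause.strip().strip('"')
        if ":" in clause:
            lits.append(clause.split(":", 1)[1])
    return [lit.strip().lower() for lit in lits]


def classify_request(uri):
    """Tag one Graph request URI; returns a subset of REQUIRED."""
    parts = urlsplit(uri)
    query = {k.lower(): v[0]
             for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    tags = set()
    if not parts.path.lower().rstrip("/").endswith("/users"):
        return tags
    try:
        if int(query.get("$top", 0)) >= 999:
            tags.add("bulk_pull")
    except ValueError:
        pass
    filt, search = query.get("$filter", ""), query.get("$search", "")
    expr = (filt + " " + search).lower()
    if any(field in expr for field in TARGET_FIELDS) and any(
            re.search(rf"\b{re.escape(term)}\b", lit)
            for lit in _literals(filt, search) for term in PAYROLL_TERMS):
        tags.add("payroll_search")
    if "$skiptoken" in query:
        tags.add("pagination")
    return tags


def detect_enumeration(records):
    """One finding per user whose requests show every REQUIRED behaviour
    inside a single WINDOW, with the scopes and source IPs involved."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["UserId"]].append(
            (datetime.fromisoformat(rec["TimeGenerated"]), rec))
    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda item: item[0])
        tagged = [(ts, classify_request(r["RequestUri"]), r) for ts, r in recs]
        for i, (start, _, _) in enumerate(tagged):
            seen, scopes, ips, count, hit = set(), set(), set(), 0, None
            for ts, tags, r in tagged[i:]:
                if ts - start > WINDOW:
                    break
                seen |= tags
                scopes |= set(r.get("Scopes", "").split())
                ips.add(r["IPAddress"])
                count += 1
                if REQUIRED <= seen:
                    hit = ts
                    break
            if hit:
                findings.append({"user": user, "start": start.isoformat(),
                                 "end": hit.isoformat(), "requests": count,
                                 "broad_scopes": sorted(scopes & BROAD_SCOPES),
                                 "source_ips": sorted(ips)})
                break  # one finding per user is enough for triage
    return findings


_ATTACKER_SCOPES = ("Directory.Read.All Files.ReadWrite.All Group.ReadWrite.All "
                    "Chat.ReadWrite User.ReadWrite")
_G = "https://graph.microsoft.com/v1.0/"
SAMPLE_LOGS = [  # constructed records; u-1111 is the compromised account
    {"TimeGenerated": "2026-06-02T13:01:00+00:00", "UserId": "u-1111", "IPAddress": "203.0.113.7",
     "Scopes": _ATTACKER_SCOPES, "RequestUri": _G + "users?%24top=999"},
    {"TimeGenerated": "2026-06-02T13:01:12+00:00", "UserId": "u-1111", "IPAddress": "203.0.113.7",
     "Scopes": _ATTACKER_SCOPES, "RequestUri": _G + "users?%24top=999&%24skiptoken=RFNwdAIAAQ"},
    {"TimeGenerated": "2026-06-02T13:01:40+00:00", "UserId": "u-1111", "IPAddress": "203.0.113.7",
     "Scopes": _ATTACKER_SCOPES, "RequestUri": _G + "users?%24top=999&%24filter="
     "startswith(jobTitle,'payroll')%20or%20startswith(displayName,'hr')"},
    {"TimeGenerated": "2026-06-02T13:02:05+00:00", "UserId": "u-1111", "IPAddress": "203.0.113.7",
     "Scopes": _ATTACKER_SCOPES, "RequestUri": _G + "users?%24top=999&%24search="
     "%22jobTitle:human%20resources%22%20OR%20%22mail:finance%22&%24skiptoken=RFNwdAIAAQ"},
    {"TimeGenerated": "2026-06-02T13:03:00+00:00", "UserId": "u-2222", "IPAddress": "198.51.100.9",
     "Scopes": "User.Read", "RequestUri": _G + "me"},
    {"TimeGenerated": "2026-06-02T13:03:30+00:00", "UserId": "u-2222", "IPAddress": "198.51.100.9",
     "Scopes": "User.Read", "RequestUri": _G + "users?%24filter=startswith(displayName,'Jo')&%24top=10"},
]

if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_LOGS):
        print(finding)
```

The benign user's people-picker query (small $top, a name prefix, no pagination) never collects all three tags, which is the point of requiring the combination rather than alerting on any $filter over the users endpoint.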

The end goal in every case is the same: redirect an employee's direct deposit to an attacker-controlled bank account, either by contacting HR directly from the compromised account or by changing the bank details in HR platforms such as Workday. Authentication traffic came from US mobile carrier IP ranges, while Graph enumeration traffic traced back to Canadian residential ISPs, a split consistent with residential proxy infrastructure used to mask the operation. Unremediated accounts were still generating non-interactive sign-ins to Office 365 Exchange Online roughly every three hours, using the Firefox 131.0 user-agent and presenting a fresh token identifier each time, a cadence consistent with a stolen refresh token being redeemed for new access tokens. The attackers therefore kept persistent access long after the initial compromise.

Detection for this campaign depends almost entirely on Microsoft Entra sign-in telemetry and Microsoft Graph activity logs, since no malware or endpoint footprint is left behind. SRA recommends enabling Microsoft Graph activity logging and forwarding those logs to a SIEM or security data lake as the single most impactful step an organization can take right now; without it, the enumeration phase is invisible. On the authentication side, deploying phishing-resistant MFA (FIDO2 security keys, Windows Hello for Business, or certificate-based authentication) is critical, because authenticator-app push notifications, number matching, and SMS codes are all completed by the victim on the proxied page and offer no protection against AiTM token theft. The phishing-resistant method only helps if Conditional Access enforces it through an authentication strength policy, so that the phishable methods cannot be used as a fallback.
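The two sign-in signals in the preceding paragraphs, authentication and token use arriving from different networks, and non-interactive Exchange Online sign-ins on a fixed cadence with a user agent the user never signed in with, can be scored from a merged export of the interactive and non-interactive sign-in logs. The following is an added example and not part of the report: the column names are those of the SigninLogs and AADNonInteractiveUserSignInLogs tables, IsInteractive is assumed to be added during export, and the records, ASN numbers and addresses are constructed placeholders.

```python
"""Spot refresh-token replay in Entra sign-in telemetry.

Added example, not from the SRA/BushidoToken report. It expects a merged
export of SigninLogs (interactive) and AADNonInteractiveUserSignInLogs
(non-interactive). The column names UserPrincipalName, TimeGenerated,
IPAddress, AutonomousSystemNumber, UserAgent, ResourceDisplayName and
UniqueTokenIdentifier exist in those tables; IsInteractive is assumed to be
tagged on export. Every record in SAMPLE_SIGNINS is constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime

EXCHANGE = "Office 365 Exchange Online"


def cadence(times):
    """Median gap between consecutive events (seconds) and the worst gap's
    deviation from that median as a fraction; 0.0 means perfectly periodic."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = statistics.median(gaps)
    if med == 0:
        return 0.0, float("inf")
    return med, max(abs(g - med) for g in gaps) / med


def analyze_user(user, recs, resource=EXCHANGE, min_events=4, max_jitter=0.25):
    """Finding for one user, or None. An ASN split between interactive
    sign-ins and non-interactive token use is mandatory; a machine-regular
    cadence or a never-before-seen user agent must corroborate it."""
    interactive = [r for r in recs if r["IsInteractive"]]
    replays = sorted((r for r in recs if not r["IsInteractive"]
                      and r["ResourceDisplayName"] == resource),
                     key=lambda r: r["TimeGenerated"])
    if len(replays) < min_events or not interactive:
        return None
    auth_asns = {r["AutonomousSystemNumber"] for r in interactive}
    replay_asns = {r["AutonomousSystemNumber"] for r in replays}
    med, jitter = cadence([datetime.fromisoformat(r["TimeGenerated"]) for r in replays])
    reasons = []
    if replay_asns.isdisjoint(auth_asns):
        reasons.append("asn_split")        # auth on one network, token use on another
    if jitter <= max_jitter:
        reasons.append("regular_cadence")  # timer-driven refresh, not a human
    if {r["UserAgent"] for r in replays}.isdisjoint({r["UserAgent"] for r in interactive}):
        reasons.append("new_user_agent")   # a client the user never signed in with
    if "asn_split" not in reasons or len(reasons) < 2:
        return None
    return {"user": user, "reasons": reasons, "events": len(replays),
            "median_gap_hours": round(med / 3600, 2),
            "auth_asns": sorted(auth_asns), "replay_asns": sorted(replay_asns),
            "user_agents": sorted({r["UserAgent"] for r in replays}),
            "distinct_tokens": len({r["UniqueTokenIdentifier"] for r in replays})}


def detect_token_replay(records, **kw):
    by_user = defaultdict(list)
    for r in records:
        by_user[r["UserPrincipalName"]].append(r)
    findings = []
    for user, recs in sorted(by_user.items()):
        finding = analyze_user(user, recs, **kw)
        if finding:
            findings.append(finding)
    return findings


def _rec(upn, ts, asn, ip, ua, token, interactive):
    return {"UserPrincipalName": upn, "TimeGenerated": ts, "AutonomousSystemNumber": asn,
            "IPAddress": ip, "UserAgent": ua, "ResourceDisplayName": EXCHANGE,
            "UniqueTokenIdentifier": token, "IsInteractive": interactive}


_BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/126.0 Safari/537.36"
_FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0"
_OUTLOOK = "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17928; Pro)"
SAMPLE_SIGNINS = [  # constructed; ASN 20001 / 30002 are placeholders, not real networks
    _rec("alice@example.com", "2026-06-01T08:00:00+00:00", 20001, "198.51.100.20", _BROWSER, "t-a0", True),
    _rec("alice@example.com", "2026-06-01T09:02:00+00:00", 30002, "192.0.2.55", _FIREFOX, "t-a1", False),
    _rec("alice@example.com", "2026-06-01T12:00:00+00:00", 30002, "192.0.2.55", _FIREFOX, "t-a2", False),
    _rec("alice@example.com", "2026-06-01T15:05:00+00:00", 30002, "192.0.2.56", _FIREFOX, "t-a3", False),
    _rec("alice@example.com", "2026-06-01T18:01:00+00:00", 30002, "192.0.2.55", _FIREFOX, "t-a4", False),
    _rec("alice@example.com", "2026-06-01T21:03:00+00:00", 30002, "192.0.2.57", _FIREFOX, "t-a5", False),
    _rec("bob@example.com", "2026-06-01T08:30:00+00:00", 20001, "198.51.100.21", _BROWSER, "t-b0", True),
    _rec("bob@example.com", "2026-06-01T09:00:00+00:00", 20001, "198.51.100.21", _OUTLOOK, "t-b1", False),
    _rec("bob@example.com", "2026-06-01T09:40:00+00:00", 20001, "198.51.100.21", _OUTLOOK, "t-b2", False),
    _rec("bob@example.com", "2026-06-01T11:10:00+00:00", 20001, "198.51.100.21", _OUTLOOK, "t-b3", False),
    _rec("bob@example.com", "2026-06-01T12:00:00+00:00", 20001, "198.51.100.21", _OUTLOOK, "t-b4", False),
    _rec("bob@example.com", "2026-06-01T16:30:00+00:00", 20001, "198.51.100.21", _OUTLOOK, "t-b5", False),
]

if __name__ == "__main__":
    for finding in detect_token_replay(SAMPLE_SIGNINS):
        print(finding)
```

Bob's Outlook client also refreshes tokens with a user agent that never appears in his browser sign-ins, which is why a new user agent on its own is not enough; the ASN split is what separates his normal desktop traffic from Alice's replayed token.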

For organizations already dealing with compromised accounts, remediation must be thorough. Revoking sessions and refresh tokens through the Entra Admin Center, resetting credentials, re-registering MFA methods, and auditing all enterprise application consent grants are required steps; because a consent grant survives the first three, skipping the audit can leave the attacker a way back in. Any direct deposit or payroll changes made during the compromise window must also be reviewed and reversed. HR teams should treat any payroll change request as suspect until it has been verified through an out-of-band channel, such as a call to a number already on file.
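For the consent-grant audit in the remediation steps above, here is an added example (not the report's code) that takes the oauth2PermissionGrant and servicePrincipal objects a Graph export returns and lists the grants to delete, ranking those carrying the broad delegated scopes seen in the campaign first. The sample objects, app names, ids and the trusted-app list are constructed assumptions; the DELETE endpoint in the suggested action is the real v1.0 route for removing a grant.

```python
"""Audit OAuth consent grants after an account compromise.

Added example, not from the SRA/BushidoToken report. Input shapes follow the
Graph v1.0 oauth2PermissionGrant (id, clientId, consentType, principalId,
scope) and servicePrincipal (id, appId, displayName) resources as returned by
GET /oauth2PermissionGrants and GET /servicePrincipals. The sample objects,
ids, app names and trusted-app list below are constructed for the demo.
"""
BROAD_SCOPES = {"Directory.Read.All", "Files.ReadWrite.All",
                "Group.ReadWrite.All", "Chat.ReadWrite", "User.ReadWrite"}


def audit_consent_grants(grants, service_principals, compromised_user_ids,
                         trusted_app_ids=frozenset()):
    """Return the grants to remove, highest risk first.

    A grant is flagged when the compromised user consented to it (an attacker
    holding that user's session could have granted it) or when it is
    tenant-wide (AllPrincipals) for an app outside trusted_app_ids. Grants
    carrying the campaign's broad scopes are ranked ahead of the rest."""
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        sp = sp_by_id.get(grant["clientId"], {})
        broad = sorted(set(grant.get("scope", "").split()) & BROAD_SCOPES)
        reasons = []
        if grant["consentType"] == "Principal" and grant.get("principalId") in compromised_user_ids:
            reasons.append("consented by compromised user")
        if grant["consentType"] == "AllPrincipals" and sp.get("appId") not in trusted_app_ids:
            reasons.append("tenant-wide grant to app outside the trusted list")
        if not reasons:
            continue
        findings.append({
            "grant_id": grant["id"],
            "app": sp.get("displayName", grant["clientId"]),
            "app_id": sp.get("appId"),
            "reasons": reasons,
            "broad_scopes": broad,
            # Removing the grant is what actually ends the app's access.
            "action": f"DELETE https://graph.microsoft.com/v1.0/oauth2PermissionGrants/{grant['id']}",
        })
    findings.sort(key=lambda f: (-len(f["broad_scopes"]), f["grant_id"]))
    return findings


SAMPLE_SPS = [  # constructed service principals
    {"id": "sp-1", "appId": "app-mailsync", "displayName": "MailSync Helper"},
    {"id": "sp-2", "appId": "app-hrconnect", "displayName": "HR Connect"},
    {"id": "sp-3", "appId": "app-newsfeed", "displayName": "News Feed Widget"},
]
SAMPLE_GRANTS = [  # constructed grants; g-1 is what an attacker-consented app looks like
    {"id": "g-1", "clientId": "sp-1", "consentType": "Principal", "principalId": "u-1111",
     "scope": "Directory.Read.All Files.ReadWrite.All Group.ReadWrite.All "
              "Chat.ReadWrite User.ReadWrite offline_access"},
    {"id": "g-2", "clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
    {"id": "g-3", "clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.Read"},
    {"id": "g-4", "clientId": "sp-1", "consentType": "Principal", "principalId": "u-2222",
     "scope": "Mail.Read"},
]
COMPROMISED_USERS = {"u-1111"}
TRUSTED_APPS = {"app-hrconnect"}

if __name__ == "__main__":
    for finding in audit_consent_grants(SAMPLE_GRANTS, SAMPLE_SPS, COMPROMISED_USERS, TRUSTED_APPS):
        print(finding)
```

The offline_access scope on g-1 is worth noticing in a real audit too: it is what lets a consented app obtain refresh tokens, so an app holding it together with the broad scopes above can keep working until the grant itself is deleted.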

Synthesized by Vypr AI