Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Hackers Exploit AiTM to Misdirect Employee Salaries

Hackers Exploit AiTM to Misdirect Employee Salaries

Posted on April 10, 2026 By CWS

A new wave of cyberattacks by a group identified as Storm-2755 is targeting Canadian employees by rerouting their salary payments to hacker-controlled bank accounts. This financially driven campaign employs adversary-in-the-middle (AiTM) tactics to hijack authenticated online sessions, effectively bypassing multi-factor authentication (MFA) measures.

Understanding Storm-2755’s Methodology

Storm-2755 initiates its attacks through SEO poisoning and malvertising, directing unsuspecting users to rogue websites like bluegraintours[.]com. These sites appear at the top of search results for terms like “Office 365” and its common misspelling “Office 265.” Victims who click these links are led to a counterfeit Microsoft 365 login page. Upon entering their credentials, the attackers capture both the password and active session token in real time, gaining full access without triggering MFA alerts.

Targeting Canadian Employees

Unlike other threat actors, Storm-2755 casts a wide net by targeting a broad range of Canadian employees, regardless of their industry. This strategy utilizes industry-neutral search phrases, making it difficult for standard threat intelligence systems to detect their operations. Once inside a compromised account, the group searches for payroll and HR keywords, sending deceptive emails to HR departments to alter direct deposit details.

Technical Sophistication of AiTM Attacks

What distinguishes Storm-2755 from previous phishing schemes is its sophisticated AiTM approach. By proxying the entire authentication process between the victim and Microsoft’s legitimate login service, the group can intercept session cookies and OAuth tokens. Utilizing the Axios HTTP client version 1.7.9, they maintain session activity without arousing suspicion. They exploit known vulnerabilities like CVE-2025-27152 for server-side request forgery within their relay framework.

In many cases, stolen tokens naturally expire after 30 days of inactivity. However, the attackers often reset account passwords and MFA settings long before expiration to maintain unauthorized access.

Recommendations for Organizations

Organizations are urged to act swiftly by revoking compromised tokens, removing malicious inbox rules, and resetting affected credentials and MFA methods. Implementing phishing-resistant MFA solutions like FIDO2 security keys can thwart AiTM-style token theft. It’s also crucial to configure Conditional Access policies to limit session durations and mandate reauthentication when risks arise. Continuous Access Evaluation (CAE) is recommended to quickly invalidate stolen tokens when risk conditions are detected. Additionally, security teams should monitor for suspicious inbox rule creation and audit HR platforms like Workday for unauthorized payment changes.

Stay informed by following our updates on Google News, LinkedIn, and X. Set CSN as your preferred news source on Google for more insights.

Cyber Security News Tags:AiTM, Canadian workforce, cyberattack prevention, Cybersecurity, employee security, Malvertising, Microsoft 365, multi-factor authentication, salary theft, Storm-2755

Post navigation

Previous Post: EngageSDK Flaw Puts Millions of Crypto Wallets at Risk
Next Post: France Adopts Linux for Government Workstations

Related Posts

New CometJacking Attack Let Attackers Turn Perplexity Browser Against You in One Click New CometJacking Attack Let Attackers Turn Perplexity Browser Against You in One Click Cyber Security News
AMD Zen 5 Processors RDSEED Vulnerability Breaks Integrity With Randomness AMD Zen 5 Processors RDSEED Vulnerability Breaks Integrity With Randomness Cyber Security News
Insider Threats in 2025 Detection and Prevention Strategies Insider Threats in 2025 Detection and Prevention Strategies Cyber Security News
10 Best Data Loss Prevention Software in 2025 10 Best Data Loss Prevention Software in 2025 Cyber Security News
Chinese Cyber Threat Targets Qatar Amid Middle East Unrest Chinese Cyber Threat Targets Qatar Amid Middle East Unrest Cyber Security News
Firefox Releases Security Update to Fix Multiple Vulnerabilities Allowing Arbitrary Code Execution Firefox Releases Security Update to Fix Multiple Vulnerabilities Allowing Arbitrary Code Execution Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • FastNetMon Unveils Netomics for Enhanced Routing Control
  • Hackers Exploit Fake Microsoft Passkey Enrollment for Attacks
  • Top Unified Threat Management Solutions in 2026
  • Study Reveals Security Flaws in Free Android VPN Apps
  • WhatsApp Exploit Turns OpenClaw into Hacker Tool

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • FastNetMon Unveils Netomics for Enhanced Routing Control
  • Hackers Exploit Fake Microsoft Passkey Enrollment for Attacks
  • Top Unified Threat Management Solutions in 2026
  • Study Reveals Security Flaws in Free Android VPN Apps
  • WhatsApp Exploit Turns OpenClaw into Hacker Tool

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark