Cyber attackers are using Microsoft’s own cloud tooling to quietly locate payroll and HR personnel inside corporate tenants and divert their salaries to accounts the attackers control. Organizations are scrambling to respond as the threat spreads across sectors and regions.
Innovative Attack Techniques
The attackers avoid deploying traditional malware altogether. Instead, they use adversary-in-the-middle (AiTM) phishing: a proxy page masquerading as the Microsoft 365 sign-in page relays the victim’s login and captures the resulting session. Because the authenticated session itself is stolen, the attackers bypass multi-factor authentication and access the account without needing the password.
Reports from Security Risk Advisors and BushidoToken Threat Intel highlight the challenge of distinguishing legitimate activity from malicious actions due to the use of Microsoft’s tools. This strategy leaves endpoint detection systems with little to alert on.
Exploiting Microsoft Graph API
Once inside a Microsoft 365 account, the attackers turn to the Microsoft Graph API, the programmatic interface for querying directory data. With it they run bulk searches for employees whose roles relate to payroll, HR, and finance, compiling a target list within minutes.
The campaign, linked to Microsoft-tracked entities Storm-2755 and Storm-2657, has been detected in various industries, including healthcare and manufacturing. The ultimate aim is to alter payroll settings to redirect salaries to attacker-controlled accounts.
Defensive Measures and Recommendations
Detection relies heavily on Microsoft Entra sign-in telemetry and Microsoft Graph activity logs. Enabling detailed logging and forwarding this data to the organization’s security monitoring platform is crucial, since endpoint tooling sees little of this activity.
Implementing phishing-resistant multi-factor authentication, such as FIDO2 keys or certificate-based methods, is advised. Standard authentication techniques like SMS codes are inadequate against AiTM tactics.
Compromised organizations must revoke sessions, reset credentials, and audit application permissions thoroughly. Payroll changes during the breach should be scrutinized and verified independently.
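The bulk directory searches described above leave a distinctive trace in Graph activity logs: one principal issuing several /users enumeration queries filtered on role keywords in a short span. The following is an added, hypothetical detection example (not code from the reports cited here); the log entries are constructed and only loosely modelled on the Graph activity log fields TimeGenerated, UserId, RequestMethod and RequestUri, so map them to your own schema before use.

```python
"""Flag principals that bulk-search Microsoft Graph /users for payroll, HR or
finance staff. Hypothetical detection over constructed log entries."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Role keywords an intruder enumerating payroll targets would query on.
TARGET_TERMS = re.compile(r"payroll|human resources|\bhr\b|finance|benefits", re.I)
WINDOW = timedelta(minutes=10)   # sliding window length
THRESHOLD = 3                    # targeted /users searches per principal per window

RAW = [  # (time, user, request path) constructed sample entries, not real telemetry
    ("2024-05-01T09:00:05Z", "u-1", "users?$filter=startswith(jobTitle,'Payroll')&$top=999"),
    ("2024-05-01T09:00:20Z", "u-1", "users?$search=%22department:Human%20Resources%22"),
    ("2024-05-01T09:01:10Z", "u-1", "users?$filter=department%20eq%20'Finance'"),
    ("2024-05-01T09:02:40Z", "u-1", "users?$search=%22jobTitle:benefits%22"),
    ("2024-05-01T09:03:00Z", "u-1", "me/messages?$top=10"),                       # unrelated call
    ("2024-05-01T11:15:00Z", "u-2", "users?$filter=department%20eq%20'Finance'"),  # one normal lookup
    ("2024-05-01T11:16:00Z", "u-2", "users/abc-123"),                             # single-object read
]
SAMPLE_LOGS = [{"TimeGenerated": t, "UserId": u, "RequestMethod": "GET",
                "RequestUri": "https://graph.microsoft.com/v1.0/" + p} for t, u, p in RAW]

def is_targeted_search(uri: str) -> bool:
    """True when the request enumerates /users with a $filter/$search on role keywords."""
    parsed = urlparse(uri)
    if not re.search(r"/users/?$", parsed.path):   # /users/{id} reads are not enumeration
        return False
    params = parse_qs(parsed.query)                 # also percent-decodes the values
    text = " ".join(params.get("$filter", []) + params.get("$search", []))
    return bool(TARGET_TERMS.search(text))

def find_enumeration(logs, window=WINDOW, threshold=THRESHOLD):
    """Return {UserId: peak count} for principals reaching `threshold` targeted searches in one window."""
    per_user = defaultdict(list)
    for e in logs:
        if e.get("RequestMethod") == "GET" and is_targeted_search(e["RequestUri"]):
            per_user[e["UserId"]].append(datetime.strptime(e["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ"))
    hits = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:        # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[user] = max(hits.get(user, 0), end - start + 1)
    return hits
```

On the constructed sample, `find_enumeration(SAMPLE_LOGS)` flags only `u-1` (four targeted searches in under three minutes); the HR admin’s single lookup and the `/users/{id}` read are ignored.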
