A new wave of cyberattacks by a group identified as Storm-2755 is targeting Canadian employees by rerouting their salary payments to hacker-controlled bank accounts. This financially driven campaign employs adversary-in-the-middle (AiTM) tactics to hijack authenticated online sessions, effectively bypassing multi-factor authentication (MFA) measures.
Understanding Storm-2755’s Methodology
Storm-2755 initiates its attacks through SEO poisoning and malvertising, directing unsuspecting users to rogue websites like bluegraintours[.]com. These sites appear at the top of search results for terms like “Office 365” and its common misspelling “Office 265.” Victims who click these links are led to a counterfeit Microsoft 365 login page. Upon entering their credentials, the attackers capture both the password and active session token in real time, gaining full access without triggering MFA alerts.
Targeting Canadian Employees
Unlike other threat actors, Storm-2755 casts a wide net by targeting a broad range of Canadian employees, regardless of their industry. This strategy utilizes industry-neutral search phrases, making it difficult for standard threat intelligence systems to detect their operations. Once inside a compromised account, the group searches for payroll and HR keywords, sending deceptive emails to HR departments to alter direct deposit details.
Technical Sophistication of AiTM Attacks
What distinguishes Storm-2755 from previous phishing schemes is its sophisticated AiTM approach. By proxying the entire authentication process between the victim and Microsoft’s legitimate login service, the group can intercept session cookies and OAuth tokens. Utilizing the Axios HTTP client version 1.7.9, they maintain session activity without arousing suspicion. They exploit known vulnerabilities like CVE-2025-27152 for server-side request forgery within their relay framework.
In many cases, stolen tokens naturally expire after 30 days of inactivity. However, the attackers often reset account passwords and MFA settings long before expiration to maintain unauthorized access.
Recommendations for Organizations
Organizations are urged to act swiftly by revoking compromised tokens, removing malicious inbox rules, and resetting affected credentials and MFA methods. Implementing phishing-resistant MFA solutions like FIDO2 security keys can thwart AiTM-style token theft. It’s also crucial to configure Conditional Access policies to limit session durations and mandate reauthentication when risks arise. Continuous Access Evaluation (CAE) is recommended to quickly invalidate stolen tokens when risk conditions are detected. Additionally, security teams should monitor for suspicious inbox rule creation and audit HR platforms like Workday for unauthorized payment changes.
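One way to operationalize the "monitor for suspicious inbox rule creation" advice above is to scan mailbox audit records for rules that both key on payroll/HR terms and hide or divert the matching mail. The Python below is an added example, not from the article or from Microsoft; its sample records are constructed and only modelled on the shape of Microsoft 365 Unified Audit Log `AuditData` entries (`Operation`, `UserId`, `ClientIP`, `Parameters`).

```python
import json
import re

# Terms the article says the actor hunts for once inside a mailbox.
PAYROLL_TERMS = ("payroll", "direct deposit", "hr", "salary", "bank account")
# Rule actions that keep payroll/HR replies out of the victim's sight.
HIDING_ACTIONS = ("DeleteMessage", "MoveToFolder", "ForwardTo", "RedirectTo",
                  "ForwardAsAttachmentTo", "MarkAsRead")
RULE_OPS = ("New-InboxRule", "Set-InboxRule")
CONDITION_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "From", "Name")

def rule_params(record):
    """Flatten the audit record's Parameters list into {Name: Value}."""
    return {p.get("Name"): str(p.get("Value", "")) for p in record.get("Parameters", [])}

def is_suspicious_rule(record):
    """Return reasons an inbox-rule record matches payroll-diversion tradecraft ([] if clean)."""
    if record.get("Operation") not in RULE_OPS:
        return []
    params = rule_params(record)
    text = " ".join(params.get(f, "") for f in CONDITION_FIELDS).lower()
    hits = [t for t in PAYROLL_TERMS if re.search(r"\b" + re.escape(t) + r"\b", text)]
    actions = [a for a in HIDING_ACTIONS if params.get(a) not in (None, "", "False")]
    # Flag only rules that both target payroll/HR mail and hide or divert it.
    if not (hits and actions):
        return []
    return ["matches payroll/HR terms: " + ", ".join(hits),
            "hides or diverts mail via: " + ", ".join(actions)]

def scan(lines):
    """Parse newline-delimited JSON audit records and return (user, ip, reasons) findings."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        reasons = is_suspicious_rule(rec)
        if reasons:
            findings.append((rec.get("UserId"), rec.get("ClientIP"), reasons))
    return findings

# Constructed sample records (not real telemetry); IPs are documentation ranges.
SAMPLE_AUDIT = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "employee@example.ca", "ClientIP": "203.0.113.10",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectOrBodyContainsWords", "Value": "payroll;direct deposit"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "manager@example.ca", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "From", "Value": "news@example.com"},
                               {"Name": "MoveToFolder", "Value": "Reading"}]}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "employee@example.ca"}),
]

if __name__ == "__main__":
    for user, ip, reasons in scan(SAMPLE_AUDIT):
        print(f"ALERT {user} from {ip}: " + "; ".join(reasons))
```

In production the same check would run over exported audit logs rather than the inline sample, with `scan()` feeding a SIEM alert that also triggers the token revocation and MFA reset steps described above.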
