Payroll pirate attacks are hijacking Canadian paycheques

Picture an employee's pay quietly redirected to a stranger's bank account, with the first sign of trouble being the employee asking why they weren't paid. That's the entire goal of a campaign Microsoft has been tracking, and it specifically targets Canadian workers.

Microsoft's threat-intelligence team calls the group behind it Storm-2755, and the tactic "payroll pirate." It's a clean example of how attackers now skip the firewall entirely and go straight for the money, and why a small business is very much in scope.

How the scam works

It starts with a search. The attackers use SEO poisoning and paid ads so that their fake site ranks for everyday queries like "Office 365 login." An employee clicks what looks like the normal sign-in page and enters their credentials. The catch: that fake page sits in the middle and relays the login to the real Microsoft sign-in service in real time, capturing not just the password but the session token Microsoft hands back, which lets the attacker walk straight past multi-factor authentication.

Once inside the mailbox, they go hunting for payroll. They email HR or finance with a subject line as mundane as "Question about direct deposit," asking to update banking details. If that polite request doesn't work, they log into the company's HR or payroll platform (Microsoft cites Workday as an example) and change the deposit account themselves. To buy time, they set inbox rules that quietly hide any replies mentioning payroll, so nobody notices until payday.

Why a small business should care

This isn't a big-enterprise problem you can file away:

  • It targets Canadians on purpose. Microsoft notes the actor selects victims by geography, focusing on Canadian users rather than a specific industry.
  • It runs on Microsoft 365, the email and login that most small businesses already use, so no exotic setup is needed to be exposed to it.
  • "We have MFA" was not enough. By stealing the session token, the attackers sidestepped ordinary MFA entirely; the control everyone leans on did not stop this one.
  • The loss is immediate and personal, a real person's paycheque, plus the trust damage of explaining to staff that their pay was stolen through the company's systems.

How to stop it

The defences are specific and, mostly, things you can do this week:

  • Move to phishing-resistant MFA (passkeys or FIDO2 security keys). This is Microsoft's top recommendation precisely because it defeats the token-theft trick ordinary MFA falls for.
  • Verify every banking or payroll change out-of-band. Any request to change direct-deposit details gets confirmed by calling the employee on a known number, the same rule that stops wire fraud.
  • Lock down the payroll/HR system itself with its own MFA, and turn on alerts for changes to banking information.
  • Watch for sneaky inbox rules that auto-delete or forward messages; a rule hiding anything about "payroll" or "direct deposit" is a red flag of a hijacked account.
  • Tell staff to reach Microsoft 365 by bookmark, never by clicking a search result or ad for the login page.
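The inbox-rule check from the list above, as an added example that is not code from Microsoft or the original post: it flags enabled rules that both match payroll-related words and delete, forward, redirect or move the matching messages, and it extends the page's two phrases with "banking" and "pay stub". The rule records are constructed sample data shaped loosely after the Microsoft Graph messageRule resource (an assumption; in a real tenant they would come from the Graph API or Get-InboxRule).

```python
from dataclasses import dataclass, field

# Words that a hijacked mailbox's rules typically filter on.
SENSITIVE_TERMS = ("payroll", "direct deposit", "banking", "pay stub")
# Rule actions that take a message out of the user's sight.
HIDING_ACTIONS = ("delete", "permanentDelete", "forwardTo", "redirectTo", "moveToFolder")


@dataclass
class Finding:
    rule_name: str
    terms: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def _matched_terms(conditions):
    """Return the sensitive terms present in the rule's text conditions."""
    words = []
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
        words.extend(conditions.get(key, []))
    return sorted({t for t in SENSITIVE_TERMS if any(t in w.lower() for w in words)})


def _hiding_actions(actions):
    """Return the actions that hide the message (a set flag or a non-empty target)."""
    return [key for key in HIDING_ACTIONS if actions.get(key)]


def find_suspicious_rules(rules):
    """Flag enabled rules that match payroll terms AND hide the message."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue  # disabled rules do nothing; review them separately
        terms = _matched_terms(rule.get("conditions", {}))
        actions = _hiding_actions(rule.get("actions", {}))
        if terms and actions:
            findings.append(Finding(rule["displayName"], terms, actions))
    return findings


# Constructed sample rules (assumed Graph-like shape, not a real tenant dump).
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": "Housekeeping", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["payroll", "Direct Deposit"]},
     "actions": {"markAsRead": True, "delete": True}},
    {"displayName": "Old rule", "isEnabled": False,
     "conditions": {"subjectContains": ["payroll"]},
     "actions": {"delete": True}},
]

if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_RULES):
        print(f"Suspicious rule '{f.rule_name}': {f.terms} -> {f.actions}")
```

Only the "Housekeeping" rule is reported; the newsletter rule matches no payroll term and the disabled rule is skipped.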

Sources:

  • Microsoft Security Blog, Investigating Storm-2755: Payroll pirate attacks targeting Canadian employees
  • Help Net Security, Poisoned Office 365 search results lead to stolen paychecks
