Have you heard of payroll pirates? There’s a new term making the rounds in cybersecurity circles — and if you haven’t heard it yet, you need to. Payroll pirates are cybercriminals who don’t bother breaking into your bank account directly. Instead, they hijack your work identity, quietly reroute your paycheck to themselves, and disappear before you even realize your salary never arrived.
Microsoft’s security researchers just sounded the alarm on exactly this type of attack, and the findings should get every employee and HR professional’s attention.
Meet Storm-2755: The Payroll Pirates in Action
A financially motivated threat actor tracked as Storm-2755 has been stealing employees’ salary payments after hijacking their accounts in what Microsoft calls payroll redirection — or “payroll pirates” — attacks. The campaign has specifically targeted Canadian employees, using malicious Microsoft 365 sign-in pages to steal victims’ authentication tokens and session cookies.
What makes Storm-2755 distinct from similar campaigns is its targeting strategy. Rather than focusing on a specific industry or organization, the group relied exclusively on geographic targeting of Canadian users, using malvertising and SEO poisoning on industry-agnostic search terms to identify victims. In other words, they cast a wide net — any Canadian employee searching for common workplace topics online could have been pulled into the trap.
How the Attack Works
This is where it gets technically clever — and deeply unsettling. The attack unfolds in stages:
Step 1 — Steal the session. Attackers redirected victims to fake Microsoft 365 login pages that appeared at the top of search results through malvertising or SEO poisoning. These pages captured not just usernames and passwords, but full session cookies and OAuth access tokens. By replaying those stolen tokens, the attackers could bypass multifactor authentication entirely — no need to re-authenticate.
Step 2 — Hide the evidence. Once inside the victim’s account, the attacker created inbox rules that automatically moved messages from HR staff containing words like “direct deposit” or “bank” into hidden folders, preventing the victim from seeing any suspicious correspondence.
Step 3 — Redirect the paycheck. The attacker then searched the victim’s inbox for payroll-related terms and sent emails to HR staff with the subject line “Question about direct deposit,” socially engineering them into updating banking information. Where that social engineering failed, the attacker simply logged directly into HR platforms like Workday using the stolen session and manually changed the direct deposit details themselves.
The victim keeps going to work. The paycheck goes somewhere else entirely.
This Isn’t an Isolated Incident
Payroll pirates aren’t a one-off threat. In October 2025, Microsoft disrupted a separate payroll pirate campaign against Workday accounts, in which a group tracked as Storm-2657 targeted university employees across the United States using the same adversary-in-the-middle tactics to hijack salary payments.
In that earlier campaign, 11 accounts at three universities were compromised and used to send phishing emails to nearly 6,000 email addresses across 25 universities. The attacks then leveraged those newly compromised accounts to spread further — turning each victim into the next attack’s launchpad.
The Bigger Picture: BEC Fraud Is Big Business
Payroll pirate attacks are a variant of business email compromise (BEC) scams. Last year, the FBI’s Internet Crime Complaint Center recorded over 24,000 BEC fraud complaints, resulting in losses exceeding $3 billion — making it the second most lucrative cybercrime category, behind only investment scams.
And critically, these attacks don’t depend on any vulnerability in the payroll platform itself. The issue is the abuse of trusted workflows and insufficient identity protections — a distinction that matters because it widens the problem beyond any single application or vendor. If your organization uses any HR or payroll SaaS platform and your identity controls are weak, you are a potential target for payroll pirates.
What You Can Do Right Now
Microsoft’s guidance for defending against payroll pirates is straightforward but requires action:
- Deploy phishing-resistant MFA. Standard MFA can be bypassed through AiTM techniques, as this campaign demonstrated. Phishing-resistant methods — such as hardware security keys or passkey-based authentication — are significantly harder to defeat.
- Block legacy authentication protocols. Older authentication methods don’t support modern security controls and give attackers a convenient back door.
- Audit your inbox rules regularly. Attackers rely on hidden inbox rules to suppress security notifications. Periodic audits can catch unauthorized rules before damage is done.
- Train HR and finance staff. These teams are the last line of defense against social engineering requests to change direct deposit information. Any such request — even one that looks like it came from a known employee — should be verified through a separate, trusted channel.
- Monitor HR platform logins. Unusual access to payroll and HR systems, especially outside normal hours or from unfamiliar locations, should trigger immediate investigation.
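Step 2 of the attack and the inbox-rule audit recommended above both come down to the same artifact, so here is an added example (not from the original post or from Microsoft's write-up) of a small Python audit that flags rules hiding payroll-related mail or sending it out of the mailbox. It assumes an export shaped like the Microsoft Graph messageRule resource (displayName, isEnabled, conditions, actions); the two sample rules are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Terms the campaign's inbox rules keyed on ("direct deposit", "bank") plus a
# few obvious neighbours; tune to your own HR vocabulary (constructed list).
PAYROLL_TERMS = ("direct deposit", "bank", "payroll", "salary", "routing number")

# Action keys follow the Microsoft Graph messageRule resource (assumption:
# adapt the names if your export uses a different schema).
HIDING_ACTIONS = ("moveToFolder", "delete", "markAsRead")
EXFIL_ACTIONS = ("forwardTo", "redirectTo", "forwardAsAttachmentTo")

@dataclass
class Finding:
    rule_name: str
    reasons: list[str] = field(default_factory=list)

def _match_strings(conditions: dict) -> list[str]:
    """Every string the rule matches on (subject, body, sender), lower-cased."""
    keys = ("subjectContains", "bodyContains", "bodyOrSubjectContains", "senderContains")
    return [s.lower() for k in keys for s in conditions.get(k, [])]

def audit_rule(rule: dict) -> Finding | None:
    """Return a Finding if the rule looks like payroll-redirection tradecraft."""
    if not rule.get("isEnabled", True):
        return None  # a disabled rule hides nothing; review it separately if you wish
    conditions = rule.get("conditions") or {}
    actions = rule.get("actions") or {}
    reasons: list[str] = []
    keyword_hit = any(t in s for s in _match_strings(conditions) for t in PAYROLL_TERMS)
    hiding = [a for a in HIDING_ACTIONS if actions.get(a)]
    exfil = [a for a in EXFIL_ACTIONS if actions.get(a)]
    if keyword_hit and hiding:
        reasons.append("hides payroll-related mail via " + ", ".join(hiding))
    if exfil:
        reasons.append("sends mail out of the mailbox via " + ", ".join(exfil))
    if len(rule.get("displayName", "").strip()) <= 1:
        reasons.append("blank or one-character rule name")  # heuristic, not proof
    return Finding(rule.get("displayName", ""), reasons) if reasons else None

def audit_rules(rules: list[dict]) -> list[Finding]:
    return [f for f in (audit_rule(r) for r in rules) if f]

# Constructed sample export (not real data): one benign rule, one hostile rule.
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@vendor.example"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["Direct Deposit", "bank"]},
     "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True}},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[!] rule {f.rule_name!r}: {'; '.join(f.reasons)}")
```

Run it over each user's exported rules after a suspected token theft; in Exchange Online the same data comes from Get-InboxRule, where the property names differ.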
The Bottom Line
Payroll pirates are proof that attackers don’t need to be sophisticated to be effective — they just need to be patient and strategic. By combining fake login pages, MFA bypass techniques, inbox manipulation, and HR social engineering, Storm-2755 turned ordinary employees into unwitting victims without ever deploying a single piece of malware.
Your paycheck is part of your attack surface. Make sure you’re protecting it.
