Financially motivated threat actor Storm-2755 targeted Canadian employees of Microsoft using malicious Microsoft 365 sign-in pages to steal authentication tokens and session cookies. This enabled them to bypass MFA and hijack salary payments by manipulating direct deposit information in HR platforms like Workday.
Initial Access
Malvertising Lure
confirmed
Attackers used malvertising or SEO poisoning to push malicious Microsoft 365 sign-in pages to the top of search engine results, luring Canadian employees.
Defender cut points
Implement robust web filtering and ad blockers to prevent access to malicious sites
Conduct user awareness training on identifying malvertising and suspicious search results