A financially motivated hacking group has been discovered targeting Canadian employees with a sophisticated scheme aimed at redirecting salary payments into bank accounts controlled by the attackers. This malicious campaign, identified by researchers, employs various tactics to deceive victims and gain unauthorized access to their payroll information.
Understanding the Attack
The group, referred to as Storm-2755, initiates its attack by poisoning search engine results. It creates malicious advertisements linked to common search queries such as “Office 365” or even common misspellings like “Office 265.” When victims click on these links, they are directed to a convincing but fraudulent Microsoft 365 login page.
Upon entering their credentials, victims unknowingly provide the attackers with their login information. Additionally, the attackers utilize a technique that proxies the entire authentication session in real time, capturing the session token generated after login.
Microsoft's incident response team noted, “Storm-2755 leveraged version 1.7.9 of the Axios HTTP client to relay authentication tokens to the customer infrastructure, effectively bypassing non-phishing resistant multi-factor authentication (MFA) and maintaining access without the need for repeated sign-ins.” This method allowed the attackers to maintain active sessions and proxy legitimate user actions, executing what is known as an “Account takeover in the middle” (AiTM) attack.
The Campaign’s Objectives
While the attackers typically maintain quiet access to the victims’ accounts, in some cases, they change the victims’ passwords and MFA settings. This ensures that even after the original stolen token expires, the attackers retain control over the compromised account.
Once inside the victims’ email accounts, the attackers meticulously search for references to payroll, human resources (HR), and finance. They then craft a seemingly legitimate email from the victim’s account to HR, requesting a direct deposit change. Since the email originates from the employee’s genuine address, HR often has no reason to suspect foul play. If HR complies with the request, the next paycheck is diverted to the attackers’ bank account instead of the victim’s.
To further conceal their actions, the attackers create inbox rules that silently filter any HR replies containing keywords like “bank” or “direct deposit” into a hidden folder, preventing the victim from seeing these communications and raising any alarms.
In instances where impersonation and social engineering did not yield results, Storm-2755 pivoted to directly manipulating HR software-as-a-service (SaaS) platforms such as Workday. In one documented incident, the attackers manually logged into Workday as the victim to alter banking information, leading to significant financial losses for the targeted employee.
Preventing Payroll Theft
This particular campaign has been focused on employees in Canada, but similar operations are being launched globally, targeting various sectors and organizations. Microsoft suggests implementing FIDO2/WebAuthn passkeys as a second authentication factor. These passkeys link authentication to the legitimate origin site, making them resistant to interception by AiTM proxies, unlike traditional push notifications or one-time passwords.
Moreover, organizations are encouraged to monitor for the presence of the Axios user-agent in sign-in logs, watch for non-interactive sign-ins to OfficeHome occurring every 30 minutes, and alert on newly created inbox rules that contain financial keywords. HR and payroll departments should also implement out-of-band verification methods, such as phone calls or in-person confirmations, for any requests regarding direct deposit changes.
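The three detections above, written out as an added example (not code from Microsoft or the source article): it runs over constructed sign-in and inbox-rule records whose field names are assumptions rather than an official log schema, and flags the Axios user agent, a user whose non-interactive OfficeHome sign-ins recur at roughly 30-minute intervals, and inbox rules keyed on financial terms.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped loosely like sign-in and inbox-rule audit
# entries; the field names are assumptions, not an official schema.
SIGNINS = [
    {"user": "alice@example.com", "time": "2024-05-01T09:00:00", "userAgent": "axios/1.7.9", "app": "OfficeHome", "interactive": False},
    {"user": "alice@example.com", "time": "2024-05-01T09:30:05", "userAgent": "axios/1.7.9", "app": "OfficeHome", "interactive": False},
    {"user": "alice@example.com", "time": "2024-05-01T10:00:02", "userAgent": "axios/1.7.9", "app": "OfficeHome", "interactive": False},
    {"user": "alice@example.com", "time": "2024-05-01T10:29:58", "userAgent": "axios/1.7.9", "app": "OfficeHome", "interactive": False},
    {"user": "bob@example.com",   "time": "2024-05-01T08:15:00", "userAgent": "Mozilla/5.0 (Windows NT 10.0)", "app": "OfficeHome", "interactive": True},
    {"user": "bob@example.com",   "time": "2024-05-01T13:40:00", "userAgent": "Mozilla/5.0 (Windows NT 10.0)", "app": "Outlook", "interactive": False},
]
RULES = [
    {"user": "alice@example.com", "name": ".", "contains": ["direct deposit", "bank"], "action": "MoveToFolder:RSS Subscriptions"},
    {"user": "bob@example.com", "name": "Newsletters", "contains": ["newsletter"], "action": "MoveToFolder:Reading"},
]
FINANCIAL_KEYWORDS = ("bank", "direct deposit", "payroll", "salary")

def axios_signins(events):
    """Sign-ins whose user agent identifies the Axios HTTP client."""
    return [e for e in events if "axios" in e["userAgent"].lower()]

def periodic_noninteractive(events, app="OfficeHome", period_min=30, tol_min=2, min_gaps=3):
    """Users with at least min_gaps consecutive non-interactive sign-ins to `app`
    spaced period_min (+/- tol_min) minutes apart, the cadence of a token being
    refreshed on a timer rather than by a person."""
    per_user = {}
    for e in events:
        if e["app"] == app and not e["interactive"]:
            per_user.setdefault(e["user"], []).append(datetime.fromisoformat(e["time"]))
    lo = timedelta(minutes=period_min - tol_min)
    hi = timedelta(minutes=period_min + tol_min)
    flagged = []
    for user, times in per_user.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if sum(lo <= g <= hi for g in gaps) >= min_gaps:
            flagged.append(user)
    return flagged

def suspicious_inbox_rules(rules, keywords=FINANCIAL_KEYWORDS):
    """Inbox rules whose match conditions contain a financial keyword."""
    return [r for r in rules
            if any(k in cond.lower() for cond in r["contains"] for k in keywords)]
```

The 30-minute window and the keyword list are tunable; in practice the rule-name check (single-character names like "." are a common tell) and the target folder would be added to the alert context.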
As cyber threats continue to evolve, it is crucial for both employees and organizations to remain vigilant against these sophisticated attacks that put personal and financial information at risk.
Source: Help Net Security News