A newly uncovered campaign by the threat actor Storm-2755 is shedding light on how cybercriminals are evolving beyond traditional phishing tactics to execute highly targeted financial fraud. Tracked by Microsoft’s Detection and Response Team (DART), this operation focuses on quietly redirecting employee salaries by hijacking active login sessions rather than simply stealing passwords. What makes this campaign particularly concerning is its precise targeting of Canadian organizations, regardless of industry, as long as employees can be tricked into engaging with malicious login pages.

The attack begins subtly, using SEO poisoning and malicious advertisements to push a fake domain to the top of search results for commonly used terms like “Office 365.” Unsuspecting users who click on these links are redirected to a near-perfect replica of a Microsoft 365 login page. However, behind the scenes, this page operates as an adversary-in-the-middle setup, intercepting communication between the user and the legitimate service. This allows attackers to capture not only login credentials but also live session tokens, which are far more valuable because they grant immediate access without raising suspicion.

What distinguishes this campaign is its reliance on session hijacking rather than repeated login attempts. Once attackers obtain valid session tokens, they can access accounts without triggering additional authentication checks, effectively bypassing traditional multi-factor authentication methods that are not designed to resist phishing. The activity leaves behind a unique pattern in sign-in logs, where failed login attempts are followed by a sudden successful session tied to a different user-agent, indicating token reuse instead of a genuine login.
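The sign-in pattern described above, written out as a detection over a few constructed sign-in records. This is an added example, not part of the original article or of Microsoft's guidance; the record field names, the 15-minute window and the failure threshold are assumptions, and real Entra ID sign-in logs would need to be mapped onto these names.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data). Alice shows the pattern from
# the article: a burst of failures from one browser, then a success from a different
# user agent and address, which is what reuse of a stolen session token looks like.
# Bob is a normal mistyped password followed by a success from the same browser.
SAMPLE_SIGNINS = [
    {"user": "alice@example.ca", "time": "2024-05-06T08:00:05", "success": False,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "ip": "203.0.113.10"},
    {"user": "alice@example.ca", "time": "2024-05-06T08:00:41", "success": False,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "ip": "203.0.113.10"},
    {"user": "alice@example.ca", "time": "2024-05-06T08:03:12", "success": True,
     "user_agent": "python-requests/2.31", "ip": "198.51.100.7"},
    {"user": "bob@example.ca", "time": "2024-05-06T09:10:00", "success": False,
     "user_agent": "Mozilla/5.0 (Macintosh) Safari/17.4", "ip": "192.0.2.5"},
    {"user": "bob@example.ca", "time": "2024-05-06T09:10:30", "success": True,
     "user_agent": "Mozilla/5.0 (Macintosh) Safari/17.4", "ip": "192.0.2.5"},
]

def find_token_reuse(signins, window=timedelta(minutes=15), min_failures=2):
    """Return one alert per successful sign-in that follows at least `min_failures`
    failed attempts within `window` and arrives from a user agent none of those
    failures used. Window and threshold are assumed tuning values."""
    by_user = {}
    for rec in signins:
        by_user.setdefault(rec["user"], []).append(rec)
    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["time"])  # ISO-8601 strings sort chronologically
        for i, rec in enumerate(recs):
            if not rec["success"]:
                continue
            t_ok = datetime.fromisoformat(rec["time"])
            recent_fails = [r for r in recs[:i] if not r["success"]
                            and t_ok - datetime.fromisoformat(r["time"]) <= window]
            failed_agents = {r["user_agent"] for r in recent_fails}
            if len(recent_fails) >= min_failures and rec["user_agent"] not in failed_agents:
                alerts.append({"user": user, "time": rec["time"],
                               "failed_agents": sorted(failed_agents),
                               "success_agent": rec["user_agent"],
                               "success_ip": rec["ip"]})
    return alerts

if __name__ == "__main__":
    for a in find_token_reuse(SAMPLE_SIGNINS):
        print(f"{a['user']} {a['time']}: failures via {a['failed_agents']}, "
              f"then success via {a['success_agent']} from {a['success_ip']}")
```

In production the user agent of the success should also be compared against the user's established devices, not only against the failed attempts, and the threshold tuned so ordinary password typos do not fire the rule.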

To maintain control, the attackers quietly keep sessions alive by periodically refreshing access in the background, sometimes for weeks. This persistence allows them to monitor accounts and make strategic changes, such as altering payroll or direct deposit details, without alerting the user. Instead of deploying malware or creating obvious disruptions, the campaign prioritizes stealth, making detection significantly more challenging for security teams.

The broader implication of this attack is a shift in how financial cybercrime is executed. Rather than relying on brute force or credential theft alone, attackers are exploiting the trust built into modern authentication systems, particularly session-based access. This highlights the urgent need for organizations to rethink identity security, focusing on stronger authentication methods that cannot be easily intercepted or reused, along with tighter session controls and real-time monitoring.

As campaigns like Storm-2755 continue to evolve, they serve as a reminder that even advanced security measures can be undermined if attackers find ways to exploit the gaps between authentication and session management.
