Hackers Exploit Microsoft Graph to Target Payroll and HR Staff

Cybercriminals are leveraging Microsoft’s own cloud tools to infiltrate corporate networks, specifically targeting payroll and human resources (HR) personnel to reroute employee salaries into attacker-controlled accounts. This sophisticated campaign has been observed across various industries, including healthcare, food services, and manufacturing.

The attackers employ a method that avoids traditional malware or software vulnerabilities. Instead, they utilize adversary-in-the-middle (AiTM) phishing techniques to intercept active login sessions. By setting up phishing pages that mimic legitimate Microsoft 365 sign-in portals, they capture session tokens, allowing them to bypass multi-factor authentication and gain unauthorized access to user accounts without needing passwords.

Once inside a compromised Microsoft 365 account, the attackers exploit the Microsoft Graph API—a legitimate developer tool—to conduct reconnaissance. They execute bulk queries to identify users with job titles or display names containing keywords such as “payroll,” “HR,” “human resources,” “finance,” and “admin.” This process enables them to compile a list of staff members who have access to sensitive payroll information.

Security Risk Advisors (SRA) and BushidoToken Threat Intel have reported that this campaign, associated with threat clusters identified as Storm-2755 and Storm-2657, demonstrates a pattern where attackers blend seamlessly with normal network activity. By avoiding endpoint interactions, they evade detection by traditional Endpoint Detection and Response (EDR) solutions.

The Graph API queries observed in these attacks are methodical. Attackers initiate a bulk retrieval of all users using the endpoint `/v1.0/users?$top=999`, followed by filtered searches across fields like `displayName`, `jobTitle`, `mail`, and `userPrincipalName` for payroll-related terms. They utilize pagination with `$skiptoken` to systematically harvest every relevant result.

The tokens employed during this enumeration carry extensive delegated permissions, including `Directory.Read.All`, `Files.ReadWrite.All`, `Group.ReadWrite.All`, `Chat.ReadWrite`, and `User.ReadWrite`. This broad access not only facilitates data extraction but also raises the risk of establishing persistent access through OAuth applications that can survive password resets and token revocations.

Authentication traffic associated with these attacks originates from U.S. mobile carrier IP ranges, while Graph enumeration traffic traces back to Canadian residential ISPs. This pattern suggests the use of residential proxy infrastructure to mask the attackers’ activities.

Unremediated accounts continue to generate non-interactive sign-ins to Office 365 Exchange Online approximately every three hours, using the Firefox 131.0 user-agent and rotating token identifiers with each session. This indicates that attackers maintain persistent access long after the initial compromise.

To defend against such payroll diversion attacks, organizations should implement robust security measures, including:

  • Enhancing phishing detection and prevention mechanisms to identify and block AiTM phishing attempts.
  • Monitoring for unusual Graph API activity, such as bulk user enumeration or access to sensitive information.
  • Restricting OAuth application permissions to the minimum necessary and regularly reviewing consented applications.
  • Implementing conditional access policies that consider factors like device compliance and geographic location.
  • Educating employees, especially those in payroll and HR roles, about the risks of phishing and the importance of verifying unusual requests.
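A worked detection example for the second bullet, added here and not taken from SRA's or BushidoToken's reporting: it scans a constructed request log in a hypothetical "actor method url" format for the Graph patterns described above (bulk `/v1.0/users?$top=999` listing, `$skiptoken` paging, and `$filter`/`$search` expressions that pair `displayName`, `jobTitle`, `mail` or `userPrincipalName` with a payroll term) and flags actors that combine several of them. The log format, sample actors and indicator names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Keywords the campaign searches for in directory fields (from the report).
PAYROLL_TERMS = ("payroll", "hr", "human resources", "finance", "admin")
WATCHED_FIELDS = {"displayname", "jobtitle", "mail", "userprincipalname"}

# Constructed sample log in a hypothetical "actor method url" format.
SAMPLE_LOG = """\
alice@corp.example GET https://graph.microsoft.com/v1.0/me
mallory@corp.example GET https://graph.microsoft.com/v1.0/users?$top=999
mallory@corp.example GET https://graph.microsoft.com/v1.0/users?$top=999&$skiptoken=X%27ABC%27
mallory@corp.example GET https://graph.microsoft.com/v1.0/users?$filter=startswith(jobTitle,%27payroll%27)
mallory@corp.example GET https://graph.microsoft.com/v1.0/users?$search=%22displayName:HR%22
bob@corp.example GET https://graph.microsoft.com/v1.0/users/bob@corp.example
"""

def mentions_payroll_term(expr):
    """True when a $filter/$search expression names a watched field and a payroll term."""
    text = expr.lower()
    tokens = set(re.findall(r"[a-z]+", text))
    # Phrases match as substrings; single words must be whole tokens, so "chris" never trips "hr".
    term_hit = any((t in text) if " " in t else (t in tokens) for t in PAYROLL_TERMS)
    return bool(tokens & WATCHED_FIELDS) and term_hit

def classify_request(url):
    """Return the enumeration indicators present in one Graph request URL."""
    parts = urlsplit(url)
    indicators = set()
    if not re.fullmatch(r"/v1\.0/users/?", parts.path):
        return indicators  # per-user and non-directory calls are not enumeration
    query = parse_qs(parts.query)  # values arrive percent-decoded
    top = query.get("$top", ["0"])[0]
    if top.isdigit() and int(top) >= 999:
        indicators.add("bulk_top")
    if "$skiptoken" in query:
        indicators.add("paging")
    if any(mentions_payroll_term(e) for k in ("$filter", "$search") for e in query.get(k, [])):
        indicators.add("payroll_keyword")
    return indicators

def find_enumerators(log_text, min_indicators=2):
    """Union indicators per actor and flag actors showing at least min_indicators."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        actor, _method, url = line.split(maxsplit=2)
        seen[actor] |= classify_request(url)
    return {a: sorted(i) for a, i in seen.items() if len(i) >= min_indicators}
```

Running `find_enumerators(SAMPLE_LOG)` flags only the actor that combines bulk listing, paging and keyword filters; a single ordinary directory lookup scores nothing.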

This campaign underscores the evolving tactics of cybercriminals who exploit legitimate tools and services to achieve their objectives. Organizations must remain vigilant and adapt their security strategies to address these sophisticated threats.