
Poisoned “Office 365” Search Results Lead to Stolen Paychecks
Why It Matters
The scheme demonstrates how SEO poisoning combined with AiTM can silently hijack payroll processes, exposing organizations to direct financial loss and highlighting the need for stronger authentication and verification controls.
Key Takeaways
- Storm‑2755 poisons Office 365 search results to harvest credentials
- Attackers proxy authentication tokens, bypassing non‑phishing‑resistant MFA
- Compromised accounts email HR to change direct‑deposit banking details
- Inbox rules hide HR replies, preventing victim detection
- Microsoft advises FIDO2 passkeys and monitoring Axios user‑agent logs
Pulse Analysis
The campaign uncovered by Microsoft illustrates a growing use of search‑engine poisoning to lure employees into fake Microsoft 365 login portals. By purchasing malicious ads for generic queries such as “Office 365” or misspelled variants, the group Storm‑2755 directs traffic to a replica sign‑in page that captures credentials and, more importantly, relays the authentication token in real time. This technique, known as adversary‑in‑the‑middle (AiTM), lets attackers hold a live session without repeatedly prompting the user, making the intrusion virtually invisible. The operation has so far focused on Canadian workers, but the same playbook can be replicated worldwide.
Technical analysis shows Storm‑2755 leveraged version 1.7.9 of the Axios HTTP client to forward session tokens to its own infrastructure, effectively sidestepping non‑phishing‑resistant multi‑factor authentication. Once inside the mailbox, the adversaries scan for payroll‑related terms and craft emails that appear to come from the compromised employee, requesting a direct‑deposit change. To conceal the fraud, they create hidden inbox rules that filter any HR replies containing keywords like “bank” or “direct deposit.” In at least one case the group manually logged into Workday SaaS to alter banking information, resulting in a stolen paycheck.
Defending against such “payroll pirate” attacks requires both technical and procedural controls. Microsoft recommends replacing OTP‑based MFA with FIDO2/WebAuthn passkeys, which bind authentication to the legitimate Microsoft domain and cannot be intercepted by an AiTM proxy. Organizations should also monitor sign‑in logs for the Axios user‑agent, flag repetitive non‑interactive OfficeHome logins, and alert on newly created inbox rules that reference financial keywords. Finally, HR and payroll teams must adopt out‑of‑band verification—such as a phone call—before processing any direct‑deposit modifications, adding a human checkpoint that thwarts automated fraud.
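The three log‑based checks described above (Axios user‑agent, repetitive non‑interactive OfficeHome sign‑ins, and financial‑keyword inbox rules), written here as an added Python example over constructed sample events; this is not Microsoft's or the article's code, and the field names and the "axios/1.7.9" user‑agent string are assumptions.

```python
from collections import Counter

# Constructed sample sign-in events (not real telemetry). Field names are
# assumptions loosely modelled on Entra ID sign-in log columns.
SIGNINS = [
    {"user": "alice@example.com", "app": "OfficeHome", "interactive": False,
     "ua": "axios/1.7.9", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "app": "OfficeHome", "interactive": False,
     "ua": "axios/1.7.9", "ip": "203.0.113.10"},
    {"user": "alice@example.com", "app": "OfficeHome", "interactive": False,
     "ua": "axios/1.7.9", "ip": "203.0.113.10"},
    {"user": "bob@example.com", "app": "OfficeHome", "interactive": True,
     "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/124.0", "ip": "198.51.100.7"},
]

# Constructed inbox-rule creation events; the first mimics the hiding rule
# described in the article, the second is a benign filter.
INBOX_RULES = [
    {"user": "alice@example.com", "name": ".", "subject_or_body_contains":
     ["bank", "direct deposit"], "action": "MoveToFolder:RSS Subscriptions"},
    {"user": "bob@example.com", "name": "News", "subject_or_body_contains":
     ["newsletter"], "action": "MoveToFolder:Reading"},
]

FINANCIAL_KEYWORDS = ("bank", "direct deposit", "payroll", "paycheck")
HIDING_ACTIONS = ("MoveToFolder", "Delete", "MarkAsRead")

def axios_signins(events):
    """Sign-ins whose user agent is the Axios HTTP client (the AiTM relay)."""
    return [e for e in events if e["ua"].lower().startswith("axios/")]

def repetitive_noninteractive_officehome(events, threshold=3):
    """(user, ip) pairs with >= threshold non-interactive OfficeHome sign-ins."""
    counts = Counter((e["user"], e["ip"]) for e in events
                     if e["app"] == "OfficeHome" and not e["interactive"])
    return sorted(k for k, n in counts.items() if n >= threshold)

def suspicious_inbox_rules(rules):
    """Rules that match financial keywords and divert or suppress the message."""
    hits = []
    for r in rules:
        text = " ".join(r["subject_or_body_contains"]).lower()
        if (any(k in text for k in FINANCIAL_KEYWORDS)
                and r["action"].split(":")[0] in HIDING_ACTIONS):
            hits.append(r)
    return hits
```

Each function returns the matching events so they can be fed to an alerting pipeline; in production the threshold and keyword list would be tuned to the organization's baseline.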