ZCyberNews
Threat Intel · High · 3 min read · Storm-2755

Canadian Payroll Phishing Campaign Exploits Office 365 Search Poisoning

A financially motivated group is hijacking Office 365 search results to steal employee paychecks via phishing and account takeover.

Indicators of Compromise (3)

Type     Value                                               Description   Confidence
Domain   secure-login-microsoft[.]online                     -             -
Domain   office365-secure-auth[.]com                         -             -
URL      http://secure-login-microsoft[.]online/login.php    -             -

Executive Summary

A financially motivated threat actor tracked as Storm-2755 is leveraging poisoned search engine results and malvertising to target Canadian employees, ultimately aiming to reroute payroll deposits to attacker-controlled accounts, according to Microsoft researchers.

Technical Analysis

The campaign exploits users' trust in Microsoft services by manipulating search engine optimization (SEO) so that malicious domains mimicking legitimate Office 365 authentication portals rank prominently. These domains host credential-harvesting pages disguised as legitimate login interfaces, tricking users into entering their account credentials. Once obtained, attackers use these credentials in adversary-in-the-middle (AiTM) attacks against the internal HR systems where payroll configurations are managed.

Initial compromise occurs through search queries such as "Office 365 login" or similar terms, which return poisoned organic results or sponsored ads directing victims to attacker-controlled websites such as secure-login-microsoft[.]online. These sites collect usernames, passwords, and sometimes multi-factor authentication tokens via JavaScript-based keystroke logging or form-capture mechanisms.

Post-compromise activities involve accessing email accounts to identify payroll-related communications, followed by social engineering attempts aimed at HR staff responsible for processing direct deposit changes. In some cases, attackers impersonate executives requesting urgent modifications to employee banking details.

Indicators of Compromise

  • Domain: secure-login-microsoft[.]online
  • Domain: office365-secure-auth[.]com
  • URL: http://secure-login-microsoft[.]online/login.php

Additional suspicious domains were observed but could not be confirmed because takedown efforts are ongoing; no indicators beyond those listed above have been identified at this time.

Tactics, Techniques & Procedures

  • Initial access via SEO poisoning and malvertising, leading to phishing pages mimicking Office 365 logins (T1190).
  • Credential harvesting using fake authentication forms and potential front-end input capture (T1056.002).
  • Post-access reconnaissance within corporate email environments to locate HR departments and payroll workflows.
  • Social engineering tactics including forged executive emails requesting banking information updates (T1566).

The group demonstrates moderate operational security, rotating domain names frequently and hosting infrastructure across multiple cloud providers.

Threat Actor Context

Microsoft attributes this activity to a cluster it designates as Storm-2755, characterized by financially motivated objectives with a focus on payroll fraud. The group has been active since early 2025 and primarily targets organizations based in Canada, though broader English-speaking regions may also be affected.

There is currently no known link to state-sponsored activity; instead, behavior aligns with cybercrime-for-hire models or independent financially driven actors operating at scale.

Mitigations & Recommendations

Organizations should implement robust anti-phishing training programs emphasizing verification of URLs before entering sensitive credentials. Enforcing multi-factor authentication (MFA) can mitigate some risks, although advanced phishing kits increasingly attempt to capture session cookies post-authentication.

Administrative controls over payroll functions should require dual approval processes involving both IT and finance teams. Regular audits of banking records linked to payroll systems could help detect unauthorized changes earlier.
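The dual-approval and audit controls described above can be checked mechanically against an export of direct-deposit changes. The following is an added example for this article, not code from ZCyberNews or Microsoft: the change records are constructed sample data, and the field names, the HR-plus-finance dual-approval rule, the business-hours window and the seven-day correlation window are assumptions a team would tune to its own HR system. It goes slightly beyond the text by also correlating changes that share a destination account or a submitting IP address, which is the pattern payroll diversion leaves when several employees are redirected at once.

```python
"""Audit direct-deposit changes in a payroll system for diversion patterns.

Added example for this article, not code from ZCyberNews or Microsoft. The
change records are constructed sample data; the field names, the
HR-plus-finance dual-approval rule, the business-hours window and the
correlation window are assumptions a team would tune to its own HR system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one record per direct-deposit change exported from HR.
SAMPLE_CHANGES = [
    {"employee": "e1001", "ts": "2025-03-03T09:12:00", "new_account": "CA-0001-1111",
     "requested_via": "self_service", "approvers": ["hr.jane", "fin.mark"], "src_ip": "10.20.1.15"},
    {"employee": "e1002", "ts": "2025-03-04T22:47:00", "new_account": "CA-0009-9999",
     "requested_via": "email", "approvers": ["hr.jane"], "src_ip": "203.0.113.7"},
    {"employee": "e1003", "ts": "2025-03-04T23:02:00", "new_account": "CA-0009-9999",
     "requested_via": "email", "approvers": ["hr.jane"], "src_ip": "203.0.113.7"},
    {"employee": "e1004", "ts": "2025-03-05T01:15:00", "new_account": "CA-0009-9999",
     "requested_via": "self_service", "approvers": [], "src_ip": "203.0.113.7"},
]


def _when(change: dict) -> datetime:
    return datetime.fromisoformat(change["ts"])


def has_dual_approval(change: dict) -> bool:
    """Assumed policy: at least one HR approver and one finance approver."""
    teams = {name.split(".", 1)[0] for name in change.get("approvers", [])}
    return {"hr", "fin"} <= teams


def shared_destinations(changes, window_days: int = 7) -> dict:
    """Map account -> set of employees redirected to it within the window.

    Several employees' pay landing in one new account is the strongest
    single signal of payroll diversion, whatever the request channel."""
    by_account = defaultdict(list)
    for c in changes:
        by_account[c["new_account"]].append(c)
    shared = {}
    for account, rows in by_account.items():
        employees = {r["employee"] for r in rows}
        if len(employees) < 2:
            continue
        times = sorted(_when(r) for r in rows)
        if times[-1] - times[0] <= timedelta(days=window_days):
            shared[account] = employees
    return shared


def shared_source_ips(changes) -> set:
    """Source IPs from which more than one employee's change was submitted."""
    by_ip = defaultdict(set)
    for c in changes:
        by_ip[c["src_ip"]].add(c["employee"])
    return {ip for ip, emps in by_ip.items() if len(emps) > 1}


def audit_changes(changes, window_days: int = 7, business_hours=(7, 19)) -> dict:
    """Return {employee: sorted finding names} for every change that trips a rule."""
    shared_accounts = shared_destinations(changes, window_days)
    shared_ips = shared_source_ips(changes)
    findings = {}
    for c in changes:
        hits = []
        if not has_dual_approval(c):
            hits.append("missing_dual_approval")
        if c["new_account"] in shared_accounts:
            hits.append("shared_destination")
        if c["src_ip"] in shared_ips:
            hits.append("shared_source_ip")
        if not business_hours[0] <= _when(c).hour < business_hours[1]:
            hits.append("off_hours")
        # A change requested by email rather than through the authenticated
        # self-service portal matches the HR social-engineering path above.
        if c.get("requested_via") != "self_service":
            hits.append("out_of_band_request")
        if hits:
            findings[c["employee"]] = sorted(hits)
    return findings


if __name__ == "__main__":
    for employee, hits in audit_changes(SAMPLE_CHANGES).items():
        print(employee, ", ".join(hits))
```

Run against the sample, employee e1001 (portal request, HR and finance approval, business hours, unique account) produces no findings, while the three changes pointing at CA-0009-9999 are each flagged on several rules. Any single rule can fire on legitimate activity; the shared-destination and shared-source-IP findings are the ones worth paging on.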

Blocking known malicious domains at network boundaries and deploying browser isolation technologies may reduce exposure. Consider monitoring for typosquatting domains programmatically via certificate transparency feeds and WHOIS analysis.
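Two of the controls above, matching traffic against the published indicators and watching certificate-transparency feeds for lookalike domains, are small enough to show end to end. The following is an added example for this article, not code from ZCyberNews or Microsoft. The IoC values are the ones listed in the Indicators of Compromise section; the proxy log lines, the certificate-transparency sample, the brand and lure term lists and the allowlist of legitimate Microsoft domains are constructed assumptions, and the registered-domain helper is deliberately crude (last two labels, no public-suffix list).

```python
"""Match web-proxy log lines against the published IoCs and score candidate
lookalike domains from a certificate-transparency feed.

Added example for this article, not code from ZCyberNews or Microsoft. The
IoC values are the ones the article lists; the proxy log lines, the CT-feed
sample, the brand/lure term lists and the allowlist are constructed
assumptions.
"""
import re
from urllib.parse import urlparse

# Indicators exactly as published (defanged).
IOCS = [
    "secure-login-microsoft[.]online",
    "office365-secure-auth[.]com",
    "http://secure-login-microsoft[.]online/login.php",
]


def refang(value: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def ioc_hosts(iocs=IOCS) -> set:
    """Normalise every IoC (domain or URL) to a lowercase bare hostname."""
    hosts = set()
    for ioc in iocs:
        value = refang(ioc)
        if "://" in value:
            value = urlparse(value).hostname or ""
        hosts.add(value.lower().rstrip("."))
    return hosts


# Constructed proxy log lines: "<epoch> <client-ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
1741000001.123 10.20.1.15 GET https://login.microsoftonline.com/common/oauth2 200
1741000002.456 10.20.1.22 GET http://secure-login-microsoft.online/login.php 200
1741000003.789 10.20.1.22 POST http://secure-login-microsoft.online/login.php 302
1741000004.000 10.20.1.31 GET https://www.office.com/ 200
1741000005.000 10.20.1.40 GET https://office365-secure-auth.com/auth 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)"
)


def match_proxy_log(log_text: str, iocs=IOCS) -> list:
    """Return (client, host, method) for every request whose host is an IoC.

    A POST to the phishing page is the event that matters most: it is the
    moment credentials were most likely submitted, so that client's user
    needs a credential reset and session revocation."""
    bad = ioc_hosts(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = (urlparse(m["url"]).hostname or "").lower()
        if host in bad:
            hits.append((m["client"], host, m["method"]))
    return hits


# Assumed term lists and allowlist of registered domains Microsoft actually uses.
BRAND_TERMS = ("microsoft", "office365", "office", "outlook", "o365")
LURE_TERMS = ("login", "secure", "auth", "signin", "verify")
ALLOWLIST = {"microsoftonline.com", "microsoft.com", "office.com", "outlook.com", "live.com"}


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); assumes no multi-label public suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_score(host: str, allowlist=ALLOWLIST) -> int:
    """0 for an allowlisted domain; otherwise +1 per signal (max 3): a brand
    term, a brand term glued to other words with hyphens, and a lure term."""
    host = host.lower().rstrip(".")
    if registered_domain(host) in allowlist:
        return 0
    score = 0
    if any(t in host for t in BRAND_TERMS):
        score += 1
        if any("-" in lbl and any(t in lbl for t in BRAND_TERMS) for lbl in host.split(".")):
            score += 1
    if any(t in host for t in LURE_TERMS):
        score += 1
    return score


# Constructed stand-in for hostnames pulled from a certificate-transparency feed.
SAMPLE_CT_FEED = [
    "login.microsoftonline.com",
    "secure-login-microsoft.online",
    "office365-secure-auth.com",
    "mail.contoso-corp.example",
    "officeverify.net",
]


def flag_ct_feed(hosts, threshold: int = 2) -> dict:
    """Return {host: score} for feed entries scoring at or above the threshold."""
    flagged = {}
    for host in hosts:
        score = lookalike_score(host)
        if score >= threshold:
            flagged[host] = score
    return flagged


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print("IoC hit:", hit)
    for host, score in flag_ct_feed(SAMPLE_CT_FEED).items():
        print(f"review lookalike: {host} (score {score})")
```

The scoring is intentionally a triage heuristic rather than a verdict: a score of 2 or 3 should route the hostname to an analyst for WHOIS review and, if confirmed, into the boundary blocklist that the IoC matcher reads. The proxy matcher keeps the HTTP method so that a GET (page viewed) can be handled differently from a POST (credentials likely submitted).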
