
SEO‑Poisoned Office 365 Search Results Enable Payroll Theft from Canadian Employees

A Microsoft‑tracked group (Storm‑2755) poisoned Office 365 search results, harvested credentials through a fake login page, and used adversary‑in‑the‑middle (AiTM) attacks to send fraudulent payroll‑change emails, diverting employee paychecks to attacker‑controlled accounts. The campaign highlights weaknesses in MFA and payroll‑process verification.

🛡️ LiveThreat™ Intelligence · 📅 April 10, 2026· 📰 helpnetsecurity.com
Severity: High
Type: Breach
Confidence: High
Affected: 1 sector(s)
Actions: 4 recommended
Source: helpnetsecurity.com


What Happened – A financially‑motivated group tracked by Microsoft as Storm‑2755 poisoned search‑engine results and placed malicious ads for “Office 365” (including misspellings). Victims who clicked were taken to a fake Microsoft 365 login page that harvested credentials and performed an adversary‑in‑the‑middle (AiTM) attack, allowing the attackers to hijack the authenticated session, modify mailbox rules, and send fraudulent payroll‑change requests that redirected employee paychecks to attacker‑controlled accounts.

Why It Matters for TPRM

  • Credential‑theft attacks on cloud productivity suites can be leveraged to compromise downstream SaaS (e.g., Workday) and steal funds.
  • The technique bypasses non‑phishing‑resistant MFA, exposing gaps in multi‑factor controls.
  • Payroll‑related social engineering creates direct financial loss, a risk that extends beyond data confidentiality.

Who Is Affected – Organizations that use Microsoft 365 (or similar cloud‑based email/collaboration platforms) and integrate with payroll or HR SaaS such as Workday, across any industry but with a notable focus on Canadian enterprises.

Recommended Actions

  • Verify that MFA solutions are phishing‑resistant (e.g., FIDO2, hardware tokens).
  • Enforce strict email‑origin verification for payroll change requests (e.g., digital signatures, out‑of‑band confirmation).
  • Monitor for anomalous inbox rules and unusual login locations.
  • Conduct regular phishing‑simulation training that includes SEO‑poisoning scenarios.

Technical Notes – The attackers used SEO poisoning, malvertising, and a fake Microsoft 365 login page to harvest credentials. They leveraged version 1.7.9 of the Axios HTTP client to relay authentication tokens, enabling an AiTM session that bypassed MFA. Compromised mailboxes were used to search for payroll‑related keywords, create hidden inbox rules, and send spoofed HR emails. In some cases, the group directly logged into SaaS payroll platforms (e.g., Workday) to alter banking details. Source: Help Net Security
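The "monitor for anomalous inbox rules" action above and the hidden, payroll‑keyed rules described in the Technical Notes can be checked mechanically against the Office 365 Unified Audit Log. The script below is an added example written for this brief, not code from Help Net Security or Microsoft; the four audit records are constructed for illustration (their field layout follows the Exchange mailbox‑operation export: `Operation`, `UserId`, `ClientIP`, and a `Parameters` list of name/value pairs), and the hiding‑folder list, keyword list and scoring weights are assumptions to tune locally.

```python
"""Score Exchange Online inbox-rule audit events for payroll-theft tradecraft.

Added defensive example. Audit records are constructed; field names follow
the Unified Audit Log shape for New-InboxRule / Set-InboxRule events.
"""
import json
from dataclasses import dataclass

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}

# Folders commonly used to park diverted mail out of sight (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items",
                  "archive", "junk email", "conversation history"}
# Keywords matching the payroll-change lure described in the brief.
PAYROLL_KEYWORDS = ("payroll", "direct deposit", "bank", "paycheck", "wire", "invoice")
# Rule names that carry no meaning are a weak signal of a throwaway rule.
THROWAWAY_NAMES = {"", ".", ",", "..", "a"}


@dataclass
class Finding:
    user: str
    client_ip: str
    operation: str
    score: int
    reasons: list


def _params(record: dict) -> dict:
    """Flatten the Parameters list into {Name: Value}; values are strings in the export."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def score_rule(record: dict):
    """Return a Finding for a rule-creation/modification event, or None if benign."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    p = _params(record)
    score, reasons = 0, []

    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        score += 3
        reasons.append(f"moves mail to hidden folder '{p['MoveToFolder']}'")
    if p.get("DeleteMessage", "").lower() == "true":
        score += 3
        reasons.append("deletes matching mail")
    if p.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("marks matching mail as read")
    for fwd in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if p.get(fwd):
            score += 3
            reasons.append(f"{fwd} -> {p[fwd]}")

    # Conditions the rule filters on: subject/body words and sender.
    text = " ".join(p.get(k, "") for k in (
        "SubjectContainsWords", "BodyContainsWords",
        "SubjectOrBodyContainsWords", "From")).lower()
    hits = [kw for kw in PAYROLL_KEYWORDS if kw in text]
    if hits:
        score += 2
        reasons.append(f"filters on payroll keywords {hits}")
    if p.get("Name", "").strip() in THROWAWAY_NAMES:
        score += 1
        reasons.append("rule has an empty or throwaway name")

    if score == 0:
        return None
    return Finding(record.get("UserId", "?"), record.get("ClientIP", "?"),
                   record["Operation"], score, reasons)


def scan(lines, threshold: int = 3):
    """Scan JSON-lines audit export; return findings at or above threshold."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        f = score_rule(json.loads(line))
        if f and f.score >= threshold:
            findings.append(f)
    return findings


# Constructed sample export: one hiding rule, one benign rule, one external
# forward keyed on bank details, and one unrelated mailbox event.
SAMPLE_LOG = """
{"Operation":"New-InboxRule","UserId":"a.employee@corp.example","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"payroll;direct deposit"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"b.employee@corp.example","ClientIP":"198.51.100.4","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"Operation":"Set-InboxRule","UserId":"c.employee@corp.example","ClientIP":"203.0.113.9","Parameters":[{"Name":"Name","Value":"hr"},{"Name":"SubjectContainsWords","Value":"bank details"},{"Name":"ForwardTo","Value":"hr-updates@attacker.example"}]}
{"Operation":"MailItemsAccessed","UserId":"b.employee@corp.example","ClientIP":"198.51.100.4","Parameters":[]}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.score}] {f.user} via {f.client_ip} ({f.operation}): " + "; ".join(f.reasons))
```

Run it over an export from the audit log search (or the `Search-UnifiedAuditLog` cmdlet output converted to JSON lines) and pair any high‑scoring rule with the `ClientIP` and sign‑in location for that user, which is the "unusual login locations" half of the recommended action.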

📰 Original Source
https://www.helpnetsecurity.com/2026/04/10/poisoned-office-365-search-results-lead-to-stolen-paychecks/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
