Hackers are using Microsoft’s own cloud tools to quietly hunt down payroll and HR staff inside corporate networks, then reroute employee salaries to accounts they control. Security teams are racing to respond as the campaign continues to spread across industries and borders.
The attack method is deceptively clean. Instead of planting malware or exploiting software bugs, the threat actors steal active login sessions through adversary-in-the-middle (AiTM) phishing pages: a look-alike Microsoft 365 sign-in portal that proxies the victim's login to the real service and captures the resulting session.
Once the stolen session token is captured, the attacker replays it to bypass multi-factor authentication entirely, slipping into the account without ever needing the user’s password again.
Security Risk Advisors (SRA) and BushidoToken Threat Intel said in a report shared with Cyber Security News (CSN) that abuse of legitimate tooling continues to blur the line between normal activity and active intrusion, a pattern that fits this campaign almost perfectly.
The attackers never touch an endpoint, leaving traditional EDR solutions with almost nothing to detect or alert on.
Once inside a compromised Microsoft 365 account, the attacker pivots to the Microsoft Graph API, a legitimate developer tool used to query directory information.
From there, they run bulk queries searching for users whose job titles or display names contain keywords like payroll, hr, human, resources, finance, and admin.
The entire directory scan can be completed within minutes, handing the attacker a clean list of the exact staff they need to target.
The campaign, linked to clusters Microsoft tracks as Storm-2755 and Storm-2657, has been observed across healthcare, food services, and manufacturing environments.
The end goal in every case is the same: redirect an employee’s direct deposit to an attacker-controlled bank account, often by contacting HR directly or by modifying settings in HR platforms like Workday.
Hackers Use Microsoft Graph Reconnaissance
The Graph queries observed across compromised environments were nearly identical. Attackers started with a bulk pull of all users using the endpoint /v1.0/users?$top=999, then ran chained search filters across fields like displayName, jobTitle, mail, and userPrincipalName for payroll-related terms, paginated using $skiptoken to harvest every result in bulk.
The tokens used during this enumeration carried broad delegated permissions including Directory.Read.All, Files.ReadWrite.All, Group.ReadWrite.All, Chat.ReadWrite, and User.ReadWrite.
This gave attackers far more access than a simple directory lookup, raising the risk of OAuth-based persistence through consented applications that can survive password resets and token revocations.
Authentication traffic came from US mobile carrier IP ranges, while Graph enumeration traffic traced back to Canadian residential ISPs, a split consistent with residential proxy infrastructure used to mask the operation.
Unremediated accounts were still generating non-interactive sign-ins to Office 365 Exchange Online roughly every three hours, using the Firefox 131.0 user-agent and rotating token identifiers with each session, meaning attackers maintained persistent access long after the initial compromise.
Defending Against Payroll Piracy Attacks
Detection for this campaign depends almost entirely on Microsoft Entra sign-in telemetry and Microsoft Graph activity logs, since no malware or endpoint footprint is left behind.
SRA strongly recommends enabling Microsoft Graph activity logging and forwarding those logs to a SIEM or security data lake as the single most impactful step any organization can take right now.
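As an added example (not code from the SRA/BushidoToken report or from Microsoft), the following Python sketches the hunt a defender could run over Graph activity logs once they are forwarded to a SIEM or data lake: it flags an identity/IP pair that issues a burst of /users queries combining the $top=999 bulk pull, role-keyword filters and $skiptoken pagination described above. The log field names and the sample records are assumed and constructed for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Role keywords the report says the attackers filtered on, matched as whole
# words inside $filter/$search values so "hr" does not fire on "three".
ROLE_RE = re.compile(r"\b(payroll|hr|human|resources|finance|admin)\b", re.I)
# Constructed sample of Graph activity log records (NDJSON), not real telemetry.
SAMPLE_LOG = """\
{"TimeGenerated":"2025-01-14T13:02:11Z","UserId":"u-1","IPAddress":"203.0.113.5","RequestUri":"https://graph.microsoft.com/v1.0/users?$top=999"}
{"TimeGenerated":"2025-01-14T13:02:40Z","UserId":"u-1","IPAddress":"203.0.113.5","RequestUri":"https://graph.microsoft.com/v1.0/users?$filter=startswith(jobTitle,'payroll')&$top=999"}
{"TimeGenerated":"2025-01-14T13:03:05Z","UserId":"u-1","IPAddress":"203.0.113.5","RequestUri":"https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'hr')&$top=999&$skiptoken=X%27abc%27"}
{"TimeGenerated":"2025-01-14T13:03:30Z","UserId":"u-1","IPAddress":"203.0.113.5","RequestUri":"https://graph.microsoft.com/v1.0/users?$filter=startswith(jobTitle,'finance')&$top=999"}
{"TimeGenerated":"2025-01-14T09:16:00Z","UserId":"u-2","IPAddress":"198.51.100.9","RequestUri":"https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'Alice')"}
"""

def classify_request(uri):
    """For a /users request: was it bulk ($top=999), role-keyworded, paginated? Else None."""
    parsed = urlparse(uri)
    if not parsed.path.rstrip("/").endswith("/users"):
        return None
    qs = parse_qs(parsed.query)  # percent-decodes values for us
    top = int(qs.get("$top", ["0"])[0] or 0)
    hit = ROLE_RE.search(" ".join(qs.get("$filter", []) + qs.get("$search", [])))
    return {"bulk": top >= 999, "keyword": hit.group(1).lower() if hit else None,
            "paginated": "$skiptoken" in qs}

def find_recon(ndjson, window=timedelta(minutes=10), min_requests=3):
    """Alert per (user, ip) on a burst of /users enumeration mixing a bulk pull with role-keyword filters."""
    buckets = defaultdict(list)
    for line in filter(str.strip, ndjson.splitlines()):
        rec = json.loads(line)
        info = classify_request(rec["RequestUri"])
        if info:
            ts = datetime.fromisoformat(rec["TimeGenerated"].replace("Z", "+00:00"))
            buckets[(rec["UserId"], rec["IPAddress"])].append((ts, info))
    alerts = []
    for (user, ip), events in buckets.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            burst = [e for t, e in events[i:] if t - start <= window]
            kws = sorted({e["keyword"] for e in burst if e["keyword"]})
            if len(burst) >= min_requests and kws and any(e["bulk"] for e in burst):
                alerts.append({"user": user, "ip": ip, "requests": len(burst), "keywords": kws,
                               "paginated": any(e["paginated"] for e in burst)})
                break  # one alert per identity/IP pair
    return alerts
```

Thresholds such as the ten-minute window and three-request minimum are tuning choices; legitimate admin tooling that pages through /users with $top=999 but never filters on role keywords does not trip the rule.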
On the authentication side, deploying phishing-resistant MFA using FIDO2 security keys, Windows Hello for Business, or certificate-based authentication is critical.
Standard authenticator app push notifications and SMS codes offer no protection against AiTM token theft. Conditional Access policies should be configured to require compliant or hybrid-joined devices and enable continuous access evaluation to cut off replayed tokens in near real time.
For organizations already dealing with compromised accounts, remediation must be thorough.
Revoking sessions and refresh tokens through the Entra Admin Center, resetting credentials, re-registering MFA methods, and auditing all enterprise application consent grants are required steps.
Any direct deposit or payroll changes made during the compromise window must also be reviewed and reversed. HR teams should treat any payroll change request as suspect until verified through an out-of-band channel.
Indicators of Compromise
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Hackers Use Microsoft Graph Reconnaissance to Target Payroll and HR Employees appeared first on Cyber Security News.