Storm-2755 "Payroll Pirate" AiTM hybrid — email to EMPLOYEES (not HR) asking them to sign in to Microsoft 365 / Workday and "update direct deposit" / "confirm bank account" / "re-enroll in payroll" via a SEO-poisoned landing page hosted on a non-Microsoft / non-Workday domain. Landing page is an AiTM proxy that steals SSO session cookies; attackers then log in to Workday and redirect the paycheck. Distinct from HR-side payroll-BEC. Microsoft Security Blog Apr 9 2026 (Canadian variant); Oct 9 2025 Storm-2657 US-universities variant

Sophisticated AiTM hybrid that Microsoft named Storm-2755 (Canadian variant, April 2026) and Storm-2657 (U.S.-universities variant, October 2025). An email lands in an employee's inbox asking them to sign in to Microsoft 365 or Workday to "update direct deposit," "confirm bank account," or "re-enroll in payroll." The link is a SEO-poisoned landing page that looks like the Microsoft 365 or Workday sign-in screen but is hosted on a non-Microsoft / non-Workday domain. The landing page is an adversary-in-the-middle proxy that captures the session cookie; the attacker then logs in to the real Workday as the employee and changes the direct-deposit bank account to an attacker-controlled account, redirecting the paycheck. This is distinct from HR-side payroll-BEC signals (which attack HR / Finance with a forged "employee requesting a change" email) — Storm-2755 attacks the employee directly with a credential-harvesting landing page. Microsoft Security Blog published detailed forensics in both April 9 2026 and October 9 2025 posts; Help Net Security, Okta Threat Intelligence, and GBHackers covered follow-on campaigns. Warning signs: any email instructing you to sign in to Microsoft 365 or Workday to update banking information where the sign-in link is hosted anywhere other than `login.microsoftonline.com` or `<yourtenant>.workday.com`. Go directly to your real Workday via a bookmarked URL or internal SSO instead.