securityonline.info 6/15/2026, 5:07:28 AM · external

Payroll Pirate Phishing Attack Hijacks Sessions to Steal Salaries

Primary Source: sra.io
Threat Actor: Storm-2755

The Payroll Pirate campaign targets corporate finance departments, focusing on stealing salary payments by compromising HR and payroll accounts. The attackers use sophisticated phishing tactics, including adversary-in-the-middle (AiTM) session hijacking, to bypass MFA and intercept user credentials. After gaining access, they conduct bulk reconnaissance through the Microsoft Graph API to harvest sensitive information without detection.

The infrastructure shows a split origin between US mobile networks and Canadian ISPs to obscure the attackers' location. Microsoft links this activity to threat groups Storm-2755 and Storm-2657. Recommended defenses include phishing-resistant authentication and tracking Graph audit telemetry.
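As an added illustration of the Graph telemetry tracking recommended above (not code from the article or its primary source), the sketch below groups Graph activity records by sign-in session and flags sessions that show a burst of reads or use from more than one IP address. The field names follow the MicrosoftGraphActivityLogs schema; the thresholds, the function names and the sample records are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def flag_sessions(records, window=timedelta(minutes=5), min_reads=20):
    """Flag sign-in sessions with bulk Graph reads or use from several IPs (thresholds assumed)."""
    by_session = defaultdict(list)
    for r in records:
        by_session[(r["UserId"], r["SignInActivityId"])].append(r)
    findings = []
    for (user, session), rows in by_session.items():
        rows.sort(key=lambda r: r["TimeGenerated"])
        reads = [r["TimeGenerated"] for r in rows if r["RequestMethod"] == "GET"]
        # Sliding window: largest number of GET requests inside any `window`-long span.
        peak, start = 0, 0
        for end, ts in enumerate(reads):
            while ts - reads[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        ips = sorted({r["IPAddress"] for r in rows})
        reasons = []
        if peak >= min_reads:
            reasons.append("bulk_reads")
        if len(ips) > 1:  # a signal to triage, not proof: legitimate users also change networks
            reasons.append("multiple_ips")
        if reasons:
            findings.append({"user": user, "session": session,
                             "peak_reads": peak, "ips": ips, "reasons": reasons})
    return findings

def sample_records():
    """Constructed sample data: documentation IP ranges and made-up identifiers."""
    t0 = datetime(2026, 1, 5, 9, 0, 0)
    def row(user, sess, ip, secs, uri):
        return {"TimeGenerated": t0 + timedelta(seconds=secs), "UserId": user,
                "SignInActivityId": sess, "IPAddress": ip,
                "RequestMethod": "GET", "RequestUri": uri}
    normal = [row("user-a", "sess-1", "192.0.2.10", i * 120, "/v1.0/me/messages") for i in range(6)]
    hijacked = [row("user-b", "sess-2", "198.51.100.7", 0, "/v1.0/me")]
    hijacked += [row("user-b", "sess-2", "203.0.113.44", 600 + i * 2, f"/v1.0/users/constructed-{i}")
                 for i in range(40)]
    return normal + hijacked

if __name__ == "__main__":
    for finding in flag_sessions(sample_records()):
        print(finding)
```

Keying on the sign-in session rather than the user alone is what lets a replayed session token stand out: the same session identifier appears from a second network and immediately starts enumerating directory objects.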


Article by CyberSIXT