Hackers Use Microsoft Graph Reconnaissance to Target Payroll and HR Employees
By Tushar Subhra Dutta
June 15, 2026
Hackers are using Microsoft’s own cloud tools to quietly hunt down payroll and HR staff inside corporate networks, then reroute employee salaries to accounts they control. Security teams are racing to respond as the campaign continues to spread across industries and borders.
The attack method is deceptively clean. Instead of planting malware or exploiting software bugs, the threat actors steal active login sessions through adversary-in-the-middle (AiTM) phishing pages that sit between the victim and a fake Microsoft 365 sign-in portal.
Once the stolen session token is captured, the attacker replays it to bypass multi-factor authentication entirely, slipping into the account without ever needing the user’s password again.
Security Risk Advisors (SRA) and BushidoToken Threat Intel said in a report shared with Cyber Security News (CSN) that the abuse of legitimate tooling continues to blur the line between normal activity and active intrusion, a pattern that fits this campaign almost perfectly.
The attackers never touch an endpoint, leaving traditional EDR solutions with almost nothing to detect or alert on.
Once inside a compromised Microsoft 365 account, the attacker pivots to the Microsoft Graph API, a legitimate developer tool used to query directory information.
From there, they run bulk queries searching for users whose job titles or display names contain keywords like payroll, hr, human, resources, finance, and admin.
The entire directory scan can be completed within minutes, handing the attacker a clean list of the exact staff they need to target.
The campaign, linked to clusters Microsoft tracks as Storm-2755 and Storm-2657, has been observed across healthcare, food services, and manufacturing environments.
The end goal in every case is the same: redirect an employee’s direct deposit to an attacker-controlled bank account, often by contacting HR directly or by modifying settings in HR platforms like Workday.
Hackers Use Microsoft Graph Reconnaissance
The Graph queries observed across compromised environments were nearly identical. Attackers started with a bulk pull of all users using the endpoint /v1.0/users?$top=999, then ran chained search filters across fields like displayName, jobTitle, mail, and userPrincipalName for payroll-related terms, paginated using $skiptoken to harvest every result in bulk.
The tokens used during this enumeration carried broad delegated permissions including Directory.Read.All, Files.ReadWrite.All, Group.ReadWrite.All, Chat.ReadWrite, and User.ReadWrite.
This gave attackers far more access than a simple directory lookup, raising the risk of OAuth-based persistence through consented applications that can survive password resets and token revocations.
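The query shape described above is what a detection rule over Graph activity logs has to key on. The following is an added example, not code from the article, SRA or BushidoToken: it assumes a MicrosoftGraphActivityLogs-style export where each record carries requestUri, userId, ipAddress and a space-separated scopes string (those field names are an assumption), and it flags accounts that issue repeated bulk /users pulls with $top=999, page through them with $skiptoken, and search displayName/jobTitle/mail/userPrincipalName for the payroll and HR keywords the article lists, noting which of the broad delegated scopes were present on the token. Sample records are constructed.

```python
"""Flag Microsoft Graph directory-enumeration patterns in Graph activity logs.

Added example; not code from the article, SRA or BushidoToken. Field names
(requestUri, userId, ipAddress, scopes) are an assumption about the export.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Keywords the article reports attackers searching for in directory fields.
TARGET_KEYWORDS = {"payroll", "hr", "human", "resources", "finance", "admin"}
# Directory fields the article reports being searched (lower-cased for matching).
SEARCHED_FIELDS = {"displayname", "jobtitle", "mail", "userprincipalname"}
# Delegated scopes the article lists on the enumeration tokens.
BROAD_SCOPES = {"Directory.Read.All", "Files.ReadWrite.All", "Group.ReadWrite.All",
                "Chat.ReadWrite", "User.ReadWrite"}
QUOTED = re.compile(r"""['"]([^'"]*)['"]""")  # string literals inside $filter/$search


def classify_request(uri):
    """Return (tags, keyword_hits) for one Graph request URI.

    Tags: users_listing, bulk_top, paginated, field_search, payroll_keyword.
    Keywords are matched as whole words inside quoted literals, so a lookup
    for the name 'chris' does not trigger on the substring 'hr'.
    """
    tags, hits = set(), set()
    parsed = urlparse(uri)
    if not parsed.path.lower().rstrip("/").endswith("/users"):
        return tags, hits
    tags.add("users_listing")
    params = {k.lower(): v for k, v in parse_qs(parsed.query).items()}
    try:
        if int(params.get("$top", ["0"])[0]) >= 999:
            tags.add("bulk_top")
    except ValueError:
        pass
    if "$skiptoken" in params:
        tags.add("paginated")
    clause = " ".join(params.get("$filter", []) + params.get("$search", []))
    if any(field in clause.lower() for field in SEARCHED_FIELDS):
        tags.add("field_search")
    for literal in QUOTED.findall(clause):
        hits |= set(re.findall(r"[a-z]+", literal.lower())) & TARGET_KEYWORDS
    if hits:
        tags.add("payroll_keyword")
    return tags, hits


def find_enumeration(records, min_bulk_requests=2):
    """Aggregate per userId and return accounts matching the bulk-harvest pattern."""
    per_user = defaultdict(lambda: {"tags": set(), "keywords": set(),
                                    "bulk_requests": 0, "scopes": set(), "ips": set()})
    for rec in records:
        tags, hits = classify_request(rec["requestUri"])
        if "users_listing" not in tags:
            continue
        entry = per_user[rec["userId"]]
        entry["tags"] |= tags
        entry["keywords"] |= hits
        if "bulk_top" in tags:
            entry["bulk_requests"] += 1
        entry["scopes"] |= set(rec.get("scopes", "").split()) & BROAD_SCOPES
        entry["ips"].add(rec.get("ipAddress", "?"))
    findings = {}
    for user, e in per_user.items():
        # Repeated bulk pulls plus pagination is the harvest signature; keyword
        # hunting on top of it is what raises the finding to high severity.
        if e["bulk_requests"] >= min_bulk_requests and "paginated" in e["tags"]:
            findings[user] = {"severity": "high" if e["keywords"] else "medium",
                              "keywords": sorted(e["keywords"]),
                              "bulk_requests": e["bulk_requests"],
                              "broad_scopes": sorted(e["scopes"]),
                              "source_ips": sorted(e["ips"])}
    return findings


GRAPH = "https://graph.microsoft.com/v1.0"
SCOPES = "Directory.Read.All Files.ReadWrite.All Group.ReadWrite.All Chat.ReadWrite User.ReadWrite"
SAMPLE_RECORDS = [  # constructed sample log records, not real telemetry
    {"userId": "u-1001", "ipAddress": "203.0.113.10", "scopes": SCOPES,
     "requestUri": f"{GRAPH}/users?$top=999"},
    {"userId": "u-1001", "ipAddress": "203.0.113.10", "scopes": SCOPES,
     "requestUri": f"{GRAPH}/users?$top=999&$skiptoken=X%27token-page-2%27"},
    {"userId": "u-1001", "ipAddress": "203.0.113.11", "scopes": SCOPES,
     "requestUri": f"{GRAPH}/users?$filter=startswith(jobTitle,'payroll')&$top=999"},
    {"userId": "u-1001", "ipAddress": "203.0.113.11", "scopes": SCOPES,
     "requestUri": f'{GRAPH}/users?$search="displayName:hr"'},
    # Ordinary activity: a mailbox read and a single-name directory lookup.
    {"userId": "u-2002", "ipAddress": "198.51.100.5", "scopes": "Mail.Read",
     "requestUri": f"{GRAPH}/me/messages?$top=10"},
    {"userId": "u-3003", "ipAddress": "198.51.100.6", "scopes": "User.Read.All",
     "requestUri": f"{GRAPH}/users?$filter=startswith(displayName,'chris')&$top=10"},
]

if __name__ == "__main__":
    for user, finding in find_enumeration(SAMPLE_RECORDS).items():
        print(user, finding)
```

The threshold of two bulk requests with pagination is deliberately low: a legitimate admin script may page through the directory once, but it does not normally combine that with keyword searches on job titles from a token that also holds Files.ReadWrite.All and Chat.ReadWrite, so the broad_scopes list is the field an analyst should read first when triaging.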
Authentication traffic came from US mobile carrier IP ranges, while Graph enumeration traffic traced back to Canadian residential ISPs, a split consistent with residential proxy infrastructure used to mask the operation.
Unremediated accounts were still generating non-interactive sign-ins to Office 365 Exchange Online roughly every three hours, using the Firefox 131.0 user-agent and rotating token identifiers with each session, meaning attackers maintained persistent access long after the initial compromise.
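The three-hourly non-interactive sign-in pattern is a periodicity signal that sign-in telemetry can surface on its own. The following is an added example, not code from the article, SRA or BushidoToken: it assumes an Entra sign-in log export with the fields userPrincipalName, createdDateTime, resourceDisplayName, isInteractive, userAgent and uniqueTokenIdentifier (those names are an assumption), groups non-interactive sign-ins per user and resource, and flags groups whose gaps are near-constant while the token identifier changes on every sign-in. The sample events are constructed.

```python
"""Spot periodic non-interactive sign-ins that look like replayed-token beaconing.

Added example; not code from the article, SRA or BushidoToken. Field names are
an assumption about the Entra sign-in log export.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Markers for the user-agent the article reports on the persistent sessions.
SUSPECT_UA_MARKERS = ("Firefox 131.0", "rv:131.0")
MIN_SIGNINS = 4  # a few samples are needed before calling a pattern periodic


def parse_ts(value):
    """Parse an ISO 8601 timestamp, accepting the trailing 'Z' form."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def beacon_candidates(signins, max_jitter=0.15):
    """Return (user, resource) groups whose non-interactive sign-ins recur on a
    near-fixed interval with a new token identifier every time.

    max_jitter is the allowed standard deviation of the gaps relative to the
    mean gap; genuine background refreshes from a device are far noisier.
    """
    groups = defaultdict(list)
    for event in signins:
        if event.get("isInteractive", True):
            continue  # interactive logons are the user, not a replayed token
        groups[(event["userPrincipalName"], event["resourceDisplayName"])].append(event)

    findings = []
    for (upn, resource), events in groups.items():
        if len(events) < MIN_SIGNINS:
            continue
        times = sorted(parse_ts(e["createdDateTime"]) for e in events)
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        rotating = len({e["uniqueTokenIdentifier"] for e in events}) == len(events)
        if jitter <= max_jitter and rotating:
            findings.append({
                "user": upn,
                "resource": resource,
                "signins": len(events),
                "period_hours": round(period / 3600, 2),
                "jitter": round(jitter, 3),
                "suspect_user_agent": any(m in e["userAgent"] for e in events
                                          for m in SUSPECT_UA_MARKERS),
            })
    return findings


def _event(upn, ts, token, ua, interactive=False, resource="Office 365 Exchange Online"):
    return {"userPrincipalName": upn, "createdDateTime": ts, "uniqueTokenIdentifier": token,
            "userAgent": ua, "isInteractive": interactive, "resourceDisplayName": resource}


REPLAY_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0"
SAMPLE_SIGNINS = [  # constructed sample records, not real telemetry
    # Replayed token: Exchange Online roughly every three hours, new token id each time.
    _event("pat@example.com", "2026-06-10T00:00:00Z", "tok-a1", REPLAY_UA),
    _event("pat@example.com", "2026-06-10T03:02:00Z", "tok-a2", REPLAY_UA),
    _event("pat@example.com", "2026-06-10T06:01:00Z", "tok-a3", REPLAY_UA),
    _event("pat@example.com", "2026-06-10T08:58:00Z", "tok-a4", REPLAY_UA),
    _event("pat@example.com", "2026-06-10T12:00:00Z", "tok-a5", REPLAY_UA),
    # Pat's own interactive logon is excluded from the grouping.
    _event("pat@example.com", "2026-06-10T09:15:00Z", "tok-a9", "Edge/126.0", interactive=True),
    # A normal workstation: irregular background refreshes, same token id reused.
    _event("sam@example.com", "2026-06-10T09:00:00Z", "tok-b1", "Outlook/16.0"),
    _event("sam@example.com", "2026-06-10T09:05:00Z", "tok-b1", "Outlook/16.0"),
    _event("sam@example.com", "2026-06-10T13:40:00Z", "tok-b2", "Outlook/16.0"),
    _event("sam@example.com", "2026-06-10T17:02:00Z", "tok-b3", "Outlook/16.0"),
]

if __name__ == "__main__":
    for finding in beacon_candidates(SAMPLE_SIGNINS):
        print(finding)
```

Run over a day or more of sign-in data the period and jitter fields separate scripted token replay from human-driven clients; the user-agent flag is kept as corroboration rather than a condition, since the attacker can change it far more easily than the cadence.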
Defending Against Payroll Piracy Attacks
Detection for this campaign depends almost entirely on Microsoft Entra sign-in telemetry and Microsoft Graph activity logs, since no malware or endpoint footprint is left behind.
SRA strongly recommends enabling Microsoft Graph activity logging and forwarding those logs to a SIEM or security data lake as the single most impactful step any organization can take right now.
On the authentication side, deploying phishing-resistant MFA using FIDO2 security keys, Windows Hello for Business, or certificate-based authentication is critical.
Standard authenticator app push notifications and SMS codes offer no protection against AiTM token theft. Conditional Access policies should be configured to require compliant or hybrid-joined devices and enable continuous access evaluation to cut off replayed tokens in near real time.
For organizations already dealing with compromised accounts, remediation must be thorough.
Revoking sessions and refresh tokens through the Entra Admin Center, resetting credentials, re-registering MFA methods, and auditing all enterprise application consent grants are required steps.
Any direct deposit or payroll changes made during the compromise window must also be reviewed and reversed. HR teams should treat any payroll change request as suspect until verified through an out-of-band channel.
Indicators of Compromise

| Type | Indicator | Description |
| --- | --- | --- |
| User-Agent | axios/1.7.9 | HTTP client user-agent observed in Storm-2755 sign-in activity |
| User-Agent | Firefox 131.0 (rv:131.0) | User-agent used during Graph token requests and persistent access |
| User-Agent | Firefox 142.0 (rv:142.0) | User-agent observed during initial account takeover sequence |
| IPv4 | 216.247.226[.]32 | Attacker infrastructure IP observed in campaign |
| IPv4 | 24.53.42[.]79 | Attacker infrastructure IP observed in campaign |
| IPv4 | 99.239.33[.]130 | Attacker infrastructure IP observed in campaign |
| IPv4 | 75.152.86[.]244 | Attacker infrastructure IP observed in campaign |
| IPv4 | 144.172.190[.]50 | Attacker infrastructure IP observed in campaign |
| IPv4 | 72.143.216[.]88 | Attacker infrastructure IP observed in campaign |
| IPv4 | 173.178.178[.]139 | Attacker infrastructure IP observed in campaign |
| IPv4 | 216.16.184[.]145 | Attacker infrastructure IP observed in campaign |
| IPv4 | 108.208.40[.]144 | Attacker infrastructure IP observed in campaign |
| IPv4 | 70.83.127[.]83 | Attacker infrastructure IP observed in campaign |
| IPv4 | 24.202.0[.]56 | Attacker infrastructure IP observed in campaign |
| IPv4 | 72.45.107[.]194 | Attacker infrastructure IP observed in campaign |
| IPv4 | 47.55.96[.]251 | Attacker infrastructure IP observed in campaign |
| IPv4 | 70.24.235[.]36 | Attacker infrastructure IP observed in campaign |
| IPv4 | 199.126.64[.]61 | Attacker infrastructure IP observed in campaign |
| IPv4 | 70.67.169[.]118 | Attacker infrastructure IP observed in campaign |
| IPv4 | 99.244.137[.]184 | Attacker infrastructure IP observed in campaign |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.