Pulse: Payroll pirate attacks targeting Canadian employees
TLP: WHITE | Adversary: Storm-2755 | Author: AlienVault | Created: 2026-04-09 | Modified: 2026-04-10
Indicators: 3 (low volume)
Microsoft Incident Response researchers identified Storm-2755, a financially motivated threat actor conducting payroll pirate attacks against Canadian users. The campaign uses malvertising and SEO poisoning on generic search terms such as "Office 365" to lure victims to a fraudulent sign-in page. Through adversary-in-the-middle techniques, the actor captures authentication tokens and session cookies, bypassing MFA protections. Storm-2755 maintains persistence by using the Axios HTTP client to replay stolen tokens, then conducts discovery for payroll and HR contacts. The actor impersonates compromised users to socially engineer HR staff or directly manipulates payroll systems such as Workday. Malicious inbox rules hide the related correspondence from victims. The attacks resulted in direct financial losses through salary payments redirected to attacker-controlled bank accounts.
Indicators of Compromise (3)

Type    Indicator                  Description  Created
CVE     CVE-2025-27152             -            2026-04-09
URL     http://bluegraintours.com  -            2026-04-09
domain  bluegraintours.com         -            2026-04-09