Who stands between a worker and their next paycheck — and what happens when that line is crossed? Microsoft says the answer, in at least one recent campaign, is a financially motivated actor that has been taking Canadian employees' salary payments after hijacking their accounts in so-called "payroll pirate" attacks.
The attack in brief
Microsoft reported that a financially motivated threat actor tracked as Storm-2755 has been conducting attacks that result in the theft of salary payments from Canadian employees. The company characterized the incidents as payroll pirate attacks in which adversaries first hijack accounts and then divert or steal wage payments.
What we know about Storm-2755
According to Microsoft, Storm-2755 is financially motivated and has focused its actions on payroll-related accounts belonging to Canadian employees. Beyond the label and the outcome — hijacked accounts and stolen salary payments — Microsoft’s reporting is the primary source of public detail presented about the campaign.
Why it matters
Payroll is both a high-value target and a critical operational function for organizations and workers. When payroll accounts are compromised, the consequences are immediate and personal: missing wages for employees and a scramble for employers to make impacted workers whole and to restore trust. Beyond individual harm, successful attacks on payroll systems can expose broader operational and reputational risks for companies and raise questions about the resilience of the systems that deliver pay.
For policymakers and regulators, incidents that systematically affect employees' pay can prompt scrutiny of financial controls and incident-reporting practices. For technologists, the campaign underscores the business-critical nature of identity and account security in financial workflows. For adversaries, payroll systems remain an attractive, monetizable target precisely because access can translate directly to cash flows.
What stakeholders should consider
- Employers and payroll teams should treat payroll accounts as high-risk assets and review access controls, monitoring, and recovery processes.
- Security teams and technologists should prioritize detection and containment capabilities that can spot account takeovers and unauthorized payment changes early.
- Employees should be informed promptly about potential compromises affecting pay and about steps to verify and recover missing funds.
- Policymakers and regulators may consider how to ensure rapid reporting, consumer protections, and coordination between affected organizations and financial institutions when payroll theft occurs.
Microsoft’s disclosure of Storm-2755’s payroll pirate activity is a reminder that the interface between identity, payroll systems, and financial transfer mechanisms is both a target-rich environment and a point of collective vulnerability. If attackers are willing to turn hijacked accounts into direct theft of wages, what safeguards will organizations, regulators, and users put in place next?




