Hackers Use Microsoft Graph Reconnaissance to Target Payroll and HR Employees
Hackers are abusing stolen Microsoft 365 sessions and Microsoft Graph API access to identify payroll, HR, finance, and administrative employees inside corporate tenants. The goal is payroll redirection, where attackers try to move employee salary payments to bank accounts they control.
The campaign was detailed in a new Security Risk Advisors threat bulletin created with BushidoToken Threat Intel. SRA said it observed the activity across multiple monitored client environments, including healthcare, food services, and manufacturing.
The attacks do not rely on malware or a software exploit. Instead, attackers steal authenticated Microsoft 365 sessions through adversary-in-the-middle phishing, replay the stolen tokens, use Graph API queries to find payroll-related employees, and then attempt to change direct deposit details.
How the Payroll Pirate Attack Works
The attack starts with a fake Microsoft 365 sign-in flow. In related activity, Microsoft said Storm-2755 used SEO poisoning and malvertising to push victims toward fake Office 365 login pages that captured credentials, session cookies, and OAuth access tokens.
Once attackers have a valid session, they can bypass traditional MFA methods that rely on codes, push approvals, or other phishable factors. The attacker does not need to compromise the endpoint, which means many endpoint detection tools may have little or no telemetry to inspect.
After account takeover, the attacker queries Microsoft Graph to search the directory for users linked to payroll operations. SRA said the activity included bulk enumeration of users and searches for terms such as payroll, pay, HR, human, resources, finance, account, support, and admin.
| Attack stage | What attackers do |
|---|---|
| Initial access | Steal Microsoft 365 sessions through AiTM phishing |
| Token replay | Reuse authenticated sessions to bypass non-phishing-resistant MFA |
| Reconnaissance | Query Microsoft Graph for payroll, HR, finance, and admin users |
| Fraud attempt | Contact HR or modify payroll settings in SaaS platforms |
| Persistence | Maintain token-based access or abuse consented applications |
Microsoft Graph Gives Attackers a Fast Directory Map
Microsoft Graph is a legitimate API for querying Microsoft 365 and Entra data. In this campaign, attackers used it for fast internal reconnaissance after stealing a valid user session.
The SRA bulletin says enumeration began with a bulk pull using /v1.0/users?$top=999. Attackers then used OR-chained search queries across fields such as displayName, givenName, surname, jobTitle, mail, and userPrincipalName, with $skiptoken pagination to harvest more results.
The observed tokens carried broad delegated permissions, including Directory.Read.All, Files.ReadWrite.All, Group.ReadWrite.All, Chat.ReadWrite, and User.ReadWrite. That means the risk can extend beyond a simple directory lookup if the compromised account or consented app has excessive access.
Why HR and Payroll Teams Are the Main Targets
The campaign focuses on employees who can approve, change, or influence salary payment details. Once the attacker identifies those people, they can send convincing direct deposit requests from a compromised mailbox or access HR SaaS platforms such as Workday.
Microsoft’s Storm-2755 report said attackers compromised user accounts to access employee profiles and divert salary payments to attacker-controlled accounts. Microsoft also observed inbox rules designed to hide messages containing terms such as direct deposit or bank.
That makes the attack both an identity security problem and a business process problem. Even when the initial compromise happens in Microsoft 365, the final damage may happen through payroll systems, HR portals, email approvals, or manual HR workflows.
- Payroll staff can receive convincing requests from compromised employee accounts.
- HR systems may allow bank detail changes after account takeover.
- Inbox rules can hide warning messages from the real user.
- Stolen sessions can bypass legacy MFA controls.
- Overly broad OAuth permissions can increase the damage.
What Security Teams Should Monitor
Detection depends heavily on Microsoft Entra sign-in logs and Microsoft Graph telemetry. Microsoft says Microsoft Graph activity logs provide an audit trail of HTTP requests that Microsoft Graph receives and processes for a tenant.
Those logs can help defenders find activity by compromised users, unusual Graph API behavior, suspicious request volumes, risky application activity, and Graph requests that correlate with sign-in events.
Microsoft’s Graph activity logging documentation says tenant admins can send logs to Log Analytics, export them to Azure Storage, or stream them through Event Hubs to external SIEM tools for alerting and analysis.
| Detection area | What to look for |
|---|---|
| Graph API activity | Large user enumeration requests and search queries for payroll or HR terms |
| Sign-in telemetry | Non-interactive sign-ins from unmanaged or device-less sessions |
| User agents | axios/1.7.9, Firefox 131.0, or Firefox 142.0 in suspicious sequences |
| Inbox rules | Rules that hide or delete messages containing bank, payroll, or direct deposit terms |
| HR SaaS activity | Payment election changes, bank account edits, and new MFA device enrollments |
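An added example, not code from the SRA bulletin or Microsoft, that runs the detection ideas above over records shaped like the Log Analytics MicrosoftGraphActivityLogs table (the RequestUri and UserId field names are assumed to match that table, the log records are constructed, and the one-bulk-pull / two-term thresholds are assumptions):

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Search terms and directory fields the SRA bulletin reports the attackers querying.
RECON_TERMS = {"payroll", "pay", "hr", "human", "resources", "finance",
               "account", "support", "admin"}
DIRECTORY_FIELDS = {"displayname", "givenname", "surname", "jobtitle",
                    "mail", "userprincipalname"}

# Constructed records shaped like the MicrosoftGraphActivityLogs table (not real telemetry).
SAMPLE_LOGS = [
    {"UserId": "u-1", "RequestUri": "https://graph.microsoft.com/v1.0/users?$top=999"},
    {"UserId": "u-1", "RequestUri": "https://graph.microsoft.com/v1.0/users?$top=999&$skiptoken=X%27abc%27"},
    {"UserId": "u-1", "RequestUri": "https://graph.microsoft.com/v1.0/users?$search=%22displayName:payroll%22%20OR%20%22jobTitle:payroll%22%20OR%20%22mail:hr%22"},
    {"UserId": "u-1", "RequestUri": "https://graph.microsoft.com/v1.0/users?$filter=startswith(jobTitle,'finance')%20or%20startswith(displayName,'admin')"},
    {"UserId": "u-2", "RequestUri": "https://graph.microsoft.com/v1.0/me/messages?$top=10"},
    {"UserId": "u-2", "RequestUri": "https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'Alice')"},
]

# Pulls field:value pairs out of $search ("jobTitle:payroll") and $filter (startswith(jobTitle,'payroll')).
PAIR_RE = re.compile(r"(\w+)(?::|,\s*')(\w+)")


def classify_request(uri):
    """Describe one Graph request: bulk user pull, $skiptoken pagination, recon terms searched for."""
    parsed = urlparse(uri)
    info = {"bulk": False, "paged": False, "terms": set()}
    if not parsed.path.rstrip("/").lower().endswith("/users"):
        return info                       # only directory listing/search is of interest here
    qs = parse_qs(parsed.query)           # percent-decodes the values for us
    top = qs.get("$top", ["0"])[0]
    info["bulk"] = top.isdigit() and int(top) >= 999
    info["paged"] = "$skiptoken" in qs
    for field, value in PAIR_RE.findall(" ".join(qs.get("$search", []) + qs.get("$filter", []))):
        if field.lower() in DIRECTORY_FIELDS and value.lower() in RECON_TERMS:
            info["terms"].add(value.lower())
    return info


def find_recon_users(records, min_terms=2):
    """Aggregate per UserId; flag anyone doing a bulk pull or searching for several recon terms."""
    per_user = defaultdict(lambda: {"bulk": 0, "pages": 0, "terms": set()})
    for rec in records:
        info = classify_request(rec["RequestUri"])
        stats = per_user[rec["UserId"]]
        stats["bulk"] += info["bulk"]
        stats["pages"] += info["paged"]
        stats["terms"] |= info["terms"]
    return {uid: s for uid, s in per_user.items() if s["bulk"] or len(s["terms"]) >= min_terms}
```

Flagged users are worth joining against Entra sign-in logs for the same time window, since the bulletin ties the queries to replayed sessions rather than to the user's own device.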
Phishing-Resistant MFA Is Now a Priority
Standard MFA does not fully solve this problem because AiTM phishing can steal authenticated tokens after a user completes sign-in. Microsoft says traditional methods such as SMS, email one-time passwords, and authenticator apps can still face remote phishing risk.
The Microsoft Entra authentication overview recommends phishing-resistant authentication methods such as Windows Hello for Business, passkeys based on FIDO2, FIDO2 security keys, and certificate-based authentication.
Organizations should enforce those methods through Conditional Access authentication strength policies for users who access payroll, HR, finance, admin portals, and sensitive SaaS applications. Enabling stronger methods without enforcement can leave weaker fallback paths open.
How to Respond to a Compromised Account
Response must go beyond a password reset. Attackers in this campaign use active sessions, refresh tokens, inbox rules, and possibly OAuth consent grants, so partial cleanup may leave access behind.
Microsoft’s emergency access revocation guidance says admins can disable a user and revoke Microsoft Entra ID refresh tokens, but it also notes that application session tokens may remain under the control of the application that issued them.
For Microsoft Entra-only accounts, the same Microsoft Entra guidance recommends disabling the user, revoking sign-in sessions, and disabling registered devices when access must be cut off quickly.
- Revoke sessions and refresh tokens for affected users.
- Reset credentials and re-register MFA methods.
- Remove malicious inbox rules and forwarding behavior.
- Audit enterprise applications and OAuth consent grants.
- Review payroll, direct deposit, and banking changes during the compromise window.
- Verify any payroll change request through an out-of-band channel.
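An added example, not code from SRA or Microsoft, for the inbox-rule step above: it triages rules in the shape Graph returns from GET /users/{id}/mailFolders/inbox/messageRules, flagging rules that hide mail mentioning the terms from the Storm-2755 report or that forward it elsewhere (the sample rules, folder ids and addresses are constructed; adding "payroll" to the term list is an assumption):

```python
# Terms the Storm-2755 report says attacker inbox rules matched, plus "payroll" (assumption).
HIDING_TERMS = ("direct deposit", "bank", "payroll")
# Graph messageRule actions that keep a matching message out of the user's sight.
HIDING_ACTIONS = ("delete", "moveToFolder", "markAsRead")
TEXT_CONDITIONS = ("subjectContains", "bodyContains", "bodyOrSubjectContains")

# Constructed rules in the shape returned by GET /users/{id}/mailFolders/inbox/messageRules.
SAMPLE_RULES = [
    {"id": "r1", "displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["direct deposit", "bank"]},
     "actions": {"markAsRead": True, "moveToFolder": "AAMk-constructed-folder-id", "stopProcessingRules": True}},
    {"id": "r2", "displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "AAMk-constructed-archive-id"}},
    {"id": "r3", "displayName": "Flag payroll notices", "isEnabled": True,
     "conditions": {"subjectContains": ["payroll"]},
     "actions": {"markImportance": "high"}},
    {"id": "r4", "displayName": "Backup", "isEnabled": True,
     "conditions": {"subjectContains": ["bank"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "outside@example.net"}}], "delete": True}},
]


def triage_rule(rule):
    """Return the reasons one inbox rule looks like payroll-fraud tradecraft ([] if none)."""
    conds = rule.get("conditions") or {}
    actions = rule.get("actions") or {}
    watched = [t.lower() for key in TEXT_CONDITIONS for t in conds.get(key, [])]
    matched = sorted({term for term in HIDING_TERMS if any(term in t for t in watched)})
    hides = [a for a in HIDING_ACTIONS if actions.get(a)]
    targets = [r["emailAddress"]["address"] for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo")
               for r in actions.get(key, [])]
    reasons = []
    if matched and hides:   # a sensitive-term condition paired with a hiding action
        reasons.append(f"hides messages mentioning {matched} via {hides}")
    if targets:             # forwarding/redirecting copies mail out of the mailbox
        reasons.append(f"sends mail to {targets}")
    return reasons


def triage_rules(rules):
    """Map rule id -> reasons for every enabled rule that deserves an analyst's attention."""
    findings = {}
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        reasons = triage_rule(rule)
        if reasons:
            findings[rule["id"]] = reasons
    return findings
```

Confirmed-malicious ids can then be removed with a DELETE on the same messageRules collection, and the mailbox audit log should be checked for who created them and when.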
Known Indicators from the Campaign
SRA listed several user-agent and IP indicators tied to the observed activity. These should support threat hunting, but they should not serve as the only detection layer because attackers can rotate infrastructure quickly.
| Type | Indicator | Use |
|---|---|---|
| User agent | axios/1.7.9 | Observed in Storm-2755 sign-in activity |
| User agent | Firefox 131.0 (rv:131.0) | Observed during Graph token requests and persistent access |
| User agent | Firefox 142.0 (rv:142.0) | Observed during account takeover activity |
| IPv4 | 216.247.226[.]32 | Reported attacker infrastructure |
| IPv4 | 24.53.42[.]79 | Reported attacker infrastructure |
| IPv4 | 99.239.33[.]130 | Reported attacker infrastructure |
| IPv4 | 75.152.86[.]244 | Reported attacker infrastructure |
| IPv4 | 144.172.190[.]50 | Reported attacker infrastructure |
The strongest defense is layered. Use phishing-resistant MFA for critical users, restrict access to managed devices, log Microsoft Graph activity, monitor HR SaaS changes, and require out-of-band verification before changing salary payment details.
The Entra authentication guidance and Graph telemetry both point to the same conclusion: identity systems now need the same level of monitoring and hardening that defenders once reserved for endpoints and servers.
FAQ
It is a cloud identity attack where hackers steal Microsoft 365 sessions, use Microsoft Graph API queries to find payroll and HR employees, and then attempt to redirect salary payments to attacker-controlled accounts.
Attackers use adversary-in-the-middle phishing to capture authenticated session tokens. They then replay those tokens, which can bypass traditional MFA methods that are not phishing-resistant.
Microsoft Graph API gives attackers a fast way to query directory data. In this campaign, they used it to search for job titles, names, and email fields linked to payroll, HR, finance, and admin roles.
Organizations should enforce phishing-resistant MFA such as FIDO2 security keys, passkeys, Windows Hello for Business, or certificate-based authentication, especially for payroll, HR, finance, and administrative users.
They should revoke sessions and refresh tokens, reset credentials, re-register MFA methods, remove malicious inbox rules, audit OAuth consent grants, review HR SaaS activity, and verify any payroll or direct deposit changes made during the compromise window.