IOC Radar
TLP:WHITE · 2 IOCs

Investigating Storm-2755: “Payroll pirate” attacks targeting Canadian employees

Microsoft Threat Intelligence
Published April 9, 2026

Diamond Model

Social axis / technology axis:
Adversary: unknown
Infrastructure (1): http://bluegraintours…
Capability: unknown
Victim: unknown

Attack Flow (8 steps · MITRE ATT&CK mapped)

Step 1/8: Initial Access (TA0001 · T1566 Phishing)
Action: Phishing for credentials
Users are directed to a malicious Microsoft 365 sign-in page via SEO poisoning or malvertising, leading to credential theft.


Indicators of Compromise (2)

Type  Indicator                  Tags                                   Confidence  Score  First Seen
CVE   CVE-2025-27152             exploit, intel-blog, vulnerability     Medium      51     Jun 2, 26
URL   http://bluegraintours.com  intel-blog, malware, network           High        58     Jun 2, 26

IOC Relationship Graph (2 total IOCs)

Nodes: CVE (1), URL (1); both linked to the report "Investigating Storm-2755".