Week in Review
247Techify Editorial | April 13, 2026
This week's threat landscape handed Ontario businesses four very good reasons to pay attention — and one very clear action plan. A financially motivated hacking crew is quietly redirecting employee paycheques to offshore accounts. A China-linked ransomware gang is deploying malware within 24 hours of a new vulnerability going public. A software vendor serving 80 percent of Dutch hospitals was ransomwared, exposing patient records and knocking clinics offline. And Microsoft is sounding the alarm over an AI-powered phishing campaign that can bypass multi-factor authentication as though it were never there.
None of these are hypothetical threats aimed at large corporations. They are active campaigns — and several explicitly target Canadian organizations and employees. Here is what happened, what it means for your business, and what you should do before Monday morning.
Story 01
Canadian Employees Hit by “Payroll Pirate” Scheme — Microsoft Warns
A threat actor Microsoft calls Storm-2755 has been quietly raiding the paycheques of Canadian workers. The method is unsettlingly simple: the group buys ad space on Google and Bing — or manipulates search results — so that when an employee types “Office 365 login” or even “Office 265” (a common typo), they land on a convincing fake Microsoft sign-in page. Once the employee enters their password, Storm-2755 captures their session token, allowing the attackers to log in as that person even if multi-factor authentication is enabled. From inside the account, they hunt for HR portals like Workday, locate the direct deposit form, and quietly reroute the next paycheque to a bank account they control. They then create hidden inbox rules so any emails about the change vanish before the victim sees them. Microsoft published its investigation on April 9, 2026, calling it a geographically targeted campaign aimed specifically at Canadian users — not a random spray of attacks, but a deliberate focus on this country.
The takeaway for Ontario businesses: Warn all staff never to Google their way to a company login — bookmarked, verified URLs only. Ask your HR team to verify any direct deposit change request with a phone call to the employee at a known number. And consider upgrading to phishing-resistant MFA such as hardware keys or passkeys, which this attack cannot bypass.
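For IT teams, the hidden inbox rules described in this story are something that can be searched for. The sketch below is an added example, not code from Microsoft or from this article: it scans mailbox audit records for rules that delete or move mail matching payroll terms. The record layout (Operation, UserId, ClientIP, Parameters as Name/Value pairs) follows Exchange Online audit events for New-InboxRule and Set-InboxRule; the keyword list and the sample records are assumptions constructed for illustration.

```python
SUSPECT_OPS = {"New-InboxRule", "Set-InboxRule"}
MATCH_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
                "SubjectOrBodyContainsWords", "FromAddressContainsWords")
# Assumed keyword list; tune it to your payroll provider and language.
PAYROLL_TERMS = ("direct deposit", "payroll", "paycheque", "paycheck",
                 "workday", "bank")

def rule_params(record):
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def hides_mail(params):
    """True if the rule deletes matching mail or moves it out of the inbox."""
    return (params.get("DeleteMessage", "").lower() == "true"
            or bool(params.get("MoveToFolder")))

def payroll_terms_in(params):
    """Payroll-related terms present in the rule's match conditions."""
    text = " ".join(params.get(f, "") for f in MATCH_FIELDS).lower()
    return sorted(t for t in PAYROLL_TERMS if t in text)

def find_payroll_hiding_rules(records):
    """Return one finding per rule that both hides mail and matches payroll terms."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in SUSPECT_OPS:
            continue
        params = rule_params(rec)
        terms = payroll_terms_in(params)
        if hides_mail(params) and terms:
            findings.append({"user": rec.get("UserId"), "ip": rec.get("ClientIP"),
                             "rule": params.get("Name"), "terms": terms})
    return findings

# Constructed sample records, not real telemetry.
SAMPLE = [
    {"Operation": "New-InboxRule", "UserId": "a.tremblay@example.com", "ClientIP": "203.0.113.40",
     "Parameters": [{"Name": "Name", "Value": "HR"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "direct deposit;Workday"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "j.singh@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "weekly digest"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "MailItemsAccessed", "UserId": "a.tremblay@example.com"},
]

if __name__ == "__main__":
    print(find_payroll_hiding_rules(SAMPLE))
```

A finding is a prompt to call the employee and check recent direct deposit changes, not proof of compromise on its own.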
Story 02
Medusa Ransomware Gang Deploys in Under 24 Hours of a Bug Going Public
Microsoft’s threat intelligence team has published detailed research on Storm-1175, a China-linked cybercriminal group running Medusa ransomware with alarming speed. Their signature move: weaponize software vulnerabilities before most businesses have even heard about the patch. In some confirmed cases, they went from exploiting a newly disclosed bug to fully encrypting a victim’s network in under 24 hours. Their current toolkit targets software many Ontario SMBs rely on — Fortra GoAnywhere file transfer software, SmarterMail email servers, ConnectWise ScreenConnect remote management tools, Microsoft Exchange, and Ivanti products. The group scans for internet-facing login portals, breaks in, moves laterally across the network, steals data using tools like Rclone, then deploys ransomware. Confirmed victims include a U.S. medical imaging company whose breach exposed data on 1.27 million patients, and a university hospital that lost nine days of patient care operations. Healthcare, professional services, education, and finance are the hardest-hit sectors.
The takeaway for Ontario businesses: The window between “patch released” and “attackers exploit it” has collapsed to hours. If your business uses GoAnywhere, SmarterMail, ConnectWise ScreenConnect, or any Ivanti product — confirm with your IT team that those are fully patched today. Anything with a login page visible to the public internet is a door this group will try to kick open.
Story 03
Hospital Software Vendor ChipSoft Ransomwared — Patient Records Potentially Exposed
ChipSoft, a Dutch company that provides electronic patient record software to roughly 80 percent of hospitals in the Netherlands, was hit by a ransomware attack on April 7, 2026. The attack forced the company to take its patient portal, mobile app, and hospital integration platform offline. At least eleven healthcare facilities had to shut down their ChipSoft systems as a precaution. The company has confirmed it cannot rule out that patient data — including names, addresses, national identification numbers, diagnoses, treatment histories, and insurance details — was accessed or stolen. As of April 12, no ransomware group has publicly claimed the attack, which security researchers say is unusual and may indicate that negotiations are underway behind the scenes. This incident echoes the 2024 Change Healthcare attack in the United States, where a single vendor’s compromise cascaded through hundreds of hospitals and clinics. For any Canadian business that depends on a single software platform — whether it is an accounting system, practice management software, or an ERP — the lesson is stark: your vendor’s security is your security.
The takeaway for Ontario businesses: Ask your critical software vendors what their incident response plan looks like. Do you have a documented manual fallback for when your key business software goes offline? Every Ontario SMB that relies on cloud-based platforms should have at minimum a short-term continuity plan for their most critical processes.
Story 04
AI-Powered Phishing Campaign Bypasses Microsoft 365 MFA at Scale
Microsoft’s Defender Research Team has published details of a sophisticated phishing campaign that uses artificial intelligence end-to-end to compromise Microsoft 365 accounts — and it does not care whether employees have multi-factor authentication turned on. The attack exploits a legitimate Microsoft sign-in method called “device code flow,” normally used for smart TVs and printers that cannot display a browser login. Attackers trick employees into entering a short authentication code on a real Microsoft webpage — making the login look completely legitimate — and then harvest the resulting session token, bypassing MFA entirely. What makes this campaign remarkable is its use of AI to craft highly personalized phishing emails matched to the victim’s job role: invoice requests for accountants, RFPs for procurement managers, manufacturing workflow notices for operations staff. Automation platforms spin up thousands of unique, short-lived web nodes so traditional email filters never see the same link twice. The campaign has already compromised over 340 organizations across five countries.
The takeaway for Ontario businesses: Standard app-push or SMS-based MFA is no longer sufficient against this class of attack. Ask your IT administrator to review your Microsoft 365 Conditional Access policies and block device code flow authentication unless your organization genuinely needs it for kiosks or printers. This single configuration change closes the door on this specific campaign.
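To confirm the Conditional Access change is actually in force, an administrator can export the tenant's policies and check them. The sketch below is an added example, not Microsoft's or this article's code: it reads policies in the shape of the Microsoft Graph conditionalAccessPolicy resource (state, conditions.authenticationFlows.transferMethods, grantControls.builtInControls) and reports whether device code flow is blocked, only in report-only mode, or not covered. The sample export is constructed; verify the field names against your own export before relying on the result.

```python
def targeted_flows(policy):
    """Authentication flows named in the policy's conditions (comma-separated in exports)."""
    cond = policy.get("conditions") or {}
    raw = (cond.get("authenticationFlows") or {}).get("transferMethods") or ""
    return {m.strip() for m in raw.split(",") if m.strip()}

def device_code_block_state(policy):
    """'enforced', 'report-only' or None for a single policy."""
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "deviceCodeFlow" not in targeted_flows(policy) or "block" not in controls:
        return None
    return {"enabled": "enforced",
            "enabledForReportingButNotEnforced": "report-only"}.get(policy.get("state"))

def audit_device_code(policies):
    """Summarise which policies block device code flow and where coverage is incomplete."""
    report = {"enforced": [], "report-only": [], "gaps": []}
    for pol in policies:
        state = device_code_block_state(pol)
        if state is None:
            continue
        name = pol.get("displayName", "<unnamed>")
        report[state].append(name)
        users = (pol.get("conditions") or {}).get("users") or {}
        if state == "enforced":
            if "All" not in (users.get("includeUsers") or []):
                report["gaps"].append(f"{name}: not applied to all users")
            if users.get("excludeUsers") or users.get("excludeGroups"):
                report["gaps"].append(f"{name}: has exclusions, confirm kiosk/printer only")
    if not report["enforced"]:
        report["gaps"].append("no enforced policy blocks device code flow")
    return report

# Constructed export, not a real tenant.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block device code flow (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow"}},
     "grantControls": {"builtInControls": ["block"]}},
]

if __name__ == "__main__":
    print(audit_device_code(SAMPLE_POLICIES))
```

On the constructed export the block policy exists but is report-only, so the audit reports a gap: the policy logs device code sign-ins without stopping them.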
“The common thread this week isn’t sophistication — it’s speed. Ransomware within 24 hours. Paycheques rerouted before anyone notices. AI generating perfect phishing bait in seconds. The attackers have automated what used to take days. Ontario businesses need to harden their defences at the same pace.”
Your quick checklist this week
🔖 Bookmark login pages and brief your team today
No one at your organization should be Googling their way to your Microsoft 365, banking, or payroll login. Set up bookmarks on every work device and distribute verified URLs to staff. This single habit blocks the Storm-2755 payroll pirate attack entirely.
🔒 Add a phone-call verification step to payroll changes
Instruct HR and payroll staff that any request to change banking or direct deposit information — regardless of how legitimate it looks — must be verified by calling the employee at a known number before processing. This stops Storm-2755 cold and costs nothing to implement.
🩹 Patch internet-facing software immediately
If your business uses GoAnywhere, SmarterMail, ConnectWise ScreenConnect, Ivanti products, or on-premises Microsoft Exchange — confirm with your IT team that all are fully up to date. Storm-1175 exploits new vulnerabilities within 24 hours of public disclosure. The patch window is extremely short.
🚫 Block device code flow in Microsoft 365 Conditional Access
Unless your organization uses smart TVs, kiosks, or printers that authenticate with Microsoft 365, there is no reason for device code flow to be enabled. Ask your IT administrator to review Conditional Access policies and disable it — this closes the door on the AI phishing campaign above.
🚀 Upgrade to phishing-resistant MFA
SMS codes and authenticator app push notifications can be bypassed by session token theft. Ask your IT provider about hardware security keys (YubiKey) or Microsoft passkey authentication — these cannot be replayed by an attacker who has stolen your session token.
☁️ Ask your critical vendors about their incident response plan
The ChipSoft attack is a reminder that your business continuity depends on your software vendors’ resilience. Email your top two or three providers and ask what happens if they are hit by ransomware. If they cannot answer clearly, that tells you something important — and motivates a backup plan.
The bottom line
What stands out this week is how deliberately Canadian businesses and employees are being targeted. Storm-2755 did not accidentally hit Canadian workers — they chose Canada. Cyberattacks on Canadian enterprises surged nearly 80 percent year over year according to data released earlier this month. The widespread belief that hackers focus on large corporations and leave small businesses alone is no longer just incorrect — it is dangerous. SMBs are now the primary target precisely because large companies have strengthened their defences and refuse to pay ransoms, pushing attackers toward softer targets.
The good news is that most of this week’s threats have clear, affordable countermeasures. Better bookmarking habits cost nothing. A phone call before changing payroll details takes two minutes. Faster patching is a scheduling decision. Reviewing one Microsoft 365 policy setting is a single conversation with your IT team. These actions do not require a large security budget — they require awareness and follow-through.
If even one item on this week’s checklist is something your business has not yet addressed, treat it as urgent. The actors making headlines this week move fast. You can too — and with the right support, you do not have to move alone.