Cybercriminals Redirect Employee Salaries to Fraudulent Accounts, says Microsoft

Cyberattackers Hijack University Payroll Systems, Redirecting Employee Salaries to Fraudulent Accounts

Payroll pirates target employee accounts

Microsoft Threat Intelligence has uncovered a sophisticated cybercrime operation targeting U.S. universities, where hackers are compromising employee accounts to redirect salary payments directly into their own bank accounts—leaving victims unaware until payday arrives with no deposit.

The financially motivated threat actor, tracked as Storm-2657, has compromised at least 11 accounts across three universities since March 2025, and has used those footholds to send phishing emails to nearly 6,000 accounts across 25 educational institutions.

These "payroll pirate" attacks specifically exploit human resources platforms like Workday, though security experts warn that any HR software storing payment information faces similar risks.

Attack flow of payroll pirate

Storm-2657's operation relies on convincing social engineering rather than software vulnerabilities. The group sends realistic phishing emails disguised as campus health alerts about COVID-like illnesses, faculty misconduct reports, or official communications from university presidents.

These messages include links, often presented as legitimate Google Docs, that redirect victims to attacker-controlled domains. The domains act as adversary-in-the-middle proxies: they relay the victim's password and MFA code to the real sign-in service in real time, so the login succeeds for the victim while the attacker captures the credentials and the authenticated session.

Once inside an account, the attackers move quickly to establish persistence. They enrol their own phone numbers as MFA devices, create inbox rules to automatically delete warning notifications from Workday (using names like "…." or "''''" to avoid detection), and modify victims' direct deposit information to redirect future paychecks.

"These attacks don't represent any vulnerability in the Workday platform or products, but rather financially motivated threat actors using sophisticated social engineering tactics," Microsoft researchers noted, emphasising that the real weakness lies in inadequate authentication protections.

The campaign highlights a weakness that affects higher education and potentially any organisation whose third-party HR platform is reachable with the same credentials and MFA as corporate email. Only about 10% of recipients of one phishing email reported it as suspicious, meaning 90% did not, which underscores the effectiveness of Storm-2657's social engineering.

Protection Measures

Microsoft strongly recommends that organisations immediately adopt phishing-resistant MFA methods, such as FIDO2 security keys, Windows Hello for Business, or Microsoft Authenticator passkeys. One-time codes, whether delivered by SMS, voice call, or an authenticator app, can be relayed in real time by an adversary-in-the-middle proxy, which is exactly how Storm-2657 captured them; only methods bound to the legitimate site's origin defeat that relay.

IT administrators should also monitor for suspicious inbox rules, especially those targeting emails from payroll systems, review recently added MFA devices, and enable comprehensive logging through Microsoft Defender for Cloud Apps to correlate suspicious activities across multiple platforms.
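The inbox-rule tradecraft described above (punctuation-only rule names, deletion of Workday notifications) can be triaged directly from mailbox audit events. The following Python is an added example written for this article, not code from Microsoft or Workday. It runs over a handful of constructed records whose shape is loosely modelled on Exchange Online `New-InboxRule` audit entries (an `Operation` field plus a list of `Name`/`Value` parameter pairs); the addresses, folder names and field layout are assumptions, so adapt the parameter names to what your own audit export actually contains.

```python
"""Heuristic triage of mailbox-rule audit events for payroll-pirate tradecraft."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample records (fictional users and addresses), loosely modelled
# on the shape of Exchange Online New-InboxRule entries in the unified audit
# log. The exact parameter names are an assumption for this example.
SAMPLE_AUDIT_RECORDS = [
    {"UserId": "jdoe@university.example", "Operation": "New-InboxRule",
     "Parameters": [
         {"Name": "Name", "Value": "…."},                      # near-invisible name
         {"Name": "From", "Value": "noreply@workday.example"},  # HR platform sender
         {"Name": "DeleteMessage", "Value": "True"},
     ]},
    {"UserId": "asmith@university.example", "Operation": "New-InboxRule",
     "Parameters": [
         {"Name": "Name", "Value": "''''"},
         {"Name": "SubjectContainsWords", "Value": "direct deposit;payment election"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"},
     ]},
    {"UserId": "bwong@university.example", "Operation": "New-InboxRule",
     "Parameters": [                                           # benign filing rule
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "From", "Value": "digest@example-news.com"},
         {"Name": "MoveToFolder", "Value": "Newsletters"},
     ]},
    {"UserId": "jdoe@university.example", "Operation": "Set-Mailbox",
     "Parameters": []},                                        # not a rule event
]

# Terms that appear in payroll/HR change notifications an attacker wants buried.
PAYROLL_TERMS = re.compile(
    r"workday|payroll|direct deposit|payment election|bank account", re.IGNORECASE
)
# A name consisting only of punctuation or whitespace (e.g. "…." or "''''")
# renders as an almost-empty entry in the rules UI, a stealth indicator.
OBSCURE_NAME = re.compile(r"^[\W_]*$")
CONDITION_PARAMS = ("From", "SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords")
HIDE_PARAMS = ("DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead")


@dataclass
class Finding:
    user: str
    rule_name: str
    reasons: list[str]


def _params(record: dict) -> dict[str, str]:
    """Flatten the Name/Value parameter list into a plain dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def analyse_rule(record: dict) -> Finding | None:
    """Return a Finding when a rule looks designed to hide payroll mail."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = _params(record)
    name = p.get("Name", "")
    reasons: list[str] = []
    if OBSCURE_NAME.match(name):
        reasons.append("rule name is empty or punctuation-only")
    conditions = " ".join(p.get(k, "") for k in CONDITION_PARAMS)
    if PAYROLL_TERMS.search(conditions):
        reasons.append("conditions match payroll/HR notification content")
    hiding = [k for k in HIDE_PARAMS if p.get(k, "False") not in ("False", "")]
    if hiding:
        reasons.append("rule hides matching mail via " + ", ".join(hiding))
    # Filing mail into folders is routine; escalate only when the rule also
    # targets payroll content or carries a deliberately unreadable name.
    if hiding and len(reasons) >= 2:
        return Finding(record.get("UserId", "?"), name, reasons)
    return None


def analyse_records(records: list[dict]) -> list[Finding]:
    """Run the heuristic over every record and keep the hits, in input order."""
    return [f for f in (analyse_rule(r) for r in records) if f is not None]


if __name__ == "__main__":
    for f in analyse_records(SAMPLE_AUDIT_RECORDS):
        print(f"{f.user}: rule {f.rule_name!r}")
        for reason in f.reasons:
            print("  -", reason)
```

The heuristic deliberately requires two signals before flagging, so a normal "move newsletters to a folder" rule is not reported while a rule that both deletes mail and matches the HR platform's sender is. Pair the hits with Entra ID sign-in and security-info registration events for the same user and time window, since the rule is usually created minutes after the fraudulent MFA enrolment.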

For employees, any unexpected notification about changed direct deposit information should trigger immediate contact with HR and IT security teams. Because the attackers delete exactly those warnings to stay hidden, staff should not rely on email alone: check the payment details shown inside the HR portal itself, reached by typing its address rather than following a link, and treat a payday with no deposit as a security incident rather than a banking delay.