
A cybercrime gang tracked as Storm-2657 has been targeting university employees in the United States to hijack salary payments in “pirate payroll” attacks since March 2025.
Microsoft Threat Intelligence analysts who looked into this campaign found that the threat actors are targeting Workday accounts; however, other third-party human resources (HR) software-as-a-service (SaaS) platforms may also be at risk.
“We observed 11 successfully hacked accounts at three universities that were used to send phishing emails to approximately 6,000 email accounts at 25 universities,” Microsoft said in a report Thursday.
“These attacks do not represent any vulnerabilities in the Workday platform or products, but rather represent financially motivated threat actors using sophisticated social engineering tactics and taking advantage of the complete lack of multifactor authentication (MFA) or lack of phishing-resistant MFA to compromise accounts.”
Attackers are using multiple themes custom-tailored to each target in phishing emails, ranging from warnings about disease spread on campus to reports of faculty misconduct, to trick recipients into clicking phishing links.
Other examples include emails impersonating a university president, sharing information about compensation and benefits, or fake documents shared by HR.

In these attacks, Storm-2657 compromised victims’ accounts via phishing emails that used adversary-in-the-middle (AITM) links to steal MFA codes, allowing threat actors to gain access to Exchange Online accounts.
Once inside the breached accounts, they set up inbox rules to delete Workday alert notification emails. This hid their subsequent changes: after accessing the victims’ Workday profiles via single sign-on (SSO), they altered payroll configuration and redirected salary payments to accounts under their control.
“Following the compromise of email accounts and payroll modifications to Workday, the threat actor took advantage of the newly accessed accounts to distribute phishing emails both within the organization and externally to other universities,” Microsoft said.
In some cases, to establish persistence, the threat actors also enrolled their own phone numbers as MFA devices for compromised accounts, through Workday profiles or Duo MFA settings. This let them approve further malicious actions from their own devices while avoiding detection.
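One way to hunt for the inbox-rule tradecraft described above is to sweep mailbox-rule creation events for rules that both hide mail (delete it or route it to a rarely viewed folder) and match payroll-related senders or subjects. The script below is an added example, not code from Microsoft’s report; the audit records it scans are constructed, trimmed to the shape of Microsoft 365 unified audit log entries for New-InboxRule/Set-InboxRule operations, and the keyword lists are assumptions a defender would tune to their own environment.

```python
# Constructed sample audit records (not real telemetry), trimmed to the fields
# this check uses: Operation, UserId and the Name/Value Parameters array.
SAMPLE_AUDIT_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "prof.a@example.edu",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "FromAddressContainsWords", "Value": "workday.com"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "staff.b@example.edu",
     "Parameters": [{"Name": "Identity", "Value": "cleanup"},
                    {"Name": "SubjectContainsWords", "Value": "Direct Deposit;Payment Election"},
                    {"Name": "MoveToFolder", "Value": "\\RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "staff.c@example.edu",
     "Parameters": [{"Name": "Name", "Value": "newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "Weekly Digest"},
                    {"Name": "MoveToFolder", "Value": "\\Newsletters"}]},
]

# Assumed keyword lists; tune to the HR/payroll platforms in use.
PAYROLL_TERMS = ("workday", "payroll", "direct deposit", "payment election", "bank account")
HIDING_FOLDERS = ("deleted items", "rss subscriptions", "rss feeds", "archive", "junk email")
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "FromAddressContainsWords")
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule")

def rule_params(record):
    """Flatten the Name/Value parameter array into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def rule_hides_mail(params):
    """True if the rule deletes mail or files it into a folder users rarely open."""
    if params.get("DeleteMessage", "").lower() == "true":
        return True
    folder = params.get("MoveToFolder", "").lstrip("\\").lower()
    return folder in HIDING_FOLDERS

def rule_targets_payroll(params):
    """True if any rule condition mentions payroll or HR-platform terms."""
    text = " ".join(params.get(k, "") for k in CONDITION_PARAMS).lower()
    return any(term in text for term in PAYROLL_TERMS)

def find_suspicious_rules(records):
    """Return the users and rule names whose rules hide payroll-related mail."""
    hits = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = rule_params(rec)
        if rule_hides_mail(params) and rule_targets_payroll(params):
            hits.append({"user": rec["UserId"], "operation": rec["Operation"],
                         "rule": params.get("Name") or params.get("Identity", "")})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_AUDIT_RECORDS):
        print(f"{hit['user']}: {hit['operation']} rule '{hit['rule']}' hides payroll mail")
```

On the constructed records, the first two rules are flagged (one deletes mail from the Workday sender, one diverts direct-deposit subjects to the RSS folder) and the newsletter rule is not.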

Microsoft has identified the affected customers and has reached out to some of them to assist with mitigation efforts. In today’s report, the company also shared guidance for implementing phishing-resistant MFA to help investigate and prevent these attacks and protect user accounts.
Such “payroll pirate” attacks are a type of business email compromise (BEC) scam that targets businesses and individuals who regularly make wire transfer payments.
In 2024, the FBI’s Internet Crime Complaint Center (IC3) recorded over 21,000 BEC fraud complaints, resulting in losses of over $2.7 billion, making it the second most lucrative crime type after investment scams.
However, these numbers are based on known cases reported directly by victims or discovered by law enforcement, and thus likely represent only a fraction of actual losses.