“Payroll Pirates” Steal Salaries From US University Employees

Published on Oct 10, 2025
Written by Caitlin Harris

A group of hackers is using phishing attacks to hijack salary payments of employees working at universities in the United States.  

Researchers at Microsoft Threat Intelligence observed the group, tracked as Storm-2657 and dubbed the “Payroll Pirates”, using phishing emails to compromise employee accounts.

“The threat actor used realistic phishing emails, targeting accounts at multiple universities, to harvest credentials,” the company explains. “Since March 2025, we’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities.” 

After gaining initial access, the attackers accessed their victims’ employee profiles and changed their payment information to divert salary payments to attacker-controlled accounts. In this campaign, the adversary was specifically targeting Workday accounts, but any SaaS systems storing HR or payment data could be targeted with the same technique, Microsoft warns.

One reason the attacks were so successful was the lack of multi-factor authentication on employee accounts.

“In multiple instances, compromised accounts did not have MFA enabled. In other cases, users were tricked into disclosing MFA codes via AiTM phishing links distributed through email,” Microsoft explains.

AiTM is short for Adversary-in-the-Middle, a sophisticated attack type where a malicious actor intercepts and alters communications between two parties. This is often used to steal login credentials or session cookies, bypassing authentication checks.

Another factor was the evasive techniques the actors employed to minimize their likelihood of detection. First, following compromise, the actors created a generic inbox rule to hide or delete incoming notification emails from Workday, so victims would not be notified about changes to their accounts.

Second, the actors enrolled their own phone numbers as authentication devices for victim accounts, allowing them to establish persistent access without the need for further Multi-Factor Authentication (MFA) approval from the victim. 
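Both evasion steps leave traces a defender can look for: an inbox rule that deletes or buries Workday notification mail, and a new MFA method registered shortly before payment details change. The script below is an added detection example, not Microsoft's or Workday's tooling. The audit events it runs over are constructed and simplified; `New-InboxRule` and `Set-InboxRule` are real Exchange Online operation names, but `MfaMethodRegistered` and `PaymentElectionChanged` are placeholder names standing in for whatever the identity provider and HR system actually log.

```python
"""Flag the two post-compromise behaviours described in the article:
  1. an inbox rule that hides or deletes notification mail from Workday/payroll;
  2. a new MFA method registered within a window before a payment-detail change.

Added example; not Microsoft's or Workday's code. Events are constructed and
simplified: real unified-audit-log records have more fields and deeper nesting."""

from datetime import datetime, timedelta

# Terms that notification-hiding rules in this kind of campaign commonly match on.
NOTIFICATION_KEYWORDS = ("workday", "payroll", "direct deposit", "payment election")
# Folders attackers use to bury mail the victim is unlikely to open.
HIDING_FOLDERS = {"deleted items", "junk email", "archive", "rss feeds", "conversation history"}
# Rule conditions whose text we inspect for the keywords above.
CONDITION_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "FromAddressContainsWords")

# Constructed sample events (not a real export). "MfaMethodRegistered" and
# "PaymentElectionChanged" are placeholder operation names for this example.
SAMPLE_EVENTS = [
    {"Time": "2025-03-12T09:14:00Z", "Operation": "New-InboxRule", "User": "alice@uni.example",
     "Parameters": {"SubjectContainsWords": "Workday", "DeleteMessage": True, "MarkAsRead": True}},
    {"Time": "2025-03-12T09:30:00Z", "Operation": "New-InboxRule", "User": "bob@uni.example",
     "Parameters": {"FromAddressContainsWords": "newsletter@vendor.example",
                    "MoveToFolder": "Newsletters"}},
    {"Time": "2025-03-12T09:41:00Z", "Operation": "MfaMethodRegistered", "User": "alice@uni.example",
     "Details": {"MethodType": "Phone", "Phone": "+1-555-0100"}},
    {"Time": "2025-03-12T10:02:00Z", "Operation": "PaymentElectionChanged", "User": "alice@uni.example",
     "Details": {"AccountLast4": "0937"}},
    {"Time": "2025-03-13T08:00:00Z", "Operation": "MfaMethodRegistered", "User": "carol@uni.example",
     "Details": {"MethodType": "Authenticator"}},
]


def parse_time(ts):
    """Parse an ISO-8601 UTC timestamp; the 'Z' suffix is rewritten for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def rule_hides_notifications(params):
    """True when a rule matches payroll/Workday mail AND deletes or buries it."""
    condition_text = " ".join(str(params.get(f, "")) for f in CONDITION_FIELDS).lower()
    matches_keyword = any(k in condition_text for k in NOTIFICATION_KEYWORDS)
    hides = bool(params.get("DeleteMessage")) or \
        str(params.get("MoveToFolder", "")).lower() in HIDING_FOLDERS
    return matches_keyword and hides


def find_notification_hiding_rules(events):
    """Return (user, time) for every inbox-rule creation/change that hides notifications."""
    return [(e["User"], e["Time"]) for e in events
            if e["Operation"] in ("New-InboxRule", "Set-InboxRule")
            and rule_hides_notifications(e.get("Parameters", {}))]


def find_mfa_then_payment_change(events, window=timedelta(hours=24)):
    """Return (user, minutes_between) where a payment change follows a new MFA
    method for the same user within `window`. Only the first qualifying pair per
    payment change is reported."""
    mfa_times = {}
    for e in events:
        if e["Operation"] == "MfaMethodRegistered":
            mfa_times.setdefault(e["User"], []).append(parse_time(e["Time"]))
    hits = []
    for e in events:
        if e["Operation"] != "PaymentElectionChanged":
            continue
        changed_at = parse_time(e["Time"])
        for registered_at in mfa_times.get(e["User"], []):
            delta = changed_at - registered_at
            if timedelta(0) <= delta <= window:
                hits.append((e["User"], int(delta.total_seconds() // 60)))
                break
    return hits


if __name__ == "__main__":
    print("notification-hiding rules:", find_notification_hiding_rules(SAMPLE_EVENTS))
    print("MFA enrolment then payment change:", find_mfa_then_payment_change(SAMPLE_EVENTS))
```

Against the sample data, only alice is flagged by both checks: her rule deletes anything mentioning Workday, and her payment election changed 21 minutes after a phone number was added as an MFA method. Bob's newsletter rule and Carol's authenticator enrolment are left alone. In practice the keyword list and folder set should be tuned to the HR and payroll systems an organisation actually uses, and the second check is most useful when the HR system's change log can be joined with identity-provider events on a common user identifier.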

These attacks are a form of Business Email Compromise (BEC), in which attackers use social engineering techniques to steal their victims’ account credentials and, ultimately, take over the employee account entirely. With that access, the attackers can not only divert payments but also steal sensitive company data. 

BEC attacks are one of the most costly types of cybercrime. Last year, the FBI’s Internet Crime Complaint Center (IC3) recorded losses of over $2.7 billion due to BEC scams, making them the second most lucrative form of cyberattack after investment scams. 

Mitigation Guidance

Following Microsoft’s disclosure of the attacks, Workday has published guidance for its customers via its community, and Microsoft continues to assist with mitigation efforts.

To secure themselves against social engineering and account compromise attacks, organizations should enforce MFA for all privileged roles across their networks, using phishing-resistant forms of authentication such as FIDO2 security keys and passkeys. 
