
Microsoft Warns of “Payroll Pirate” Scam Targeting Employee Paychecks

Summary

– Microsoft warns of an active scam that diverts employee paychecks to attacker-controlled accounts after compromising HR service profiles.
– Attackers use phishing emails to steal credentials and intercept multi-factor authentication codes with adversary-in-the-middle (AiTM) tactics.
– The campaign highlights the need for FIDO-based MFA, which resists this kind of interception because the credential is bound to the legitimate site's origin.
– Once inside an account, the scammers alter payroll settings in Workday to redirect direct deposits to their own bank accounts.
– Attackers create inbox rules that hide the notifications of the account changes, delaying detection by the victims.

A sophisticated phishing campaign known as “Payroll Pirate” is actively targeting employee paychecks by hijacking corporate HR accounts. Microsoft has issued a warning about this scam, which manipulates cloud-based HR platforms like Workday to reroute direct deposits into criminal-controlled bank accounts. The scheme begins with convincing phishing emails that trick staff into entering their login details on fraudulent websites.

The attackers use adversary-in-the-middle techniques to capture not only usernames and passwords but also multi-factor authentication codes. The fraudulent site is a proxy sitting between the victim and the legitimate login page: it forwards the victim's password and one-time code to the real HR system as they are typed and takes over the resulting session. This works against any MFA whose second factor is something the user can hand over (SMS codes, app-generated one-time codes, push approvals), which is why FIDO-based authentication (passkeys, hardware security keys) offers stronger protection: the browser binds each assertion to the origin it was made on, so a response produced on a look-alike domain is rejected by the genuine site and cannot be replayed.
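The following script is an added example, not code from Microsoft, Workday or the Ars Technica report, that models the two flows described above. The hostnames hr.example and phish.example, the user, the credential key and the challenge are all made up. The TOTP half is real RFC 6238 code; in the FIDO half an HMAC stands in for the authenticator's asymmetric signature (ES256 or Ed25519 in practice) so the script runs on the standard library alone, and the simulated browser still produces an assertion on the phishing origin even though a real browser would refuse to use a credential scoped to another RP ID, so that the relying-party checks that reject it are visible.

```python
"""Toy model of an AiTM phishing relay against TOTP versus FIDO/WebAuthn.

Constructed example: not Workday's, Microsoft's or any vendor's code.
hr.example / phish.example, the credential key and the challenge are
placeholders. HMAC stands in for the authenticator's asymmetric key.
"""
import hashlib
import hmac
import json
import struct

LEGIT_ORIGIN = "https://hr.example"     # assumed legitimate HR portal
PHISH_ORIGIN = "https://phish.example"  # assumed AiTM proxy the victim actually typed into
RP_ID = "hr.example"                    # relying-party ID the credential was registered for


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app displays."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def portal_login_totp(user_db: dict, user: str, password: str, code: str, now: int) -> bool:
    """Password + TOTP check. Nothing ties `code` to the site it was typed into."""
    record = user_db.get(user)
    if record is None or not hmac.compare_digest(record["password"], password):
        return False
    return hmac.compare_digest(code, totp(record["totp_secret"], now))


def relay_totp_login(user_db: dict, user: str, password: str, code: str, now: int) -> bool:
    """The proxy replays whatever the victim typed on phish.example to hr.example."""
    return portal_login_totp(user_db, user, password, code, now)


def authenticator_assert(cred_key: bytes, challenge: str, origin: str) -> dict:
    """What browser + authenticator return for navigator.credentials.get().

    The browser, not the page, writes `origin` into clientDataJSON and derives
    the RP ID from it, so a page on phish.example cannot claim to be hr.example.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    rp_id = origin.split("://", 1)[1]                 # scoped to the page's own domain
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x00"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()  # stand-in for an ES256 signature
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def portal_verify_assertion(cred_key: bytes, challenge: str, assertion: dict) -> bool:
    """Relying-party checks (WebAuthn §7.2) that defeat a relayed assertion."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != LEGIT_ORIGIN:              # relayed assertion fails here
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                  # and here: RP ID hash is phish.example's
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(assertion["sig"], expected)


def simulate(now: int = 59) -> dict:
    """Run both flows and report which logins the portal accepted."""
    totp_secret = b"12345678901234567890"             # RFC 6238 test-vector secret
    db = {"alice": {"password": "correct horse", "totp_secret": totp_secret}}
    victim_code = totp(totp_secret, now)              # read off the phone, typed into phish.example

    cred_key = b"\x42" * 32                           # alice's FIDO credential registered at hr.example
    challenge = "c2FtcGxlLWNoYWxsZW5nZQ"              # proxy relays the real challenge to the victim
    genuine = authenticator_assert(cred_key, challenge, LEGIT_ORIGIN)
    relayed = authenticator_assert(cred_key, challenge, PHISH_ORIGIN)

    return {
        "totp_relayed_accepted": relay_totp_login(db, "alice", "correct horse", victim_code, now),
        "fido_genuine_accepted": portal_verify_assertion(cred_key, challenge, genuine),
        "fido_relayed_accepted": portal_verify_assertion(cred_key, challenge, relayed),
    }


if __name__ == "__main__":
    print(simulate())
```

The relayed TOTP login succeeds because a six-digit code carries no information about where it was entered; the relayed FIDO assertion fails at the origin check before the signature is even looked at, which is the property the summary refers to.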

Once inside an employee’s HR profile, the fraudsters alter the payroll information. They change the bank account designated for direct deposit, ensuring that the next paycheck is sent to an account they control. To conceal their activity, the scammers set up email filtering rules that prevent Workday’s automatic change notifications from reaching the victim’s inbox. This stealthy move delays discovery, allowing the criminals to collect the stolen funds.
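Hunting for the notification-hiding rules described above is a routine check after any payroll change. The script below is an added example, not Microsoft's or Workday's detection logic: the rules it scans are constructed, the field names follow Exchange Online Get-InboxRule property names but the exact export schema is an assumption to adapt, and the keyword and folder heuristics are starting points rather than a vendor list.

```python
"""Flag mailbox rules that hide HR/payroll notifications (MITRE ATT&CK T1564.008).

Constructed example: not Microsoft's or Workday's detection logic. The sample
rules are made up; field names mirror Exchange Online Get-InboxRule properties,
but the schema of a real export is an assumption to adjust.
"""
import re

ORG_DOMAIN = "university.example"   # assumed internal domain; mail forwarded elsewhere is external

# Words a payroll-diversion rule would key on. Extend for your HR platform's sender/subjects.
PAYROLL_KEYWORDS = re.compile(
    r"workday|payroll|direct deposit|bank account|pay ?check|\bhr\b", re.I)
# Folders users rarely open; routing mail here is hiding, not tidying.
SUSPICIOUS_FOLDERS = re.compile(r"rss|junk|archive|deleted|conversation history", re.I)
CONDITION_FIELDS = ("FromAddressContainsWords", "SubjectContainsWords",
                    "SubjectOrBodyContainsWords", "BodyContainsWords")

# Constructed sample export. Attackers often give hiding rules blank or one-character names.
SAMPLE_RULES = [
    {"Mailbox": "alice@university.example", "Name": ".", "Enabled": True,
     "FromAddressContainsWords": ["workday"],
     "SubjectOrBodyContainsWords": ["direct deposit", "bank account"],
     "DeleteMessage": True, "MarkAsRead": True},
    {"Mailbox": "bob@university.example", "Name": "Newsletters", "Enabled": True,
     "FromAddressContainsWords": ["news@list.example"], "MoveToFolder": "Reading"},
    {"Mailbox": "carol@university.example", "Name": "HR", "Enabled": True,
     "FromAddressContainsWords": ["workday"], "MoveToFolder": "HR"},
    {"Mailbox": "dave@university.example", "Name": "", "Enabled": True,
     "SubjectOrBodyContainsWords": ["payroll"], "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Mailbox": "erin@university.example", "Name": "old", "Enabled": False,
     "SubjectContainsWords": ["payroll"], "DeleteMessage": True},
    {"Mailbox": "frank@university.example", "Name": "x", "Enabled": True,
     "SubjectContainsWords": ["paycheck"], "ForwardTo": ["frank.backup@webmail.example"]},
]


def keyword_hits(rule: dict) -> list:
    """Condition words that look like HR/payroll notification matching."""
    words = [w for f in CONDITION_FIELDS for w in (rule.get(f) or [])]
    return [w for w in words if PAYROLL_KEYWORDS.search(w)]


def hiding_actions(rule: dict) -> tuple:
    """Return (strong, supporting) reasons. Strong actions take the mail out of the user's sight."""
    strong, supporting = [], []
    if rule.get("DeleteMessage"):
        strong.append("deletes message")
    folder = rule.get("MoveToFolder")
    if folder and SUSPICIOUS_FOLDERS.search(folder):
        strong.append(f"moves to {folder!r}")
    for addr in rule.get("ForwardTo") or []:
        if not addr.lower().endswith("@" + ORG_DOMAIN):
            strong.append(f"forwards externally to {addr}")
    if rule.get("MarkAsRead"):
        supporting.append("marks as read")
    if len((rule.get("Name") or "").strip()) <= 1:
        supporting.append("blank or one-character rule name")
    return strong, supporting


def find_hiding_rules(rules: list) -> list:
    """A rule is flagged only when it matches payroll keywords AND removes the mail from view."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue                     # disabled rules are worth a note, but not an alert
        hits = keyword_hits(rule)
        strong, supporting = hiding_actions(rule)
        if hits and strong:
            findings.append({"mailbox": rule["Mailbox"], "name": rule.get("Name", ""),
                             "keywords": hits, "actions": strong + supporting})
    return findings


if __name__ == "__main__":
    for f in find_hiding_rules(SAMPLE_RULES):
        print(f"{f['mailbox']}: rule {f['name']!r} on {f['keywords']} -> {', '.join(f['actions'])}")
```

Run against a real export, pair each hit with the mailbox owner's recent Workday payment-election changes and sign-in locations; a hiding rule created within minutes of a bank-account change is the pattern to alert on, and carol's "HR" folder rule shows why a keyword match alone is too noisy to page on.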

According to Microsoft, the threat actors have sent realistic phishing emails to staff at multiple universities. Since March 2025, they have successfully compromised 11 accounts across three institutions, using them to distribute phishing messages to nearly 6,000 email addresses at 25 different universities. This widespread targeting demonstrates the scam’s scale and the importance of heightened security awareness and advanced authentication measures.

(Source: Ars Technica)
