
Microsoft: Hackers Steal University Payroll in Pirate Attacks

Summary

– Storm-2657 has been hijacking university salary payments in “payroll pirate” attacks since March 2025 by targeting Workday and other third-party HR SaaS platforms.
– The attackers use phishing emails with tailored themes such as campus illness outbreaks or faculty misconduct to steal MFA codes and compromise accounts.
– After breaching accounts, they create inbox rules that delete Workday notifications, alter payment details, and redirect salaries to accounts they control.
– The gang uses compromised accounts to send more phishing emails and enrolls their own MFA devices to maintain access and avoid detection.
– Microsoft has published guidance on investigating the intrusions and on deploying phishing-resistant MFA to block them; the attacks are a variant of costly BEC scams.

A cybercrime group tracked as Storm-2657 has been systematically targeting university payroll systems across the United States in a series of “payroll pirate” attacks that began in March 2025. Microsoft’s Threat Intelligence team has identified this ongoing campaign, noting that while Workday accounts have been the primary target, any other third-party human resources SaaS platform reached through the same compromised identity is exposed to the same technique.

Microsoft’s investigation revealed that threat actors successfully compromised eleven accounts across three different universities. These breached accounts were then used to distribute phishing emails to nearly 6,000 email addresses spanning twenty-five academic institutions. The company emphasized that these incidents do not indicate vulnerabilities within the Workday platform itself. Instead, financially motivated attackers are employing advanced social engineering techniques and exploiting the absence of phishing-resistant multifactor authentication to gain unauthorized access.

The phishing campaigns demonstrate remarkable customization, with attackers tailoring messages to specific targets using various convincing themes. These include fabricated alerts about campus disease outbreaks, false reports of faculty misconduct, and communications impersonating university presidents. Other deceptive emails appear to originate from human resources departments, sharing information about compensation packages or benefits while containing malicious links.

Storm-2657 sends adversary-in-the-middle (AitM) phishing links: the victim signs in through an attacker-controlled proxy that relays the password and MFA code to the real login page and captures the resulting authenticated session, which gives the attackers access to the victim’s Exchange Online mailbox. Once inside, they create inbox rules that automatically delete Workday notification emails, so the victim never sees the alerts Workday sends when payment details change. Because Workday is reached through the same single sign-on identity, the attackers then open the victim’s Workday profile, modify the salary payment configuration, and redirect funds to accounts under their control.
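The inbox-rule step is the one defenders can most easily check for after the fact. As an added example (not code from the article, from BleepingComputer, or from Microsoft’s published guidance), the following Python script triages an export of mailbox inbox rules for the pattern described above: rules that delete, mark as read, or file away mail from Workday or about payroll, plus unconditional delete-everything rules. The records are constructed for this example and are only shaped like `Get-InboxRule` output converted to JSON; the field names used, the keyword lists, and the “suspicious folder” list are assumptions, not Microsoft’s detection logic.

```python
"""Triage exported Exchange Online inbox rules for payroll-hiding behaviour.

Added example, not code from the article or from Microsoft. Input records
are constructed and merely shaped like `Get-InboxRule | ConvertTo-Json`
output; field names and keyword lists below are assumptions.
"""
import json
import re

# Senders/phrases a payroll-hijacking actor would want the victim not to see.
WORKDAY_SENDER_RE = re.compile(r"workday", re.I)
PAYROLL_KEYWORDS = ("workday", "payroll", "direct deposit", "payment election",
                    "bank account", "compensation")
# Folders commonly used to bury mail the user is unlikely to browse.
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "archive",
                  "junk email", "conversation history"}

# Constructed sample export (assumed shape). Rule names "." and "" mimic the
# blank/punctuation-only names attackers often use, which is a weak signal.
SAMPLE_RULES_JSON = r"""
[
  {"MailboxOwnerId": "prof.smith@example.edu", "Name": ".", "Enabled": true,
   "From": ["no-reply@university.myworkday.com"], "SubjectContainsWords": null,
   "SubjectOrBodyContainsWords": null, "DeleteMessage": true,
   "MoveToFolder": null, "MarkAsRead": true},
  {"MailboxOwnerId": "prof.smith@example.edu", "Name": "Vendor newsletters",
   "Enabled": true, "From": ["news@vendor.example"], "SubjectContainsWords": null,
   "SubjectOrBodyContainsWords": null, "DeleteMessage": false,
   "MoveToFolder": "prof.smith@example.edu\\Newsletters", "MarkAsRead": false},
  {"MailboxOwnerId": "hr.assistant@example.edu", "Name": "cleanup", "Enabled": true,
   "From": null, "SubjectContainsWords": null,
   "SubjectOrBodyContainsWords": ["direct deposit", "payment elections"],
   "DeleteMessage": false, "MoveToFolder": "hr.assistant@example.edu\\RSS Feeds",
   "MarkAsRead": true},
  {"MailboxOwnerId": "dean@example.edu", "Name": "", "Enabled": true,
   "From": null, "SubjectContainsWords": null, "SubjectOrBodyContainsWords": null,
   "DeleteMessage": true, "MoveToFolder": null, "MarkAsRead": false}
]
"""


def load_rules(text):
    """Parse a JSON array of inbox-rule records."""
    return json.loads(text)


def _words(rule, field):
    """Lower-cased list for a possibly-null list-valued field."""
    return [str(v).lower() for v in (rule.get(field) or [])]


def rule_targets_payroll(rule):
    """True if the rule's conditions single out Workday or payroll mail."""
    senders = _words(rule, "From")
    words = _words(rule, "SubjectContainsWords") + _words(rule, "SubjectOrBodyContainsWords")
    if any(WORKDAY_SENDER_RE.search(s) for s in senders):
        return True
    return any(k in w for w in words for k in PAYROLL_KEYWORDS)


def rule_hides_mail(rule):
    """Return the actions that keep matching mail out of the user's sight."""
    actions = []
    if rule.get("DeleteMessage"):
        actions.append("DeleteMessage")
    folder = rule.get("MoveToFolder") or ""
    # Exported folder paths look like "mailbox\Folder"; compare the leaf only.
    if folder.rsplit("\\", 1)[-1].lower() in HIDING_FOLDERS:
        actions.append(f"MoveToFolder:{folder}")
    if rule.get("MarkAsRead"):  # weak on its own, telling when paired with a payroll filter
        actions.append("MarkAsRead")
    return actions


def has_conditions(rule):
    """True if the rule filters on sender or content at all."""
    return any(rule.get(f) for f in ("From", "SubjectContainsWords",
                                     "SubjectOrBodyContainsWords", "BodyContainsWords"))


def triage_rules(rules):
    """Return findings for enabled rules that hide payroll mail or hide everything."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        hiding = rule_hides_mail(rule)
        if not hiding:
            continue
        reasons = []
        if rule_targets_payroll(rule):
            reasons.append("targets Workday/payroll mail")
        if not has_conditions(rule) and "DeleteMessage" in hiding:
            reasons.append("deletes every incoming message")
        if not reasons:
            continue  # e.g. a genuine newsletter filter
        name = rule.get("Name") or ""
        if not name.strip(". "):
            reasons.append("blank or punctuation-only rule name")
        findings.append({"mailbox": rule.get("MailboxOwnerId"), "rule": name,
                         "actions": hiding, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_rules(load_rules(SAMPLE_RULES_JSON)):
        print(f"{f['mailbox']!s:28} rule={f['rule']!r:12} {f['actions']} {f['reasons']}")
```

Against a real tenant, feed it `Get-InboxRule -Mailbox <user> | ConvertTo-Json` for each mailbox of interest. Note that a rule review only finds rules that still exist; an attacker can remove the rule once the payment change has cleared, so the unified audit log’s `New-InboxRule` and `Set-InboxRule` operations are the more durable source for hunting this step, and a rule that appears there but not in the mailbox is itself a finding.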

The compromised accounts serve as launching points for additional phishing campaigns, both within the originally targeted organization and externally to other universities. In some instances, the threat actors went a step further and registered their own phone numbers as MFA devices for the breached accounts, either through the victims’ Workday profiles or through Duo MFA settings. With a device of their own enrolled, they can approve the MFA prompts their later actions trigger without ever sending an unexpected prompt to the victim, which gives them persistence while avoiding detection.

Microsoft has proactively contacted affected customers to assist with mitigation efforts and has published comprehensive guidance for investigating these attacks. The company strongly recommends implementing phishing-resistant MFA as a critical defense measure to protect user accounts from similar compromises.

These “payroll pirate” operations are a specialized variation of business email compromise scams, which target organizations and individuals that make routine payments such as wire transfers; here the intercepted payment is the salary direct deposit. According to FBI data for 2024, the Internet Crime Complaint Center documented more than 21,000 BEC fraud complaints with losses exceeding $2.7 billion, making BEC the second most costly cybercrime category after investment scams. These figures likely represent only a portion of actual losses, as many incidents go unreported to law enforcement or are never detected.

(Source: Bleeping Computer)
