A cybercrime group tracked as Storm-2657 has targeted U.S. university employees since March 2025, using “payroll pirate” attacks to compromise accounts and hijack salary payments through sophisticated social engineering tactics meant to bypass security measures.
Microsoft Threat Intelligence analysts who discovered the campaign observed that the threat actors are specifically targeting Workday accounts for payroll diversion. The analysts noted, however, that the attack methods are not exclusive to one platform, indicating that other third-party human resources (HR) software-as-a-service (SaaS) systems could also be vulnerable to similar infiltration techniques. The focus remains on platforms that handle sensitive employee data and financial transactions. According to a report from Microsoft, the scale of the operation has been significant. “We’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities,” the company stated, detailing the widespread nature of the phishing effort.
The report explicitly clarifies that the successful breaches are not the result of a software vulnerability within the Workday platform itself. Instead, the attackers’ success hinges on a combination of advanced social engineering and security gaps at the targeted institutions. Microsoft emphasized this point, stating, “These attacks don’t represent any vulnerability in the Workday platform or products, but rather financially motivated threat actors using sophisticated social engineering tactics and taking advantage of the complete lack of multifactor authentication (MFA) or lack of phishing-resistant MFA to compromise accounts.”
To execute the attacks, Storm-2657 crafts phishing emails that are custom-tailored for each target to increase their believability and the likelihood of success. The themes of these emails are varied and designed to provoke an immediate response from the recipient. Examples of these deceptive communications include urgent warnings about campus illness outbreaks, sensitive reports concerning alleged faculty misconduct, and emails that impersonate the university president. Other lures involve messages purporting to be from HR, sharing information about employee compensation and benefits or linking to falsified HR documents that require the user’s credentials to access.
The technical method for the initial compromise involves the use of adversary-in-the-middle (AITM) links embedded within the phishing emails. When a victim clicks these links, they are directed to a fake sign-in page that intercepts their credentials, including any multifactor authentication codes they enter. This theft of MFA codes is what enables the threat actors to gain unauthorized access to the victim’s Exchange Online account, establishing the initial foothold within the university’s network.
Once inside a breached email account, the attackers take immediate steps to cover their tracks and facilitate the financial theft. They configure new inbox rules designed to automatically find and delete any warning notification emails sent from Workday. This action prevents the legitimate user from being alerted to subsequent unauthorized changes made to their profile. With this concealment in place, the attackers use single sign-on (SSO) to pivot from the compromised email account directly into the victim’s Workday profile. From there, they alter salary payment configurations, redirecting future payroll deposits to financial accounts under their control.
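A defender-side check for the concealment step described above, as an added example that is not taken from Microsoft's report or the original article: it scans Microsoft 365 unified audit records (one JSON object per line) for inbox rules that delete mail mentioning an HR platform. The `suspicious_rules` and `_rec` names, the keyword list and the sample records are assumptions constructed for illustration.

```python
import json

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}  # Exchange inbox-rule cmdlets
MATCH_PARAMS = ("From", "FromAddressContainsWords", "SubjectContainsWords",
                "BodyContainsWords", "SubjectOrBodyContainsWords")
KEYWORDS = ("workday",)  # assumption: add your own HR/payroll platform names

def suspicious_rules(lines, keywords=KEYWORDS):
    """Return one finding per rule that deletes mail matching a keyword."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict) or rec.get("Operation") not in RULE_OPS:
            continue
        # Audit records carry cmdlet arguments as a list of Name/Value pairs.
        params = {p.get("Name"): str(p.get("Value", ""))
                  for p in rec.get("Parameters", [])}
        if params.get("DeleteMessage", "").lower() != "true":
            continue  # only rules that delete the matched mail
        text = " ".join(params.get(n, "") for n in MATCH_PARAMS).lower()
        hits = sorted(k for k in keywords if k in text)
        if hits:
            findings.append({"user": rec.get("UserId"), "ip": rec.get("ClientIP"),
                             "time": rec.get("CreationTime"),
                             "rule": params.get("Name", ""), "keywords": hits})
    return findings

def _rec(op, user, **params):
    """Build a constructed audit record (sample data, not real logs)."""
    return json.dumps({"CreationTime": "2025-01-01T00:00:00", "Operation": op,
                       "UserId": user, "ClientIP": "203.0.113.10",
                       "Parameters": [{"Name": k, "Value": v}
                                      for k, v in params.items()]})
SAMPLE = [
    _rec("New-InboxRule", "a@example.edu", Name="rule1", DeleteMessage="True",
         FromAddressContainsWords="workday"),
    _rec("New-InboxRule", "b@example.edu", Name="news", MoveToFolder="News",
         SubjectContainsWords="newsletter"),
    _rec("New-InboxRule", "c@example.edu", Name="ads", DeleteMessage="True",
         SubjectContainsWords="coupon"),
    _rec("MailItemsAccessed", "a@example.edu"),
    "not json",
]

if __name__ == "__main__":
    print(suspicious_rules(SAMPLE))
```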
The compromised accounts also serve as a launchpad for expanding the attack. “Following the compromise of email accounts and the payroll modifications in Workday, the threat actor leveraged newly accessed accounts to distribute further phishing emails, both within the organization and externally to other universities,” Microsoft added. To maintain long-term access, the attackers established persistence by enrolling their own phone numbers as MFA devices for the compromised accounts. This was done through either the Workday profiles or associated Duo MFA settings, allowing them to approve future malicious actions and evade detection even if passwords were changed.
In response to the campaign, Microsoft has identified the affected customers and has reached out to some to provide assistance with mitigation. The company also released detailed guidance to help organizations investigate these attacks and implement phishing-resistant MFA, a key defense to protect user accounts from this type of compromise. These “payroll pirate” attacks are classified as a variant of business email compromise (BEC) scams, which broadly target businesses and individuals that regularly process wire transfer payments.