Payroll Pirate Attacks: Storm-2657 Hijacks University Workday Accounts to Steal Salaries

Oct 10, 2025

Key Takeaways

  • A financially motivated gang tracked as Storm-2657 has run “payroll pirate” attacks against U.S. universities since March 2025, compromising HR/Workday access to redirect salary payments.

  • Attackers used adversary-in-the-middle (AITM) phishing links to steal MFA codes, enrolled their own phone numbers as MFA devices, and established persistence via inbox rules and Workday access through single sign-on.

  • Microsoft observed 11 compromised accounts at three universities that were then used to phish nearly 6,000 email accounts across 25 universities — underscoring the scale and stealth of the campaign.

  • Root causes: targeted social engineering combined with lack of phishing-resistant MFA and weak account monitoring. Microsoft recommends implementing phishing-resistant MFA and investigating account enrollments and inbox rules.

What Happened

Microsoft Threat Intelligence uncovered a coordinated campaign in which Storm-2657 targeted university HR employees to seize control of Workday-linked accounts. Attack emails — tailored to each target — used plausible themes (illness alerts, faculty misconduct, compensation notices, even impersonating university leadership) to trick recipients into clicking AITM phishing links. Those links harvested MFA codes, enabling attackers to take over Exchange Online accounts, hide Workday notifications with inbox rules, and then change payroll configurations in Workday via SSO to reroute salary payments.

Who’s Involved

  • Storm-2657: Financially motivated threat group running payroll-pirate attacks against higher-education targets.

  • Microsoft Threat Intelligence: Detector and reporter of the campaign; provided mitigation guidance.

  • Targets: HR employees and payroll administrators at multiple U.S. universities; secondary targets included faculty and staff whose addresses were abused to spread the campaign.

  • Workday & Exchange Online: Platforms abused for payroll changes and mail account takeover (SSO and Exchange were leveraged through stolen sessions, not exploited for software flaws).

Exposed Capabilities & Techniques

  • Adversary-in-the-Middle (AITM) phishing links — used to intercept credentials and MFA codes.

  • Tailored social engineering — highly customized lures (fake HR documents, leadership impersonation, compensation notices) to increase click rates.

  • Account persistence — attackers enrolled their own phone numbers as MFA devices and set inbox rules to delete or hide notification emails.

  • Payroll manipulation via SSO — after gaining mailbox access, attackers reached Workday through single sign-on to change payment targets.

Broader Impact

These “payroll pirate” attacks are a sophisticated variant of business email compromise (BEC) that specifically target payroll workflows. Microsoft’s findings — 11 confirmed account compromises propagating phishing to thousands of recipients — highlight how quickly a breach of a few privileged HR accounts can cascade across institutions. The FBI’s IC3 has long warned that BEC remains one of the most costly cybercrime types, with tens of thousands of complaints and billions in losses in recent years; campaigns like this will likely continue to target organizations with payroll and SSO dependencies.

What’s Next (Mitigation & Detection)

  • Deploy phishing-resistant MFA (FIDO2 hardware keys or platform passkeys, which bind the credential to the legitimate sign-in origin so an AITM proxy cannot relay it) for HR and anyone with payroll access.

  • Harden SSO and Workday configurations: restrict who can change payroll, log and alert on profile/phone enrollment changes, and require secondary verification for payment changes.

  • Monitor and alert on inbox rules and mail forwarding: alert on creation of rules that delete or forward HR notifications.

  • Phishing awareness targeted at HR: tabletop exercises and simulated AITM scenarios for HR/payroll teams.

  • Incident playbooks: prepare rapid recovery procedures for payroll diversion — including rolling back Workday changes, revoking SSO sessions, and re-enrolling legitimate MFA devices.
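The two monitoring recommendations above (alerting on phone/MFA enrollment changes, and on inbox rules that hide or forward HR notifications) can be expressed as a small triage routine over audit records. The code below is an added example written for this article; it is not code from Microsoft, ClearPhish, or Workday. The record shapes are simplified, constructed stand-ins for two real sources: Exchange Online unified audit log entries for the New-InboxRule / Set-InboxRule cmdlets (whose parameter names such as DeleteMessage, MoveToFolder, ForwardTo and SubjectContainsWords are the real cmdlet parameters), and Entra ID audit entries for security-info registration. The field names UserId, Parameters, ActivityDisplayName, TargetUser, Method and ActorIp, the HR keyword list, and the watch list of high-value accounts are assumptions to be mapped onto your own export. It goes one step beyond the bullets by correlating the two indicators per user, which is the combination Storm-2657 relied on for persistence.

```python
"""Triage Microsoft 365 audit records for payroll-pirate persistence indicators.

Added example for this article, not vendor code. Record shapes and field names
are simplified assumptions; adapt them to your tenant's audit-log export.
"""
from dataclasses import dataclass

# Phrases that HR/payroll notifications typically carry (assumption; tune per tenant).
HR_KEYWORDS = ("workday", "payroll", "direct deposit", "payment election", "bank account")

# Accounts with payroll privileges that warrant alerting on any phone-method enrollment
# (constructed watch list).
HIGH_VALUE_USERS = {"hr.admin@university.example", "payroll@university.example"}

# New-InboxRule / Set-InboxRule parameters that make a rule hide, or leak, mail.
HIDING_PARAMS = {"DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
MATCHING_PARAMS = {"SubjectContainsWords", "BodyContainsWords",
                   "SubjectOrBodyContainsWords", "From"}


@dataclass
class Finding:
    user: str
    kind: str
    reason: str


def _params(record):
    """Flatten the audit record's Parameters list ([{Name, Value}, ...]) into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def inspect_inbox_rule(record):
    """Flag an inbox-rule record that forwards mail, or that hides HR-related mail."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = _params(record)
    forwards = FORWARDING_PARAMS & params.keys()
    if forwards:
        # Any forwarding/redirect rule on a mailbox is worth a ticket on its own.
        return Finding(record["UserId"], "inbox_rule_forward",
                       f"rule forwards mail via {sorted(forwards)}")
    matches_hr = any(kw in params.get(name, "").lower()
                     for name in MATCHING_PARAMS for kw in HR_KEYWORDS)
    hides = HIDING_PARAMS & params.keys()
    if matches_hr and hides:
        return Finding(record["UserId"], "inbox_rule_hide_hr",
                       f"rule hides HR mail via {sorted(hides)}")
    return None


def inspect_mfa_registration(record):
    """Flag a phone/SMS/voice MFA method registered on a high-value account."""
    if record.get("ActivityDisplayName") != "User registered security info":
        return None
    if record.get("Method", "").lower() not in ("phone", "sms", "voice"):
        return None
    user = record["TargetUser"]
    if user in HIGH_VALUE_USERS:
        return Finding(user, "mfa_phone_enrolled",
                       f"phone method enrolled from {record.get('ActorIp')}")
    return None


def triage(records):
    """Run both inspectors; escalate users showing more than one indicator kind."""
    findings = []
    for rec in records:
        finding = inspect_inbox_rule(rec) or inspect_mfa_registration(rec)
        if finding:
            findings.append(finding)
    kinds_by_user = {}
    for f in findings:
        kinds_by_user.setdefault(f.user, set()).add(f.kind)
    escalated = sorted(u for u, kinds in kinds_by_user.items() if len(kinds) >= 2)
    return findings, escalated


# Constructed sample records mimicking the two audit sources.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "hr.admin@university.example",
     "Parameters": [{"Name": "Name", "Value": "cleanup"},
                    {"Name": "SubjectContainsWords", "Value": "Workday"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "prof@university.example",
     "Parameters": [{"Name": "Name", "Value": "newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "Digest"},
                    {"Name": "MoveToFolder", "Value": "Inbox\\Newsletters"}]},
    {"ActivityDisplayName": "User registered security info",
     "TargetUser": "hr.admin@university.example", "Method": "Phone",
     "ActorIp": "203.0.113.45"},
    {"Operation": "Set-InboxRule", "UserId": "payroll@university.example",
     "Parameters": [{"Name": "Identity", "Value": "cleanup"},
                    {"Name": "ForwardTo", "Value": "external@mail.example"}]},
]

if __name__ == "__main__":
    found, escalate = triage(SAMPLE_RECORDS)
    for f in found:
        print(f"{f.kind:22} {f.user:32} {f.reason}")
    print("escalate:", escalate)
```

The benign "Digest" rule on the faculty mailbox is deliberately included: it hides mail but matches no HR keyword, so it produces no finding, which keeps the alert volume down. Only the HR administrator shows both a hiding rule and a new phone method, and only that account is escalated.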

Conclusion

Payroll workflows and HR systems are high-value targets for financially motivated attackers. When attackers combine bespoke social engineering, AITM phishing, and weaknesses in MFA/SSO, they can quietly redirect salaries and propagate further compromises across institutions. Universities and organizations that rely on SaaS HR platforms should treat HR accounts like crown jewels: enforce phishing-resistant MFA, tighten SSO change controls, log anomalous enrollment and rule changes, and train HR staff with realistic phishing simulations.
