Microsoft Warns of Payroll Pirate Attacks Hitting US Higher Education

Microsoft Threat Intelligence has exposed a campaign of financially motivated cyberattacks against universities across the United States. The threat actor, Storm-2657, is executing "payroll pirate" attacks by exploiting weak authentication to reroute employee salaries into bank accounts controlled by the attackers. 

How the Payroll Pirate Attack Works 

The group operated throughout the first half of 2025, primarily targeting university employees. The scheme begins with Storm-2657 stealing login credentials and multi-factor authentication (MFA) codes. Once inside an employee's account, the attackers access the human resources (HR) system, most commonly Workday, to change the payroll information and redirect future salary payments.

Microsoft clarified that the attackers are exploiting human error and weak authentication, not a vulnerability in the Workday platform itself. Because the goal is financial and the method is deception rather than malware, these schemes are a variant of Business Email Compromise (BEC).

Phishing Tactics and Evasion 

Storm-2657 used highly convincing phishing campaigns to gain initial access. The emails were crafted to mimic official university communications, tricking recipients into revealing credentials and MFA codes. Starting in March 2025, Microsoft observed that the attackers compromised 11 accounts across three universities, then used those accounts to send phishing emails to nearly 6,000 individuals at 25 other institutions. 

The phishing messages often used alarming subject lines, such as "COVID-Like Case Reported" or "Faculty Compliance Notice," or impersonated university officials discussing "compensation updates" to appear authentic. 

After gaining access, the attackers were methodical: 

  1. They logged into the victims' email and Workday accounts. 
  2. They created inbox rules to automatically delete any notifications from Workday, ensuring the employee wouldn't see alerts about payroll changes. 
  3. They modified the "Payment Election" settings in Workday, changing the bank account numbers to their own. 
  4. They registered their own phone numbers as MFA devices on the compromised profiles to maintain persistent access. 

Microsoft's Recommendations 

Microsoft has notified affected universities and shared details of Storm-2657's tactics. The company urges organizations to move beyond simple MFA to adopt phishing-resistant authentication methods, such as FIDO2 security keys or Microsoft Authenticator passkeys. Security teams must also proactively monitor for unusual changes in payroll configurations or the creation of new inbox deletion rules. 
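An added detection example, not from Microsoft's advisory or this article: it correlates the attacker steps listed above (an inbox rule that deletes Workday mail, a "Payment Election" change, a newly registered phone MFA method) per user within a 48-hour window, which is the monitoring Microsoft recommends. The audit events are constructed, and their field names are assumptions rather than any real Exchange Online, Entra ID or Workday schema.

```python
from datetime import datetime, timedelta

# Constructed, normalized audit events for illustration only; the field names are
# assumptions, not the real Exchange Online, Entra ID or Workday audit schema.
EVENTS = [
    {"ts": "2025-03-12T09:14:02Z", "user": "jdoe@uni.example", "type": "inbox_rule_created",
     "action": "delete", "match": "Workday"},
    {"ts": "2025-03-12T09:20:45Z", "user": "jdoe@uni.example", "type": "payment_election_changed"},
    {"ts": "2025-03-12T09:31:10Z", "user": "jdoe@uni.example", "type": "mfa_method_added",
     "method": "phone"},
    {"ts": "2025-03-12T11:02:00Z", "user": "asmith@uni.example", "type": "inbox_rule_created",
     "action": "move", "match": "newsletter"},
    {"ts": "2025-03-15T15:40:00Z", "user": "asmith@uni.example", "type": "payment_election_changed"},
]

# Senders whose deletion by an inbox rule hides payroll alerts from the employee.
SUPPRESSED_SENDERS = ("workday", "payroll")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def indicator(ev):
    """Map one event to a payroll-pirate indicator name, or None if it looks benign."""
    if ev["type"] == "inbox_rule_created":
        hides_hr = any(k in ev["match"].lower() for k in SUPPRESSED_SENDERS)
        return "hr_notification_suppression" if ev["action"] == "delete" and hides_hr else None
    if ev["type"] == "payment_election_changed":
        return "payroll_account_change"
    if ev["type"] == "mfa_method_added" and ev.get("method") == "phone":
        return "new_phone_mfa"
    return None

def find_payroll_pirate_candidates(events, window=timedelta(hours=48)):
    """Return {user: sorted indicators} for each user whose payment election change
    has a notification-suppression rule or a new phone MFA method within the window."""
    by_user = {}
    for ev in events:
        name = indicator(ev)
        if name:
            by_user.setdefault(ev["user"], []).append((parse_ts(ev["ts"]), name))
    flagged = {}
    for user, hits in by_user.items():
        for t0, name in hits:
            if name != "payroll_account_change":
                continue
            nearby = {n for t, n in hits if abs(t - t0) <= window}
            if nearby & {"hr_notification_suppression", "new_phone_mfa"}:
                flagged[user] = sorted(nearby)
    return flagged
```

A lone payment election change (asmith above) is routine and is not flagged; only the combination with a suppression rule or a new MFA method raises the alert, which keeps the rule usable on a campus with frequent legitimate bank changes.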
