Hackers Exploit Microsoft Employee Accounts in Salary Theft Scheme

Microsoft Threat Intelligence is sounding the alarm on a surge of sophisticated “payroll pirate” attacks, in which financially motivated adversaries hijack employee accounts to reroute salary payments to attacker-controlled bank accounts.

In the first half of 2025, Storm-2657 launched a widespread phishing campaign against university staff, harvesting credentials and multifactor authentication (MFA) codes.

Attackers deployed realistic emails themed around campus illness outbreaks or alleged faculty misconduct, containing links to Google Docs pages that redirected victims to adversary-in-the-middle (AITM) phishing domains.

The threat actor, which Microsoft tracks as Storm-2657, has been observed targeting U.S.-based organizations, particularly higher education institutions, by compromising employee accounts on third-party human resources (HR) software-as-a-service (SaaS) platforms such as Workday and then altering payroll configurations to siphon wages.

Figure: Attack flow of threat actor activity in a real incident.

Eleven employee accounts across three universities were successfully compromised, then weaponized to send over 6,000 phishing emails to 25 institutions.

In many cases, the absence of phishing-resistant MFA enabled threat actors to intercept one-time codes and bypass account protections, illustrating the urgent need for stronger authentication measures.

Once inside a compromised Exchange Online mailbox, Storm-2657 suppressed Workday's warning emails by creating inbox rules that deleted any incoming notification of profile changes.

With those warnings suppressed, the attackers could modify salary payment elections in the victims' Workday profiles without the account owners noticing. By changing the bank account details on file, the threat actor redirected subsequent paychecks to attacker-controlled accounts.

Approximately 10% of recipients reported the email as a suspected phishing attempt.

Figure: Sample of a phishing email sent by the threat actor with an illness-exposure theme.

To maintain persistence, Storm-2657 enrolled its own phone numbers as MFA devices, either through Workday's profile settings or through Duo MFA, so that later sign-ins and changes no longer required any approval from the compromised users.

Mitigations

Microsoft has proactively reached out to affected customers, sharing detailed tactics, techniques, and procedures (TTPs) to assist in incident response.

The threat actor may also have tried to stay under the radar during mailbox reviews by naming the malicious rules solely with special characters or non-alphabetic symbols, such as "...." or "''''", so that the rules look like noise rather than deliberate filters.

Figure: An example of inbox rule creation to delete all incoming emails from the Workday portal.

Organizations are urged to bolster defenses by implementing phishing-resistant MFA such as FIDO2 security keys, Windows Hello for Business, or passkeys via Microsoft Authenticator.

Enforcing these methods for all privileged and HR-facing roles in Microsoft Entra ID can dramatically reduce account takeover risks.

For detection, Microsoft Defender for Cloud Apps correlates signals from Exchange Online and Workday, surfacing suspicious inbox rule creations and payroll configuration changes.

Analysts can hunt for deletions of emails containing “Payment Elections” or “Direct Deposit,” as well as audit events labeled “Change My Account” or “Manage Payment Elections.” Defender XDR and Microsoft Sentinel users can leverage prebuilt hunting queries in the CloudAppEvents and EmailEvents tables to identify bulk phishing sends from “.edu” domains, risky sign-ins, and new MFA device registrations occurring within hours of anomalous logins.
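The hunting ideas above (symbol-only inbox rules that delete HR notifications, and MFA device registrations that follow a risky sign-in within hours) are easy to express as plain detection logic. The following is an added example written for this article, not Microsoft's, Workday's or any product's code, and it runs over constructed sample records rather than real logs. The field names (`rule_name`, `from_contains`, `risk`, `method` and so on) are assumptions standing in for whatever your exported audit, sign-in and mail-flow data actually carries; map them to the real columns before use.

```python
"""Detection helpers for "payroll pirate" tradecraft (added example, not vendor code).

All records below are constructed to resemble the fields a hunter would pull
from Exchange Online inbox-rule audits, Entra ID sign-in logs, MFA-registration
events and outbound mail-flow data. Every field name is an assumption.
"""
from datetime import datetime, timedelta

PAYROLL_TERMS = ("payment elections", "direct deposit")  # subjects the actor hid
HR_SENDER_HINTS = ("workday",)                            # HR platform sender hint

# --- constructed sample data (not real logs) --------------------------------
INBOX_RULES = [
    {"user": "prof.a@univ.edu", "rule_name": "Receipts", "from_contains": "receipts@vendor.example",
     "subject_contains": "", "action": "MoveToFolder"},
    {"user": "prof.b@univ.edu", "rule_name": "....", "from_contains": "workday.com",
     "subject_contains": "", "action": "DeleteMessage"},
    {"user": "staff.c@univ.edu", "rule_name": "''''", "from_contains": "",
     "subject_contains": "Payment Elections", "action": "DeleteMessage"},
    {"user": "staff.d@univ.edu", "rule_name": "Lists", "from_contains": "news@list.example",
     "subject_contains": "", "action": "MoveToFolder"},
]
SIGNINS = [
    {"user": "prof.b@univ.edu", "time": "2025-03-04T02:11:00", "risk": "high"},
    {"user": "prof.a@univ.edu", "time": "2025-03-04T09:00:00", "risk": "none"},
    {"user": "staff.c@univ.edu", "time": "2025-03-05T22:30:00", "risk": "medium"},
]
MFA_REGISTRATIONS = [
    {"user": "prof.b@univ.edu", "time": "2025-03-04T03:40:00", "method": "phone"},
    {"user": "prof.a@univ.edu", "time": "2025-03-06T10:00:00", "method": "phone"},
    {"user": "staff.c@univ.edu", "time": "2025-03-06T09:00:00", "method": "phone"},  # 10.5 h later
]
OUTBOUND_MAIL = [{"sender": "prof.b@univ.edu"}] * 750 + [{"sender": "prof.a@univ.edu"}] * 3


def name_is_only_symbols(rule_name: str) -> bool:
    """True for rule names like '....' or \"''''\" that contain no letter or digit."""
    return bool(rule_name) and not any(ch.isalnum() for ch in rule_name)


def rule_hides_payroll_mail(rule: dict) -> bool:
    """True when a delete/move rule is keyed on the HR sender or a payroll subject."""
    if rule["action"] not in ("DeleteMessage", "MoveToFolder"):
        return False
    sender = rule.get("from_contains", "").lower()
    subject = rule.get("subject_contains", "").lower()
    return any(h in sender for h in HR_SENDER_HINTS) or any(t in subject for t in PAYROLL_TERMS)


def suspicious_inbox_rules(rules: list) -> list:
    """Return each rule that trips a check, with the reasons, for analyst triage."""
    hits = []
    for rule in rules:
        reasons = []
        if name_is_only_symbols(rule["rule_name"]):
            reasons.append("symbol-only rule name")
        if rule_hides_payroll_mail(rule):
            reasons.append("hides HR/payroll notifications")
        if reasons:
            hits.append({"user": rule["user"], "rule_name": rule["rule_name"], "reasons": reasons})
    return hits


def mfa_registered_after_risky_signin(signins: list, registrations: list, window_hours: int = 6) -> list:
    """Pair each medium/high-risk sign-in with an MFA device registered by the same
    user within `window_hours` afterwards (the persistence step described above)."""
    window = timedelta(hours=window_hours)
    pairs = []
    for s in signins:
        if s["risk"] not in ("medium", "high"):
            continue
        t0 = datetime.fromisoformat(s["time"])
        for r in registrations:
            t1 = datetime.fromisoformat(r["time"])
            if r["user"] == s["user"] and timedelta(0) <= t1 - t0 <= window:
                pairs.append({"user": s["user"], "signin": s["time"],
                              "registered": r["time"], "method": r["method"]})
    return pairs


def bulk_senders(email_events: list, threshold: int = 500) -> dict:
    """Senders whose outbound volume crosses the threshold; eleven compromised
    accounts sent over 6,000 messages, so a per-mailbox count is a cheap first cut."""
    counts = {}
    for e in email_events:
        counts[e["sender"]] = counts.get(e["sender"], 0) + 1
    return {sender: n for sender, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in suspicious_inbox_rules(INBOX_RULES):
        print("inbox rule:", hit)
    for pair in mfa_registered_after_risky_signin(SIGNINS, MFA_REGISTRATIONS):
        print("mfa after risky sign-in:", pair)
    print("bulk senders:", bulk_senders(OUTBOUND_MAIL))
```

The three checks are deliberately independent so each can feed its own alert; in practice you would join them on the user, since a mailbox that shows a symbol-only delete rule, a new phone MFA method and a burst of outbound mail within the same day is the full pattern the article describes.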

In the event of compromise, Microsoft recommends immediate remediation steps: reset credentials and revoke all sessions; remove unauthorized inbox rules; review and re-register or remove suspicious MFA devices; and revert any payroll or bank account changes in HR systems.

Organizations should also enable the Workday connector in Defender for Cloud Apps and deploy Threat Intelligence mapping analytics in Sentinel to automate monitoring of known malicious domains and behavioral patterns.

As cybercriminals increasingly focus on payroll theft, the collaboration between Microsoft and Workday highlights the importance of shared threat intelligence and joint mitigation efforts.

Adopting passwordless, phishing-resistant authentication and leveraging advanced detection capabilities remains critical to protecting user accounts and safeguarding employee compensation from evolving “payroll pirate” schemes.
