Microsoft warns of ‘payroll pirate’ attacks against US universities

Microsoft’s Threat Intelligence team has sounded the alarm over a new financially-motivated cybercrime spree that is raiding US university payroll systems.

In a blog post, Redmond said a cybercrime crew it tracks as Storm-2657 has been targeting university employees since March 2025, hijacking salaries by breaking into HR software such as Workday.

The attack is as audacious as it is simple: compromise HR and email accounts, quietly change payroll settings, and redirect pay packets into attacker-controlled bank accounts. Microsoft has dubbed the operation “payroll pirate,” a nod to the way crooks plunder staff wages without touching the employer’s systems directly.

Storm-2657’s campaign begins with phishing emails designed to harvest multifactor authentication (MFA) codes using adversary-in-the-middle (AiTM) techniques. Once in, the attackers breach Exchange Online accounts and insert inbox rules to hide or delete HR messages. From there, they use stolen credentials and SSO integrations to access Workday and tweak direct deposit information, ensuring that future payments go straight to them.
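The inbox-rule step in that chain is the one defenders can most readily catch after the fact: Exchange Online records every `New-InboxRule` and `Set-InboxRule` in the unified audit log, so a rule that both matches HR or payroll wording and hides or deletes the matching mail is a strong signal that an account is being prepared for a direct-deposit change. The following is an added illustration, not code from Microsoft, Workday or The Register. The audit records are constructed for the example, and their shape (`UserId`, `Operation`, `Parameters` as a list of name/value pairs) is an assumption that approximates the real log rather than a copy of it; the parameter names themselves (`SubjectContainsWords`, `BodyContainsWords`, `DeleteMessage`, `MoveToFolder`, `MarkAsRead`) are genuine inbox-rule cmdlet parameters.

```python
import json
import re

# Operations that create or modify mailbox rules in the unified audit log.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Rule actions that make matching mail disappear from the user's view.
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}

# Rule conditions whose values carry the text the attacker is filtering on.
CONDITION_PARAMS = {
    "SubjectContainsWords", "BodyContainsWords",
    "SubjectOrBodyContainsWords", "FromAddressContainsWords",
}

# Wording typical of HR and payroll notifications; word-bounded so that
# "hr" does not match inside "three" or "through".
HR_KEYWORDS = [
    (label, re.compile(pattern, re.IGNORECASE)) for label, pattern in (
        ("payroll", r"\bpayroll\b"),
        ("direct deposit", r"\bdirect deposit\b"),
        ("workday", r"\bworkday\b"),
        ("hr", r"\bhr\b"),
        ("salary", r"\bsalary\b"),
        ("bank", r"\bbank\b"),
        ("paycheck", r"\bpay(?:check|slip)\b"),
    )
]

# Constructed sample audit records (not real data). Schema is an assumption
# approximating unified audit log entries; values are strings as in the log.
SAMPLE_AUDIT_RECORDS = [
    json.dumps({
        "CreationTime": "2025-04-02T09:14:00", "UserId": "alice@uni.example",
        "Operation": "New-InboxRule", "Parameters": [
            {"Name": "Name", "Value": "Cleanup"},
            {"Name": "SubjectContainsWords", "Value": "payroll;direct deposit;Workday"},
            {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "MarkAsRead", "Value": "True"},
        ]}),
    json.dumps({
        "CreationTime": "2025-04-02T10:30:00", "UserId": "bob@uni.example",
        "Operation": "New-InboxRule", "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "FromAddressContainsWords", "Value": "newsletter@vendor.example"},
            {"Name": "MoveToFolder", "Value": "bob@uni.example\\Newsletters"},
        ]}),
    json.dumps({
        "CreationTime": "2025-04-03T07:55:00", "UserId": "carol@uni.example",
        "Operation": "Set-InboxRule", "Parameters": [
            {"Name": "Identity", "Value": "Old rule"},
            {"Name": "BodyContainsWords", "Value": "bank account change"},
            {"Name": "MoveToFolder", "Value": "carol@uni.example\\RSS Feeds"},
        ]}),
    json.dumps({
        "CreationTime": "2025-04-03T08:00:00", "UserId": "carol@uni.example",
        "Operation": "UserLoggedIn", "Parameters": []}),
]


def analyse_rule_record(record: dict):
    """Return a finding dict if this record is a mail-hiding rule keyed on HR wording, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}

    # A rule only hides mail if one of the hiding actions is set and not "False".
    hiding = sorted(n for n in HIDING_PARAMS
                    if params.get(n, "").lower() not in ("", "false"))
    if not hiding:
        return None

    condition_text = " ".join(params[n] for n in CONDITION_PARAMS if n in params)
    matched = sorted(label for label, rx in HR_KEYWORDS if rx.search(condition_text))
    if not matched:
        return None

    return {
        "time": record.get("CreationTime"),
        "user": record.get("UserId"),
        "rule": params.get("Name") or params.get("Identity", "<unnamed>"),
        "hiding_actions": hiding,
        "matched_keywords": matched,
    }


def find_suspicious_inbox_rules(json_lines):
    """Parse one JSON audit record per line and return findings in log order."""
    findings = []
    for line in json_lines:
        finding = analyse_rule_record(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_suspicious_inbox_rules(SAMPLE_AUDIT_RECORDS):
        print(f"{f['time']} {f['user']}: rule '{f['rule']}' hides mail "
              f"({', '.join(f['hiding_actions'])}) matching {f['matched_keywords']}")
```

Two of the four constructed records are flagged: the rule that deletes payroll and direct-deposit mail, and the modified rule that shunts "bank account change" messages into a folder nobody reads. The newsletter rule has a hiding action but no HR wording, so it is not reported, which keeps the alert volume tied to the behaviour the campaign actually relies on rather than to inbox rules in general. In practice the keyword list would be tuned to the wording of the organisation's own HR and payroll notifications, and the finding would be correlated with the user's sign-in records and any subsequent Workday bank-detail change.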

Microsoft stresses that the attacks don’t exploit a flaw in Workday itself. The weak points are poor MFA hygiene and sloppy configurations, with Redmond warning that organizations still relying on legacy or easily-phished MFA are sitting ducks.

“Since March 2025, we’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities,” Microsoft explained. It says these lures were crafted with academic precision: fake HR updates, reports of faculty misconduct, or notes about illness clusters, often linked through shared Google Docs to bypass filtering and appear routine.

In one instance, a phishing message urging recipients to “check their illness exposure status” was sent to 500 people within a single university, and only about 10 percent flagged it as suspicious, according to Microsoft.

[…]

Source: Microsoft warns of ‘payroll pirate’ attacks against US unis • The Register

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

 robin@edgarbv.com  https://www.edgarbv.com