'Payroll Pirates' target US universities, Microsoft warns
Group uses simple but effective tactics to divert staff salaries to themselves


Microsoft is warning of a hacking gang targeting universities to steal salary payments.
The group, tracked as Storm-2657, has been targeting employees in higher education with phishing emails that lead to adversary-in-the-middle (AiTM) pages designed to capture passwords and MFA codes.
The aim is to gain access to third-party HR software-as-a-service (SaaS) platforms, where the attackers can open employee profiles and redirect salary payments to bank accounts they control.
In one campaign during the first half of 2025, Microsoft researchers spotted the actor specifically targeting Workday profiles.
"However, it's important to note that any SaaS systems storing HR or payment and bank account information could be easily targeted with the same technique," Microsoft researchers said.
"These attacks don't represent any vulnerability in the Workday platform or products, but rather financially motivated threat actors using sophisticated social engineering tactics and taking advantage of the complete lack of multifactor authentication (MFA) or lack of phishing-resistant MFA to compromise accounts."
Since March, said Microsoft, it has observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities.
Many emails related to illnesses or outbreaks on campus, with others referencing reports or disciplinary proceedings – a clever tactic, said Chance Caldwell, senior director of the Phishing Defense Center at Cofense.
"This particular Payroll Pirate scheme highlights just how advanced phishing has become," he said.
"Instead of using generic malicious links, the attackers are tailoring messages with university-specific language to increase their credibility, and they are using techniques to steal MFA credentials. That level of targeting means that traditional anti-spam or signature-based filters are often insufficient in detecting their malicious behavior."
Some emails contained Google Docs links – making detection tricky, as these are common in academic environments. In many cases, compromised accounts didn't have MFA enabled, while in others users were tricked into disclosing MFA codes via AiTM phishing links distributed through email.
Once an account was compromised, the attackers created a generic inbox rule to hide or delete incoming notification emails from the organization's Workday email service, so the victim would never see Workday's warnings about the payroll changes.
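The inbox-rule step is the one defenders can hunt for most directly. As an added example (not code from the article, from Microsoft or from Workday), the following Python scans audit records for New-InboxRule and Set-InboxRule operations whose conditions reference an HR or payroll sender and whose action deletes matching mail or moves it to a folder the user rarely looks at, and it also flags the unconditional "delete everything" variant. The record shape (an Operation field plus a Parameters list of Name/Value pairs) follows the Exchange Online unified audit log, but the sample events, users, addresses and IPs are constructed, and the term list and folder list are assumptions to tune per environment.

```python
import json

# Terms that, when they appear in a rule's match conditions, suggest the
# rule is aimed at an HR or payroll system's notifications (assumed list).
HR_TERMS = ("workday", "payroll", "hr@", "human resources")

# Folders that effectively hide mail from the user if a rule moves it there
# (assumed list; extend with whatever your tenant's users never open).
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive",
                  "conversation history"}

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Constructed sample audit lines (not real data): one rule deleting Workday
# mail, one benign newsletter rule, one moving payroll mail to RSS Feeds,
# and one catch-all delete rule with no conditions at all.
SAMPLE_LOG = [
    json.dumps({
        "CreationTime": "2025-04-02T08:15:22", "Operation": "New-InboxRule",
        "UserId": "jdoe@university.example", "ClientIP": "203.0.113.10",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "FromAddressContainsWords", "Value": "myworkday.com"},
            {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    }),
    json.dumps({
        "CreationTime": "2025-04-02T09:01:05", "Operation": "New-InboxRule",
        "UserId": "asmith@university.example", "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "newsletters"},
            {"Name": "SubjectContainsWords", "Value": "Weekly Digest"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    }),
    json.dumps({
        "CreationTime": "2025-04-03T17:44:10", "Operation": "Set-InboxRule",
        "UserId": "bwong@university.example", "ClientIP": "203.0.113.10",
        "Parameters": [
            {"Name": "Identity", "Value": "Payroll"},
            {"Name": "SubjectContainsWords",
             "Value": "Your Workday account;Direct Deposit"},
            {"Name": "MoveToFolder", "Value": "RSS Feeds"},
        ],
    }),
    json.dumps({
        "CreationTime": "2025-04-04T11:20:00", "Operation": "New-InboxRule",
        "UserId": "cgarcia@university.example", "ClientIP": "198.51.100.8",
        "Parameters": [
            {"Name": "Name", "Value": "clean"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    }),
]


def parse_parameters(event: dict) -> dict:
    """Flatten the audit record's Parameters list into a name -> value dict."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def evaluate_rule(event: dict) -> list[str]:
    """Return the reasons an inbox-rule event looks like notification hiding.

    An empty list means the rule looks benign under these heuristics.
    """
    if event.get("Operation") not in RULE_OPERATIONS:
        return []
    params = parse_parameters(event)
    reasons = []

    # Does the rule match on an HR/payroll sender, subject or body?
    condition_keys = ("From", "FromAddressContainsWords", "SubjectContainsWords",
                      "SubjectOrBodyContainsWords", "BodyContainsWords")
    conditions = " ".join(params.get(k, "") for k in condition_keys).lower()
    targets_hr = any(term in conditions for term in HR_TERMS)

    # Does the rule make matching mail disappear from the inbox?
    deletes = params.get("DeleteMessage", "").lower() == "true"
    moved_to = params.get("MoveToFolder", "").lower()
    hides = deletes or moved_to in HIDING_FOLDERS

    if targets_hr and hides:
        reasons.append("hides mail matching HR/payroll terms")
    if hides and not conditions.strip():
        # No conditions at all: the "generic" catch-all variant, which
        # hides Workday notifications along with everything else.
        reasons.append("unconditional delete/move rule")
    if hides and params.get("MarkAsRead", "").lower() == "true":
        reasons.append("also marks hidden mail as read")
    return reasons


def scan_log(lines: list[str]) -> list[dict]:
    """Run the heuristics over JSON audit lines and return the hits."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = evaluate_rule(event)
        if reasons:
            hits.append({"time": event.get("CreationTime"),
                         "user": event.get("UserId"),
                         "ip": event.get("ClientIP"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['user']} from {hit['ip']}: "
              + "; ".join(hit["reasons"]))
```

In practice the input would be an export of the tenant's audit log filtered to inbox-rule operations, and a hit is worth correlating with the rule's creating IP, with any MFA device enrolment on the same account around the same time, and with the user's recent sign-in locations. The same logic applies to any HR or payroll SaaS notification sender, not only Workday; only the term list changes.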
The attackers established persistence by enrolling their own phone numbers as MFA devices for victim accounts, either through Workday profiles or Duo MFA settings, and then accessed Workday through single sign-on (SSO) to change the victim's payroll and bank account information.
But, said Nick Tausek, lead security automation architect at Swimlane, this wasn't a particularly sophisticated attack.
"The 'Payroll Pirate' hackers are not running some highly elaborate scheme to gain access to third-party platforms like Workday. The attack tactics are rather simple, but very thorough, and that's what makes them dangerous," he said.
"By impersonating trusted authorities like school officials or medical advisors, evading detection by deleting warning emails from the target third-party platform, and enrolling themselves in MFA for victim accounts to allow longer continued access, the Payroll Pirates have established an effective and easily repeatable hacking methodology."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.