A sophisticated financially motivated threat actor known as Storm-2657 has been orchestrating elaborate \u201cpayroll pirate\u201d attacks targeting US universities and other organizations, Microsoft Threat Intelligence has revealed.<\/p>\n
These attacks represent a concerning evolution in cybercriminal tactics, where hackers compromise employee accounts to gain unauthorized access to human resources systems and redirect salary payments to attacker-controlled bank accounts.<\/p>\n
The campaign demonstrates the increasing sophistication of social engineering techniques combined with technical exploitation to achieve maximum financial impact.<\/p>\n
The threat actor has been particularly active in targeting employees within higher education sectors, exploiting their access to third-party Software as a Service (SaaS) platforms like Workday.<\/p>\n
Since March 2025, Microsoft researchers have observed<\/a> 11 successfully compromised accounts at three universities that were subsequently used to launch phishing campaigns targeting nearly 6,000 email accounts across 25 different educational institutions.<\/p>\n The scale and precision of these operations indicate a well-resourced and methodical approach to financial fraud.<\/p>\n The attacks begin with carefully crafted phishing emails<\/a> designed to harvest credentials through adversary-in-the-middle (AITM) phishing techniques.<\/p>\n These emails exploit multiple social engineering<\/a> themes, including fake campus illness outbreaks with subject lines such as \u201cCOVID-Like Case Reported \u2014 Check Your Contact Status\u201d and \u201cConfirmed Case of Communicable Illness.\u201d<\/p>\n The attackers also impersonate legitimate university communications, often referencing specific university presidents or HR departments to enhance credibility and increase victim engagement rates.<\/p>\n Microsoft analysts identified that Storm-2657 exploits organizations\u2019 lack of phishing-resistant multifactor authentication, allowing them to intercept and use stolen MFA codes to gain initial access to Exchange Online accounts.<\/p>\n Once inside the compromised systems, the threat actors demonstrate remarkable persistence and stealth capabilities.<\/p>\n The technical sophistication of Storm-2657\u2019s operations becomes evident in their post-compromise activities.<\/p>\n After gaining access to victim accounts, the threat actors immediately establish persistence by enrolling their own phone numbers as MFA devices within the compromised Workday profiles or Duo MFA<\/a> settings.<\/p>\n This technique ensures continued access without requiring further MFA approval from legitimate users, effectively bypassing security controls that organizations believe protect their systems.<\/p>\n The attackers then create sophisticated inbox rules designed to automatically delete or hide incoming notification emails from Workday\u2019s email service.<\/p>\n These rules are often named using only special characters like \u201c\u2026.\u201d or \u201c\u2019\u2019\u2019’\u201d to avoid detection during casual security reviews.<\/p>\n This technique ensures that victims remain unaware of unauthorized changes to their payroll configurations, as the standard notification emails warning of profile modifications never reach their intended recipients.<\/p>\n Once persistence<\/a> is established, Storm-2657 accesses Workday through single sign-on (SSO) authentication and methodically modifies victims\u2019 salary payment configurations.<\/p>\n The Workday audit logs capture these activities as \u201cChange My Account\u201d or \u201cManage Payment Elections\u201d events, providing forensic evidence of the unauthorized modifications.<\/p>\n Microsoft Defender for Cloud Apps can correlate these activities across both Microsoft Exchange Online and third-party SaaS applications like Workday, enabling comprehensive detection of suspicious cross-platform activities.<\/p>\n The attack methodology demonstrates careful planning to minimize detection while maximizing financial impact.<\/p>\n By leveraging legitimate authentication<\/a> mechanisms and hiding evidence through automated email deletion, Storm-2657 has created a highly effective approach to financial fraud that can operate undetected for extended periods, potentially diverting multiple salary payments before discovery.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Microsoft Warns of Hackers Compromising Employee Accounts to Steal Salary Payments<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjK8chIKOdtRqIOKe_tnQKf8pQkQsqfasptaXXfov_fTmfAODg3SEIorWzHBBJO6KuP_lnCqWMGUS_enlA5iOGJuukqBHddh2lTYly6o3lIOL-XLVL9eiFHGwvKWlq6wcfgxlLn9O-w0_R6xo6nXT6nK7q6fIvz0W9D1YcvJHPNcF-gko96lQpilMmyNVc\/s16000\/Attack%2520flow%2520of%2520threat%2520actor%2520activity%2520in%2520a%2520real%2520incident%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\")
Technical Infiltration and Persistence Mechanisms<\/strong><\/h2>\n