‘Looting US university salaries’: Microsoft warns of ‘payroll pirate’ scam


Microsoft’s Threat Intelligence team has sounded the alarm over a cybercrime group it tracks as Storm-2657, which has been attacking US university payroll systems since March 2025. In a blog post, Redmond said the crew has been targeting university employees, hijacking salaries by breaking into HR software such as Workday. Dubbed “payroll pirate” by Microsoft’s Threat Intelligence team, the campaign exploits weak security practices rather than software flaws: the attackers use compromised email accounts to get into HR platforms like Workday and redirect paychecks into bank accounts they control.

How hackers steal employee salaries at US universities

According to the Microsoft blog, the attack is as audacious as it is simple: compromise HR and email accounts, quietly change payroll settings, and redirect pay packets into attacker-controlled bank accounts.

The operation begins with phishing emails tailored to academia, such as fake HR updates, faculty misconduct reports, or alerts about illness clusters. Other reported lures include emails impersonating the university president, messages about compensation and benefits, or fake documents purportedly shared by HR. These lures, often delivered via shared Google Docs to evade filters, trick users into revealing multifactor authentication (MFA) codes through adversary-in-the-middle (AiTM) techniques. Once inside Exchange Online accounts, the attackers set inbox rules to hide or delete HR notifications, concealing their tracks.

Using stolen credentials and single sign-on (SSO) integrations, the group accesses Workday to alter direct deposit settings, funneling salaries to accounts they control. Microsoft emphasized that the attacks exploit weak MFA practices and misconfigured systems, not vulnerabilities in Workday itself.

“Following the compromise of email accounts and the payroll modifications in Workday, the threat actor leveraged newly accessed accounts to distribute further phishing emails, both within the organization and externally to other universities,” Microsoft added.

“We’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities,” Microsoft said in the report.
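The inbox-rule step described above leaves an artefact in the victim's own mailbox, which makes it a practical place for defenders to look. The following is an added example, not code from the article or from Microsoft: it scans exported inbox rules and flags any rule that both matches payroll or HR wording and quietly buries the matching mail (deletes it, marks it read, or moves it to a folder nobody checks). The record shape is an assumption loosely modelled on mailbox-rule exports (a display name, match conditions, and actions), and the sample rules are constructed for the demonstration; adapt the field names to whatever your tenant's export produces.

```python
"""Flag mailbox inbox rules that hide payroll / HR notifications.

Added example, not from the article or from Microsoft. The record layout
(displayName / conditions / actions) is an assumption; SAMPLE_RULES below
are constructed test data, not real rules from any incident.
"""
import re
from dataclasses import dataclass, field

# Wording a payroll-tampering intruder would want silenced in the victim's inbox.
PAYROLL_TERMS = ("payroll", "direct deposit", "bank account", "workday",
                 "pay statement", "compensation", "benefits", "human resources", "hr")

# Folders commonly used to bury mail the user should have seen.
BURY_FOLDERS = ("deleted items", "junk", "archive", "rss", "conversation history")


@dataclass
class Finding:
    rule_name: str
    reasons: list = field(default_factory=list)


def _text_blob(rule: dict) -> str:
    """Concatenate the rule name and every match condition into one lowercase string."""
    cond = rule.get("conditions", {})
    parts = [rule.get("displayName", "")]
    for key in ("subjectContains", "bodyContains", "senderContains"):
        parts.extend(cond.get(key, []))
    return " ".join(parts).lower()


def _hides_mail(rule: dict) -> list:
    """Return a reason for every action that makes matching mail disappear from view."""
    act = rule.get("actions", {})
    reasons = []
    if act.get("delete"):
        reasons.append("deletes matching mail")
    if act.get("permanentDelete"):
        reasons.append("permanently deletes matching mail")
    folder = (act.get("moveToFolder") or "").lower()
    if any(f in folder for f in BURY_FOLDERS):
        reasons.append(f"moves matching mail to '{act['moveToFolder']}'")
    if act.get("markAsRead"):
        reasons.append("marks matching mail as read")
    return reasons


def flag_rules(rules: list) -> list:
    """Flag rules that target payroll/HR wording AND hide the matching mail.

    Either signal alone is benign (people file newsletters, people do get
    payroll mail); the combination is what the campaign relies on.
    """
    findings = []
    for rule in rules:
        blob = _text_blob(rule)
        hits = sorted({t for t in PAYROLL_TERMS
                       if re.search(r"\b" + re.escape(t) + r"\b", blob)})
        hide = _hides_mail(rule)
        if hits and hide:
            findings.append(Finding(rule.get("displayName", "<unnamed>"),
                                    hide + [f"matches payroll terms: {hits}"]))
    return findings


# Constructed sample export: two benign rules, two that fit the pattern above.
SAMPLE_RULES = [
    {"displayName": "Newsletters",
     "conditions": {"senderContains": ["noreply@news.example"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".",
     "conditions": {"subjectContains": ["Workday", "direct deposit", "payroll"]},
     "actions": {"markAsRead": True, "moveToFolder": "RSS Feeds"}},
    {"displayName": "cleanup",
     "conditions": {"bodyContains": ["your bank account information has been updated"]},
     "actions": {"delete": True}},
    {"displayName": "Receipts",
     "conditions": {"subjectContains": ["receipt"]},
     "actions": {"moveToFolder": "Deleted Items"}},
]

if __name__ == "__main__":
    for f in flag_rules(SAMPLE_RULES):
        print(f"SUSPICIOUS rule {f.rule_name!r}: " + "; ".join(f.reasons))
```

Run against the constructed sample, the check flags the "." and "cleanup" rules and leaves the newsletter and receipt rules alone. In practice the same function would be run over a periodic export of every mailbox's rules, with any hit correlated against recent direct-deposit changes in the HR system, which is the other half of the chain Microsoft describes.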




