Microsoft Warns US Universities Of Alarming Payroll Pirate Attack Security Threat
by Aaron Leong, Friday, October 10, 2025, 11:39 AM EDT
A financially motivated hacking group, tracked by Microsoft as Storm-2657, has so far compromised employee accounts at three U.S. universities to steal their salaries in a campaign experts are calling "payroll pirate" attacks. The scheme targets third-party human resources (HR) platforms, such as Workday, to redirect direct deposit payments to accounts controlled by the attackers.
Microsoft Threat Intelligence has been investigating the attacks since March 2025, noting that the threat actor gained initial access through highly believable and targeted phishing emails. The emails often employed convincing social engineering methods of impersonating official university communications, like messages from a university president or urgent alerts about compensation and benefits changes.
Other lures included fabricated warnings about illnesses/outbreaks on campus or classroom misconduct reports to entice users into clicking. The emails frequently contained links to a Google Docs page that redirected the victim to an attacker-controlled site designed to harvest their credentials and multi-factor authentication (MFA) codes.
Microsoft found that the lack of strong MFA was the key weakness the hackers exploited. In observed cases, some compromised accounts had no MFA enabled at all, while in others users were tricked into handing over their one-time codes through an adversary-in-the-middle (AiTM) phishing link. Once Storm-2657 had compromised an employee's account, it moved swiftly and stealthily to divert the paycheck.
Attack workflow of Storm-2657 (Credit: Microsoft)
The primary objective was to gain access to the victim's third-party HR platform, such as Workday, using the stolen credentials. To avoid detection, the hackers immediately created inbox rules in the victim's email account designed to delete any warning notifications sent by the HR system about a change to payroll or bank information. Once that path was cleared, the attackers logged into the employee's profile and changed the direct deposit settings, rerouting the victim's salary to a different bank account under their control.
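The notification-suppression step above is something defenders can look for: a newly created inbox rule that deletes or hides mail matching payroll terms is a strong signal on its own. The following triage routine is an added example written for this article, not Microsoft's or Workday's code; the rule events, keyword list and folder names are constructed assumptions and do not reflect the exact shape of real Exchange audit records.

```python
"""Triage newly created inbox rules for the pattern described above:
rules that delete or hide HR/payroll change notifications.

Added example, not Microsoft's or Workday's code. Events are constructed
and simplified; real Exchange audit records have a different shape.
"""
from dataclasses import dataclass, field

# Terms a payroll-change notice would contain. Assumption: tune for your HR system.
PAYROLL_TERMS = ("payroll", "direct deposit", "bank", "workday", "compensation")
# Folders a user rarely opens; a rule filing mail here effectively hides it.
HIDDEN_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email", "archive"}

@dataclass
class InboxRuleEvent:
    user: str                 # mailbox the rule was created in
    rule_name: str
    conditions: dict = field(default_factory=dict)  # e.g. {"SubjectContainsWords": [...]}
    actions: dict = field(default_factory=dict)     # e.g. {"DeleteMessage": True}

def targets_payroll(conditions):
    """True if any condition value mentions a payroll-related term."""
    blob = " ".join(str(v) for v in conditions.values()).lower()
    return any(term in blob for term in PAYROLL_TERMS)

def hides_mail(actions):
    """True if the rule deletes mail or files it into a rarely-viewed folder."""
    if actions.get("DeleteMessage"):
        return True
    return str(actions.get("MoveToFolder", "")).lower() in HIDDEN_FOLDERS

def classify(event):
    """'high': hides mail matching payroll terms; 'medium': hides all mail
    unconditionally (catch-all); None: nothing suspicious."""
    if not hides_mail(event.actions):
        return None
    if targets_payroll(event.conditions):
        return "high"
    return "medium" if not event.conditions else None

def triage(events):
    """Return (user, rule name, severity) for every rule worth an analyst's look."""
    return [(e.user, e.rule_name, sev) for e in events if (sev := classify(e))]

# Constructed sample events: two attacker-style rules, one catch-all, one benign.
SAMPLE_EVENTS = [
    InboxRuleEvent("staff1@example.edu", "x", {"SubjectContainsWords": ["Direct Deposit", "Payroll"]}, {"DeleteMessage": True}),
    InboxRuleEvent("staff2@example.edu", "sync", {"FromAddressContainsWords": ["workday"]}, {"MoveToFolder": "RSS Feeds", "MarkAsRead": True}),
    InboxRuleEvent("staff3@example.edu", "cleanup", {}, {"DeleteMessage": True}),
    InboxRuleEvent("staff4@example.edu", "news", {"SubjectContainsWords": ["Newsletter"]}, {"MoveToFolder": "Newsletters"}),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Pair any "high" hit with a check of the same user's recent sign-in locations and HR-portal bank-detail changes, since the rule is typically created minutes before the payroll edit.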
Microsoft reported that since March 2025 it has observed 11 successfully compromised accounts across three universities, which were then leveraged to send phishing emails to nearly 6,000 email accounts across 25 different institutions.
While the attacks don't represent a vulnerability in the HR platforms themselves, they highlight the critical need for educational institutions to strengthen their identity protection. Experts emphasize the importance of adopting phishing-resistant MFA methods and implementing stricter step-up verification for highly sensitive transactions such as changing direct deposit information.
Also, as a best practice, never click a link in an unexpected email that asks for your login credentials or MFA code, and be vigilant about any communication that invokes a sudden sense of urgency or fear. If a payroll notification seems suspicious, verify the information directly through the official HR portal, not by clicking a link in the email.