CATEGORIES
home News

Microsoft Warns US Universities Of Alarming Payroll Pirate Attack Security Threat

by Aaron LeongFriday, October 10, 2025, 11:39 AM EDT
Hooded hacker wearing an anonymous mask in front of PCs.
A financially-motivated hacking group, tracked by Microsoft as Storm-2657, has so far successfully compromised employee accounts at three U.S. universities to steal their salaries in what campaign experts are deeming "payroll pirate" attacks. The sophisticated scheme targets human resource (HR) platforms, such as Workday, to redirect direct deposit payments to accounts controlled by the attackers.

Microsoft Threat Intelligence has been investigating the attacks since March 2025, noting that the threat actor gained initial access through highly believable and targeted phishing emails. The emails often employed convincing social engineering methods of impersonating official university communications, like messages from a university president or urgent alerts about compensation and benefits changes.

Other lures included fabricated warnings about illnesses/outbreaks on campus or classroom misconduct reports to entice users into clicking. The emails frequently contained links to a Google Docs page that redirected the victim to an attacker-controlled site designed to harvest their credentials and multi-factor authentication (MFA) codes.

Microsoft found that the lack of strong MFA was a key vulnerability exploited by the hackers. In observed instances some compromised accounts did not have MFA enabled at all, or where users were tricked into giving up their one-time codes via an adversary-in-the-middle (AiTM) phishing link. Once Storm-2657 successfully compromised an employee's account, they moved swiftly and stealthily to make off with the paycheck.

attack workflow1
Attack workflow of Storm-2657 (Credit: Microsoft)

The primary objective was to gain access to the victim’s third-party HR platform, such as Workday, using the stolen credentials. To avoid detection, the hackers immediately created inbox rules in the victim’s email account designed to delete any warning notifications sent by the HR system regarding a change in payroll or bank information. Once that path is cleared, the attackers then logged into the employee's profile and changed the direct deposit settings, rerouting the victim’s salary to a different bank account under their control.

Microsoft reported that since March 2025, it's observed 11 successfully compromised accounts across three universities, which were then leveraged to send phishing emails to nearly 6,000 email accounts across 25 different institutions.

While the attacks don't represent a vulnerability in the HR platforms themselves, they highlight the critical need for educational institutions to strengthen their identity protection. Experts emphasize the importance of adopting phishing-resistant MFA methods and implementing stricter, step-up verification for highly sensitive transactions like changing direct deposit information, for example.

Also, as best practice, never click a link in an unexpected email that asks for your login credentials or MFA code, and be vigilant about any communication that invokes a sudden sense of urgency or fear. If a payroll notification seems suspicious, verify the information directly through the official HR portal, not by clicking a link in the email.
Tags:  security, university, cybersecurity, (nasdaq:msft
TOP STORIES
Which New GPU Is For You?
More Results
KEEP INFORMED

Stay updated with the latest news and updates. Subscribe to our newsletter!

Subscribe Now
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2025 Hot Hardware Inc, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment