A cybercrime gang tracked as Storm-2657 has been targeting university employees in the United States to hijack salary payments in "pirate payroll" attacks since March 2025.
Microsoft Threat Intelligence analysts who spotted this campaign found that the threat actors are targeting Workday accounts; however, other third-party human resources (HR) software-as-a-service (SaaS) platforms could also be at risk.
"We've observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities," Microsoft said in a Thursday report.
"These attacks don't represent any vulnerability in the Workday platform or products, but rather financially motivated threat actors using sophisticated social engineering tactics and taking advantage of the complete lack of multifactor authentication (MFA) or lack of phishing-resistant MFA to compromise accounts."
The attackers are using multiple themes in phishing emails, custom-tailored for each target, ranging from warnings of campus illness outbreaks to reports of faculty misconduct, to trick recipients into clicking phishing links.
Other examples include emails impersonating the university president, sharing information regarding compensation and benefits, or fake documents shared by HR.
Sample phishing email (Microsoft)
In these attacks, Storm-2657 compromised victims' accounts via phishing emails that used adversary-in-the-middle (AITM) links to steal MFA codes, enabling threat actors to gain access to Exchange Online accounts.
Once inside the breached accounts, they set up inbox rules to delete Workday warning notification emails, allowing them to conceal further changes, including altering salary payment configurations and redirecting payments to accounts under their control after accessing the victims' Workday profiles through single sign-on (SSO).
"Following the compromise of email accounts and the payroll modifications in Workday, the threat actor leveraged newly accessed accounts to distribute further phishing emails, both within the organization and externally to other universities," Microsoft added.
... continue reading