
Microsoft warns of 'payroll pirate' crew looting US university salaries

(2025/10/10)


Microsoft's Threat Intelligence team has sounded the alarm over a new financially-motivated cybercrime spree that is raiding US university payroll systems.

In a [1]blog post, Redmond said a cybercrime crew it tracks as Storm-2657 has been targeting university employees since March 2025, hijacking salaries by signing into HR software such as Workday with stolen credentials.

The attack is as audacious as it is simple: compromise HR and email accounts, quietly change payroll settings, and redirect pay packets into attacker-controlled bank accounts. Microsoft has dubbed the operation "payroll pirate," a nod to the way crooks plunder staff wages without exploiting any vulnerability in the employer's systems.


Storm-2657's campaign begins with phishing emails designed to harvest multifactor authentication (MFA) codes using adversary-in-the-middle (AiTM) techniques, in which the phishing page proxies the real login flow and captures the password, the MFA code, and the resulting session in real time. Once in, the attackers take over Exchange Online accounts and insert inbox rules to hide or delete HR messages, including Workday's own notification emails. From there, they use the stolen credentials and SSO integrations to access Workday and change direct deposit information, ensuring that future payments go straight to them.


Microsoft stresses that the attacks don't exploit a flaw in Workday itself. The weak points are poor MFA hygiene and sloppy configurations, with Redmond warning that organizations still relying on legacy or easily phished MFA, such as SMS codes, one-time passcodes, or simple push approvals, are sitting ducks.

"Since March 2025, we've observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities," Microsoft explained. It says these lures were crafted with academic precision: fake HR updates, reports of faculty misconduct, or notes about illness clusters, often linked through shared Google Docs to bypass filtering and appear routine.


In one instance, a phishing message urging recipients to "check their illness exposure status" was sent to 500 people within a single university, and only about 10 percent flagged it as suspicious, according to Microsoft.

After securing access, the attackers enroll their own phone numbers as MFA devices through the compromised Workday profiles or Duo settings, so that subsequent approval prompts go to them rather than to the victim. The whole process unfolds quietly because the inbox rules delete Workday's change notifications before the victims ever see them.


Detecting the scam requires cross-system visibility, something many universities lack. Microsoft advises correlating telemetry between Exchange Online and Workday, and says security teams should watch for new inbox rules referencing "@myworkday.com," suspicious MFA enrollments, and Workday business-process events such as "Change My Account" or "Manage Payment Elections." A lone payment-election change is routine; the combination of these events on one account within a short window is the signal.
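The cross-system correlation Microsoft recommends, together with the rogue MFA enrollment described above, as an added example that is not Microsoft's or Workday's code. The Python below runs over a small set of constructed sample events; the record layout, the field names, and the MFA activity name are assumptions made for illustration. In a real tenant you would map Exchange Online unified audit log entries (New-InboxRule and Set-InboxRule operations with their parameters), Entra ID or Duo device-registration audit entries, and Workday business-process audit events onto the same shape before calling correlate().

```python
"""Correlate inbox-rule, MFA-enrolment and Workday events per user.

Added example, not Microsoft's or Workday's code. The records in SAMPLE_EVENTS
are constructed for illustration; the field names and activity names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WORKDAY_DOMAIN = "myworkday.com"
# Workday business processes named in Microsoft's write-up.
WORKDAY_WATCH = {"Change My Account", "Manage Payment Elections"}
# Exchange inbox-rule parameters that select mail by sender, subject or body...
MATCH_PARAMS = {"From", "FromAddressContainsWords", "SubjectContainsWords",
                "BodyContainsWords", "SubjectOrBodyContainsWords"}
# ...and parameters that make the matching mail vanish from the user's view.
HIDING_PARAMS = {"DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead"}

# Constructed sample telemetry (not real log data), one normalized record per event.
SAMPLE_EVENTS = [
    # Attack pattern: rule hides Workday mail, new phone enrolled, payment elections changed.
    {"source": "exo", "op": "New-InboxRule", "user": "alice@uni.example",
     "time": "2025-09-02T08:14:00Z",
     "params": {"FromAddressContainsWords": "@myworkday.com", "DeleteMessage": "True"}},
    {"source": "mfa", "op": "User registered security info", "user": "alice@uni.example",
     "time": "2025-09-02T08:20:00Z", "params": {"method": "phone", "value": "+1-555-0100"}},
    {"source": "workday", "op": "Manage Payment Elections", "user": "alice@uni.example",
     "time": "2025-09-03T11:02:00Z", "params": {"account_last4": "4821"}},
    # Benign: an employee updates bank details and nothing else happens.
    {"source": "workday", "op": "Manage Payment Elections", "user": "bob@uni.example",
     "time": "2025-09-05T15:30:00Z", "params": {"account_last4": "0099"}},
    # Suspicious rule only: worth a ticket, but no payroll change seen yet.
    {"source": "exo", "op": "Set-InboxRule", "user": "carol@uni.example",
     "time": "2025-09-06T09:00:00Z",
     "params": {"SubjectContainsWords": "Workday", "MoveToFolder": "RSS Subscriptions",
                "From": "noreply@myworkday.com"}},
    # Benign rule that mentions Workday but only categorizes the mail.
    {"source": "exo", "op": "New-InboxRule", "user": "dave@uni.example",
     "time": "2025-09-07T09:00:00Z",
     "params": {"From": "noreply@myworkday.com", "ApplyCategory": "HR"}},
]


def _t(ev):
    return datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")


def is_hiding_workday_rule(ev):
    """True for an inbox rule that both selects Workday mail and hides it."""
    if ev["source"] != "exo" or ev["op"] not in {"New-InboxRule", "Set-InboxRule"}:
        return False
    params = ev["params"]
    selects_workday = any(k in MATCH_PARAMS and WORKDAY_DOMAIN in str(v).lower()
                          for k, v in params.items())
    hides = any(k in HIDING_PARAMS and str(v).lower() not in ("", "false")
                for k, v in params.items())
    return selects_workday and hides


def is_new_mfa_device(ev):
    return ev["source"] == "mfa"


def is_watched_workday_event(ev):
    return ev["source"] == "workday" and ev["op"] in WORKDAY_WATCH


def correlate(events, window=timedelta(days=7)):
    """Return one alert per user whose events show the payroll-pirate pattern."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        rules = [e for e in evs if is_hiding_workday_rule(e)]
        mfa = [e for e in evs if is_new_mfa_device(e)]
        payroll = [e for e in evs if is_watched_workday_event(e)]
        # A payroll change is only suspicious when a precursor (hiding rule or new
        # MFA device) precedes it within the window; on its own it is routine.
        precursors = rules + mfa
        linked = [p for p in payroll
                  if any(timedelta(0) <= _t(p) - _t(q) <= window for q in precursors)]
        indicators = []
        if rules:
            indicators.append("inbox rule hiding Workday mail")
        if mfa:
            indicators.append("new MFA device enrolled")
        if linked:
            indicators.append("payroll change shortly after precursor")
        if not indicators:
            continue
        severity = "high" if linked else "medium" if rules else "low"
        alerts.append({"user": user, "severity": severity, "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["user"], "; ".join(alert["indicators"]))
```

On the constructed data, alice is rated high (all three indicators inside the window), carol medium (a rule that moves Workday mail out of sight, nothing else yet), and bob and dave produce no alert at all: a lone payment-election change and a rule that merely categorizes Workday mail are both normal. The window and the hiding-parameter list are the knobs to tune against your own baseline.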

According to Microsoft, defense starts with ditching passwords altogether, and Redmond recommends adopting phishing-resistant methods such as FIDO2 keys, passkeys, or Windows Hello. These resist AiTM because the authenticator's response is bound to the origin of the site it is signing in to, so a proxy on a lookalike domain cannot relay it to the real service. When a compromise is suspected, immediate steps include resetting credentials, removing rogue MFA devices, purging malicious mail rules, and reverting any payroll changes.

It's time for universities, and any large employer, to batten down their MFA hatches before the next payday walks the plank. ®




[1] https://www.microsoft.com/en-us/security/blog/2025/10/09/investigating-targeted-payroll-pirate-attacks-affecting-us-universities/




Exploiting adversary-in-the-middle (AITM) technique

Taliesinawen

“When employees entered credentials and MFA codes on these AITM phishing pages, attackers captured them in real time via a proxy.”

Good Grief :o

I'm not au fait with the innards of MFA but would have thought a challenge-response mechanism: client to server, server to client and then client to server. Until the innovators come up with a better solution, have the one computer account, the one mobile phone number and the one MFA dongle dedicated to business matters. Never use this for anything else. Boot a computer with no hard drive from a bootable CD image to do your business with.

crew looting US university salaries

Yet Another Anonymous coward

It's difficult to defend against a national level actor targeting universities

Especially when they are your own government

While in Soviet Russia…

find users who cut cat tail

At a university on this side of the pond, you could phish as much as you like. Employees need to fill in and sign a form and bring it to the personnel dept. to change anything related to the salary. In person. Antiquated? Maybe. But how often do you really need such changes? You probably change employers more frequently than that.

Re: While in Soviet Russia…

Yet Another Anonymous coward

But in Soviet Union you didn't have to login to your payroll everyday to find out why your family's last doctors visit didn't get covered.

Stayed in bed all morning just to pass the time,
There's something wrong here, there can be no more denying,
One of us is changing, or maybe we just stopped trying,

And it's too late, baby, now, it's too late,
Though we really did try to make it,
Something inside has died and I can't hide and I just can't fake it...

It used to be so easy living here with you,
You were light and breezy and I knew just what to do
Now you look so unhappy and I feel like a fool.

There'll be good times again for me and you,
But we just can't stay together, don't you feel it too?
But I'm glad for what we had and that I once loved you...

But it's too late baby...
It's too late, now darling, it's too late...
-- Carole King, "Tapestry"