Microsoft Threat Intelligence has disclosed a financially motivated campaign targeting U.S. universities, in which attackers compromised payroll systems to reroute salary payments to accounts they control. The threat actor, tracked as Storm-2657, exploited inadequate multifactor authentication and social engineering to gain access to employee HR profiles and alter bank account settings.
The campaign, active since March 2025, began with phishing attacks against university staff. Attackers harvested multifactor authentication (MFA) codes through adversary-in-the-middle links, then used the stolen sessions to reach Exchange Online mailboxes and, via single sign-on, human resources systems such as Workday. Once inside a victim’s mailbox, they created inbox rules that deleted notifications from the HR system, so the employee never saw alerts about changes to their payment arrangements.
“These attacks don’t represent any vulnerability in the Workday platform, but rather financially motivated threat actors using social engineering tactics and exploiting absence of phishing-resistant MFA.” — Microsoft
Universities Targeted Via Phishing of MFA Codes and HR System Access
In its analysis, Microsoft confirmed that Storm-2657 sent sophisticated phishing emails to staff across multiple university systems. The emails employed themes ranging from health alerts and misconduct investigations to compensation updates and benefits notices. Some used Google Docs links to harvest credentials and MFA tokens under the guise of legitimate document sharing.
At least three universities experienced confirmed account compromises affecting 11 staff members, and those accounts were then used to send phishing emails to nearly 6,000 recipients across 25 additional institutions. In many of these cases, the compromised email accounts either lacked MFA or used MFA methods that are not phishing-resistant, such as one-time codes that can be relayed through an adversary-in-the-middle page.
Microsoft observed that attackers used the compromised email access to suppress Workday notifications, then used single sign-on from that identity to open the HR system. Once in Workday, the threat actor modified the “Manage Payment Elections” or “Change My Account” settings to redirect salary deposits to attacker-controlled bank accounts. The changes were hidden by inbox rules that deleted or filtered notification emails with subjects such as “Payment Elections” or “Direct Deposit.”
The actor also enrolled attacker-controlled phone numbers as MFA devices, preserving access even after the victim’s password was changed. Analysts noted that account takeover followed by quiet payroll edits follows the pattern of business email compromise (BEC), but executed directly against the SaaS HR platform rather than through fraudulent invoices or wire requests.
Mitigation Steps Offered to Universities and Employers to Prevent Payment Diversion
Microsoft urged affected organizations to adopt phishing-resistant authentication methods such as FIDO2 security keys, Windows Hello for Business, or passkeys in Microsoft Authenticator. It further recommended the enforcement of phishing-resistant MFA for all users with HR or administrative privileges.
Security teams are advised to hunt for inbox rules that act on HR-system mail. In Exchange Online audit data, look for “New-InboxRule” and “Set-InboxRule” operations whose conditions match the HR platform’s sender domain or payroll-related subjects and whose actions delete, move or mark the message as read. In Workday, audit business process events for “Manage Payment Elections” and “Change My Account,” and compare the actor, time and source address with the mailbox findings.
If a compromise is discovered, Microsoft recommends immediate password resets, removal of unauthorized MFA devices, deletion of malicious inbox rules, and restoration of the legitimate payroll settings. Finance teams should be alerted so that pending payments to the attacker’s accounts can be stopped. Organizations should also review abnormal activity in payroll and HR systems and correlate it with email and single sign-on activity, since the intrusion leaves traces in each system that are easy to miss in isolation.
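The hunting and cross-system correlation described above, as an added example that is not Microsoft’s or Workday’s own query: it flags Exchange Online audit records where a New-InboxRule or Set-InboxRule hides mail matching payroll keywords or the HR platform’s domain, then pairs each flagged rule with a Workday payment-election change by the same user inside a time window. The audit records and Workday events are constructed for the example; the Workday event fields (time, user, task, source_ip) are assumptions, while the Exchange record shape follows the unified audit log export (Operation, UserId, CreationTime, Parameters as Name/Value pairs).

```python
import json
from datetime import datetime, timedelta

# Words a payroll-diversion rule typically filters on: the notification
# subjects Microsoft cites, plus the HR platform's own domain.
PAYROLL_KEYWORDS = ("payment election", "direct deposit", "payroll", "bank account", "workday")
# Rule conditions to inspect (real New-InboxRule / Set-InboxRule parameters).
MATCH_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "From", "FromAddressContainsWords")
# Rule actions that hide the message from the victim.
HIDE_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
# Workday tasks that change where salary is paid.
PAYROLL_CHANGE_TASKS = ("Manage Payment Elections", "Change My Account")

# Constructed Exchange Online unified audit log records (fictional users, IPs, times).
SAMPLE_EXCHANGE_AUDIT = json.loads("""[
 {"CreationTime": "2025-04-02T09:15:00", "Operation": "New-InboxRule",
  "UserId": "alice@university.example", "ClientIP": "203.0.113.7",
  "Parameters": [{"Name": "Name", "Value": "."},
                 {"Name": "SubjectContainsWords", "Value": "Payment Elections;Direct Deposit"},
                 {"Name": "DeleteMessage", "Value": "True"}]},
 {"CreationTime": "2025-04-02T10:40:00", "Operation": "New-InboxRule",
  "UserId": "bob@university.example", "ClientIP": "198.51.100.20",
  "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                 {"Name": "SubjectContainsWords", "Value": "newsletter"},
                 {"Name": "MoveToFolder", "Value": "Newsletters"}]},
 {"CreationTime": "2025-04-03T14:05:00", "Operation": "Set-InboxRule",
  "UserId": "carol@university.example", "ClientIP": "203.0.113.7",
  "Parameters": [{"Name": "Identity", "Value": "Archive"},
                 {"Name": "FromAddressContainsWords", "Value": "workday.com"},
                 {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                 {"Name": "MarkAsRead", "Value": "True"}]}
]""")

# Constructed Workday-side events; the field names are assumptions for the example.
SAMPLE_WORKDAY_EVENTS = [
    {"time": "2025-04-02T12:30:00", "user": "alice@university.example",
     "task": "Manage Payment Elections", "source_ip": "203.0.113.7"},
    {"time": "2025-04-02T11:00:00", "user": "bob@university.example",
     "task": "Change My Account", "source_ip": "198.51.100.20"},
    {"time": "2025-04-08T08:00:00", "user": "carol@university.example",
     "task": "Manage Payment Elections", "source_ip": "203.0.113.7"},
]


def rule_parameters(record):
    """Flatten the Name/Value parameter list of an audit record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_suspicious_rule(record):
    """True if the record creates or modifies a rule that hides HR or payroll mail."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    params = rule_parameters(record)
    criteria = " ".join(str(params.get(k, "")) for k in MATCH_PARAMS).lower()
    targets_payroll = any(word in criteria for word in PAYROLL_KEYWORDS)
    # A hide action is present if the parameter is set to anything but empty/False.
    hides_message = any(str(params.get(k, "")).lower() not in ("", "false")
                        for k in HIDE_ACTIONS)
    return targets_payroll and hides_message


def correlate(exchange_records, workday_events, window_hours=72):
    """Pair each suspicious rule with payroll-change tasks by the same user that
    occur within window_hours after the rule was created; one alert per pair."""
    alerts = []
    for rec in exchange_records:
        if not is_suspicious_rule(rec):
            continue
        rule_time = datetime.fromisoformat(rec["CreationTime"])
        window_end = rule_time + timedelta(hours=window_hours)
        for ev in workday_events:
            ev_time = datetime.fromisoformat(ev["time"])
            if (ev["user"] == rec["UserId"] and ev["task"] in PAYROLL_CHANGE_TASKS
                    and rule_time <= ev_time <= window_end):
                alerts.append({"user": ev["user"], "rule_time": rec["CreationTime"],
                               "change_time": ev["time"], "task": ev["task"],
                               # Same client IP on both systems strengthens the case.
                               "same_ip": ev["source_ip"] == rec.get("ClientIP")})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EXCHANGE_AUDIT, SAMPLE_WORKDAY_EVENTS):
        print(alert)
```

With the sample data, alice’s rule and carol’s rule are both flagged, but only alice produces an alert in the default 72-hour window; carol’s payment-election change lands five days after her rule, which is why the suspicious-rule list should be reviewed on its own and not only through the correlation output. A rule named “.” with DeleteMessage set, as in alice’s record, is a common tell worth alerting on regardless of keywords.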
Microsoft has reached out to confirmed affected universities to assist with threat-hunting and remediation. The company and Workday have also collaborated to distribute guidance for securing HR systems. Workday itself stressed that customers should enable strong authentication methods and introduce additional verification steps for payroll-related changes.
The “payroll pirate” scheme shows classic BEC tactics applied to modern SaaS HR platforms. It underscores the risk of phishable credentials and the absence of phishing-resistant MFA in environments that hold sensitive payroll and bank routing data.