Microsoft: Storm-2657 Used Phishing to Redirect University Payrolls via Workday Accounts

Microsoft Threat Intelligence reported that a cybercrime gang tracked as Storm-2657 has targeted university employees in the United States since March 2025 to hijack salary payments in so-called “payroll pirate” attacks. Microsoft said it observed the campaign while investigating compromised accounts and related activity.

The attackers focused on Workday accounts but Microsoft cautioned that other third-party human resources software-as-a-service platforms could also be at risk. The company said these incidents do not reflect a vulnerability in the Workday platform, but rather financially motivated actors using social engineering and exploiting the absence of multifactor authentication or the use of non-phishing-resistant MFA.

Microsoft described the attack chain as beginning with tailored phishing emails that used adversary-in-the-middle links to capture MFA codes and compromise Exchange Online accounts. After gaining access, the actors set up inbox rules to delete Workday warning notifications, accessed Workday profiles through single sign-on, and altered salary payment configurations to redirect funds to accounts they controlled.

In some cases the intruders also enrolled their own phone numbers as MFA devices, either through affected Workday profiles or Duo settings, to maintain persistence and approve further actions on their devices without detection. Microsoft said it identified affected customers, reached out to some of them, and shared guidance for investigation and implementing phishing-resistant MFA to help block similar attacks.
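The inbox-rule step in the chain above leaves an audit trail: a rule that deletes or buries mail matching Workday or payroll terms is a strong signal of account takeover. The following detector is an added example, not code from Microsoft or the article; it runs over constructed audit records shaped after Exchange Online inbox-rule cmdlet parameters (`DeleteMessage`, `MoveToFolder`, `SubjectContainsWords`, and so on), and the keyword and folder lists are assumptions to tune per environment.

```python
"""Flag mailbox rules that hide HR/payroll notifications (added example, assumed heuristics)."""
import re

# Assumed terms that identify Workday/payroll notifications; not from the article.
HR_PATTERN = re.compile(r"workday|payroll|direct deposit|payment election|bank account", re.I)
# Assumed folders where hidden mail is commonly parked.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items", "archive"}
CONDITION_KEYS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords",
                  "FromAddressContainsWords", "From")

def rule_hides_mail(params):
    """Return a reason string if the rule's actions make matching mail disappear, else None."""
    if params.get("DeleteMessage"):
        return "DeleteMessage"
    folder = str(params.get("MoveToFolder", "")).lower()
    if folder in HIDE_FOLDERS:
        return f"MoveToFolder={params['MoveToFolder']}"
    if params.get("MarkAsRead") and folder:
        return f"MarkAsRead+MoveToFolder={params['MoveToFolder']}"
    return None

def rule_targets_hr(params):
    """Return the first rule condition that mentions Workday/payroll terms, else None."""
    for key in CONDITION_KEYS:
        value = params.get(key)
        if value is None:
            continue
        text = " ".join(value) if isinstance(value, (list, tuple)) else str(value)
        if HR_PATTERN.search(text):
            return f"{key}={text}"
    return None

def find_payroll_rule_tampering(records):
    """Scan audit records; return (user, reason) for rules that hide HR notifications."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = rec.get("Parameters", {})
        hides, targets = rule_hides_mail(params), rule_targets_hr(params)
        if hides and targets:
            findings.append((rec["UserId"], f"{rec['Operation']}: {targets} -> {hides}"))
    return findings

# Constructed sample records (not real audit data). The first two mimic the tampering
# described in the article; the last two are benign rules that must not fire.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@uni.example",
     "Parameters": {"Name": ".", "FromAddressContainsWords": ["workday.com"], "DeleteMessage": True}},
    {"Operation": "Set-InboxRule", "UserId": "bob@uni.example",
     "Parameters": {"Identity": "Old", "SubjectContainsWords": ["Payment Election"],
                    "MoveToFolder": "RSS Feeds", "MarkAsRead": True}},
    {"Operation": "New-InboxRule", "UserId": "carol@uni.example",
     "Parameters": {"Name": "Vendors", "FromAddressContainsWords": ["vendor.example"], "MoveToFolder": "Vendors"}},
    {"Operation": "New-InboxRule", "UserId": "dave@uni.example",
     "Parameters": {"Name": "Tidy", "SubjectContainsWords": ["newsletter"], "DeleteMessage": True}},
]
```

Feed it records exported from the unified audit log and pair each hit with the sign-in that created the rule; a rule created from an unfamiliar IP minutes after an MFA prompt is the pattern to escalate.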

The company reported observing 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities, and said the compromised accounts were then used to distribute additional phishing messages both internally and to other institutions.

Microsoft noted that “payroll pirate” attacks are a variant of business email compromise. The FBI Internet Crime Complaint Center recorded more than 21,000 BEC complaints in 2024, with reported losses exceeding $2.7 billion, figures the company cited to place the incidents in context.