In October 2025, Microsoft warned of a threat actor it tracks as Storm-2657, which runs financially motivated “payroll pirate” attacks against U.S. universities. The attackers hijack employee accounts and redirect salary payments to bank accounts they control. The campaign targets HR SaaS platforms such as Workday, but it succeeds through social engineering and through accounts that lack phishing-resistant multi-factor authentication (MFA), not through any product vulnerability.

The attacks do not rely on flaws in the software itself. Phishing emails carry adversary-in-the-middle (AiTM) links that proxy the real login page, so an employee who signs in hands over both the password and the one-time MFA code, and the attacker captures a working session. With the Exchange Online account in hand, the attacker pivots through single sign-on into Workday and changes the victim’s salary payment configuration. To keep the access and to stay hidden, they enroll their own phone numbers as additional MFA methods and create inbox rules that delete or move the Workday notifications that would otherwise alert the employee to the payroll change.

Microsoft observed 11 compromised accounts at three universities since March 2025, used to send phishing emails to nearly 6,000 accounts across 25 universities. Email lures referenced campus illnesses or faculty misconduct, creating urgency and convincing recipients to click fraudulent links.

Mitigation starts with passwordless, phishing-resistant MFA such as FIDO2 security keys, which an AiTM proxy cannot replay. Beyond that, defenders should monitor accounts for the post-compromise pattern itself: newly registered MFA methods, inbox rules that delete or hide HR and payroll mail, and sign-ins from unfamiliar locations, and should review and remove attacker-added MFA methods and rules on any affected account. Staff education about the lures completes the picture. AUMINT.io emphasizes proactive simulations, behavioral monitoring, and continuous oversight to detect such attacks before sensitive payroll information is compromised.
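As an added example (not code from the original post, from Microsoft, or from AUMINT.io), the script below correlates the three post-compromise signals described above, a newly registered MFA method, an inbox rule that hides payroll notifications, and a sign-in from outside the user's baseline countries, and flags users where they combine. The event field names, the operation names as used here, and the sample events are all constructed for illustration; a real Microsoft 365 audit export needs a field mapping before it can be fed in.

```python
"""Correlate the post-compromise signals of a 'payroll pirate' takeover.

Added example for this post, not code from Microsoft or AUMINT.io. It uses a
simplified, constructed event schema (one dict per event) loosely modelled on
Microsoft 365 audit records; a real export needs a field mapping first.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Words an attacker suppresses so the victim never sees the payroll or MFA change.
SUPPRESS_KEYWORDS = ("workday", "payroll", "direct deposit", "payment election",
                     "security info", "authentication method")
# Inbox-rule actions that hide mail rather than merely tag it.
HIDING_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
CONDITION_KEYS = ("SubjectContainsWords", "BodyContainsWords",
                  "FromAddressContainsWords", "SubjectOrBodyContainsWords")


@dataclass
class UserFindings:
    new_mfa_methods: list = field(default_factory=list)
    hiding_rules: list = field(default_factory=list)
    unfamiliar_signins: list = field(default_factory=list)

    def risk(self) -> int:
        """Weighted so that MFA enrolment plus a hiding rule crosses the threshold."""
        return (40 * bool(self.new_mfa_methods)
                + 40 * bool(self.hiding_rules)
                + 20 * bool(self.unfamiliar_signins))


def rule_hides_payroll_mail(params: dict) -> bool:
    """True if a rule both hides mail and matches on payroll/MFA-related words."""
    if not any(action in params for action in HIDING_ACTIONS):
        return False
    terms = [t.lower() for key in CONDITION_KEYS for t in params.get(key, [])]
    return any(kw in term for term in terms for kw in SUPPRESS_KEYWORDS)


def analyze(events, known_countries):
    """Group indicators per user. known_countries: {user: set of baseline countries}."""
    findings = defaultdict(UserFindings)
    for ev in events:
        user = ev["user"].lower()
        op = ev["operation"]
        if op == "User registered security info":
            findings[user].new_mfa_methods.append(ev.get("detail", ""))
        elif op in ("New-InboxRule", "Set-InboxRule"):
            params = ev.get("parameters", {})
            if rule_hides_payroll_mail(params):
                findings[user].hiding_rules.append(params.get("Name", "<unnamed>"))
        elif op == "UserLoggedIn":
            # No baseline for the user counts as unfamiliar, deliberately.
            if ev.get("country") not in known_countries.get(user, set()):
                findings[user].unfamiliar_signins.append(ev.get("ip", "?"))
    return dict(findings)


def flagged_users(events, known_countries, threshold=60):
    """Users whose combined indicators reach the threshold, sorted for stable output."""
    return sorted(u for u, f in analyze(events, known_countries).items()
                  if f.risk() >= threshold)


# Constructed sample data: alice shows the full takeover chain, bob has a benign
# rule, carol merely registered a new phone (legitimate on its own).
KNOWN_COUNTRIES = {"alice@uni.example": {"US"}, "bob@uni.example": {"US"},
                   "carol@uni.example": {"US"}}
SAMPLE_EVENTS = [
    {"user": "alice@uni.example", "operation": "UserLoggedIn",
     "country": "NG", "ip": "198.51.100.7"},
    {"user": "alice@uni.example", "operation": "User registered security info",
     "detail": "Phone: +1-555-0100"},
    {"user": "alice@uni.example", "operation": "New-InboxRule", "parameters": {
        "Name": ".", "SubjectContainsWords": ["Workday", "direct deposit"],
        "DeleteMessage": True, "MarkAsRead": True}},
    {"user": "bob@uni.example", "operation": "New-InboxRule", "parameters": {
        "Name": "newsletters", "SubjectContainsWords": ["newsletter"],
        "MoveToFolder": "Reading"}},
    {"user": "carol@uni.example", "operation": "User registered security info",
     "detail": "Authenticator app"},
]

if __name__ == "__main__":
    for user, f in analyze(SAMPLE_EVENTS, KNOWN_COUNTRIES).items():
        print(f"{user}: risk={f.risk()} mfa={f.new_mfa_methods} "
              f"rules={f.hiding_rules} signins={f.unfamiliar_signins}")
    print("flagged:", flagged_users(SAMPLE_EVENTS, KNOWN_COUNTRIES))
```

The scoring is deliberately conservative: a single new MFA method is normal (people replace phones), and so is a single odd sign-in, but a new method followed by a rule that silently deletes Workday mail is the combination the campaign depends on, so those two together cross the threshold on their own. In production the same logic would run over a time window (the attacker's rule typically follows the MFA enrolment within hours) and would also check the rule's name, since attackers often use a single character or blank name to avoid attention.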

Don’t wait for a breach to expose vulnerabilities in your HR systems. Strengthen your defenses today with AUMINT.io – Book your session here and protect your organization from human and procedural gaps.