Microsoft’s Threat Intelligence team has sounded the alarm: a notorious cybercrime group, tracked by Microsoft as Storm-2657, has been running a brazen attack on US university payroll systems since March 2025. In a blog post, Redmond said the crew has been targeting university employees since March 2025, hijacking salaries by breaking into HR software such as Workday. Dubbed “payroll pirate” by Microsoft’s Threat Intelligence team, the campaign exploits weak security practices to redirect paychecks into attacker-controlled bank accounts. The attackers are said to infiltrate HR platforms like Workday through compromised email accounts, redirecting paychecks to their own bank accounts.
How hackers steal employee salaries at US universities
According to the Microsoft blog, the attack is as audacious as it is simple: compromise HR and email accounts, quietly change payroll settings, and redirect paychecks into attacker-controlled bank accounts. Other reported lures include emails impersonating the university president, messages about compensation and benefits, or fake documents purportedly shared by HR.

The operation begins with phishing emails tailored to academia, such as fake HR updates, faculty misconduct reports, or alerts about illness clusters. These lures, often delivered via shared Google Docs to evade filters, trick users into revealing multifactor authentication (MFA) codes through adversary-in-the-middle (AiTM) techniques. Once inside Exchange Online accounts, the attackers set inbox rules to hide or delete HR notifications, concealing their tracks.

Using stolen credentials and single sign-on (SSO) integrations, the group accesses Workday to modify direct deposit settings, funneling salaries to accounts they control. Microsoft emphasized that the attacks exploit weak MFA practices and misconfigured systems, not vulnerabilities in Workday itself.

“Following the compromise of email accounts and the payroll modifications in Workday, the threat actor leveraged newly accessed accounts to distribute further phishing emails, both within the organization and externally to other universities,” Microsoft added.

“We have observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities,” Microsoft said in the report.
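One detection a defender can build from the inbox-rule behaviour described above, as an added example that is not from Microsoft's report or from any Exchange or Workday tooling: scan mailbox-rule audit events for rules whose conditions mention payroll or HR and whose actions delete the message, mark it as read, or file it into a folder nobody reads. The sample records are constructed to resemble Exchange Online audit events for the New-InboxRule and Set-InboxRule operations (an Operation, UserId, CreationTime, and a Parameters list of Name/Value pairs); that record shape, the keyword list and the "hiding" folder list are assumptions to tune to the institution's own HR vendor and sender addresses.

```python
"""Flag mailbox rules that could hide HR or payroll notifications.

Added example (not from Microsoft's report, Exchange or Workday). The
sample records are CONSTRUCTED to resemble Exchange Online audit events
for New-InboxRule / Set-InboxRule; the field names are an assumption.
"""
import json
import re

# Audit-log operations that create or change a mailbox rule.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Rule condition parameters whose values are worth inspecting (ordered so
# findings are deterministic).
CONDITION_PARAMS = (
    "SubjectContainsWords",
    "SubjectOrBodyContainsWords",
    "BodyContainsWords",
    "FromAddressContainsWords",
)

# Words that point at payroll / HR mail (assumed starting list; extend with
# the HR vendor names and payroll sender addresses used locally).
HR_KEYWORDS = re.compile(
    r"workday|payroll|direct deposit|paycheck|human resources|\bhr\b",
    re.IGNORECASE,
)

# Target folders that bury a message rather than file it for reading.
HIDE_FOLDERS = re.compile(
    r"deleted|junk|\brss\b|archive|conversation history", re.IGNORECASE
)


def parse_parameters(record):
    """Collapse the record's Parameters list into a {Name: Value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def hr_conditions(params):
    """Return 'Param=value' strings for rule conditions matching HR keywords."""
    return [
        f"{key}={params[key]}"
        for key in CONDITION_PARAMS
        if key in params and HR_KEYWORDS.search(str(params[key]))
    ]


def hiding_actions(params):
    """Return the rule actions that remove the message from the user's view."""
    actions = [
        key for key in ("DeleteMessage", "MarkAsRead")
        if str(params.get(key, "")).lower() == "true"
    ]
    folder = str(params.get("MoveToFolder", ""))
    if folder and HIDE_FOLDERS.search(folder):
        actions.append(f"MoveToFolder={folder}")
    return actions


def assess_rule(record):
    """Return a finding dict if the record is a rule hiding HR mail, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = parse_parameters(record)
    conditions = hr_conditions(params)
    actions = hiding_actions(params)
    if not conditions or not actions:
        return None
    return {
        "time": record.get("CreationTime"),
        "user": record.get("UserId"),
        "rule": params.get("Name"),
        "conditions": conditions,
        "actions": actions,
    }


def scan(lines):
    """Run assess_rule over newline-delimited JSON audit records."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed export lines instead of aborting the scan
        finding = assess_rule(record)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records; users, times and rule names are invented.
SAMPLE_AUDIT_LOG = [
    json.dumps({"CreationTime": "2025-03-14T09:12:31", "Operation": "New-InboxRule",
                "UserId": "jdoe@example.edu", "Parameters": [
                    {"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "digest"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"CreationTime": "2025-03-14T09:40:02", "Operation": "New-InboxRule",
                "UserId": "jdoe@example.edu", "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "Workday;direct deposit"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-03-15T11:05:47", "Operation": "Set-InboxRule",
                "UserId": "asmith@example.edu", "Parameters": [
                    {"Name": "Name", "Value": "cleanup"},
                    {"Name": "FromAddressContainsWords", "Value": "payroll@example.edu"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}]}),
    json.dumps({"CreationTime": "2025-03-15T11:06:10", "Operation": "MailItemsAccessed",
                "UserId": "asmith@example.edu", "Parameters": []}),
    "not json at all",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_AUDIT_LOG):
        print(json.dumps(finding))
```

Run against the constructed log, the benign "Newsletters" rule and the unrelated mailbox-access event are ignored, while the rule that deletes anything mentioning Workday or direct deposit and the rule that diverts payroll sender mail into "RSS Feeds" are both surfaced. A rule that merely files HR mail into an ordinary folder is deliberately not flagged, which keeps the alert volume down; in practice a hit should be triaged together with the account's recent sign-ins and any direct-deposit change in the HR platform around the same time.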