Microsoft warns of 'payroll pirate' attacks against US unis
Briefly

"In a blog post, Redmond said a cybercrime crew it tracks as Storm-2657 has been targeting university employees since March 2025, hijacking salaries by breaking into HR software such as Workday. The attack is as audacious as it is simple: compromise HR and email accounts, quietly change payroll settings, and redirect pay packets into attacker-controlled bank accounts. Microsoft has dubbed the operation "payroll pirate," a nod to the way crooks plunder staff wages without touching the employer's systems directly."
"Storm-2657's campaign begins with phishing emails designed to harvest multifactor authentication (MFA) codes using adversary-in-the-middle (AiTM) techniques. Once in, the attackers breach Exchange Online accounts and insert inbox rules to hide or delete HR messages. From there, they use stolen credentials and SSO integrations to access Workday and tweak direct deposit information, ensuring that future payments go straight to them."
Storm-2657 has targeted university employees since March 2025 to hijack salaries by gaining access to HR software such as Workday. The attackers send phishing emails that use adversary-in-the-middle (AiTM) techniques to capture multifactor authentication codes, which lets them take over the victims' Exchange Online accounts. They then create inbox rules that hide or delete HR notifications, so the employee never sees the confirmation that their pay details changed, and use the stolen credentials and SSO integrations to log in to Workday and change direct deposit details so that future payments route to attacker-controlled bank accounts. The campaign exploited poor MFA hygiene and weak account configurations rather than any flaw in Workday itself. Eleven accounts at three universities were compromised and used to send phishing lures to nearly 6,000 email accounts across 25 universities.
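The inbox-rule step is the part of this tradecraft that defenders can hunt for directly, because every New-InboxRule and Set-InboxRule lands in the Exchange Online audit log. The script below is an added example, not code from Microsoft, Workday or The Register: it walks parsed AuditData records and flags rules that both act on HR/payroll-related mail and keep it out of the owner's view (delete, move, mark as read, forward or redirect). It assumes the ExchangeAdmin record shape returned by Search-UnifiedAuditLog (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs), and the keyword list is an assumption for the example; the page does not say which words the attackers filtered on. The sample records are constructed.

```python
"""Hunt Exchange Online audit records for inbox rules that hide HR/payroll mail.

Added example, not code from Microsoft, Workday or The Register. Assumes the
ExchangeAdmin AuditData record shape (Operation, UserId, ClientIP, Parameters as
a list of Name/Value pairs) and an assumed HR/payroll keyword list.
"""
import json
import re
from dataclasses import dataclass

# Assumed HR/payroll vocabulary (not from the article). Terms are matched as
# whole words so that short ones like "hr" do not fire inside other words.
HR_KEYWORDS = ("payroll", "direct deposit", "workday", "bank account", "pay stub", "hr")

# Rule actions that keep a message out of the mailbox owner's view or copy it out.
HIDING_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead",
                  "RedirectTo", "ForwardTo", "ForwardAsAttachmentTo")

# Rule conditions that select messages by content or sender.
CONTENT_CONDITIONS = ("SubjectContainsWords", "BodyContainsWords",
                      "SubjectOrBodyContainsWords", "FromAddressContainsWords")

RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule")


@dataclass
class Finding:
    user: str
    rule_name: str
    operation: str
    client_ip: str
    actions: dict
    matched_keywords: list


def parse_parameters(record):
    """Flatten the Parameters list of an ExchangeAdmin record into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def analyze_record(record):
    """Return a Finding if the record creates or changes a rule that hides HR mail."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = parse_parameters(record)
    actions = {k: v for k, v in params.items() if k in HIDING_ACTIONS}
    if not actions:
        return None
    conditions = " ".join(params[k] for k in CONTENT_CONDITIONS if k in params).lower()
    matched = [kw for kw in HR_KEYWORDS
               if re.search(r"\b" + re.escape(kw) + r"\b", conditions)]
    if not matched:
        return None
    # New-InboxRule carries the rule name in "Name"; Set-InboxRule in "Identity".
    rule_name = params.get("Name") or params.get("Identity", "<unnamed>")
    return Finding(
        user=record.get("UserId", "?"),
        rule_name=rule_name,
        operation=record["Operation"],
        client_ip=record.get("ClientIP", "?"),
        actions=actions,
        matched_keywords=matched,
    )


def hunt(records):
    """Run analyze_record over a sequence of parsed AuditData records."""
    return [f for f in (analyze_record(r) for r in records) if f]


def load_audit_lines(lines):
    """Parse newline-delimited AuditData JSON, one record per line, skipping blanks."""
    return [json.loads(line) for line in lines if line.strip()]


# Constructed sample records (not real log data); only the fields used above are set.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@univ.example",
     "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "payroll;direct deposit"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@univ.example",
     "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@univ.example",
     "ClientIP": "203.0.113.45",
     "Parameters": [{"Name": "Identity", "Value": "Mail cleanup"},
                    {"Name": "FromAddressContainsWords", "Value": "workday"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "UserLoggedIn", "UserId": "alice@univ.example",
     "ClientIP": "203.0.113.45"},
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"{f.user} {f.operation} rule={f.rule_name!r} from {f.client_ip}: "
              f"actions={f.actions} keywords={f.matched_keywords}")
```

In practice the records come from the AuditData column of Search-UnifiedAuditLog output; the two findings here share a client IP, which is the kind of pivot (same source address touching several mailboxes) worth adding once real data is in hand. A rule named "." that deletes payroll mail is the pattern to treat as an incident, not a ticket.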
Read at The Register