Microsoft Warns of 'Payroll Pirates' Hijacking HR SaaS Accounts to Steal Employee Salaries
Briefly

"A threat actor known as Storm-2657 has been observed hijacking employee accounts with the end goal of diverting salary payments to attacker-controlled accounts. 'Storm-2657 is actively targeting a range of U.S.-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday,' the Microsoft Threat Intelligence team said in a report."
"In one campaign observed by Microsoft in the first half of 2025, the attacker is said to have obtained initial access through phishing emails that are designed to harvest their credentials and MFA codes using an adversary-in-the-middle (AitM) phishing link, thereby gaining access to their Exchange Online accounts and taking over Workday profiles through single sign-on (SSO). The threat actors have also been observed creating inbox rules to delete incoming warning notification emails from Workday so as to hide the unauthorized changes made to profiles."
Storm-2657 targets U.S. organizations, often higher education employees, to gain access to HR SaaS platforms like Workday and any service storing HR or bank details. The attacks do not exploit software flaws but rely on social engineering and weak or absent multi-factor authentication to seize accounts. Adversary-in-the-middle phishing links harvest credentials and MFA codes, enabling access to Exchange Online and SSO-linked HR profiles. Attackers create inbox rules to delete Workday notifications, change salary payment configurations to attacker accounts, and enroll attacker phone numbers as MFA devices to maintain persistence.
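The inbox-rule step described above (rules that silently delete or hide Workday notifications) is something a defender can hunt for in mailbox audit data. The following is an added example, not code from the page or from Microsoft's report; it assumes a simplified record shape modelled on Microsoft 365 unified audit log inbox-rule events (the field names Operation, UserId, Parameters and the inbox-rule parameter names are assumptions) and flags rules that filter on HR or payroll terms and also delete, mark as read, or move the matching message.

```python
import json

# Constructed sample audit records (not from the page) in a simplified shape
# modelled on Microsoft 365 unified audit log inbox-rule events; the field
# names used here are assumptions for this example.
SAMPLE_LOG = """\
{"Operation": "New-InboxRule", "UserId": "alice@example.edu", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "Workday"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "bob@example.edu", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"}, {"Name": "MoveToFolder", "Value": "Archive"}]}
{"Operation": "Set-InboxRule", "UserId": "carol@example.edu", "Parameters": [{"Name": "Identity", "Value": "Cleanup"}, {"Name": "BodyContainsWords", "Value": "direct deposit"}, {"Name": "MarkAsRead", "Value": "True"}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]}
{"Operation": "Update user.", "UserId": "dave@example.edu", "Parameters": []}
"""

# Terms that point at HR / payroll notifications an attacker would want hidden.
HR_TERMS = ("workday", "payroll", "direct deposit", "payment election", "bank account")
# Rule parameters that filter on message content (assumed parameter names).
FILTER_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                 "SubjectOrBodyContainsWords", "FromAddressContainsWords")
# Rule actions that keep the mailbox owner from noticing the message.
HIDE_ACTIONS = ("DeleteMessage", "MarkAsRead", "MoveToFolder")


def suspicious_inbox_rules(log_text):
    """Return [(user, operation, reasons)] for inbox rules that both match
    HR-related mail and hide it from the mailbox owner."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}
        matched_terms = [
            term for name in FILTER_PARAMS
            for term in HR_TERMS if term in params.get(name, "").lower()
        ]
        hide = [a for a in HIDE_ACTIONS if a in params and params[a].lower() != "false"]
        if matched_terms and hide:
            hits.append((record["UserId"], record["Operation"],
                         sorted(set(matched_terms)) + hide))
    return hits


if __name__ == "__main__":
    for user, op, reasons in suspicious_inbox_rules(SAMPLE_LOG):
        print(f"{user}: {op} rule flagged ({', '.join(reasons)})")
```

In the sample, alice's rule (subject "Workday" plus delete) and carol's rule (body "direct deposit" plus mark-as-read and move) are flagged, while bob's ordinary newsletter rule is not.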
Read at The Hacker News