In a blog post, Redmond said a cybercrime crew it tracks as Storm-2657 has been targeting university employees since March 2025, hijacking salaries by breaking into HR software such as Workday. The attack is as audacious as it is simple: compromise HR and email accounts, quietly change payroll settings, and redirect pay packets into attacker-controlled bank accounts. Microsoft has dubbed the operation "payroll pirate," a nod to the way crooks plunder staff wages without touching the employer's systems directly.
The attack, a continuation of a campaign conducted in July, involves fraudulent messages asking users to verify their email address for security purposes, and claiming that accounts may be suspended due to lack of action. "This email is fake, and the link goes to pypi-mirror.org which is a domain not owned by PyPI or the PSF [Python Software Foundation]," PSF security developer-in-residence Seth Larson warns. Setting up phishing-resistant multi-factor authentication (MFA), Larson explains, helps PyPI maintainers mitigate the risks associated with phishing attacks.
