A sophisticated financially motivated threat actor known as Storm-2657 has been orchestrating elaborate “payroll pirate” attacks targeting US universities and other organizations, Microsoft Threat Intelligence has revealed.
These attacks represent a concerning evolution in cybercriminal tactics, where hackers compromise employee accounts to gain unauthorized access to human resources systems and redirect salary payments to attacker-controlled bank accounts.
The campaign demonstrates the increasing sophistication of social engineering techniques combined with technical exploitation to achieve maximum financial impact.
The threat actor has been particularly active in targeting employees within higher education sectors, exploiting their access to third-party Software as a Service (SaaS) platforms like Workday.
Since March 2025, Microsoft researchers have observed 11 successfully compromised accounts at three universities that were subsequently used to launch phishing campaigns targeting nearly 6,000 email accounts across 25 different educational institutions.
The scale and precision of these operations indicate a well-resourced and methodical approach to financial fraud.
The attacks begin with carefully crafted phishing emails designed to harvest credentials through adversary-in-the-middle (AITM) phishing techniques.
These emails exploit multiple social engineering themes, including fake campus illness outbreaks with subject lines such as “COVID-Like Case Reported — Check Your Contact Status” and “Confirmed Case of Communicable Illness.”
The attackers also impersonate legitimate university communications, often referencing specific university presidents or HR departments to enhance credibility and increase victim engagement rates.
Microsoft analysts identified that Storm-2657 exploits organizations’ lack of phishing-resistant multifactor authentication, allowing them to intercept and use stolen MFA codes to gain initial access to Exchange Online accounts.
Once inside the compromised systems, the threat actors demonstrate remarkable persistence and stealth capabilities.
Technical Infiltration and Persistence Mechanisms
The technical sophistication of Storm-2657’s operations becomes evident in their post-compromise activities.
After gaining access to victim accounts, the threat actors immediately establish persistence by enrolling their own phone numbers as MFA devices within the compromised Workday profiles or Duo MFA settings.
This technique ensures continued access without requiring further MFA approval from legitimate users, effectively bypassing security controls that organizations believe protect their systems.
The attackers then create sophisticated inbox rules designed to automatically delete or hide incoming notification emails from Workday’s email service.
These rules are often named using only special characters like “….” or “’’’’” to avoid detection during casual security reviews.
This technique ensures that victims remain unaware of unauthorized changes to their payroll configurations, as the standard notification emails warning of profile modifications never reach their intended recipients.
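The inbox-rule behaviour described above is something a defender can hunt for directly. The following is an added example, not code from the article or from Microsoft: it walks a simplified export of mailbox rules (the record layout and field names here are this example's own, not the Exchange or Graph schema) and flags rules whose name is made only of punctuation or symbols, that match Workday's sender domains, and that delete or bury the message. The sample rules are constructed; the two opaque names mirror the article's examples.

```python
import unicodedata
from typing import Dict, List

# Constructed sample export. Field names (mailbox, name, from_contains, action,
# folder) are this example's own simplified layout, not a product schema.
SAMPLE_RULES: List[Dict] = [
    {"mailbox": "j.doe@univ.example", "name": "\u2026.",  # "…." as in the article
     "from_contains": ["workday.com"], "action": "delete"},
    {"mailbox": "j.doe@univ.example", "name": "\u2019\u2019\u2019\u2019",  # "’’’’"
     "from_contains": ["myworkday.com"], "action": "move", "folder": "RSS Feeds"},
    {"mailbox": "a.lee@univ.example", "name": "Newsletters",
     "from_contains": ["news.example"], "action": "move", "folder": "Newsletters"},
    {"mailbox": "a.lee@univ.example", "name": "HR",
     "from_contains": ["workday.com"], "action": "move", "folder": "HR"},
]

# Sender fragments that indicate Workday notification mail (assumed list).
WORKDAY_SENDER_HINTS = ("workday.com", "myworkday.com")
# Folders where a moved notification is unlikely to be seen by the user.
SUSPICIOUS_FOLDERS = {"deleted items", "rss feeds", "archive", "junk email",
                      "conversation history"}


def is_opaque_name(name: str) -> bool:
    """True if the rule name is empty or consists only of punctuation,
    symbols or whitespace (Unicode categories P*, S*, Z*)."""
    stripped = name.strip()
    if not stripped:
        return True
    return all(unicodedata.category(ch)[0] in ("P", "S", "Z") for ch in stripped)


def targets_workday(rule: Dict) -> bool:
    """True if any sender condition points at a Workday domain."""
    return any(hint in cond.lower()
               for cond in rule.get("from_contains", [])
               for hint in WORKDAY_SENDER_HINTS)


def hides_mail(rule: Dict) -> bool:
    """True if the rule's action would keep the message out of the inbox view."""
    action = rule.get("action")
    if action == "delete":
        return True
    if action == "move":
        return rule.get("folder", "").lower() in SUSPICIOUS_FOLDERS
    return False


def score_rule(rule: Dict) -> List[str]:
    """Return the list of indicators a single rule triggers."""
    reasons = []
    if is_opaque_name(rule.get("name", "")):
        reasons.append("opaque-name")
    if targets_workday(rule):
        reasons.append("workday-sender")
    if hides_mail(rule):
        reasons.append("hides-mail")
    return reasons


def find_suspicious_rules(rules: List[Dict], min_reasons: int = 2) -> List[Dict]:
    """Flag rules that trigger at least `min_reasons` indicators, so a benign
    rule that merely files Workday mail into an 'HR' folder is not reported."""
    findings = []
    for rule in rules:
        reasons = score_rule(rule)
        if len(reasons) >= min_reasons:
            findings.append({"mailbox": rule["mailbox"], "name": rule["name"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_RULES):
        print(finding)
```

The threshold of two indicators is a tuning choice: an opaque name on its own is odd but not malicious, and filing Workday mail into a visible folder is normal user behaviour, while the combination of both with a delete action is exactly the pattern the article describes.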
Once persistence is established, Storm-2657 accesses Workday through single sign-on (SSO) authentication and methodically modifies victims’ salary payment configurations.
The Workday audit logs capture these activities as “Change My Account” or “Manage Payment Elections” events, providing forensic evidence of the unauthorized modifications.
Microsoft Defender for Cloud Apps can correlate these activities across both Microsoft Exchange Online and third-party SaaS applications like Workday, enabling comprehensive detection of suspicious cross-platform activities.
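The cross-platform correlation mentioned above can be expressed as a simple time-window join over per-user events. The following is an added example, not code from the article or from Microsoft: it takes constructed events from three sources (Exchange inbox-rule creation, an MFA device enrolment, and the Workday audit event names quoted in the article) and raises an alert when a payroll-related Workday event follows a persistence precursor for the same user within a window. The event layout, the source labels and the 24-hour window are this example's assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed, normalised events from several sources. Field names are this
# example's own; real log schemas differ per product.
EVENTS: List[Dict] = [
    {"ts": "2025-04-02T09:14:00Z", "source": "exchange", "user": "j.doe@univ.example",
     "type": "InboxRuleCreated", "detail": "name='\u2026.' action=delete"},
    {"ts": "2025-04-02T09:16:30Z", "source": "duo", "user": "j.doe@univ.example",
     "type": "MfaDeviceEnrolled", "detail": "new phone device"},
    {"ts": "2025-04-02T09:31:00Z", "source": "workday", "user": "j.doe@univ.example",
     "type": "Change My Account", "detail": ""},
    {"ts": "2025-04-02T09:32:10Z", "source": "workday", "user": "j.doe@univ.example",
     "type": "Manage Payment Elections", "detail": "direct deposit account changed"},
    # Benign: a payment election change with no recent precursor.
    {"ts": "2025-04-02T11:00:00Z", "source": "workday", "user": "a.lee@univ.example",
     "type": "Manage Payment Elections", "detail": "direct deposit account changed"},
    # Benign: an inbox rule created weeks earlier, outside the window.
    {"ts": "2025-03-20T08:00:00Z", "source": "exchange", "user": "a.lee@univ.example",
     "type": "InboxRuleCreated", "detail": "name='Newsletters' action=move"},
]

# Workday audit event names quoted in the article.
PAYROLL_EVENTS = {"Change My Account", "Manage Payment Elections"}
# Persistence actions that precede the payroll change in the described chain.
PRECURSOR_TYPES = {"InboxRuleCreated", "MfaDeviceEnrolled"}
WINDOW = timedelta(hours=24)  # assumed look-back window


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events: List[Dict], window: timedelta = WINDOW) -> List[Dict]:
    """For each payroll-related Workday event, collect precursor event types
    for the same user inside the preceding window; alert if any exist."""
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["ts"]))
        for event in user_events:
            if event["type"] not in PAYROLL_EVENTS:
                continue
            t_payroll = parse_ts(event["ts"])
            precursors = {
                p["type"] for p in user_events
                if p["type"] in PRECURSOR_TYPES
                and t_payroll - window <= parse_ts(p["ts"]) <= t_payroll
            }
            if precursors:
                alerts.append({"user": user, "payroll_event": event["type"],
                               "at": event["ts"], "precursors": sorted(precursors)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Keying the join on the user identity is what makes this work across products: the Exchange rule, the Duo enrolment and the Workday election change each look routine in isolation, and only their co-occurrence for one account in a short span reproduces the chain the article lays out.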
The attack methodology demonstrates careful planning to minimize detection while maximizing financial impact.
By leveraging legitimate authentication mechanisms and hiding evidence through automated email deletion, Storm-2657 has created a highly effective approach to financial fraud that can operate undetected for extended periods, potentially diverting multiple salary payments before discovery.