An unnamed organization recently discovered that several employees’ paychecks had silently vanished, not because of a ransomware attack, data-wiping malware, or a cloud breach, but because an attacker convinced people to do exactly what they wanted.
Instead of hacking through firewalls or exploiting zero-days, the threat actor went after the weakest link: operational processes and help desk workflows.
The attack started with a phone call. Posing as legitimate employees, the attacker contacted multiple help desks, including payroll, IT and HR shared services.
Their goal was simple: gain control over employee accounts without ever needing to break into any system directly.
By abusing challenge-response questions and knowledge-based verification, the attacker persuaded help desk staff to perform password resets and re‑enroll multi-factor authentication (MFA) devices in the attacker’s favor.
Once this was done, the criminal effectively “became” the employees in the eyes of the organization’s identity systems.
Open-source information made this even easier. Social platforms and professional networks exposed enough personal and work-related details to help the attacker convincingly answer verification questions.
Repeated callback attempts allowed them to probe what questions were being asked and refine their story until they succeeded.
In parallel, the attacker attempted to establish long-term persistence by registering an external email address as an authentication method for a service account in the organization’s Azure AD. This move signaled an intent to maintain access well beyond a single payroll cycle.
Account Takeover to Payroll Diversion
With valid credentials and working MFA in place, the attacker logged into the payroll system like any normal user. There was no malware, no exploit and no apparent anomaly in the authentication trail.
Once inside, the threat actor moved quickly across multiple compromised employee accounts. They accessed sensitive payroll records and quietly modified direct-deposit details, redirecting salaries into bank accounts under their control.
Because every login looked legitimate and MFA checks passed, the activity blended into normal operations and evaded technical alerts.
The attack only came to light when employees started complaining about missing paychecks. An internal review of account changes found suspicious updates going back weeks.
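The article notes that every login and change looked legitimate on its own. What the identity and payroll logs do expose is the sequence: a help desk reset or MFA re-enrollment followed by a direct-deposit change, several employees suddenly paying into the same destination, or an external mailbox registered as an authentication method (the Azure AD persistence attempt described earlier). The following is an added detection example, not code from the article or from Unit 42; the log format, field names, corporate domain and all events are constructed for this illustration.

```python
"""
Added example: correlate identity-recovery events with payroll direct-deposit changes.
Three findings are produced: a deposit change shortly after a help desk reset or MFA
re-enrollment, the same destination account used by more than one employee, and an
authentication method added with an email address outside the organization's domains.
Log format and field names are constructed for this example (not a real product format).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Columns: timestamp, user, event, detail
SAMPLE_EVENTS = [
    "2024-02-01T08:00:00Z,bjones,helpdesk_password_reset,channel=phone verify=kba",
    "2024-03-04T09:12:00Z,jdoe,helpdesk_password_reset,channel=phone verify=kba",
    "2024-03-04T09:20:00Z,jdoe,mfa_reenroll,device=new-phone",
    "2024-03-04T10:05:00Z,jdoe,payroll_direct_deposit_change,dest=ACCT-0001",
    "2024-03-04T11:00:00Z,asmith,payroll_direct_deposit_change,dest=ACCT-0001",
    "2024-03-05T14:30:00Z,bjones,payroll_direct_deposit_change,dest=ACCT-0002",
    "2024-03-06T16:45:00Z,svc-payroll,auth_method_added,method=email value=recovery@mail-external.example",
]

RECOVERY_EVENTS = {"helpdesk_password_reset", "mfa_reenroll", "auth_method_added"}
CORPORATE_DOMAINS = {"corp.example"}   # assumption: the organization's own mail domains
WINDOW = timedelta(days=7)             # assumption: how long after recovery a change is suspect


def parse(line):
    """Split one constructed log line into a dict; detail may itself contain commas."""
    ts, user, event, detail = line.split(",", 3)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "event": event,
        "detail": detail,
    }


def find_suspicious(lines, window=WINDOW):
    """Return a list of (user, reason, timestamp) findings in chronological order."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    recovery = defaultdict(list)      # user -> recovery events seen so far
    dest_users = defaultdict(set)     # destination account -> users paying into it
    findings = []
    for e in events:
        if e["event"] in RECOVERY_EVENTS:
            recovery[e["user"]].append(e)
        if e["event"] == "auth_method_added" and "method=email" in e["detail"]:
            addr = e["detail"].split("value=", 1)[1].strip()
            if addr.rsplit("@", 1)[-1].lower() not in CORPORATE_DOMAINS:
                findings.append((e["user"], "external_auth_email", e["ts"]))
        if e["event"] == "payroll_direct_deposit_change":
            # Deposit change inside the window after any recovery event on the account
            recent = [r for r in recovery[e["user"]] if e["ts"] - r["ts"] <= window]
            if recent:
                findings.append((e["user"], "deposit_change_after_recovery", e["ts"]))
            # Several employees redirecting pay to one destination account
            dest = e["detail"].split("dest=", 1)[1].strip()
            dest_users[dest].add(e["user"])
            if len(dest_users[dest]) >= 2:
                findings.append((e["user"], "shared_destination_account", e["ts"]))
    return findings


if __name__ == "__main__":
    for user, reason, ts in find_suspicious(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {user}: {reason}")
```

In the sample, jdoe is flagged because the deposit change follows a reset and MFA re-enrollment within the window, asmith is flagged because the same destination account was already used by jdoe, and the service account is flagged for the external recovery address; bjones is not flagged because the reset happened more than a week before the change. In a real deployment the same three rules would run over payroll audit logs and the identity provider's audit events rather than constructed lines.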
Legal counsel was engaged, and the case was escalated to Unit 42 for a full-scope investigation and incident response.
Unit 42 deployed Cortex XSIAM to aggregate and correlate telemetry from the payroll and HR systems, as well as logs from the organization’s Next-Generation Firewall.
This investigation confirmed that the incident was constrained to payroll diversion and targeted account compromise, with no clear signs of lateral movement or large-scale data exfiltration inside the core network.
However, the broader threat hunting effort exposed an unrelated but serious issue: evidence of an ongoing WannaCry infection inside a legacy OT environment.
The ransomware, originally unleashed years ago, had been quietly persisting in operational systems without triggering a major incident, a stark reminder that unmonitored legacy assets can harbor long-term risk.
Containment, Recovery and Lessons Learned
Working closely with the customer, Unit 42 helped:
- Contain the compromised accounts and reverse the fraudulent payroll changes
- Reassert control over affected cloud identities and remove unauthorized authentication methods
- Begin hardening both IT and OT environments, with a focus on tightening help desk verification, reinforcing MFA enrollment and recovery flows, improving logging into Cortex XSIAM and eradicating the WannaCry foothold in OT systems
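The attacker in this case passed knowledge-based verification with public information and refined the story over repeated callbacks. One way to express the tightened help desk and MFA-recovery flow described above is as an explicit policy that knowledge-based answers alone can never satisfy, that demands stronger evidence for MFA re-enrollment and new authentication methods than for a plain password reset, and that treats repeated failed verification on one account as a reason to escalate. The following is an added example, not the article's or Unit 42's code; the evidence classes, weights, thresholds and corporate domain are assumptions chosen for illustration.

```python
"""
Added example: a policy gate for help desk identity-recovery requests.
Evidence weights, required scores and the corporate domain are assumptions for this
example; an organization would set its own values.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Evidence an agent can record. Knowledge-based answers score zero on purpose:
# the details behind them are often discoverable from public profiles.
EVIDENCE_WEIGHT = {
    "kba": 0,
    "callback_to_number_on_file": 2,
    "existing_mfa_push_approved": 3,
    "manager_verbal_confirmation": 2,
    "in_person_id_check": 4,
}

# Assumed minimum score per request type; changing MFA or adding a new
# authentication method is treated as more sensitive than a password reset.
REQUIRED_SCORE = {
    "password_reset": 2,
    "mfa_reenroll": 4,
    "add_auth_method": 4,
}

CORPORATE_DOMAINS = {"corp.example"}   # assumption: the organization's own mail domains
MAX_FAILED_ATTEMPTS = 1                # assumption: more than one failed call means escalate


@dataclass
class RecoveryRequest:
    request_type: str
    caller_channel: str                  # "phone", "chat" or "in_person"
    evidence: List[str] = field(default_factory=list)
    recent_failed_attempts: int = 0      # earlier calls on this account that failed verification
    new_method_value: Optional[str] = None   # e.g. the email address being registered


def evaluate(req: RecoveryRequest):
    """Return (approved, reasons). An empty reasons list means the request may proceed."""
    reasons = []
    if req.request_type not in REQUIRED_SCORE:
        return False, [f"unknown request type: {req.request_type}"]
    unknown = [e for e in req.evidence if e not in EVIDENCE_WEIGHT]
    if unknown:
        return False, [f"unrecognised evidence: {unknown}"]

    score = sum(EVIDENCE_WEIGHT[e] for e in req.evidence)
    needed = REQUIRED_SCORE[req.request_type]
    if score < needed:
        reasons.append(f"insufficient verification: score {score} < required {needed}")

    # Repeated failed verification is how an attacker learns the questions; escalate instead of retrying
    if req.recent_failed_attempts > MAX_FAILED_ATTEMPTS:
        reasons.append("repeated failed verification on this account; escalate to security")

    # A recovery address outside the organization's domains is a persistence risk
    if req.request_type == "add_auth_method" and req.new_method_value and "@" in req.new_method_value:
        domain = req.new_method_value.rsplit("@", 1)[-1].lower()
        if domain not in CORPORATE_DOMAINS:
            reasons.append("external recovery email not permitted as an authentication method")

    return (not reasons), reasons


if __name__ == "__main__":
    print(evaluate(RecoveryRequest("password_reset", "phone", ["kba"])))
    print(evaluate(RecoveryRequest("mfa_reenroll", "phone",
                                   ["callback_to_number_on_file", "manager_verbal_confirmation"])))
```

The two calls at the bottom show the contrast: a phone reset backed only by correct security answers is refused, while an MFA re-enrollment backed by a callback to the number already on file plus a manager's confirmation is allowed. Recording the evidence list with the ticket also gives the detection side something concrete to correlate against later.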
Fast action by the organization, combined with the attacker’s narrow financial objective, ultimately limited impact to three employee accounts.
Even so, the incident underscored a critical trend: attackers can achieve high-impact fraud and identity takeover without breaching a single technical control, simply by exploiting human-operated workflows.
For defenders, the takeaway is clear: help desk and similar identity-related interactions must be treated with the same rigor as any technical authentication mechanism.
Unified visibility, skilled security teams and strict verification procedures are now essential to prevent the next paycheck from quietly being redirected elsewhere.
