
A threat actor known as Storm-2657 has been observed hijacking employee accounts with the ultimate goal of diverting payroll payments to accounts controlled by the attacker.
“Storm-2657 is actively targeting employees of various US-based organizations, particularly in sectors such as higher education, and gaining access to third-party human resources (HR) software-as-a-service (SaaS) platforms like Workday,” the Microsoft Threat Intelligence Team said in a report.
However, the tech giant warned that any software-as-a-service (SaaS) platform that stores personnel, payment, or bank account information could be targeted by such financially motivated campaigns. Some aspects of the campaign, codenamed “Payroll Pirate,” have previously been covered by Silent Push, Malwarebytes, and Hunt.io.

What makes this attack notable is that it does not exploit any security flaw in the service itself. Instead, the attackers rely on social engineering and the absence of multi-factor authentication (MFA) to take control of employee accounts and ultimately modify payment information so that salary payments are routed to accounts controlled by the threat actors.
In one campaign observed by Microsoft in early 2025, the attackers are said to have gained initial access through phishing emails that harvested credentials and MFA codes via adversary-in-the-middle (AitM) phishing links, giving them access to Exchange Online accounts and, from there, control of Workday profiles through single sign-on (SSO).

Threat actors have also been observed creating inbox rules that delete alert notification emails sent by Workday in order to hide unauthorized changes made to profiles. These changes include altering payroll settings so that future salary payments are redirected to an account controlled by the attacker.
To retain long-term access to the account, the attacker registers their own phone number as an MFA device for the victim's account. The compromised email account is then also used to send further phishing emails, both within the organization and to other universities.

Microsoft said it has confirmed that 11 accounts at three universities were successfully compromised since March 2025, and that phishing emails were sent to approximately 6,000 email accounts across 25 universities. The messages use lures related to illness notifications or reports of on-campus misconduct to create a false sense of urgency and trick recipients into clicking a bogus link.
To reduce the risk posed by Storm-2657, it is recommended to adopt passwordless, phishing-resistant MFA methods such as FIDO2 security keys, and to review accounts for signs of suspicious activity such as unknown MFA devices or malicious inbox rules.
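The two account-review checks recommended here, looking for inbox rules that suppress HR alerts and for MFA devices the user never registered, can be scripted against an exported mailbox-rule and authentication-method inventory. The following is an added example written for this article; it is not code from Microsoft's report or from Workday. The rule objects follow the field names of the Microsoft Graph messageRule resource (displayName, isEnabled, conditions, actions), while the MFA inventory shape, the sample rules and the user names are constructed for the example, and the HR/payroll keyword list is an assumption to be tuned for one's own HR platform.

```python
"""
Triage helpers for the two persistence artefacts described above: inbox rules
that quietly dispose of HR/payroll notifications, and MFA methods that the
account owner never registered. All sample data here is constructed; the rule
objects follow the field names of the Microsoft Graph messageRule resource.
"""
import re

# Terms a rule would need to match in order to suppress payroll-change alerts.
# Assumption: Workday plus generic HR/payroll wording; extend for your own HR stack.
HR_PATTERNS = re.compile(
    r"workday|payroll|direct deposit|payment election|bank account|human ?resources|\bhr\b",
    re.IGNORECASE,
)

# messageRule actions that keep a message out of the user's inbox view.
SUPPRESSING_ACTIONS = ("delete", "permanentDelete", "moveToFolder", "markAsRead")


def _strings(value):
    """Yield every string nested inside a condition value (lists and dicts included)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def suspicious_inbox_rules(rules):
    """Return enabled rules whose conditions reference HR/payroll mail and whose
    actions hide that mail; each finding records the matched terms and actions."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        actions = rule.get("actions", {})
        suppress = [a for a in SUPPRESSING_ACTIONS if actions.get(a)]
        if not suppress:
            continue
        blob = " ".join(_strings(rule.get("conditions", {})))
        hits = sorted({m.group(0).lower() for m in HR_PATTERNS.finditer(blob)})
        if hits:
            findings.append({"rule": rule.get("displayName", ""), "matches": hits, "actions": suppress})
    return findings


def unexpected_mfa_methods(baseline, current):
    """Return MFA methods present in the current inventory but absent from the
    approved baseline. Both arguments map a user principal name to a list of
    {"id", "type", "detail"} entries (constructed shape, not a Graph resource)."""
    findings = []
    for user, methods in current.items():
        known = {m["id"] for m in baseline.get(user, [])}
        findings.extend({"user": user, **m} for m in methods if m["id"] not in known)
    return findings


# Constructed sample data -------------------------------------------------
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@vendor.example"]},
     "actions": {"moveToFolder": "Newsletters"}},
    # Attacker-style rule: silently deletes Workday payment-election alerts.
    {"displayName": ".", "isEnabled": True,
     "conditions": {"senderContains": ["workday.com"], "subjectContains": ["Payment Election"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"displayName": "Old payroll archive", "isEnabled": False,
     "conditions": {"subjectContains": ["payroll"]},
     "actions": {"moveToFolder": "Archive"}},
    # Possibly legitimate filing rule; still surfaced because it hides HR alerts from the inbox.
    {"displayName": "HR filing", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "noreply@myworkday.example"}}]},
     "actions": {"moveToFolder": "HR"}},
]

BASELINE_METHODS = {
    "jdoe@university.example": [{"id": "auth-1", "type": "microsoftAuthenticator", "detail": "jdoe's phone"}],
}
CURRENT_METHODS = {
    "jdoe@university.example": [
        {"id": "auth-1", "type": "microsoftAuthenticator", "detail": "jdoe's phone"},
        {"id": "auth-9", "type": "phone", "detail": "+1 555 0100 (mobile, SMS)"},  # not in baseline
    ],
}

if __name__ == "__main__":
    for f in suspicious_inbox_rules(SAMPLE_RULES):
        print("inbox rule", repr(f["rule"]), "hides", f["matches"], "via", f["actions"])
    for m in unexpected_mfa_methods(BASELINE_METHODS, CURRENT_METHODS):
        print("unexpected MFA method for", m["user"], "->", m["type"], m["detail"])
```

Move-to-folder rules that file HR mail are surfaced alongside delete rules on purpose: a filing rule still keeps a payroll-change alert out of the inbox, so it deserves a look even though many such rules turn out to be legitimate. The MFA check is a plain baseline diff; in practice the baseline would be captured from the identity provider before the review window and the current inventory pulled at review time.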