Microsoft’s Threat Intelligence team has described a stealthy, financially motivated operation dubbed “payroll pirate” that has, since March 2025, targeted U.S. universities to hijack payroll by compromising Exchange Online and HR SaaS accounts such as Workday and quietly redirecting salaries into attacker-controlled bank accounts. This is not a software zero-day against Workday; it is a human-focused, cross-system assault that chains adversary-in-the-middle (AiTM) phishing, mailbox tampering, SSO abuse and payroll‑profile edits — and the practical consequences are immediate and painful for both employees and institutional risk teams.
Background
Microsoft’s analysis shows Storm‑2657 used highly credible, institution‑themed phishing lures (illness exposure notices, HR updates, leadership impersonations) that routed victims through Google Docs or similar paths to attacker-controlled domains. Once credentials or MFA codes were captured via AiTM techniques, attackers gained Exchange Online access, created inbox rules to delete or hide Workday alerts, enrolled attacker-controlled MFA devices, and used SSO paths to change direct‑deposit details in Workday so paychecks would land in accounts under their control. Microsoft observed 11 compromised accounts across three universities that were then used to phish nearly 6,000 email addresses at 25 universities.This campaign is a textbook example of modern Business Email Compromise (BEC) shifted to target payroll workflows — the “crown jewels” for financially motivated actors. Independent reporting and industry analysis corroborate Microsoft’s core findings and recommendations: attackers are exploiting weak or non‑phishing‑resistant MFA, abusing legitimate SSO flows, and using inbox rule and notification suppression as persistence/cover.
Why universities are attractive targets
Universities present a unique attack surface:- Decentralized IT and HR: Many campuses have distributed administration, multiple business systems and local HR contacts, making consistent security policies and rapid detection harder.
- High use of shared collaboration services: Google Docs and similar tools are common and trusted — ideal for attackers to hide malicious redirects.
- Large population of employees and students: Mass-target phishing can reach many potential footholds quickly.
- Reliance on third‑party SaaS for HR/payroll: Outsourced payroll portals such as Workday centralize transactional power in web‑accessible accounts.
- Often inconsistent MFA adoption and monitoring across departments.
The technical playbook: step‑by‑step
1. Targeting and lures
Attackers craft believable, institution‑specific emails with themes like illness clusters, HR updates or leadership messages. They often use legitimate document platforms (Google Docs links) as a first hop to evade filters and appear routine to recipients.2. AiTM phishing and MFA capture
These links redirect victims to an adversary‑in‑the‑middle proxy that relays credentials and captures Multi‑Factor Authentication (MFA) confirmations or session cookies. AiTM PhaaS tools have matured into highly automated kits that make such attacks low‑friction for criminals.3. Mailbox compromise and stealthing
Once in Exchange Online, attackers create inbox rules that delete or move incoming messages from payroll systems (e.g., those from @myworkday.com), preventing victims from seeing notifications of payroll changes. They may also enroll their own phone numbers or devices as MFA methods to retain access.4. SSO abuse to reach Workday
Using the compromised Exchange/Entra identity, attackers leverage SSO integrations to access the Workday profile and alter Manage Payment Elections / Change My Account settings to point salary payments at attacker‑controlled accounts. These modifications, once hidden, let the attacker reap repeated payments.5. Monetization and scale
The financial payoff can be immediate (divert next payroll) and repeated (future pay cycles) unless detected and reversed. The operation’s scale is amplified by reusing compromised accounts to phish additional targets.What Microsoft recommends (and why it matters)
Microsoft’s practical guidance centers around two pillars: make authentication phishing‑resistant and improve cross‑system detection and telemetry.Key recommendations include:
- Replace legacy and easily‑phished MFA (SMS, simple TOTP) with phishing‑resistant MFA: FIDO2 security keys, platform passkeys, or Windows Hello for Business. These rely on public‑key cryptography and origin checks that AiTM proxies cannot reproduce.
- Monitor Exchange Online for suspicious inbox rules, especially those referencing Workday domains, and correlate with Workday activity like “Change My Account” and “Manage Payment Elections.”
- Install and use connectors (Microsoft Defender for Cloud Apps, Microsoft Sentinel Workday connector) to centralize logging and enable hunting for specific events (device additions, payment election changes).
- Shorten session lifetimes and enable automated session revocation where suspicious signals exist; integrate EDR and identity telemetry for conditional access decisions.
Cross‑checked facts and what’s verified
The following statements are grounded in multiple independent sources and Microsoft telemetry:- Storm‑2657 targeted universities and used AiTM phishing to harvest MFA codes and session cookies.
- Microsoft observed 11 compromised accounts across three universities and near‑6,000 phish recipients across 25 institutions. That numeric detail comes directly from the Microsoft Threat Intelligence blog and has been repeated by industry reporting.
- The attacks abused SSO to make payroll changes in Workday; Microsoft explicitly states no Workday software vulnerability was exploited. This is Microsoft’s assessed attribution and technical judgment.
- Phishing‑resistant FIDO2/passkeys and Windows Hello are recommended mitigations because AiTM proxies cannot extract or replay their cryptographic assertions. This is a widely accepted technical property of WebAuthn/FIDO2 and is promoted by vendors as the practical defense.
- Microsoft did not disclose the identities of affected universities, nor total financial losses. Those specifics remain unverified in public reporting and should be treated as internal or sensitive incident details.
Critical analysis: strengths, gaps and operational risks
Strengths in Microsoft’s analysis and guidance
- Clear, actionable telemetry: Microsoft provides concrete hunting queries and recommended logging sources (Workday connector, Defender XDR tables). These give SOCs an immediate roadmap for detection and response.
- Prioritized control: phishing‑resistant MFA: Recommending passkeys/FIDO2 focuses remediation on a single, high‑leverage control that raises the bar for AiTM attacks. Industry corroboration shows this control is effective.
- Cross‑vendor cooperation: Microsoft acknowledges Workday’s partnership and emphasizes SSO/connector use, which is essential given this attack spans identity, mail and HR systems.
Operational and programmatic gaps
- Universities’ inertia and fragmentation: Rolling out passkeys and replacing legacy MFA across multiple campus domains, adjunct staff and student accounts is a major project. Many campuses still rely on SMS or app push for convenience — and attackers know that.
- Detection blindspots between systems: The attack succeeds because many universities lack cross‑system telemetry that correlates Exchange inbox rule creation with Workday payment edits. Installing connectors and building playbooks is non‑trivial.
- Human factors and social engineering: The attack’s effectiveness hinges on high‑quality lures. Even well‑trained users will fall for realistic, time‑pressured messages (the Microsoft data point that ~10% reported a phishing email as suspicious in one campaign shows most recipients didn’t). Training alone is insufficient.
Threat evolution and attacker economics
- The rise of Phishing‑as‑a‑Service (PhaaS) and AiTM kits means attackers with modest budgets can run advanced campaigns. These kits automate proxying, CAPTCHA gating and session cookie capture, lowering attacker skill requirements and increasing scale. This market dynamic explains why payroll hijacking — a relatively low‑effort, high‑reward crime — is re‑emerging.
Immediate response playbook for suspected compromise
If an organization suspects a payroll pirate compromise, execute this prioritized containment checklist without delay:- Identify and isolate impacted accounts
- Disable compromised Entra/M365 accounts and force sign‑out of all sessions.
- Revoke refresh tokens and active sessions across services.
- Remove attacker persistence
- Review and delete suspicious inbox rules in Exchange Online (search for rules referencing Workday or using DeleteMessage actions).
- Remove unauthorized MFA devices and phone numbers in account profiles and Duo/Authenticator enrollments.
- Lock down HR/SaaS controls
- Immediately freeze Workday payment elections for affected accounts and the HR admin role.
- Require secondary validation (phone confirmation to HR via pre‑established HR phone number) before applying payment changes.
- Investigate and restore
- Use the Workday connector, Defender for Cloud Apps and Sentinel to pull CloudAppEvents (Change My Account, Manage Payment Elections, device additions).
- Revert unauthorized bank account changes and coordinate with finance to stop or recover diverted payments where possible.
- Communicate and remediate
- Notify affected employees and HR; instruct employees to contact bank and HR immediately.
- Engage legal/compliance, and consider notifying law enforcement and banking partners for recovery. Note public disclosure obligations under state breach notification laws may apply depending on assets taken. (Specific legal requirements depend on jurisdiction and are not provided here.)
- Hunt for lateral movement
- Examine logs for API calls or Graph activity indicating mailbox exports or app consent grants. Attackers often pivot after mailbox access.
Strategic controls and rollout priorities for higher education
Moving from emergency fixes to sustainable defenses requires programmatic changes. Prioritize the following:- Enforce phishing‑resistant MFA first for:
- HR and payroll administrators
- Finance personnel with payment privileges
- IT and identity admins
- Tighten SSO change controls:
- Require step‑up authentication and dual approval for payment‑related profile edits in HR systems
- Limit and monitor service principal consent and OAuth app registrations that could be abused for persistence
- Implement cross‑system telemetry:
- Deploy Workday connectors, Defender for Cloud Apps and Sentinel analytics to correlate mailbox rules with HR events
- Shorten session lifetime and automate session revocation upon high‑risk signals
- Harden email ingestion:
- Enforce DMARC/SPF/DKIM, and apply URL rewriting and scanning for inbound links, plus block known PhaaS redirect chains
- Run frequent, context‑rich phishing simulations focused on HR and admin workflows (not just generic lures)
Practical considerations for deploying passkeys and FIDO2 on campus
Adopting passkeys and FIDO2 is the most resilient technical control, but it carries operational considerations:- Device and platform support: Modern desktops, laptops and mobile platforms increasingly support passkeys and Windows Hello; inventory and capability surveys are required before a broad rollout.
- Enrollment and recovery: Create secure fallback and recovery options for lost hardware keys that do not reintroduce easy‑to‑phish recovery flows.
- Phased deployment: Start with high‑risk staff (HR, payroll, finance, admins) and then expand to broader user populations.
- Cost and distribution: Hardware tokens have per‑user costs; platform passkeys and built‑in Windows Hello can reduce hardware needs but may require device posture checks.
- User training and change management: Clear, role‑specific communications and helpdesk readiness are essential to avoid service disruption.
Broader implications for payroll, vendors and public policy
- Payroll is a high‑value fraud target across sectors; universities should set institutional guardrails that treat payroll accounts as “high risk” systems requiring the strongest authentication and approval workflows.
- SaaS vendors like Workday need robust, auditable write event logs and customer guidance for protecting SSO chains — Microsoft explicitly welcomes Workday’s collaboration in mitigation.
- Banks and payment processors should implement and advertise hold/verification workflows for suspicious new direct‑deposit accounts when employer notifications or red flags appear; coordinated fraud detection between employers and banks is a recovery lever.
- Regulators and compliance functions should consider payroll‑diversion incidents as a category requiring standardized notification and reporting to enable aggregate understanding of scope and losses. At present, public disclosure of total losses in this campaign is not available.
Final assessment — what organizations must do now
The “payroll pirate” pattern illustrates a simple but devastating formula: targeted social engineering + weak phishing resistance + SSO/notification suppression = clean theft of salary funds. The defensive recipe is equally straightforward, if programmatically challenging:- Treat HR and payroll identities as privileged — lock them down immediately with phishing‑resistant MFA.
- Gain cross‑system telemetry so that Exchange rules and Workday changes are correlated in near‑real time.
- Harden SSO change workflows and require out‑of‑band validation for payment edits.
- Prepare incident playbooks that include rapid session revocation, inbox rule audits, and bank coordination to stop or recover diverted funds.
The payroll on the next payday shouldn’t be the metric that reveals whether defenses worked. Organizations must act before the money leaves the bank.
Source: theregister.com Microsoft warns of 'payroll pirate' attacks against US unis
