Microsoft Sounds Alarm Over “Payroll Pirates” Hijacking HR SaaS Accounts
Microsoft has issued a warning about a threat actor identified as Storm-2657, which is hijacking employee accounts to reroute salary payments into accounts controlled by attackers. The group has reportedly focused on U.S. organizations, particularly in sectors like higher education, exploiting HR software-as-a-service (SaaS) platforms such as Workday. Although Microsoft notes that any SaaS system housing payroll or bank account data can be targeted, the campaign—dubbed “Payroll Pirates”—relies less on system flaws and more on social engineering and weak security safeguards.
In observed attacks during early 2025, Storm-2657 gained initial access through phishing campaigns that captured both credentials and multi-factor authentication (MFA) codes via adversary-in-the-middle (AitM) tactics. The perpetrators then used single sign-on (SSO) to infiltrate HR systems from compromised Exchange Online accounts. Once inside, they created email inbox rules to delete alerts from HR systems, modified payroll information to redirect funds, and enrolled their own phone numbers as MFA devices to retain control.
This operation has already caused documented damage: Microsoft identified 11 compromised accounts at three universities, which were used to send phishing emails to nearly 6,000 accounts across 25 institutions. Those lures referenced urgent matters like illnesses or campus misconduct to trick recipients into interacting with fake HR portals.
To defend against Payroll Pirates, Microsoft recommends adopting phishing-resistant MFA solutions like FIDO2 security keys, scrutinizing accounts for suspicious changes (such as unknown MFA devices or unusual inbox rules), and enforcing stronger change-verification protocols for critical settings—especially those related to banking or pay data. Security teams should also monitor for phishing campaigns, malvertising, and “honeypot” SEO attacks targeting HR systems.
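As an added illustration of the account review Microsoft recommends (not code from Microsoft or from the report), the script below flags the two indicators named above over constructed audit events: an inbox rule that deletes or hides mail mentioning HR or payroll, and an MFA device enrolled within 24 hours of a payroll bank-account change. The event records and field names are simplified assumptions, not the real Microsoft 365 audit schema.

```python
"""Triage constructed account-audit events for Payroll Pirates indicators."""
from datetime import datetime, timedelta

# Terms that mark mail as HR/payroll related (assumption: tune per tenant).
HR_TERMS = ("workday", "payroll", "direct deposit", "bank account")
# Rule actions that make mail disappear from the user's view.
HIDING_ACTIONS = ("delete", "move:deleted items", "move:rss feeds", "markread")

# Constructed sample events; field names are simplified, not a real schema.
EVENTS = [
    {"ts": "2025-03-03T09:02:00", "user": "jdoe@example.edu", "op": "New-InboxRule",
     "rule": {"from": "workday@example.edu", "subject": "payroll", "action": "delete"}},
    {"ts": "2025-03-03T09:10:00", "user": "jdoe@example.edu", "op": "PayrollBankAccountChanged"},
    {"ts": "2025-03-03T09:25:00", "user": "jdoe@example.edu", "op": "MfaDeviceAdded",
     "device": "+1-555-0100"},
    {"ts": "2025-03-03T10:00:00", "user": "asmith@example.edu", "op": "New-InboxRule",
     "rule": {"from": "newsletter@example.edu", "subject": "digest", "action": "move:Archive"}},
    {"ts": "2025-03-04T14:00:00", "user": "asmith@example.edu", "op": "MfaDeviceAdded",
     "device": "+1-555-0199"},
]

def parse_ts(event):
    return datetime.fromisoformat(event["ts"])

def suspicious_inbox_rule(rule):
    """True if the rule hides mail whose sender or subject mentions HR/payroll."""
    text = f"{rule.get('from', '')} {rule.get('subject', '')}".lower()
    hides = rule.get("action", "").lower() in HIDING_ACTIONS
    return hides and any(term in text for term in HR_TERMS)

def mfa_near_pay_change(events, window=timedelta(hours=24)):
    """Users whose MFA enrollment falls within `window` of a pay/bank change."""
    by_user = {}
    for event in events:
        by_user.setdefault(event["user"], []).append(event)
    flagged = set()
    for user, evs in by_user.items():
        mfa = [parse_ts(e) for e in evs if e["op"] == "MfaDeviceAdded"]
        pay = [parse_ts(e) for e in evs if e["op"] == "PayrollBankAccountChanged"]
        if any(abs(m - p) <= window for m in mfa for p in pay):
            flagged.add(user)
    return flagged

def triage(events):
    """Map each user to the list of indicators observed for that account."""
    findings = {}
    for event in events:
        if event["op"] == "New-InboxRule" and suspicious_inbox_rule(event["rule"]):
            findings.setdefault(event["user"], []).append("hr-mail-hiding inbox rule")
    for user in mfa_near_pay_change(events):
        findings.setdefault(user, []).append("mfa enrolled near pay change")
    return findings
```

Only the first constructed account trips both indicators; a rule that merely archives a newsletter, or an MFA enrollment with no nearby pay change, is left alone, which is the point of correlating the two signals rather than alerting on either in isolation.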