- Storm-2657 hackers hit university email accounts to launch phishing and redirect salary payments
- Attackers exploited lack of MFA and used AITM tactics to access HR SaaS platforms
- Microsoft is helping victims and warns this is a BEC-style “payroll pirate” campaign
Hackers are breaking into human resources SaaS platform accounts at universities across the United States and redirecting salaries to their own accounts, Microsoft has warned.
Its report claims the attacks started in March 2025, when a financially motivated group tracked as Storm-2657 used social engineering, as well as the fact that there was no multi-factor authentication (MFA) set up, to break into 11 email accounts at three universities.
Using these accounts, they sent phishing emails to almost 6,000 email accounts across 25 universities, with themes varying from warnings of campus illness outbreaks, to reports of faculty misconduct. The goal was to get the victims to click on phishing links, and through adversary-in-the-middle (AITM) attacks gain access to their Exchange Online accounts.
Payroll pirate
The campaign is called “payroll pirate” and is a variation of the dreaded business email compromise (BEC) scam that is popular among cybercriminals.
Once inside, the hackers used the access to get into Workday (or other third-party HR SaaS platforms) and change salary payment configurations to redirect payments to accounts under their control.
They also set up inbox rules to delete any incoming email messages from these platforms, to make sure the victims never get notified about the ominous changes.
Then, they would propagate their attacks further: “Following the compromise of email accounts and the payroll modifications in Workday, the threat actor leveraged newly accessed accounts to distribute further phishing emails, both within the organization and externally to other universities,” Microsoft said.
In its report, Microsoft said it identified the people who fell for the phishing attack and had their payment data compromised. It is now reaching out to them, helping with mitigation. It also released tips and guidance to help potential victims investigate if they were compromised or not.
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
