Hackers target US universities in ‘payroll pirate’ phishing scheme
Farah Amod
October 23, 2025
A cybercrime group known as Storm-2657 is hijacking university payroll systems using phishing emails and MFA theft.
What happened
Since March 2025, Microsoft has tracked a financially motivated cybercrime group, Storm-2657, targeting US university employees to intercept salary payments in a type of phishing campaign known as “payroll pirate” attacks. The group uses custom phishing emails to trick recipients into surrendering login credentials and MFA codes, enabling access to university HR systems.
Microsoft confirmed 11 account compromises across three universities, which were used to send nearly 6,000 phishing emails to staff at 25 other institutions.
Going deeper
The attackers primarily target Workday accounts, though other third-party HR SaaS platforms may be affected. These attacks do not exploit any technical vulnerability in Workday, but rather take advantage of weak or missing phishing-resistant MFA.
Phishing emails have impersonated university leadership and HR teams, often using believable themes like faculty misconduct notices or compensation updates. The campaign uses adversary-in-the-middle (AiTM) phishing pages to intercept MFA codes. Once a victim logs in, the attackers gain full access to Exchange Online and Workday through SSO, allowing them to change salary payment details and redirect funds.
To evade detection, inbox rules are created to hide Workday alerts. In some cases, attackers even enrolled their own phone numbers as MFA devices to maintain access and continue unauthorized activity.
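Checking inbox rules is one of the concrete things a mailbox administrator can do when this pattern is suspected. As an added example (not part of the original article or of any Microsoft or Paubox tooling), the Python below scans a JSON export of a mailbox's inbox rules and flags rules whose conditions mention payroll or HR terms and whose action deletes, hides, or silently marks read the matching mail. The export is assumed to be shaped like `Get-InboxRule | ConvertTo-Json` output; the sample data is constructed, and the field names used are the standard InboxRule properties.

```python
import json

# Constructed sample export (not real data), shaped like the fields that
# `Get-InboxRule | ConvertTo-Json` emits. Three rules: ordinary housekeeping,
# a near-nameless rule hiding Workday notices, and one that deletes HR mail.
SAMPLE_EXPORT = json.dumps([
    {"Name": "Newsletters", "Enabled": True, "SubjectContainsWords": ["digest"],
     "MoveToFolder": "Alice\\Inbox\\Reading", "DeleteMessage": False, "MarkAsRead": False},
    {"Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": ["Workday", "direct deposit"],
     "MoveToFolder": "Alice\\RSS Feeds", "DeleteMessage": False, "MarkAsRead": True},
    {"Name": "cleanup", "Enabled": True, "FromAddressContainsWords": ["workday.com"],
     "MoveToFolder": None, "DeleteMessage": True, "MarkAsRead": False},
])

# Terms that a legitimate user rarely filters on, but an account hijacker does.
PAYROLL_TERMS = ("workday", "payroll", "direct deposit", "salary", "bank account")
# Folders almost nobody opens, a common parking spot for suppressed alerts.
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive")
CONDITION_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "FromAddressContainsWords")


def rule_findings(rule):
    """Return the reasons one inbox rule looks like it hides payroll notices ([] if benign)."""
    words = []
    for field in CONDITION_FIELDS:
        words.extend(rule.get(field) or [])
    if not any(term in " ".join(words).lower() for term in PAYROLL_TERMS):
        return []  # no payroll/HR condition: plain housekeeping, not worth an alert
    reasons = []
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    folder = (rule.get("MoveToFolder") or "").split("\\")[-1].strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves matching mail to rarely viewed folder '{folder}'")
    if rule.get("MarkAsRead"):
        reasons.append("marks matching mail as read")
    if reasons and len(rule.get("Name", "").strip()) <= 2:
        reasons.append("near-empty rule name")  # hijackers often name rules '.' or ','
    return reasons


def suspicious_rules(export_json):
    """Map rule name -> findings for every rule in the export worth an analyst's review."""
    return {r["Name"]: f for r in json.loads(export_json) if (f := rule_findings(r))}


if __name__ == "__main__":
    for name, findings in suspicious_rules(SAMPLE_EXPORT).items():
        print(f"{name!r}: {'; '.join(findings)}")
```

Run against a real export, every flagged rule should be compared with the mailbox owner's own intent before it is removed, since HR staff may legitimately file Workday mail.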
Microsoft has begun contacting affected institutions and issued guidance on investigating breaches and implementing phishing-resistant MFA.
What was said
“These attacks don’t represent any vulnerability in the Workday platform or products,” Microsoft stated. Instead, the success of the campaign reflects gaps in user awareness, email protections, and authentication processes.
The tactics resemble broader business email compromise (BEC) scams, which the FBI reports caused over $2.7 billion in known losses in 2024 alone, making it the second most costly cybercrime category after investment scams.
The big picture
The “payroll pirate” campaign shows how phishing is being used to steal data and directly reroute money. Attackers exploit weak MFA setups and user trust in familiar HR systems like Workday to quietly divert salaries. Because the emails come from real university accounts and use believable HR themes, traditional filters rarely flag them as suspicious.
Paubox recommends Inbound Email Security to help stop these attacks before they start. Its generative AI reviews the tone, sender behavior, and intent of each message to spot subtle signs of social engineering that typical spam filters miss. Combined with phishing-resistant MFA and tighter identity controls, this approach helps universities protect staff accounts and payroll systems from being hijacked.
FAQs
What makes phishing-resistant MFA different from regular MFA?
Unlike SMS codes or app-generated tokens, phishing-resistant MFA, such as FIDO2 keys or device-bound passkeys, cannot be intercepted by attackers through spoofed login pages.
How can inbox rules be used maliciously during a breach?
Attackers create email rules to automatically delete or hide warning messages, such as security alerts or login notices, reducing the chances of detection by the account owner.
What is adversary-in-the-middle (AiTM) phishing?
AiTM phishing intercepts both login credentials and MFA codes in real time, allowing attackers to bypass two-factor authentication even when it’s enabled.
Why are universities frequent targets for payroll scams?
Universities often have decentralized IT structures, many third-party platforms, and varied adoption of security practices, making them vulnerable to social engineering attacks.
What should universities do immediately after a suspected payroll hijack?
They should disable affected accounts, audit changes in HR systems, reset MFA devices, check inbox rules, and notify impacted staff while enhancing MFA across all systems.