In a recent cybersecurity development, Microsoft has identified a threat actor, designated as Storm-2657, actively compromising employee accounts to reroute salary payments into accounts under their control. This campaign, dubbed Payroll Pirates, primarily targets U.S.-based organizations, with a notable focus on the higher education sector.
Modus Operandi of Storm-2657
Storm-2657’s strategy involves infiltrating third-party human resources (HR) software-as-a-service (SaaS) platforms, such as Workday. The attackers employ sophisticated social engineering techniques, including phishing emails designed to harvest user credentials and multi-factor authentication (MFA) codes. By utilizing adversary-in-the-middle (AitM) phishing links, they gain unauthorized access to victims’ Exchange Online accounts. Leveraging single sign-on (SSO) mechanisms, they subsequently take control of associated Workday profiles.
Tactics for Concealment and Persistence
Once access is secured, the attackers implement several measures to maintain control and evade detection:
– Inbox Rule Manipulation: They create email rules to automatically delete incoming notifications from Workday, effectively concealing unauthorized changes made to employee profiles.
– Salary Diversion: The attackers alter salary payment configurations, redirecting future salary disbursements to bank accounts they manage.
– MFA Device Enrollment: To ensure continued access, they enroll their own phone numbers as MFA devices on the compromised accounts.
– Propagation of Phishing Campaigns: Compromised email accounts are utilized to disseminate additional phishing emails within the organization and to other universities, expanding their reach and potential impact.
Scope and Impact
Since March 2025, Microsoft has observed 11 successful account compromises across three universities. These accounts were used to send phishing emails to nearly 6,000 recipients across 25 universities. The phishing emails often contain lures related to health issues or misconduct notices on campus, creating a false sense of urgency and prompting recipients to click on malicious links.
Recommendations for Mitigation
To counteract the threat posed by Storm-2657, Microsoft recommends the following measures:
– Adopt Phishing-Resistant MFA Methods: Implement passwordless, phishing-resistant MFA solutions, such as FIDO2 security keys, to enhance account security.
– Monitor for Suspicious Activity: Regularly review accounts for signs of unauthorized access, including unknown MFA devices and malicious inbox rules.
– Educate Employees: Conduct training sessions to raise awareness about phishing tactics and the importance of verifying the authenticity of emails, especially those requesting sensitive information or urgent actions.
– Implement Robust Access Controls: Ensure that access to HR and payroll systems is restricted to authorized personnel and that permissions are regularly reviewed and updated.
– Regularly Update and Patch Systems: Keep all software and systems up to date with the latest security patches to mitigate vulnerabilities that could be exploited by attackers.
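The inbox-rule concealment tactic described above and the recommendation to review accounts for malicious inbox rules can be checked programmatically. Below is an added Python example, not code from Microsoft's report or from Workday, that scans inbox rules in the shape returned by the Microsoft Graph messageRules endpoint and flags enabled rules that delete or hide Workday or payroll-related mail; the sample rules, addresses and folder ids are constructed.

```python
import re

# Constructed sample rules in the shape of Microsoft Graph messageRule objects
# (GET /users/{id}/mailFolders/inbox/messageRules); contents are made up.
SAMPLE_RULES = [
    {"displayName": ".", "isEnabled": True,
     "conditions": {"senderContains": ["workday"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"displayName": "Payroll", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["direct deposit", "bank account"]},
     "actions": {"moveToFolder": "deleteditems"}},  # well-known folder name
    {"displayName": "Newsletter filing", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@example.edu"}}]},
     "actions": {"moveToFolder": "AAMkConstructedFolderId"}},
]

# Terms a Workday pay-change notification or payroll mail would carry.
HR_TERMS = re.compile(r"workday|payroll|direct deposit|bank account|pay(?:check|slip)", re.I)
# Target folders that keep a message out of sight as effectively as deleting it.
HIDE_FOLDERS = {"deleteditems", "junkemail", "archive"}

def rule_text(rule):
    """Flatten the rule name and its string conditions into one searchable string."""
    parts = [rule.get("displayName", "")]
    for key, value in rule.get("conditions", {}).items():
        if key == "fromAddresses":
            parts += [v.get("emailAddress", {}).get("address", "") for v in value]
        elif isinstance(value, list):
            parts += [str(v) for v in value]
    return " ".join(parts)

def hides_mail(actions):
    """True if the rule deletes the message or files it where the user will not see it."""
    if actions.get("delete") or actions.get("permanentDelete"):
        return True
    return (actions.get("moveToFolder") or "").lower() in HIDE_FOLDERS

def find_suspicious_rules(rules):
    """Return (rule name, matched terms) for enabled rules that hide HR/payroll mail."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        terms = sorted({m.lower() for m in HR_TERMS.findall(rule_text(rule))})
        if terms and hides_mail(rule.get("actions", {})):
            findings.append((rule.get("displayName", ""), terms))
    return findings
```

Running `find_suspicious_rules(SAMPLE_RULES)` flags the first two constructed rules and leaves the newsletter rule alone; in practice, feed it the rules pulled for each mailbox and triage any hit alongside recent MFA device enrollments on the same account.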
Conclusion
The Payroll Pirates campaign underscores the evolving tactics of cybercriminals targeting financial assets through sophisticated social engineering and exploitation of SaaS platforms. Organizations, particularly in the higher education sector, must remain vigilant and proactively implement security measures to safeguard employee information and financial transactions.