Microsoft Uncovers Sophisticated Payroll Theft Scheme Targeting Employee Accounts

In a recent disclosure, Microsoft Threat Intelligence has identified a financially motivated cybercriminal group, designated as Storm-2657, orchestrating intricate payroll pirate attacks. These operations primarily target U.S. universities and various organizations, aiming to compromise employee accounts to illicitly reroute salary payments into attacker-controlled bank accounts.

The Evolution of Cybercriminal Tactics

The emergence of Storm-2657 signifies a notable advancement in cybercriminal methodologies. By merging sophisticated social engineering strategies with technical exploitation, these attackers achieve significant financial gains. Their primary focus has been on employees within the higher education sector, leveraging access to third-party Software as a Service (SaaS) platforms, notably Workday.

Scope and Impact of the Attacks

Since March 2025, Microsoft’s research indicates that Storm-2657 successfully compromised 11 accounts across three universities. These breaches facilitated phishing campaigns targeting nearly 6,000 email accounts spanning 25 educational institutions. The precision and scale of these operations suggest a well-resourced and methodical approach to financial fraud.

Initial Attack Vectors

The attack sequence commences with meticulously crafted phishing emails designed to harvest credentials through adversary-in-the-middle (AITM) techniques. These emails exploit various social engineering themes, including fabricated campus health alerts with subject lines like COVID-Like Case Reported — Check Your Contact Status and Confirmed Case of Communicable Illness. By impersonating legitimate university communications and referencing specific university officials or HR departments, the attackers enhance the credibility of their messages, increasing the likelihood of victim engagement.

Exploitation of Authentication Weaknesses

Microsoft analysts have observed that Storm-2657 capitalizes on organizations’ lack of phishing-resistant multifactor authentication (MFA). Because the AITM phishing page relays the victim’s session in real time, the attackers can intercept and replay stolen MFA codes to gain initial access to Exchange Online accounts. Once inside, the threat actors exhibit remarkable persistence and stealth capabilities.

Technical Infiltration and Persistence Mechanisms

Upon gaining access to victim accounts, Storm-2657 immediately establishes persistence by enrolling their own phone numbers as MFA devices within the compromised Workday profiles or Duo MFA settings. This tactic ensures continued access without requiring further MFA approval from legitimate users, effectively bypassing security controls that organizations believe protect their systems.

The attackers then create sophisticated inbox rules designed to automatically delete or hide incoming notification emails from Workday’s email service. These rules are often named using only special characters like …. or ”” to avoid detection during casual security reviews. This technique ensures that victims remain unaware of unauthorized changes to their payroll configurations, as the standard notification emails warning of profile modifications never reach their intended recipients.
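The inbox-rule pattern described above can be checked for at scale. The following is an added example, not Microsoft’s or Workday’s code: it walks a list of exported inbox rules (the record shape and the Workday sender domains are assumptions, and the sample rules are constructed) and reports any rule whose name contains no letters or digits and which deletes or buries Workday notification mail.

```python
"""Flag Exchange Online inbox rules matching the Storm-2657 pattern:
opaque punctuation-only names plus actions that delete or bury
notification mail from the Workday email service."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed sender domains for Workday notifications; adjust per tenant.
WORKDAY_SENDER_HINTS = ("workday.com", "myworkday.com")
# Folders a user is unlikely to ever read.
BURY_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}


@dataclass
class InboxRule:
    name: str
    from_addresses: List[str] = field(default_factory=list)
    subject_words: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None


def opaque_name(name: str) -> bool:
    """True when the name has no letters or digits at all ('....', '\"\"')."""
    return not any(ch.isalnum() for ch in name)


def targets_workday(rule: InboxRule) -> bool:
    senders = " ".join(rule.from_addresses).lower()
    subjects = " ".join(rule.subject_words).lower()
    return any(h in senders for h in WORKDAY_SENDER_HINTS) or "workday" in subjects


def hides_mail(rule: InboxRule) -> bool:
    return rule.delete_message or (rule.move_to_folder or "").lower() in BURY_FOLDERS


def assess(rule: InboxRule) -> List[str]:
    """Reasons a rule looks like payroll-notification suppression; empty if benign."""
    if not (targets_workday(rule) and hides_mail(rule)):
        return []  # only rules that both match Workday mail and hide it are reported
    reasons = ["matches Workday notifications", "deletes or buries mail"]
    if opaque_name(rule.name):
        reasons.insert(0, "opaque name")
    return reasons


def find_suspicious(rules: List[InboxRule]) -> List[Tuple[str, List[str]]]:
    return [(r.name, reasons) for r in rules if (reasons := assess(r))]


# Constructed sample: one benign rule and two modelled on the reported technique.
SAMPLE_RULES = [
    InboxRule("Newsletters", from_addresses=["news@example.com"], move_to_folder="Reading"),
    InboxRule("....", from_addresses=["noreply@workday.com"], delete_message=True),
    InboxRule('""', subject_words=["Workday", "Payment Elections"], move_to_folder="RSS Feeds"),
]

if __name__ == "__main__":
    for name, why in find_suspicious(SAMPLE_RULES):
        print(f"suspicious rule {name!r}: {', '.join(why)}")
```

In practice the rule records would come from an export of each mailbox’s inbox rules rather than the constructed list.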

Manipulation of Payroll Systems

With persistence established, Storm-2657 accesses Workday through single sign-on (SSO) authentication and methodically modifies victims’ salary payment configurations. The Workday audit logs capture these activities as Change My Account or Manage Payment Elections events, providing forensic evidence of the unauthorized modifications. Microsoft Defender for Cloud Apps can correlate these activities across both Microsoft Exchange Online and third-party SaaS applications like Workday, enabling comprehensive detection of suspicious cross-platform activities.

Broader Implications and Related Incidents

The tactics employed by Storm-2657 are not isolated incidents. Similar methods have been observed in other cyberattacks targeting employee accounts to reroute salary payments. For instance, a recent campaign involved hackers impersonating organizations to steal payroll logins and redirect payments. In this scheme, attackers used search engine optimization (SEO) poisoning to create fraudulent websites that appeared at the top of search results when employees searched for their company’s payroll portal. Unsuspecting employees were then directed to fake login pages, where their credentials were harvested and used to access payroll systems, resulting in salary payments being diverted to attacker-controlled accounts.

Recommendations for Organizations

To mitigate the risks associated with such sophisticated attacks, organizations are advised to implement the following measures:

1. Enhance Employee Training: Educate staff about recognizing phishing attempts and the importance of verifying the authenticity of communications, especially those requesting sensitive information.

2. Implement Phishing-Resistant MFA: Adopt multifactor authentication methods that are resistant to phishing, such as hardware tokens or biometric verification, to strengthen access controls.

3. Regularly Monitor Account Activities: Establish continuous monitoring of account activities to detect unusual behaviors, such as unexpected changes to MFA settings or email forwarding rules.

4. Restrict Access to Payroll Systems: Limit access to payroll and HR systems to only those employees who require it for their job functions, reducing the potential attack surface.

5. Conduct Regular Security Audits: Perform periodic security assessments to identify and remediate vulnerabilities within the organization’s IT infrastructure.

Conclusion

The emergence of groups like Storm-2657 underscores the evolving landscape of cyber threats, where attackers employ a combination of social engineering and technical exploitation to achieve their objectives. Organizations must remain vigilant, continuously updating their security protocols and educating employees to recognize and respond to such threats effectively.