Attack flow of threat actor activity in a real incident | Image: Microsoft
Microsoft Threat Intelligence has issued a warning about a financially motivated campaign conducted by a threat actor tracked as Storm-2657, dubbed by researchers as a “payroll pirate.” The group has been compromising employee accounts at U.S. universities to divert salary payments into attacker-controlled bank accounts.
According to Microsoft, “Storm-2657 is actively targeting a range of US-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) SaaS platforms like Workday.”
The operation, observed during the first half of 2025, relies heavily on social engineering and phishing emails. Attackers send realistic messages designed to steal multifactor authentication (MFA) codes through adversary-in-the-middle (AiTM) phishing links. Once access is gained, they hijack Exchange Online accounts and modify victims’ Workday payroll profiles to reroute salary payments.
Microsoft clarified that “these attacks don’t represent any vulnerability in the Workday platform or products,” but rather exploit weak or absent MFA protections.
Since March 2025, Microsoft has tracked 11 compromised accounts across three universities, which were then used to send nearly 6,000 phishing emails to employees at 25 institutions.
The emails used convincing themes, such as health alerts (“COVID-Like Case Reported — Check Your Contact Status”), internal misconduct reports (“Faculty Compliance Notice – Classroom Misconduct Report”), and official-looking HR updates (“[UNIVERSITY NAME] 2025 Compensation and Benefits Update”). To appear legitimate, some emails included Google Docs links, making them harder to detect in academic environments.
After compromising accounts, Storm-2657 set up inbox rules to automatically delete Workday notification emails, preventing victims from seeing payroll change alerts. In several cases, the attacker also added their own phone numbers as MFA devices, allowing continued access without user approval.
Once inside, the attacker modified bank account and payroll information via Workday’s “Change My Account” or “Manage Payment Elections” functions — effectively rerouting salaries to attacker-owned accounts.
Microsoft highlights that organizations can detect these intrusions by correlating signals between Microsoft Exchange Online and third-party SaaS systems like Workday. “Only by correlating first-party and third-party signals is it possible to detect this activity spawning across multiple systems,” the report notes.
The company urges organizations to implement phishing-resistant MFA, monitor audit logs for suspicious account or payment changes, and leverage Microsoft Defender for Cloud Apps to trace malicious inbox rules and payroll edits.
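The detection approach described above, correlating an Exchange Online inbox rule that hides Workday notifications with a later payroll change in Workday for the same user, can be sketched in a few lines. The following is an added example, not Microsoft's or Workday's detection logic: the event records are constructed samples with simplified field names (the real unified audit log and Workday audit schemas differ), and the 48-hour window is an assumed tuning value.

```python
"""Correlate inbox-rule creation in Exchange Online with payroll-profile
changes in Workday for the same user inside a time window.

All events below are constructed samples with simplified, assumed field
names; they are not the real Exchange Online or Workday audit schemas.
"""
from datetime import datetime, timedelta

# Constructed Exchange Online audit events (assumed simplified shape).
EXO_EVENTS = [
    # Rule that silently deletes anything mentioning Workday: suspicious.
    {"time": "2025-04-02T09:14:00", "user": "alice@uni.example",
     "op": "New-InboxRule",
     "params": {"SubjectContainsWords": "Workday", "DeleteMessage": "True"}},
    # Ordinary mail-hygiene rule: benign.
    {"time": "2025-04-02T09:20:00", "user": "bob@uni.example",
     "op": "New-InboxRule",
     "params": {"SubjectContainsWords": "Newsletter", "MoveToFolder": "Archive"}},
    # Rule keyed on the sender rather than the subject: still suppression.
    {"time": "2025-04-02T10:05:00", "user": "carol@uni.example",
     "op": "New-InboxRule",
     "params": {"From": "workday@uni.example", "DeleteMessage": "True",
                "MarkAsRead": "True"}},
]

# Constructed Workday audit events (assumed simplified shape).
WORKDAY_EVENTS = [
    {"time": "2025-04-02T09:31:00", "user": "alice@uni.example",
     "task": "Manage Payment Elections"},
    {"time": "2025-04-02T11:00:00", "user": "bob@uni.example",
     "task": "Manage Payment Elections"},
    # Three days after the rule: outside a 48h window, inside a 7-day one.
    {"time": "2025-04-05T08:00:00", "user": "carol@uni.example",
     "task": "Change My Account"},
]

# Workday tasks named in the report as the ones used to reroute pay.
PAYROLL_TASKS = {"Manage Payment Elections", "Change My Account"}
# Strings that mark a rule as aimed at Workday notifications (assumption).
NOTIFICATION_HINTS = ("workday",)
# Target folders that effectively hide mail from the user (assumption).
HIDING_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive"}


def is_suppression_rule(event):
    """True if an inbox rule deletes or hides mail that looks like a
    Workday notification, regardless of whether it matches on subject,
    sender, or body keywords."""
    if event["op"] not in ("New-InboxRule", "Set-InboxRule"):
        return False
    params = event["params"]
    hides = (params.get("DeleteMessage") == "True"
             or params.get("MoveToFolder", "").lower() in HIDING_FOLDERS)
    # Look at every parameter value so From/Subject/Body matches all count.
    haystack = " ".join(str(v) for v in params.values()).lower()
    return hides and any(hint in haystack for hint in NOTIFICATION_HINTS)


def correlate(exo_events, workday_events, window=timedelta(hours=48)):
    """Return (user, task, rule_time, change_time) tuples where a suppression
    rule precedes a payroll change by the same user within `window`."""
    rules = [(datetime.fromisoformat(e["time"]), e["user"])
             for e in exo_events if is_suppression_rule(e)]
    hits = []
    for change in workday_events:
        if change["task"] not in PAYROLL_TASKS:
            continue
        change_time = datetime.fromisoformat(change["time"])
        for rule_time, user in rules:
            if user == change["user"] and rule_time <= change_time <= rule_time + window:
                hits.append((user, change["task"],
                             rule_time.isoformat(), change_time.isoformat()))
    return sorted(hits)


def flagged_users(window_hours=48):
    """Convenience wrapper over the sample data: sorted list of users whose
    inbox rule and payroll change fall inside the window."""
    hits = correlate(EXO_EVENTS, WORKDAY_EVENTS, timedelta(hours=window_hours))
    return sorted({user for user, _, _, _ in hits})


if __name__ == "__main__":
    for hit in correlate(EXO_EVENTS, WORKDAY_EVENTS):
        print("ALERT", *hit)
```

Bob's rule is ignored because it neither hides mail nor mentions Workday; Carol's rule is a real suppression rule but her payroll change lands outside the default 48-hour window, so the window is the knob that trades noise for recall. In production the two event streams would come from the Exchange Online unified audit log and the Workday audit API rather than inline lists, and the user key would need normalizing across the two identity namespaces.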