TITLE: Microsoft Warns of University Payroll Phishing Attacks
Payroll Pirates Target Higher Education Institutions
Microsoft has issued a warning about sophisticated payroll attacks targeting university employees across the United States. According to the tech giant’s security team, hackers are infiltrating human resources SaaS platform accounts and redirecting employee salaries to their own bank accounts.
Attack Timeline and Methodology
The campaign, which Microsoft tracks as beginning in March 2025, involves a financially motivated group identified as Storm-2657. The attackers exploited the absence of multi-factor authentication (MFA) and used social engineering techniques to initially compromise 11 email accounts at three universities.
From these compromised accounts, the threat actors sent phishing emails to nearly 6,000 email addresses across 25 different universities. The messages used various convincing themes, including campus illness outbreak warnings and faculty misconduct reports, designed to trick recipients into clicking malicious links.
Sophisticated Attack Chain
Microsoft describes this as a “payroll pirate” campaign, a variation of business email compromise (BEC) scams. Through adversary-in-the-middle (AITM) attacks, the hackers gained access to victims’ Exchange Online accounts after the victims clicked the phishing links.
Once inside university systems, the attackers accessed Workday and other third-party HR platforms to modify salary payment configurations. They redirected payments to accounts under their control and established inbox rules to automatically delete notifications from these HR platforms, ensuring victims remained unaware of the unauthorized changes.
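As an added example (not from Microsoft's guidance or the original article), the sketch below flags inbox-rule audit events that delete mail matching HR-platform keywords, which is the hiding step described above. The records are constructed, and the simplified event shape (UserId, Operation, Parameters) and the keyword list are assumptions to adapt to your own audit export.

```python
import json

# Assumption: keywords that identify HR/payroll notifications in your tenant.
HR_KEYWORDS = ("workday", "payroll", "direct deposit")
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Inbox-rule conditions that select mail by sender or content.
MATCH_FIELDS = {"From", "FromAddressContainsWords", "SubjectContainsWords",
                "SubjectOrBodyContainsWords", "BodyContainsWords"}

def _ev(user, op, **params):
    """Build one constructed audit record as a JSON line."""
    return json.dumps({"UserId": user, "Operation": op,
                       "Parameters": [{"Name": k, "Value": v}
                                      for k, v in params.items()]})

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    _ev("alice@univ.example", "New-InboxRule",
        From="hr-notify@workday.example", DeleteMessage="True"),
    _ev("bob@univ.example", "New-InboxRule",
        SubjectContainsWords="Library newsletter", MoveToFolder="Archive"),
    _ev("carol@univ.example", "Set-InboxRule",
        SubjectContainsWords="Payroll;Direct Deposit",
        MoveToFolder="Deleted Items"),
    _ev("dave@univ.example", "New-InboxRule",
        SubjectContainsWords="Workday", MarkAsRead="True"),
    _ev("erin@univ.example", "MailItemsAccessed"),
]

def hides_hr_mail(event):
    """True if a rule change deletes mail that matches HR keywords."""
    if event.get("Operation") not in RULE_OPS:
        return False
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    deletes = (params.get("DeleteMessage", "").lower() == "true"
               or "deleted items" in params.get("MoveToFolder", "").lower())
    conditions = " ".join(v for k, v in params.items()
                          if k in MATCH_FIELDS).lower()
    return deletes and any(word in conditions for word in HR_KEYWORDS)

def suspicious_rules(lines):
    """Return (user, operation) for every flagged audit line."""
    events = (json.loads(line) for line in lines)
    return [(e["UserId"], e["Operation"]) for e in events if hides_hr_mail(e)]

if __name__ == "__main__":
    for user, op in suspicious_rules(SAMPLE_EVENTS):
        print(f"review mailbox rule: {user} ({op})")
```

A hit is a lead for review rather than proof of compromise; pair it with sign-in and HR-platform change records for the same user.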
Expanding the Attack
The campaign demonstrated significant persistence, with Microsoft noting that “following the compromise of email accounts and the payroll modifications in Workday, the threat actor leveraged newly accessed accounts to distribute further phishing emails, both within the organization and externally to other universities.”
Response and Protection
Microsoft has identified individuals who fell victim to these phishing attacks and had their payment information compromised. The company is currently reaching out to affected parties and providing mitigation assistance. Additional guidance has been released to help potential victims determine if they’ve been compromised and secure their systems.
This report builds on earlier coverage of university cybersecurity threats, highlighting the evolving nature of payroll-focused attacks in the education sector.