Microsoft Uncovers "Payroll Pirate" Attacks Targeting U.S. Universities

In October 2025, Microsoft revealed new research into a wave of cyberattacks it calls "Payroll Pirate", a campaign targeting university employees across the United States. The attackers behind it are not after student data or research secrets. Instead, they aim to redirect staff paychecks into their own bank accounts.

According to Microsoft's security researchers, the company has been tracking a financially motivated hacking group known as Storm-2657. Their method combines phishing emails, identity theft, and manipulation of human resources software used for payroll. Rather than hacking the software itself, the criminals exploit weak login protections and trick employees into handing over access to their own accounts.

Microsoft's investigation found that the campaign has been active since at least early 2025. The hackers began by sending phishing emails to HR and payroll staff at several universities. These messages often appeared to come from trusted colleagues or supervisors and contained links that resembled standard document-sharing services, such as Google Docs.

When the targets clicked the links, they were taken to a fake login page that captured their usernames, passwords, and even multifactor authentication (MFA) codes. In some cases, MFA (a security layer designed to verify users through their phones or apps) was bypassed entirely through an "adversary-in-the-middle" technique, in which the attacker intercepts the authentication process in real time.

Once inside a victim's email account, the hackers moved quickly to cover their tracks. Microsoft found that they created hidden mailbox rules that automatically deleted or hid warning messages, particularly those from payroll systems like Workday. These rules ensured that if the HR platform later sent an alert about a changed bank account or payment detail, the real employee would never see it.

Next, the attackers used the employee's single sign-on credentials to enter the HR portal. Inside, they changed the bank account information linked to payroll, diverting future paychecks to accounts they controlled. In some cases, the hackers even registered new phone numbers or devices for MFA, effectively locking the legitimate employee out of their own account.

Microsoft's telemetry shows that with just a handful of initial compromises, the group sent phishing messages to nearly 6,000 people at 25 different universities, attempting to expand their access across the sector.

Universities have become increasingly attractive targets for cybercriminals because of their large, diverse staff bases and decentralized IT systems. Many organizations use cloud-based HR tools, such as Workday, which are convenient and accessible from anywhere in the world. If an employee's account is not adequately protected, it can provide a direct path to sensitive payroll data.

Moreover, universities often rely on temporary staff, research assistants, and contractors who may not have strong cybersecurity awareness training. This creates a perfect storm for phishing schemes that rely on human error rather than software flaws.

Microsoft emphasized that the issue does not lie in a vulnerability in Workday or similar platforms, but in how criminals exploit trust and weak account security.

While Microsoft's report focuses on universities, similar attacks have been unfolding elsewhere for years. Security company SilentPush has also been tracking "Payroll Pirate" attacks, describing them as a persistent group of online scammers that specialize in HR-themed phishing.

SilentPush researchers discovered that these criminals frequently set up fake HR or payroll websites designed to look like legitimate company portals. Sometimes they even buy online ads that appear in search results when users type phrases such as "HR login" or "update payroll information." These fake sites then harvest credentials from unsuspecting employees.

The company has cataloged hundreds of phishing domains associated with this activity, showing how organized and scalable the operation is. Their research suggests that while universities have been recent targets, private companies, state agencies, and hospitals have also faced similar scams.

The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) has also issued alerts about the trend. Their advisory warns that even organizations not using Workday can be at risk because any HR or payroll system that allows online access could be exploited in the same way.

Cybersecurity journalists at Bleeping Computer have noted that these incidents represent a new twist on business email compromise (BEC) scams, which have historically tricked companies into wiring money to fraudulent accounts. In this case, however, the attackers skip the finance department and go straight to the source: employees' paychecks.

Why the attacks work

The success of payroll redirection scams stems from human trust and the complexity of institutions. Organizations tend to focus on obvious targets, such as IT systems or financial databases, while HR platforms are sometimes overlooked. Because payroll is considered routine and automated, staff may not scrutinize an email claiming to come from HR.

Attackers also take advantage of MFA fatigue and security shortcuts. If MFA prompts are delivered by text message, an attacker who tricks an employee into sharing a code can bypass the protection. Microsoft stresses that phishing-resistant MFA, such as hardware security keys or biometric logins, is far more effective.

Finally, once the attackers are inside, traditional monitoring tools may not be able to detect their actions. Changing a bank account number or adding a new MFA device looks like a routine administrative task. Unless there are alerts or secondary approvals for those changes, the theft can go unnoticed until an employee misses a paycheck.
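The "secondary approvals" point above can be turned into a concrete check: hold a payroll bank-account change for out-of-band verification when the same user registered a new MFA device or created an inbox rule shortly before it. This is an added illustration, not Microsoft's or Workday's detection logic; the event names, CSV log format and 48-hour window are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Events that, shortly before a payroll change, suggest an account takeover rather
# than routine admin work. Names are assumed; map them to your IdP/HR/mail audit logs.
PRECURSORS = {"mfa_device_registered", "inbox_rule_created"}
WINDOW = timedelta(hours=48)  # assumed look-back window

def _parse(line):
    """Parse one constructed log line: ISO timestamp,user,event."""
    ts, user, event = line.strip().split(",")
    return datetime.fromisoformat(ts), user, event

def payroll_changes_to_hold(log_lines):
    """Return (timestamp, user, precursors) for each bank_account_changed event
    that should be held for verification because a precursor event for the same
    user occurred within WINDOW before it."""
    events = sorted(_parse(l) for l in log_lines if l.strip())
    holds = []
    for ts, user, ev in events:
        if ev != "bank_account_changed":
            continue
        prior = sorted({e for t, u, e in events
                        if u == user and e in PRECURSORS and ts - WINDOW <= t <= ts})
        if prior:
            holds.append((ts.isoformat(), user, prior))
    return holds

# Constructed sample log: alice shows the takeover pattern, bob is a routine change,
# carol's MFA enrolment is far too old to count.
SAMPLE_LOG = """\
2025-09-01T08:00:00,alice,login
2025-09-01T08:05:00,alice,inbox_rule_created
2025-09-01T08:20:00,alice,mfa_device_registered
2025-09-01T09:10:00,alice,bank_account_changed
2025-09-15T14:00:00,bob,bank_account_changed
2025-08-01T10:00:00,carol,mfa_device_registered
2025-09-20T10:00:00,carol,bank_account_changed
""".splitlines()

if __name__ == "__main__":
    for ts, user, why in payroll_changes_to_hold(SAMPLE_LOG):
        print(f"HOLD bank change for {user} at {ts}: preceded by {', '.join(why)}")
```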

Experts from Microsoft, SilentPush, and NJCCIC agree that there is no single fix for the payroll pirate problem. Instead, defense depends on tightening identity controls, monitoring HR systems, and raising awareness among employees.

Some key measures include:

  • Use phishing-resistant MFA: Hardware or app-based authentication should replace text-message codes.
  • Monitor payroll changes: Flag or verify any update to employee banking details before processing.
  • Audit mailbox rules: Automatically check for hidden or suspicious rules that might hide alert emails.
  • Educate employees: Teach staff to pause and verify unexpected HR messages or document requests.
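The hidden mailbox rules described earlier, and the "audit mailbox rules" measure in the list above, can be checked with a small scan over each user's inbox rules. This is an added example, not Microsoft's guidance or a Graph client; the rule objects are constructed and only loosely follow the Microsoft Graph messageRule shape (displayName / conditions / actions), which is an assumption, and the keyword list should be extended for your HR vendor.

```python
# Terms an attacker keys a hiding rule on (assumed list; extend per HR vendor).
PAYROLL_TERMS = ("workday", "payroll", "direct deposit", "bank account", "payment election")
# Rule actions that keep a matching message out of the employee's sight.
HIDING_ACTIONS = ("delete", "permanentDelete", "moveToFolder", "markAsRead", "forwardTo")

def _condition_text(rule):
    """Flatten the rule's matching conditions into one lower-case string."""
    cond = rule.get("conditions", {})
    parts = []
    for key in ("subjectContains", "bodyContains", "senderContains", "fromAddresses"):
        parts.extend(str(v) for v in cond.get(key, []))
    return " ".join(parts).lower()

def suspicious_rules(rules):
    """Return (displayName, reasons) for enabled rules that both match
    payroll-themed mail and act to hide it."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue  # disabled rules cannot hide anything today
        matched = [t for t in PAYROLL_TERMS if t in _condition_text(rule)]
        acts = rule.get("actions", {})
        hiding = [a for a in HIDING_ACTIONS if acts.get(a)]
        if matched and hiding:
            findings.append((rule.get("displayName", "<unnamed>"), matched + hiding))
    return findings

# Constructed sample: one benign filter, one rule of the kind the article describes,
# and one disabled leftover that should not be reported.
SAMPLE_RULES = [
    {"displayName": "Team newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": "Sync", "isEnabled": True,
     "conditions": {"subjectContains": ["Workday", "Direct Deposit"]},
     "actions": {"markAsRead": True, "moveToFolder": "RSS Feeds"}},
    {"displayName": "Old payroll rule", "isEnabled": False,
     "conditions": {"bodyContains": ["payroll"]},
     "actions": {"delete": True}},
]

if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES):
        print(f"SUSPICIOUS rule {name!r}: {', '.join(reasons)}")
```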

Organizations can also benefit from sharing intelligence. SilentPush, for instance, offers tracking data on infrastructure used by these phishing campaigns, while Microsoft has shared technical guidance to help defenders hunt for signs of compromise.

Ultimately, these attacks remind everyone that cybersecurity isn't only about technology; it's about awareness, vigilance, and ensuring that every employee, not just IT staff, understands the value of their digital identity.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
