'Payroll pirate' hackers diverting salary payments from university employees, Microsoft says

Cybercriminals are focusing on universities and different U.S. organizations with a marketing campaign to divert wage funds from workers to accounts managed by the attackers. 

Dubbed “payroll pirates,” the hackers are utilizing phishing emails to achieve entry to third-party platforms like Workday, in line with Microsoft. 

“Since March 2025, we’ve noticed 11 efficiently compromised accounts at three universities that have been used to ship phishing emails to just about 6,000 e-mail accounts throughout 25 universities,” Microsoft defined. 

The corporate’s researchers found the marketing campaign all through the primary half of 2025 — noting that whereas the risk actors are focusing on Workday accounts, a number of different programs holding HR or cost data for workers might be in danger. 

Microsoft stated the hackers used phishing emails with malicious hyperlinks to steal multifactor authentication codes. With the codes in hand, the risk actors have been in a position to hijack a sufferer’s Workday profile. 

As soon as inside an worker’s account, the hackers created an inbox rule that deleted any warning emails from Workday, permitting them to make checking account modifications with out being caught.  

Microsoft referred to as the risk actors Storm-2657 and stated it has reached out to a few of the affected prospects with recommendation on how you can handle the marketing campaign.

A Workday spokesperson stated they “encourage our prospects to allow phishing-resistant MFA strategies and add additional steps round delicate modifications like payroll to guard in opposition to threats like these.”

‘COVID-Like Case Reported’

The phishing emails got here in a number of completely different varieties and have been geared toward a number of universities. A number of of the emails had Google Docs hyperlinks and have been sometimes centered round themes involving COVID-19 or classroom misconduct allegations. 

A number of the topic strains had names like “COVID-Like Case Reported — Test Your Contact Standing” or “College Compliance Discover – Classroom Misconduct Report.”

One state of affairs concerned a phishing e-mail about sickness publicity standing that was despatched to 500 individuals at one group. Simply 10% of recipients reported the e-mail as a phishing try. 

“Probably the most lately recognized theme concerned phishing emails impersonating a reputable college or an entity related to a college,” Microsoft defined. “To make their messages seem convincing, Storm-2657 tailor-made the content material based mostly on the recipient’s establishment.” 

A number of the emails have been made to appear like official communications from the college president or emails from HR about modifications to compensation. 

Along with deleting all Workday emails from a sufferer’s inbox, the risk actors additionally enrolled their very own gadgets for multifactor authentication, permitting them to keep up entry for an extended period of time. 

The scheme is a variant of enterprise e-mail compromise (BEC), the place hackers take over e-mail threads or accounts and change reputable accounts with their very own. 

Enterprise e-mail compromise continues to be one of many thorniest — and costliest — digital crimes. For 2024, the FBI reported greater than $2 billion in losses because of enterprise e-mail compromise assaults. 

Most schemes goal companies that cope with wire transfers or automated clearing home funds, with the top purpose being to get victims to mistakenly ship funds to hacker-controlled accounts. 

Final 12 months, about $60 million was stolen from one of many main suppliers of carbon merchandise after an worker was tricked into making a number of wire transfers to cybercriminals. A faculty district in Tennessee was additionally tricked into handing over tens of millions. 

Be taught extra.