Payroll Pirate Phishing Attacks Targeting US University Employees
Cybercriminals identified as 'payroll pirates' have launched a targeted phishing campaign against US universities, aiming to divert salary payments from employees to accounts under their control. Microsoft Threat Intelligence reported that since March 2025, at least 11 accounts across three universities were successfully compromised, with phishing emails sent to nearly 6,000 recipients at 25 different universities. The attackers primarily targeted third-party platforms such as Workday, which are commonly used for HR and payroll management in higher education institutions. The phishing emails often contained malicious links and were crafted to steal multifactor authentication (MFA) codes, enabling the attackers to bypass security measures and hijack employee accounts. Once inside a compromised account, the threat actors established inbox rules to automatically delete warning emails from Workday, thereby concealing unauthorized changes to bank account information. This allowed the attackers to redirect salary payments without immediate detection by the victims. The phishing lures were varied, with some emails referencing COVID-19 exposure or faculty misconduct, and often included links to Google Docs to increase credibility. In one instance, a phishing email about illness exposure was sent to 500 individuals at a single organization. Microsoft attributed the campaign to a group it tracks as Storm-2657 and has proactively contacted affected customers with mitigation advice. The campaign demonstrates a sophisticated understanding of university HR processes and leverages social engineering themes relevant to academic environments. The attackers' use of MFA code theft highlights the evolving tactics used to bypass common security controls. Microsoft emphasized that while Workday was a primary target, other HR and payment systems could also be at risk. The scale of the campaign, with thousands of potential victims, underscores the need for heightened vigilance and improved security awareness among university staff. The incident has raised concerns about the security of third-party platforms used for payroll and HR functions in the education sector. Workday, the platform most frequently targeted, did not respond to requests for comment regarding the incident. Microsoft’s response included sharing technical indicators and recommended best practices to help organizations defend against similar attacks. The campaign is ongoing, and universities are urged to review their security protocols, especially around MFA and email filtering. The incident highlights the persistent threat of phishing and the importance of layered security defenses in protecting sensitive financial information.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Microsoft reports Storm-2755 payroll attacks targeting Canadian employees
Microsoft said financially motivated threat actor Storm-2755 is targeting Canadian employees by hijacking Microsoft 365 accounts and redirecting salary payments. The campaign uses adversary-in-the-middle phishing to steal session cookies and OAuth tokens, then abuses HR workflows and platforms such as Workday to alter direct-deposit details.
Workday urges customers to enable phishing-resistant MFA
Following reporting on the campaign, Workday advised customers to use phishing-resistant MFA and additional data-protection measures to reduce the risk of payroll-account takeover.
Microsoft publicly discloses Storm-2657 'payroll pirate' campaign
On October 9, 2025, Microsoft Threat Intelligence published details of the 'payroll pirate' campaign, attributing it to Storm-2657 and stating the activity abused weak identity protections rather than exploiting a Workday vulnerability.
Microsoft notifies some affected customers and prepares mitigation guidance
As part of its investigation, Microsoft said it contacted some affected customers and developed hunting, remediation, and incident-response guidance focused on removing malicious inbox rules, rogue MFA devices, and reversing payroll changes.
Compromised university accounts are used to expand phishing campaign
During the first half of 2025, the attackers used compromised university email accounts to send additional phishing messages, ultimately targeting nearly 6,000 accounts across 25 universities. The lures included institution-tailored themes such as HR notices, misconduct allegations, and health-related alerts.
Attackers successfully compromise accounts at three universities
Microsoft observed 11 successful account compromises across three universities. The attackers used access to Exchange Online and SSO-linked HR platforms such as Workday to alter employee payroll direct-deposit details and divert salary payments.
Storm-2657 begins payroll-diversion attacks on U.S. universities
Beginning in March 2025, Microsoft observed the financially motivated actor Storm-2657 targeting U.S.-based organizations, especially universities, with phishing aimed at stealing credentials and MFA codes to hijack payroll accounts.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
12 references tracked. Mallory keeps watching after this page renders.
Alert: Payroll-Hijacking Attacks Are Targeting Canadian Employees
blog.knowbe4.com
Open sourceHackers Use AiTM Session Hijacking to Redirect Employee Salaries in New Storm-2755 Campaign
cybersecuritynews.com
Open sourceMicrosoft: Canadian employees targeted in payroll pirate attacks
bleepingcomputer.com
Open sourcePoisoned "Office 365" search results lead to stolen paychecks - Help Net Security
helpnetsecurity.com
Open sourceUS universities subjected to ‘payroll pirate’ intrusions
scworld.com
Open source'Payroll pirate' hackers diverting salary payments from university employees, Microsoft says | The Record from Recorded Future News
therecord.media
Open sourceInvestigating targeted “payroll pirate” attacks affecting US universities | Microsoft Security Blog
microsoft.com
Open sourceMicrosoft: Hackers target universities in “payroll pirate” attacks
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Payroll Pirate Uses Microsoft Graph and AiTM Session Theft to Redirect Salaries
Attackers in the **Payroll Pirate** campaign are targeting HR, payroll, finance, and administrative staff by using adversary-in-the-middle phishing pages to steal active Microsoft 365 session tokens and take over accounts without needing passwords or defeating MFA directly. Researchers linked the activity to Microsoft-tracked clusters **Storm-2755** and **Storm-2657**, which have targeted organizations across sectors including healthcare, manufacturing, and food services to alter direct-deposit details and reroute employee pay to attacker-controlled bank accounts. After gaining access, the actors use **Microsoft Graph** API queries to enumerate directory users and identify payroll-related roles, leaving little or no endpoint evidence and shifting detection to Microsoft Entra sign-in telemetry and Graph activity logs. Investigators observed authentication traffic from U.S. mobile carrier IP ranges and follow-on directory reconnaissance from Canadian residential ISP addresses, suggesting proxy-backed operations; defenders were urged to enable Graph logging, revoke compromised sessions and tokens, tighten Conditional Access, deploy phishing-resistant MFA such as FIDO2 or Windows Hello for Business, audit OAuth consent and enterprise applications for persistence, and review payroll changes made during the compromise window.
Jun 15, 2026
Phishing Campaigns Targeting US Universities and Higher Education
A coordinated phishing campaign targeted at least 18 American universities over several months used the open-source Evilginx phishing kit to bypass multi-factor authentication (MFA) and compromise student and staff accounts. Attackers employed adversary-in-the-middle (AiTM) tactics, leveraging personalized emails with short-lived TinyURLs that mimicked university single sign-on (SSO) portals. By capturing both credentials and session cookies, the attackers were able to fully take over accounts, despite MFA protections. The campaign demonstrated advanced operational security, including frequent changes to attack links and the use of services like Cloudflare to obscure infrastructure, as detailed in Infoblox's investigation. Separately, Harvard University experienced a breach of its Alumni Affairs and Development office systems, attributed to a successful mobile phishing ("mishing") attack. The attacker gained access to internal systems, which the university subsequently secured. This incident highlights the growing trend of mobile-first phishing strategies that bypass traditional desktop and network defenses, posing significant risks to organizations with distributed workforces and sensitive data. The breach underscores the need for dedicated mobile threat defense solutions, as standard MDM and UEM tools are insufficient against sophisticated mobile phishing attacks.
Mar 21, 2026
Storm-2755 Hijacks Microsoft 365 Sessions to Redirect Payroll Deposits
Microsoft said the financially motivated threat actor **Storm-2755** targeted Canadian employees in payroll diversion attacks by compromising Microsoft 365 accounts and changing salary payments to attacker-controlled bank accounts. The campaign used SEO poisoning and malvertising to lure victims to `bluegraintours[.]com`, where an adversary-in-the-middle phishing flow captured credentials, session cookies, and OAuth tokens, allowing the attackers to bypass MFA through token replay and gain persistent access to victim accounts. After entering compromised tenants, Storm-2755 searched for payroll and HR workflows, created inbox rules to hide messages about direct-deposit or banking changes, and in some cases manually accessed HR SaaS platforms such as **Workday** to alter payment details. Microsoft reported indicators including Entra error code `50199`, a user-agent shift to **Axios 1.7.9** with the same session ID, and recurring non-interactive **OfficeHome** sign-ins about every 30 minutes; the company said it assisted affected organizations, carried out tenant takedowns, and urged defenses including phishing-resistant MFA, token revocation, Conditional Access, continuous access evaluation, suspicious inbox-rule monitoring, and device compliance enforcement.
May 25, 2026