Universities Under Siege in Payroll Pirate Attacks

Summary Points

1. The Storm-2657 cybercrime gang has been conducting "pirate payroll" attacks on US university employees since March 2025, targeting Workday and other HR SaaS platforms to hijack salary payments.
2. They utilize sophisticated social engineering tactics, including tailored phishing emails impersonating university officials and threats, to steal MFA codes via adversary-in-the-middle (AITM) links and compromise email accounts.
3. After gaining access, attackers modify payroll settings, delete warning notifications, and redirect payments to accounts under their control while employing MFA enrollment tactics to embed persistence.
4. These attacks are a form of business email compromise (BEC), with over 21,000 complaints and $2.7 billion losses reported in 2024, highlighting the high financial stakes and need for better phishing-resistant MFA protections.

The Core Issue

Since March 2025, a sophisticated cybercrime group known as Storm-2657 has been executing “pirate payroll” attacks aimed at university employees in the United States, primarily targeting their Workday accounts and other HR-related SaaS platforms. These threat actors employ advanced social engineering tactics, crafting highly tailored phishing emails—ranging from warnings about campus health issues to impersonations of university leaders—that deceive recipients into clicking malicious links. By exploiting the absence or weakness of multi-factor authentication (MFA), Storm-2657 manages to compromise email accounts via adversary-in-the-middle attacks, allowing them to access and manipulate payroll information covertly. They establish persistence by enrolling their own MFA devices, then use the compromised accounts to modify salary settings, redirect funds, and distribute further phishing campaigns across the academic network.

The reporting, carried out by Microsoft Threat Intelligence analysts, highlights that these breaches have already affected at least three universities, with nearly 6,000 email accounts targeted and 11 successfully compromised. These attacks not only put victims in financial jeopardy—for example, by redirecting salary payments—but also facilitate further phishing and malicious activity within the affected institutions. The FBI’s data underscores the scale of such business email compromise schemes, which in 2024 alone resulted in over $2.7 billion in losses. Microsoft’s investigators have identified the attack flow, provided guidance for mitigation, and warned that these tactics are part of a broader trend of financially motivated cyber operations exploiting weak MFA defenses.

Security Implications

Since March 2025, the cybercrime group Storm-2657 has conducted highly targeted “pirate payroll” attacks on U.S. university employees, exploiting weak security measures like the absence of multifactor authentication (MFA) to hijack salary payments via sophisticated social engineering and phishing tactics. By sending personalized phishing emails—impersonating university officials or warning of campus issues—they trick recipients into clicking malicious links and revealing MFA codes, which attackers then use to compromise email and HR accounts, disable security notifications, and reroute payroll funds to accounts under their control. Once inside, they even enroll their own devices as MFA methods to maintain access and evade detection. These breaches not only result in immediate financial theft but also enable the distribution of further malicious emails, jeopardizing institutional trust and financial security. Such “payroll pirate” schemes, a subset of business email compromise (BEC), exemplify how cybercriminals leverage social engineering and technical vulnerabilities—particularly the lack of MFA—to exploit organizations, contributing to over $2.7 billion in 2024 losses across reported cases, and underscoring the urgent need for robust cybersecurity protocols.

Possible Next Steps

Timely remediation in the face of "payroll pirate" attacks aimed at universities is crucial to protect sensitive financial data, prevent financial losses, and preserve institutional integrity. Rapid response minimizes the window of vulnerability, limits potential damage, and safeguards student and staff trust in the institution’s cybersecurity resilience.

Mitigation Strategies

• Immediate Containment: Isolate affected systems to prevent virus or malware spread.
• Vulnerability Patching: Install updates and patches for all software to close exploited security gaps.
• Access Control: Strengthen authentication protocols, enforce multi-factor authentication, and review access privileges.
• Security Monitoring: Implement real-time monitoring tools to detect unusual activity or unauthorized access attempts.
• User Training: Educate staff and students about phishing, social engineering, and secure password practices.
• Backup Procedures: Ensure secure, recent backups are available to restore systems swiftly.

Remediation Approaches

• Incident Investigation: Conduct detailed analysis to understand attack vectors and affected systems.
• Communication: Notify relevant authorities, stakeholders, and affected individuals promptly.
• Credential Reset: Force password resets on compromised accounts to prevent further misuse.
• Legal Action: Collaborate with law enforcement to track and prosecute perpetrators.
• Policy Revision: Update security policies and incident response plans to address vulnerabilities exposed by the attack.

Stay Ahead in Cybersecurity

Discover cutting-edge developments in Emerging Tech and industry Insights.

Understand foundational security frameworks via NIST CSF on Wikipedia.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1