‘Payroll Pirate’ Attacks Target U.S. Universities, Diverting Employee Salaries

Brownie2019
Thread author
Mar 9, 2019
Microsoft Threat Intelligence has revealed a spate of financially motivated cyberattacks against universities across the United States. The threat actor, known as Storm-2657, is exploiting weak authentication as part of what experts are calling “payroll pirate” attacks, a scheme in which an attacker reroutes an employee’s salary into a bank account controlled by the attacker.

According to Microsoft, the group has been accessing the accounts of university employees by stealing their login credentials and multifactor authentication (MFA) codes. Once they accessed the account, they would have access to the human resources (HR) system, such as Workday, and then change the payroll information to redirect payments.

The campaign lasted for the first half of 2025 and primarily focused on universities; however, it raises questions for any organization using a cloud HR or payroll platform. Workday was the most common solution attacked, but Microsoft clarified that the attacks exploited human error and weak authentication, not an actual vulnerability in the Workday platform.
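A defender's view of the pattern described above, as an added example that is not from the article or this thread: it correlates constructed identity-provider sign-in events with constructed HR direct-deposit change events and flags a change that follows a new-device sign-in within a short window, or that routes more than one employee's pay to the same account. Every field name, user, IP and account value here is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the article). SIGNINS would come
# from the identity provider, PAYROLL_CHANGES from the HR/payroll platform's
# audit log; the field names are assumed, not any vendor's real schema.
SIGNINS = [
    {"user": "alice", "ts": "2025-03-03T09:12:00", "ip": "203.0.113.7",  "new_device": True},
    {"user": "bob",   "ts": "2025-03-03T08:00:00", "ip": "198.51.100.2", "new_device": False},
    {"user": "carol", "ts": "2025-03-04T10:30:00", "ip": "203.0.113.7",  "new_device": True},
]
PAYROLL_CHANGES = [
    {"user": "alice", "ts": "2025-03-03T09:20:00", "field": "direct_deposit", "new_account": "ACCT-9001"},
    {"user": "bob",   "ts": "2025-03-03T15:00:00", "field": "direct_deposit", "new_account": "ACCT-1234"},
    {"user": "carol", "ts": "2025-03-04T10:41:00", "field": "direct_deposit", "new_account": "ACCT-9001"},
]


def _t(s):
    return datetime.fromisoformat(s)


def find_suspicious_changes(signins, changes, window=timedelta(hours=2)):
    """Return [(user, [reasons])] for direct-deposit changes that either follow
    a new-device sign-in by the same user within `window`, or point several
    employees at one destination account (a common sign of a mule account)."""
    users_per_account = {}
    for c in changes:
        if c["field"] == "direct_deposit":
            users_per_account.setdefault(c["new_account"], set()).add(c["user"])

    findings = []
    for c in changes:
        if c["field"] != "direct_deposit":
            continue
        reasons = []
        for s in signins:
            gap = _t(c["ts"]) - _t(s["ts"])
            if s["user"] == c["user"] and s["new_device"] and timedelta(0) <= gap <= window:
                reasons.append(f"new-device sign-in from {s['ip']} {gap} before change")
        shared_by = len(users_per_account[c["new_account"]])
        if shared_by > 1:
            reasons.append(f"account {c['new_account']} shared by {shared_by} employees")
        if reasons:
            findings.append((c["user"], reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious_changes(SIGNINS, PAYROLL_CHANGES):
        print(user, "->", "; ".join(reasons))
```

In practice the same correlation also wants the change-notification e-mail and any newly registered MFA method pulled in, since those are the signals the employee would otherwise see first.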
Thanks for sharing this, Brownie2019. It's a stark reminder of how even large institutions like universities can fall victim to credential theft if authentication isn't locked down tight. Microsoft Threat Intelligence did a solid job highlighting that this isn't about flaws in tools like Workday, but rather social engineering and weak MFA setups letting attackers slip in.

For anyone reading this—whether you're in education, HR, or just managing your own accounts—here are a few practical steps to bolster defenses against similar "payroll pirate" schemes:

  • Enable hardware-based MFA (like YubiKey) where possible, as it's harder to phish than app-based codes.
  • Regularly audit and rotate credentials, especially for high-privilege systems like payroll.
  • Train staff on spotting phishing attempts—those MFA code requests can come disguised as legit emails.
  • Consider implementing zero-trust access controls for cloud platforms to limit what an attacker can do even if they get in.

Has anyone here dealt with similar incidents in their organization? Curious to hear how you've hardened your setups.

the attacks exploited human error and weak authentication
So much for universities being the bastions of the world's brightest and greatest.

It's OK. They can be forgiven because they are human. To be human is to err.

:ROFLMAO:
So much for universities being the bastions of the world's brightest and greatest.

It's OK. They can be forgiven because they are human. To be human is to err.

:ROFLMAO:
article says it was social engineering: "The attackers crafted emails designed to mimic official university communications, tricking recipients into revealing credentials and MFA codes." I thought university IT security would better block / remove phishing emails so they never arrived in users' inboxes :unsure:
 
article says it was social engineering: "The attackers crafted emails designed to mimic official university communications, tricking recipients into revealing credentials and MFA codes." I thought university IT security would better block / remove phishing emails so they never arrived in users' inboxes :unsure:
Are you surprised? Most of the time it’s that. You would expect these emails to be removed, but most of the time a banner is injected and that’s it. You have the same banner everywhere and you don’t notice it. That’s the alert fatigue.
 
article says it was social engineering: "The attackers crafted emails designed to mimic official university communications, tricking recipients into revealing credentials and MFA codes." I thought university IT security would better block / remove phishing emails so they never arrived in users' inboxes :unsure:
If you worked in enterprise and government, you'd just shake your head.

Best is to be a consultant and get paid no matter what the knuckleheads do or do not do.