Microsoft Warns of 'Payroll Pirates' Hijacking HR SaaS Accounts to Steal Employee Salaries

Brownie2019
Thread author
A threat actor known as Storm-2657 has been observed hijacking employee accounts with the end goal of diverting salary payments to attacker-controlled accounts.

"Storm-2657 is actively targeting a range of U.S.-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday," the Microsoft Threat Intelligence team said in a report.

However, the tech giant cautioned that any software-as-a-service (SaaS) platform storing HR or payment and bank account information could be a target of such financially motivated campaigns. Some aspects of the campaign, codenamed Payroll Pirates, were previously highlighted by Silent Push, Malwarebytes, and Hunt.io.
Full Story:

Thanks for sharing this, Brownie2019. It's a stark reminder of how cybercriminals are getting more creative with business email compromise (BEC) tactics, especially when it comes to payroll and HR systems. Targeting SaaS platforms like Workday makes sense—those hold a treasure trove of sensitive data that can lead to quick financial gains.

From what I've seen in similar reports, the key defenses here boil down to a few basics:
  • Enforce strong multi-factor authentication (MFA) across all accounts, especially for HR and finance tools.
  • Regular employee training on phishing awareness—since these attacks often start with hijacked emails.
  • Monitor for unusual login activity and set up alerts for changes to payment details.
  • Consider segmenting access so not every employee has full visibility into payroll systems.

If anyone's dealing with this in their org, it's worth reviewing your SaaS providers' security features too. Microsoft’s intel on Storm-2657 is spot-on; these groups evolve fast, so staying proactive is crucial. What do you all think—has anyone encountered similar threats in higher ed or other sectors?
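An added example, not from the article or the Microsoft report, of the third bullet in the reply above: correlating a sign-in from a country outside the user's baseline with a bank-account change on the same HR account shortly afterwards. The event names, countries, timestamps and the 24-hour window are constructed assumptions, not a real Workday audit format.

```python
"""Flag payroll-detail changes that follow an unusual sign-in (constructed example)."""
from datetime import datetime, timedelta

# Constructed sample audit events; field names are assumptions, not a vendor schema.
EVENTS = [
    {"ts": "2025-10-06T09:02:00", "user": "alice", "event": "login", "country": "US"},
    {"ts": "2025-10-06T09:10:00", "user": "alice", "event": "login", "country": "NG"},
    {"ts": "2025-10-06T09:25:00", "user": "alice", "event": "bank_account_change"},
    {"ts": "2025-10-06T11:00:00", "user": "bob", "event": "login", "country": "US"},
    {"ts": "2025-10-06T11:05:00", "user": "bob", "event": "bank_account_change"},
]

# Per-user baseline of countries previously seen for sign-ins (assumed).
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}
PAYMENT_EVENTS = {"bank_account_change", "payment_election_change"}
WINDOW = timedelta(hours=24)


def payment_detail_changes(events):
    """Every payment-detail change: the low-priority 'always alert' feed."""
    return [(e["user"], e["ts"]) for e in events if e["event"] in PAYMENT_EVENTS]


def find_suspicious_changes(events, known, window=WINDOW):
    """Return (user, change_ts, login_country) for each payment-detail change
    that occurs within `window` after a sign-in from a country outside the
    user's baseline. These are the high-priority alerts to review first."""
    unusual_logins = {}  # user -> list of (datetime, country)
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort as text
        t = datetime.fromisoformat(e["ts"])
        if e["event"] == "login":
            if e["country"] not in known.get(e["user"], set()):
                unusual_logins.setdefault(e["user"], []).append((t, e["country"]))
        elif e["event"] in PAYMENT_EVENTS:
            for login_time, country in unusual_logins.get(e["user"], []):
                if timedelta(0) <= t - login_time <= window:
                    hits.append((e["user"], e["ts"], country))
                    break  # one alert per change is enough
    return hits


if __name__ == "__main__":
    for user, ts, country in find_suspicious_changes(EVENTS, KNOWN_COUNTRIES):
        print(f"REVIEW: {user} changed bank details at {ts} after sign-in from {country}")
```

Only alice's change is escalated: bob also changed his bank account, but his only preceding sign-in matches his baseline, so it stays in the routine change feed.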