Payroll Pirates

A threat actor known as Storm-2657 has been observed hijacking employee accounts with the end goal of diverting salary payments to attacker-controlled accounts.

"Storm-2657 is actively targeting a range of U.S.-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday," the Microsoft Threat Intelligence team said in a report.

However, the tech giant cautioned that any software-as-a-service (SaaS) platform storing HR or payment and bank account information could be a target of such financially motivated campaigns. Some aspects of the campaign, codenamed Payroll Pirates, were previously highlighted by Silent Push, Malwarebytes, and Hunt.io.


What makes the attacks notable is that they don't exploit any security flaw in the services themselves. Rather, they leverage social engineering tactics and a lack of multi-factor authentication (MFA) protections to seize control of employee accounts and ultimately modify payment information so that salary payments are routed to accounts managed by the threat actors.

In one campaign observed by Microsoft in the first half of 2025, the attacker is said to have obtained initial access through phishing emails designed to harvest victims' credentials and MFA codes using an adversary-in-the-middle (AitM) phishing link, thereby gaining access to their Exchange Online accounts and taking over Workday profiles through single sign-on (SSO).

The threat actors have also been observed creating inbox rules to delete incoming warning notification emails from Workday so as to hide the unauthorized changes made to profiles. This includes altering the salary payment configuration to redirect future salary payments to accounts under their control.

To ensure persistent access to the accounts, the attackers enroll their own phone numbers as MFA devices for victim accounts. What's more, the compromised email accounts are used to distribute further phishing emails, both within the organization and to other universities.

Microsoft said it observed 11 successfully compromised accounts at three universities since March 2025 that were used to send phishing emails to nearly 6,000 email accounts across 25 universities. The email messages feature lures related to illnesses or misconduct notices on campus, inducing a false sense of urgency and tricking recipients into clicking on the fake links.

To mitigate the risk posed by Storm-2657, it's recommended to adopt passwordless, phishing-resistant MFA methods such as FIDO2 security keys, and review accounts for signs of suspicious activity, such as unknown MFA devices and malicious inbox rules.
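The inbox-rule tactic described above (rules that silently delete Workday change notifications) is something a defender can hunt for in an export of mailbox rules. The following is an added example, not code from Microsoft, Silent Push or Workday; it assumes a constructed JSON export whose field names mirror common inbox-rule attributes (Name, Enabled, Conditions, Actions) and flags rules that both match HR/payroll mail and hide it from the user.

```python
"""Flag mailbox rules that would hide HR/payroll change notifications.

Added example (not part of the original article). The export format and its
field names are assumptions; adapt them to whatever your rule listing emits.
"""
import json

# Words that identify HR/payroll notification mail in sender, subject or body.
HR_KEYWORDS = ("workday", "payroll", "direct deposit", "payment election", "bank account")

# Actions and destination folders that make a message disappear from normal view.
HIDING_ACTIONS = ("DeleteMessage", "SoftDeleteMessage", "MarkAsRead")
HIDING_FOLDERS = {"deleted items", "archive", "rss feeds", "junk email", "conversation history"}


def _matches_hr(words):
    """True if any condition word contains an HR/payroll keyword."""
    return any(k in w.lower() for w in words for k in HR_KEYWORDS)


def rule_hides_hr_mail(rule):
    """True when an enabled rule targets HR/payroll mail AND hides it."""
    if not rule.get("Enabled", True):
        return False
    conditions = rule.get("Conditions", {})
    if not any(_matches_hr(words) for words in conditions.values()):
        return False  # rule does not target HR mail at all
    actions = rule.get("Actions", {})
    if any(actions.get(a) for a in HIDING_ACTIONS):
        return True
    # Moving into a folder nobody reads is the same as deleting, in practice.
    return str(actions.get("MoveToFolder", "")).lower() in HIDING_FOLDERS


def find_suspicious_rules(export_text):
    """Return the names of suspicious rules from a JSON export of rules."""
    return [r["Name"] for r in json.loads(export_text) if rule_hides_hr_mail(r)]


# Constructed sample export: two hiding rules, one benign filing rule,
# one benign Workday rule (moves to a visible folder) and one disabled rule.
SAMPLE_EXPORT = json.dumps([
    {"Name": "Delete Workday", "Enabled": True,
     "Conditions": {"FromAddressContainsWords": ["@myworkday.example"]},
     "Actions": {"DeleteMessage": True}},
    {"Name": "Hide payroll", "Enabled": True,
     "Conditions": {"SubjectContainsWords": ["Payment Election Change", "Direct Deposit"]},
     "Actions": {"MoveToFolder": "RSS Feeds", "MarkAsRead": True}},
    {"Name": "Newsletters", "Enabled": True,
     "Conditions": {"FromAddressContainsWords": ["news@vendor.example"]},
     "Actions": {"MoveToFolder": "Newsletters"}},
    {"Name": "File HR mail", "Enabled": True,
     "Conditions": {"FromAddressContainsWords": ["workday"]},
     "Actions": {"MoveToFolder": "HR"}},
    {"Name": "Old rule", "Enabled": False,
     "Conditions": {"BodyContainsWords": ["workday"]},
     "Actions": {"DeleteMessage": True}},
])

if __name__ == "__main__":
    print(find_suspicious_rules(SAMPLE_EXPORT))  # ['Delete Workday', 'Hide payroll']
```

A hit is a starting point for review, not proof of compromise; pair it with the article's other indicators (unknown MFA devices, recent changes to payment elections) before acting.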

Update

"Storm-2657 is the same threat actor named by Silent Push as Payroll Pirates and tracked by a wide range of organizations across the cybersecurity industry," Zach Edwards, senior threat researcher at Silent Push, told The Hacker News. "The report from Microsoft includes significant new details about new health and education phishing lures, which are creative ways to try and trick someone into logging into a fake HR portal."


Silent Push, which has been tracking the threat since December 2024, said the threat actor has singled out several industries, including grocery stores, governments, insurance organizations, and others that have a large number of employees who may be susceptible to a phishing attack and may not immediately notice changes to their account information.

The cybersecurity company also characterized the group's pivot to universities as something of an "odd departure," given that college students don't receive regular paychecks and their direct deposit information is not available within these systems. That said, it's possible that the phishing attempts are aimed at obtaining personally identifiable information that could set the stage for future attacks. The threat actors have been linked to over 150 domains.

"For organizations targeted by Payroll Pirates, we'd strongly recommend setting up additional email notifications and 2FA requirements for any attempts to change important details within an HR portal, including efforts to change email and phone numbers, and especially for any changes to banking information used to collect paychecks," Edwards added.

"Organizations who support or defend HR Portals should remain on the lookout for Payroll Pirates attacks coming from email phishing, malvertising and SEO honeypot campaigns."

(The story was updated after publication on October 15, 2025, with additional insights from Silent Push.)
