TITLE: Microsoft Alerts Universities to Payroll Phishing Attacks
Payroll Pirates Target University Employees
Microsoft has issued a warning about a sophisticated phishing campaign targeting university payroll systems across the United States. Hackers are infiltrating human resources SaaS platforms and redirecting employee salaries to accounts under their control.
How the Attack Unfolded
The attacks began in March 2025 when a financially motivated group tracked as Storm-2657 exploited social engineering techniques and the absence of multi-factor authentication (MFA) to compromise email accounts at three universities. Using these compromised accounts, the attackers sent phishing emails to nearly 6,000 accounts across 25 institutions.
The phishing emails used various convincing themes, including:
- Campus illness outbreak warnings
- Faculty misconduct reports
- Other urgent campus notifications
Sophisticated Attack Methodology
This campaign, dubbed “Payroll Pirate,” represents a sophisticated variation of business email compromise (BEC) scams. Using adversary-in-the-middle (AITM) phishing links, the hackers gained access to victims’ Exchange Online accounts once the victims clicked on the malicious links.
Once inside university systems, the attackers:
- Accessed Workday and other HR SaaS platforms
- Modified salary payment configurations
- Redirected payments to accounts they controlled
- Set up inbox rules to delete notification emails
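The inbox-rule step is one of the more detectable parts of this chain. The sketch below is an added example, not code from Microsoft's report or from this article: it scans mailbox audit records for rules that both hide mail (delete it or move it to Deleted Items, a slight generalization of the step above) and filter on payroll-related words. The record layout, the sample lines and the keyword list are constructed assumptions.

```python
import json

# Constructed sample: simplified mailbox audit records, one JSON object per line.
# The field layout is an assumption; map it to your own audit export.
SAMPLE_AUDIT = """\
{"CreationTime":"2025-03-14T09:12:05","UserId":"a.lee@uni.example","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"FromAddressContainsWords","Value":"workday"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2025-03-14T10:40:51","UserId":"b.ortiz@uni.example","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"newsletters"},{"Name":"SubjectContainsWords","Value":"digest"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2025-03-15T08:02:17","UserId":"c.wong@uni.example","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"HR filing"},{"Name":"SubjectContainsWords","Value":"payroll"},{"Name":"MoveToFolder","Value":"HR"}]}
{"CreationTime":"2025-03-15T11:27:33","UserId":"d.khan@uni.example","Operation":"Set-InboxRule","Parameters":[{"Name":"Name","Value":".."},{"Name":"SubjectContainsWords","Value":"Payroll;Direct Deposit"},{"Name":"MoveToFolder","Value":"Deleted Items"}]}
not-json line from a truncated export
"""

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FILTER_FIELDS = ("FromAddressContainsWords", "SubjectContainsWords",
                 "SubjectOrBodyContainsWords", "BodyContainsWords")
KEYWORDS = ("workday", "payroll", "direct deposit")  # assumed watch list


def rule_params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def hides_mail(params):
    """True when the rule deletes matches or files them under Deleted Items."""
    return (params.get("DeleteMessage", "").lower() == "true"
            or params.get("MoveToFolder", "").lower() == "deleted items")


def find_suspicious_rules(lines):
    """Return rules that both hide mail and filter on payroll-related words."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(record, dict) or record.get("Operation") not in RULE_OPS:
            continue
        params = rule_params(record)
        text = " ".join(params.get(f, "") for f in FILTER_FIELDS).lower()
        hits = [k for k in KEYWORDS if k in text]
        if hides_mail(params) and hits:
            findings.append({"user": record.get("UserId"), "time": record.get("CreationTime"),
                             "rule": params.get("Name"), "keywords": hits})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_AUDIT.splitlines()):
        print(finding)
```

Requiring both conditions keeps ordinary clean-up rules (the newsletter and HR filing samples) out of the results; a hit is a lead to check against recent sign-ins and payroll changes for that user.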
Self-Propagating Threat
Microsoft revealed that the attackers didn’t stop with initial compromises. “Following the compromise of email accounts and the payroll modifications in Workday, the threat actor leveraged newly accessed accounts to distribute further phishing emails, both within the organization and externally to other universities,” the company stated in its report.
Protection and Response Measures
Microsoft has identified affected individuals and is actively reaching out to help with mitigation efforts. The company has also released comprehensive guidance to help universities and employees determine if they’ve been compromised and how to protect against future attacks.
Essential protective measures include:
- Implementing multi-factor authentication across all systems
- Training staff to recognize sophisticated phishing attempts
- Regularly monitoring payroll configuration changes
- Establishing multiple verification channels for financial changes
As this threat continues to evolve, university administrators and employees should remain vigilant about unexpected emails and regularly verify their payroll information. Additional details about this emerging threat are available through security research channels.