Microsoft Warns of Sophisticated Payroll Diversion Scheme
Microsoft has issued an urgent warning about an active phishing campaign dubbed “Payroll Pirate” that hijacks employee accounts on Workday and other cloud-based HR platforms to redirect paychecks to attacker-controlled bank accounts. The sophisticated attack has already compromised accounts at multiple universities and demonstrates how even multi-factor authentication can be bypassed by determined threat actors.
According to Microsoft’s security team, the campaign uses convincing phishing emails to harvest employee credentials, then employs adversary-in-the-middle techniques to intercept multi-factor authentication codes. Once inside the HR systems, attackers immediately modify payroll direct deposit information to divert payments to their own accounts while creating email rules to hide confirmation messages from legitimate users.
How the Payroll Pirate Attack Chain Works
The attack begins with highly targeted phishing emails that use realistic themes relevant to university employees. One common lure warns recipients about potential exposure to communicable diseases on campus, while another claims there have been changes to employee benefits. Both include links to attacker-controlled pages disguised as legitimate login portals for work accounts.
“The threat actor used realistic phishing emails, targeting accounts at multiple universities, to harvest credentials,” Microsoft reported in their security advisory. “Since March 2025, we’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities.”
Once victims enter their credentials on the fake login pages, the attackers use adversary-in-the-middle tactics to simultaneously submit the information to the real Workday portal, capturing both passwords and MFA codes in the process. This approach has become increasingly common against organizations relying on weaker forms of multi-factor authentication.
The Critical Weakness in Multi-Factor Authentication
Security experts emphasize that not all MFA provides equal protection. Traditional methods that rely on one-time codes, text messages, or push notifications remain vulnerable to these interception attacks. The Cybersecurity and Infrastructure Security Agency has long recommended stronger authentication methods for precisely this reason.
“This tactic underscores the importance of adopting FIDO-compliant forms of MFA, which are immune to such attacks,” Microsoft’s analysis noted. FIDO2 security keys and passkeys provide phishing-resistant authentication by using cryptographic proofs rather than transferable codes that can be intercepted.
Research from Gartner shows that organizations implementing FIDO-compliant security keys have seen near-elimination of account takeover incidents stemming from credential phishing campaigns.
Protecting Against Payroll Diversion Attacks
Organizations can take several steps to defend against Payroll Pirate and similar campaigns:
- Implement phishing-resistant MFA: Deploy FIDO2 security keys or passkeys instead of SMS or authenticator app codes
- Monitor payroll changes: Establish alerts for any modifications to direct deposit information
- Employee training: Conduct regular phishing awareness exercises focusing on HR-themed lures
- Email security: Implement advanced protection against adversary-in-the-middle phishing kits
The Workday security team recommends that organizations enable additional verification steps for payroll changes and regularly audit account recovery settings to ensure attackers haven’t added their own backup methods. In some Payroll Pirate incidents, attackers successfully added phone numbers they controlled as account recovery options, granting them persistent access to compromised accounts.
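The controls above (alerting on direct-deposit changes, auditing recovery methods, and catching the inbox rules that hide confirmation mail) can be correlated in one detection pass. The following is an added example, not code from Microsoft or Workday; the audit event records, field names and account names are constructed for illustration and would need to be mapped onto your own HR and mail audit exports.

```python
"""Flag direct-deposit changes that look like payroll diversion.

Added example (not from Microsoft or Workday). Heuristic, based on the
behaviours described in the article: a direct-deposit change is suspicious
when the same account, within a window beforehand, also created a mail rule
that deletes or moves payroll-related messages or added a recovery phone.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
HIDE_KEYWORDS = ("payroll", "direct deposit", "bank", "workday")

# Constructed sample audit events: (timestamp, account, event type, detail)
EVENTS = [
    ("2025-03-10T08:02:00", "alice", "login", "ip=198.51.100.7"),
    ("2025-03-10T08:05:00", "alice", "mail_rule_created", "match='direct deposit' action=delete"),
    ("2025-03-10T08:09:00", "alice", "recovery_phone_added", "phone=+1555..."),
    ("2025-03-10T08:11:00", "alice", "direct_deposit_changed", "bank=NEW"),
    ("2025-03-12T14:00:00", "bob", "direct_deposit_changed", "bank=NEW"),
    ("2025-03-01T09:00:00", "carol", "mail_rule_created", "match='newsletter' action=move"),
    ("2025-03-01T09:30:00", "carol", "direct_deposit_changed", "bank=NEW"),
]

def _hides_payroll_mail(detail):
    """True if a mail-rule detail string suppresses payroll-themed messages."""
    d = detail.lower()
    return any(k in d for k in HIDE_KEYWORDS) and ("delete" in d or "move" in d)

def flag_suspicious_changes(events, window=WINDOW):
    """Return {account: [reasons]} for direct-deposit changes preceded, within
    `window`, by a payroll-hiding mail rule or a newly added recovery phone."""
    parsed = sorted((datetime.fromisoformat(t), a, e, d) for t, a, e, d in events)
    findings = {}
    for when, acct, etype, _ in parsed:
        if etype != "direct_deposit_changed":
            continue
        reasons = []
        for w2, a2, e2, d2 in parsed:
            if a2 != acct or not (when - window <= w2 <= when):
                continue  # different account or outside the look-back window
            if e2 == "mail_rule_created" and _hides_payroll_mail(d2):
                reasons.append("mail rule hides payroll messages")
            elif e2 == "recovery_phone_added":
                reasons.append("new recovery phone added")
        if reasons:
            findings[acct] = reasons
    return findings

if __name__ == "__main__":
    for acct, why in flag_suspicious_changes(EVENTS).items():
        print(f"REVIEW {acct}: " + "; ".join(why))
```

A lone direct-deposit change (bob) or an unrelated mail rule (carol) is not flagged, so the payroll team reviews only changes that coincide with the concealment or persistence steps the campaign relies on.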
As payroll diversion scams become more sophisticated, the need for stronger authentication and heightened vigilance around HR system access has never been more critical for organizations of all sizes.
