Source URL: https://www.microsoft.com/en-us/security/blog/2025/10/09/investigating-targeted-payroll-pirate-attacks-affecting-us-universities/
Source: Microsoft Security Blog
Title: Investigating targeted “payroll pirate” attacks affecting US universities
Feedly Summary: Microsoft Threat Intelligence has identified a financially motivated threat actor that we track as Storm-2657 compromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to attacker-controlled accounts, attacks that have been dubbed “payroll pirate”.
AI Summary and Description: Yes
Summary: The text describes a targeted attack by a financially motivated threat actor, Storm-2657, focusing on compromising employee accounts through sophisticated phishing techniques, ultimately altering payroll information in Workday accounts. This highlights significant vulnerabilities in user identity security, directly related to the absence of robust multifactor authentication (MFA) measures.
Detailed Description:
The text outlines a detailed analysis of a cybersecurity threat involving a financially motivated group known as Storm-2657, which has developed a methodical approach to infiltrating employee accounts, specifically targeting HR software systems such as Workday. This case exemplifies critical areas of concern for security and compliance professionals regarding identity and access management (IAM), highlighting how weak authentication practices can lead to substantial financial and operational impacts.
Key Points:
– **Target and Methodology**:
  – Storm-2657 primarily targets US-based organizations and has focused on sectors such as higher education.
  – The actor uses phishing to capture credentials and multifactor authentication (MFA) codes, leading to unauthorized access to employee accounts and subsequent payroll manipulation.
– **Compromise Mechanism**:
  – Initial access is gained through carefully crafted phishing emails (e.g., themes related to health alerts or misconduct reports).
  – Following a successful compromise, distinct tactics are employed, including:
    – Creation of inbox rules to delete the alerts Workday sends to users when their profile changes.
    – Persistence strategies such as enrolling attacker-controlled devices as MFA devices.
– **Impact of Attack**:
  – The attack results in the manipulation of payroll data, redirecting payments to accounts controlled by the attacker, which represents a significant financial threat.
  – Analysts observed that the phishing attacks were especially difficult to detect because they used realistic themes and legitimate, widely used platforms such as Google Docs.
– **Recommendations for Mitigation**:
  – Organizations are advised to enforce phishing-resistant MFA methods, such as passwordless methods using FIDO2 security keys.
  – Tailored remediation steps include resetting credentials, removing unauthorized inbox rules, and reversing unauthorized financial changes.
  – Enhanced security measures and proactive monitoring through tools like Microsoft Defender are crucial for identifying and stopping such ongoing attacks.
– **Recommendations for Security Professionals**:
  – The text provides detailed guidelines for investigating and mitigating risks associated with similar attacks, focusing on the importance of robust MFA solutions and user education to prevent social engineering.
  – Security teams should implement continuous monitoring practices and adopt procedures for rapid response to detect and counteract unauthorized access.
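The inbox-rule tactic above is one of the more tractable things a security team can hunt for. The following is an added example (not code from the Microsoft post or from Workday) that triages exported Outlook inbox rules and flags enabled rules which both reference payroll or HR themes and delete, hide or redirect the matching mail. It assumes the rules were exported per mailbox (for instance from Exchange Online's `Get-InboxRule`) into dicts whose keys mirror that cmdlet's properties (`Name`, `Enabled`, `DeleteMessage`, `MoveToFolder`, `SubjectContainsWords`, `SubjectOrBodyContainsWords`, `FromAddressContainsWords`, `ForwardTo`, `RedirectTo`); the exact export format is an assumption, and the sample rules are constructed.

```python
"""Triage exported Outlook inbox rules for payroll-notification suppression.

Added example, not Microsoft's or Workday's code. It assumes rules were
exported per mailbox into dicts whose keys mirror the Exchange Online
Get-InboxRule output (Name, Enabled, DeleteMessage, MoveToFolder,
SubjectContainsWords, SubjectOrBodyContainsWords, FromAddressContainsWords,
ForwardTo, RedirectTo); those field names are an assumption about the export.
"""
from __future__ import annotations

import re

# Terms a rule suppressing HR/payroll change alerts would typically match on.
PAYROLL_TERMS = ("workday", "payroll", "direct deposit", "bank account",
                 "salary", "payment election", "human resources")

# Folders commonly used to keep hidden messages out of the user's sight.
HIDING_FOLDERS = ("deleted items", "junk email", "rss feeds",
                  "rss subscriptions", "archive", "conversation history")


def _words(rule: dict, key: str) -> list[str]:
    """Normalise a condition value (string or list) to lowercase strings."""
    value = rule.get(key) or []
    if isinstance(value, str):
        value = [value]
    return [str(v).lower() for v in value]


def _matches_payroll(rule: dict) -> list[str]:
    """Return the rule conditions that reference payroll/HR themes."""
    hits = []
    for key in ("SubjectContainsWords", "SubjectOrBodyContainsWords",
                "FromAddressContainsWords"):
        for w in _words(rule, key):
            if any(term in w for term in PAYROLL_TERMS):
                hits.append(f"{key}={w!r}")
    return hits


def _hides_messages(rule: dict) -> list[str]:
    """Return the rule actions that suppress or divert matched mail."""
    actions = []
    if rule.get("DeleteMessage"):
        actions.append("DeleteMessage")
    folder = (rule.get("MoveToFolder") or "").lower()
    # Get-InboxRule renders the folder as "Mailbox:\Folder"; keep the leaf name.
    leaf = re.split(r"[\\/]", folder)[-1]
    if leaf in HIDING_FOLDERS:
        actions.append(f"MoveToFolder={rule['MoveToFolder']!r}")
    for key in ("ForwardTo", "RedirectTo"):
        if rule.get(key):
            actions.append(f"{key}={rule[key]!r}")
    return actions


def triage_inbox_rules(mailbox: str, rules: list[dict]) -> list[dict]:
    """Flag enabled rules that both match payroll themes and hide messages."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        conditions = _matches_payroll(rule)
        actions = _hides_messages(rule)
        if conditions and actions:
            findings.append({
                "mailbox": mailbox,
                "rule": rule.get("Name") or "<unnamed>",
                "conditions": conditions,
                "actions": actions,
            })
    return findings


# Constructed sample export: one benign rule and two suspicious ones.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True,
     "MoveToFolder": "Mailbox:\\Newsletters",
     "FromAddressContainsWords": ["news@example.edu"]},
    {"Name": "..", "Enabled": True, "DeleteMessage": True,
     "SubjectOrBodyContainsWords": ["Workday", "direct deposit",
                                   "payment election"]},
    {"Name": "Cleanup", "Enabled": True,
     "MoveToFolder": "Mailbox:\\RSS Feeds",
     "FromAddressContainsWords": ["workday.com"]},
]

if __name__ == "__main__":
    for f in triage_inbox_rules("employee@example.edu", SAMPLE_RULES):
        print(f"[{f['mailbox']}] rule {f['rule']!r}: "
              f"{', '.join(f['conditions'])} -> {', '.join(f['actions'])}")
```

Run over a tenant-wide export, the output gives an investigator the mailboxes whose rules warrant removal and whose Workday profiles should be checked for unauthorized payment-election changes; rules with empty or punctuation-only names (like `".."` above) deserve a look even when the keyword match is weak.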
In summary, this case study serves as an urgent reminder to bolster identity security measures, particularly in organizations using third-party SaaS platforms, emphasizing the necessity for implementing secure authentication practices to safeguard against advanced phishing threats and account compromises.