Payroll Pirates Strike: Microsoft Warns of HR SaaS Account Hijackings to Steal Employee Salaries
“Microsoft has released an alert warning that the Payroll Pirates are attacking HR SaaS accounts to steal employees’ salaries.”
Storm-2657 is a threat actor that has been seen stealing employee accounts in order to transfer salary payments to accounts under the attacker’s control.
Microsoft Threat Intelligence Team, Report:
“To obtain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday, Storm-2657 is aggressively targeting a variety of U.S.-based enterprises, especially workers in industries like higher education.”
But the internet behemoth warned that such profit-driven efforts might target any software-as-a-service (SaaS) platform that stores bank account, payment, or human resources data. Silent Push, Malwarebytes, and Hunt.io have already highlighted some of the campaign’s features under the moniker Payroll Pirates.
The attacks are noteworthy because they do not exploit any vulnerability in the services themselves. Instead, the threat actors rely on social engineering and the absence of multi-factor authentication (MFA) safeguards to take control of employee accounts and change payment information so that salaries are directed to accounts they control.

In a campaign Microsoft observed in the first half of 2025, the attacker gained initial access to targets’ Exchange Online accounts and, through single sign-on (SSO), their Workday profiles by sending phishing emails that carried an adversary-in-the-middle (AitM) phishing link designed to harvest credentials and MFA codes.
To conceal the unauthorized profile modifications, the threat actors have also been seen creating inbox rules that delete incoming Workday warning notification emails. The modifications themselves consist of changing the salary payment settings so that future salary payments are rerouted to accounts under the attackers’ control.
The attackers set up their personal phone numbers as MFA devices for victim accounts to guarantee ongoing access to the accounts. Furthermore, additional phishing emails are sent to other colleges as well as within the company using the hijacked email accounts.
Microsoft has reported that, since March 2025, it has seen 11 successfully hijacked accounts at three colleges being used to send phishing emails to around 6,000 email accounts at 25 other universities. To create a false sense of urgency and trick readers into clicking the phony links, the email messages use lures about sickness or misconduct notices on campus.

It is advised to use FIDO2 security keys and other passwordless, phishing-resistant MFA techniques to reduce the risk posed by Storm-2657. Additionally, accounts should be examined for indications of unusual activity, such as malicious inbox rules and unrecognized MFA devices.
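A defender-side triage check for the inbox-rule indicator mentioned above, as an added example that is not part of Microsoft’s report or this article: it scans inbox-rule records shaped like Exchange Online Get-InboxRule output for enabled rules that both match Workday notification mail and delete or hide it. The Workday sender and subject markers, the hiding-folder list and the sample records are constructed assumptions.

```python
"""Triage exported inbox rules for the Storm-2657 pattern: enabled rules that
silently delete or hide Workday notification e-mail. Added example, not
Microsoft's or Workday's code. Field names mirror Get-InboxRule output; the
indicator lists and sample records are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed markers for Workday notification mail; tune to the tenant's real senders.
WORKDAY_SENDER_MARKERS = ("workday.com", "myworkday.com")
WORKDAY_SUBJECT_MARKERS = ("workday", "payment election", "direct deposit", "bank account")
# Folders commonly used to park mail the mailbox owner will not look at.
HIDING_FOLDERS = ("deleted items", "rss feeds", "rss subscriptions", "archive", "junk")

@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    mark_as_read: bool = False
    from_addresses: List[str] = field(default_factory=list)
    subject_contains: List[str] = field(default_factory=list)

def mentions_workday(rule: InboxRule) -> bool:
    """True if the rule's conditions select Workday notification mail."""
    senders = " ".join(rule.from_addresses).lower()
    subjects = " ".join(rule.subject_contains).lower()
    return (any(m in senders for m in WORKDAY_SENDER_MARKERS)
            or any(m in subjects for m in WORKDAY_SUBJECT_MARKERS))

def hides_mail(rule: InboxRule) -> bool:
    """True if the rule's action keeps the message out of the user's sight."""
    folder = (rule.move_to_folder or "").lower()
    return rule.delete_message or rule.mark_as_read or any(h in folder for h in HIDING_FOLDERS)

def suspicious_rules(rules: List[InboxRule]) -> List[str]:
    """Names of enabled rules that both target Workday mail and hide it."""
    return [r.name for r in rules if r.enabled and mentions_workday(r) and hides_mail(r)]

# Constructed sample export: benign, attacker-style, disabled, and legitimate HR filing.
SAMPLE_RULES = [
    InboxRule(name="Newsletters", move_to_folder="Reading", from_addresses=["news@example.edu"]),
    InboxRule(name=".", delete_message=True, mark_as_read=True, subject_contains=["Workday", "Direct Deposit"]),
    InboxRule(name="old", enabled=False, delete_message=True, from_addresses=["noreply@workday.com"]),
    InboxRule(name="HR to folder", move_to_folder="Inbox/HR", from_addresses=["hr@myworkday.com"]),
]

if __name__ == "__main__":
    for name in suspicious_rules(SAMPLE_RULES):
        print(f"REVIEW: inbox rule {name!r} hides Workday notifications")
```

Only the attacker-style rule is flagged: the legitimate rule that files Workday mail into a visible folder and the disabled rule are left alone, which keeps the check usable across a whole tenant export.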
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity & information security. He has written many amazing articles related to cybersecurity concepts, with the latest trends in cyber awareness and ethical hacking. Find out more about “Him.”