Particle.news

Microsoft Flags 'Payroll Pirate' Campaign Draining University Salaries Through Workday Access

Redmond attributes the thefts to social engineering rather than a Workday vulnerability.

Overview

  • Microsoft says the Storm-2657 crew has targeted U.S. universities since March 2025 to divert paychecks by tampering with payroll settings.
  • At least 11 accounts at three universities were compromised and then used to send phishing to nearly 6,000 recipients across 25 institutions.
  • The operation uses adversary-in-the-middle phishing to capture MFA codes, seize Exchange Online accounts, and create inbox rules that delete Workday alerts.
  • Attackers pivot through single sign-on to edit direct-deposit details in Workday and maintain access by enrolling their own phone numbers as MFA devices, including through Duo.
  • Microsoft has notified affected customers and published guidance urging phishing-resistant MFA, monitoring for rogue inbox rules and new MFA enrollments, and reviews of SSO and Workday events. The scheme aligns with the business email compromise (BEC) patterns tracked by the FBI’s IC3, which logged over 21,000 BEC complaints in 2024 with losses topping $2.7 billion.
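The inbox-rule tactic in the bullets above (rules that delete or bury Workday alerts so the victim never sees the direct-deposit change) is one of the few pieces of this campaign a defender can hunt for directly. The script below is an added example, not Microsoft's guidance or any published detection: it takes Exchange Online audit records for `New-InboxRule` / `Set-InboxRule` operations and flags rules that both match payroll-related text and hide the matched mail. The record shape (an `Operation`, a `UserId`, and a `Parameters` list of `Name`/`Value` pairs) approximates the unified audit log export; the sample records, mailbox names, keyword list and folder list are constructed for the example and are assumptions to tune for a real tenant.

```python
"""Flag inbox rules that would suppress payroll / Workday notifications.

Added example: input approximates Exchange Online unified-audit-log records
for New-InboxRule / Set-InboxRule. The audit records, user names and keyword
lists below are constructed for illustration, not taken from a real tenant.
"""
import json

# Assumed indicators: text an attacker would filter on, and folders used to bury mail.
PAYROLL_TERMS = ("workday", "payroll", "direct deposit", "bank account", "payment election")
CONDITION_PARAMS = {
    "SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords",
    "FromAddressContainsWords", "From", "HeaderContainsWords",
}
HIDE_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "archive",
                "junk email", "conversation history", "notes"}

# Constructed sample audit records (one malicious create, one benign create,
# one malicious modify, one unrelated cmdlet).
SAMPLE_AUDIT = r"""[
  {"CreationTime": "2025-09-02T13:41:07", "Operation": "New-InboxRule", "UserId": "jdoe@univ.example",
   "Parameters": [{"Name": "Name", "Value": "."},
                  {"Name": "SubjectContainsWords", "Value": "Workday;Direct Deposit"},
                  {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]},
  {"CreationTime": "2025-09-02T14:02:55", "Operation": "New-InboxRule", "UserId": "asmith@univ.example",
   "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                  {"Name": "FromAddressContainsWords", "Value": "newsletter"},
                  {"Name": "MoveToFolder", "Value": "Inbox\\Reading"}]},
  {"CreationTime": "2025-09-03T08:17:30", "Operation": "Set-InboxRule", "UserId": "bchen@univ.example",
   "Parameters": [{"Name": "Identity", "Value": "Payroll"},
                  {"Name": "BodyContainsWords", "Value": "payroll"},
                  {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
  {"CreationTime": "2025-09-03T09:00:01", "Operation": "Set-Mailbox", "UserId": "admin@univ.example",
   "Parameters": [{"Name": "Identity", "Value": "jdoe"}]}
]"""


def parameters(record):
    """Flatten the record's Parameters array into a name -> string value dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def is_true(value):
    return value.strip().lower() == "true"


def assess_rule(record):
    """Return the reasons a rule looks like it hides payroll mail; empty list means benign."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params = parameters(record)
    reasons = []

    # 1. Does the rule select payroll-related mail? Multi-valued params are ';'-joined.
    payroll_match = False
    for name in sorted(CONDITION_PARAMS & params.keys()):
        words = [w.strip().lower() for w in params[name].split(";") if w.strip()]
        if any(term in w for w in words for term in PAYROLL_TERMS):
            payroll_match = True
            reasons.append(f"condition {name}={params[name]!r} targets payroll mail")

    # 2. Does the rule hide or destroy what it matched?
    hides = False
    if is_true(params.get("DeleteMessage", "")) or is_true(params.get("SoftDeleteMessage", "")):
        hides = True
        reasons.append("action deletes the message")
    folder = params.get("MoveToFolder", "").rsplit("\\", 1)[-1].strip().lower()
    if folder in HIDE_FOLDERS:
        hides = True
        reasons.append(f"action moves to {params['MoveToFolder']!r}")
    if is_true(params.get("MarkAsRead", "")):
        hides = True
        reasons.append("action marks the message as read")

    # A rule with no condition at all that deletes or buries mail is a catch-all; flag it too.
    if not (CONDITION_PARAMS & params.keys()) and hides:
        reasons.append("no filtering condition (catch-all rule)")
        return reasons
    return reasons if (payroll_match and hides) else []


def scan(records):
    """Run assess_rule over every record and return one finding per suspicious rule."""
    findings = []
    for rec in records:
        reasons = assess_rule(rec)
        if reasons:
            params = parameters(rec)
            findings.append({
                "time": rec.get("CreationTime"), "user": rec.get("UserId"),
                "operation": rec["Operation"],
                "rule": params.get("Name") or params.get("Identity") or "<unnamed>",
                "reasons": reasons,
            })
    return findings


def scan_sample():
    return scan(json.loads(SAMPLE_AUDIT))


if __name__ == "__main__":
    print(json.dumps(scan_sample(), indent=2))
```

Running it against the constructed records reports the rule named "." on jdoe's mailbox (deletes Workday and direct-deposit mail) and the modified "Payroll" rule on bchen's mailbox (moves payroll mail to RSS Feeds), and ignores the benign newsletter rule and the unrelated `Set-Mailbox` event. Rule names consisting only of punctuation, a creation time shortly after a sign-in from an unfamiliar client, and a new MFA device registered by the same user in the same window are the corroborating signals worth joining this output against.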