Microsoft analysts have discovered that since March 2025, the group Storm-2657 has been targeting employees at U.S. universities, taking over accounts and redirecting paychecks to its own accounts.
“Storm-2657 is actively targeting U.S. organizations, especially higher-education employees, to gain access to third-party HR platforms like Workday,” the Microsoft Threat Intelligence team explains.
It is also emphasized that any SaaS platform that stores HR data or payment and bank account information can be targeted by such attacks.
It is worth noting that this malicious activity, which researchers call Payroll Pirates, was previously covered by specialists from Silent Push, Malwarebytes, and Hunt.io.
The attackers do not exploit any vulnerabilities; instead, they use “sophisticated social engineering schemes” and take advantage of the lack of multi-factor authentication (MFA) to take over employee accounts and change payment details, redirecting victims’ paychecks to their own accounts.
For example, in one campaign Microsoft observed in the first half of 2025, the attackers gained initial access via phishing emails that harvested credentials and MFA codes through a phishing link. As a result, the adversaries gained access to Exchange Online accounts and took over victims’ Workday profiles via single sign-on (SSO).
Researchers also report that the attackers created rules in victims’ mailboxes to delete alert emails from Workday and conceal unauthorized changes in profiles. Specifically, the hackers modified payment settings, redirecting future paychecks to accounts they controlled.
To maintain persistent access to victims’ accounts, the attackers added their phone numbers to the compromised accounts’ MFA settings. Moreover, the compromised email accounts were used to send new phishing emails — both within the organizations and to other universities.
Microsoft reported that since March 2025 it has identified 11 successfully compromised accounts across three universities. These mailboxes were subsequently used to send phishing emails to nearly 6,000 addresses at 25 other institutions. The scam emails referenced staff illnesses and campus violation notices, creating a false sense of urgency and prompting recipients to click on fraudulent links.
To reduce the risks associated with Storm-2657, it is recommended to use passwordless, phishing-resistant multi-factor authentication methods (e.g., FIDO2 hardware keys), and to review accounts for signs of suspicious activity — for example, unknown MFA devices and malicious inbox rules.
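As an added illustration of the inbox-rule review recommended above (example code written for this page, not from Microsoft or the other researchers cited), the following Python flags enabled rules that single out HR or payroll alert mail and then delete, hide or silently file it. It assumes rules in the shape of Microsoft Graph messageRule objects, with well-known folder names in place of folder ids; the keyword list and folder set are assumptions, and the sample rules are constructed.

```python
import re

# Sender/subject keywords that identify HR or payroll alert mail (assumed list).
HR_PATTERNS = [re.compile(p, re.I) for p in (r"workday", r"payroll", r"direct deposit")]
# Folders used to keep mail out of sight (Graph well-known folder names; assumed set).
HIDING_FOLDERS = {"deleteditems", "junkemail", "rssfeeds", "archive"}


def _targets_hr_mail(rule):
    """True if any condition of the rule singles out HR/payroll mail."""
    cond = rule.get("conditions") or {}
    texts = list(cond.get("senderContains", [])) + list(cond.get("subjectContains", []))
    texts += [a.get("emailAddress", {}).get("address", "") for a in cond.get("fromAddresses", [])]
    return any(p.search(t) for t in texts for p in HR_PATTERNS)


def _hiding_actions(rule):
    """Return the actions that would keep a matching message from being noticed."""
    act = rule.get("actions") or {}
    reasons = []
    if act.get("delete") or act.get("permanentDelete"):
        reasons.append("delete")
    folder = (act.get("moveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"move to {folder}")
    if act.get("markAsRead"):
        reasons.append("mark as read")
    return reasons


def find_suspicious_rules(rules):
    """Flag enabled rules that both target HR mail and hide it; disabled rules are skipped."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        reasons = _hiding_actions(rule)
        if reasons and _targets_hr_mail(rule):
            findings.append({"name": rule.get("displayName"), "reasons": reasons})
    return findings


# Constructed sample rules: one benign filing rule, one matching the reported tradecraft.
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"subjectContains": ["digest"]},
     "actions": {"moveToFolder": "archive"}},
    {"displayName": "Cleanup", "isEnabled": True,
     "conditions": {"senderContains": ["workday"], "subjectContains": ["payment election"]},
     "actions": {"delete": True, "markAsRead": True}},
]
```

Calling `find_suspicious_rules(SAMPLE_RULES)` reports only the "Cleanup" rule; in practice the same check would be run over the rules pulled from each mailbox alongside a review of newly registered MFA methods.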