
Redazione RHC : 28 October 2025 06:40
According to a new report from Microsoft Threat Intelligence, the financially motivated Storm-2657 group is conducting large-scale attacks against universities and businesses, using stolen employee accounts to redirect salaries to bank accounts the attackers control.
Experts call this type of attack "payroll hacking." During the campaign, attackers attempted to access cloud-based HR platforms, such as Workday, to alter victims' payroll data.
An investigation by Microsoft revealed that the campaign had been active since the first half of 2025. The attackers used carefully crafted phishing emails to steal multi-factor authentication codes using Adversary-in-the-Middle (AitM) schemes.
After obtaining login credentials, they infiltrated employee inboxes and corporate HR services, where they changed payment settings. To hide their tracks, Storm-2657 created Outlook inbox rules that automatically suppressed the Workday notifications sent for any profile change.
Microsoft recorded at least 11 successful account compromises at three universities. These addresses were then used to send thousands of phishing emails to other campuses, reaching approximately 6,000 potential victims at 25 universities.
Some messages were disguised as sick notes or as an investigation into a campus incident. Subject lines included "COVID-like case reported: Check your contact's status" or "Faculty misconduct report." Other emails mimicked human resources communications and contained links to supposedly official documents about salaries and compensation. Google Docs, a common tool in academia, was often used as camouflage, making the attacks difficult to detect.
Once they gained access, the attackers modified the victims' profiles, typically replacing the bank accounts used for payroll transfers. In some cases, they also added their own phone numbers as MFA devices, thus maintaining control of the profile without the owner's knowledge. These actions were recorded in Workday logs as "Change Account" or "Manage Payment Options" events, but users were not notified of them because the inbox rules filtered the notifications out.
Microsoft emphasizes that the attacks do not exploit vulnerabilities in Workday products themselves. The problem lies in missing or weak MFA protection. The company therefore urges organizations to migrate to phishing-resistant authentication methods: FIDO2 keys, Windows Hello for Business, and Microsoft Authenticator.
Administrators are advised to enforce these methods in Microsoft Entra ID and to implement passwordless authentication.
Microsoft's publication also calls for security monitoring that can detect the signs of this intrusion pattern, from suspicious inbox rules to changes in payment details and newly registered MFA devices.
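The detection logic described above, as an added example that is not part of the report or of any Microsoft or Workday tooling: it correlates mailbox-audit events for a new inbox rule that hides Workday mail with Workday audit events for the "Change Account" and "Manage Payment Options" tasks the article names. The event field names, the rule actions and the sample events are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the report). "jdoe" shows the full pattern:
# a rule deleting Workday mail, then bank-detail changes shortly afterwards.
# "asmith" changed a bank account with no notification suppression.
MAILBOX_EVENTS = [
    {"time": "2025-06-02T09:14:00", "user": "jdoe", "op": "New-InboxRule",
     "subject_contains": "Workday", "action": "DeleteMessage"},
    {"time": "2025-06-03T11:00:00", "user": "asmith", "op": "New-InboxRule",
     "subject_contains": "Newsletter", "action": "MoveToFolder"},
]
WORKDAY_EVENTS = [
    {"time": "2025-06-02T09:40:00", "user": "jdoe", "task": "Manage Payment Options"},
    {"time": "2025-06-02T09:45:00", "user": "jdoe", "task": "Change Account"},
    {"time": "2025-06-03T11:10:00", "user": "asmith", "task": "Change Account"},
]

# Workday task names quoted in the article; rule actions are hypothetical labels.
SENSITIVE_TASKS = {"Change Account", "Manage Payment Options"}
SUPPRESS_ACTIONS = {"DeleteMessage", "MoveToFolder"}


def _t(s):
    return datetime.fromisoformat(s)


def suppression_rules(mailbox_events, keyword="Workday"):
    """Creation times of inbox rules that hide mail about the HR platform, per user."""
    rules = {}
    for e in mailbox_events:
        if (e["op"] == "New-InboxRule" and e["action"] in SUPPRESS_ACTIONS
                and keyword.lower() in e["subject_contains"].lower()):
            rules.setdefault(e["user"], []).append(_t(e["time"]))
    return rules


def correlate(mailbox_events, workday_events, window_hours=72):
    """Alert on a sensitive Workday change made within `window_hours` after the
    same user created a rule suppressing Workday notifications."""
    rules = suppression_rules(mailbox_events)
    window = timedelta(hours=window_hours)
    alerts = []
    for w in workday_events:
        if w["task"] not in SENSITIVE_TASKS:
            continue
        wt = _t(w["time"])
        for rt in rules.get(w["user"], []):
            if rt <= wt <= rt + window:
                alerts.append({"user": w["user"], "task": w["task"],
                               "rule_at": rt.isoformat(), "change_at": w["time"]})
                break
    return alerts
```

A bank-detail change without a matching rule (asmith) is not alerted here, but is still worth a routine review queue; the correlation only prioritises the cases that match the suppression pattern.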
The company also reports that it has already contacted several affected organizations, providing them with information on the TTPs used and recommendations for restoring security.