
No worker would accept their paycheck disappearing without explanation. It was precisely from a series of internal reports of this nature that an organization began investigating an apparently administrative anomaly, discovering instead a targeted cyber attack. An external party had managed to modify the salary payment details, diverting payments to accounts under its control.
The incident’s origin wasn’t a sophisticated technical breach, but a simple phone call. According to Unit 42’s Global Incident Response Report 2025 – Social Engineering Edition, 36% of incidents handled during the period analyzed were triggered by social engineering techniques. These include phishing, vishing, search engine manipulation, fake system prompts, and fraudulent help desk interactions.
Despite the availability of advanced security tools, attackers continue to successfully exploit tried-and-true tactics. Rather than hacking systems or distributing malware, they often choose to circumvent technological controls by targeting the people who manage business processes directly.
The initial access did not occur through a technical vulnerability. The attacker deployed a social engineering campaign, posing as an employee and contacting multiple help desks, including IT, HR, and payroll services. Through these interactions, the attacker bypassed challenge/response verification mechanisms, prompting staff to reset the impersonated account's password and re-register its multi-factor authentication devices.
Social networks played a key role. Publicly available information allowed the attacker to prepare credible answers to verification questions. In some cases, calls were repeated multiple times to understand the type of controls in place, gradually gathering the data needed for successful access. The growing amount of personal and professional information online made this reconnaissance phase particularly effective.
Once access was gained, the attacker attempted to establish a sustained presence by registering an external email address as an authentication method for a service account within the organization’s Azure AD environment. This clearly indicated an intent beyond immediate payroll fraud.
After authenticating to the payroll system, the attacker acted swiftly. Several employee accounts were compromised, allowing access to sensitive data. Direct deposit information was changed, and paychecks were redirected to bank accounts controlled by the attacker.
Because the credentials used were valid and multi-factor authentication was in place, the activities did not immediately raise alarms. The incident only became known when some employees reported the non-payment. The internal investigation identified suspicious changes dating back weeks, leading the organization to engage legal counsel and subsequently Unit 42 for a full analysis.
Once tasked, Unit 42 launched an in-depth investigation. The team conducted threat hunting using Cortex XSIAM, correlating data from multiple sources: payroll systems, HR platforms, and logs from the organization’s next-generation firewalls.
Analysis confirmed that the impact of the incident was limited to account compromise and payroll diversion, with no evidence of lateral movement or data exfiltration from the internal network.
During the investigation, however, a further critical issue emerged: an active compromise attributable to the WannaCry ransomware within the organization’s legacy OT environment. The threat had been known for years, but had persisted unnoticed on the industrial operating systems.
Unit 42 worked with the client to quickly block compromised accounts, reverse fraudulent payroll changes, and restore control of the affected cloud identities. At the same time, guidance was provided on hardening the IT and OT environments.
Recommendations included improving help desk verification procedures, strengthening multi-factor authentication enforcement and recovery flows, more comprehensive event logging with integration into Cortex XSIAM, and targeted interventions to address the spread of WannaCry in OT systems.
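The logging recommendation only pays off if the help desk, identity and payroll events are actually correlated: in this case each step looked legitimate on its own (valid credentials, MFA re-registered through an approved process, a routine direct-deposit update). The script below is an added example, not Unit 42's or the organization's tooling, and it is not a Cortex XSIAM query. It assumes three hypothetical event sources (help desk ticketing, identity provider audit log, payroll system) already normalized into a common JSON-like record shape; all field names, the seven-day window, the corporate mail domain and the sample events are constructed assumptions. It flags two patterns from the article: a direct-deposit change shortly after a help-desk-driven password reset or MFA re-registration, and an e-mail authentication method registered with an address outside the corporate domains.

```python
"""Correlate identity-recovery events with payroll changes (added example).

Assumptions: events from a help desk system, an identity provider audit log and a
payroll system have been normalized into dicts with 'ts' (ISO-8601 UTC), 'source',
'action' and 'user'. Field names, window size and domains are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real log data.
EVENTS = [
    {"ts": "2025-03-03T09:12:00", "source": "helpdesk", "action": "password_reset",
     "user": "jdoe", "channel": "phone"},
    {"ts": "2025-03-03T09:20:00", "source": "idp", "action": "mfa_method_registered",
     "user": "jdoe", "method": "email", "value": "jdoe.recovery@example.net"},
    {"ts": "2025-03-03T10:05:00", "source": "payroll", "action": "direct_deposit_changed",
     "user": "jdoe", "new_routing": "REDACTED-1"},
    {"ts": "2025-03-04T14:00:00", "source": "helpdesk", "action": "password_reset",
     "user": "asmith", "channel": "phone"},
    {"ts": "2025-03-12T11:30:00", "source": "payroll", "action": "direct_deposit_changed",
     "user": "asmith", "new_routing": "REDACTED-2"},
    {"ts": "2025-03-05T08:00:00", "source": "idp", "action": "mfa_method_registered",
     "user": "svc-backup", "method": "email", "value": "ops@contoso.com"},
    {"ts": "2025-03-06T16:45:00", "source": "payroll", "action": "direct_deposit_changed",
     "user": "bwong", "new_routing": "REDACTED-3"},
]

INTERNAL_DOMAINS = {"contoso.com"}    # assumed corporate mail domains
WINDOW = timedelta(days=7)            # assumed recovery -> payroll change window
RECOVERY_ACTIONS = {"password_reset", "mfa_method_registered", "mfa_reregistered"}


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the normalized records."""
    return datetime.fromisoformat(value)


def find_recovery_then_payroll(events, window=WINDOW):
    """Return one finding per direct-deposit change that follows, within `window`,
    a password reset or MFA (re)registration for the same user."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    findings = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["ts"]))
        recoveries = [e for e in user_events if e["action"] in RECOVERY_ACTIONS]
        for pay in (e for e in user_events if e["action"] == "direct_deposit_changed"):
            pay_ts = parse_ts(pay["ts"])
            # Recovery events that happened before the payroll change and inside the window.
            prior = [r for r in recoveries if timedelta(0) <= pay_ts - parse_ts(r["ts"]) <= window]
            if prior:
                delta = pay_ts - parse_ts(prior[0]["ts"])
                findings.append({
                    "user": user,
                    "payroll_ts": pay["ts"],
                    "recovery_actions": [r["action"] for r in prior],
                    "delta_hours": round(delta.total_seconds() / 3600, 1),
                })
    return findings


def find_external_email_methods(events, internal_domains=INTERNAL_DOMAINS):
    """Return MFA/recovery e-mail methods registered with an address outside the
    corporate domains, the persistence step described in the article."""
    hits = []
    for event in events:
        if event["action"] == "mfa_method_registered" and event.get("method") == "email":
            domain = event["value"].rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                hits.append({"user": event["user"], "address": event["value"], "ts": event["ts"]})
    return hits


if __name__ == "__main__":
    for finding in find_recovery_then_payroll(EVENTS):
        print("recovery-then-payroll:", finding)
    for hit in find_external_email_methods(EVENTS):
        print("external e-mail auth method:", hit)
```

On the constructed data, only `jdoe` trips both rules: the reset and MFA registration preceded the direct-deposit change by under an hour, and the new e-mail method points at a non-corporate domain. `asmith` is not flagged because the payroll change falls outside the seven-day window, which is the knob a team would tune against its own reset-to-payroll baseline, and `svc-backup` is not flagged because the registered address is internal.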
Despite the initial attack, the overall impact was limited to three employee accounts. This result is linked both to the organization’s rapid response and the attacker’s objective, which was focused on financial gain rather than a broader network compromise.
The incident highlights a growing trend: attackers are targeting operational processes and human interactions, particularly help desks, bypassing traditional technical controls. Activities such as password resets or MFA enrollment, if not managed with rigorous procedures, can become high-impact vulnerabilities.
The case also demonstrates how investigations into small fraud cases can uncover deeper structural issues, such as the prolonged presence of malware in industrial environments.
Given these dynamics, organizations need to treat flows managed by humans with the same level of scrutiny as technical authentication mechanisms. The key elements remain unified visibility of the environment, trained security teams, and rigorous verification procedures for every request related to a digital identity.
