‘Payroll pirate’ attackers are going after university employees
These attacks are when cybercriminals compromise employee Workday and other third-party accounts and divert salary payments to their own accounts.
Avast! University employees are getting ambushed by pirate attacks, and not the kind that occur while sailing the seven seas.
Earlier this month, Microsoft Threat Intelligence published research on a scam campaign targeting US university employees, where threat actors successfully divert salary payments from employee accounts to their own. The scheme has been dubbed a “payroll pirate” attack by the broader industry.
How it works. Microsoft researchers referred to the threat actor behind the scheme by the alias Storm-2657. In the observed campaign, Storm-2657 gained access to employee accounts through adversary-in-the-middle phishing, a form of credential phishing malicious actors use to bypass multi-factor authentication (MFA).
The phishing emails used to lure victims targeted accounts at universities, according to the researchers. Some of these convincing emails suggested that the recipient may have been exposed to a campus illness outbreak; others concerned classroom misconduct reports. The emails also carried Google Docs links, which are commonplace in academic settings.
After obtaining an MFA code, Storm-2657 compromised victims’ Microsoft Exchange Online accounts and gained access to their Workday profiles, then covered their tracks by setting up automated rules that deleted “warning notifications” from the software platform. From there, the attacker redirected future salary payments to bank accounts under their own control.
Storm-2657 used some successfully compromised emails to send out even more phishing emails. Microsoft said it observed 11 successfully compromised accounts at three universities that collectively sent phishing emails to 6,000 email accounts since March.
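As an added example, not from the article or Microsoft’s research: a small Python hunt over constructed, simplified audit-log records that flags newly created mailbox rules which match HR or payroll notifications and then delete or move them, the cover-up step described above. The record layout, parameter names and keyword list are assumptions made for this demo.

```python
"""Hunt for mailbox rules that hide HR/payroll notifications (constructed demo)."""
import json

# Words a payroll-redirection cover-up rule would typically key on (assumed list).
HR_KEYWORDS = ("workday", "payroll", "direct deposit", "bank account", "pay election")
# Rule actions that keep the mailbox owner from ever seeing the message.
HIDING_ACTIONS = ("DeleteMessage", "SoftDeleteMessage", "MoveToFolder")
# Assumed operation names for rule creation/modification in the audit export.
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule")

def is_suspicious_rule(event):
    """Return a finding string if the event creates a rule that hides HR mail, else None."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return None
    # Flatten the Name/Value parameter list into a dict of strings.
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    # Conditions the rule matches on: subject, body and sender (assumed parameter names).
    conditions = " ".join(params.get(k, "")
                          for k in ("SubjectContainsWords", "BodyContainsWords", "From")).lower()
    hit = next((kw for kw in HR_KEYWORDS if kw in conditions), None)
    if hit is None:
        return None
    # Any hiding action set to a non-empty, non-false value counts.
    action = next((a for a in HIDING_ACTIONS
                   if params.get(a, "").lower() not in ("", "false")), None)
    if action is None:
        return None
    return f"{event['UserId']}: rule {params.get('Name', '?')!r} matches '{hit}' and applies {action}"

def find_suspicious_rules(events):
    """Run the check over a list of events and return all findings."""
    return [r for r in (is_suspicious_rule(e) for e in events) if r]

# Constructed sample events: one cover-up rule, one benign rule, one unrelated operation.
SAMPLE_EVENTS = json.loads("""[
 {"Operation": "New-InboxRule", "UserId": "prof@example.edu",
  "Parameters": [{"Name": "Name", "Value": "."},
                 {"Name": "SubjectContainsWords", "Value": "Workday;Direct Deposit"},
                 {"Name": "DeleteMessage", "Value": "True"}]},
 {"Operation": "New-InboxRule", "UserId": "ta@example.edu",
  "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                 {"Name": "From", "Value": "news@example.com"},
                 {"Name": "MoveToFolder", "Value": "Archive"}]},
 {"Operation": "MailboxLogin", "UserId": "prof@example.edu", "Parameters": []}
]""")

if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_EVENTS):
        print(finding)
```

A single-character rule name like "." is itself a common sign of a rule created to be overlooked, so a hunt in production would also flag that on its own.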
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
The threat actor focused on Workday profiles in the observed campaign, which took place in H1 2025. However, the researchers claim the same technique can be used to target other SaaS systems storing HR or banking information. Microsoft said the payroll pirate attacks don’t reflect any vulnerabilities in Workday’s platform and that the SaaS company has already released guidance for consumers.
Tough semester. Payroll pirates aren’t the only type of criminals educational institutions are warding off. IT Brew previously reported the growing problem of ghost students, malicious actors who pose as university and college students to reap financial aid and other student benefits.
Malicious actors continue to launch classic ransomware attacks against the education sector. Comparitech data found that schools, colleges, and universities experienced a 23% uptick in ransomware attacks YOY in H1 2025.
Defending against payroll pirates. Microsoft recommends organizations protect themselves from payroll pirate attacks by ditching traditional credentials and embracing passwordless workflows: “Microsoft recommends enforcing phishing-resistant MFA for privileged roles in Microsoft Entra ID to significantly reduce the risk of account compromise.”