- Storm-2657 hackers hijack university email accounts to send phishing and redirect salary payments
- Attackers took advantage of the lack of MFA and used AITM tactics to access HR SaaS platforms.
- Microsoft helps victims and warns that this is a BEC-style “payroll hacking” campaign
Hackers are breaking into HR SaaS platform accounts at universities across the United States and redirecting salaries to their own accounts, Microsoft warned.
Microsoft's report states that the attacks began in March 2025, when a financially motivated group tracked as Storm-2657 used social engineering and exploited the lack of multi-factor authentication (MFA) to break into 11 email accounts at three universities.
Using these accounts, they sent phishing emails to nearly 6,000 email accounts at 25 universities, with topics ranging from warnings about disease outbreaks on campus to reports of faculty misconduct. The goal was to get victims to click on phishing links and, through adversary-in-the-middle (AITM) attacks, gain access to their Exchange Online accounts.
Payroll Hacker
The campaign is called “payroll hacking” and is a variation of the feared business email compromise (BEC) scam that is popular among cybercriminals.
Once inside, the hackers used that access to reach Workday (or other third-party HR SaaS platforms) and change salary payment settings so that payments were redirected to accounts under their control.
They also set up inbox rules to delete incoming email messages from these platforms, ensuring that victims were never notified of the sinister changes.
They would then spread their attacks further: “Following the compromise of email accounts and payroll modifications at Workday, the threat actor leveraged the newly accessed accounts to distribute more phishing emails, both within the organization and externally to other universities,” Microsoft said.
In its report, Microsoft said it identified people who fell for the phishing attack and whose payment data was compromised. It is now reaching out to them to help with mitigation, and has also published tips and guidance to help potential victims investigate whether or not they were compromised.
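As an added example (not code from Microsoft's report or this article), the following Python hunts Exchange Online audit records for the pattern described above: inbox rules that delete or bury mail from HR platforms or about payroll, the kind of rule a compromised account carries. The records are constructed here; their field shape mirrors Exchange admin audit entries for New-InboxRule and Set-InboxRule, while the users, rule names, sender domains and folder names are assumptions.

```python
"""Flag Exchange Online inbox rules that silently dispose of HR/payroll mail.
Audit lines below are constructed; their shape (Operation, UserId, Parameters as
Name/Value pairs) mirrors Exchange admin audit records, other values are assumed."""
import json

HR_SENDER_DOMAINS = {"myworkday.com", "workday.com"}  # assumed notification senders
PAYROLL_WORDS = {"payroll", "direct deposit", "bank account", "payment election"}
HIDE_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}

SAMPLE_AUDIT_LINES = [  # constructed records, one JSON object per line
    '{"Operation":"New-InboxRule","UserId":"alice@uni.example","Parameters":'
    '[{"Name":"Name","Value":"Payroll"},{"Name":"From","Value":"noreply@myworkday.com"},'
    '{"Name":"DeleteMessage","Value":"True"},{"Name":"StopProcessingRules","Value":"True"}]}',
    '{"Operation":"New-InboxRule","UserId":"bob@uni.example","Parameters":'
    '[{"Name":"Name","Value":"Vendor news"},{"Name":"From","Value":"news@vendor.example"},'
    '{"Name":"MoveToFolder","Value":"Newsletters"}]}',
    '{"Operation":"Set-InboxRule","UserId":"carol@uni.example","Parameters":'
    '[{"Name":"Identity","Value":"Misc"},{"Name":"SubjectContainsWords","Value":"Direct Deposit"},'
    '{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}',
]

def load_audit_lines(lines):
    """Parse one JSON audit record per line."""
    return [json.loads(line) for line in lines]

def _params(record):
    """Flatten the Parameters list into a lower-cased name -> string value map."""
    return {p["Name"].lower(): str(p.get("Value", "")) for p in record.get("Parameters", [])}

def is_hiding_rule(record):
    """True when a created/modified rule targets HR/payroll mail and hides it."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    p = _params(record)
    sender_domain = p.get("from", "").lower().rsplit("@", 1)[-1]
    subject = p.get("subjectcontainswords", "").lower()
    targets_hr = sender_domain in HR_SENDER_DOMAINS or any(w in subject for w in PAYROLL_WORDS)
    hides = (p.get("deletemessage", "").lower() == "true"
             or p.get("movetofolder", "").lower() in HIDE_FOLDERS)
    return targets_hr and hides

def find_hiding_rules(records):
    """Return (UserId, rule name or identity) for every matching record."""
    return [(r["UserId"], _params(r).get("name") or _params(r).get("identity") or "<unnamed>")
            for r in records if is_hiding_rule(r)]

if __name__ == "__main__":
    for user, rule in find_hiding_rules(load_audit_lines(SAMPLE_AUDIT_LINES)):
        print(f"review mailbox {user}: rule {rule!r} hides HR/payroll notifications")
```

A hit is a lead, not proof: check the rule's creation time against sign-in and Workday change logs for that mailbox before acting.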
Via BleepingComputer