Storm-2657 Hackers Steal University Salaries by Hijacking Workday HR Accounts
According to a new report from Microsoft Threat Intelligence, the financially motivated group Storm-2657 is conducting large-scale attacks against universities and private companies, using stolen employee credentials to redirect payroll funds into their own accounts. Experts have dubbed this type of operation “payroll piracy.” During the campaign, the attackers sought access to cloud-based HR platforms such as Workday in order to modify victims’ payment details.
Microsoft’s investigation revealed that the campaign has been active since the first half of 2025. The attackers employed carefully crafted phishing emails designed to steal multi-factor authentication (MFA) codes through adversary-in-the-middle (AitM) techniques. Once in possession of login data, they infiltrated employee mailboxes and corporate HR systems, where they altered salary-payment settings. To conceal their activity, Storm-2657 configured Outlook rules that automatically deleted Workday notifications about any profile changes.
Microsoft recorded at least 11 successful account compromises across three universities. From these accounts, thousands of phishing emails were distributed to other campuses — roughly 6,000 potential victims spanning 25 institutions. Some messages masqueraded as health or incident alerts on campus, bearing subject lines such as “COVID-like case reported — check your contact status” or “Faculty misconduct report.” Others mimicked HR communications and contained links to purported official documents on payroll or compensation. To enhance credibility, the attackers frequently leveraged Google Docs, a familiar tool in academic environments, making detection especially difficult.
Once inside, the attackers modified victim profiles — most often replacing bank-account numbers used for payroll deposits. In certain instances, they also added their own phone numbers as MFA devices, enabling persistent control without the user’s knowledge. Such operations appeared in Workday logs under events like “Change My Account” or “Manage Payment Elections,” but the related alerts never reached users due to the mail filters the attackers had created.
Microsoft emphasized that the attacks did not exploit vulnerabilities within Workday itself. The underlying issue was the absence or weakness of multi-factor authentication. Consequently, Microsoft urges organizations to adopt phishing-resistant authentication methods such as FIDO2 keys, Windows Hello for Business, and Microsoft Authenticator. Administrators are advised to enforce these measures in Entra ID and implement passwordless sign-in.
In its publication, Microsoft provided detection queries for identifying signs of compromise — from suspicious mail rules to payment-detail alterations and newly registered MFA devices. The company also confirmed that it has contacted affected institutions, supplying details of the attackers’ TTPs (tactics, techniques, and procedures) and offering guidance for restoring security posture.
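The detection logic Microsoft describes (mail rules that suppress Workday notifications, correlated with payment-detail or account changes) can be sketched in Python as an added example; this is not Microsoft's published query set nor Workday's API, and the event records, user names and the 72-hour correlation window are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): Exchange inbox-rule audit records and
# Workday business-process events, normalized to one shape. The parameter names
# DeleteMessage / MoveToFolder / SubjectContainsWords are Exchange New-InboxRule
# parameters; the Workday action names are the events the article cites.
EVENTS = [
    {"ts": "2025-03-10T09:02:00", "user": "alice@uni.example", "source": "exchange",
     "action": "New-InboxRule", "params": {"DeleteMessage": True, "SubjectContainsWords": "Workday"}},
    {"ts": "2025-03-10T09:40:00", "user": "alice@uni.example", "source": "workday",
     "action": "Manage Payment Elections", "params": {}},
    {"ts": "2025-03-11T14:00:00", "user": "bob@uni.example", "source": "workday",
     "action": "Change My Account", "params": {}},
    {"ts": "2025-03-12T08:00:00", "user": "carol@uni.example", "source": "exchange",
     "action": "New-InboxRule", "params": {"MoveToFolder": "Archive", "SubjectContainsWords": "newsletter"}},
]

SENSITIVE_WORKDAY_ACTIONS = {"Manage Payment Elections", "Change My Account"}
NOTIFICATION_KEYWORDS = ("workday", "payroll", "payment election")


def is_suppression_rule(ev):
    """True for an inbox rule that deletes or hides mail mentioning Workday/payroll."""
    if ev["source"] != "exchange" or ev["action"] not in ("New-InboxRule", "Set-InboxRule"):
        return False
    p = ev["params"]
    hides = p.get("DeleteMessage") or p.get("MoveToFolder") or p.get("MarkAsRead")
    words = f'{p.get("SubjectContainsWords", "")} {p.get("BodyContainsWords", "")}'.lower()
    return bool(hides) and any(k in words for k in NOTIFICATION_KEYWORDS)


def correlate(events, window_hours=72):
    """Flag sensitive Workday changes; raise severity when the same user created a
    notification-suppressing mail rule within the preceding window."""
    alerts, rules_by_user = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ev["ts"])
        if is_suppression_rule(ev):
            rules_by_user.setdefault(ev["user"], []).append(t)
        elif ev["source"] == "workday" and ev["action"] in SENSITIVE_WORKDAY_ACTIONS:
            recent = [r for r in rules_by_user.get(ev["user"], [])
                      if timedelta(0) <= t - r <= timedelta(hours=window_hours)]
            alerts.append({"user": ev["user"], "action": ev["action"],
                           "severity": "high" if recent else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

In production the same join would also bring in newly registered MFA methods from the identity provider's audit log, which the article names as the third signal.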