Microsoft's Threat Intelligence team has sounded the alarm: a cybercrime group it tracks as Storm-2657 has been attacking US university payroll systems since March 2025.
In a blog post, Redmond said the group has been targeting university employees, hijacking salaries by breaking into HR software such as Workday. Dubbed "payroll pirate" by Microsoft's Threat Intelligence team, the campaign exploits weak security practices rather than software flaws: the attackers get into HR platforms like Workday through compromised email accounts and change employees' direct-deposit details so that paychecks land in bank accounts the attackers control.
How hackers steal employee salaries at US universities
According to the Microsoft blog, the attack is as audacious as it is simple: compromise HR and email accounts, quietly change payroll settings, and redirect pay into attacker-controlled bank accounts. The operation begins with phishing emails tailored to academia, such as fake HR updates, faculty misconduct reports, or alerts about illness clusters on campus. Other reported lures include emails impersonating the university president with information about compensation and benefits, or fake documents purportedly shared by HR.
These lures, often delivered as links to shared Google Docs to slip past email filters, trick users into entering their credentials and multifactor authentication (MFA) codes on adversary-in-the-middle (AiTM) phishing pages, which relay the login to the real service and capture the resulting session. Once inside an Exchange Online account, the attackers set inbox rules to hide or delete HR notifications (for example, the alert an employee would otherwise receive when a payment destination changes), concealing their tracks. Using the stolen credentials and the university's single sign-on (SSO) integration, the group then accesses Workday and changes direct-deposit settings, funnelling salaries to accounts they control.
Microsoft emphasized that the attacks exploit weak MFA practices and misconfigured systems, not vulnerabilities in Workday itself. The practical point for defenders is that code- and push-based MFA can be relayed through an AiTM page, so the usual recommendation is phishing-resistant MFA such as FIDO2 security keys, together with review of inbox rules and of payment-election changes in the HR system.
"Following the compromise of email accounts and the payroll modifications in Workday, the threat actor leveraged newly accessed accounts to distribute further phishing emails, both within the organization and externally to other universities," Microsoft added.
"We've observed 11 successfully compromised accounts at three universities that were used to send phishing emails to about 6,000 email accounts across 25 universities," Microsoft said in the report.
