NEWS One Line in Outlook — and Your Salary is Gone to Hackers. New Attack Turns Work Email into an ATM

ExcalibuR

Legend
LEGEND
PREMIUM
MEMBER
Joined
Jan 17, 2025
Messages
4,031
Reaction score
7,794
Deposit
11,800$
One Line in Outlook — and Your Salary is Gone to Hackers. New Attack Turns Work Email into an ATM
1760255413925.png
Cybercriminals have found a way to completely rewrite the rules of payroll payments.

According to a new report from Microsoft Threat Intelligence, the financially motivated group Storm-2657 is conducting large-scale attacks on universities and companies, using stolen employee accounts to redirect salaries to their own bank accounts. Experts call this type of attack "payroll pirate." During the campaign, the attackers sought access to cloud HR platforms like Workday to change the payment details of their victims.

The Microsoft investigation revealed that the campaign has been active since the first half of 2025. In it, the attackers used carefully crafted phishing emails aimed at stealing multi-factor authentication (MFA) codes using adversary-in-the-middle (AitM) schemes. After obtaining the login credentials, they infiltrated employee mailboxes and corporate HR services, where they altered payment settings. To cover their tracks, Storm-2657 created rules in Outlook to automatically delete Workday notifications about any profile changes.

Microsoft recorded at least 11 successful account compromises across three universities. From these addresses, thousands of phishing emails were subsequently sent to other campuses—totaling about 6,000 potential victims across 25 universities. Some messages appeared to be notifications about illness or an incident investigation on campus, with subject lines like "COVID-like case reported — check your contact status" or "Faculty misconduct report." Other emails mimicked HR department broadcasts and contained links to supposedly official documents about payments and compensation. Google Docs—a familiar tool in academic environments—was often used for disguise, making the attacks difficult to detect.

Once they gained access, the attackers made changes to the victims' profiles—most often replacing the bank accounts for salary deposits. In some cases, they also added their own phone numbers as MFA devices, allowing them to maintain control of the profile without the owner's knowledge. Such operations were logged in Workday as "Change My Account" or "Manage Payment Elections" events, but notifications about them did not reach users due to the created email filters.

Microsoft notes that the attacks do not exploit vulnerabilities in the Workday products themselves. The problem lies in missing or weak MFA protection. The company therefore urges organizations to move to phishing-resistant authentication methods: FIDO2 security keys, Windows Hello for Business, and the Microsoft Authenticator app. Administrators are advised to enforce these methods in Entra ID and adopt passwordless authentication.

The Microsoft publication includes queries for security tools to help detect signs of intrusion—from suspicious email rules to changes in payment details and new MFA devices. The company also reports that it has already contacted some affected organizations, providing them with data on the TTPs used and recommendations for restoring security.
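As an added illustration of the kind of check Microsoft's queries perform (this is example code written for this post, not Microsoft's published queries and not from the original article), the Python below scans mailbox inbox rules for ones that hide Workday/payroll notifications and escalates when the same user also has a nearby "Manage Payment Elections" or "Change My Account" event. The rule and event records, action names and the `workday.example` sender domain are constructed assumptions for demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Keywords a hiding rule would reference to suppress Workday/payroll notifications.
HR_KEYWORDS = ("workday", "payroll", "payment election", "direct deposit")
# Rule actions that keep a message out of the mailbox owner's sight (assumed names).
HIDING_ACTIONS = {"delete", "move_to_deleted_items", "move_to_junk", "move_to_rss_feeds"}

@dataclass
class InboxRule:
    user: str
    name: str
    actions: set         # normalised action names, e.g. {"mark_as_read", "delete"}
    conditions: list     # text the rule matches on (subject, body, sender)
    created: datetime
@dataclass
class HrEvent:
    user: str
    event: str           # e.g. "Manage Payment Elections", "Change My Account"
    when: datetime

def hr_keywords_hit(rule: InboxRule) -> list:
    """HR/payroll keywords referenced by a hiding rule; empty list if benign."""
    if not (rule.actions & HIDING_ACTIONS):
        return []
    text = " ".join(rule.conditions).lower()
    return [k for k in HR_KEYWORDS if k in text]

def correlate(rules, hr_events, window_days=7):
    """Flag hiding rules; escalate when the same user also changed payment data nearby."""
    window, findings = timedelta(days=window_days), []
    for rule in rules:
        hits = hr_keywords_hit(rule)
        if not hits:
            continue
        related = [e.event for e in hr_events
                   if e.user == rule.user and abs(e.when - rule.created) <= window]
        findings.append({"user": rule.user, "rule": rule.name, "keywords": hits,
                         "hr_events": related, "severity": "high" if related else "medium"})
    return findings

# Constructed sample data (not from any real tenant).
T0 = datetime(2025, 9, 1, 9, 0)
SAMPLE_RULES = [
    InboxRule("alice", "cleanup", {"mark_as_read", "delete"}, ["Workday", "payroll"], T0),
    InboxRule("bob", "newsletters", {"move_to_folder:Reading"}, ["newsletter"], T0),
    InboxRule("carol", "filter", {"move_to_deleted_items"}, ["noreply@workday.example"], T0),
]
SAMPLE_EVENTS = [HrEvent("alice", "Manage Payment Elections", T0 + timedelta(days=2))]
```

Running `correlate(SAMPLE_RULES, SAMPLE_EVENTS)` flags alice as high (hiding rule plus a payment-election change two days later) and carol as medium (hiding rule only); bob's folder rule is ignored.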