Microsoft Threat Intelligence has linked a wave of account‑takeover campaigns against U.S. universities to the threat group Storm‑2657, active since March 2025. The actors compromise faculty and staff accounts, tamper with payroll profiles, and redirect salaries to attacker‑controlled bank accounts. Similar activity has been documented by Silent Push, Malwarebytes, and Hunt.io under the moniker Payroll Pirates, underscoring a broader trend of university payroll fraud and HR SaaS exploitation.
Why higher education and HR SaaS platforms are prime targets
Universities manage large, distributed user populations and frequently rely on external HR platforms such as Workday. This mix of diverse identities, third‑party integrations, and trusted internal communications creates favorable conditions for social engineering. Any HR SaaS that stores employee data, bank details, and payroll actions is a high‑value target, especially where single sign‑on (SSO) and weak multi‑factor authentication (MFA) converge.
Attack chain: from phishing to payroll redirection
In early 2025, Microsoft observed credential‑phishing emails driving victims to look‑alike pages that captured usernames, passwords, and MFA codes. With stolen passwords and session tokens in hand, Storm‑2657 logged into Exchange Online and, via SSO, accessed integrated HR systems such as Workday—piggybacking on trusted corporate sessions rather than exploiting software vulnerabilities.
SSO abuse and weak MFA enable persistent access
SSO simplifies user experience but grants broad access once an identity is compromised. Where MFA is misconfigured or relies on legacy factors (for example, SMS/voice codes), attackers can intercept or socially engineer challenges. Microsoft also observed cases where the attackers enrolled their own phone numbers or authenticators to victim accounts, cementing persistence and complicating incident recovery.
Covering tracks with email rules and trusted senders
After mailbox access, Storm‑2657 created server‑side mail rules to auto‑delete or redirect Workday notifications. This concealed unauthorized profile edits and bank detail changes. Compromised university mailboxes were then weaponized to send additional phishing across campus and to other institutions, leveraging legitimate sender domains to increase trust and click‑through rates.
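The rule abuse described above is visible in the mailbox audit trail, which is also what the "monitor and alert on mailbox rules" recommendation later in this article relies on. The following Python is an added example, not code from Microsoft or any of the vendors cited here. It scans a handful of constructed audit records (shaped loosely like Exchange Online unified audit log entries for New-InboxRule and Set-InboxRule, with a Parameters list of name/value pairs) and flags rules that delete, hide, mark as read, or forward mail matching HR and payroll keywords. The keyword list, folder list, sender addresses and IPs are all assumptions to be tuned per institution.

```python
from dataclasses import dataclass, field

# Constructed sample records (not real tenant data). Their shape loosely follows
# Exchange Online unified audit log entries for inbox-rule cmdlets: an Operation
# name plus a Parameters list of {"Name": ..., "Value": ...} pairs.
SAMPLE_AUDIT_EVENTS = [
    {"CreationTime": "2025-04-02T13:07:11", "UserId": "prof.a@example.edu",
     "Operation": "New-InboxRule", "ClientIP": "203.0.113.17",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "Workday;direct deposit"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-04-02T13:09:40", "UserId": "prof.a@example.edu",
     "Operation": "New-InboxRule", "ClientIP": "203.0.113.17",
     "Parameters": [
         {"Name": "Name", "Value": "hr"},
         {"Name": "FromAddressContainsWords", "Value": "payroll@example.edu"},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-04-03T08:15:02", "UserId": "staff.b@example.edu",
     "Operation": "New-InboxRule", "ClientIP": "198.51.100.8",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "SubjectContainsWords", "Value": "Weekly digest"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2025-04-03T09:30:00", "UserId": "staff.c@example.edu",
     "Operation": "Set-InboxRule", "ClientIP": "198.51.100.9",
     "Parameters": [
         {"Name": "Identity", "Value": "misc"},
         {"Name": "ForwardTo", "Value": "external.box@example.net"}]},
]

# Keyword list is an assumption: tune it to the HR platform and notification
# senders the institution actually uses.
HR_KEYWORDS = ("workday", "payroll", "direct deposit", "bank", "benefit")
CONDITION_PARAMS = ("SubjectContainsWords", "SubjectOrBodyContainsWords",
                    "BodyContainsWords", "FromAddressContainsWords", "From")
EXFIL_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Folders users rarely open; moving HR mail here hides it about as well as deleting it.
LOW_VISIBILITY_FOLDERS = ("rss feeds", "rss subscriptions", "deleted items",
                          "junk email", "archive", "conversation history")


@dataclass
class Finding:
    user: str
    rule_name: str
    client_ip: str
    reasons: list = field(default_factory=list)


def _params(event):
    """Flatten the Parameters list into a plain {name: value} dict."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def evaluate_rule_event(event):
    """Return a Finding for one inbox-rule audit event, or None if it looks benign."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = _params(event)
    name = p.get("Name", p.get("Identity", ""))
    finding = Finding(event.get("UserId", "?"), name, event.get("ClientIP", "?"))
    # Gather every matching condition into one string and test it for HR terms.
    conditions = " ".join(v for k, v in p.items() if k in CONDITION_PARAMS).lower()
    hr_match = any(kw in conditions for kw in HR_KEYWORDS)
    if hr_match:
        if p.get("DeleteMessage", "").lower() == "true":
            finding.reasons.append("deletes messages matching HR/payroll keywords")
        folder = p.get("MoveToFolder", "")
        if folder:
            note = " (low-visibility folder)" if folder.lower() in LOW_VISIBILITY_FOLDERS else ""
            finding.reasons.append(f"moves HR/payroll messages to '{folder}'{note}")
        if p.get("MarkAsRead", "").lower() == "true":
            finding.reasons.append("marks HR/payroll messages as read")
    # Forwarding or redirecting is worth a look regardless of the conditions.
    for action in EXFIL_ACTIONS:
        if action in p:
            finding.reasons.append(f"{action} -> {p[action]}")
    # A common heuristic: rules named with a single dot or nothing at all.
    if not name.strip(" .,-_"):
        finding.reasons.append("empty or punctuation-only rule name")
    return finding if finding.reasons else None


def suspicious_inbox_rules(events):
    """Scan a batch of audit events and return the findings worth alerting on."""
    return [f for f in map(evaluate_rule_event, events) if f is not None]


if __name__ == "__main__":
    for f in suspicious_inbox_rules(SAMPLE_AUDIT_EVENTS):
        print(f"{f.user} rule '{f.rule_name}' from {f.client_ip}: " + "; ".join(f.reasons))
```

Run against the constructed events, the scan reports the two rules on prof.a's mailbox (one deletes Workday and direct-deposit mail, one buries payroll mail in the RSS Feeds folder and marks it read) and the external forward on staff.c's mailbox, while the genuine newsletter rule produces nothing. In production the same function would be fed from the audit log export rather than an inline list, and the client IP in each finding is the pivot for checking whether the rule was created from the same session as a recent suspicious sign-in.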
Scale and impact across campuses
Since March 2025, Microsoft has identified 11 successfully compromised accounts across three U.S. universities. Those mailboxes were used to distribute nearly 6,000 phishing messages to recipients at 25 additional universities. Lures exploited urgency and social context, such as employee illness or campus incidents, to drive rapid responses.
Beyond Workday: technique works against any HR SaaS
While some incidents involved Workday, the technique is broadly applicable to cloud payroll, benefits, and HR portals. The threat model centers on social engineering and abuse of trusted access paths rather than vulnerability exploitation. Relevant MITRE ATT&CK techniques include T1566 (Phishing), T1078 (Valid Accounts), T1098/T1556 (Account/MFA Manipulation), and T1114 (Email Collection and rule abuse).
Defensive measures universities and enterprises should implement
Defenders can materially reduce risk by hardening identity controls, monitoring high‑risk workflows, and tightening HR SaaS governance. Key steps include:
- Adopt phishing‑resistant MFA: Deploy FIDO2/WebAuthn security keys and disable SMS/voice codes; require MFA re‑challenge for sensitive actions like payroll or bank detail changes. Guidance aligns with NIST SP 800‑63B and CISA recommendations.
- Harden SSO and session management: Shorten session lifetimes, enforce conditional access and risk‑based policies, and block legacy/Basic authentication protocols.
- Monitor and alert on mailbox rules: Generate alerts for creation or modification of server‑side rules, especially those suppressing HR or security notifications.
- Audit MFA enrollments: Regularly review trusted devices, phone numbers, and authenticators; revoke suspicious registrations and require re‑enrollment.
- Out‑of‑band payroll verification: Confirm any bank account changes via a second channel (e.g., verified phone call) before processing.
- Targeted security awareness: Run phishing simulations themed on HR notices and urgent campus messages; teach users to validate URLs and report anomalies.
- Centralized logging and anomaly detection: Track unusual sign‑in locations/user agents, mass mailing spikes, and anomalous HR profile edits across SaaS platforms.
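Two of the items above, auditing MFA enrollments and detecting anomalous sign-in locations or user agents, are most useful when correlated: the persistence pattern described earlier is a sign-in from somewhere new followed, minutes later, by a phone number or authenticator being added to the account. The Python below is an added example, not code from Microsoft or from any identity provider. It builds a per-user baseline of countries and user agents from constructed sign-in records, flags sign-ins that break the baseline, and pairs them with constructed "security info registered" events inside a configurable window. The record layouts, the user names, the country code "ZZ" (the ISO user-assigned placeholder, standing in for "somewhere this user has never been seen") and the 24-hour window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from any real tenant). Field layout loosely mimics
# identity-provider sign-in logs and the audit event emitted when a user registers
# a new authentication method.
SIGN_INS = [
    # (user, timestamp, country, user agent)
    ("prof.a@example.edu", "2025-03-20T09:02:00", "US", "Outlook/16.0 Windows"),
    ("prof.a@example.edu", "2025-03-27T08:55:00", "US", "Outlook/16.0 Windows"),
    ("prof.a@example.edu", "2025-04-02T12:58:00", "ZZ", "Mozilla/5.0 Linux Chrome"),
    ("staff.b@example.edu", "2025-03-21T10:00:00", "US", "Mozilla/5.0 Windows Edge"),
    ("staff.b@example.edu", "2025-04-03T08:10:00", "US", "Mozilla/5.0 Windows Edge"),
]
SECURITY_INFO_EVENTS = [
    # (user, timestamp, method type, detail)  -- all values constructed
    ("prof.a@example.edu", "2025-04-02T13:01:30", "Phone", "+1 555 0100"),
    ("staff.b@example.edu", "2025-04-03T08:20:00", "Authenticator app", "new iPhone"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def build_baseline(sign_ins, cutoff):
    """Countries and user agents each user was seen with before `cutoff` (ISO string)."""
    baseline = defaultdict(lambda: {"countries": set(), "agents": set()})
    for user, ts, country, agent in sign_ins:
        if _ts(ts) < _ts(cutoff):
            baseline[user]["countries"].add(country)
            baseline[user]["agents"].add(agent)
    return baseline


def novel_sign_ins(sign_ins, baseline, since):
    """Sign-ins at or after `since` whose country or user agent is new for that user."""
    out = []
    for user, ts, country, agent in sign_ins:
        if _ts(ts) < _ts(since):
            continue
        known = baseline.get(user, {"countries": set(), "agents": set()})
        novelty = []
        if country not in known["countries"]:
            novelty.append(f"new country {country}")
        if agent not in known["agents"]:
            novelty.append(f"new user agent '{agent}'")
        if novelty:
            out.append({"user": user, "time": ts, "novelty": novelty})
    return out


def correlate_mfa_registrations(novel, registrations, window_hours=24):
    """Pair each novel sign-in with MFA-method registrations by the same user
    that happen within `window_hours` after it. Those are the high-severity cases:
    the article describes attackers enrolling their own phone or authenticator
    right after gaining access."""
    alerts = []
    for s in novel:
        start = _ts(s["time"])
        end = start + timedelta(hours=window_hours)
        for user, ts, method, detail in registrations:
            if user == s["user"] and start <= _ts(ts) <= end:
                alerts.append({
                    "user": user,
                    "sign_in": s["time"],
                    "sign_in_novelty": s["novelty"],
                    "registered": f"{method} ({detail}) at {ts}",
                    "severity": "high",
                })
    return alerts


def triage(sign_ins, registrations, cutoff):
    """End to end: learn the baseline before `cutoff`, then hunt for new-location
    sign-ins followed by MFA enrolment on or after `cutoff`."""
    baseline = build_baseline(sign_ins, cutoff)
    novel = novel_sign_ins(sign_ins, baseline, cutoff)
    return correlate_mfa_registrations(novel, registrations)


if __name__ == "__main__":
    for alert in triage(SIGN_INS, SECURITY_INFO_EVENTS, "2025-04-01T00:00:00"):
        print(alert)
```

On the constructed data only prof.a trips the correlation: a sign-in from an unseen country and browser, then a phone number added three minutes later. staff.b's authenticator registration follows a sign-in that matches the baseline, so it is not escalated, but it still belongs on the periodic enrollment review the list above calls for. A real deployment would replace the inline lists with log exports, keep the baseline rolling rather than a single cutoff, and would normally treat any registration from a session that itself triggered a risk policy as grounds to revoke sessions and require re-enrollment through a verified channel.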
Storm‑2657’s campaigns highlight a structural shift: attackers increasingly bypass software exploits and instead weaponize identity infrastructure, SSO, and suboptimal MFA. Accelerating adoption of phishing‑resistant authentication, adding strong controls around payroll changes, and continuously monitoring email rules can disrupt this fraud model and help universities and enterprises detect and contain account‑takeover attempts before salaries are diverted.