'Payroll pirate' hackers diverting salary payments from university employees, Microsoft says

Cybercriminals are targeting universities and other U.S. organizations with a campaign to divert salary payments from employees to accounts controlled by the attackers. 

Dubbed “payroll pirates,” the hackers are using phishing emails to gain access to third-party platforms like Workday, according to Microsoft. 

“Since March 2025, we’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities,” Microsoft explained.

The company’s researchers discovered the campaign throughout the first half of 2025 — noting that while the threat actors are targeting Workday accounts, several other systems holding HR or payment information for employees could be at risk. 

Microsoft said the hackers used phishing emails with malicious links to steal multifactor authentication codes. With the codes in hand, the threat actors were able to hijack a victim’s Workday profile. 

Once inside an employee’s account, the hackers created an inbox rule that deleted any warning emails from Workday, allowing them to make bank account changes without being caught.  
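The inbox-rule trick described above leaves a footprint that a mailbox administrator can look for: a rule that both matches payroll or HR notifications and routes them out of sight. The following is an added example written for this article, not code from Microsoft, Workday or the reporting; the rule records are constructed to resemble what an admin sees when exporting a user's inbox rules, and the field names, the `WATCH_TERMS` list (beyond "workday", which the article names) and the `HIDING_ACTIONS` set are this example's own assumptions.

```python
"""Flag inbox rules that would hide payroll/HR notifications from a user.

Added example, not from the article or any vendor. Rule records are
constructed; field names are this example's own, not a vendor API.
"""
from dataclasses import dataclass

# Keywords a rule would match to catch payroll notifications. "workday"
# is the system named in the article; the rest are generic HR/payroll
# terms added here as an assumption.
WATCH_TERMS = ("workday", "payroll", "direct deposit", "bank account")

# Rule actions that keep a message out of the user's view (assumed names).
HIDING_ACTIONS = {
    "delete_message",
    "move_to_deleted_items",
    "move_to_junk",
    "move_to_archive",
}


@dataclass(frozen=True)
class InboxRule:
    """One exported inbox rule (constructed shape for this example)."""
    owner: str
    name: str
    from_contains: tuple = ()
    subject_contains: tuple = ()
    body_contains: tuple = ()
    actions: tuple = ()
    enabled: bool = True


def rule_hides_mail(rule: InboxRule) -> bool:
    """True if any action on the rule removes the message from view."""
    return bool(set(rule.actions) & HIDING_ACTIONS)


def rule_targets_payroll(rule: InboxRule) -> bool:
    """True if the rule's match conditions mention a payroll/HR term."""
    conditions = rule.from_contains + rule.subject_contains + rule.body_contains
    text = " ".join(conditions).lower()
    return any(term in text for term in WATCH_TERMS)


def suspicious_rules(rules) -> list:
    """Return enabled rules that hide payroll/HR notifications."""
    return [r for r in rules
            if r.enabled and rule_hides_mail(r) and rule_targets_payroll(r)]


def report(rules) -> list:
    """Human-readable findings, one line per suspicious rule."""
    return [f"{r.owner}: rule {r.name!r} matches {WATCH_TERMS} terms "
            f"and applies {sorted(set(r.actions) & HIDING_ACTIONS)}"
            for r in suspicious_rules(rules)]


# Constructed sample export: two benign rules, two rules of the kind the
# article describes, one disabled rule.
SAMPLE_RULES = [
    InboxRule("alice", "Workday cleanup",
              from_contains=("workday",),
              actions=("delete_message",)),
    InboxRule("bob", "Newsletters",
              from_contains=("newsletter",),
              actions=("move_to_folder:Reading",)),
    InboxRule("carol", ".",
              subject_contains=("direct deposit",),
              actions=("move_to_junk", "mark_as_read")),
    InboxRule("dave", "Old rule",
              from_contains=("workday",),
              actions=("delete_message",),
              enabled=False),
    InboxRule("erin", "Payroll folder",
              from_contains=("payroll",),
              actions=("move_to_folder:Payroll",)),
]

if __name__ == "__main__":
    for line in report(SAMPLE_RULES):
        print(line)
```

Erin's rule files payroll mail into a visible folder and is not flagged; only rules that both match a watch term and apply a hiding action are reported. In practice the same check would be run over a real rule export, and a rule named "." or created moments after a login from a new device would be worth a second look on its own.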

Microsoft called the threat actors Storm-2657 and said it has reached out to some of the affected customers with advice on how to address the campaign.

A Workday spokesperson said they “encourage our customers to enable phishing-resistant MFA methods and add extra steps around sensitive changes like payroll to protect against threats like these.”

‘COVID-Like Case Reported’

The phishing emails came in several different forms and were aimed at multiple universities. Several of the emails had Google Docs links and were typically centered around themes involving COVID-19 or classroom misconduct allegations. 

Some of the subject lines had names like “COVID-Like Case Reported — Check Your Contact Status” or “Faculty Compliance Notice – Classroom Misconduct Report.”

One situation involved a phishing email about illness exposure status that was sent to 500 people at one organization. Just 10% of recipients reported the email as a phishing attempt. 

“The most recently identified theme involved phishing emails impersonating a legitimate university or an entity associated with a university,” Microsoft explained. “To make their messages appear convincing, Storm-2657 tailored the content based on the recipient’s institution.” 

Some of the emails were made to look like official communications from the university president or emails from HR about changes to compensation. 

In addition to deleting all Workday emails from a victim’s inbox, the threat actors also enrolled their own devices for multifactor authentication, allowing them to maintain access for a longer amount of time. 

The scheme is a variant of business email compromise (BEC), where hackers take over email threads or accounts and replace legitimate accounts with their own. 

Business email compromise continues to be one of the thorniest — and costliest — digital crimes. For 2024, the FBI reported more than $2 billion in losses as a result of business email compromise attacks. 

Most schemes target businesses that deal with wire transfers or automated clearing house payments, with the end goal being to get victims to mistakenly send funds to hacker-controlled accounts. 

Last year, about $60 million was stolen from one of the leading suppliers of carbon products after an employee was tricked into making several wire transfers to cybercriminals. A school district in Tennessee was also tricked into handing over millions. 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.