- Storm-2657 Hackers Attacked University Email Accounts to Phish and Redirect Salary Payments
- The attackers exploited the absence of MFA and used adversary-in-the-middle (AITM) phishing to take over Exchange Online accounts, then pivoted into HR SaaS platforms such as Workday.
- Microsoft is helping victims and warns that this is a BEC-style "payroll pirate" campaign that silently rewrites salary payment details.
Hackers are breaking into human resources SaaS platform accounts at universities across the United States and redirecting salaries to their own accounts, Microsoft has warned.
Its report says the attacks began in March 2025, when a financially motivated group tracked as Storm-2657 combined social engineering with the absence of multi-factor authentication (MFA) to break into 11 email accounts at three universities.
Using these accounts, they sent phishing emails to nearly 6,000 email accounts at 25 universities, with lures ranging from warnings of disease outbreaks on campus to reports of faculty misconduct. The goal was to get victims to click the phishing links so that an adversary-in-the-middle (AITM) page could capture their credentials and session and hand the attackers access to their Exchange Online accounts.
Payroll Pirate
Microsoft describes the campaign as "payroll pirate" attacks, a variation of the Business Email Compromise (BEC) scam that cybercriminals have long favored.
Once inside a mailbox, the attackers used it to reach Workday (or other third-party HR SaaS platforms) and changed the victim's salary payment configuration so that pay was routed to accounts under their control.
They also created inbox rules that deleted all incoming mail from these platforms, so the victims never saw the notifications about the changes to their payment details.
Then they would spread their attacks further: “Following the compromise of email accounts and payroll changes in Workday, the threat actor leveraged the newly accessed accounts to distribute additional phishing emails, both within the organization and externally to other universities,” Microsoft said.
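The inbox rules are the most tractable artifact of this chain to hunt for: a rule that matches mail from an HR platform and deletes or files it away is rarely legitimate. The following Python is an added example, not code from the article or from Microsoft's report. It scans newline-delimited JSON audit records in the shape that Exchange Online's Unified Audit Log uses for ExchangeAdmin events (an "Operation", a "UserId" and a "Parameters" list of name/value pairs); that field layout, the list of HR terms and the sample records are assumptions constructed for illustration, and the terms should be adjusted to the platforms an organization actually uses.

```python
"""Hunt Exchange Online audit records for inbox rules that hide HR/payroll mail.

Added example; it assumes the Unified Audit Log export shape for
ExchangeAdmin records (Operation, UserId, ClientIP, and a Parameters list of
{"Name": ..., "Value": ...} pairs). Sample records below are constructed.
"""
import json

# Cmdlet operations that create or modify a mailbox rule.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}

# Rule parameters that select mail by sender or subject; matched against HR terms.
SENDER_PARAMS = ("From", "FromAddressContainsWords", "SubjectContainsWords", "BodyContainsWords")

# Rule parameters that make matched mail disappear from the user's view.
HIDING_PARAMS = ("DeleteMessage", "SoftDeleteMessage", "MoveToFolder")

# HR SaaS indicators (assumption; extend per environment).
DEFAULT_HR_TERMS = ("workday", "myworkday.com", "payroll", "direct deposit")


def _params(record):
    """Flatten the record's Parameters list into a {name: value} dict of strings."""
    return {p.get("Name", ""): str(p.get("Value", "")) for p in record.get("Parameters", [])}


def rule_hides_hr_mail(record, hr_terms=DEFAULT_HR_TERMS):
    """Return the HR term matched by a rule that both targets HR mail and hides it,
    or None if the record is not such a rule change."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _params(record)
    # Switch parameters are logged as "True"; MoveToFolder carries a folder path.
    hides = any(params.get(p) not in (None, "", "False") for p in HIDING_PARAMS)
    if not hides:
        return None
    for name in SENDER_PARAMS:
        value = params.get(name, "").lower()
        for term in hr_terms:
            if term in value:
                return term
    return None


def find_suppression_rules(jsonl_text, hr_terms=DEFAULT_HR_TERMS):
    """Scan newline-delimited JSON audit records; return one finding per suspicious rule."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        term = rule_hides_hr_mail(rec, hr_terms)
        if term is None:
            continue
        params = _params(rec)
        findings.append({
            "time": rec.get("CreationTime"),
            "user": rec.get("UserId"),
            "operation": rec.get("Operation"),
            # New-InboxRule names the rule with -Name; Set-InboxRule addresses it with -Identity.
            "rule": params.get("Name") or params.get("Identity") or "<unnamed>",
            "matched": term,
            "client_ip": rec.get("ClientIP"),
        })
    return findings


# Constructed sample export: two suppression rules, one benign rule, one unrelated event.
SAMPLE_AUDIT_JSONL = "\n".join([
    json.dumps({"CreationTime": "2025-04-02T13:11:08", "Operation": "New-InboxRule",
                "UserId": "jdoe@university.example", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "FromAddressContainsWords", "Value": "myworkday.com"},
                               {"Name": "DeleteMessage", "Value": "True"},
                               {"Name": "StopProcessingRules", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-04-02T13:12:41", "Operation": "New-InboxRule",
                "UserId": "asmith@university.example", "ClientIP": "198.51.100.9",
                "Parameters": [{"Name": "Name", "Value": "Newsletter"},
                               {"Name": "SubjectContainsWords", "Value": "campus digest"},
                               {"Name": "MoveToFolder", "Value": "Archive"}]}),
    json.dumps({"CreationTime": "2025-04-03T08:02:10", "Operation": "Set-InboxRule",
                "UserId": "mlee@university.example", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Identity", "Value": "Sort"},
                               {"Name": "SubjectContainsWords", "Value": "Direct Deposit"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"}]}),
    json.dumps({"CreationTime": "2025-04-03T09:30:00", "Operation": "Set-Mailbox",
                "UserId": "admin@university.example",
                "Parameters": [{"Name": "Identity", "Value": "jdoe"}]}),
])

if __name__ == "__main__":
    for f in find_suppression_rules(SAMPLE_AUDIT_JSONL):
        print(f"{f['time']} {f['user']} {f['operation']} rule={f['rule']!r} "
              f"matched={f['matched']!r} from {f['client_ip']}")
```

Two things in the output matter for triage: the rule that files Workday mail into an obscure folder is just as much a finding as the one that deletes it, and the same client IP appearing across rules created in different users' mailboxes is a strong sign the rules were planted by one actor rather than by the users themselves.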
In its report, Microsoft said it has identified the people who fell for the phishing and whose payment details were altered, and that it is now contacting them and helping them remediate the compromise. It has also published guidance to help potential victims determine whether their accounts were affected.
Via BleepingComputer