A cybercrime gang tracked as Storm-2657 has been targeting university employees in the United States to hijack salary payments in “pirate payroll” attacks since March 2025.
Microsoft Threat Intelligence analysts who spotted this campaign found that the threat actors are targeting Workday accounts; however, other third-party human resources (HR) software-as-a-service (SaaS) platforms could also be at risk.
“We’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities,” Microsoft said in a Thursday report.
“These attacks don’t represent any vulnerability in the Workday platform or products, but rather financially motivated threat actors using sophisticated social engineering tactics and taking advantage of the complete lack of multifactor authentication (MFA) or lack of phishing-resistant MFA to compromise accounts.”
Read more: bleepingcomputer.com
