Oct 10, 2025Ravie LakshmananSaaS Safety / Risk Intelligence
A menace actor referred to as Storm-2657 has been noticed hijacking worker accounts with the top aim of diverting wage funds to attacker-controlled accounts.
“Storm-2657 is actively concentrating on a spread of U.S.-based organizations, significantly workers in sectors like increased training, to achieve entry to third-party human assets (HR) software program as a service (SaaS) platforms like Workday,” the Microsoft Risk Intelligence workforce stated in a report.
Nevertheless, the tech big cautioned that any software-as-a-service (SaaS) platform storing HR or cost and checking account data could possibly be a goal of such financially motivated campaigns. Some features of the marketing campaign, codenamed Payroll Pirates, had been beforehand highlighted by Silent Push, Malwarebytes, and Hunt.io.
What makes the assaults notable is that they do not exploit any safety flaw within the companies themselves. Fairly, they leverage social engineering techniques and an absence of multi-factor authentication (MFA) protections to grab management of worker accounts and in the end modify cost data to route them to accounts managed by the menace actors.
In a single marketing campaign noticed by Microsoft within the first half of 2025, the attacker is alleged to have obtained preliminary entry via phishing emails which are designed to reap their credentials and MFA codes utilizing an adversary-in-the-middle (AitM) phishing hyperlink, thereby having access to their Alternate On-line accounts and taking on Workday profiles via single sign-on (SSO).
The menace actors have additionally been noticed creating inbox guidelines to delete incoming warning notification emails from Workday in order to cover the unauthorized adjustments made to profiles. This consists of altering the wage cost configuration to redirect future wage funds to accounts underneath their management.
To make sure persistent entry to the accounts, the attackers enroll their very own telephone numbers as MFA units for sufferer accounts. What’s extra, the compromised e-mail accounts are used to distribute additional phishing emails, each inside the group and to different universities.
Microsoft stated it noticed 11 efficiently compromised accounts at three universities since March 2025 that had been used to ship phishing emails to just about 6,000 e-mail accounts throughout 25 universities. The e-mail messages function lures associated to diseases or misconduct notices on campus, inducing a false sense of urgency and tricking recipients into clicking on the faux hyperlinks.
To mitigate the danger posed by Storm-2657, it is beneficial to undertake passwordless, phishing-resistant MFA strategies corresponding to FIDO2 safety keys, and evaluation accounts for indicators of suspicious exercise, corresponding to unknown MFA units and malicious inbox guidelines.
