Payroll hackers strike: Microsoft warns of hijacking HR SaaS accounts to steal employee salaries
“Microsoft has issued an alert warning people of payroll hackers who are attacking HR SaaS account systems to steal employee payroll.”
Storm-2657 is a threat actor seen hijacking employee accounts in order to transfer salary payments to accounts under the attacker’s control.
Microsoft Threat Intelligence Team report:
“To gain access to third-party human resources (HR) software-as-a-service (SaaS) platforms like Workday, Storm-2657 aggressively targets a variety of U.S.-based organizations, especially those in industries like higher education.”
But the internet giant warned that such for-profit efforts could target any software-as-a-service (SaaS) platform that stores bank account, payment or human resources data. Silent Push, Malwarebytes, and Hunt.io have already highlighted some of the campaign features under the Payroll Pirates moniker.
The attacks are noteworthy because they do not exploit any vulnerabilities in the services themselves. Instead, the threat actors rely on social engineering techniques and a lack of multi-factor authentication (MFA) safeguards to take control of employee accounts and alter payment information so that payments go to accounts they control.
In a campaign that Microsoft observed in the first half of 2025, the attacker gained initial access by sending phishing emails intended to obtain credentials and MFA codes through an adversary-in-the-middle (AitM) phishing link, and then reached the targets’ Exchange Online accounts and Workday profiles through single sign-on (SSO).
To hide unauthorized profile modifications, the threat actors have also been seen setting up inbox rules that delete incoming warning notification emails from Workday. Those modifications involve changing the settings of the payroll system so that future salary payments are redirected to accounts under the attackers’ control.
To ensure persistent access, the attackers enroll their own phone numbers as MFA devices on the victims’ accounts. The hijacked email accounts are then used to send further phishing emails, both within the organization and to other colleges.
Microsoft reported that since March 2025 it had seen 11 accounts successfully compromised at three colleges, which were used to send phishing emails to about 6,000 email accounts at 25 other universities. To create a false sense of urgency and trick readers into clicking on bogus links, the emails contain lures related to notifications of sickness or campus misconduct.

It is recommended to use FIDO2 security keys and other passwordless, phishing-resistant MFA technologies to reduce the risks posed by Storm-2657. Additionally, accounts should be scanned for indicators of unusual activity, such as malicious inbox rules and unknown MFA devices.
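The scan recommended above can be sketched as follows. This is an added example, not code from Microsoft or from the article: it correlates, per user, an inbox rule that hides HR-platform mail, an MFA phone that is not in the enrollment baseline, and a payroll change. The event schema, the operation names mfa_method_added and payroll_account_changed, the sender domain and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions, not a real export schema.
EVENTS = [
    {"time": "2025-04-02T09:14:00", "user": "a.rivera@example.edu", "op": "New-InboxRule",
     "params": {"DeleteMessage": True, "From": "notifications@hr-saas.example"}},
    {"time": "2025-04-02T09:20:00", "user": "a.rivera@example.edu", "op": "mfa_method_added",
     "params": {"method": "phone", "value": "+1-555-0100"}},
    {"time": "2025-04-02T09:31:00", "user": "a.rivera@example.edu", "op": "payroll_account_changed",
     "params": {}},
    {"time": "2025-04-03T11:00:00", "user": "b.chen@example.edu", "op": "New-InboxRule",
     "params": {"MoveToFolder": "Newsletters", "From": "news@vendor.example"}},
    {"time": "2025-04-05T08:00:00", "user": "c.okoye@example.edu", "op": "mfa_method_added",
     "params": {"method": "phone", "value": "+1-555-0142"}},
]
KNOWN_MFA = {"c.okoye@example.edu": {"+1-555-0142"}}  # enrolled-device baseline
HR_SENDERS = ("hr-saas.example",)                     # placeholder HR platform domain
WINDOW = timedelta(hours=24)

def indicator(ev):
    """Return the indicator name an event represents, or None."""
    p = ev["params"]
    if ev["op"] in ("New-InboxRule", "Set-InboxRule"):
        hides = p.get("DeleteMessage") or p.get("MoveToFolder") in ("Deleted Items", "Junk Email")
        sender = str(p.get("From", "")).lower()
        words = " ".join(p.get("SubjectContainsWords", [])).lower()
        hr = any(d in sender for d in HR_SENDERS) or "payroll" in words or "direct deposit" in words
        return "hr_mail_hidden" if hides and hr else None
    if ev["op"] == "mfa_method_added":
        return None if p.get("value") in KNOWN_MFA.get(ev["user"], set()) else "unknown_mfa"
    if ev["op"] == "payroll_account_changed":
        return "payroll_change"
    return None

def triage(events):
    """Group indicators per user; escalate when several fall within WINDOW."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        name = indicator(ev)
        if name:
            hits.setdefault(ev["user"], []).append((datetime.fromisoformat(ev["time"]), name))
    report = {}
    for user, found in hits.items():
        first = found[0][0]  # window is anchored at the user's first indicator
        names = sorted({n for t, n in found if t - first <= WINDOW})
        report[user] = ("high" if len(names) >= 2 else "review", names)
    return report

if __name__ == "__main__":
    print(triage(EVENTS))
```

A single indicator is only queued for review; two or more inside the window are escalated, because the combination of hidden HR mail, a new MFA phone and a payroll change is the sequence the article describes.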
About the author
Suraj Kohli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, covering the latest trends in cyber awareness and ethical hacking.


