Full Report
A cybercrime gang tracked as Storm-2657 has been targeting university employees in the United States to hijack salary payments in "pirate payroll" attacks since March 2025. [...]
Analysis Summary
# Threat Actor: Storm-2657
## Attribution & Identity
* **Identification:** Cybercrime gang tracked by Microsoft Threat Intelligence as Storm-2657.
* **Association:** Operates as a financially motivated threat actor conducting "payroll pirate" attacks, a variant of Business Email Compromise (BEC) scams.
## Activity Summary
The group has been actively targeting university employees in the United States since March 2025 to hijack salary payments ("payroll pirate" attacks). Microsoft observed 11 successfully compromised accounts across three universities, which were subsequently used to send phishing emails to nearly 6,000 accounts at 25 universities. The primary goal is to gain access to HR/payroll systems (specifically Workday) to redirect salary payments.
## Tactics, Techniques & Procedures
* **Phishing:** Using sophisticated, custom-tailored social engineering tactics. Phishing themes include warnings of campus illness outbreaks, reports of faculty misconduct, compensation/benefits information, and fake HR documents.
* **Initial Compromise:** Using Adversary-in-the-Middle (AITM) links within phishing emails to steal Multi-Factor Authentication (MFA) codes and compromise Exchange Online accounts.
* **Persistence/Evasion:** Setting up inbox rules in compromised email accounts to delete Workday warning notification emails, concealing subsequent payroll modifications.
* **Persistence:** Enrolling their own phone numbers as MFA devices for compromised accounts, either via Workday profiles or Duo MFA settings, to approve further malicious actions.
* **Lateral Movement:** Leveraging newly accessed accounts to distribute further phishing emails both internally and externally to other universities.
## Targeting
* **Sectors:** Higher Education (Universities).
* **Geography:** United States.
* **Victims:** Employees at universities, specifically targeting Workday accounts/profiles and HR personnel access.
## Tools & Infrastructure
* **Malware Families Used:** None explicitly named; the group relies on **AITM phishing links** to harvest credentials and MFA codes rather than on malware.
* **Infrastructure (C2, domains, IPs):** No specific infrastructure details (IPs/Domains) were provided in the summary context, other than leveraging compromised **Exchange Online** and **Workday** SaaS platforms after initial compromise.
## Implications
Storm-2657 is a highly motivated and methodical, financially driven threat actor targeting payroll systems in the higher education sector. Its successful use of AITM phishing shows mature techniques capable of bypassing standard MFA, posing a significant risk of large-scale financial fraud via BEC. The attacks exploit the absence, or incomplete deployment, of phishing-resistant MFA.
## Mitigations
* Implement **phishing-resistant Multi-Factor Authentication (MFA)** across all critical systems, including email and HR/payroll platforms like Workday.
* Educate users on the sophisticated social engineering tactics used in custom-tailored phishing campaigns.
* Review mailbox inbox rules for suspicious automated actions, particularly rules that delete or hide system-generated notifications such as Workday alerts.
* Validate the MFA devices registered to user accounts (including Workday profiles and Duo) and remove any the user did not enrol.
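The inbox-rule review above can be automated. The following is an added example, not code from the original report or from Microsoft: it scores mailbox rules for the pattern Storm-2657 uses, a rule that matches Workday or payroll mail and then deletes it or moves it somewhere the victim will not look. The rule records are constructed, and their field names are an assumed mapping onto Exchange Online `Get-InboxRule` properties; the sender and keyword watch lists are assumptions to tune for the tenant.

```python
"""Flag inbox rules that suppress Workday / payroll notifications."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed watch lists (assumptions): senders and words that a payroll
# notification would carry. Replace with the tenant's real Workday sender.
WATCH_SENDERS = ("workday", "payroll")
WATCH_WORDS = ("workday", "payroll", "direct deposit", "payment election", "bank account")
# Folders an attacker uses so the owner never sees the moved message.
HIDE_FOLDERS = ("deleted items", "junk email", "archive", "rss feeds", "conversation history")


@dataclass
class InboxRule:
    # Field names are an assumed mapping of Get-InboxRule properties.
    name: str
    enabled: bool = True
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    mark_as_read: bool = False
    from_address_contains: List[str] = field(default_factory=list)
    subject_contains: List[str] = field(default_factory=list)
    body_contains: List[str] = field(default_factory=list)


def targets_payroll_mail(rule: InboxRule) -> bool:
    """True if any rule condition matches payroll senders or keywords."""
    terms = [t.lower() for t in rule.subject_contains + rule.body_contains]
    senders = [s.lower() for s in rule.from_address_contains]
    return any(w in t for t in terms for w in WATCH_WORDS) or \
        any(s in a for a in senders for s in WATCH_SENDERS)


def hides_message(rule: InboxRule) -> bool:
    """True if the action makes the matched mail effectively invisible."""
    folder = (rule.move_to_folder or "").lower()
    return rule.delete_message or folder in HIDE_FOLDERS or (rule.mark_as_read and bool(folder))


def suspicious_rules(rules: List[InboxRule]) -> List[str]:
    """Names of enabled rules that both target payroll mail and hide it."""
    return [r.name for r in rules if r.enabled and targets_payroll_mail(r) and hides_message(r)]


SAMPLE_RULES = [  # constructed records, not data from any real mailbox
    InboxRule(name="Newsletter cleanup", subject_contains=["newsletter"], move_to_folder="Archive"),
    InboxRule(name=".", from_address_contains=["workday"], delete_message=True),
    InboxRule(name="Payroll", subject_contains=["Payment Election"], move_to_folder="RSS Feeds", mark_as_read=True),
    InboxRule(name="Old deleter", subject_contains=["direct deposit"], delete_message=True, enabled=False),
]

if __name__ == "__main__":
    print(suspicious_rules(SAMPLE_RULES))  # prints ['.', 'Payroll']
```

A one-character rule name such as "." is itself a common sign of an attacker-created rule and is worth surfacing even when the conditions do not match the watch list.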