Payroll Hackers Target U.S. Universities, Microsoft Warns




Microsoft researchers have uncovered a new phishing campaign in which cybercriminals steal university employees’ salaries by redirecting their payroll deposits to accounts under the attackers’ control. Microsoft tracks the group behind the attacks as “Storm-2657.”

The hackers have been carrying out these attacks since March 2025, targeting staff at multiple U.S. universities and organizations that use third-party HR and payroll platforms, including Workday.

According to Microsoft’s report, at least 11 employee accounts across three universities were compromised and later used to send phishing emails to nearly 6,000 individuals in 25 universities. The scale of the attack suggests a coordinated attempt to infiltrate university payroll systems through deception and stolen credentials.


How the Attack Works

The attackers send phishing emails that appear to come from legitimate university sources or human resources departments. These emails often carry urgent subjects like “COVID-Like Case Reported — Check Your Contact Status” or “Faculty Compliance Notice – Classroom Misconduct Report.”

When recipients click on the embedded links, they are redirected to fake login pages designed to steal their login details and multifactor authentication (MFA) codes. With these details, the hackers gain full access to the victim’s Workday or HR accounts.

Once inside, the criminals create inbox rules that automatically delete emails from Workday, particularly notifications about payroll or bank account changes, ensuring victims remain unaware of any tampering. They also register their own devices for MFA, allowing them to retain access even if the victim later changes their password.

This enables the attackers to quietly change the employee’s bank account information, diverting salary payments into accounts they control.


Broader Pattern of Business Email Compromise

Experts classify this as a variant of Business Email Compromise (BEC), a fraud method where attackers infiltrate or impersonate legitimate business accounts to redirect payments or steal sensitive data.

According to the FBI’s 2024 Internet Crime Report, BEC scams caused over $2 billion in losses last year alone. Victims include corporations, suppliers, and even schools that handle large financial transactions through wire transfers or automated clearing house (ACH) systems.

In one notable 2024 case, cybercriminals stole $60 million from a major carbon products supplier, while a Tennessee school district also lost millions through similar fraudulent transfers.


Microsoft and Workday Respond

Microsoft said it has alerted affected institutions and shared recommendations to contain the threat. The company advised organizations to adopt phishing-resistant MFA options, monitor for suspicious inbox rules, and require extra verification for any changes to payroll details.
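The inbox-rule tampering described under "How the Attack Works" and the advice here to monitor for suspicious inbox rules can be turned into a simple audit, shown below as an added example that is not from Microsoft's report or this article. It assumes rules have been exported as records shaped like Microsoft Graph `messageRule` objects; the sample rules, mailbox address, and keyword list are constructed for illustration.

```python
# Added example: flag mailbox rules that hide payroll/HR notifications.
# Records are constructed samples shaped like Microsoft Graph messageRule
# objects; KEYWORDS is an assumption to tune for your own HR platform.
KEYWORDS = ("workday", "payroll", "direct deposit", "bank account")
TEXT_CONDITIONS = ("senderContains", "subjectContains",
                   "bodyContains", "bodyOrSubjectContains")

def rule_terms(rule):
    """Collect every string the rule matches on, lower-cased."""
    cond = rule.get("conditions") or {}
    terms = [t for key in TEXT_CONDITIONS for t in cond.get(key) or []]
    for sender in cond.get("fromAddresses") or []:
        terms.append((sender.get("emailAddress") or {}).get("address", ""))
    return [t.lower() for t in terms]

def hiding_actions(rule):
    """Return the actions that remove a message from the user's view."""
    act = rule.get("actions") or {}
    found = [name for name in ("delete", "permanentDelete") if act.get(name)]
    if act.get("moveToFolder"):
        found.append("moveToFolder")
    return found

def suspicious_rules(mailbox, rules):
    """Return findings for enabled rules that hide payroll-related mail."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue  # disabled rules do not act on incoming mail
        terms = rule_terms(rule)
        hits = sorted({k for k in KEYWORDS for t in terms if k in t})
        actions = hiding_actions(rule)
        if hits and actions:
            findings.append({"mailbox": mailbox, "rule": rule.get("displayName"),
                             "keywords": hits, "actions": actions})
    return findings

# Constructed sample data (not indicators from the campaign).
SAMPLE_RULES = [
    {"displayName": "....", "isEnabled": True,
     "conditions": {"senderContains": ["workday-notifications@example.edu"]},
     "actions": {"delete": True, "stopProcessingRules": True}},
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"subjectContains": ["Weekly digest"]},
     "actions": {"moveToFolder": "constructed-folder-id"}},
    {"displayName": "old", "isEnabled": False,
     "conditions": {"subjectContains": ["Payroll"]},
     "actions": {"permanentDelete": True}},
]
```

Calling `suspicious_rules("user@example.edu", SAMPLE_RULES)` flags only the first rule; a finding is a lead for review alongside recent MFA device registrations and payroll changes on the same account, not proof of compromise.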

A Workday spokesperson also encouraged clients to strengthen their MFA policies and implement additional review steps before processing sensitive updates like salary or banking information.


Protecting Employees and Institutions

Cybersecurity experts emphasize the importance of employee awareness and vigilant reporting. Staff should avoid clicking on unsolicited HR emails and instead confirm any urgent requests directly with their university’s payroll or IT department.

With educational institutions increasingly targeted by financially motivated hackers, proactive defenses and real-time verification remain the most effective safeguards against salary diversion scams.


