Storm-2657 Targets University HR Employees in Payroll Hijacking Campaign
Summary
A cybercrime gang, Storm-2657, has been targeting university employees in the United States since March 2025 to hijack salary payments. The attackers have compromised 11 accounts at three universities and sent phishing emails to nearly 6,000 email accounts across 25 universities. The campaign exploits a lack of multifactor authentication (MFA), or of phishing-resistant MFA, to compromise Workday accounts and other third-party HR SaaS platforms. The attackers use sophisticated social engineering tactics and adversary-in-the-middle (AITM) links to steal MFA codes, enabling them to gain access to Exchange Online accounts. Once inside, they alter salary payment configurations and redirect payments to accounts under their control. Microsoft has identified affected customers and provided mitigation guidance.
Timeline
- 09.10.2025 22:38 (1 article): Storm-2657 Targets University HR Employees in Payroll Hijacking Campaign
  Source: Microsoft: Hackers target universities in “payroll pirate” attacks — www.bleepingcomputer.com — 09.10.2025 22:38
Information Snippets
- Storm-2657 targets university employees to hijack salary payments.
  First reported: 09.10.2025 22:38 (1 source, 1 article)
  Source: Microsoft: Hackers target universities in “payroll pirate” attacks — www.bleepingcomputer.com — 09.10.2025 22:38
- The campaign exploits a lack of multifactor authentication (MFA) or phishing-resistant MFA.
  First reported: 09.10.2025 22:38 (1 source, 1 article)
  Source: Microsoft: Hackers target universities in “payroll pirate” attacks — www.bleepingcomputer.com — 09.10.2025 22:38
- The attackers use sophisticated social engineering tactics and AITM links to steal MFA codes.
  First reported: 09.10.2025 22:38 (1 source, 1 article)
  Source: Microsoft: Hackers target universities in “payroll pirate” attacks — www.bleepingcomputer.com — 09.10.2025 22:38
- The attackers compromise Workday accounts and other third-party HR SaaS platforms.
  First reported: 09.10.2025 22:38 (1 source, 1 article)
  Source: Microsoft: Hackers target universities in “payroll pirate” attacks — www.bleepingcomputer.com — 09.10.2025 22:38
- The attackers alter salary payment configurations and redirect payments to accounts under their control.
  First reported: 09.10.2025 22:38 (1 source, 1 article)
  Source: Microsoft: Hackers target universities in “payroll pirate” attacks — www.bleepingcomputer.com — 09.10.2025 22:38
- The campaign has been ongoing since March 2025.
  First reported: 09.10.2025 22:38 (1 source, 1 article)
  Source: Microsoft: Hackers target universities in “payroll pirate” attacks — www.bleepingcomputer.com — 09.10.2025 22:38
- Microsoft has identified affected customers and provided mitigation guidance.
  First reported: 09.10.2025 22:38 (1 source, 1 article)
  Source: Microsoft: Hackers target universities in “payroll pirate” attacks — www.bleepingcomputer.com — 09.10.2025 22:38