Find notable cyber news and cases, enriched with sources, timelines, and signals.

Storm-2657 Payroll Pirates HR SaaS salary-diversion campaign

Campaign
First reported
Last updated
Happening score
H score 34
1 unique sources, 1 articles

Summary

Hide ▲

The Storm-2657 Payroll Pirates operation is hijacking employee accounts to redirect salary payments, creating immediate fraud risk for U.S.-based organizations and especially higher education. The group uses phishing, adversary-in-the-middle (AitM) credential theft, and SSO takeover to reach HR systems such as Workday. Compromised mailboxes are then used to hide warnings, persist access, and push follow-on phishing across universities.

Related Happenings

Instagram accounts for Obama White House hit by account takeover attack

Incident
H score40 First: 01.06.2026 20:32 Last: 01.06.2026 20:32 Sources 1

About this happening: The **Instagram** accounts for the **Obama White House** and the **Chief Master Sergeant of the U.S. Space Force** were briefly **defaced** after attackers abused **Meta’s AI supp...

Kali365 Microsoft 365 device-code phishing campaign

Campaign
H score46 First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

Code of conduct-themed Microsoft AiTM phishing campaign

Campaign
H score53 First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...

Amazon SES phishing and BEC abuse campaign

Campaign
H score29 First: 04.05.2026 23:03 Last: 04.05.2026 23:03 Sources 1

About this happening: A phishing campaign is abusing Amazon Simple Email Service (SES) to send convincing emails that can bypass standard authentication and reputation-based defenses. Attackers are usi...

BlackFile vishing extortion campaign targeting retail and hospitality organizations

Campaign
H score37 First: 24.04.2026 21:26 Last: 24.04.2026 21:26 Sources 1

About this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...

Timeline

  1. 10.10.2025 16:31 2 articles · 9mo ago

    Microsoft discloses Storm-2657 Payroll Pirates campaign

    Initial Disclosure

    Microsoft reported that Storm-2657 is actively targeting U.S.-based organizations, especially higher education employees, to hijack Workday and Exchange Online accounts and divert salary payments to attacker-controlled accounts. The campaign uses phishing and adversary-in-the-middle credential theft to seize employee accounts, create inbox rules that hide Workday warning messages, enroll attacker-controlled MFA devices, and push follow-on phishing to other universities.

    Show sources