Storm-2657 Payroll Pirates HR SaaS salary-diversion campaign

Campaign
Happening score
H score 33
1 unique source, 1 article

Summary

The Storm-2657 Payroll Pirates operation is hijacking employee accounts to redirect salary payments, creating immediate fraud risk for U.S.-based organizations and especially higher education. The group uses phishing, adversary-in-the-middle (AitM) credential theft, and SSO takeover to reach HR systems such as Workday. Compromised mailboxes are then used to hide warnings, persist access, and push follow-on phishing across universities.

Related Happenings

Kali365 Microsoft 365 device-code phishing campaign

Campaign
First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

Code of conduct-themed Microsoft AiTM phishing campaign

Campaign
First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...

Amazon SES phishing and BEC abuse campaign

Campaign
First: 04.05.2026 23:03 Last: 04.05.2026 23:03 Sources 1

About this happening: A phishing campaign is abusing Amazon Simple Email Service (SES) to send convincing emails that can bypass standard authentication and reputation-based defenses. Attackers are usi...

BlackFile vishing extortion campaign targeting retail and hospitality organizations

Campaign
First: 24.04.2026 21:26 Last: 24.04.2026 21:26 Sources 1

About this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...

W3LL Microsoft 365 adversary-in-the-middle phishing campaign

Campaign
First: 13.04.2026 21:55 Last: 13.04.2026 21:55 Sources 1

About this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...

Timeline

  1. 10.10.2025 16:31 2 articles · 7mo ago

    Microsoft discloses Storm-2657 Payroll Pirates campaign

    Initial Disclosure

    Microsoft reported that Storm-2657 is actively targeting U.S.-based organizations, especially higher education employees, to hijack Workday and Exchange Online accounts and divert salary payments to attacker-controlled accounts. The campaign uses phishing and adversary-in-the-middle credential theft to seize employee accounts, create inbox rules that hide Workday warning messages, enroll attacker-controlled MFA devices, and push follow-on phishing to other universities.
