Storm-2657 Targets Universities with Payroll Phishing Scams

Published 2025-10-25 16:29:39 | www.foxnews.com
Phishing Cybercrime Universities Storm 2657 Payroll Theft Actor: Storm-2657 Sector: Education Region: United States

🎙️ Paranoid Newscast

🎭
Credibility
70%
📊
Risk Score
56%
🎲
Likelihood
8/10
💥
Impact
7/10
🛡️
Priority
4/5
A new hacking group, Storm-2657, is targeting U.S. universities with sophisticated phishing attacks aimed at hijacking payroll payments. These 'pirate payroll' attacks exploit social engineering tactics to manipulate staff into providing sensitive login information.

Phishing scams target every kind of institution, whether it's a hospital, a big tech firm or even a fast-food chain. Educational institutions aren't an exception, especially in 2025, when attackers are actively directing their efforts toward them. Universities across the U.S. are facing a new type of cybercrime where attackers are targeting staff to hijack salary payments. Researchers have discovered that since March 2025, a hacking group known as Storm-2657 has been running "pirate payroll" attacks, using phishing tactics to gain access to payroll accounts.

According to Microsoft Threat Intelligence, Storm-2657 primarily targets Workday, a widely used human resources platform, though other payroll and HR software could be at risk as well. The attackers begin with highly convincing phishing emails, carefully crafted to appeal to individual staff members. Some messages warn of a sudden campus illness outbreak, creating a sense of urgency, while others claim that a faculty member is under investigation, prompting recipients to check documents immediately. In some cases, emails impersonate the university president or HR department, sharing "important" updates about compensation and benefits.

These emails contain links designed to capture login credentials and multi-factor authentication (MFA) codes in real time using adversary-in-the-middle techniques. Once a staff member enters their information, the attackers can access the account as if they were the legitimate user. After gaining control, the hackers set up inbox rules to delete Workday notifications, so the victims do not see alerts about changes. This stealthy approach allows the attackers to modify payroll profiles, adjust salary payment settings and redirect funds to accounts they control, all without raising immediate suspicion.

The hackers don't stop at a single account. Once they control one mailbox, they use it to spread the attack further. Microsoft reports that from just 11 compromised accounts at three universities, Storm-2657 sent phishing emails to nearly 6,000 email addresses at 25 institutions. By using trusted internal accounts, their emails appear more legitimate, increasing the likelihood that recipients will fall for the scam. To maintain access over time, the attackers sometimes enroll their own phone numbers as MFA devices, either through Workday profiles or through Duo MFA. This gives them persistent access, allowing them to approve further malicious actions without needing to phish again.

Microsoft emphasizes that these attacks don't exploit a flaw in Workday itself. Instead, they rely on social engineering, the absence of strong phishing-resistant MFA and careful manipulation of internal systems. In essence, the threat comes from human behavior and insufficient protection, not software bugs.

Protecting yourself from payroll and phishing scams isn't complicated. By taking a few careful steps, you can make it much harder for attackers to gain access to your accounts or personal information. Here are six ways to stay safe from payroll and phishing scams...