Close Menu
TechurzTechurz

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    Feeling lonely at work? You’re not alone – 5 ways to boost your team’s morale

    October 12, 2025

    New Oracle E-Business Suite Bug Could Let Hackers Access Data Without Login

    October 12, 2025

    These Bose headphones took my favorite AirPods Max battery feature – and did it even better

    October 12, 2025
    Facebook X (Twitter) Instagram
    Trending
    • Feeling lonely at work? You’re not alone – 5 ways to boost your team’s morale
    • New Oracle E-Business Suite Bug Could Let Hackers Access Data Without Login
    • These Bose headphones took my favorite AirPods Max battery feature – and did it even better
    • Dating app Cerca will show how Gen Z really dates at TechCrunch Disrupt 2025
    • I thought the Bose QuietComfort headphones already hit their peak – then I tried the newest model
    • Is this the best smart monitor for home entertainment? My verdict after a week of testing
    • Ready to ditch your Windows PC? I found a powerful mini PC that’s optimized for Linux
    • Spotty Wi-Fi at home? 5 products I recommend to fix it once and for all
    Facebook X (Twitter) Instagram Pinterest Vimeo
    TechurzTechurz
    • Home
    • AI
    • Apps
    • News
    • Guides
    • Opinion
    • Reviews
    • Security
    • Startups
    TechurzTechurz
    Home»Security»Microsoft Warns of ‘Payroll Pirates’ Hijacking HR SaaS Accounts to Steal Employee Salaries
    Security

    Microsoft Warns of ‘Payroll Pirates’ Hijacking HR SaaS Accounts to Steal Employee Salaries

    TechurzBy TechurzOctober 10, 2025No Comments3 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Payroll Pirates
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Oct 10, 2025Ravie LakshmananSaaS Security / Threat Intelligence

    A threat actor known as Storm-2657 has been observed hijacking employee accounts with the end goal of diverting salary payments to attacker-controlled accounts.

    “Storm-2657 is actively targeting a range of U.S.-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday,” the Microsoft Threat Intelligence team said in a report.

    However, the tech giant cautioned that any software-as-a-service (SaaS) platform storing HR or payment and bank account information could be a target of such financially motivated campaigns. Some aspects of the campaign, codenamed Payroll Pirates, were previously highlighted by Silent Push, Malwarebytes, and Hunt.io.

    What makes the attacks notable is that they don’t exploit any security flaw in the services themselves. Rather, they leverage social engineering tactics and a lack of multi-factor authentication (MFA) protections to seize control of employee accounts and ultimately modify payment information to route them to accounts managed by the threat actors.

    In one campaign observed by Microsoft in the first half of 2025, the attacker is said to have obtained initial access through phishing emails that are designed to harvest their credentials and MFA codes using an adversary-in-the-middle (AitM) phishing link, thereby gaining access to their Exchange Online accounts and taking over Workday profiles through single sign-on (SSO).

    The threat actors have also been observed creating inbox rules to delete incoming warning notification emails from Workday so as to hide the unauthorized changes made to profiles. This includes altering the salary payment configuration to redirect future salary payments to accounts under their control.

    To ensure persistent access to the accounts, the attackers enroll their own phone numbers as MFA devices for victim accounts. What’s more, the compromised email accounts are used to distribute further phishing emails, both within the organization and to other universities.

    Microsoft said it observed 11 successfully compromised accounts at three universities since March 2025 that were used to send phishing emails to nearly 6,000 email accounts across 25 universities. The email messages feature lures related to illnesses or misconduct notices on campus, inducing a false sense of urgency and tricking recipients into clicking on the fake links.

    To mitigate the risk posed by Storm-2657, it’s recommended to adopt passwordless, phishing-resistant MFA methods such as FIDO2 security keys, and review accounts for signs of suspicious activity, such as unknown MFA devices and malicious inbox rules.

    Accounts employee hijacking Microsoft Payroll pirates SaaS Salaries steal warns
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleKalshi hits $5B valuation days after rival Polymarket gets $2B NYSE backing at $8B
    Next Article Get a phone line with unlimited 5G for $25/month from Metro by T-Mobile – here’s how
    Techurz
    • Website

    Related Posts

    Security

    Feeling lonely at work? You’re not alone – 5 ways to boost your team’s morale

    October 12, 2025
    Security

    New Oracle E-Business Suite Bug Could Let Hackers Access Data Without Login

    October 12, 2025
    Security

    These Bose headphones took my favorite AirPods Max battery feature – and did it even better

    October 12, 2025
    Add A Comment
    Leave A Reply Cancel Reply

    Top Posts

    The Reason Murderbot’s Tone Feels Off

    May 14, 20259 Views

    Start Saving Now: An iPhone 17 Pro Price Hike Is Likely, Says New Report

    August 17, 20258 Views

    CNET’s Daily Tariff Price Tracker: I’m Keeping Tabs on Changes as Trump’s Trade Policies Shift

    May 27, 20258 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Most Popular

    The Reason Murderbot’s Tone Feels Off

    May 14, 20259 Views

    Start Saving Now: An iPhone 17 Pro Price Hike Is Likely, Says New Report

    August 17, 20258 Views

    CNET’s Daily Tariff Price Tracker: I’m Keeping Tabs on Changes as Trump’s Trade Policies Shift

    May 27, 20258 Views
    Our Picks

    Feeling lonely at work? You’re not alone – 5 ways to boost your team’s morale

    October 12, 2025

    New Oracle E-Business Suite Bug Could Let Hackers Access Data Without Login

    October 12, 2025

    These Bose headphones took my favorite AirPods Max battery feature – and did it even better

    October 12, 2025

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • About Us
    • Contact Us
    • Privacy Policy
    • Terms and Conditions
    • Disclaimer
    © 2025 techurz. Designed by Pro.

    Type above and press Enter to search. Press Esc to cancel.