Universities across the U.S. are facing a wave of phishing attacks targeting payroll systems, with the hacking group Storm-2657 exploiting social engineering tactics to redirect funds from staff accounts.
Cybercriminals are increasingly targeting educational institutions, and recent reports indicate that U.S. universities are now facing a significant threat from a hacking group known as Storm-2657. This group has been conducting “pirate payroll” attacks since March 2025, utilizing sophisticated phishing tactics to gain access to payroll accounts and redirect salary payments.
According to Microsoft Threat Intelligence, Storm-2657 has sent phishing emails to approximately 6,000 addresses across 25 universities. The group primarily targets Workday, a popular human resources platform, but other payroll and HR software systems may also be vulnerable.
The phishing emails are meticulously crafted to appear legitimate and often create a sense of urgency. Some messages warn recipients about a sudden outbreak of illness on campus, while others claim that a faculty member is under investigation, prompting immediate action. In many instances, the emails impersonate high-ranking officials, such as the university president or HR department, and contain “important” updates regarding compensation and benefits.
These deceptive emails include links designed to capture login credentials and multi-factor authentication (MFA) codes in real time. By employing adversary-in-the-middle techniques, attackers can access accounts as if they were the legitimate users. Once they gain control, they often set up inbox rules to delete notifications from Workday, preventing victims from seeing alerts about changes to their accounts.
This stealthy approach allows the hackers to modify payroll profiles, adjust salary payment settings, and redirect funds to accounts they control without raising immediate suspicion. The attacks do not exploit any flaws in Workday itself; rather, they rely on social engineering tactics and the absence of strong phishing-resistant MFA.
Once a single account is compromised, the attackers use it to launch further phishing attempts. Microsoft reports that from just 11 compromised accounts at three universities, Storm-2657 was able to send phishing emails to nearly 6,000 email addresses at various institutions. By leveraging trusted internal accounts, the attackers increase the likelihood that recipients will fall victim to the scam.
To maintain persistent access, the attackers sometimes enroll their own phone numbers as MFA devices, either through Workday profiles or Duo MFA. This tactic allows them to approve further malicious actions without needing to conduct additional phishing attempts. Combined with inbox rules that hide notifications, this strategy enables them to operate undetected for extended periods.
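The inbox rules described above are a detectable artifact: a rule that silently deletes or hides Workday or payroll notifications has little legitimate use. The following is an added defender-side example (not code from the article, Microsoft, or Workday) that scans a constructed export of mailbox rules in a hypothetical JSON shape and flags those that both select payroll mail and hide it.

```python
import json

# Constructed sample export of mailbox inbox rules (hypothetical schema; not a
# real tenant export and not Microsoft's or Workday's own format).
SAMPLE_RULES_JSON = """[
 {"mailbox": "prof.a@example.edu", "name": "Archive newsletters",
  "from_contains": ["news@example.edu"], "subject_contains": [],
  "actions": {"move_to": "Archive", "delete": false, "mark_read": false}},
 {"mailbox": "prof.b@example.edu", "name": ".",
  "from_contains": ["workday@example.edu"], "subject_contains": ["direct deposit"],
  "actions": {"move_to": null, "delete": true, "mark_read": true}},
 {"mailbox": "staff.c@example.edu", "name": "x",
  "from_contains": [], "subject_contains": ["Workday"],
  "actions": {"move_to": "RSS Subscriptions", "delete": false, "mark_read": true}}
]"""

# Terms that identify payroll/HR notification mail in this example.
PAYROLL_TERMS = ("workday", "payroll", "direct deposit", "payment election")
# Folders users rarely open, so moving mail there hides it almost as well as deleting it.
OBSCURE_FOLDERS = ("rss subscriptions", "rss feeds", "conversation history", "junk email")

def matches_payroll_mail(rule: dict) -> bool:
    """True if any sender/subject condition of the rule selects payroll or HR notifications."""
    conditions = [c.lower() for c in rule.get("from_contains", []) + rule.get("subject_contains", [])]
    return any(term in cond for cond in conditions for term in PAYROLL_TERMS)

def hiding_actions(rule: dict) -> list[str]:
    """Actions that would keep the mailbox owner from noticing a matched message."""
    acts = rule.get("actions", {})
    reasons = ["delete"] if acts.get("delete") else []
    dest = (acts.get("move_to") or "").lower()
    if dest in OBSCURE_FOLDERS:
        reasons.append(f"move_to:{dest}")
    if acts.get("mark_read"):
        reasons.append("mark_read")
    return reasons

def suspicious_rules(rules_json: str) -> list[dict]:
    """Flag rules that both select payroll mail and hide it; a very short name is a weak extra signal."""
    findings = []
    for rule in json.loads(rules_json):
        reasons = hiding_actions(rule) if matches_payroll_mail(rule) else []
        if not reasons:
            continue
        if len(rule.get("name", "").strip()) <= 2:
            reasons.append("short_rule_name")
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"], "reasons": reasons})
    return findings
```

On the sample data the newsletter rule passes while the two rules that delete or bury Workday mail are reported with the reasons that triggered them; the keyword and folder lists are starting points to tune for a given tenant.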
Experts emphasize that protecting oneself from payroll and phishing scams is not overly complicated. By taking a few precautionary steps, individuals can significantly reduce the risk of falling victim to these attacks.
One effective method is to limit the amount of personal information available online. Scammers often use publicly available data to craft convincing phishing messages. Services that monitor and remove personal data from the internet can help reduce exposure and make it more challenging for attackers to create targeted emails.
While no service can guarantee complete removal of personal data from the internet, utilizing a data removal service can provide peace of mind. These services actively monitor and systematically erase personal information from numerous websites, thereby reducing the risk of being targeted by scammers.
Additionally, individuals should be cautious when receiving emails that appear to be from HR departments or university leadership. It is essential to verify the legitimacy of any email that mentions salary changes or requires action. Contacting the HR office or the person directly using known contact information can help prevent falling victim to phishing attempts.
Installing antivirus software on all devices is another critical step in safeguarding against phishing emails and ransomware scams. This protection can alert users to potential threats and keep personal information secure.
Using unique passwords for different accounts is vital, as scammers often attempt to use credentials stolen from previous breaches. A password manager can assist in generating strong passwords and securely storing them, reducing the risk of unauthorized access.
Enabling two-factor authentication (2FA) on all accounts that support it adds an extra layer of security. Even if a password is compromised, a second verification step can prevent unauthorized logins; since the Storm-2657 attacks capture one-time codes in real time, phishing-resistant methods offer stronger protection than codes alone.
Finally, monitoring accounts for unusual activity is essential. Quickly identifying unauthorized transactions can help prevent significant losses and alert individuals to potential scams before they escalate.
The Storm-2657 attacks underscore the importance of vigilance in the face of evolving cyber threats. Educational institutions are particularly appealing targets due to their payroll systems, which handle direct financial transactions. The scale and sophistication of these attacks highlight the vulnerabilities that even well-established organizations face against financially motivated cybercriminals.
As the landscape of cyber threats continues to evolve, it is crucial for individuals and institutions alike to remain informed and proactive in their defense against phishing and payroll scams.