Key Takeaways
- A cybercriminal group known as Storm-2657 has launched “payroll pirate” attacks against U.S. universities since March 2025, using phishing to hijack payroll systems on platforms like Workday.
- Attackers impersonated campus leadership and HR departments, sending realistic messages about benefits or compliance to trick staff into revealing credentials and multi-factor authentication (MFA) codes.
- Once inside, the attackers redirected salaries to their own accounts, hid HR notifications using inbox rules, and enrolled their own phone numbers for continued access.
- The campaign spread across at least 25 universities and compromised nearly 6,000 email addresses, turning compromised accounts into new phishing sources.
- Experts emphasize that the attacks exploit human and procedural weaknesses, not software flaws, underscoring the need for phishing-resistant MFA, payroll change verification, and better HR communication controls.
A sophisticated phishing campaign is targeting U.S. universities, aiming not for research data or credentials but for paychecks. Beginning earlier this year, a financially motivated group labeled Storm-2657 began infiltrating higher-education payroll systems by deceiving university staff into handing over credentials through highly customized emails.
Researchers tracking the campaign have described it as one of the most organized phishing waves to hit academia in recent years. Emails often appeared to come from senior administrators or HR departments and mimicked official formats. Some warned about “urgent payroll updates,” while others claimed there were health or compliance notices requiring immediate review. Because these messages appeared to originate from trusted internal sources, faculty and staff were more likely to click.
Until universities strengthen both awareness and verification, attackers will continue to find payrolls an inviting target.
Once a recipient clicked the link, they were taken to a site that looked identical to the institution’s login portal. There, attackers used an adversary-in-the-middle technique to capture usernames, passwords, and even MFA codes in real time. This gave them full access to both the victim’s email and connected services like Workday or similar HR platforms.
With credentials in hand, the attackers made rapid, calculated moves. They changed payroll deposit information to divert paychecks into accounts they controlled. They created inbox rules that deleted or hid automated notifications about payroll changes, ensuring that the victim would not be alerted. They also registered their own phone numbers and devices as MFA factors, allowing them to retain access even if passwords were later reset.
Microsoft’s security researchers said that from a few dozen compromised accounts, Storm-2657 managed to spread across the academic ecosystem. The attackers used compromised university email addresses to send new phishing waves to partner institutions, exploiting the interconnectivity of academia. Over the course of several months, at least 25 universities and 6,000 email accounts were targeted.
Critically, investigators found no vulnerability in the underlying HR software. Instead, the weakness was human and procedural. The attack succeeded because staff trusted familiar email addresses and relied on outdated or easily spoofed MFA methods such as SMS codes or push notifications.
The result was direct financial theft and significant disruption. In some cases, employees didn’t realize their pay had been stolen until a deposit failed to appear in their bank account. HR departments, faced with unexplained payroll changes, had to suspend payments and investigate potential breaches.
While many universities have incident-response plans for ransomware or data loss, few are prepared for targeted financial fraud on this scale. Experts say the campaign shows a shift toward exploiting identity systems and institutional workflows rather than deploying malware or encryption.
Security professionals recommend a multi-layered response. The first step is implementing phishing-resistant MFA, such as security keys or passkeys that can’t be intercepted through a man-in-the-middle attack. Second, any payroll or bank account change should require manual verification, ideally through a separate communication channel. Automatic alerts should also be configured so that HR or payroll administrators receive confirmations when account details are modified.
Training remains essential. Staff should be skeptical of any unexpected request involving pay or benefits, even when it appears to come from a legitimate internal address. Verification by phone or in person can prevent the kind of credential theft used in this campaign.
Universities should also monitor for signs of persistence within email systems. Suspicious inbox rules, new MFA enrollments, or access attempts from unfamiliar IP addresses can signal that an account has been compromised. Centralized logging and threat-intelligence sharing among institutions can further reduce exposure.
The attack pattern fits a growing global trend in which cybercriminals pursue direct financial gains instead of traditional data theft. For universities, where thousands of employees use shared cloud systems, the challenge is balancing accessibility and security. Many academic environments lack the centralized IT governance that large corporations use, making them attractive targets.
The incident also underscores how cyberattacks are evolving to blend technical skill with psychological manipulation. Instead of breaking through firewalls, attackers rely on trust and urgency—convincing people that a routine HR matter requires instant action. Once that initial click occurs, even strong technology can be undermined.
For staff and leadership alike, this wave serves as a reminder that cybersecurity is not just an IT concern but a financial one. Protecting payroll data now demands the same rigor as protecting research or student records. Institutions are advised to coordinate across IT, HR, and finance to develop rapid-response procedures, including temporary freezes on account changes following suspected phishing activity.
Ultimately, the “payroll pirate” campaign is less about advanced malware and more about exploiting the natural rhythms of academic operations—trust, delegation, and decentralized communication. It demonstrates how easily routine business processes can be subverted when social engineering meets weak identity safeguards.
As one analyst put it, “These attacks succeed not because the systems are broken, but because people are busy and trust their own institutions.” Until universities strengthen both awareness and verification, attackers will continue to find payrolls an inviting target. Consider top MSPs/IT service providers or even an MSSP to help you stay secure.
If you liked this post, you’ll love one of the the leading global business communications and technology events since 1999, the ITEXPO #TECHSUPERSHOW, Feb 10-12, 2026 Fort Lauderdale, Florida.
Don’t forget the collocated MSP Expo – just for managed service providers!
Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.
The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.
The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.
Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing
