Microsoft Issues Alert on New “Payroll Pirate” Scam Targeting Employee Direct Deposits

Microsoft has issued a warning about a sophisticated scam known as “Payroll Pirate,” which is currently targeting employees by redirecting their paycheck deposits into accounts controlled by fraudsters. This attack begins with the compromise of employee profiles on platforms like Workday or other cloud-based HR services.

The scammers initiate the breach by sending phishing emails designed to deceive recipients into revealing their login credentials. The phishing pages use adversary-in-the-middle tactics: the victim believes they are logging in to the legitimate HR portal, but is actually entering their username, password and multi-factor authentication code on a fraudulent webpage operated by the attackers, which relays each value to the real site in real time.

Following the acquisition of compromised credentials, including any MFA codes, the attackers input this information into the genuine site. This increasingly prevalent tactic emphasizes the critical need for organizations to implement FIDO-compliant multi-factor authentication solutions, which provide stronger security against such attacks.

Upon infiltrating the employee accounts, the attackers manipulate payroll configurations to reroute direct deposit payments from the original accounts selected by the employees to accounts they control. To prevent detection, the scammers set up email filters that block notifications from Workday regarding any changes made to account details, effectively silencing alerts that could warn employees about the unauthorized alterations.
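The two moves described above, a direct-deposit change followed by an inbox rule that hides the HR provider's notification, leave a pairing that a defender can look for. The following is an added example, not code from Microsoft or Workday, that flags mailbox rules which route payroll-related mail out of sight and correlates them with direct-deposit changes on the same account within a time window. The record shapes (loosely modelled on a Microsoft Graph messageRule for the mailbox rules, and a simple event dict for payroll changes), the sender keywords, and the 72-hour window are all assumptions constructed for the example; real exports will use different field names.

```python
"""Detection sketch for the "Payroll Pirate" pattern (added example, not vendor code).

Assumptions (all constructed for this example):
- Mailbox rules arrive as dicts loosely modelled on the Graph messageRule shape:
  {"user", "displayName", "createdDateTime", "conditions": {...}, "actions": {...}}.
- Payroll audit events arrive as dicts: {"user", "event", "timestamp"}.
- Sender/subject keywords and the correlation window are illustrative choices.
"""
from datetime import datetime, timedelta

# Keywords that identify mail from the HR/payroll provider (assumed list).
HR_HINTS = ("workday", "payroll", "hr-noreply")


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rule_hides_hr_mail(rule: dict) -> bool:
    """True when a rule matches HR/payroll mail and then deletes, hides or buries it."""
    cond = rule.get("conditions", {})
    texts = [
        t.lower()
        for t in cond.get("senderContains", [])
        + cond.get("subjectContains", [])
        + cond.get("bodyContains", [])
    ]
    matches_hr = any(hint in text for text in texts for hint in HR_HINTS)

    actions = rule.get("actions", {})
    deletes = bool(actions.get("delete"))
    marks_read = bool(actions.get("markAsRead"))
    moved_away = actions.get("moveToFolder") not in (None, "inbox")
    return matches_hr and (deletes or marks_read or moved_away)


def suspicious_rules(rules: list) -> list:
    """Filter a rule export down to the ones that silence HR notifications."""
    return [r for r in rules if rule_hides_hr_mail(r)]


def correlate(rules: list, payroll_events: list, window_hours: int = 72) -> list:
    """Pair each suspicious rule with direct-deposit changes on the same user
    that occurred within +/- window_hours of the rule's creation."""
    hits = []
    for rule in suspicious_rules(rules):
        created = parse_ts(rule["createdDateTime"])
        for ev in payroll_events:
            if ev["user"] != rule["user"] or ev["event"] != "direct_deposit_changed":
                continue
            if abs(parse_ts(ev["timestamp"]) - created) <= timedelta(hours=window_hours):
                hits.append(
                    {"user": rule["user"], "rule": rule["displayName"], "event_time": ev["timestamp"]}
                )
    return hits


# Constructed sample data: one hostile rule (alice), two benign rules (bob, carol).
SAMPLE_RULES = [
    {
        "user": "alice@example.edu",
        "displayName": ".",  # attackers often use a near-empty name (assumed)
        "createdDateTime": "2025-03-10T08:00:00Z",
        "conditions": {"senderContains": ["workday"]},
        "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True},
    },
    {
        "user": "bob@example.edu",
        "displayName": "Newsletters",
        "createdDateTime": "2025-03-09T12:00:00Z",
        "conditions": {"subjectContains": ["newsletter"]},
        "actions": {"moveToFolder": "Newsletters"},
    },
    {
        "user": "carol@example.edu",
        "displayName": "Flag payroll",
        "createdDateTime": "2025-03-11T09:00:00Z",
        "conditions": {"senderContains": ["payroll"]},
        "actions": {"markImportance": "high"},  # highlights, does not hide
    },
]

SAMPLE_PAYROLL_EVENTS = [
    {"user": "alice@example.edu", "event": "direct_deposit_changed", "timestamp": "2025-03-10T10:30:00Z"},
    {"user": "alice@example.edu", "event": "address_changed", "timestamp": "2025-03-10T10:31:00Z"},
    {"user": "bob@example.edu", "event": "direct_deposit_changed", "timestamp": "2025-03-09T15:00:00Z"},
]


if __name__ == "__main__":
    for hit in correlate(SAMPLE_RULES, SAMPLE_PAYROLL_EVENTS):
        print(f"ALERT {hit['user']}: rule {hit['rule']!r} near deposit change at {hit['event_time']}")
```

Bob's deposit change on its own is not alerted because no rule silences his HR mail; only the combination on alice's account is surfaced, which keeps the noise down on legitimate payroll updates. In practice the rule export would come from the mail platform's audit log and the payroll events from the HR system's change history.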

Microsoft has indicated that this campaign has primarily targeted academic institutions. In a report, the company noted that since March 2025, it has documented 11 compromised accounts across three universities, which were utilized to send phishing emails to approximately 6,000 email accounts spanning 25 universities.

The campaign maps onto several MITRE ATT&CK tactics and techniques that may have been employed. Initial access was achieved through phishing, while persistence was established by creating email rules to block alerts. Privilege escalation occurred as attackers manipulated payroll settings to gain financial control.

Overall, the ongoing “Payroll Pirate” campaign serves as a stark reminder of the vulnerabilities present in digital systems and underscores the necessity for organizations to bolster their defenses against such sophisticated cyber threats. As these tactics evolve, proactive measures and robust security protocols become imperative for safeguarding sensitive employee information and financial assets.
