Executive Summary
In March 2025, a financially motivated threat group tracked as Storm-2657 launched a series of "payroll pirate" attacks targeting U.S. university staff. The attackers leveraged advanced social engineering and adversary-in-the-middle (AITM) phishing techniques to compromise HR-related SaaS accounts, notably Workday. After stealing MFA credentials, they accessed Exchange Online accounts, manipulated payroll settings to hijack salary payments, set inbox rules for concealment, and enrolled attacker-controlled MFA devices for persistence. At least 11 accounts across three universities were breached, enabling phishing campaigns to almost 6,000 recipients spanning 25 institutions.
The incident showcases a significant escalation in business email compromise (BEC) targeting the education sector, exploiting gaps in MFA and SSO implementations. With BEC attacks surging industry-wide—resulting in multimillion-dollar annual losses—this campaign emphasizes the urgent need for phishing-resistant MFA and robust email monitoring across academia and beyond.
Why This Matters Now
This breach demonstrates that even sophisticated SaaS and cloud environments are vulnerable when phishing-resistant MFA is not enforced. The surge in BEC attacks targeting universities highlights an industry-wide gap, making the deployment of resilient identity and access controls, as well as improved user awareness, urgently necessary.
Attack Path Analysis
Attackers initially compromised university email accounts using phishing with adversary-in-the-middle techniques to steal credentials and MFA tokens. After gaining access, they escalated privileges by registering their own devices for MFA, ensuring persistent access. The threat actors then moved laterally by leveraging compromised accounts to access HR systems like Workday and modify payroll details. C2 was maintained via continued inbox rule manipulation and possibly remote sessions, allowing them to evade detection. Exfiltration occurred as attackers redirected payroll payments to external accounts they controlled. The overall impact was financial loss through payroll diversion and propagation of phishing to other organizations.
Kill Chain Progression
Initial Compromise
Description
Phishing campaigns with adversary-in-the-middle infrastructure were used to steal credentials and MFA codes, granting attackers access to university email accounts.
MITRE ATT&CK® Techniques
Spearphishing Link
Adversary-in-the-Middle
Valid Accounts
Account Manipulation: Additional Cloud Credentials
Email Collection: Email Forwarding Rule
Man-in-the-Middle: Adversary-in-the-Middle (AiTM)
Impair Defenses: Disable or Modify Tools
Account Discovery: Email Account
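The attack path and technique list above describe a three-stage chain inside one account: a sign-in from attacker infrastructure, registration of an attacker-controlled MFA method, then an inbox rule that hides payroll or direct-deposit mail. The Python below is an added detection example (not code from Microsoft or from this report) that correlates those stages per user over audit events. The event names, field layout and the sample events are constructed assumptions; in a real deployment map them onto your own log schema (for example, the `New-InboxRule` and `Set-InboxRule` operations in the Microsoft 365 unified audit log, and the Entra ID "User registered security info" activity).

```python
"""Correlate identity and mailbox audit events for the Storm-2657 style chain:
sign-in from an unfamiliar IP -> new MFA method registered -> inbox rule that
hides payroll/direct-deposit mail. Event names and fields are a simplified,
constructed schema (an assumption), not a specific vendor's log format."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs). 'alice' follows the attack chain;
# 'bob' creates a harmless rule from a known IP and must not alert.
EVENTS = [
    {"ts": "2025-03-03T09:12:00Z", "user": "alice@univ.example", "op": "UserLoggedIn", "ip": "203.0.113.7"},
    {"ts": "2025-03-03T09:20:00Z", "user": "alice@univ.example", "op": "UserRegisteredSecurityInfo", "ip": "203.0.113.7"},
    {"ts": "2025-03-03T09:25:00Z", "user": "alice@univ.example", "op": "New-InboxRule", "ip": "203.0.113.7",
     "params": {"SubjectContainsWords": ["payroll", "direct deposit"], "DeleteMessage": True}},
    {"ts": "2025-03-03T10:05:00Z", "user": "bob@univ.example", "op": "UserLoggedIn", "ip": "198.51.100.11"},
    {"ts": "2025-03-03T10:06:00Z", "user": "bob@univ.example", "op": "New-InboxRule", "ip": "198.51.100.11",
     "params": {"FromAddressContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"}},
]

# IPs each user was seen from during a baseline period (constructed).
KNOWN_IPS = {"alice@univ.example": {"198.51.100.10"}, "bob@univ.example": {"198.51.100.11"}}

HIDE_KEYWORDS = {"payroll", "direct deposit", "paycheck", "workday", "bank account"}
HIDING_ACTIONS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
CORRELATION_WINDOW = timedelta(hours=24)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rule_hides_payroll_mail(params):
    """True if the rule matches payroll-related mail AND suppresses it (delete, move, mark read)."""
    words = []
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words.extend(w.lower() for w in params.get(key, []))
    matches_payroll = any(kw in w for w in words for kw in HIDE_KEYWORDS)
    suppresses = any(params.get(action) for action in HIDING_ACTIONS)
    return matches_payroll and suppresses


def detect(events, known_ips, window=CORRELATION_WINDOW):
    """Return alerts in event order. An MFA registration shortly after a sign-in from an
    unknown IP is medium; a payroll-hiding rule that follows either stage within the
    window is escalated to high, because that is the concealment step of the chain."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        new_ip_logins = [parse_ts(e["ts"]) for e in evs
                         if e["op"] == "UserLoggedIn" and e["ip"] not in known_ips.get(user, set())]
        mfa_stage_times = []
        for e in evs:
            t = parse_ts(e["ts"])
            recent_new_ip = any(timedelta(0) <= (t - login) <= window for login in new_ip_logins)
            if e["op"] == "UserRegisteredSecurityInfo" and recent_new_ip:
                alerts.append({"user": user, "ts": e["ts"],
                               "rule": "mfa_enrolled_after_new_ip_signin", "severity": "medium"})
                mfa_stage_times.append(t)
            elif e["op"] == "New-InboxRule" and rule_hides_payroll_mail(e.get("params", {})):
                chained = recent_new_ip or any(timedelta(0) <= (t - s) <= window for s in mfa_stage_times)
                alerts.append({"user": user, "ts": e["ts"],
                               "rule": "inbox_rule_hides_payroll_mail",
                               "severity": "high" if chained else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_IPS):
        print(alert)
```

The keyword list and the 24-hour window are tuning choices, not figures from the report; a rule that deletes or files payroll mail is suspicious on its own, which is why it still produces a medium alert when no earlier stage is visible.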
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Use Multi-Factor Authentication for All Non-Console Administrative Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Chapter II, Article 8
CISA ZTMM 2.0 – Identity Verification and Access Controls
Control ID: Identity Pillar – Enforce Phishing-Resistant MFA
NIS2 Directive – Implementation of Policies on Access Control and Security of Network and Information Systems
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Higher Education/Academia
Primary target of Storm-2657's payroll pirate attacks exploiting Workday systems, requiring enhanced MFA and east-west traffic security to prevent account compromise and salary theft.
Human Resources/HR
Critical exposure through compromised HR SaaS platforms like Workday, necessitating zero trust segmentation and threat detection capabilities to protect payroll modification processes.
Financial Services
Vulnerable to BEC-based payroll redirection attacks causing $2.7 billion losses, requiring egress security policy enforcement and encrypted traffic protection for payment systems.
Information Technology/IT
Must implement phishing-resistant MFA and multicloud visibility controls to prevent AITM attacks compromising SSO systems and enabling lateral movement across platforms.
Sources
- Microsoft: Hackers target universities in "payroll pirate" attacks. https://www.bleepingcomputer.com/news/security/hackers-target-university-hr-employees-in-payroll-pirate-attacks/
- Investigating targeted 'payroll pirate' attacks affecting US universities. https://www.microsoft.com/en-us/security/blog/2025/10/09/investigating-targeted-payroll-pirate-attacks-affecting-us-universities/
- Microsoft warns of new 'Payroll Pirate' scam stealing employees' direct deposits. https://arstechnica.com/security/2025/10/payroll-pirate-phishing-scam-that-takes-over-workday-accounts-steals-paychecks/
- Microsoft warns university employees are being hit by payroll attacks, so stay on your guard. https://www.techradar.com/pro/security/microsoft-warns-university-employees-are-being-hit-by-payroll-attacks-so-stay-on-your-guard
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, strong policy enforcement for egress and internal traffic, and comprehensive anomaly detection could have significantly limited the blast radius, detected abuse, or blocked malicious actions across every stage of this attack. Fine-grained access control and visibility would have disrupted attacker persistence and potential lateral SaaS movement.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection of credential harvesting and anomalous authentication attempts.
Control: Multicloud Visibility & Control
Mitigation: Visibility into privilege changes and real-time policy audits.
Control: Zero Trust Segmentation
Mitigation: Lateral movement blocked between user identities and sensitive SaaS systems.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections to malicious C2 domains detected and/or blocked.
Control: Threat Detection & Anomaly Response
Mitigation: Real-time alerts on anomalous payroll changes and data exfiltration attempts.
Comprehensive incident visibility supports rapid containment and recovery.
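The controls above call for real-time alerts on anomalous payroll changes, and the Executive Summary notes that the attackers both changed payroll settings and set inbox rules to hide the resulting notifications. The Python below is an added example (not from this report, Microsoft, or any payroll vendor) of a guard at the direct-deposit change step: a self-service change is held when the employee's identity shows recent compromise signals, and confirmation is routed to a phone number on file rather than to the mailbox, since the mailbox may be filtering the notification. The request and signal schema, the 14-day lookback and the sample data are constructed assumptions.

```python
"""Guard for direct-deposit changes: hold self-service changes that arrive while the
employee's identity carries recent compromise signals, and confirm out-of-band.
Added example with a constructed schema; not a product's actual API."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(days=14)  # assumption: how far back identity signals stay relevant

# Signal kinds this guard understands (names are constructed; feed them from your
# identity/mailbox detections).
RISK_KINDS = {
    "mfa_method_added": "a new MFA method was registered within the lookback window",
    "new_ip_signin": "a sign-in from an unfamiliar IP occurred within the lookback window",
    "inbox_rule_hides_payroll_mail": "an inbox rule hiding payroll mail was created within the lookback window",
}


@dataclass
class IdentitySignal:
    kind: str
    at: datetime


@dataclass
class DepositChange:
    employee: str
    requested_at: datetime
    old_account: str
    new_account: str
    requested_via: str  # "self_service" (from the employee's own session) or "hr_in_person"


@dataclass
class Decision:
    action: str                      # "approve" or "hold"
    reasons: list = field(default_factory=list)
    notify_channel: str = "phone_on_file"  # never the mailbox: its rules may hide the notice


def evaluate_change(change, signals, lookback=LOOKBACK):
    """Decide whether a direct-deposit change may proceed.
    Changes verified in person by HR are approved; self-service changes are held for
    out-of-band confirmation whenever a risk signal falls inside the lookback window."""
    if change.new_account == change.old_account:
        return Decision("approve", ["no change to destination account"], "none")
    if change.requested_via == "hr_in_person":
        return Decision("approve", ["identity verified in person by HR"])

    recent_kinds = {s.kind for s in signals
                    if timedelta(0) <= (change.requested_at - s.at) <= lookback}
    reasons = [RISK_KINDS[k] for k in RISK_KINDS if k in recent_kinds]
    if reasons:
        return Decision("hold", reasons)
    # Even a clean self-service change gets an out-of-band notice, so a victim whose
    # mailbox is filtered still learns that the destination account moved.
    return Decision("approve", ["no recent identity risk signals"])


if __name__ == "__main__":
    now = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)
    # Constructed sample: a change requested a few days after suspicious identity activity.
    signals = [IdentitySignal("mfa_method_added", now - timedelta(days=3)),
               IdentitySignal("inbox_rule_hides_payroll_mail", now - timedelta(days=2))]
    req = DepositChange("alice@univ.example", now, "acct-111", "acct-999", "self_service")
    print(evaluate_change(req, signals))
```

The point of the design is where the confirmation goes: a mailbox that has just been given a rule to delete anything mentioning "direct deposit" will never surface an e-mail confirmation, so the hold must be resolved through a channel the attacker did not control at the time of the change.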
Impact at a Glance
Affected Business Functions
- Payroll Processing
- Human Resources Management
Estimated downtime: 7 days
Estimated loss: $500,000
Unauthorized access to employee payroll information, including bank account details, leading to potential identity theft and financial fraud.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation and least-privilege access policies to prevent lateral movement between user identities and critical SaaS systems.
- Mandate phishing-resistant MFA and continuously monitor for anomalous authentication activity across cloud and SaaS environments.
- Deploy centralized, real-time anomaly detection to baseline user and admin behavior and accelerate incident response.
- Implement granular egress policy enforcement to block unauthorized outbound connections and exfiltration attempts.
- Establish robust visibility and control across multi-cloud workloads and SaaS to quickly detect, audit, and remediate identity or privilege abuse.