Full Report
A threat actor known as Storm-2657 has been observed hijacking employee accounts with the end goal of diverting salary payments to attacker-controlled accounts. "Storm-2657 is actively targeting a range of U.S.-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday," the
Analysis Summary
# Threat Actor: Storm-2657 (Payroll Pirates)
## Attribution & Identity
* **Name/Alias:** Storm-2657
* **Known Aliases/Campaign Name:** Payroll Pirates (codenamed by Microsoft)
* **Known Associations:** Previously highlighted in aspects of the campaign by Silent Push, Malwarebytes, and Hunt.io.
## Activity Summary
Storm-2657 is an active threat actor focused on hijacking employee accounts within organizations to divert salary payments to attacker-controlled accounts. The activity appears to be financially motivated.
In H1 2025, a specific campaign involved attackers gaining initial access via phishing emails designed to harvest credentials and MFA codes using Adversary-in-the-Middle (AitM) techniques. This led to the compromise of Exchange Online accounts, which were then used to take over Workday profiles via Single Sign-On (SSO).
Observed activity (since March 2025) includes 11 confirmed compromised accounts at three universities, which were used to launch secondary phishing campaigns targeting nearly 6,000 email accounts across 25 universities.
The ultimate goal is to alter HR/payroll settings (e.g., in Workday) to redirect future salary payments.
## Tactics, Techniques & Procedures
* **Initial Access:** Phishing emails designed to harvest credentials and MFA codes.
* **Credential/MFA Harvesting:** Leveraging Adversary-in-the-Middle (AitM) phishing links.
* **Credential Replay:** Replaying the harvested credentials and MFA codes to sign in to the victims' Exchange Online accounts.
* **Lateral Movement/Privilege Escalation:** Using compromised email accounts (via SSO) to access and compromise third-party HR SaaS platforms (e.g., Workday).
* **Defense Evasion:** Creating inbox rules in the compromised email accounts to delete incoming warning notifications from SaaS platforms (like Workday) concerning unauthorized profile changes.
* **Persistence:** Enrolling their own phone numbers as MFA devices on victim accounts.
* **Command and Control (C2):** Not explicitly detailed, but the process relies on established SSO architecture following initial compromise.
* **Secondary Phishing:** Using compromised accounts to distribute further phishing emails internally and externally using lures related to illness or misconduct notices.
## Targeting
* **Sectors:** Higher Education (specifically observed targeting US universities). Any SaaS platform storing HR or payment/bank account information is considered a potential target.
* **Geography:** U.S.-based organizations.
* **Victims:** Employees within targeted organizations who hold HR/payroll access, specifically accounts that grant access to Workday or similar HR SaaS platforms.
## Tools & Infrastructure
* **Malware Families Used:** Not explicitly detailed, but the focus is on credential harvesting and account takeover.
* **Infrastructure (C2, domains, IPs):** AitM phishing links were utilized, but specific domain/IP infrastructure is not detailed in the summary. The exploitation relies on compromising legitimate Microsoft 365/Exchange Online environments.
## Implications
Storm-2657 represents a significant threat pivot toward financial fraud that leverages established, trusted cloud service providers (Microsoft 365) to compromise specialized, high-value HR systems (Workday). The threat actors bypassed the MFA protecting the initial sign-in by using AitM phishing to capture MFA codes and session tokens in real time, showcasing advanced social engineering against common enterprise cloud users. The rapid spread via subsequent phishing campaigns highlights the severe risk to interconnected institutions like universities.
## Mitigations
* Adopt passwordless, phishing-resistant Multi-Factor Authentication (MFA) methods, such as FIDO2 security keys.
* Rigorously review all accounts for signs of suspicious activity, specifically checking for:
  * Unknown or newly added MFA devices.
  * Creation of malicious inbox forwarding rules or deletion rules.
* Organizations should review access controls regarding SSO connections between primary cloud accounts (like Exchange Online) and critical SaaS platforms (like Workday).
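The two account-level indicators listed under Defense Evasion and Persistence above (inbox rules that hide HR-platform notices, and attacker-enrolled MFA devices) are also the two review items in the mitigations. As an added example, not code from Microsoft's report or from any vendor tooling, the following Python triages a batch of Microsoft 365 Unified Audit Log records for both signals and escalates when they occur on the same account within a short window. The field layout follows the shape of `Search-UnifiedAuditLog` AuditData records, but the records, user names, keyword list and the 48-hour correlation window are constructed assumptions for this example.

```python
"""Triage Microsoft 365 audit records for the Storm-2657 account-takeover pattern.

Signal 1: an inbox rule that deletes/hides messages whose subject mentions the
          HR platform (suppressing Workday change notifications).
Signal 2: a change to the account's MFA registration (new phone/authenticator).
Either alone is noisy; both on one account within a short window is the
pattern described above and is rated high.
"""
from datetime import datetime, timedelta

# Subject keywords an HR-platform notification would carry; assumed list,
# tune it to the actual notification templates of your HR SaaS platform.
HR_KEYWORDS = ("workday", "payroll", "direct deposit", "bank account", "payment election")

# Inbox rule parameters that hide a message from the mailbox owner.
HIDING_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead", "SoftDeleteMessage")

# ModifiedProperties names seen on Entra ID "Update user." records when MFA
# registration changes; treated here as an assumption about the record shape.
MFA_PROPERTIES = ("StrongAuthenticationMethod", "StrongAuthenticationUserDetails",
                  "StrongAuthenticationPhoneAppDetail")

CORRELATION_WINDOW = timedelta(hours=48)  # assumed window for escalation


def _params(rec):
    """Flatten the Parameters array of an Exchange admin-audit record to a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def inbox_rule_hides_hr_notice(rec):
    """Return a reason string if a New-/Set-InboxRule record hides HR notices, else None."""
    if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = _params(rec)
    haystack = " ".join(str(p.get(k, "")) for k in
                        ("Name", "SubjectContainsWords", "BodyContainsWords",
                         "SubjectOrBodyContainsWords", "From")).lower()
    hits = [k for k in HR_KEYWORDS if k in haystack]
    # Boolean parameters arrive as the strings "True"/"False"; folder names as text.
    actions = [a for a in HIDING_ACTIONS if str(p.get(a, "")).lower() not in ("", "false")]
    if hits and actions:
        return f"rule {p.get('Name', '?')!r} matches {hits} and applies {actions}"
    return None


def mfa_method_added(rec):
    """Return a reason string if an Entra 'Update user.' record changes MFA registration, else None."""
    if rec.get("Operation") != "Update user.":
        return None
    changed = [m["Name"] for m in rec.get("ModifiedProperties", []) if m.get("Name") in MFA_PROPERTIES]
    return f"MFA registration changed: {changed}" if changed else None


def triage(records):
    """Group findings per account and rate 'high' when both signals fall inside the window.

    Simplification: UserId is taken as the affected account, which holds for
    self-service MFA registration; for admin-initiated changes read the Target field.
    """
    per_user = {}
    for rec in records:
        for kind, fn in (("inbox_rule", inbox_rule_hides_hr_notice), ("mfa_change", mfa_method_added)):
            reason = fn(rec)
            if reason:
                ts = datetime.fromisoformat(rec["CreationTime"])
                per_user.setdefault(rec["UserId"].lower(), []).append((kind, ts, reason))
    results = {}
    for user, findings in per_user.items():
        kinds = {k for k, _, _ in findings}
        times = [t for _, t, _ in findings]
        correlated = {"inbox_rule", "mfa_change"} <= kinds and max(times) - min(times) <= CORRELATION_WINDOW
        results[user] = {
            "severity": "high" if correlated else "medium",
            "findings": [f"{k} @ {t.isoformat()}: {r}" for k, t, r in findings],
        }
    return results


# Constructed sample records (parsed AuditData JSON); users and values are made up.
SAMPLE_AUDIT_DATA = [
    {"CreationTime": "2025-04-02T13:05:11", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "jdoe@university.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "Workday;Direct Deposit;Payment Election"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-04-02T13:21:40", "Operation": "Update user.", "Workload": "AzureActiveDirectory",
     "UserId": "jdoe@university.example",
     "ModifiedProperties": [{"Name": "StrongAuthenticationUserDetails", "OldValue": "[]",
                             "NewValue": "[{\"PhoneNumber\":\"+1 555 0100\"}]"}]},
    {"CreationTime": "2025-04-03T09:00:00", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "asmith@university.example",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "Weekly digest"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2025-04-10T10:00:00", "Operation": "Update user.", "Workload": "AzureActiveDirectory",
     "UserId": "bkim@university.example",
     "ModifiedProperties": [{"Name": "StrongAuthenticationMethod", "OldValue": "[]", "NewValue": "[...]"}]},
]

if __name__ == "__main__":
    for user, result in triage(SAMPLE_AUDIT_DATA).items():
        print(user, result["severity"], *result["findings"], sep="\n  ")
```

On the sample, `jdoe` is rated high (HR-notice deletion rule plus a new MFA phone sixteen minutes apart), `bkim` is medium (MFA change only), and `asmith` produces no finding because the rule neither references the HR platform nor hides anything relevant. In production the records come from the AuditData column of `Search-UnifiedAuditLog` output or an Entra audit export, and the keyword list should be built from the actual notification subjects your HR platform sends.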