Parrot CTFs Blog Offensive Security Topics & Cyber Security News

Payroll Hijack Campaign by Storm-2657: A Deep Dive and Action Plan

TLDR

Storm-2657 steals payroll data by compromising employee accounts. The group targets U.S. universities and redirects salary payments to attacker‑controlled accounts.

Use password‑less MFA, audit HR SaaS activity, and watch for unusual email flows to stop the threat.

What happened

Microsoft observed a new campaign that focuses on payroll systems. The threat actor, identified as Storm-2657, hijacks employee credentials. The attackers then change payment details in HR platforms. The goal is to divert salary deposits to accounts they control.

The campaign starts with a phishing email. The message appears to come from a trusted source. It often references payroll or HR processes. Recipients are asked to click a link or open an attachment. The link leads to a credential‑harvesting site. The site mimics a legitimate login page for the organization’s HR SaaS provider.

When a user enters a username and password, the site captures the data. In many cases the site also prompts for a one‑time passcode. The attacker uses the same page to collect MFA codes. This technique defeats basic two‑factor authentication. The attacker now has a valid credential pair and a recent MFA token.

With the stolen credentials, the actor logs into the HR SaaS platform. Microsoft has seen the group target Workday most frequently. Inside Workday, the attackers locate the employee’s payment profile. They edit the bank account number, routing number, or PayPal address. The new details point to accounts owned by the threat actor.

After the change, the next payroll cycle sends money to the attacker. The victim organization often does not notice until the employee reports a missing paycheck. In some cases, the attackers also create new employee records. Those fake records receive regular salary deposits.

Storm-2657 does not stop at a single compromised account. The attacker uses the initial foothold to send more phishing emails. The compromised account becomes a relay. Thousands of additional users receive the same lure. This amplifies the attack surface and increases the chance of more payroll hijacks.

Microsoft’s telemetry shows the campaign is active across many U.S. higher‑education institutions. The attackers prefer schools because they often have large HR SaaS deployments and less stringent MFA enforcement. The group also targets other U.S. enterprises that run payroll in the cloud.

The campaign is sophisticated. It blends social engineering with technical exploitation. The attackers understand the workflow of payroll processing. They time their changes to align with payroll runs, reducing the window for detection.

Microsoft has shared indicators of compromise. These include malicious sender addresses, phishing URLs, and file hashes. The threat actor also leaves behind specific user‑agent strings in the HTTP requests used to harvest credentials.

Why it matters

Payroll is a critical business function. It moves money directly to employees. When attackers alter payment details, they steal real cash. The loss is immediate and often unrecoverable.

Financial impact can be severe. A single successful hijack can drain thousands of dollars. When the attack scales across dozens of employees, the total loss can reach six figures.

Beyond the direct theft, there are compliance implications. Regulations such as FLSA, GDPR, and state data‑protection laws require safeguarding employee data. A breach of payroll information can trigger fines and legal actions.

The reputational damage is also significant. Employees lose trust in the organization’s ability to protect their wages. In higher education, this can affect faculty morale and student perception of the institution’s security posture.

Insurance carriers may raise premiums after a payroll breach. Some policies exclude losses caused by inadequate MFA. The organization may find itself without coverage for the very attack it suffered.

The attack also reveals a broader security gap. MFA is widely recommended, yet many organizations still rely on SMS or push notifications. Storm‑2657 demonstrates that these methods can be bypassed with real‑time code harvesting.

Furthermore, the use of cloud‑based HR SaaS expands the attack surface. A compromised cloud account can affect the entire payroll pipeline. The attacker does not need on‑premises access to cause damage.

Finally, the campaign shows the danger of lateral phishing. A single compromised account can become a launchpad for thousands of additional emails. This amplifies the risk and makes containment harder.

Who is affected

The primary victims are U.S. organizations that process payroll in the cloud. This includes:

  • Universities and colleges that use Workday, SAP SuccessFactors, or Oracle HCM.
  • Public and private sector agencies that outsource payroll to SaaS providers.
  • Large enterprises with global payroll operations hosted on cloud platforms.

Within those organizations, the following groups are most at risk:

  • HR staff who have privileged access to employee payment data.
  • Finance teams that manage payroll runs and approve changes.
  • Regular employees who receive phishing emails that appear to come from HR or payroll.

Even employees who are not directly involved in payroll can be compromised. Their accounts can be used as relays to spread the phishing campaign. This means the entire user base is a potential entry point.

Small and medium‑size businesses are not immune. Any organization that integrates a cloud HR system without strong MFA is a viable target. The attack does not require sophisticated zero‑day exploits; it relies on credential theft and social engineering.

International subsidiaries of U.S. firms can also be impacted. If the parent company shares a single HR SaaS tenant, a breach in one region can affect payroll for employees worldwide.

How to check exposure

Begin with a credential audit. Identify all accounts that have access to payroll or HR SaaS platforms. Verify whether each account uses password‑based MFA, SMS, or push notifications.

Next, review sign‑in logs from the SaaS provider. Look for the following indicators:

  • Logins from unusual geographic locations, especially from regions not associated with the user.
  • Multiple successful MFA challenges within a short time window.
  • Logins from IP addresses flagged for malicious activity.

Check for changes to payment information. Most HR SaaS platforms keep an audit trail for profile edits. Search for records where bank account numbers were modified in the last 30 days.

Scan email logs for outbound messages that contain payroll‑related attachments or links. A sudden spike in such emails from a single user may indicate a compromised account being used as a relay.
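The three log-review checks above (anomalous sign-ins, recent bank-detail edits, and an outbound payroll-mail spike from one account) correlated per user, as an added example that is not part of the original post. It assumes simplified, constructed record formats (`user`, `ts`, `country`, `mfa_ok`, `field`, `sender`, `subject`) rather than any vendor's real export schema; the thresholds are illustrative.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PAYROLL_WORDS = ("payroll", "direct deposit", "salary", "paycheck")

def suspicious_signins(signins, home, window=timedelta(minutes=10), max_mfa=2):
    """Per user: a sign-in outside the home country, or more than max_mfa successful MFA challenges in one window."""
    by_user = defaultdict(list)
    for e in signins:
        by_user[e["user"]].append(e)
    flagged = defaultdict(set)
    for user, events in by_user.items():
        if any(e["country"] != home.get(user) for e in events):
            flagged[user].add("foreign_login")
        mfa = sorted(datetime.fromisoformat(e["ts"]) for e in events if e["mfa_ok"])
        if any(sum(1 for t in mfa[i:] if t - s <= window) > max_mfa for i, s in enumerate(mfa)):
            flagged[user].add("mfa_burst")
    return flagged

def recent_bank_changes(changes, now, lookback=timedelta(days=30)):
    """Users whose bank account field was edited within the lookback period."""
    return {c["user"] for c in changes if c["field"] == "bank_account"
            and now - datetime.fromisoformat(c["ts"]) <= lookback}

def mail_relay_spike(mail, threshold=25):
    """Senders with more than `threshold` payroll-themed outbound messages."""
    hits = Counter(m["sender"] for m in mail
                   if any(w in m["subject"].lower() for w in PAYROLL_WORDS))
    return {s for s, n in hits.items() if n > threshold}

def correlate(signins, changes, mail, home, now):
    """Merge the three checks into one sorted finding list per user."""
    findings = suspicious_signins(signins, home)
    for u in recent_bank_changes(changes, now):
        findings[u].add("bank_change_30d")
    for u in mail_relay_spike(mail):
        findings[u].add("mail_relay")
    return {u: sorted(r) for u, r in findings.items()}

# Constructed sample records (not real telemetry); timestamps are ISO-8601.
HOME = {"alice": "US", "bob": "US"}
SIGNINS = [{"user": "alice", "ts": "2025-10-01T09:00:00", "country": "US", "mfa_ok": True},
           {"user": "alice", "ts": "2025-10-01T09:03:00", "country": "NG", "mfa_ok": True},
           {"user": "alice", "ts": "2025-10-01T09:05:00", "country": "NG", "mfa_ok": True},
           {"user": "bob", "ts": "2025-10-01T10:00:00", "country": "US", "mfa_ok": True}]
CHANGES = [{"user": "alice", "ts": "2025-10-01T09:12:00", "field": "bank_account"},
           {"user": "bob", "ts": "2025-08-20T12:00:00", "field": "bank_account"}]
MAIL = [{"sender": "alice", "subject": "Payroll update: action required"}] * 40 + [{"sender": "bob", "subject": "Lunch?"}]
NOW = datetime.fromisoformat("2025-10-02T00:00:00")
```

Calling `correlate(SIGNINS, CHANGES, MAIL, HOME, NOW)` on the sample data reports only alice, with all four findings; a user with a single finding still deserves a look, but one account that trips the sign-in, bank-change and mail-relay checks together matches the full pattern described above.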

Use Microsoft Defender for Identity or Azure AD Identity Protection to detect anomalous authentication patterns. Enable risk‑based conditional access policies that block sign‑ins deemed high‑risk.

Conduct a phishing simulation. Send a test phishing email that mimics the observed lure. Measure how many users click the link or submit credentials. This helps gauge susceptibility and informs training needs.

Finally, engage with your HR SaaS vendor. Request a security review of your tenant configuration. Ask for a list of recent administrative changes and any alerts they have generated.

Fast mitigation

Switch to passwordless MFA immediately. Options include Windows Hello for Business, FIDO2 security keys, or Microsoft Authenticator’s passwordless flow. These methods eliminate the reusable code that Storm‑2657 harvests.

Enforce MFA for all privileged accounts. Do not make exceptions for service accounts that can be protected with certificate‑based authentication.

Reset passwords for any account that has accessed the HR SaaS platform in the past 90 days. Force a password change on next sign‑in and require MFA enrollment.

Lock down payment‑information fields. Configure the HR SaaS platform so that only a small, vetted group can edit bank details. Enable multi‑approver workflows for any change to payroll data.

Activate conditional access policies that require compliant devices for HR SaaS sign‑ins. Block access from unmanaged or jail‑broken devices.

Implement real‑time alerts for payment‑detail modifications. Set up a SIEM rule that triggers when a bank account number is changed, and require manual verification before the change takes effect.

Review and tighten email forwarding rules. Disable automatic forwarding to external domains for all HR‑related mailboxes.

Conduct a rapid security awareness session. Highlight the specific phishing template used by Storm‑2657. Emphasize the importance of verifying sender addresses and hovering over links.

Coordinate with your payroll provider. Ask them to place a temporary hold on outgoing payments until the investigation is complete. This prevents further loss while remediation is underway.

Document all findings and actions taken. Maintain an incident response log that includes timestamps, affected accounts, and remediation steps. This documentation will be valuable for post‑incident analysis and compliance reporting.

Kaz

not a hacker.
