Hacker typing on laptop showing social engineering attacks

“Payroll Pirate” Social Engineering Attacks on Workday Divert Employees’ Wages

Microsoft is warning about sophisticated social engineering attacks on human resources (HR) software-as-a-service (SaaS) platforms to divert employees’ salaries to threat actor-controlled accounts.

Dubbed “Payroll Pirate,” the campaign is attributed to threat actor Storm-2657. It targets US-based organizations like universities through human capital management platforms like Workday.

“In a campaign observed in the first half of 2025, we identified the actor specifically targeting Workday profiles,” Microsoft stated.

How Workday social engineering attacks result in lost wages

While the social engineering attacks have specifically targeted Workday, Microsoft warned that any payroll or SaaS system hosting employee information could become a target.

According to the tech giant, the threat actor targets employees with realistic email messages to harvest credentials using compromised email addresses. They also use the newly compromised inboxes to send more phishing messages within the company or other external organizations.

“Since March 2025, we’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities,” Microsoft explained.

The attackers use attention-grabbing email subjects like false alerts for COVID-like disease outbreaks or allegations of faculty misconduct to trick victims into opening the phishing messages.

“In one instance, a phishing email was sent to 500 individuals within a single organization, encouraging targets to check their illness exposure status,” noted Microsoft.

They also attach Google Docs to create trust since such links are common within universities. The social engineering attacks also leverage other tricks like warning employees about false changes to compensation and impersonating top executives.

“The most recently identified theme involved phishing emails impersonating a legitimate university or an entity associated with a university,” Microsoft noted. “To make their messages appear convincing, Storm-2657 tailored the content based on the recipient’s institution.”

While some compromised emails lacked two-factor authentication, others were breached by hijacking multi-factor authentication (MFA) codes via adversary-in-the-middle (AiTM) phishing links.

The attackers also enrolled their MFA devices to maintain persistence and approve additional malicious actions without the risk of detection. In some cases, they used compromised MFA codes to access employees’ Exchange Online accounts.

Upon taking over employees’ email accounts, the threat actor created inbox rules to silently delete Workday’s notification messages. They then altered the employee’s Workday profile by changing payment details, essentially diverting all their future salaries to a threat actor-controlled bank account.

“Universities are prime targets for threat actors due to the transient nature of their employees and students,” opined Chance Caldwell, Senior Director of the Phishing Defense Center at Cofense.

“Universities tend to have high turnover, with individuals frequently joining and leaving within short periods of time. These users are easy targets, as they may not receive the same level of phishing awareness training as long-standing employees and may be less familiar with the university’s policies.”

Microsoft and Workday recommend phishing-resistant MFA after social engineering attacks

Meanwhile, Microsoft has notified impacted customers, while Workday has encouraged employees to use phishing-resistant MFA to avoid becoming victims.

Redmond is also assisting impacted employees with mitigation efforts. It also published guidelines on how to enroll phishing-resistant MFA and the threat actor’s tactics, techniques, and procedures (TTPs) to identify and block these social engineering attacks.

Nevertheless, Microsoft emphasized that the social engineering attacks do not leverage any Workday system vulnerabilities but rely on the users’ failure to enable MFA.

“These attacks don’t represent any vulnerability in the Workday platform or products, but rather financially motivated threat actors using sophisticated social engineering tactics and taking advantage of the complete lack of multifactor authentication (MFA) or lack of phishing-resistant MFA to compromise accounts,” Microsoft said.