- A threat group named Storm-2657 targets employee accounts to redirect salary payments.
- The attacks focus on U.S. organizations, especially higher education employees using HR SaaS platforms like Workday.
- The group uses phishing and social engineering, not software vulnerabilities, exploiting weak multi-factor authentication (MFA).
- The attackers maintain access by adding their own phone numbers to MFA and deleting warning emails from victims’ accounts.
- Microsoft recommends adopting phishing-resistant MFA methods and monitoring accounts for suspicious activity to prevent these attacks.
A threat actor identified as Storm-2657 has been hijacking employee accounts in U.S. organizations since early 2025 to redirect salary payments to accounts they control. The group primarily targets employees in sectors such as higher education by compromising access to third-party human resources (HR) software-as-a-service (SaaS) platforms, including Workday.
According to the Microsoft Threat Intelligence team’s report, the attacks involve phishing campaigns that harvest employee credentials and multi-factor authentication (MFA) codes. One observed approach uses an adversary-in-the-middle (AitM) phishing link to gain access to Exchange Online accounts and then exploit single sign-on (SSO) to control Workday profiles.
The attackers create rules in compromised email accounts to delete warning notifications from Workday, hiding unauthorized changes like rerouting salary payments to their accounts. They also add their own phone numbers as MFA devices to maintain persistent access. The compromised accounts then send phishing emails internally and to other universities.
Microsoft reported 11 confirmed account compromises at three universities since March 2025, leading to nearly 6,000 phishing emails sent across 25 institutions. These emails often contain urgent lures involving health issues or disciplinary notices to trick recipients into clicking malicious links.
The security firm advises organizations to implement phishing-resistant MFA methods such as FIDO2 security keys and to monitor accounts for suspicious activity, including unknown MFA devices and malicious inbox rules. The attackers do not exploit software flaws but capitalize on social engineering and insufficient MFA protections in HR SaaS platforms that manage payment details. More details are available in the Microsoft report found here.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Major Global Banks Unite to Launch Joint Stablecoin Initiative
- EU Prepares New Trade Deal Plan, Rejects Trump Regulatory Demands
- Polymarket Traders Suspected of Insider Bets on Peace Prize Winner
- Singapore Delays New Crypto Bank Rules to 2027 Amid Industry Pushback
- Stealit Malware Abuses Node.js SEA to Spread Ransomware
