Microsoft researchers have surfaced a new phishing campaign where cybercriminals are stealing university employees’ salaries by redirecting their payroll deposits to accounts under their control. The group behind the attacks has been named “Storm-2657” by Microsoft.
The hackers have been carrying out these attacks since March 2025, targeting staff at multiple U.S. universities and organizations that use third-party HR and payroll platforms, including Workday.
According to Microsoft’s report, at least 11 employee accounts across three universities were compromised and later used to send phishing emails to nearly 6,000 individuals in 25 universities. The scale of the attack suggests a coordinated attempt to infiltrate university payroll systems through deception and stolen credentials.
How the Attack Works
The attackers send phishing emails that appear to come from legitimate university sources or human resources departments. These emails often carry urgent subjects like “COVID-Like Case Reported — Check Your Contact Status” or “Faculty Compliance Notice – Classroom Misconduct Report.”
When recipients click on the embedded links, they are redirected to fake login pages designed to steal their login details and multifactor authentication (MFA) codes. With these details, the hackers gain full access to the victim’s Workday or HR accounts.
Once i
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: