Storm-2657

Storm-2657, also referred to as Payroll Pirates, is a financially motivated cybercrime threat actor tracked by Microsoft. The group has conducted "payroll pirate" attacks since at least March 2025, primarily targeting U.S.-based organizations, especially higher education, with additional activity linked alongside Storm-2755 in healthcare, manufacturing, and food services environments. Microsoft reported the actor targeted university employees across the United States and used compromised accounts at three universities to send phishing emails to nearly 6,000 accounts across 25 universities. The actor’s objective is to gain unauthorized access to employee HR and payroll profiles and redirect salary payments to attacker-controlled bank accounts. Storm-2657 has targeted third-party HR SaaS platforms such as Workday, though Microsoft explicitly stated the activity does not reflect a vulnerability in Workday itself. The attacks rely on social engineering and weak identity protections, including missing MFA or non-phishing-resistant MFA. Observed tradecraft includes phishing emails, including institution-tailored lures themed around illness exposure, faculty misconduct, HR compensation or benefits updates, and impersonation of university leadership. Microsoft reported the use of adversary-in-the-middle phishing to steal credentials and MFA codes or active Microsoft 365 session tokens, enabling access to Exchange Online and bypass of MFA. After compromise, the actor has used Microsoft Graph API queries to enumerate users associated with payroll, HR, finance, resources, and admin functions. Storm-2657 also created inbox rules to delete or hide Workday warning notifications and, in some cases, enrolled attacker-controlled phone numbers as MFA devices through Workday profiles or Duo settings to maintain persistence. The actor then used SSO access to modify Workday payment elections or other payroll settings to divert direct deposits. In some reporting, the actor also contacted HR directly to facilitate payroll redirection. The campaign has been described as a variant of business email compromise focused on payroll diversion. Known alias: Payroll Pirates.