Microsoft has uncovered a sophisticated payroll diversion campaign targeting university employees across the United States, with hackers stealing credentials through phishing emails to redirect salaries to fraudulent accounts. The tech giant’s Digital Security Unit identified 11 compromised email accounts at three universities beginning in March 2025, which threat actors used to distribute nearly 6,000 phishing emails across 25 institutions in a coordinated financial theft operation.
Social Engineering Tactics Bypass Security Measures
The financially motivated group tracked as Storm-2657 employed carefully crafted social engineering lures to trick university staff into revealing their credentials. According to Microsoft’s security report, attackers sent emails with themes ranging from campus health alerts to faculty misconduct reports, creating urgency that prompted recipients to click malicious links. The campaign specifically targeted institutions where multi-factor authentication wasn’t enforced, allowing direct access to Exchange Online accounts through adversary-in-the-middle techniques that intercepted login credentials.
Microsoft’s investigation revealed the attackers exploited human psychology rather than technical vulnerabilities. “The threat actor leveraged social engineering tactics to compromise accounts where MFA wasn’t enabled,” the company stated in its security advisory. This approach highlights the critical importance of security awareness training alongside technical controls. The Cybersecurity and Infrastructure Security Agency has repeatedly emphasized that social engineering remains one of the most effective attack vectors, with educational institutions being particularly vulnerable due to their open information-sharing cultures.
Payroll System Manipulation and Concealment
Once inside university email systems, attackers methodically accessed HR platforms like Workday to redirect employee salaries to accounts under their control. Microsoft documented how Storm-2657 modified direct deposit information in payroll systems, ensuring stolen funds flowed directly to attacker-controlled bank accounts. The sophistication extended to establishing inbox rules that automatically deleted notifications from HR systems, preventing victims from discovering the unauthorized changes until payday arrived.
The Federal Bureau of Investigation’s Internet Crime Complaint Center reported that business email compromise schemes resulted in $2.9 billion in losses in 2023, with educational institutions increasingly targeted. Microsoft’s findings show attackers maintained access for extended periods, monitoring payroll cycles and making incremental changes to avoid detection. Workday’s security documentation emphasizes that organizations should implement additional verification for payroll modifications, particularly for changes to banking information.
Attack Propagation Across Higher Education
The campaign demonstrated self-propagating characteristics, with compromised accounts used to launch additional phishing attacks both within the same organization and externally to other universities. Microsoft’s analysis showed how Storm-2657 leveraged the credibility of legitimate university email accounts to increase phishing success rates. “Following the compromise of email accounts and payroll modifications, the threat actor leveraged newly accessed accounts to distribute further phishing emails to other universities,” the security team reported.
This cross-institutional propagation created a compounding effect, with each successful compromise enabling wider attacks. The EDUCAUSE Cybersecurity Initiative has documented similar patterns in higher education, where trust relationships between institutions can be exploited. A 2024 SANS Institute analysis found that education sector attacks increased 44% year-over-year, with financial motives driving most incidents. Microsoft has contacted identified victims and provided specific guidance for investigating potential compromises.
Protective Measures and Industry Response
Microsoft recommends several critical security measures to prevent similar attacks, emphasizing that multi-factor authentication could have blocked most of the credential theft attempts. The company advises organizations to implement conditional access policies, monitor for suspicious inbox rules, and establish additional approval workflows for payroll changes. Security teams should also monitor for anomalous login patterns and configure alerts for financial system modifications.
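The inbox-rule monitoring recommended above can be put into practice by triaging an export of each mailbox's rules for the pattern described earlier in this article: rules that delete or bury mail from HR and payroll platforms. The script below is an added example, not Microsoft's detection content or any Defender rule. It assumes the input is the JSON produced by `Get-InboxRule -Mailbox <user> | ConvertTo-Json` (the property names `Name`, `Enabled`, `DeleteMessage`, `MoveToFolder`, `From`, `FromAddressContainsWords`, `SubjectContainsWords`, `BodyContainsWords` and `MailboxOwnerId` are real `Get-InboxRule` properties); the sender patterns, keywords and sample rule records are constructed for illustration and should be tuned to the tenant.

```python
"""Triage exported Exchange Online inbox rules for payroll-notification suppression.

Added example: flags enabled rules that hide mail (delete it or move it to a
folder nobody reads) and, within those, prioritises rules whose conditions
match HR/payroll senders or subjects such as Workday direct-deposit notices.
"""
import json
import re

# Assumed sender/keyword patterns for an HR or payroll platform; tune per tenant.
PAYROLL_SENDER_PATTERNS = [r"workday", r"payroll", r"^hr@", r"human[-_ ]?resources"]
PAYROLL_KEYWORDS = ["direct deposit", "payment election", "bank account", "payroll", "workday"]
# Folders where a moved message is effectively hidden from the user (assumed list).
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "rss subscriptions",
                  "archive", "conversation history"}


def _as_list(value):
    """Get-InboxRule renders multi-valued properties as a list, single ones as a string."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def rule_hides_mail(rule):
    """True if the rule deletes matching mail or files it into a hiding folder."""
    if rule.get("DeleteMessage"):
        return True
    folder = rule.get("MoveToFolder") or ""
    # MoveToFolder is rendered as "<mailbox>:\<Folder path>"; keep only the leaf folder.
    leaf = folder.split("\\")[-1].strip().lower()
    return leaf in HIDING_FOLDERS


def rule_targets_payroll(rule):
    """True if any sender or subject/body condition points at HR or payroll mail."""
    senders = _as_list(rule.get("From")) + _as_list(rule.get("FromAddressContainsWords"))
    if any(re.search(p, s, re.IGNORECASE) for p in PAYROLL_SENDER_PATTERNS for s in senders):
        return True
    words = (_as_list(rule.get("SubjectContainsWords"))
             + _as_list(rule.get("BodyContainsWords"))
             + _as_list(rule.get("SubjectOrBodyContainsWords")))
    return any(k in w.lower() for k in PAYROLL_KEYWORDS for w in words)


def triage_rules(rules):
    """Return findings for enabled hiding rules, highest severity first."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True) or not rule_hides_mail(rule):
            continue
        payroll = rule_targets_payroll(rule)
        findings.append({
            "mailbox": rule.get("MailboxOwnerId", "<unknown>"),
            "rule": rule.get("Name", ""),
            "severity": "high" if payroll else "low",
            "reason": ("hides mail matching HR/payroll conditions" if payroll
                       else "hides mail; review conditions manually"),
        })
    findings.sort(key=lambda f: f["severity"] != "high")  # stable: high first
    return findings


# Constructed sample export (four rules for one mailbox); raw string keeps the JSON backslashes.
SAMPLE_EXPORT = r"""[
  {"MailboxOwnerId": "jdoe@university.example", "Name": ".", "Enabled": true,
   "DeleteMessage": true, "FromAddressContainsWords": ["workday"]},
  {"MailboxOwnerId": "jdoe@university.example", "Name": "Newsletters", "Enabled": true,
   "MoveToFolder": "jdoe@university.example:\\Newsletters", "From": "news@vendor.example"},
  {"MailboxOwnerId": "jdoe@university.example", "Name": "Cleanup", "Enabled": true,
   "DeleteMessage": true, "SubjectContainsWords": ["unsubscribe"]},
  {"MailboxOwnerId": "jdoe@university.example", "Name": "Old HR filter", "Enabled": false,
   "DeleteMessage": true, "From": "hr@university.example"}
]"""
SAMPLE_RULES = json.loads(SAMPLE_EXPORT)

if __name__ == "__main__":
    for f in triage_rules(SAMPLE_RULES):
        print(f"[{f['severity'].upper()}] {f['mailbox']} rule {f['rule']!r}: {f['reason']}")
```

Disabled rules are skipped so the output stays focused on rules that currently act on mail, and a rule that merely files messages into a folder the user still reads is not reported; anything that deletes mail is listed at low severity so an analyst can still review it alongside the high-severity payroll matches.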
The National Institute of Standards and Technology recommends defense-in-depth strategies for educational institutions, including security awareness training that specifically addresses business email compromise tactics. Microsoft’s security team has released detection rules through its Defender platform and recommends organizations conduct immediate audits of payroll system access logs and modification histories. As Storm-2657 continues targeting the education sector, institutions must balance accessibility with security controls that protect financial and personal data.
References:
1. Microsoft Security Response Center: https://msrc.microsoft.com/blog/
2. CISA Cloud Security Technical Reference Architecture: https://www.cisa.gov/news-events/news/cloud-security-technical-reference-architecture
3. FBI IC3 2023 Internet Crime Report: https://www.ic3.gov/Media/PDF/AnnualReport/2024_IC3Report.pdf
4. Workday Security & Trust: https://www.workday.com/en-us/security/trust-security.html
5. EDUCAUSE Cybersecurity Initiative: https://www.educause.edu/focus-areas/cybersecurity-and-information-security