Hackers exploited weak MFA and stolen credentials to breach U.S. university Workday accounts, redirecting payrolls and launching large phishing campaigns.

Hackers Hijack U.S. University Payrolls Using Workday Accounts, Microsoft Warns

The420 Web Desk

A cybercrime group tracked by Microsoft has launched a sophisticated campaign against U.S. universities, diverting employee salaries by taking over staff accounts on the institutions' HR platform. The attacks show how weak security practices, rather than software flaws, can lead to large-scale payroll fraud.

A Brazen Campaign Uncovered

Microsoft’s Threat Intelligence team has sounded the alarm over a coordinated cyberattack campaign targeting U.S. university payroll systems since March 2025. The threat actor, tracked as Storm-2657, has been infiltrating higher-education institutions by compromising email and HR accounts linked to Workday, a widely used human resources and payroll platform.

According to Microsoft, the attackers' strategy is deceptively simple yet effective. They begin by sending tailored phishing emails to university staff, posing as HR departments, faculty administrators, or even university presidents. These messages often contain links to shared Google Docs that lead to lookalike login pages, which harvest the victim's credentials and multifactor authentication (MFA) codes. Because the attackers relay those codes to the real sign-in page as they are typed, a one-time code offers no protection in this scenario. Once inside, the attackers quietly change payroll settings and redirect salaries to attacker-controlled bank accounts.

Microsoft confirmed that it has observed 11 compromised accounts across three universities, which were then used to launch phishing campaigns against nearly 6,000 accounts spanning 25 universities.


How the Operation Works

After gaining access, the cybercriminals use the stolen credentials and the university's single sign-on (SSO) integration to enter the Workday environment. From there, they modify direct deposit details, diverting employee salaries without raising immediate suspicion. The threat actors also create inbox rules that delete HR or payroll notifications, so the victim never sees the confirmation that a bank account was changed, effectively covering their tracks.
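The two tracks described above, a mailbox rule that hides payroll mail followed by a direct-deposit change on the same account, can be correlated in audit logs. The following is an added detection example, not Microsoft's or Workday's own code. It reads records shaped like Microsoft 365 unified audit log entries for New-InboxRule / Set-InboxRule (the parameter names DeleteMessage, MoveToFolder, SubjectContainsWords and From are the real Exchange inbox-rule parameters); the DirectDepositChanged operation, the PAYROLL_TERMS list, the 72-hour window and the sample records are assumptions to adapt to your own tenant's HR audit export.

```python
"""Detecting the Storm-2657 pattern described above: an inbox rule that hides
payroll/HR notifications, then a direct-deposit change on the same account.
This is an added example, not Microsoft's or Workday's code."""
from datetime import datetime, timedelta

# Terms that payroll/HR notifications usually carry. Assumption: tune these to
# the actual subjects and sender addresses your Workday tenant sends.
PAYROLL_TERMS = ("payroll", "direct deposit", "workday", "bank account",
                 "compensation", "payment election")
# Folders attackers use to bury mail where the victim will not look.
HIDE_FOLDERS = ("deleted items", "rss feeds", "rss subscriptions", "junk email",
                "archive", "conversation history")
WINDOW = timedelta(hours=72)  # assumption: how long after the rule a change is still suspicious


def _params(event):
    """Flatten the Parameters list of a unified-audit-log style record into a dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def _ts(event):
    """Parse the record's ISO-8601 timestamp (the 'Z' suffix is normalised for fromisoformat)."""
    return datetime.fromisoformat(event["CreationTime"].replace("Z", "+00:00"))


def rule_hides_payroll_mail(event):
    """True if a New-/Set-InboxRule event deletes or buries payroll-looking mail."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    p = _params(event)
    hides = (str(p.get("DeleteMessage", "")).lower() == "true"
             or str(p.get("MoveToFolder", "")).lower() in HIDE_FOLDERS)
    conditions = " ".join(str(p.get(k, "")) for k in
                          ("SubjectContainsWords", "SubjectOrBodyContainsWords",
                           "BodyContainsWords", "From")).lower()
    return hides and any(term in conditions for term in PAYROLL_TERMS)


def suspicious_rules(events):
    """(user, time) for every inbox rule that hides payroll mail, oldest first."""
    return [(e["UserId"].lower(), _ts(e).isoformat())
            for e in sorted(events, key=lambda e: e["CreationTime"])
            if rule_hides_payroll_mail(e)]


def find_payroll_diversions(events, window=WINDOW):
    """(user, rule_time, change_time) where a direct-deposit change follows a
    payroll-hiding rule on the same account within `window`. DirectDepositChanged
    is a hypothetical HR audit event; map it to what your Workday export emits."""
    rules = {}
    for user, when in suspicious_rules(events):
        rules.setdefault(user, []).append(datetime.fromisoformat(when))
    findings = []
    for e in events:
        if e.get("Operation") != "DirectDepositChanged":
            continue
        user, changed = e["UserId"].lower(), _ts(e)
        for rule_time in rules.get(user, []):
            if timedelta(0) <= changed - rule_time <= window:
                findings.append((user, rule_time.isoformat(), changed.isoformat()))
                break
    return findings


# Constructed sample records mimicking the Exchange/HR audit shape (not real logs).
SAMPLE_EVENTS = [
    {"CreationTime": "2025-03-12T09:15:00Z", "UserId": "alice@univ.example",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectContainsWords", "Value": "Direct Deposit;Payroll;Workday"},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-03-13T14:02:00Z", "UserId": "alice@univ.example",
     "Operation": "DirectDepositChanged", "Parameters": []},
    {"CreationTime": "2025-03-13T10:00:00Z", "UserId": "bob@univ.example",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "SubjectContainsWords", "Value": "Newsletter"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2025-03-14T11:30:00Z", "UserId": "bob@univ.example",
     "Operation": "DirectDepositChanged", "Parameters": []},
    {"CreationTime": "2025-03-01T08:00:00Z", "UserId": "carol@univ.example",
     "Operation": "DirectDepositChanged", "Parameters": []},
    {"CreationTime": "2025-03-20T08:00:00Z", "UserId": "carol@univ.example",
     "Operation": "Set-InboxRule", "Parameters": [
         {"Name": "From", "Value": "workday@univ.example"},
         {"Name": "DeleteMessage", "Value": "True"}]},
]

if __name__ == "__main__":
    for finding in suspicious_rules(SAMPLE_EVENTS):
        print("payroll-hiding inbox rule:", finding)
    for finding in find_payroll_diversions(SAMPLE_EVENTS):
        print("likely payroll diversion:", finding)
```

In the sample, only alice's account trips the correlation: bob's rule files newsletters, and carol's payroll-deleting rule was created after her last bank-detail change, so it is reported as a hiding rule on its own but not as a completed diversion. Any hiding rule is worth an alert regardless of whether a payroll change has followed yet.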

The group is not exploiting any vulnerability in Workday itself, Microsoft clarified, but rather taking advantage of weak MFA enforcement, misconfigured access settings, and poor credential hygiene.

The attack chain reportedly starts with fake HR notifications, faculty misconduct alerts, or illness outbreak reports, emails that blend seamlessly into academic communication. Once a victim clicks through, the criminals use adversary-in-the-middle (AiTM) tactics to intercept the authentication session, including the MFA step, and complete the login as the victim.

A Wider Web of Compromise

The campaign’s scope extends beyond payroll theft. Once the attackers secure control over compromised email accounts, they use them to send secondary phishing waves, both internally and externally. The aim is to expand their foothold within the academic network and to other institutions.

Microsoft said the compromised university accounts were leveraged to distribute additional phishing campaigns to thousands of users, compounding the scale of the threat. The attackers also impersonated senior administrators and HR officials to share false compensation updates, fake benefit reports, or malicious attachments disguised as official correspondence.

The company’s report underscores that this is not an isolated incident but part of a growing pattern where cybercriminals exploit institutional trust and administrative workflows rather than exploiting software flaws.

Universities on Alert

The revelation has prompted universities across the United States to tighten access controls, strengthen MFA enforcement, and audit HR software configurations. Microsoft's advisory recommends immediately reviewing single sign-on policies, isolating compromised accounts, and training users to recognise phishing.

Cybersecurity experts say the incident highlights a persistent vulnerability in higher education — a sector rich in sensitive data but often constrained by limited IT resources and inconsistent security standards. “Universities operate in an open, collaborative ecosystem, which makes them easy targets for social engineering and account compromise,” one analyst noted.

As investigations continue, Microsoft warned that similar campaigns may emerge in other sectors using integrated HR and payroll systems. The case underscores a crucial reality in cybersecurity: the weakest link is rarely the software—it is the human user behind it.
