Phishing toolkits can capture payment information without an explicit form submission by tracking victims' keystrokes in real time and can bypass multi-factor authentication by eliciting legitimate verification codes and prompting victims to enter them on fake screens.
November 12, 2025
high
technical
Describes technical mechanisms used to steal credentials, payment data, and to defeat multi-factor authentication.
In 2025, Storm-2657 primarily targeted Workday and other payroll and HR software by sending phishing emails that capture login credentials and multi-factor authentication (MFA) codes in real time using adversary-in-the-middle techniques.
March 01, 2025
high
temporal
Describes the primary technical target and credential-capture method used in payroll-directed phishing campaigns.
In 2025, attackers commonly set inbox rules to delete platform notifications and enrolled attacker-controlled phone numbers as MFA devices to maintain persistent access and conceal unauthorized payroll changes.
March 01, 2025
high
temporal
Describes persistence and stealth tactics used after initial credential compromise in payroll fraud campaigns.
The FBI reported that 'Scattered Spider' relies on social engineering techniques that impersonate employees or contractors to deceive IT help desks into granting access and frequently uses methods to bypass multi-factor authentication by convincing help desk staff to add unauthorized MFA devices to compromised accounts.
high
temporal
Description of attack techniques and MFA-bypass methods attributed to a named cybercriminal group in an FBI advisory.