Since March 2025, a hacking group known as Storm-2657 has conducted "pirate payroll" attacks that target university staff to hijack salary payments.
March 01, 2025
high
temporal
Describes the onset and nature of a class of payroll-targeting attacks against higher-education institutions.
In 2025, Storm-2657 primarily targeted Workday and other payroll and HR software by sending phishing emails that capture login credentials and multi-factor authentication (MFA) codes in real time using adversary-in-the-middle techniques.
March 01, 2025
high
temporal
Describes the primary technical target and credential-capture method used in payroll-directed phishing campaigns.
Using a small number of compromised internal accounts increases the credibility of phishing messages and lets a campaign spread at scale; Microsoft reported that in 2025, 11 compromised accounts at three universities were used to send phishing emails to nearly 6,000 addresses at 25 institutions.
March 01, 2025
high
temporal
Quantifies how attackers scale campaigns by leveraging trusted internal accounts to improve phishing success.