Microsoft is warning organizations of a new, targeted scam dubbed “Payroll Pirate” that steals employees’ direct deposit payments by compromising HR accounts. Since March 2025, attackers have successfully breached accounts at three U.S. universities, using the compromised credentials to send phishing emails to nearly 6,000 accounts across 25 universities.
The campaign gains access to HR portals – including Workday and other cloud-based HR services – through realistic phishing emails designed to steal login credentials. Attackers are circumventing multi-factor authentication (MFA) using “adversary-in-the-middle” (AiTM) phishing tactics, intercepting credentials and MFA codes via fake login pages. They then use this data to log into the legitimate site. Once inside, the scammers alter payroll configurations to redirect direct deposit payments to accounts they control. They also create email rules to suppress Workday’s automated notifications alerting users to account changes.
“The threat actor used realistic phishing emails, targeting accounts at multiple universities, to harvest credentials,” Microsoft said in a Thursday post. The attacks show that “not all MFA is created equal,” highlighting the importance of adopting FIDO-compliant MFA, which is resistant to these types of attacks.
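
Detection logic for the inbox-rule step described above, added here as an example and not taken from Microsoft's post: it scans mailbox audit events for newly created or modified rules that delete, move or mark as read messages matching HR/payroll keywords. The event layout (modeled on Exchange `New-InboxRule`/`Set-InboxRule` audit records), the keyword list and the sample events are assumptions.

```python
# Added example: flag inbox rules that hide HR/payroll notification mail.
# Event layout and keywords are assumptions; the sample events are constructed.
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Rule actions that keep a matching message out of the user's view.
HIDING_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
# Rule conditions that select which messages are affected.
MATCH_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
                "SubjectOrBodyContainsWords", "From", "FromAddressContainsWords")
# Assumed keywords; tune to the senders/subjects your HR platform really uses.
KEYWORDS = ("workday", "payroll", "direct deposit")


def suspicious_rules(events):
    """Return (user, rule name, matched keywords) for rules that hide HR mail."""
    hits = []
    for ev in events:
        if ev.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in ev.get("Parameters", [])}
        hides = any(a in params and params[a].lower() != "false"
                    for a in HIDING_ACTIONS)
        text = " ".join(params.get(f, "") for f in MATCH_FIELDS).lower()
        matched = [k for k in KEYWORDS if k in text]
        if hides and matched:
            hits.append((ev.get("UserId"), params.get("Name", ""), matched))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "a.lee@example.edu",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "Payment Elections;Direct Deposit"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "b.kim@example.edu",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@example.org"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "Set-InboxRule", "UserId": "c.diaz@example.edu",
     "Parameters": [{"Name": "Name", "Value": "x"},
                    {"Name": "FromAddressContainsWords", "Value": "workday"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Operation": "MailItemsAccessed", "UserId": "a.lee@example.edu", "Parameters": []},
]

if __name__ == "__main__":
    for user, rule, kws in suspicious_rules(SAMPLE_EVENTS):
        print(f"{user}: rule {rule!r} hides mail matching {kws}")
```

A hit is a lead for review rather than proof of compromise; correlate it with the sign-in that created the rule and with recent payroll or bank-detail changes for the same user.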