Storm-2657: Hackers steal university salaries with perfidious phishing emails

The Storm-2657 hacker group is attacking educational institutions with a sophisticated phishing method that bypasses even multi-factor authentication and intercepts salary payments.
A sophisticated cyberattack is rocking American universities: Criminals are systematically diverting university employees' salary payments to their own accounts. The attackers, dubbed "Payroll Pirates," are so sophisticated that even multi-factor authentication fails to stop them.
Microsoft Threat Intelligence identified the campaign by the Storm-2657 hacker group, which has been targeting the education sector since March of this year. The attacks reveal a disturbing vulnerability: perfectly disguised phishing emails that appear to originate from university presidents or human resources departments.
Deceptively real scam emails with fatal consequences

The Storm-2657 group's formula for success is based on meticulously crafted phishing emails. Instead of crude spam messages, the criminals send tailored emails that perfectly mimic official university communications. Subject lines like "Faculty Compliance Notice - Classroom Misconduct" or "COVID-like Case Reported - Check Contact Status" create urgency and credibility.
The insidious thing is that the linked websites use a so-called "adversary-in-the-middle" technique. This not only intercepts passwords but also circumvents multi-factor authentication by capturing session cookies and MFA codes in real time.
Once an employee account is compromised, attackers gain access to HR platforms like Workday via single sign-on systems. To remain undetected, they install automatic deletion rules for HR software alerts, allowing them to discreetly change bank details for payroll deposits.
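A defender's check for the hiding step described above, added here as an example and not taken from the article, Microsoft or Workday: it scans an export of a mailbox's inbox rules (the record shape and the action names are assumptions, as is the keyword list) and flags any rule that both matches HR/payroll terms and makes the mail disappear.

```python
"""Flag mailbox inbox rules that silently discard HR/payroll notifications.

Added example. Inbox rules are assumed to be exported as a list of dicts
shaped like the constructed SAMPLE_RULES below; a real export (for example
from the mail platform's admin tooling) would need a small adapter.
"""

# Terms an HR/payroll platform alert is likely to carry (assumed list).
HR_TERMS = ["workday", "payroll", "direct deposit", "bank account", "payment election"]

# Rule actions that keep a message out of the user's sight (assumed names).
HIDING_ACTIONS = {"delete", "move_to_deleted_items", "mark_as_read", "move_to_archive"}


def rule_hides_hr_alerts(rule):
    """True when a rule targets HR/payroll mail AND hides it from the user."""
    conditions = " ".join(str(v) for v in rule.get("conditions", {}).values()).lower()
    actions = {a.lower() for a in rule.get("actions", [])}
    targets_hr = any(term in conditions for term in HR_TERMS)
    hides_mail = bool(actions & HIDING_ACTIONS)
    return targets_hr and hides_mail


def suspicious_rules(rules):
    """Names of rules worth an analyst's attention, in export order."""
    return [r["name"] for r in rules if rule_hides_hr_alerts(r)]


# Constructed sample export of inbox rules for one mailbox.
SAMPLE_RULES = [
    {"name": "Newsletter cleanup", "conditions": {"from": "news@example.edu"},
     "actions": ["move_to_folder:Newsletters"]},
    {"name": ".", "conditions": {"subject_contains": "Workday",
                                 "body_contains": "direct deposit"},
     "actions": ["mark_as_read", "move_to_deleted_items"]},
    {"name": "Payroll reminders", "conditions": {"subject_contains": "payroll"},
     "actions": ["move_to_folder:HR"]},  # filed, not hidden: benign
]

if __name__ == "__main__":
    for name in suspicious_rules(SAMPLE_RULES):
        print("suspicious rule:", repr(name))
```

A rule that merely files payroll mail into a folder is not flagged; only the combination of an HR/payroll condition with a delete, archive or mark-as-read action is.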
Shocking results: 6,000 targets at 25 universities

The scale of the attack is considerable: Microsoft has documented 11 successfully compromised accounts at three universities since March. The hackers used these accounts as a springboard for further attacks – nearly 6,000 email accounts at a total of 25 universities received phishing emails.
Particularly alarming: When 500 people received a fake email about disease exposure, only 10 percent reported it as a phishing attempt. This demonstrates how successful cybercriminals' psychological manipulation techniques are.
The attackers are not exploiting a specific vulnerability in Workday, but rather taking advantage of human factors and institutional security gaps, such as the lack of phishing-resistant multi-factor authentication.
Evolution of Business Email Compromise

Security experts classify these "Payroll Pirate" attacks as a new variant of Business Email Compromise (BEC) – a particularly costly form of cybercrime. While BEC traditionally attacks companies with wire transfers, this development directly targets payroll systems.
The FBI has already warned about such salary diversion scams, in which stolen credentials are misused to access HR portals. According to the Internet Crime Complaint Center (IC3), BEC attacks caused over €1.7 billion in damages in 2024.
Storm-2657's tactics are particularly insidious: They quietly plunder employee salaries without directly attacking the university's primary financial systems. This makes the breaches difficult to detect. By the time victims notice their missing salary, the funds have already been transferred and are often irretrievable.
Defense against the new cyber pirates

In response, security experts are urging stronger defenses. Microsoft and Workday strongly recommend phishing-resistant multi-factor authentication—such as FIDO2 security keys instead of SMS codes or app notifications.
Universities should conduct ongoing security training. Key recommendations: Verify links by hovering over them before clicking, and never enter login credentials after navigating through an email. Instead, employees should always access HR portals by directly typing the official URL.
As Storm-2657 continues to attack the education sector, only the combination of technological protection measures and well-informed, vigilant employees will be able to stop these financially devastating attacks.
ad-hoc-news