In recent developments, Microsoft has issued a stark warning regarding a growing phishing scam dubbed “Payroll Pirate.” This scheme specifically targets employees by compromising their profiles on cloud-based HR services like Workday, ultimately redirecting their paycheck payments to accounts controlled by attackers. Such security breaches significantly undermine employee trust and carry dire financial consequences.
Understanding the Mechanism of Payroll Pirate
The operation begins with the distribution of convincing phishing emails, which trick victims into providing their credentials for logging into their HR portals. The attackers leverage adversary-in-the-middle tactics, allowing them to intercept multi-factor authentication (MFA) codes. By positioning themselves between the victim and the legitimate site, the scammers can harvest sensitive information without arousing suspicion.
The Flaw in MFA Systems
While MFA is generally a robust security measure, not all implementations are created equal. In this case, the attackers use the stolen credentials, including the intercepted MFA codes, to log in to the victim’s actual account. This evolving tactic highlights a significant weakness in existing MFA systems and underscores the need for FIDO-compliant solutions, which are less susceptible to such schemes.
Manipulating Payroll Configurations
Once the attackers gain access to employees’ accounts, they can make detrimental changes to payroll settings. This manipulation diverts direct-deposit payments away from the original bank accounts, redirecting funds to accounts that the scammers control. To further evade detection, attackers can create email rules that prevent alert messages from appearing in victims’ inboxes, effectively covering their tracks.
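Defenders can correlate the two actions described above: a direct-deposit change and an inbox rule that hides HR alert mail for the same user. The following Python is an added example, not code from Microsoft's report; the event schema, field names, keyword list and 72-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized audit schema
# (field names are assumptions, not any product's real log format).
EVENTS = [
    {"time": "2025-03-10T09:02:00", "user": "alice@uni.example", "action": "inbox_rule_created",
     "rule": {"match": ["Workday", "Payment Elections"], "then": "delete"}},
    {"time": "2025-03-10T09:10:00", "user": "alice@uni.example", "action": "direct_deposit_changed"},
    {"time": "2025-03-11T14:00:00", "user": "bob@uni.example", "action": "inbox_rule_created",
     "rule": {"match": ["Weekly digest"], "then": "move_to_folder"}},
    {"time": "2025-03-11T15:00:00", "user": "bob@uni.example", "action": "direct_deposit_changed"},
    {"time": "2025-03-12T08:00:00", "user": "carol@uni.example", "action": "inbox_rule_created",
     "rule": {"match": ["payroll"], "then": "delete"}},
    {"time": "2025-03-01T10:00:00", "user": "dave@uni.example", "action": "direct_deposit_changed"},
    {"time": "2025-03-20T10:00:00", "user": "dave@uni.example", "action": "inbox_rule_created",
     "rule": {"match": ["direct deposit"], "then": "delete"}},
]

WINDOW = timedelta(hours=72)  # assumed correlation window
HIDE_ACTIONS = {"delete", "move_to_folder", "mark_read"}
HR_TERMS = ("workday", "payroll", "direct deposit", "payment election")

def rule_hides_hr_mail(rule):
    """True if the rule suppresses messages and its conditions mention HR/payroll terms."""
    if rule.get("then") not in HIDE_ACTIONS:
        return False
    return any(term in cond.lower() for cond in rule.get("match", []) for term in HR_TERMS)

def find_payroll_diversion(events, window=WINDOW):
    """Return sorted (user, change_time) pairs where a direct-deposit change has a
    mail-hiding rule for the same user within `window`, before or after the change."""
    rules, changes = {}, {}
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["action"] == "inbox_rule_created" and rule_hides_hr_mail(ev.get("rule", {})):
            rules.setdefault(ev["user"], []).append(t)
        elif ev["action"] == "direct_deposit_changed":
            changes.setdefault(ev["user"], []).append(t)
    hits = []
    for user, times in changes.items():
        for t in times:
            if any(abs(t - r) <= window for r in rules.get(user, [])):
                hits.append((user, t.isoformat()))
    return sorted(hits)

if __name__ == "__main__":
    for user, when in find_payroll_diversion(EVENTS):
        print(f"ALERT {user}: payroll change at {when} paired with a mail-hiding rule")
```

Only the first user is flagged with the default window: the second user's rule is unrelated to HR mail, the third has no payroll change, and the fourth's two events are too far apart.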
Recent Statistics Reveal Scope of the Threat
According to Microsoft’s findings, the threat actors have targeted multiple universities and have successfully compromised 11 accounts across three institutions since March 2025. These accounts have been used to disseminate phishing emails to nearly 6,000 recipients across 25 universities, showcasing the extensive reach of this malicious activity.
As educational institutions and businesses increasingly rely on digital HR systems, the importance of stepping up security measures cannot be overstated. Organizations must not only educate their employees about phishing tactics but also adopt advanced security protocols that can thwart sophisticated attacks like Payroll Pirate.
For more information on how to protect yourself and your organization from such threats, see the detailed reports from Microsoft and Ars Technica.