- Storm-2657 hackers hit university email accounts to launch phishing and redirect wage payments
- Attackers exploited a lack of MFA and used AiTM tactics to access HR SaaS platforms
- Microsoft is helping victims and warns that this is a BEC-style “payroll” campaign
Hackers are breaking into Human Resources SaaS platform accounts at universities across the United States and redirecting wages to their own accounts, Microsoft has warned.
Its report claims that the attacks started in March 2025, when a financially motivated group tracked as Storm-2657 used social engineering, as well as the fact that no multi-factor authentication (MFA) was in place, to break into 11 email accounts at three universities.
Using these accounts, they sent phishing emails to nearly 6,000 email accounts across 25 universities, with themes varying from warnings about campus disease outbreaks to reports of faculty misconduct. The goal was to get the victims to click on phishing links and, through adversary-in-the-middle (AiTM) attacks, gain access to their Exchange Online accounts.
Payroll Pirate
The campaign is called “payroll” and is a variation of the dreaded business email compromise (BEC) scam that is popular with cyber criminals.
Once inside, the hackers used the access to log in to Workday (or other third-party HR SaaS platforms) and change wage payment configurations to redirect payments to accounts under their control.
They also created inbox rules to delete any incoming email messages from these platforms, to make sure the victims were never notified of the malicious changes.
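A defender can hunt for the inbox-rule step described above. The following is an added example, not code from Microsoft's report or this article: it scans constructed, simplified audit records for rules that delete mail mentioning an HR platform. The record layout (an `Operation` plus a `Parameters` name/value list for the inbox-rule cmdlets) and the keyword list are assumptions to adapt to your own export.

```python
import json

# Constructed sample records (not real data), one JSON object per line.
SAMPLE_LOG = """\
{"UserId": "a.lee@uni.example", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "...."}, {"Name": "FromAddressContainsWords", "Value": "workday"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"UserId": "b.kim@uni.example", "Operation": "New-InboxRule", "Parameters": [{"Name": "Name", "Value": "cleanup"}, {"Name": "SubjectContainsWords", "Value": "newsletter"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"UserId": "c.roy@uni.example", "Operation": "Set-InboxRule", "Parameters": [{"Name": "Name", "Value": "filing"}, {"Name": "SubjectOrBodyContainsWords", "Value": "Payroll;direct deposit"}, {"Name": "MoveToFolder", "Value": "Archive"}]}
{"UserId": "d.ng@uni.example", "Operation": "MailItemsAccessed"}
{"UserId": "e.diaz@uni.example", "Operation": "Set-InboxRule", "Parameters": [{"Name": "Name", "Value": "x"}, {"Name": "From", "Value": "notifications@myworkday.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
"""

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Rule conditions that can single out mail from one sender or topic.
MATCH_PARAMS = ("From", "FromAddressContainsWords", "SubjectContainsWords",
                "SubjectOrBodyContainsWords", "BodyContainsWords")
# Assumed keywords; extend with the names of the HR platforms you use.
HR_KEYWORDS = ("workday", "payroll")


def suspicious_rules(log_text, keywords=HR_KEYWORDS):
    """Return (user, rule name, matched keywords) for delete rules on HR mail."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        # Only rules that delete the message match the behaviour described.
        if params.get("DeleteMessage", "").lower() != "true":
            continue
        matched = sorted({kw for name in MATCH_PARAMS for kw in keywords
                          if kw in params.get(name, "").lower()})
        if matched:
            hits.append((rec.get("UserId", ""), params.get("Name", ""), matched))
    return hits


if __name__ == "__main__":
    for user, rule, words in suspicious_rules(SAMPLE_LOG):
        print(f"{user}: rule {rule!r} deletes mail matching {words}")
```

The benign newsletter rule and the move-to-folder rule are not flagged, which keeps the output limited to rules that silently delete HR platform notifications.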
Then, they would further spread their attacks: “After the compromise of email accounts and the payroll changes in Workday, the threat actor recently utilized access to accounts to distribute additional phishing emails, both in the organization and externally to other universities,” Microsoft said.
In its report, Microsoft said it identified the people who fell for the phishing attack and had their payment data compromised. It is now reaching out to them and helping with mitigation. It also released tips and guidance to help potential victims investigate whether they were compromised or not.
Via BleepingComputer



