{
	"id": "48eeaa49-8385-4670-b626-99a499aa7297",
	"created_at": "2026-04-06T00:08:22.533228Z",
	"updated_at": "2026-04-10T03:36:00.975068Z",
	"deleted_at": null,
	"sha1_hash": "b3d60662e282059cc6824b31009f75e9d8c0382f",
	"title": "Investigating targeted “payroll pirate” attacks affecting US universities | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1698419,
	"plain_text": "Investigating targeted “payroll pirate” attacks affecting US\r\nuniversities | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2025-10-09 · Archived: 2026-04-02 11:24:53 UTC\r\nMicrosoft Threat Intelligence has observed a financially motivated threat actor that we track as Storm-2657\r\ncompromising employee accounts to gain unauthorized access to employee profiles and divert salary payments to\r\nattacker-controlled accounts. These types of attacks have been dubbed “payroll pirate” by the industry. Storm-2657 is actively targeting a range of US-based organizations, particularly employees in sectors like higher\r\neducation, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like\r\nWorkday.  \r\nIn a campaign observed in the first half of 2025, we identified the actor specifically targeting Workday profiles.\r\nHowever, it’s important to note that any SaaS systems storing HR or payment and bank account information could\r\nbe easily targeted with the same technique. These attacks don’t represent any vulnerability in the Workday\r\nplatform or products, but rather financially motivated threat actors using sophisticated social engineering tactics\r\nand taking advantage of the complete lack of multifactor authentication (MFA) or lack of phishing-resistant MFA\r\nto compromise accounts. Workday has published guidance for their customers in their community, and we thank\r\nWorkday for their partnership and support in helping to raise awareness on how to mitigate this threat.\r\nMicrosoft has identified and reached out to some of the affected customers to share tactics, techniques, and\r\nprocedures (TTPs) and assist with mitigation efforts. In this blog, we present our analysis of Storm-2657’s recent\r\ncampaign and the TTPs employed in attacks. 
We offer comprehensive guidance for investigation and remediation,\r\nincluding implementing phishing-resistant MFA to help block these attacks and protect user accounts.\r\nAdditionally, we provide detections and hunting queries to enable organizations to defend against\r\nthis attack and disrupt threat actor activity.\r\nAnalysis of the campaign\r\nIn the observed campaign, the threat actor gained initial access through phishing emails crafted to steal MFA\r\ncodes using adversary-in-the-middle (AiTM) phishing links. After obtaining MFA codes, the threat actor was able\r\nto gain unauthorized access to the victims’ Exchange Online and later hijacked and modified their Workday\r\nprofiles.\r\nAfter gaining access to compromised employee accounts, the threat actor created inbox rules to delete incoming\r\nwarning notification emails from Workday, hiding the actor’s changes to the HR profiles. Storm-2657 then\r\nstealthily moved on to modify the employee’s salary payment configuration in their HR profile, thereby\r\nredirecting future salary payments to accounts under the actor’s control, causing financial harm to their victims.\r\nWhile the following example illustrates the attack flow as observed in Workday environments, it’s important to\r\nnote that similar techniques could be leveraged against any payroll provider or SaaS platform.\r\nhttps://www.microsoft.com/en-us/security/blog/2025/10/09/investigating-targeted-payroll-pirate-attacks-affecting-us-universities/\r\nPage 1 of 14\n\nFigure 1. 
Attack flow of threat actor activity in a real incident\r\nInitial access\r\nThe threat actor used realistic phishing emails, targeting accounts at multiple universities, to harvest credentials.\r\nSince March 2025, we’ve observed 11 successfully compromised accounts at three universities that were used to\r\nsend phishing emails to nearly 6,000 email accounts across 25 universities.\r\nSome phishing emails contained Google Docs links, making detection challenging, as these are common in\r\nacademic environments. In multiple instances, compromised accounts did not have MFA enabled. In other cases,\r\nusers were tricked into disclosing MFA codes via AiTM phishing links distributed through email. Following the\r\ncompromise of email accounts and the payroll modifications in Workday, the threat actor leveraged newly\r\naccessed accounts to distribute further phishing emails, both within the organization and externally to other\r\nuniversities.\r\nThe threat actor used several themes in their phishing emails. One common theme involved messages about\r\nillnesses or outbreaks on campus, suggesting that recipients might have been exposed. These emails included a\r\nlink to a Google Docs page that then redirected to an attacker-controlled domain.\r\nSome examples of the email subject lines are:\r\nCOVID-Like Case Reported — Check Your Contact Status\r\nConfirmed Case of Communicable Illness\r\nConfirmed Illness\r\nIn one instance, a phishing email was sent to 500 individuals within a single organization, encouraging targets to\r\ncheck their illness exposure status. Approximately 10% of recipients reported the email as a suspected phishing\r\nattempt.\r\nFigure 2. 
Sample of a phishing email sent by the threat actor with an illness-exposure-related theme\r\nThe second theme involved reports of misconduct or actions by individuals within the faculty, with the goal of\r\ntricking recipients into checking the link to determine if they are mentioned in the report.\r\nSome examples of the subject lines are:\r\nFaculty Compliance Notice – Classroom Misconduct Report\r\nReview Acknowledgment Requested – Faculty Misconduct Mention\r\nThe most recently identified theme involved phishing emails impersonating a legitimate university or an entity\r\nassociated with a university. To make their messages appear convincing, Storm-2657 tailored the content based on\r\nthe recipient’s institution. Examples included messages that appear to be official communications from the\r\nuniversity president, information about compensation and benefits, or documents shared by HR with recipients.\r\nMost of the time the subject line contained either the university name or the university president’s name, further\r\nenhancing the email’s legitimacy and appeal to the intended target.\r\nSome examples of the subject lines are:\r\nPlease find the document forwarded by the HR Department for your review\r\n[UNIVERSITY NAME] 2025 Compensation and Benefits Update\r\nA document authored by [UNIVERSITY PRESIDENT NAME] has been shared for your examination.\r\nFigure 3. Sample of a phishing email sent by the threat actor with an HR-related theme\r\nDefense evasion\r\nFollowing account compromise, the threat actor created a generic inbox rule to hide or delete any incoming\r\nwarning notification emails from the organization’s Workday email service. 
This rule ensured that the victim\r\nwould not see the notification emails from Workday about the payroll changes made by the threat actor, thereby\r\nminimizing the likelihood of detection by the victim. In some cases, the threat actor might have attempted to stay\r\nunder the radar and hide their traces from potential reviews by creating rule names solely using special characters\r\nor non-alphabetic symbols like “….” or “\\’\\’\\’\\’”.\r\nFigure 4. An example of inbox rule creation to delete all incoming emails from the Workday portal,\r\ncaptured through Microsoft Defender for Cloud Apps\r\nPersistence\r\nIn observed cases, the threat actor established persistence by enrolling their own phone numbers as MFA devices\r\nfor victim accounts, either through Workday profiles or Duo MFA settings. By doing so, they bypassed the need\r\nfor further MFA approval from the legitimate user, enabling continued access without detection.\r\nImpact\r\nThe threat actor subsequently accessed Workday through single sign-on (SSO) and changed the victim’s\r\npayroll/bank account information.\r\nWith the Workday connector enabled in Microsoft Defender for Cloud Apps, analysts can efficiently investigate\r\nand identify attack traces by examining Workday logs and Defender-recorded actions. There are multiple\r\nindicators available to help pinpoint these changes. For example, one indicator from the Workday logs generated\r\nby such threat actor changes is an event called “Change My Account” or “Manage Payment Elections”, depending\r\non the type of modifications performed in the Workday application audit logs:\r\nFigure 5. 
Example of payment modification audit log as captured through Microsoft Defender for\r\nCloud Apps\r\nThese payroll modifications are frequently accompanied by notification emails informing users that payroll or\r\nbank details have been changed or updated. As previously discussed, threat actors might attempt to eliminate these\r\nmessages either through manual deletion or by establishing inbox rules. These deletions can be identified by\r\nmonitoring Exchange Online events such as SoftDelete, HardDelete, and MoveToDeletedItems. The subjects of\r\nthese emails typically contain the following terms:\r\n“Payment Elections”\r\n“Payment Election”\r\n“Direct Deposit”\r\nMicrosoft Defender for Cloud Apps correlates signals from both Microsoft Exchange Online (first-party SaaS\r\napplication) and Workday (third-party SaaS application), enabling thorough detection of suspicious activities that\r\nspan multiple systems, as seen in the image below. Only by correlating first-party and third-party signals is it\r\npossible to detect this activity spanning multiple systems.\r\nFigure 6. Example of audit logs captured through Microsoft Defender for Cloud Apps showcasing\r\nan inbox rule creation in Microsoft Exchange Online followed by payroll account modification in\r\nWorkday\r\nMitigation and protection guidance\r\nMitigating threats from actors like Storm-2657 begins with securing user identity by eliminating traditional\r\ncredentials and adopting passwordless, phishing-resistant MFA methods such as FIDO2 security keys, Windows\r\nHello for Business, and Microsoft Authenticator passkeys.\r\nMicrosoft recommends enforcing phishing-resistant MFA for privileged roles in Microsoft Entra ID to\r\nsignificantly reduce the risk of account compromise. 
Learn how to require phishing-resistant MFA for admin\r\nroles and plan a passwordless deployment.\r\nPasswordless authentication improves security, enhances user experience, and reduces IT overhead.\r\nExplore Microsoft’s overview of passwordless authentication and authentication strength guidance to understand\r\nhow to align your organization’s policies with best practices. For broader strategies on defending against identity-based attacks, refer to Microsoft’s blog on evolving identity attack techniques.\r\nIf Microsoft Defender alerts indicate suspicious activity or a confirmed compromised account or system, it’s\r\nessential to act quickly and thoroughly. Below are recommended remediation steps for each affected identity:\r\n1. Reset credentials – Immediately reset the account’s password and revoke any active sessions or tokens.\r\nThis ensures that any stolen credentials can no longer be used.\r\n2. Re-register or remove MFA devices – Review users’ MFA devices, specifically those recently added or\r\nupdated.\r\n3. Revert unauthorized payroll or financial changes – If the attacker modified payroll or financial\r\nconfigurations, such as direct deposit details, revert them to their original state and notify the appropriate\r\ninternal teams.\r\n4. Remove malicious inbox rules – Attackers often create inbox rules to hide their activity or forward\r\nsensitive data. Review and delete any suspicious or unauthorized rules.\r\n5. 
Verify MFA reconfiguration – Confirm that the user has successfully reconfigured MFA and that the new\r\nsetup uses secure, phishing-resistant methods.\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints,\r\nidentities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.\r\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate\r\nand respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\r\nTactic: Initial access\r\nObserved activity: Threat actor gains access to account through phishing\r\nMicrosoft Defender coverage:\r\nMicrosoft Defender for Office 365\r\n– Email messages removed after delivery\r\n– Email reported by user as malware or phish\r\nMicrosoft Defender XDR\r\n– Compromised user account in a recognized attack pattern\r\n– Anonymous IP address\r\nTactic: Defense evasion\r\nObserved activity: Threat actor creates an inbox rule to delete incoming emails from Workday\r\nMicrosoft Defender coverage:\r\nMicrosoft Defender for Cloud Apps\r\n– Possible BEC-related inbox rule\r\n– Suspicious inbox manipulation rule\r\n– Suspicious Workday inbox rule creation followed by a Workday session\r\n– Malicious inbox rule manipulation possibly related to BEC payroll fraud attempt\r\nTactic: Impact\r\nObserved activity: Threat actor gains access to victim’s Workday profile and modifies payroll elections\r\nMicrosoft Defender coverage:\r\nMicrosoft Defender for Cloud Apps\r\n– Suspicious payroll configuration user activity in Workday\r\nHunting queries\r\nMicrosoft Defender XDR\r\nThe Microsoft Defender for Cloud Apps connector for Workday includes write events such as Workday account\r\nupdates, payroll configuration changes, etc. 
These are available in the Defender XDR CloudAppEvents hunting\r\ntables for further investigation. Important events related to this attack include, but are not limited to:\r\nAdd iOS Device\r\nAdd Android Device\r\nChange My Account\r\nManage Payment Elections\r\nInstall the Microsoft Defender for Cloud Apps connector for Workday to take advantage of these logging,\r\ninvestigation, and detection capabilities.\r\nReview inbox rules created to hide or delete incoming emails from Workday\r\nResults of the following query may indicate an attacker is trying to delete evidence of Workday activity.\r\nCloudAppEvents\r\n| where Timestamp >= ago(1d)\r\n| where Application == \"Microsoft Exchange Online\" and ActionType in (\"New-InboxRule\", \"Set-InboxRule\")\r\n| extend Parameters = RawEventData.Parameters // extract inbox rule parameters\r\n| where Parameters has \"From\" and Parameters has \"@myworkday.com\" // filter for inbox rules with a From field and @myworkday.com in the parameters\r\n| where Parameters has \"DeleteMessage\" or Parameters has \"MoveToFolder\" // email deletion or move to folder (hiding)\r\n| mv-apply Parameters on (where Parameters.Name == \"From\"\r\n| extend RuleFrom = tostring(Parameters.Value))\r\n| mv-apply Parameters on (where Parameters.Name == \"Name\"\r\n| extend RuleName = tostring(Parameters.Value))\r\nReview updates to payment election or bank account information in Workday\r\nThe following query surfaces changes to payment accounts in Workday.\r\nCloudAppEvents\r\n| where Timestamp >= ago(1d)\r\n| where Application == \"Workday\"\r\n| where ActionType == \"Change My Account\" or ActionType == \"Manage Payment Elections\"\r\n| extend Descriptor = tostring(RawEventData.target.descriptor)\r\nReview device additions in Workday\r\nThe following query looks for recent device 
additions in Workday. If the device is unknown, it may indicate an\r\nattacker joined their own device for persistence and MFA evasion.\r\nCloudAppEvents\r\n| where Timestamp >= ago(1d)\r\n| where Application == \"Workday\"\r\n| where ActionType has \"Add iOS Device\" or ActionType has \"Add Android Device\"\r\n| extend Descriptor = tostring(RawEventData.target.descriptor) // will contain information about the device\r\nHunt for bulk suspicious emails from .edu sender\r\nThe following query identifies email from .edu senders sent to a high number of users.\r\nEmailEvents\r\n| where Timestamp >= ago(7d)\r\n| where SenderFromDomain has \"edu\" or SenderMailFromDomain has \"edu\"\r\n| where EmailDirection == \"Inbound\"\r\n| summarize dcount(RecipientEmailAddress), dcount(InternetMessageId), make_set(InternetMessageId),\r\ndcount(Subject), dcount(NetworkMessageId), take_any(NetworkMessageId) by bin(Timestamp,1d),\r\nSenderFromAddress\r\n| where dcount_RecipientEmailAddress > 100 // number can be adjusted; usually the sender will send emails to around 100-600 recipients per day\r\nHunt for phishing URL from identified .edu phish sender\r\nIf a suspicious .edu sender has been identified, use the following query to surface email events from this sender\r\naddress.\r\nEmailEvents\r\n| where Timestamp >= ago(1d)\r\n| where SenderFromAddress == \"<identified .edu phish sender>\"\r\n| where EmailDirection == \"Inbound\"\r\n| project NetworkMessageId, Subject, InternetMessageId\r\n| join EmailUrlInfo on NetworkMessageId\r\n| where Timestamp >= ago(1d)\r\n| project Url, NetworkMessageId, Subject, InternetMessageId\r\nHunt for user clicks to suspicious URL from the identified .edu phish sender (previous query)\r\nIf a suspicious .edu sender has been 
identified, use the below query to surface user clicks that may indicate a\r\nmalicious link was accessed.\r\nEmailEvents\r\n| where Timestamp >= ago(1d)\r\n| where SenderFromAddress == \"<identified .edu phish sender>\"\r\n| where EmailDirection == \"Inbound\"\r\n| project NetworkMessageId, Subject, InternetMessageId\r\n| join UrlClickEvents on NetworkMessageId\r\n| where Timestamp >= ago(1d)\r\n| project AccountUpn, Subject, InternetMessageId, DetectionMethods, ThreatTypes, IsClickedThrough // these users very likely fell for the phishing attack\r\nMicrosoft Sentinel\r\nInstall the Workday connector for Microsoft Sentinel. Microsoft Sentinel has a range of detection and threat\r\nhunting content that customers can use to detect the post-exploitation activity detailed in this blog.\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. 
If\r\nthe TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the\r\nMicrosoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.\r\nMalicious inbox rule\r\nThe query includes filters specific to inbox rule creation, operations for messages with ‘DeleteMessage’, and\r\nsuspicious keywords.\r\nlet Keywords = dynamic([\"helpdesk\", \" alert\", \" suspicious\", \"fake\", \"malicious\", \"phishing\", \"spam\",\r\n\"do not click\", \"do not open\", \"hijacked\", \"Fatal\"]);\r\nOfficeActivity\r\n| where OfficeWorkload =~ \"Exchange\"\r\n| where Operation =~ \"New-InboxRule\" and (ResultStatus =~ \"True\" or ResultStatus =~ \"Succeeded\")\r\n| where Parameters has \"Deleted Items\" or Parameters has \"Junk Email\" or Parameters has\r\n\"DeleteMessage\"\r\n| extend Events=todynamic(Parameters)\r\n| parse Events with * \"SubjectContainsWords\" SubjectContainsWords '}'*\r\n| parse Events with * \"BodyContainsWords\" BodyContainsWords '}'*\r\n| parse Events with * \"SubjectOrBodyContainsWords\" SubjectOrBodyContainsWords '}'*\r\n| where SubjectContainsWords has_any (Keywords)\r\nor BodyContainsWords has_any (Keywords)\r\nor SubjectOrBodyContainsWords has_any (Keywords)\r\n| extend ClientIPAddress = case( ClientIP has \".\", tostring(split(ClientIP,\":\")[0]), ClientIP has \"[\", tostring(trim_start(@'[[]',tostring(split(ClientIP,\"]\")[0]))), ClientIP )\r\n| extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords,\r\n(iff(isnotempty(BodyContainsWords),BodyContainsWords,SubjectOrBodyContainsWords )))\r\n| extend RuleDetail = case(OfficeObjectId contains '/' , tostring(split(OfficeObjectId, '/')[-1]) ,\r\ntostring(split(OfficeObjectId, '\\\\')[-1]))\r\n| summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = 
max(TimeGenerated) by\r\nOperation, UserId, ClientIPAddress, ResultStatus, Keyword, OriginatingServer, OfficeObjectId,\r\nRuleDetail\r\n| extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId,\r\n\"@\")[1])\r\n| extend OriginatingServerName = tostring(split(OriginatingServer, \" \")[0])\r\nRisky sign-in with new MFA method\r\nThis query identifies scenarios of risky sign-ins tied to new MFA methods being added.\r\nlet mfaMethodAdded=CloudAppEvents\r\n| where ActionType =~ \"Update user.\"\r\n| where RawEventData has \"StrongAuthenticationPhoneAppDetail\"\r\n| where isnotempty(RawEventData.ObjectId) and isnotempty(RawEventData.Target[1].ID)\r\n| extend AccountUpn = tostring(RawEventData.ObjectId)\r\n| extend AccountObjectId = tostring(RawEventData.Target[1].ID)\r\n| project MfaAddedTimestamp=Timestamp,AccountUpn,AccountObjectId;\r\nlet usersWithNewMFAMethod=mfaMethodAdded\r\n| distinct AccountObjectId;\r\nlet hasusersWithNewMFAMethod = isnotempty(toscalar(usersWithNewMFAMethod));\r\nlet riskySignins=AADSignInEventsBeta\r\n| where hasusersWithNewMFAMethod\r\n| where AccountObjectId in (usersWithNewMFAMethod)\r\n| where RiskLevelDuringSignIn in (\"50\",\"100\") //Medium and High sign-in risk level.\r\n| where Application in (\"Office 365 Exchange Online\", \"OfficeHome\")\r\n| where isnotempty(SessionId)\r\n| project SignInTimestamp=Timestamp, Application, SessionId, AccountObjectId,\r\nIPAddress,RiskLevelDuringSignIn\r\n| summarize SignInTimestamp=argmin(SignInTimestamp,*) by Application,SessionId,\r\nAccountObjectId, IPAddress,RiskLevelDuringSignIn;\r\nmfaMethodAdded\r\n| join riskySignins on AccountObjectId\r\n| where MfaAddedTimestamp - SignInTimestamp < 6h //Time delta between risky sign-in and device registration less than 6h\r\n| project-away 
AccountObjectId1\r\nMicrosoft Security Copilot\r\nSecurity Copilot customers can use the standalone experience to create their own prompts or run the following\r\nprebuilt promptbooks to automate incident response or investigation tasks related to this threat:\r\nIncident investigation\r\nMicrosoft User analysis\r\nThreat actor profile\r\nThreat Intelligence 360 report based on MDTI article\r\nVulnerability impact assessment\r\nNote that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or\r\nMicrosoft Sentinel.\r\nAcknowledgments\r\nWe would like to thank Workday for their collaboration and assistance in responding to this threat.\r\nWorkday customers can refer to the guidance published by Workday on their community:\r\nhttps://community.workday.com/alerts/customer/1229867.\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn, X\r\n(formerly Twitter), and Bluesky.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat\r\nlandscape, listen to the Microsoft Threat Intelligence podcast.\r\nSource: https://www.microsoft.com/en-us/security/blog/2025/10/09/investigating-targeted-payroll-pirate-attacks-affecting-us-universities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2025/10/09/investigating-targeted-payroll-pirate-attacks-affecting-us-universities/"
	],
	"report_names": [
		"investigating-targeted-payroll-pirate-attacks-affecting-us-universities"
	],
	"threat_actors": [
		{
			"id": "d9069339-ff51-49f4-a04a-90def2a03d20",
			"created_at": "2026-01-23T02:00:03.280976Z",
			"updated_at": "2026-04-10T02:00:03.926956Z",
			"deleted_at": null,
			"main_name": "Storm-2657",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-2657",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434102,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3d60662e282059cc6824b31009f75e9d8c0382f.pdf",
		"text": "https://archive.orkl.eu/b3d60662e282059cc6824b31009f75e9d8c0382f.txt",
		"img": "https://archive.orkl.eu/b3d60662e282059cc6824b31009f75e9d8c0382f.jpg"
	}
}