Microsoft warns of latest “Payroll Pirate” scam stealing employees’ direct deposits

Microsoft is warning of an active scam that diverts employees’ paycheck payments to attacker-controlled accounts after first taking over their profiles on Workday or other cloud-based HR services.

Payroll Pirate, as Microsoft says the campaign has been dubbed, gains access to victims’ HR portals by sending them phishing emails that trick the recipients into providing their credentials for logging in to the cloud account. The scammers are able to intercept multi-factor authentication codes through adversary-in-the-middle tactics, which work by sitting between the victims and the site they think they’re logging in to, which is, in reality, a fake site operated by the attackers.

Not all MFA is created equal

The attackers then enter the intercepted credentials, including the MFA code, into the genuine site. This tactic, which has grown increasingly common lately, underscores the importance of adopting FIDO-compliant types of MFA, which are resistant to such attacks.

Once inside the workers’ accounts, the scammers make changes to payroll configurations inside Workday. The changes cause direct-deposit payments to be diverted from the accounts originally chosen by the worker and instead flow to an account controlled by the attackers. To block the messages Workday automatically sends to users when such account details have been modified, the attackers create email rules that keep the messages from appearing in the inbox.
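The two steps described above (a new inbox rule that hides HR notifications, followed by a payroll account change on the same account) give defenders a pattern to correlate. The following is an added detection example, not code from Microsoft’s post; the event names, field names and sample records are constructed assumptions standing in for whatever a tenant’s audit and HR logs actually export.

```python
"""Flag accounts where an inbox rule that hides Workday mail was created
within a short window of a direct-deposit change (Payroll Pirate pattern)."""
from datetime import datetime, timedelta

# Constructed sample audit events; field and event names are assumptions.
EVENTS = [
    {"ts": "2025-03-10T09:02:00", "user": "alice@uni.example",
     "kind": "InboxRuleCreated", "detail": {"from_contains": "workday", "action": "delete"}},
    {"ts": "2025-03-10T09:15:00", "user": "alice@uni.example",
     "kind": "PayrollAccountChanged", "detail": {}},
    {"ts": "2025-03-10T11:00:00", "user": "bob@uni.example",
     "kind": "InboxRuleCreated", "detail": {"from_contains": "newsletter", "action": "move"}},
    {"ts": "2025-03-12T08:00:00", "user": "carol@uni.example",
     "kind": "PayrollAccountChanged", "detail": {}},
]

# Rule actions that keep a notification out of the user's view.
HIDING_ACTIONS = {"delete", "move", "mark_read"}
WINDOW = timedelta(hours=24)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def hides_hr_mail(event):
    """True if an inbox rule would suppress mail from the HR/payroll system."""
    detail = event["detail"]
    return (event["kind"] == "InboxRuleCreated"
            and "workday" in detail.get("from_contains", "").lower()
            and detail.get("action") in HIDING_ACTIONS)


def find_suspicious_users(events, window=WINDOW):
    """Return users with a payroll change within `window` of a hiding rule."""
    by_user = {}
    for event in events:
        by_user.setdefault(event["user"], []).append(event)
    flagged = []
    for user, evs in by_user.items():
        rules = [_ts(e) for e in evs if hides_hr_mail(e)]
        changes = [_ts(e) for e in evs if e["kind"] == "PayrollAccountChanged"]
        # Either order counts: the rule may be created before or after the change.
        if any(abs(c - r) <= window for r in rules for c in changes):
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    print(find_suspicious_users(EVENTS))  # ['alice@uni.example']
```

Bob’s newsletter rule and Carol’s lone payroll change are not flagged on their own; only the combination on one account within the window is.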

“The threat actor used realistic phishing emails, targeting accounts at multiple universities, to reap credentials,” Microsoft said in a Thursday post. “Since March 2025, we’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to just about 6,000 email accounts across 25 universities.”
