Rising Payroll Phishing Attacks Target US Universities in 2025
Cybercriminals are increasingly focusing on educational institutions in 2025, employing sophisticated phishing schemes to manipulate staff and hijack salary payments. Universities across the United States are facing a new wave of cyber threats orchestrated by a hacking group known as Storm-2657, which has been conducting “pirate payroll” attacks since March 2025. These attacks aim to compromise payroll accounts, alter payment details, and redirect funds to criminal-controlled accounts, all while avoiding detection.
The Mechanics of the Attack
Storm-2657 primarily targets staff who use popular human resources and payroll platforms such as Workday, gaining access through highly convincing phishing emails rather than through flaws in the software itself. These messages often mimic official communications from university leadership or HR departments, creating a sense of urgency by citing issues such as campus health crises or investigations into faculty members. Some emails impersonate university presidents or HR officials, sharing urgent updates about salaries or benefits.
The emails contain malicious links that lead to adversary-in-the-middle (AiTM) phishing pages: the page relays the victim's login to the real service and captures both the credentials and the multi-factor authentication (MFA) code in transit, so a one-time code offers no protection against it. Once attackers gain access, they create mailbox rules that delete or hide notifications about payroll changes, allowing them to silently modify payment details and divert salaries without alerting the employee.
The Reach and Impact of the Attacks
Storm-2657’s operations extend beyond individual accounts. By compromising just a handful of email accounts at three universities, the group has sent phishing emails to nearly 6,000 addresses across 25 institutions. Sending from internal, trusted accounts significantly raises the success rate, because recipients are more inclined to trust messages from colleagues. To maintain persistent access, the attackers often register their own phone numbers as additional MFA devices, enabling them to approve fraudulent sign-ins and transactions indefinitely, even after the original phishing session has expired.
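The two persistence steps described above (a mailbox rule that hides payroll notifications, followed by a new phone registered as an MFA device) leave traces in tenant audit logs, and correlating them is a practical detection. The following is an added example, not code from the article or from Microsoft; it runs over constructed, simplified event records whose field names (`op`, `params`, `SubjectContainsWords`, `MoveToFolder`, `country`) are assumptions modelled loosely on the shape of Microsoft 365 audit entries, not an actual export format.

```python
"""Flag mailbox-rule and MFA-device changes consistent with payroll diversion.

Added detection example. EVENTS below are constructed, simplified records for
illustration; the field names are assumptions, not a real audit-log schema.
"""
from datetime import datetime, timedelta

# Subject words a salary-redirection rule would need to suppress.
PAYROLL_KEYWORDS = ("payroll", "direct deposit", "workday", "bank account", "salary", "benefits")
# Folders commonly used to park mail where the owner will not look.
HIDING_FOLDERS = ("deleted items", "rss feeds", "archive", "junk email", "conversation history")
# Countries from which staff normally register new sign-in methods (assumption).
EXPECTED_COUNTRIES = {"US"}

# Constructed sample events (not real data).
EVENTS = [
    {"time": "2025-04-02T09:14:00", "user": "prof.a@example.edu", "op": "New-InboxRule",
     "params": {"SubjectContainsWords": ["Workday", "direct deposit"], "DeleteMessage": True}},
    {"time": "2025-04-02T09:20:00", "user": "prof.a@example.edu", "op": "User registered security info",
     "params": {"method": "phone", "country": "NG"}},
    {"time": "2025-04-03T11:00:00", "user": "staff.b@example.edu", "op": "New-InboxRule",
     "params": {"SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"}},
    {"time": "2025-04-03T12:00:00", "user": "staff.b@example.edu", "op": "User registered security info",
     "params": {"method": "phone", "country": "US"}},
    {"time": "2025-04-04T08:00:00", "user": "staff.c@example.edu", "op": "Set-InboxRule",
     "params": {"SubjectContainsWords": ["Payroll"], "MoveToFolder": "RSS Feeds", "MarkAsRead": True}},
]


def is_hiding_rule(params):
    """True if a rule matches payroll-related subjects AND suppresses the message."""
    subjects = [s.lower() for s in params.get("SubjectContainsWords", [])]
    matches_payroll = any(kw in s for s in subjects for kw in PAYROLL_KEYWORDS)
    hides = bool(params.get("DeleteMessage")
                 or params.get("MarkAsRead")
                 or params.get("MoveToFolder", "").lower() in HIDING_FOLDERS)
    return matches_payroll and hides


def find_suspicious_rules(events):
    """Inbox rule creations/edits that would hide payroll change notifications."""
    return [e for e in events
            if e["op"] in ("New-InboxRule", "Set-InboxRule") and is_hiding_rule(e["params"])]


def find_suspicious_mfa_registrations(events, window_hours=24):
    """Phone-method registrations that follow a hiding rule by the same user
    within the window, or that originate outside the expected countries."""
    rules = find_suspicious_rules(events)
    hits = []
    for e in events:
        if e["op"] != "User registered security info" or e["params"].get("method") != "phone":
            continue
        t = datetime.fromisoformat(e["time"])
        near_rule = any(r["user"] == e["user"]
                        and abs(t - datetime.fromisoformat(r["time"])) <= timedelta(hours=window_hours)
                        for r in rules)
        odd_origin = e["params"].get("country") not in EXPECTED_COUNTRIES
        if near_rule or odd_origin:
            hits.append(e)
    return hits


def triage(events):
    """Group findings; users with both signals are the first to investigate."""
    rules = find_suspicious_rules(events)
    mfa = find_suspicious_mfa_registrations(events)
    both = {r["user"] for r in rules} & {m["user"] for m in mfa}
    return {"suspicious_rules": rules,
            "suspicious_mfa": mfa,
            "high_priority_users": sorted(both)}


if __name__ == "__main__":
    result = triage(EVENTS)
    for key in ("suspicious_rules", "suspicious_mfa"):
        for e in result[key]:
            print(f"{key}: {e['time']} {e['user']} {e['op']}")
    print("high priority:", result["high_priority_users"])
```

In the constructed sample, the first user creates a rule deleting Workday and direct-deposit mail and registers a phone six minutes later, so both signals fire; the third user has only the hiding rule. A real deployment would feed this from the tenant's audit export and treat a hit as a trigger to revoke sessions, remove the added MFA method and verify the account's current payroll details with the employee out of band.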
Microsoft Threat Intelligence reports that these attacks rely heavily on social engineering and weak security practices, rather than software flaws. This underscores the importance of strong security protocols and user awareness to prevent infiltration.
Protecting Yourself and Your Institution
Preventive measures are straightforward but vital. Employees should verify any unexpected request related to payroll or benefits by contacting HR directly through known contact details, rather than clicking links in suspicious emails. Installing reputable antivirus software and enabling multi-factor authentication on all accounts adds crucial layers of defense; because this campaign captures one-time MFA codes through its phishing pages, phishing-resistant methods such as FIDO2 security keys or passkeys protect better than codes delivered by SMS or an authenticator app.
Individuals can also reduce their exposure by limiting the amount of personal data available online, since attackers use such details to make lures convincing. Data removal services can help by monitoring and erasing personal information from web sources, decreasing the chances of targeted phishing attempts. Regularly checking accounts for unusual activity, including unfamiliar mailbox rules or newly added MFA devices, and using unique passwords stored in a password manager further bolster security.
Universities and staff members must stay vigilant, especially as cybercriminals exploit trust and social engineering tactics to bypass technical safeguards. The evolving threat landscape emphasizes the need for ongoing cybersecurity education and robust authentication practices to safeguard finances and sensitive information.