Microsoft is warning of an active scam that diverts employees' paycheck payments to attacker-controlled accounts after first taking over their profiles on Workday or other cloud-based HR services.
Payroll Pirate, as Microsoft says the campaign has been dubbed, gains access to victims’ HR portals by sending them phishing emails that trick the recipients into providing their credentials for logging in to the cloud account. The scammers are able to recover multi-factor authentication codes by using adversary-in-the-middle tactics: a fake site operated by the attackers sits between the victims and the genuine service, so the victims believe they are logging in to the real site while in fact handing their credentials to the attackers' page.
Not all MFA is created equal
The attackers then enter the intercepted credentials, including the MFA code, into the real site. This tactic, which has grown increasingly common in recent years, underscores the importance of adopting FIDO-compliant forms of MFA, which are immune to such attacks.
Once inside the employees’ accounts, the scammers make changes to payroll configurations within Workday. The changes cause direct-deposit payments to be diverted from accounts originally chosen by the employee and instead flow to an account controlled by the attackers. To block messages Workday automatically sends to users when such account details have been changed, the attackers create email rules that keep the messages from appearing in the inbox.
“The threat actor used realistic phishing emails, targeting accounts at multiple universities, to harvest credentials,” Microsoft said in a Thursday post. “Since March 2025, we’ve observed 11 successfully compromised accounts at three universities that were used to send phishing emails to nearly 6,000 email accounts across 25 universities.”
The phishing lures use a variety of themes to trick recipients. In one case, the email claimed employees may have been exposed to a recently discovered communicable disease on campus and provided a link to a page that would disclose whether the individual was among those exposed. A second theme is that there has been a recent change in employee benefits, along with a link for the recipient to learn more. The links lead to an attacker-controlled page that’s disguised as a login page for the employees' work account.
In some cases, the attackers successfully added a phone number they controlled as a backup form of account recovery. The move allows the attackers to gain persistent access to the breached account.
Microsoft’s warning is a good reminder of why forms of MFA that rely on one-time codes, emails, text messages, and push notifications should be avoided whenever possible. Much more secure alternatives are passkeys, physical security keys, and other forms of FIDO-compliant authentication. To date, there have been no known instances of FIDO MFA falling to such scams. Of course, when end-user or cloud-based systems are already compromised or online services allow non-FIDO fallbacks, all bets are off.
It’s also a good idea to periodically check email filtering rules in search of any that may be blocking security-related emails from Workday or other services.
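One way to act on that advice, and on the inbox-rule tactic described earlier, as an added example that is not from Microsoft's post or this article: a Python script that scans an exported set of a user's inbox rules and flags any enabled rule that matches Workday or payroll-related mail and then deletes it or moves it out of the inbox. The rule records and their field names are constructed to resemble an Exchange Online Get-InboxRule export converted to JSON; they are assumptions, not values taken from the page.

```python
import json

# Constructed sample export of one user's inbox rules. Field names are assumed to
# mirror an Exchange Online Get-InboxRule export; neither is from the article.
SAMPLE_RULES_JSON = """
[
  {"Name": "Newsletters", "Enabled": true, "FromAddressContainsWords": ["news@"],
   "MoveToFolder": "Newsletters", "DeleteMessage": false, "MarkAsRead": false},
  {"Name": "Sync", "Enabled": true,
   "SubjectContainsWords": ["direct deposit", "payment election"],
   "MoveToFolder": "RSS Subscriptions", "DeleteMessage": false, "MarkAsRead": true},
  {"Name": "cleanup", "Enabled": true, "FromAddressContainsWords": ["workday"],
   "DeleteMessage": true, "MarkAsRead": false},
  {"Name": "Old vendor", "Enabled": false, "FromAddressContainsWords": ["workday"],
   "DeleteMessage": true, "MarkAsRead": false}
]
"""

# Words a payroll or HR-portal notification is likely to carry (assumed; extend per tenant).
SENSITIVE_TERMS = ("workday", "direct deposit", "payment election", "bank account", "payroll")


def hiding_action(rule):
    """Describe how the rule keeps a message out of the inbox, or return None."""
    if rule.get("DeleteMessage"):
        return "deletes message"
    folder = rule.get("MoveToFolder")
    if folder and folder.lower() != "inbox":
        suffix = " and marks as read" if rule.get("MarkAsRead") else ""
        return f"moves to {folder}{suffix}"
    return None


def sensitive_conditions(rule):
    """Return the rule's match conditions that reference payroll/HR terms."""
    keys = ("SubjectContainsWords", "FromAddressContainsWords", "BodyContainsWords")
    conditions = [c for k in keys for c in (rule.get(k) or [])]
    return [c for c in conditions if any(t in c.lower() for t in SENSITIVE_TERMS)]


def suspicious_rules(rules_json):
    """Flag enabled rules that both match payroll/HR mail and hide it from the inbox."""
    findings = []
    for rule in json.loads(rules_json):
        if not rule.get("Enabled", True):
            continue  # a disabled rule cannot suppress anything today
        action, hits = hiding_action(rule), sensitive_conditions(rule)
        if action and hits:
            findings.append({"name": rule["Name"], "action": action, "matched": hits})
    return findings


if __name__ == "__main__":
    print(json.dumps(suspicious_rules(SAMPLE_RULES_JSON), indent=2))
```

Any hit should be reviewed with the user, since a legitimate rule rarely needs to delete or bury notifications about bank-account changes.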