
Digital Event Horizon

A Comprehensive Look into the "Payroll Pirate" Scam: A Threat to Employee Paychecks



The "Payroll Pirate" scam has been identified by Microsoft as a growing threat to employees' paycheck payments. This campaign uses phishing tactics and adversary-in-the-middle techniques to gain access to cloud-based HR accounts, compromising payroll configurations in the process. Understanding the measures being taken by Microsoft to address this issue is crucial for protecting employee paychecks.

  • Microsoft has issued a warning about the "Payroll Pirate" scam targeting employees' paycheck payments.
  • The scammers use phishing emails to trick victims into providing their credentials for cloud-based HR services.
  • Attackers recover multi-factor authentication codes and enter them into the real site using adversary-in-the-middle tactics.
  • Direct-deposit payments are diverted from employees' original accounts to accounts controlled by attackers.
  • Microsoft observed 11 compromised accounts at three universities sent phishing emails to nearly 6,000 email addresses.
  • The scammers used various themes to trick recipients, including claims of a communicable disease or change in employee benefits.
  • Microsoft recommends using FIDO-compliant multi-factor authentication and avoiding one-time codes via email or text messages.


Microsoft has issued a warning about a sophisticated scam targeting employees' paycheck payments, which it has dubbed the "Payroll Pirate." This campaign involves phishing emails that trick victims into providing their credentials for logging in to cloud-based HR services. The scammers use adversary-in-the-middle tactics to recover multi-factor authentication codes and then enter them into the real site.

Once inside the employees' accounts, the attackers make changes to payroll configurations within Workday, causing direct-deposit payments to be diverted from the original account chosen by the employee to an account controlled by the attackers. To block messages sent by Workday when such account details have been changed, the attackers create email rules that keep these messages from appearing in the inbox.

Microsoft observed 11 successfully compromised accounts at three universities, which were used to send phishing emails to nearly 6,000 email addresses across 25 universities. The scammers employed various themes to trick recipients, including a claim that employees had been exposed to a communicable disease on campus or that there had been a recent change in employee benefits.

The attackers successfully added a phone number they controlled as a backup form of account recovery, allowing them to gain persistent access to the breached account. Microsoft emphasizes the importance of adopting FIDO-compliant forms of multi-factor authentication, which are immune to such attacks.

In contrast, one-time codes sent via email, text messages, or push notifications should be avoided whenever possible. Passkeys and physical security keys are considered more secure alternatives. Furthermore, it is recommended to periodically check email filtering rules for any that may be blocking security-related emails from Workday or other services.
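The recommendation above, to periodically review mailbox rules for ones that hide Workday or other HR notifications, can be automated. The script below is an added example written for this page; it is not Microsoft's tooling or code from the article. The `InboxRule` fields, the action names, and the sample rules are constructed to resemble what an Exchange or Graph "list inbox rules" export contains, not a real API schema; the watched sender domains and phrases are assumptions to be tuned to the HR platforms an organisation actually uses.

```python
"""
Audit a user's inbox rules for ones that would suppress payroll / HR
notifications such as Workday's "direct deposit changed" alerts.

A rule is suspicious when it BOTH targets HR/payroll mail (by sender or by
wording) AND applies an action that keeps the message out of sight.
"""
from dataclasses import dataclass, field

# Assumed sender fragments and phrases an attacker diverting payroll would
# want to hide. Constructed for this example; adjust to your environment.
WATCHED_SENDERS = ("workday.com", "myworkday.com", "payroll@", "hr@")
WATCHED_PHRASES = ("direct deposit", "payment election", "bank account",
                   "payroll", "account recovery", "security alert")

# Assumed action names; these stop a message from being noticed in the inbox.
HIDING_ACTIONS = {"delete", "move_to_deleted_items", "move_to_junk",
                  "move_to_rss_feeds", "move_to_archive", "mark_as_read"}
DELETE_LIKE = {"delete", "move_to_deleted_items", "move_to_junk"}
RECENT_DAYS = 7  # rules created this recently get extra weight


@dataclass
class InboxRule:
    """Constructed shape of one inbox rule (hypothetical field names)."""
    name: str
    from_contains: list = field(default_factory=list)   # sender conditions
    text_contains: list = field(default_factory=list)   # subject/body conditions
    actions: set = field(default_factory=set)
    created_days_ago: int = 0


def _hits(terms, watched):
    """Return the rule's condition terms that contain any watched fragment."""
    return [t for t in terms if any(w in t.lower() for w in watched)]


def rule_risk(rule):
    """Score one rule; returns (score, reasons). Score 0 means not flagged."""
    hides = rule.actions & HIDING_ACTIONS
    if not hides:
        return 0, []
    score, reasons = 0, []
    sender_hits = _hits(rule.from_contains, WATCHED_SENDERS)
    if sender_hits:
        score += 2
        reasons.append(f"targets HR/payroll sender {sender_hits}")
    phrase_hits = _hits(rule.text_contains, WATCHED_PHRASES)
    if phrase_hits:
        score += 2
        reasons.append(f"targets payroll wording {phrase_hits}")
    if score == 0:          # hides mail, but nothing payroll-related
        return 0, []
    if hides & DELETE_LIKE:
        score += 1
        reasons.append("deletes or junks the message")
    if rule.created_days_ago <= RECENT_DAYS:
        score += 1
        reasons.append("created within the last week")
    return score, reasons


def audit_rules(rules):
    """Return flagged rules as dicts, highest risk first."""
    findings = []
    for r in rules:
        score, reasons = rule_risk(r)
        if score:
            findings.append({"rule": r.name, "score": score, "reasons": reasons,
                             "hiding_actions": sorted(r.actions & HIDING_ACTIONS)})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


# Constructed sample rules: two benign, two that match the pattern the
# article describes (hiding Workday / direct-deposit notifications).
SAMPLE_RULES = [
    InboxRule("Workday cleanup", from_contains=["workday.com"],
              actions={"move_to_deleted_items", "mark_as_read"}, created_days_ago=2),
    InboxRule("Newsletters", from_contains=["news@example.com"],
              actions={"move_to_archive"}, created_days_ago=200),
    InboxRule("Payroll keywords", text_contains=["Direct Deposit", "payment election"],
              actions={"move_to_rss_feeds"}, created_days_ago=30),
    InboxRule("Flag manager mail", from_contains=["manager@example.com"],
              actions={"flag"}, created_days_ago=1),
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[score {f['score']}] {f['rule']}: {'; '.join(f['reasons'])} "
              f"(actions: {', '.join(f['hiding_actions'])})")
```

The scoring deliberately requires both a payroll-related condition and a hiding action before it flags anything, so ordinary "archive the newsletter" rules produce no noise; moving HR mail to an obscure folder such as RSS Feeds still scores, because the attackers' goal is only that the notification is never seen, not that it is deleted.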



    Related Information:
  • https://www.digitaleventhorizon.com/articles/A-Comprehensive-Look-into-the-Payroll-Pirate-Scam-A-Threat-to-Employee-Paychecks-deh.shtml

  • https://arstechnica.com/security/2025/10/payroll-pirate-phishing-scam-that-takes-over-workday-accounts-steals-paychecks/

  • https://thehackernews.com/2025/10/microsoft-warns-of-payroll-pirates.html


  • Published: Wed Oct 15 03:40:40 2025 by llama3.2 3B Q4_K_M
    © Digital Event Horizon . All rights reserved.
