Payroll Pirate: A Sophisticated Phishing Scam Targeting Employee Paychecks
Microsoft has issued a warning about an active phishing campaign, dubbed Payroll Pirate, which targets employees’ paychecks by taking over their profiles on Workday or other cloud-based HR services. The scam begins with phishing emails that lure victims to an attacker-controlled login page, where they enter their credentials. Because the page works as an adversary-in-the-middle (AitM) proxy, it relays the password and the one-time multi-factor authentication code the victim types to the real sign-in service in real time, so the attackers end up with an authenticated session on the victim’s HR account rather than just a password.
Understanding the Attack Vector
The Payroll Pirate campaign highlights the importance of adopting FIDO-compliant forms of multi-factor authentication (MFA), such as security keys and passkeys, which resist this kind of relay: the authenticator signs a challenge together with the origin the browser is actually on, so a response produced on a phishing domain is rejected by the real service, whereas a typed code works wherever it is forwarded. Using the intercepted credentials and MFA code, the scammers sign in to the employees’ accounts and change the payroll configuration within Workday, diverting direct-deposit payments from the employees’ original bank accounts to accounts controlled by the attackers. To avoid detection, the attackers also create inbox rules in the victim’s mailbox that delete or hide the notification emails Workday automatically sends when account or payment details are changed, so the employee never sees the warning.
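The difference between a relayable code and an origin-bound FIDO assertion is easiest to see in a toy model. The following is an added illustration, not Microsoft’s, Workday’s or the campaign’s code: the origins, user names and keys are constructed, and the FIDO “signature” is an HMAC stand-in for the real per-credential ECDSA signature (in real WebAuthn the relying party holds only the public key). The TOTP routine follows RFC 6238/4226 so the relay step is realistic.

```python
"""Toy model: an AitM phishing proxy can relay an OTP-style MFA code but not a
FIDO/WebAuthn assertion.  Added example, not Microsoft's or Workday's code.
Origins, users and keys are constructed; the FIDO signature is an HMAC stand-in
for the real ECDSA signature (in real WebAuthn the RP holds only a public key)."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://hr.example.edu"              # assumed real SSO/HR login origin
PHISH_ORIGIN = "https://hr-example-edu.example.net"  # assumed attacker lookalike origin


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 code for one time step: HMAC-SHA1 plus RFC 4226 dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class RelyingParty:
    """The real HR/SSO login endpoint."""

    def __init__(self) -> None:
        self.passwords: dict[str, str] = {}
        self.totp_secrets: dict[str, bytes] = {}
        self.fido_keys: dict[str, bytes] = {}      # stand-in for registered public keys
        self.challenges: dict[str, bytes] = {}

    def enroll(self, user: str, password: str) -> None:
        self.passwords[user] = password
        self.totp_secrets[user] = secrets.token_bytes(20)
        self.fido_keys[user] = secrets.token_bytes(32)

    # OTP path: whatever the user can type into a page, a proxy can forward.
    def login_totp(self, user: str, password: str, code: str, counter: int) -> bool:
        if self.passwords.get(user) != password:
            return False
        return hmac.compare_digest(code, totp(self.totp_secrets[user], counter))

    # FIDO path: the signed clientData names the origin the browser really visited.
    def begin_fido(self, user: str) -> bytes:
        self.challenges[user] = secrets.token_bytes(32)
        return self.challenges[user]

    def login_fido(self, user: str, assertion: dict) -> bool:
        client_data_json: str = assertion["client_data_json"]
        client_data = json.loads(client_data_json)
        expected = self.challenges.pop(user, None)
        if expected is None or client_data.get("challenge") != expected.hex():
            return False                                   # unknown or replayed challenge
        if client_data.get("origin") != LEGIT_ORIGIN:
            return False                                   # origin binding: phishing domain rejected
        mac = hmac.new(self.fido_keys[user], client_data_json.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(mac, assertion["signature"])


class Authenticator:
    """The user's security key / passkey.  The browser, not the page, fills in `origin`."""

    def __init__(self, user: str, rp: RelyingParty) -> None:
        self.key = rp.fido_keys[user]   # same stand-in key the RP enrolled

    def sign(self, challenge: bytes, browser_origin: str) -> dict:
        client_data_json = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
            sort_keys=True)
        sig = hmac.new(self.key, client_data_json.encode(), hashlib.sha256).digest()
        return {"client_data_json": client_data_json, "signature": sig}


def aitm_totp_attack(rp: RelyingParty, user: str, password: str, counter: int) -> bool:
    """Victim types password and current code into the phishing page; proxy replays them."""
    code_victim_typed = totp(rp.totp_secrets[user], counter)   # what the victim's app shows now
    return rp.login_totp(user, password, code_victim_typed, counter)


def aitm_fido_attack(rp: RelyingParty, user: str) -> tuple[bool, bool]:
    """Proxy forwards the real challenge; the victim's browser signs it on PHISH_ORIGIN.
    Returns (relayed assertion accepted, origin-rewritten assertion accepted)."""
    auth = Authenticator(user, rp)
    relayed = auth.sign(rp.begin_fido(user), PHISH_ORIGIN)
    relayed_ok = rp.login_fido(user, relayed)
    # Attacker rewrites the origin field to look legitimate; the signature no longer matches.
    tampered = auth.sign(rp.begin_fido(user), PHISH_ORIGIN)
    cd = json.loads(tampered["client_data_json"])
    cd["origin"] = LEGIT_ORIGIN
    tampered["client_data_json"] = json.dumps(cd, sort_keys=True)
    tampered_ok = rp.login_fido(user, tampered)
    return relayed_ok, tampered_ok


def legit_fido_login(rp: RelyingParty, user: str) -> bool:
    """Same authenticator, but the browser is on the real origin."""
    return rp.login_fido(user, Authenticator(user, rp).sign(rp.begin_fido(user), LEGIT_ORIGIN))


if __name__ == "__main__":
    rp = RelyingParty()
    rp.enroll("jdoe@example.edu", "hunter2")
    print("AitM vs TOTP succeeds:", aitm_totp_attack(rp, "jdoe@example.edu", "hunter2", 58_000_000))
    print("Legit FIDO login:", legit_fido_login(rp, "jdoe@example.edu"))
    print("AitM vs FIDO (relayed, tampered):", aitm_fido_attack(rp, "jdoe@example.edu"))
```

The model deliberately gives the proxy every advantage: it sees the password, the current code and the genuine challenge. The TOTP login still succeeds because nothing in the code ties it to where it was typed, while both FIDO attempts fail, one on the origin check and one on the signature, which is exactly the property that makes FIDO-compliant MFA the right control here.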
Impact and Scope of the Attack
According to Microsoft, the attackers have targeted accounts at multiple universities, using realistic phishing emails to harvest credentials. Since March 2025, Microsoft has observed 11 successfully compromised accounts at three universities, which were used to send phishing emails to nearly 6,000 email accounts across 25 universities. The threat actor’s tactics, techniques, and procedures (TTPs) are sophisticated and highlight the need for organizations to adopt robust security measures to protect their employees’ sensitive information.
Best Practices for Prevention
To prevent such attacks, organizations should implement FIDO-compliant MFA, educate employees about phishing attacks, and monitor both the HR system and mailboxes for the specific signals this campaign leaves: direct-deposit or bank-account changes in Workday, and newly created inbox rules that delete or move HR notification emails, especially when the two occur on the same account within days of each other. Payroll changes should be confirmed with the employee through a channel other than email. Employees should also be cautious when receiving emails that ask for their login credentials or other sensitive information. By taking these precautions, organizations can reduce the risk of falling victim to the Payroll Pirate campaign and other similar phishing scams.
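The monitoring advice above, and the notification-hiding inbox rules described earlier, can be turned into a concrete correlation check. The following is an added example with constructed audit records, not Microsoft’s or Workday’s code: the inbox-rule parameter names loosely follow Exchange Online audit-log fields, and the `DirectDepositChanged` / `PaymentElectionChanged` event names stand in for whatever change event the HR system actually exports.

```python
"""Detection sketch for the Payroll Pirate pattern: an inbox rule that hides
Workday/payroll mail, correlated with a direct-deposit change on the same user.
Added example, not Microsoft's or Workday's code.  The event records are
constructed; field names loosely follow Exchange Online inbox-rule audit
parameters plus an assumed HR-side change event, not any vendor's exact schema."""
from __future__ import annotations

from datetime import datetime, timedelta

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
PAYROLL_CHANGE_OPS = {"DirectDepositChanged", "PaymentElectionChanged"}   # assumed HR event names
HIDE_ACTIONS = ("DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead")
PAYROLL_TERMS = ("workday", "payroll", "direct deposit", "bank account", "payment election")
FILTER_FIELDS = ("From", "FromAddressContainsWords", "SubjectContainsWords", "BodyContainsWords")


def is_suspicious_rule(params: dict) -> bool:
    """A rule is suspicious if it matches HR/payroll mail AND deletes, moves or silences it."""
    filters = " ".join(str(params.get(f, "")) for f in FILTER_FIELDS).lower()
    targets_payroll = any(term in filters for term in PAYROLL_TERMS)
    hides = any(params.get(a) not in (None, False, "") for a in HIDE_ACTIONS)
    return targets_payroll and hides


def analyze(events: list[dict], window_days: int = 7) -> list[dict]:
    """Return alerts: medium for a hiding rule, high for a payroll change within
    window_days of such a rule on the same user, low for an uncorrelated change."""
    rules: dict[str, list[datetime]] = {}
    changes: list[tuple[str, datetime, str]] = []
    alerts: list[dict] = []
    for ev in events:
        user, ts = ev["user"].lower(), datetime.fromisoformat(ev["time"])
        if ev["op"] in RULE_OPS and is_suspicious_rule(ev["params"]):
            rules.setdefault(user, []).append(ts)
            alerts.append({"time": ev["time"], "user": user, "severity": "medium",
                           "reason": "inbox rule hides HR/payroll notifications"})
        elif ev["op"] in PAYROLL_CHANGE_OPS:
            changes.append((user, ts, ev["time"]))
    window = timedelta(days=window_days)
    for user, ts, raw in changes:   # second pass so a rule created after the change still counts
        near_rule = any(abs(ts - r) <= window for r in rules.get(user, []))
        alerts.append({"time": raw, "user": user,
                       "severity": "high" if near_rule else "low",
                       "reason": ("direct-deposit change with notification-hiding rule nearby"
                                  if near_rule else
                                  "direct-deposit change; confirm with employee out of band")})
    return sorted(alerts, key=lambda a: a["time"])


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    {"time": "2025-04-02T09:14:00", "user": "jdoe@example.edu", "op": "New-InboxRule",
     "params": {"Name": ".", "From": "noreply@workday.example", "DeleteMessage": True}},
    {"time": "2025-04-02T09:40:00", "user": "JDoe@example.edu", "op": "DirectDepositChanged",
     "params": {"old_account": "****1234", "new_account": "****9876"}},
    {"time": "2025-04-01T12:00:00", "user": "asmith@example.edu", "op": "New-InboxRule",
     "params": {"Name": "News", "From": "newsletter@example.org", "MoveToFolder": "Newsletters"}},
    {"time": "2025-04-03T15:05:00", "user": "mlee@example.edu", "op": "Set-InboxRule",
     "params": {"Name": "a", "SubjectContainsWords": ["Direct Deposit", "Payment Election"],
                "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}},
    {"time": "2025-04-05T10:00:00", "user": "bchan@example.edu", "op": "DirectDepositChanged",
     "params": {"old_account": "****4321", "new_account": "****8765"}},
]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f"{alert['time']}  {alert['severity']:6}  {alert['user']}: {alert['reason']}")
```

On the sample data the newsletter rule produces nothing, the two Workday-hiding rules each raise a medium alert on their own, the direct-deposit change that follows one of them within the window is escalated to high, and the lone change stays low so it can still be verified with the employee. The user identity is lower-cased before correlation because the mailbox audit and the HR system will not necessarily agree on casing.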
Image Credit: arstechnica.com