In October 2025, Microsoft published research on Storm-2657, a financially motivated group running what the industry now calls "Payroll Pirates" attacks. The mechanics are simple. Phish an HR employee, take over their Microsoft 365 account, follow single sign-on into Workday, and change the direct deposit details on as many employee profiles as you can reach. On payday, the salaries land in accounts the attacker controls.
Microsoft tracked phishing emails reaching nearly 6,000 accounts across 25 US universities, sent from 11 compromised accounts at three institutions. None of it exploited a Workday vulnerability. The accounts lacked phishing-resistant MFA, and the attackers logged in like anyone else. The campaign model is also spreading: in April 2026, Microsoft documented Storm-2755 running the same play against Canadian employees.
Workday notifies an employee whenever their bank details change, so the attackers create inbox rules that make those notifications disappear before anyone reads them. In the case Microsoft documented, the rules deleted the warnings. In a customer case Mitiga investigated, the rule forwarded matching mail to an external address.
That customer case is the core of the new Mitiga Minute. Security Researcher Idan Cohen joins Field CISO Brian Contos to walk through the campaign, then opens the platform on the real investigation, sanitized into a demo tenant. The incident view correlates the pivot from Microsoft 365 into Workday in one place: an interactive sign-in from a new country, a new external-domain inbox forwarding rule, then a critical alert when multiple bank account transfer configurations were created — four of them, inside 12 minutes, from a sign-in originating in Qatar. AI Insights validates the evidence on the alert, and Helios AIDR recommends the response, so an analyst sees the status, transfer type, and source account without stitching logs across two platforms.
Idan closes the episode with some good Monday morning hardening advice. Enable and ingest every log you have and build detections on them, hunt proactively on a schedule, route security notifications to a mailbox a compromised account can't touch, and disable legacy authentication.
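The inbox-rule tell from the two cases above, turned into the kind of detection Idan's advice calls for, as an added example that is not from the episode or from Mitiga's platform: it walks constructed Exchange Online audit records and flags New-InboxRule events that forward mail to an external domain or delete mail whose conditions match payroll wording. The domains, addresses and record shape are assumptions.

```python
# Constructed detection: flag Exchange Online inbox rules that hide or exfiltrate
# payroll-change notifications. Domains and addresses below are placeholders.
INTERNAL_DOMAINS = {"example.edu"}  # assumption: the tenant's own mail domains
PAYROLL_WORDS = ("workday", "payroll", "direct deposit", "bank", "payment election")
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder"}  # mail vanishes from the inbox view
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}  # mail is copied out
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords", "From")

def params_of(record):  # collapse the audit record's Parameters list into name -> value
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def is_external(address):
    """True when the recipient domain is not one of the tenant's own."""
    return address.rsplit("@", 1)[-1].strip().lower() not in INTERNAL_DOMAINS

def classify_rule(record):
    """Reasons a New-/Set-InboxRule event looks like notification suppression ([] if benign)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = params_of(record)
    conditions = " ".join(str(p.get(k, "")) for k in CONDITION_PARAMS).lower()
    targets_payroll = any(w in conditions for w in PAYROLL_WORDS)
    reasons = []
    for name in sorted(FORWARD_PARAMS & p.keys()):  # any external forward is a finding on its own
        if any(is_external(a) for a in str(p[name]).split(";") if a.strip()):
            reasons.append(f"{name} sends mail outside the tenant")
    if targets_payroll and (HIDING_PARAMS | FORWARD_PARAMS) & p.keys():
        reasons.append("acts on mail matching payroll keywords")
    return reasons

def flag_rules(records):
    """Return (user, rule name, reasons) for every audit record that triggers."""
    return [(r["UserId"], params_of(r).get("Name", "?"), rs)
            for r in records if (rs := classify_rule(r))]

# Constructed audit events, shaped like Exchange Online admin-audit records, not real tenant data.
SAMPLE_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "hr.admin@example.edu", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"},
        {"Name": "SubjectContainsWords", "Value": "Workday;Direct Deposit"}]},
    {"Operation": "New-InboxRule", "UserId": "payroll@example.edu", "Parameters": [
        {"Name": "Name", "Value": "archive"}, {"Name": "BodyContainsWords", "Value": "bank account"},
        {"Name": "ForwardTo", "Value": "collector@attacker.example"}]},
    {"Operation": "New-InboxRule", "UserId": "staff@example.edu", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"}, {"Name": "From", "Value": "news@example.edu"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

if __name__ == "__main__":
    print(*flag_rules(SAMPLE_AUDIT), sep="\n")
```

The first two records reproduce the delete-the-warning and forward-externally variants the post describes; the third is a routine filing rule and stays quiet.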
Attackers no longer break in. They log in. And payroll is where logging in pays fastest. Mitiga's Agentic Runtime Security for cloud, SaaS, and AI catches that activity from anomalies and threat intelligence and contains it before the money moves.