Microsoft warns of new “Payroll Pirate” scam stealing employees’ direct deposits

Microsoft is warning of an active scam that is redirecting employee payroll payments to accounts controlled by attackers after first hijacking their profiles on Workday or other cloud-based HR services.

Payroll Pirate, as Microsoft says the campaign has been named, gains access to victims' HR portals by sending them phishing emails that trick recipients into providing their cloud account login credentials. The fraudsters also capture multi-factor authentication codes using adversary-in-the-middle (AitM) phishing, a tactic that works by standing between victims and the site they think they are visiting, which is actually a look-alike site run by the attackers that proxies traffic to the real one.

Not all MFAs are created equal

The attackers then relay the intercepted credentials, including the one-time MFA code, to the real site while the code is still valid, and walk away with an authenticated session. This tactic, which has become increasingly common in recent years, highlights the importance of adopting FIDO2/WebAuthn-based MFA such as passkeys and hardware security keys, which bind each credential to the legitimate site's origin and therefore cannot be replayed from a look-alike domain.

Once the scammers have infiltrated an employee's account, they change the direct deposit details in the employee's Workday payroll profile. The result is that salary payments are diverted from the bank account originally chosen by the employee to an account controlled by the attackers. To suppress the notification emails that Workday automatically sends when account information changes, the attackers create inbox rules that delete those messages or move them out of the inbox before the employee can see them.
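The inbox-rule step is the part of this chain a security team can catch in mailbox audit logs. The following is an added detection example (not from the article, Microsoft or Workday) that scans audit records for newly created or modified inbox rules whose conditions mention an HR or payroll sender and whose actions hide the mail. The three records are constructed for illustration and follow the general Name/Value `Parameters` shape of Microsoft 365 `New-InboxRule` audit events; the keyword list and the exact field names should be checked against a real tenant's export before use.

```javascript
// Added example: flag inbox rules that hide HR/payroll notification mail.
// Sample records below are constructed, not real audit data.
const HR_SENDER_HINTS = ['workday', 'payroll', 'direct deposit', 'hr-notifications']; // assumed keywords
const HIDING_ACTIONS = ['DeleteMessage', 'MoveToFolder', 'MarkAsRead'];
const RULE_OPERATIONS = ['New-InboxRule', 'Set-InboxRule'];
const CONDITION_FIELDS = ['From', 'FromAddressContainsWords', 'SubjectContainsWords',
                          'BodyContainsWords', 'SubjectOrBodyContainsWords'];

// Constructed audit lines, one JSON record per line, as a log export might provide them.
const sampleLog = [
  JSON.stringify({ CreationTime: '2025-09-02T14:03:11', Operation: 'New-InboxRule',
    UserId: 'jdoe@university.example',
    Parameters: [{ Name: 'Name', Value: '.' }, { Name: 'FromAddressContainsWords', Value: 'workday' },
                 { Name: 'DeleteMessage', Value: 'True' }] }),
  JSON.stringify({ CreationTime: '2025-09-02T09:15:40', Operation: 'New-InboxRule',
    UserId: 'asmith@university.example',
    Parameters: [{ Name: 'Name', Value: 'Newsletters' }, { Name: 'FromAddressContainsWords', Value: 'news@vendor.example' },
                 { Name: 'MoveToFolder', Value: 'Newsletters' }] }),
  JSON.stringify({ CreationTime: '2025-09-03T22:48:05', Operation: 'Set-InboxRule',
    UserId: 'mlee@university.example',
    Parameters: [{ Name: 'Identity', Value: 'x' }, { Name: 'SubjectContainsWords', Value: 'direct deposit;payroll' },
                 { Name: 'MoveToFolder', Value: 'RSS Subscriptions' }, { Name: 'MarkAsRead', Value: 'True' }] }),
];

// Flatten the audit event's Name/Value parameter list into an object.
function paramsToMap(params) {
  const map = {};
  for (const p of params) if (p && p.Name) map[p.Name] = String(p.Value);
  return map;
}

// Return a finding for one record, or null if the rule is not suspicious.
function analyzeRule(record) {
  if (!RULE_OPERATIONS.includes(record.Operation)) return null;
  const p = paramsToMap(record.Parameters || []);
  const conditionText = CONDITION_FIELDS.map(k => p[k] || '').join(' ').toLowerCase();
  const matchedHints = HR_SENDER_HINTS.filter(h => conditionText.includes(h));
  // A parameter present with value 'False' is not a hiding action.
  const actions = HIDING_ACTIONS.filter(a => a in p && p[a] !== 'False');
  if (matchedHints.length === 0 || actions.length === 0) return null;
  const ruleName = p.Name || p.Identity || '';
  return {
    user: record.UserId, time: record.CreationTime, operation: record.Operation,
    ruleName, matchedHints, actions,
    shortName: ruleName.trim().length <= 2,   // one-character names are a common attacker habit
  };
}

// Scan a list of JSON lines, skipping malformed ones, and return all findings.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    let record;
    try { record = JSON.parse(line); } catch { continue; }
    const hit = analyzeRule(record);
    if (hit) hits.push(hit);
  }
  return hits;
}

console.log(scanLog(sampleLog));
```

Pairing this with a second query, a direct deposit change in Workday's own audit trail for the same user within a day or two of the rule, gives a high-confidence signal for this specific fraud rather than a generic "suspicious inbox rule" alert.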

“The attacker used realistic phishing emails targeting accounts at multiple universities to collect credentials,” Microsoft said in Thursday's post. “Since March 2025, we have observed 11 successfully compromised accounts at three universities, which were used to send phishing emails to nearly 6,000 email accounts at 25 universities.”
