
Storm-2657 Payroll Hijacking: Workday Account Attacks & Prevention Guide

Written by Debojyoti Goswami | Nov 27, 2025 1:05:49 PM

Executive Summary

Storm-2657, also known as the “Payroll Pirates”, is a financially motivated threat actor targeting higher education institutions in the United States. Their campaigns focus on hijacking HR and payroll accounts to redirect employee salaries to attacker-controlled bank accounts.

Rather than exploiting software vulnerabilities, Storm-2657 relies on advanced social engineering, adversary-in-the-middle (AiTM) phishing, and poor identity governance practices to gain access and maintain persistence.

Fig: Attack flow of threat actor activity in a real incident.

What Is Storm-2657? (Threat Actor Overview)

Storm-2657 is a Microsoft-tracked threat actor specializing in payroll fraud, credential theft, and Workday account compromise. Their campaigns primarily target:

  • Higher education institutions
  • HR and payroll teams
  • Workday, ADP, and similar HR systems
  • Organizations using SSO with Azure AD / Entra ID

Primary objective: Modify payroll settings such as “Manage Payment Elections” to redirect direct deposit salaries.

Storm-2657 Attack Flow: How Payroll Hijacking Happens

Attack Pattern & Stages of Intrusion

Storm-2657’s operations follow a structured, multi-stage kill chain:

1. Reconnaissance & Target Selection

  • Targets HR and payroll administrators at universities
  • Identifies institutions using Workday and Exchange Online
  • Crafts tailored phishing lures based on campus themes (e.g., illness alerts, misconduct notices, HR updates)

2. Initial Access via AiTM Phishing

  • Sends phishing emails with links to Google Docs or fake HR portals
  • Links redirect to AiTM phishing proxies that relay the real login page and capture credentials, MFA codes, and the resulting session cookie in real time
  • Because the proxy completes the legitimate sign-in on the victim's behalf, the attacker obtains a fully authenticated session without needing the password or MFA code again, enabling full account takeover

Fig: Sample of a phishing email sent by the threat actor with illness exposure related theme and HR related theme.

3. Mailbox Compromise & Stealth Establishment

  • Gains access to Exchange Online mailboxes
  • Creates inbox rules to delete or hide emails from Workday or HR systems
    • Example: Rules named with special characters like “…” or “''''” to evade detection

    Fig: An example of inbox rule creation to delete all incoming emails.

  • Enrolls attacker-controlled phone numbers or MFA devices via Duo or Workday settings

4. Payroll Manipulation via SSO

  • Uses SSO access to log into Workday
  • Navigates to “Manage Payment Elections” or equivalent payroll settings
  • Changes bank account details to redirect future salary payments to attacker-controlled accounts

5. Lateral Movement & Phishing Propagation

  • Compromised accounts used to send phishing emails to other university staff
  • In one campaign, 11 compromised accounts at three universities were used to send phishing emails to nearly 6,000 recipients across 25 universities


Indicators of Compromise (IOCs)

Security teams should monitor for the following IOCs:

  • Phishing Domains:
    • AiTM proxy URLs mimicking HR portals or Google Docs
    • Redirects to credential harvesting pages
  • Suspicious Inbox Rules:
    • Rules deleting or moving emails from domains like @workday.com, @university.edu
    • Rule names using non-alphabetic characters or symbols
  • MFA & Device Changes:
    • Newly registered phone numbers or hardware tokens
    • MFA device changes without user initiation
  • Workday Audit Logs:
    • Changes to “Manage Payment Elections” or direct deposit settings
    • Logins from unusual IPs or geolocations
  • Email Behavior:
    • Outbound phishing emails from internal HR accounts
    • Sudden spike in email volume or external recipients
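The inbox-rule indicators above can be hunted mechanically. The following is an added example (not code from the original post or from Microsoft) that scores inbox-rule audit records the way an analyst would by hand: a rule name made only of symbols, a condition keyed on HR/payroll senders or subjects combined with a delete/move/mark-read action, or a blanket delete with no condition at all. The records are constructed inline and only loosely modelled on the `New-InboxRule` / `Set-InboxRule` entries in the Exchange Online Unified Audit Log; the field names, addresses and IPs are hypothetical and should be adapted to the real export.

```python
import json
from typing import Dict, List, Tuple

# Keywords that indicate a rule is aimed at HR/payroll mail (assumption: tune per tenant).
HR_KEYWORDS = ("workday", "payroll", "direct deposit", "payment election", "duo")
# Rule actions that make mail disappear from the user's view.
HIDING_ACTIONS = ("DeleteMessage", "SoftDeleteMessage", "MoveToFolder", "MarkAsRead")
# Rule conditions whose values name a sender or subject.
CONDITION_KEYS = ("From", "FromAddressContainsWords", "SubjectContainsWords",
                  "BodyContainsWords", "SubjectOrBodyContainsWords")

# Constructed sample records (hypothetical users/IPs), one JSON document per line,
# shaped like Unified Audit Log cmdlet entries: Operation + Parameters[{Name, Value}].
SAMPLE_AUDIT_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "payroll.admin@university.edu",
                "ClientIP": "203.0.113.45",
                "Parameters": [{"Name": "Name", "Value": "''''"},
                               {"Name": "FromAddressContainsWords", "Value": "workday.com"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "hr.staff@university.edu",
                "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Name", "Value": "..."},
                               {"Name": "SubjectContainsWords",
                                "Value": "payment election;direct deposit"},
                               {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                               {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "faculty@university.edu",
                "ClientIP": "192.0.2.10",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "FromAddressContainsWords", "Value": "news.example.org"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "grants@university.edu",
                "ClientIP": "203.0.113.45",
                "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
]


def rule_parameters(record: dict) -> Dict[str, str]:
    """Flatten the cmdlet Parameters list into a {name: value} dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def assess_inbox_rule(record: dict) -> List[str]:
    """Return the reasons an inbox-rule record looks malicious (empty list = benign)."""
    reasons: List[str] = []
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return reasons
    p = rule_parameters(record)
    name = p.get("Name", "")
    # 1. Rule name with no letters or digits at all, e.g. "..." or "''''".
    if name and not any(ch.isalnum() for ch in name):
        reasons.append(f"rule name is only symbols: {name!r}")
    # 2. Condition targets HR/payroll mail AND an action hides or deletes it.
    conditions = " ".join(v for k, v in p.items() if k in CONDITION_KEYS).lower()
    hides = [a for a in HIDING_ACTIONS if a in p]
    if hides and any(kw in conditions for kw in HR_KEYWORDS):
        reasons.append("hides HR/payroll mail via " + ", ".join(hides))
    # 3. Delete action with no condition: every incoming message is destroyed.
    if "DeleteMessage" in p and not conditions:
        reasons.append("deletes all incoming mail (no conditions)")
    return reasons


def hunt(raw_records: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Parse newline-delimited JSON audit records and return (user, rule name, reasons) hits."""
    hits = []
    for line in raw_records:
        rec = json.loads(line)
        reasons = assess_inbox_rule(rec)
        if reasons:
            hits.append((rec["UserId"], rule_parameters(rec).get("Name", ""), reasons))
    return hits


if __name__ == "__main__":
    for user, name, reasons in hunt(SAMPLE_AUDIT_RECORDS):
        print(f"{user}: rule {name!r} -> {'; '.join(reasons)}")
```

Feed it the `Parameters` field of `Search-UnifiedAuditLog -Operations New-InboxRule,Set-InboxRule` output (one JSON record per line) to get the same triage on real data; the keyword list and the symbol-only name test are the two knobs most worth tuning to your tenant.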

Risk & Business Impact of Storm-2657 Payroll Attacks

These attacks are not just IT problems—they’re business problems.

  • Financial Loss: Salary theft through unauthorized bank transfers
  • Operational Disruption: Payroll delays and HR system compromise
  • Reputational Damage: Loss of trust among employees and stakeholders
  • Regulatory Exposure: Violations of data protection and financial compliance laws

These attacks represent a sophisticated evolution of business email compromise (BEC), specifically targeting payroll workflows and exploiting identity weaknesses.

How to Protect Against Storm-2657 (Mitigation Guide)

  • Deploy Phishing-Resistant MFA
    • Use FIDO2 security keys or passkeys (including passkeys in Microsoft Authenticator), which bind the credential to the site origin so an AiTM proxy cannot replay it
    • Treat SMS, email, voice, TOTP and push-approval methods as relayable: an AiTM proxy passes the code or prompt through to the real login page and keeps the session that results
  • Enforce Conditional Access Policies
    • Require strong authentication for HR/payroll system access
    • Block legacy authentication protocols
  • Audit MFA Device Registrations
    • Regularly review and revoke unrecognized MFA devices
    • Monitor for changes in Duo or Workday MFA settings
  • Monitor Inbox Rules & Email Logs
    • Flag rules that delete or move HR-related emails
    • Alert on rule names with symbols or non-standard characters
  • Enhance Payroll Change Controls
    • Require manual approval for direct deposit updates
    • Notify users via alternate channels when payroll changes occur
  • Incident Response Readiness
    • Establish playbooks for account compromise
    • Include steps for credential resets, rule removal, and payroll reversal
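Two of the controls above (auditing MFA device registrations and gating direct deposit updates) combine naturally into one triage rule: hold a payment election change for manual approval when the same account registered a new MFA method shortly before the change, when the change comes from an IP never seen for that user, or when the destination bank account is already on file for a different employee (the reuse pattern of a mule account). The following is an added example, not code from the original post or from Workday, Duo or Microsoft; the event shapes, users, IPs and bank identifiers are constructed, and a real implementation would populate them from the Entra ID security-info audit log, the Workday audit trail and the institution's sign-in history.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class MfaRegistration:
    """A new MFA method registered for an account (source: identity-provider audit log)."""
    user: str
    at: datetime
    method: str


@dataclass
class PaymentChange:
    """A change to an employee's direct deposit destination (source: payroll audit trail)."""
    user: str
    at: datetime
    source_ip: str
    routing: str        # bank routing number (constructed values below)
    account_last4: str  # last four digits of the account number


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample events (hypothetical users, IPs and bank identifiers).
MFA_REGISTRATIONS = [
    MfaRegistration("j.doe@university.edu", ts("2025-11-03T14:12:00"), "phone:+1-555-0199"),
]
PAYMENT_CHANGES = [
    PaymentChange("j.doe@university.edu", ts("2025-11-04T09:30:00"), "203.0.113.45", "021000021", "1234"),
    PaymentChange("a.lee@university.edu", ts("2025-11-05T10:02:00"), "203.0.113.45", "021000021", "1234"),
    PaymentChange("m.chen@university.edu", ts("2025-11-06T11:15:00"), "10.20.30.40", "011000015", "9876"),
]
# IPs each user has signed in from before (assumption: built from sign-in history).
KNOWN_IPS: Dict[str, Set[str]] = {
    "j.doe@university.edu": {"10.20.30.41"},
    "a.lee@university.edu": {"10.20.30.42"},
    "m.chen@university.edu": {"10.20.30.40"},
}


def review_payment_change(change: PaymentChange,
                          mfa_regs: List[MfaRegistration],
                          earlier_changes: List[PaymentChange],
                          known_ips: Dict[str, Set[str]],
                          window: timedelta = timedelta(days=7)) -> List[str]:
    """Return the reasons a direct deposit change should be held for manual approval."""
    reasons: List[str] = []
    # 1. A new MFA method was enrolled on this account within `window` before the change.
    for reg in mfa_regs:
        gap = change.at - reg.at
        if reg.user == change.user and timedelta(0) <= gap <= window:
            reasons.append(f"MFA method {reg.method} registered {gap} before the change")
    # 2. The change was made from an address this user has never signed in from.
    if change.source_ip not in known_ips.get(change.user, set()):
        reasons.append(f"source IP {change.source_ip} never seen for this user")
    # 3. The destination account is already on file for someone else.
    reused = sorted({c.user for c in earlier_changes
                     if (c.routing, c.account_last4) == (change.routing, change.account_last4)
                     and c.user != change.user})
    if reused:
        reasons.append("destination account already used by " + ", ".join(reused))
    return reasons


def triage(changes: List[PaymentChange],
           mfa_regs: List[MfaRegistration],
           known_ips: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Process changes in time order; return {user: reasons} for every change to hold."""
    ordered = sorted(changes, key=lambda c: c.at)
    holds: Dict[str, List[str]] = {}
    for i, change in enumerate(ordered):
        reasons = review_payment_change(change, mfa_regs, ordered[:i], known_ips)
        if reasons:
            holds[change.user] = reasons
    return holds


if __name__ == "__main__":
    for user, reasons in triage(PAYMENT_CHANGES, MFA_REGISTRATIONS, KNOWN_IPS).items():
        print(f"HOLD {user}: " + "; ".join(reasons))
```

Any change that lands in the hold list should go to out-of-band confirmation with the employee (a phone call to the number HR already has, not the one just enrolled) before the next payroll run; the seven-day window and the reuse check are the two parameters that separate this from an ordinary "notify on change" control.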
