Storm-2657 is a threat actor group that hijacks employee accounts at U.S.-based organizations, especially in higher education, to redirect salary payments. It relies on social engineering and the absence of multi-factor authentication to gain control of HR and payment systems, using phishing and account-manipulation techniques. #Storm-2657 #PayrollPirates
Key points
- Storm-2657 targets organizations using HR SaaS platforms like Workday to hijack employee accounts.
- The attacks rely on social engineering, phishing, and the absence of multi-factor authentication for access.
- Threat actors modify payment settings and enroll MFA devices to maintain persistent control over accounts.
- Compromised email accounts are used to launch widespread phishing campaigns within and across universities.
- Recommendations include using phishing-resistant MFA methods such as FIDO2 security keys and monitoring accounts for suspicious activity.
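The persistence pattern in the points above (a newly enrolled MFA device followed by a change to payment settings on the same account) is something a defender can correlate directly from HR-platform audit logs. The script below is an added example written for this summary, not code from Microsoft or from the linked article; the audit-line format, the action names `mfa_device_enrolled` and `payment_settings_changed`, and the sample events are all constructed assumptions, so `parse_line()` must be adapted to the real export schema of the platform in use.

```python
"""Correlate MFA-device enrollment with payment-settings changes in HR audit events."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines in an assumed, simplified format:
#   "<ISO-8601 UTC timestamp> <user> <action> [key=value ...]"
# This is NOT a real Workday (or other HR SaaS) audit export; adapt parse_line()
# to the actual schema. The timestamps, users and IP are made up.
SAMPLE_AUDIT_LINES = """\
2025-10-01T09:12:03Z alice@example.edu login src=203.0.113.5
2025-10-01T09:14:40Z alice@example.edu mfa_device_enrolled device=authenticator-app
2025-10-01T09:20:11Z alice@example.edu payment_settings_changed field=direct_deposit_account
2025-10-02T11:00:00Z bob@example.edu mfa_device_enrolled device=fido2-key
2025-10-02T11:05:00Z carol@example.edu payment_settings_changed field=direct_deposit_account
2025-10-07T08:00:00Z bob@example.edu payment_settings_changed field=direct_deposit_account
""".splitlines()

# Assumed action names; map these to the platform's real event types.
MFA_ENROLL = "mfa_device_enrolled"
PAYMENT_CHANGE = "payment_settings_changed"


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    action: str
    detail: str


def parse_line(line: str) -> AuditEvent:
    """Parse one audit line of the assumed format into an AuditEvent."""
    parts = line.split(maxsplit=3)
    if len(parts) < 3:
        raise ValueError(f"malformed audit line: {line!r}")
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    detail = parts[3] if len(parts) == 4 else ""
    return AuditEvent(ts=ts, user=parts[1], action=parts[2], detail=detail)


def find_payroll_hijack_candidates(lines, window_hours: float = 48):
    """Return {user: (mfa_enroll_ts, payment_change_ts)} for accounts where a new MFA
    device was enrolled AND payment settings were changed within window_hours of each
    other. Either ordering is reported; the earliest qualifying pair per user is kept.
    A hit is a triage lead, not proof of compromise: a legitimate new hire or a user
    who replaced a phone and updated a bank account can produce the same pair."""
    window = timedelta(hours=window_hours)
    events = sorted((parse_line(line) for line in lines), key=lambda e: e.ts)
    by_user: dict[str, list[AuditEvent]] = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)

    flagged: dict[str, tuple[datetime, datetime]] = {}
    for user, evs in by_user.items():
        enrolls = [e for e in evs if e.action == MFA_ENROLL]
        changes = [e for e in evs if e.action == PAYMENT_CHANGE]
        for en in enrolls:
            for ch in changes:
                if abs(ch.ts - en.ts) <= window:
                    flagged[user] = (en.ts, ch.ts)
                    break
            if user in flagged:
                break
    return flagged


if __name__ == "__main__":
    for user, (en, ch) in find_payroll_hijack_candidates(SAMPLE_AUDIT_LINES).items():
        print(f"ALERT {user}: MFA device enrolled {en.isoformat()} and payment settings "
              f"changed {ch.isoformat()} ({abs(ch - en)} apart)")
```

With the constructed sample, only `alice@example.edu` is flagged at the default 48-hour window (enrollment and direct-deposit change five and a half minutes apart); `bob@example.edu`, whose two events are nearly five days apart, only appears if the window is widened. Tune the window to the organization's onboarding cadence, and treat each hit as a prompt to confirm the change out-of-band with the employee rather than as an automatic block.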
Read More: https://thehackernews.com/2025/10/microsoft-warns-of-payroll-pirates.html