“Payroll Pirate” phishing scam that takes over Workday accounts steals paychecks

Microsoft has issued a warning regarding a sophisticated phishing scam known as 'Payroll Pirate,' which is designed to hijack employees' payroll accounts. This scheme diverts paycheck deposits to accounts controlled by cybercriminals after gaining access to victims’ profiles on Workday and other cloud-based HR platforms. The attackers initiate their breach by sending deceptive emails that trick employees into revealing their login credentials. Once victims enter their information, the scammers employ adversary-in-the-middle tactics to intercept multi-factor authentication (MFA) codes, allowing them to access the legitimate sites. This tactic highlights the pressing need for more secure forms of MFA, such as those compliant with FIDO standards, which are resistant to these types of attacks. After infiltrating the employees’ accounts, the criminals proceed to alter payroll settings within Workday, rerouting direct deposits from the employees' chosen accounts to their own. To further conceal their actions, the attackers set up email rules that prevent any alerts from reaching the victims when changes are made to their account information. Microsoft reported that since March 2025, they have identified 11 compromised accounts across three universities, leading to phishing attempts directed at nearly 6,000 email addresses at 25 different institutions.