Microsoft warns of payroll pirate scam targeting university employees

11 October 2025
Reported by AI

Microsoft has alerted organizations to a phishing campaign dubbed 'Payroll Pirate' that compromises Workday accounts to divert employee paychecks. The scam, active since March 2025, has affected accounts at multiple universities. Attackers use sophisticated tactics to bypass multi-factor authentication and hide their changes.

The 'Payroll Pirate' campaign involves phishing emails that trick university employees into entering credentials on fake login pages mimicking their HR portals, such as Workday. Scammers employ adversary-in-the-middle tactics to intercept multi-factor authentication codes, allowing them to access real accounts despite security measures.

Once inside, attackers alter payroll settings to redirect direct deposits to their controlled accounts. To avoid detection, they create email rules that block Workday's automatic notifications about these changes. In some instances, they add a phone number they control as a backup recovery option for persistent access.

Microsoft reported that since March 2025, threat actors have compromised 11 accounts at three universities. These were used to send phishing emails to nearly 6,000 accounts across 25 universities. The lures vary: one theme claims exposure to a communicable disease on campus, with a link to check status; another mentions recent changes in employee benefits, leading to a disguised login page.

“The threat actor used realistic phishing emails, targeting accounts at multiple universities, to harvest credentials,” Microsoft stated in its advisory.

The campaign highlights vulnerabilities in non-FIDO multi-factor authentication methods, such as one-time codes via email or text, which are susceptible to interception. Microsoft recommends adopting FIDO-compliant options like passkeys or physical security keys, noting no known breaches via these methods. Users should also periodically review email filtering rules for unauthorized blocks on security alerts.
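The review of inbox rules recommended above can be automated. The following is an added example, not Microsoft's or Workday's code: it scans a constructed, simplified set of inbox-rule records (the field names and sample rules are assumptions for this example, not a real mailbox export format) and flags rules that silently delete, move or mark as read the HR, payroll or security notifications the article describes attackers suppressing.

```python
import re
from dataclasses import dataclass, field

# Indicators of HR/payroll and security notification traffic. Constructed for this
# example; a real check would use the exact sender addresses the HR platform uses.
SENDER_PATTERNS = [r"workday", r"payroll", r"hr-notifications"]
SUBJECT_PATTERNS = [r"direct deposit", r"payment election", r"bank account",
                    r"security alert", r"password"]
# Rule actions that hide a message from the mailbox owner.
SUPPRESSING_ACTIONS = {"delete", "move", "mark_read"}


@dataclass
class InboxRule:
    """Simplified inbox rule (hypothetical schema, not a vendor export format)."""
    name: str
    from_contains: list = field(default_factory=list)
    subject_contains: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    move_to: str = ""


def _matches(patterns, values):
    return any(re.search(p, v, re.IGNORECASE) for p in patterns for v in values)


def suspicious_rules(rules):
    """Return (rule name, reason) for rules that suppress HR/payroll or security mail."""
    findings = []
    for rule in rules:
        if not SUPPRESSING_ACTIONS & set(rule.actions):
            continue  # rule does not hide anything; nothing to flag
        if _matches(SENDER_PATTERNS, rule.from_contains):
            findings.append((rule.name, "suppresses mail from HR/payroll sender"))
        elif _matches(SUBJECT_PATTERNS, rule.subject_contains):
            findings.append((rule.name, "suppresses mail by payroll/security subject"))
    return findings


# Constructed sample rules: two benign, two that hide payroll-change notifications.
SAMPLE_RULES = [
    InboxRule("Newsletters", subject_contains=["newsletter"], actions=["move"], move_to="Archive"),
    InboxRule(".", from_contains=["workday.com"], actions=["delete", "mark_read"]),
    InboxRule("Clean", subject_contains=["direct deposit", "payment election"],
              actions=["move"], move_to="RSS Subscriptions"),
    InboxRule("Team", from_contains=["team-lead@example.edu"], actions=["move"], move_to="Team"),
]

if __name__ == "__main__":
    for name, reason in suspicious_rules(SAMPLE_RULES):
        print(f"FLAG rule {name!r}: {reason}")
```

Running the script reports the "." and "Clean" rules; extending SENDER_PATTERNS with the institution's actual notification senders makes the check far more precise than keyword matching alone.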

This scam underscores the need for robust authentication in cloud HR systems, particularly as phishing evolves to target educational institutions.