Microsoft has issued a warning about an active scam dubbed Payroll Pirate that diverts employees’ paychecks into attacker-controlled accounts after compromising their cloud-based HR profiles, such as Workday.
In this campaign, phishers obtain victims’ credentials via targeted emails and then bypass multi-factor authentication using adversary-in-the-middle techniques that intercept MFA codes while the user logs in to a fake site that mimics the real HR portal. The attackers then submit the intercepted credentials and MFA code on the real site to gain access.
Not all MFA is created equal
The attackers then enter the intercepted credentials, including the MFA code, into the real site. This tactic, which has grown increasingly common in recent years, underscores the importance of adopting FIDO-compliant forms of MFA, which are immune to such attacks.
Once inside the HR portal, the scammers alter payroll settings within Workday so that direct-deposit payments are redirected to accounts they control. They also create email rules to suppress Workday’s security notifications about changes to payment details.
Microsoft notes that the campaign has already affected at least 11 compromised accounts across three universities since March 2025, with the attackers using those accounts to send phishing messages to thousands of staff at dozens of universities. Organizations are urged to review payroll configurations, monitor for unusual login activity, and tighten MFA with FIDO-compliant methods.
