Microsoft Warns Universities and Companies of New “Payroll Pirate” Cyberattack Targeting Employee Salaries

Microsoft has issued a warning to universities and companies about a newly identified cyberattack known as “Payroll Pirate”, a scheme designed to steal employee salaries without either party noticing, according to a report by Ars Technica.

The company explained that the attack relies on a combination of phishing emails and fake website replicas, with the goal of altering bank account details within corporate and university HR portals so that salaries are redirected to accounts controlled by the attacker rather than the legitimate employee.

According to the report, attackers send highly convincing, professionally crafted phishing emails that direct victims to websites mimicking HR management systems or university portals.

Once victims enter their credentials into these fraudulent pages, attackers capture the information — including two-factor authentication codes generated by apps or received via text messages — and use it to gain access to HR systems.

Microsoft noted that the attack has been particularly widespread on the popular HR platform Workday, where attackers, after logging in, immediately change account settings, adding their own phone number, email address, and bank account information.

The company first detected this attack in March, and it has since been used against more than 6,000 victims across 25 different universities.

Microsoft warned that the attack results in stolen funds from both the employee and the organization, with neither side initially aware of the theft: organizations believe they have deposited salaries correctly, while victims never receive their payments.

The report urged organizations to adopt biometric-based two-factor authentication tools, such as secure key options on smartphones or physical security keys, as these methods are significantly more difficult for attackers to compromise.