Universities Targeted by Sophisticated 'Payroll Pirate' Cyberattacks
Universities are facing a new wave of cyberattacks, dubbed “Payroll Pirate” campaigns, that blend cunning social engineering with technical exploitation. Hackers are zeroing in on university HR departments, sending highly customized phishing emails that mimic trusted campus figures and reference urgent, relatable topics—think faculty misconduct or health scares. These emails are more than just convincing; they’re engineered to intercept multifactor authentication (MFA) codes using adversary-in-the-middle (AITM) tactics, allowing attackers to slip past security barriers and seize control of Exchange Online accounts (BleepingComputer, 2024).
Once inside, the attackers exploit weak or absent MFA protections, enrolling their own devices to maintain access. They then manipulate Workday accounts—an essential HR and payroll platform—by deleting warning notifications and rerouting salary payments to their own accounts. The compromised email accounts become launchpads for further phishing, leveraging the trust of internal addresses to ensnare more victims both within and beyond the university. The financial fallout is staggering: the FBI’s IC3 logged over 21,000 business email compromise (BEC) fraud complaints in 2024, with losses topping $2.7 billion, underscoring the scale and sophistication of these attacks (BleepingComputer, 2024).
Attack Methodology
Phishing Tactics
The attackers employ sophisticated phishing tactics to compromise university HR employees’ accounts. These phishing emails are custom-tailored for each target, utilizing themes that resonate with the university environment. For instance, emails may impersonate university officials, such as the president, or HR personnel, sharing seemingly legitimate information about compensation, benefits, or urgent campus issues like illness outbreaks or faculty misconduct. The aim is to trick recipients into clicking on malicious links embedded in these emails. These links often use adversary-in-the-middle (AITM) techniques to intercept and steal multifactor authentication (MFA) codes, which are then used to gain unauthorized access to the victims’ Exchange Online accounts (BleepingComputer, 2024).
Exploitation of MFA Weaknesses
A critical aspect of the attack methodology is the exploitation of weaknesses in the MFA implementation. The attackers take advantage of the absence of MFA or the use of non-phishing-resistant MFA solutions. Once they gain access to an account, they often enroll their own phone numbers as MFA devices, either through compromised Workday profiles or Duo MFA settings. This enables them to approve further malicious actions on their own devices, maintaining persistence within the compromised accounts. The lack of robust MFA measures significantly contributes to the success of these attacks (BleepingComputer, 2024).
Manipulation of Workday Accounts
After compromising email accounts, the attackers proceed to manipulate Workday accounts, a platform widely used for HR and payroll management. They set up inbox rules to delete warning notification emails from Workday, concealing their activities from the account owner. This allows them to alter salary payment configurations and redirect payments to accounts under their control. The attackers abuse single sign-on (SSO) from the compromised email account to reach Workday profiles seamlessly, making unauthorized changes without raising immediate suspicion. This manipulation is a key component of the “payroll pirate” attacks, enabling financial theft from the targeted institutions (BleepingComputer, 2024).
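As an added detection example (not code from the BleepingComputer report, Workday or Microsoft), the check below scans constructed records shaped like Exchange Online mailbox-audit entries for New-InboxRule/Set-InboxRule operations that delete or bury payroll-related mail; the user names, sender address and folder list are assumptions.

```python
import json

# Constructed sample records shaped like Exchange Online mailbox audit entries; values are made up.
SAMPLE_AUDIT_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "hr.staff@example.edu",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "From", "Value": "noreply@workday.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "hr.staff@example.edu",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "SubjectContainsWords", "Value": "Digest"},
                               {"Name": "MoveToFolder", "Value": "Reading"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "prof@example.edu",
                "Parameters": [{"Name": "Identity", "Value": "Filter"},
                               {"Name": "SubjectContainsWords", "Value": "Direct Deposit Change"},
                               {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]}),
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Words that identify payroll/Workday notifications in a rule's conditions (assumed list).
PAYROLL_KEYWORDS = ("workday", "payroll", "direct deposit", "payment election")
HIDING_FOLDERS = ("deleted items", "rss subscriptions", "junk email", "archive")
CONDITION_KEYS = ("From", "SubjectContainsWords", "BodyContainsWords", "FromAddressContainsWords")

def params_to_dict(record):
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}

def is_hiding_action(params):
    """True if the rule deletes the message or moves it to a rarely-read folder."""
    if params.get("DeleteMessage", "").lower() == "true":
        return True
    return params.get("MoveToFolder", "").lower() in HIDING_FOLDERS

def mentions_payroll(params):
    """True if any rule condition targets payroll or Workday mail."""
    text = " ".join(params.get(k, "") for k in CONDITION_KEYS).lower()
    return any(kw in text for kw in PAYROLL_KEYWORDS)

def find_suspicious_inbox_rules(raw_records):
    """Return (user, operation, rule name) for rules that hide payroll notifications."""
    findings = []
    for line in raw_records:
        record = json.loads(line)
        if record.get("Operation") not in RULE_OPERATIONS:
            continue
        params = params_to_dict(record)
        if is_hiding_action(params) and mentions_payroll(params):
            name = params.get("Name") or params.get("Identity", "")
            findings.append((record.get("UserId"), record["Operation"], name))
    return findings

if __name__ == "__main__":
    for hit in find_suspicious_inbox_rules(SAMPLE_AUDIT_RECORDS):
        print("suspicious inbox rule:", hit)
```

The second sample rule (moving a newsletter to a normal folder) is deliberately benign and is not flagged, so the check keys on the combination of a hiding action and a payroll-related condition rather than on rule creation alone.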
Distribution of Further Phishing Emails
The compromised accounts are not only used for financial theft but also serve as a platform for distributing further phishing emails. The attackers leverage the trust associated with internal university email addresses to send phishing emails both within the organization and to other universities. This propagation strategy helps them expand their reach and potentially compromise additional accounts. The use of legitimate-looking email addresses increases the likelihood of recipients falling for the phishing attempts, perpetuating the cycle of attacks (BleepingComputer, 2024).
Financial Impact and Broader Implications
The financial impact of these attacks is significant, with the FBI’s Internet Crime Complaint Center (IC3) recording over 21,000 business email compromise (BEC) fraud complaints in 2024 alone, resulting in losses exceeding $2.7 billion. These figures highlight the lucrative nature of such cybercrimes, second only to investment scams. However, it is important to note that these numbers likely represent only a fraction of the actual losses, as many cases go unreported or undetected. The broader implications of these attacks extend beyond financial loss, affecting the reputation and operational integrity of the targeted institutions. Universities, being centers of education and research, face heightened risks as their compromised accounts can be used to disseminate misinformation or further cyber threats (BleepingComputer, 2024).
Final Thoughts
The “Payroll Pirate” attacks highlight a sobering reality: even institutions dedicated to knowledge and innovation are not immune to evolving cyber threats. By exploiting both human trust and technical vulnerabilities—especially in MFA and SSO systems—attackers are able to inflict significant financial and reputational damage. The ripple effects extend beyond lost funds, threatening the operational integrity and public trust in universities. As cybercriminals continue to refine their tactics, universities must prioritize robust, phishing-resistant MFA solutions and foster a culture of cybersecurity awareness among staff. Staying vigilant and proactive is essential to outmaneuvering these digital pirates (BleepingComputer, 2024).
References
- Hackers target university HR employees in ‘Payroll Pirate’ attacks. (2024). BleepingComputer. https://www.bleepingcomputer.com/news/security/hackers-target-university-hr-employees-in-payroll-pirate-attacks/