Microsoft Warns of ‘Payroll Pirates’ Hijacking HR SaaS Accounts to Steal Employee Salaries
A threat actor known as Storm-2657 has been observed hijacking employee accounts with the end goal of diverting salary payments to attacker-controlled accounts. "Storm-2657 is actively targeting a range of U.S.-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday," the
AI Analysis
Technical Summary
Storm-2657 is a financially motivated threat actor group actively targeting employee accounts within third-party human resources SaaS platforms, notably Workday, to divert salary payments to attacker-controlled bank accounts. The attack vector does not exploit software vulnerabilities but leverages social engineering and credential theft through adversary-in-the-middle (AitM) phishing attacks. These phishing campaigns harvest both user credentials and MFA codes, enabling attackers to bypass multi-factor authentication protections. Once access is gained, attackers manipulate single sign-on (SSO) integrations to take over Workday profiles and modify payment details. They also create inbox rules to delete warning emails from Workday, preventing victims from detecting unauthorized changes. To maintain persistence, attackers enroll their own phone numbers as MFA devices on compromised accounts. Additionally, compromised email accounts are weaponized to distribute further phishing emails within the victim organization and to other institutions, particularly universities, using lures related to campus illnesses or misconduct to induce urgency and clicks. Microsoft observed multiple successful compromises at universities, with phishing emails sent to thousands of accounts across numerous institutions. The campaign highlights the critical risk posed by weak or absent phishing-resistant MFA and insufficient monitoring of account changes in SaaS HR platforms. Microsoft recommends implementing passwordless, phishing-resistant MFA methods such as FIDO2 security keys and conducting thorough reviews of account activities for anomalies like unknown MFA devices and malicious inbox rules. This threat underscores the importance of securing SaaS platforms that handle sensitive payroll and banking information, as attackers can cause direct financial loss without exploiting technical vulnerabilities in the software itself.
Potential Impact
For European organizations, this threat poses a significant risk of direct financial theft through payroll diversion, leading to monetary losses and potential reputational damage. Organizations using HR SaaS platforms like Workday or similar services without robust phishing-resistant MFA are vulnerable to account takeover and fraudulent payment modifications. The stealthy nature of the attack—deleting notification emails and enrolling attacker-controlled MFA devices—makes detection difficult, increasing the risk of prolonged unauthorized access and larger financial impact. Additionally, compromised accounts can be used to launch further phishing campaigns internally and externally, potentially leading to broader credential theft and compromise across the organization and its partners. The impact extends beyond financial loss to include operational disruption, erosion of employee trust, and regulatory consequences under GDPR if personal and banking data are mishandled or exposed. European organizations in sectors with high SaaS adoption and sensitive payroll data, such as higher education, finance, and large enterprises, are particularly at risk. The campaign also illustrates the broader threat landscape where social engineering and poor authentication practices enable attackers to bypass technical security controls, emphasizing the need for enhanced identity and access management.
Mitigation Recommendations
European organizations should implement phishing-resistant, passwordless multi-factor authentication methods such as FIDO2 security keys to prevent credential and MFA code theft via phishing. Regularly audit HR SaaS accounts and associated email accounts for suspicious activities, including unknown MFA device enrollments and malicious inbox rules that delete or redirect notification emails. Enforce strict monitoring and alerting on changes to payroll and payment information within HR platforms. Conduct targeted user awareness training focused on recognizing sophisticated phishing attempts, especially those employing adversary-in-the-middle techniques. Implement conditional access policies that restrict access based on device compliance and location to reduce risk from compromised credentials. Employ email security solutions with advanced anti-phishing capabilities and anomaly detection to identify and block phishing campaigns early. Establish incident response procedures specifically for SaaS account compromises involving payroll systems, including rapid revocation of unauthorized MFA devices and account recovery steps. Collaborate with SaaS providers to leverage their security features and ensure timely updates on emerging threats. Finally, conduct regular penetration testing and red team exercises simulating social engineering attacks to evaluate organizational resilience against such threats.
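The two artifacts the analysis above singles out (inbox rules that hide Workday notifications, and attacker-enrolled MFA devices shortly before a bank-detail change) can be hunted for in exported tenant data. The script below is an added example, not Microsoft's or OffSeq's code; the rule, MFA-event and payment-change records are constructed samples whose field names (`conditions`, `actions`, `enrolled_at`, `changed_at`) are assumptions about whatever export format you actually have.

```python
from datetime import datetime, timedelta

# Sender/subject fragments that a payroll-diversion rule typically keys on.
PAYROLL_TERMS = ("workday", "payroll", "direct deposit", "bank account", "payment election")
# Rule actions that keep the notification out of the user's sight.
HIDING_ACTIONS = {"delete", "move_to_folder", "mark_as_read", "forward"}

def suspicious_inbox_rules(rules):
    """Names of rules that both match HR/payroll mail and hide or redirect it."""
    hits = []
    for rule in rules:
        text = " ".join(rule.get("conditions", [])).lower()
        if any(t in text for t in PAYROLL_TERMS) and HIDING_ACTIONS & set(rule.get("actions", [])):
            hits.append(rule["name"])
    return hits

def mfa_enrolled_before_change(mfa_events, payment_changes, window_days=14):
    """For each bank-detail change, list MFA methods the same user enrolled in the
    preceding window. Returns (user, method, days_before_change) tuples."""
    window = timedelta(days=window_days)
    findings = []
    for change in payment_changes:
        changed_at = datetime.fromisoformat(change["changed_at"])
        for ev in mfa_events:
            enrolled_at = datetime.fromisoformat(ev["enrolled_at"])
            if ev["user"] == change["user"] and timedelta(0) <= changed_at - enrolled_at <= window:
                findings.append((ev["user"], ev["method"], (changed_at - enrolled_at).days))
    return findings

# Constructed sample exports (not real tenant data). The second rule mimics the
# campaign: a blank-looking name, matches Workday mail, deletes and marks read.
SAMPLE_RULES = [
    {"name": "Newsletters", "conditions": ["from contains newsletter@"], "actions": ["move_to_folder"]},
    {"name": ".", "conditions": ["from contains Workday", "subject contains direct deposit"],
     "actions": ["delete", "mark_as_read"]},
    {"name": "Tag HR", "conditions": ["subject contains payroll"], "actions": ["categorize"]},
]
SAMPLE_MFA = [
    {"user": "alice", "method": "phone_sms", "enrolled_at": "2025-10-01T09:00:00"},
    {"user": "bob", "method": "phone_sms", "enrolled_at": "2025-06-01T08:00:00"},
]
SAMPLE_CHANGES = [
    {"user": "alice", "changed_at": "2025-10-03T14:20:00"},
    {"user": "bob", "changed_at": "2025-10-05T10:00:00"},
    {"user": "carol", "changed_at": "2025-10-06T11:00:00"},
]

if __name__ == "__main__":
    print("hiding rules:", suspicious_inbox_rules(SAMPLE_RULES))
    print("MFA-then-bank-change:", mfa_enrolled_before_change(SAMPLE_MFA, SAMPLE_CHANGES))
```

Only the blank-named rule is flagged (the "Tag HR" rule matches payroll mail but does not hide it), and only alice's change is paired with a fresh MFA enrollment; bob's phone was enrolled months earlier and carol has no enrollment at all.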
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Article Source: https://thehackernews.com/2025/10/microsoft-warns-of-payroll-pirates.html (fetched 2025-10-11)
Threat ID: 68e9ae2654cfe91d8fe9e2d8
Added to database: 10/11/2025, 1:08:54 AM
Last updated: 10/11/2025, 1:51:12 PM