Microsoft Warns of “Payroll Pirate” Phishing Attacks Targeting US Universities and Workday Systems

October 12, 2025 admin

Readers help support Windows Report. We may get a commission if you buy through our links.

Microsoft has issued a warning about a large-scale phishing campaign dubbed “Payroll Pirate.” According to the published advisory, the phising attack is actively targeting universities and educational institutions across the United States. The attackers aim to compromise Workday accounts used for managing payroll and HR systems.

Microsoft says the attackers use spoofed .edu email domains to impersonate trusted university accounts and send phishing messages to staff.

Once users click on the embedded links, they are redirected to fake Workday login portals, where credentials are harvested. The stolen information is then used to divert payroll deposits or access sensitive HR data.

As hinted by Microsoft’s internal telemetry and Microsoft Defender XDR findings, these campaigns have been active for weeks, primarily impacting institutions that rely heavily on Microsoft 365 and Workday integration. Microsoft says the group uses automation to scale their phishing operations, sending hundreds of emails per day from compromised .edu addresses.

To help security teams investigate, Microsoft shared Kusto Query Language (KQL) scripts for Microsoft Sentinel and Defender for Endpoint. These allow admins to detect suspicious .edu senders, inbox rule manipulations, and risky sign-ins associated with new MFA methods.

Microsoft recommends immediate tenant-wide phishing audits, enforcing MFA, and deploying the Workday connector for Microsoft Sentinel for enhanced visibility. It also advises checking for malicious inbox rules and URL click events linked to compromised accounts.

Moreover, the company credits Workday’s collaboration in mitigating this threat and urges affected organizations to follow its official security guidance published on the Workday Community portal.

via: Bleeping Computer

Rishaj Upadhyay

News Editor

Rishaj is a tech writer who has been writing professionally for over four years, with a passion for Android, Windows, and all things tech. He initially joined Windows Report as a tech journalist and is now taking over as a news editor. When he’s not breaking the keyboard, you can find him cooking, or listening to music/podcasts.