Anatomy of an AiTM Payroll Heist: The Storm-2657 Campaign
A sophisticated, financially motivated campaign by the threat actor Storm-2657 is actively targeting employee accounts to execute payroll diversion fraud. While this specific operation focuses on HR SaaS platforms, the underlying TTPs—particularly the bypass of non-phishing-resistant multi-factor authentication (MFA)—serve as a critical case study for AI security professionals and red teamers.
The compromise of a single privileged account, whether it guards payroll data or a production LLM environment, follows a similar attack path. This analysis dissects the Storm-2657 campaign observed in the first half of 2025 to provide actionable intelligence for hardening defenses across all critical enterprise systems.
The campaign has been observed targeting a range of US-based organizations, with a notable focus on the higher education sector. The primary objective is to gain unauthorized access to employee profiles within third-party HR SaaS platforms, such as Workday, and reroute salary payments to attacker-controlled accounts. It is crucial to understand that these attacks do not exploit any vulnerability within the Workday platform itself. Instead, they weaponize advanced social engineering and prey on weak identity security controls—specifically, the absence of MFA or the presence of MFA that is susceptible to phishing.
The Attack Chain: From Phishing to Payout
From a red team perspective, Storm-2657’s attack flow is a textbook example of efficient, multi-stage compromise. The actor demonstrates proficiency in initial access, credential harvesting, defense evasion, and persistence to achieve their final objective. While this campaign targets Workday, the same methodology could be trivially adapted to any SaaS platform holding sensitive financial or proprietary data, including AI development platforms or data annotation services.
Phase 1: Initial Access via AiTM Phishing
The entry point is a series of meticulously crafted phishing emails. Storm-2657 leverages adversary-in-the-middle (AiTM) phishing sites to harvest not just credentials but also session cookies and MFA codes in real-time. This technique effectively neutralizes weaker forms of MFA like SMS or push notifications.
Since March 2025, our analysis has identified 11 successfully compromised accounts at three universities. These initial footholds were then weaponized to launch further phishing attacks against nearly 6,000 email accounts across 25 different universities, demonstrating the actor’s ability to scale their operation rapidly. In some cases, links were embedded within Google Docs, a common collaboration tool in academic environments, to lower suspicion and complicate detection by security filters.
The social engineering themes are tailored and designed to evoke urgency and curiosity—tactics that LLMs can now generate with high fidelity at a massive scale:
- Health and Safety Alerts: Emails claim potential exposure to campus illnesses or outbreaks, prompting users to click a link to check their status. In one observed blast, an email sent to 500 individuals within a single organization resulted in approximately 10% of recipients reporting the attempt, indicating the theme’s effectiveness.
- Misconduct Allegations: Lures referencing reports of faculty or staff misconduct trick recipients into clicking a link to see if they are named.
- Impersonated Official Communications: The most targeted theme involves emails impersonating a university president, HR department, or other official entity. The subject lines and content are customized using the target university’s name and branding, discussing topics like compensation, benefits, or shared HR documents.
Phase 2: Account Takeover, Defense Evasion, and Persistence
Upon successfully capturing credentials and MFA codes via AiTM, Storm-2657 gains access to the victim’s Exchange Online account. Their first post-exploitation action is defense evasion.
- Inbox Rule Creation: The actor creates inbox rules to automatically and silently delete warning notification emails from the HR platform (e.g., Workday). This ensures that subsequent changes to payroll information do not trigger an alert to the legitimate user. To further evade detection by security analysts, rule names are often obfuscated using only special characters, such as “….” or “\’\’\’\’”.
- MFA Hijacking: To establish persistence, the actor enrolls their own device (e.g., a phone number) for MFA within the victim’s account settings, either directly in the SaaS platform or through an associated identity provider like Duo. This solidifies their access and removes the dependency on phishing the user for future logins.
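The inbox-rule behaviour described above lends itself to a simple heuristic: a rule whose name contains no letters or digits, combined with conditions that match the HR platform and actions that dispose of the mail silently. The following is an added example, not Microsoft's detection logic and not the Defender or Sentinel queries further down. The record shape is a simplified, constructed stand-in for an Exchange Online New-InboxRule audit row, with the cmdlet parameters given as a list of Name/Value pairs the way the audit log serialises them. The parameter names used (From, SubjectOrBodyContainsWords, DeleteMessage, MoveToFolder, MarkAsRead, StopProcessingRules) are real New-InboxRule parameters; every user, address and value in the samples is invented.

```python
"""Flag New-InboxRule audit events that look like HR-notification suppression.

Added example; the event format is a simplified, constructed stand-in for an
Exchange Online audit record. Not vendor code.
"""
import re
from dataclasses import dataclass

# Terms the campaign suppresses: HR-platform notifications about payroll changes.
HR_TERMS = ("workday", "payroll", "bank details", "direct deposit", "updated", "changed")

# New-InboxRule parameters whose values express a mail-matching condition.
CONDITION_PARAMS = {"From", "FromAddressContainsWords", "SubjectContainsWords",
                    "BodyContainsWords", "SubjectOrBodyContainsWords"}


@dataclass
class InboxRuleEvent:
    user: str
    rule_name: str
    parameters: list  # [{"Name": "...", "Value": "..."}, ...] as in the audit log


def params_to_dict(parameters: list) -> dict:
    """Collapse the audit log's Name/Value list into a {name: value} mapping."""
    return {p["Name"]: str(p["Value"]) for p in parameters}


def is_obfuscated_name(name: str) -> bool:
    """True when the name has no letters or digits at all, e.g. '....' or \"''''\"."""
    return bool(name.strip()) and re.search(r"[A-Za-z0-9]", name) is None


def targets_hr_mail(params: dict) -> bool:
    """True when any matching condition mentions the HR platform or payroll terms."""
    text = " ".join(v for k, v in params.items() if k in CONDITION_PARAMS).lower()
    return any(term in text for term in HR_TERMS)


def hides_mail(params: dict) -> bool:
    """True when matches are disposed of silently: deleted, filed in Deleted Items,
    or marked read so they never surface as unread."""
    if params.get("DeleteMessage", "").lower() == "true":
        return True
    if params.get("MoveToFolder", "").lower().endswith("deleted items"):
        return True
    return params.get("MarkAsRead", "").lower() == "true"


def assess_rule(event: InboxRuleEvent) -> list:
    """Return the reasons a rule looks like notification suppression (empty = benign)."""
    params = params_to_dict(event.parameters)
    reasons = []
    if is_obfuscated_name(event.rule_name):
        reasons.append("rule name is only special characters")
    if targets_hr_mail(params) and hides_mail(params):
        reasons.append("silently disposes of HR/payroll notifications")
    return reasons


def triage(events) -> dict:
    """Map user -> reasons for every event that raised at least one reason."""
    return {e.user: r for e in events if (r := assess_rule(e))}


# Constructed sample events (users, addresses and values are invented).
SAMPLE_EVENTS = [
    InboxRuleEvent("jdoe@university.example", "....",
                   [{"Name": "Name", "Value": "...."},
                    {"Name": "From", "Value": "notifications@workday.example"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "StopProcessingRules", "Value": "True"}]),
    InboxRuleEvent("asmith@university.example", "Newsletters",
                   [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "digest@news.example"},
                    {"Name": "MoveToFolder", "Value": "Inbox\\Newsletters"}]),
    InboxRuleEvent("bwong@university.example", "Cleanup",
                   [{"Name": "Name", "Value": "Cleanup"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "payroll;direct deposit"},
                    {"Name": "MoveToFolder", "Value": "Deleted Items"},
                    {"Name": "MarkAsRead", "Value": "True"}]),
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(reasons))
```

The two checks are deliberately independent: a readable rule name that still bins payroll mail is flagged, and a special-character name is flagged on its own even when the conditions do not mention the HR platform, since the name alone is enough to warrant a look.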
Phase 3: Objective Execution
With persistent and undetected access secured, the actor pivots to the target SaaS application. Leveraging the compromised user’s single sign-on (SSO) session, they access the Workday platform and modify the employee’s direct deposit information, redirecting future salary payments to their own financial accounts.
Investigation and Threat Hunting
Detecting this multi-platform attack requires correlating signals from both email systems and the target SaaS application. A siloed view of either Microsoft Exchange Online or Workday logs would fail to reveal the full attack chain.
Key Investigative Indicators
Within Workday audit logs, look for events corresponding to payroll modifications. Key event names include:
- Change My Account
- Manage Payment Elections
In Exchange Online, hunt for evidence of automated email deletion targeting these notifications. Monitor for a high volume of events like SoftDelete, HardDelete, and MoveToDeletedItems where the subject line contains keywords such as:
- “payroll”
- “bank details”
- “updated”
- “changed”
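The two indicator sets above only become conclusive when they are joined: a payment-election change in Workday by a user whose mailbox, around the same time, deleted the notification about it. The following is an added example of that correlation, not part of the original analysis and not vendor code. Both event streams are constructed and simplified: a Workday audit row (user, time, event name, source IP) and an Exchange mailbox-audit row (user, time, operation, subject). The event names Change My Account and Manage Payment Elections, the operations SoftDelete, HardDelete and MoveToDeletedItems, and the subject keywords are the ones the text names; the users, times, IP addresses and subjects are invented.

```python
"""Correlate Workday payment-election changes with deletions of notification mail.

Added example with constructed events; not part of the original analysis.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

PAYROLL_EVENTS = {"Change My Account", "Manage Payment Elections"}
DELETE_OPS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}
SUBJECT_TERMS = ("payroll", "bank details", "updated", "changed")
WINDOW = timedelta(hours=24)  # how close a deletion must be to the payroll change


@dataclass
class WorkdayEvent:
    user: str
    time: datetime
    event: str
    ip: str


@dataclass
class MailboxEvent:
    user: str
    time: datetime
    operation: str
    subject: str


def suspicious_deletions(mail_events) -> dict:
    """Index deletions of notification-like mail by user."""
    by_user = defaultdict(list)
    for e in mail_events:
        if e.operation in DELETE_OPS and any(t in e.subject.lower() for t in SUBJECT_TERMS):
            by_user[e.user].append(e)
    return by_user


def correlate(workday_events, mail_events, window=WINDOW) -> list:
    """For each payroll change, list the notification deletions by the same user
    within `window` of it. Changes with no deletions are kept (empty list) so the
    analyst still sees them; the ones with deletions are the priority."""
    deletions = suspicious_deletions(mail_events)
    findings = []
    for w in workday_events:
        if w.event not in PAYROLL_EVENTS:
            continue
        nearby = sorted(
            (m for m in deletions.get(w.user, []) if abs(m.time - w.time) <= window),
            key=lambda m: m.time,
        )
        findings.append({"user": w.user, "change": w.event, "change_time": w.time,
                         "ip": w.ip, "suppressed": [m.subject for m in nearby]})
    return findings


def high_priority(findings) -> list:
    """Payroll changes where the user's mailbox also deleted the notification."""
    return [f for f in findings if f["suppressed"]]


T0 = datetime(2025, 4, 2, 14, 0)  # constructed reference time

# Constructed sample data; IPs are from documentation ranges.
WORKDAY_SAMPLE = [
    WorkdayEvent("jdoe@university.example", T0, "Manage Payment Elections", "203.0.113.7"),
    WorkdayEvent("asmith@university.example", T0 + timedelta(hours=1), "Manage Payment Elections", "198.51.100.4"),
    WorkdayEvent("bwong@university.example", T0, "View Profile", "198.51.100.9"),
]
MAILBOX_SAMPLE = [
    MailboxEvent("jdoe@university.example", T0 + timedelta(minutes=3), "SoftDelete", "Your payroll information has been updated"),
    MailboxEvent("jdoe@university.example", T0 + timedelta(minutes=4), "HardDelete", "Bank details changed"),
    MailboxEvent("jdoe@university.example", T0 - timedelta(days=9), "SoftDelete", "Payroll reminder"),  # outside window
    MailboxEvent("asmith@university.example", T0 + timedelta(hours=2), "MoveToDeletedItems", "Lunch on Friday?"),
    MailboxEvent("bwong@university.example", T0, "SoftDelete", "Bank details changed"),
]

if __name__ == "__main__":
    for f in high_priority(correlate(WORKDAY_SAMPLE, MAILBOX_SAMPLE)):
        print(f["user"], f["change"], f["ip"], "| deleted:", f["suppressed"])
```

In the sample, only the first user has both a payment-election change and matching deletions inside the window; the second changed payroll but deleted unrelated mail, and the third deleted a bank-details notification without any payroll event, which a separate mailbox-only rule would still surface.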
Advanced Hunting Queries
For security teams using Microsoft Defender XDR and Microsoft Sentinel, the following queries can be used to proactively hunt for this activity.
Microsoft Defender XDR Queries (KQL)
Review inbox rules created to hide Workday emails:
CloudAppEvents
| where AppName == "Microsoft Exchange Online"
| where ActionType == "New-InboxRule"
| where RawEventData.Parameters has "Workday" and RawEventData.Parameters has "DeleteMessage"
| project Timestamp, AccountDisplayName, RawEventData.Parameters
Review updates to payment information in Workday:
(Requires Defender for Cloud Apps connector for Workday)
CloudAppEvents
| where AppName == "Workday"
| where ActionType in ("Change My Account", "Manage Payment Elections")
| project Timestamp, AccountDisplayName, IPAddress, UserAgent, ActivityObjects
Review new device additions in Workday:
CloudAppEvents
| where AppName == "Workday"
| where ActionType == "Add Device" // Note: ActionType may vary based on exact event logging
| summarize Events = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp), UserAgents = make_set(UserAgent) by AccountDisplayName, IPAddress
Hunt for bulk phishing emails from .edu sender:
EmailEvents
| where SenderFromDomain endswith ".edu"
| summarize RecipientCount = dcount(RecipientEmailAddress) by SenderFromAddress, Subject
| where RecipientCount > 100 // Adjust threshold as needed
Microsoft Sentinel Detections
Malicious Inbox Rule Creation:
OfficeActivity
| where Operation == "New-InboxRule"
| where Parameters has_all ("Deleted Items", "Workday") // Customize keywords as needed
| project TimeGenerated, UserId, ClientIP, Parameters
Risky Sign-in Followed by New MFA Method:
SigninLogs
| where ResultType == "0" and RiskLevelDuringSignIn == "high" // successful, high-risk sign-in (RiskLevelDuringSignIn is a string)
| project SignInTime = TimeGenerated, UserId, UserPrincipalName, IPAddress, Location
| join kind=inner (
    AuditLogs
    | where OperationName == "User registered security info"
    | extend UserId = tostring(TargetResources[0].id) // object id of the account that registered the method
    | project RegistrationTime = TimeGenerated, UserId, OperationName, ResultDescription
) on UserId
| where RegistrationTime between (SignInTime .. (SignInTime + 24h)) // registration shortly after the risky sign-in
| project SignInTime, RegistrationTime, UserPrincipalName, IPAddress, Location, OperationName, ResultDescription
Mitigation and Strategic Recommendations
Defending against threats like Storm-2657 requires a strategic shift in identity security, moving beyond legacy controls to a modern, phishing-resistant posture. This is not just about protecting payroll; it’s about securing the “keys to the kingdom” for every critical system, including AI models, training data, and MLOps pipelines.
1. Enforce Phishing-Resistant MFA
The single most effective mitigation is to mandate the use of phishing-resistant MFA. These methods are not vulnerable to AiTM attacks because authentication is a cryptographic challenge-response between the user’s device and the service provider, bound to the legitimate site’s origin: a proxy sitting at a look-alike domain cannot obtain an assertion that the real service will accept, and there is no code for the user to type and the attacker to relay. Prioritize deployment for all users, especially privileged roles like administrators, developers, and data scientists.
- FIDO2 Security Keys: Hardware tokens providing the strongest form of authentication.
- Windows Hello for Business: Biometric or PIN-based authentication tied to trusted hardware.
- Certificate-Based Authentication: A robust method for managed devices.
- Microsoft Authenticator passkeys: A modern, passwordless standard.
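The origin binding that makes these methods phishing-resistant is easier to see in code. The following is an added example, not from the original analysis and not a real WebAuthn implementation. It mirrors the structure of a WebAuthn assertion: the authenticator signs authenticatorData concatenated with SHA-256(clientDataJSON), and clientDataJSON carries the server’s challenge plus the origin the browser actually connected to. HMAC-SHA256 with a per-credential secret stands in for the ECDSA key pair a real authenticator holds (an assumption made so the block runs without third-party libraries); the relying-party checks are the ones the standard requires. The origins and RP ID are constructed.

```python
"""Why an AiTM proxy cannot relay a FIDO2/passkey assertion: origin binding.

Added example; HMAC stands in for the authenticator's asymmetric signature.
Origins and the RP ID are constructed. Not a real WebAuthn library.
"""
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://login.university.example"   # constructed relying-party origin
PROXY_ORIGIN = "https://login-university.example"   # constructed look-alike proxy host
RP_ID = "university.example"                        # constructed RP ID


class Authenticator:
    """Holds the credential secret and signs whatever origin the browser reports."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)  # stand-in for the private key
        self.counter = 0

    def get_assertion(self, challenge: str, origin: str) -> dict:
        # The browser, not the user, fills in origin: it is the site actually connected to.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        self.counter += 1
        # authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4)
        auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + struct.pack(">I", self.counter)
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return {
            "clientDataJSON": client_data,
            "authenticatorData": auth_data,
            "signature": hmac.new(self.secret, to_sign, "sha256").digest(),
        }


class RelyingParty:
    """Verifies assertions for exactly one origin, using the registered credential."""

    def __init__(self, origin: str, credential_secret: bytes):
        self.origin = origin
        self.credential_secret = credential_secret  # stand-in for the stored public key
        self.outstanding = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> tuple:
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get":
            return False, "unexpected ceremony type"
        if cd.get("challenge") not in self.outstanding:
            return False, "unknown or replayed challenge"
        if cd.get("origin") != self.origin:
            # The proxy relayed a genuine challenge, but the browser signed the proxy's origin.
            return False, f"origin mismatch: {cd.get('origin')}"
        to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.credential_secret, to_sign, "sha256").digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        self.outstanding.discard(cd["challenge"])  # single use
        return True, "ok"


def direct_login(rp: RelyingParty, auth: Authenticator) -> tuple:
    """User at the real site: the browser reports LEGIT_ORIGIN."""
    return rp.verify(auth.get_assertion(rp.new_challenge(), LEGIT_ORIGIN))


def relayed_login(rp: RelyingParty, auth: Authenticator) -> tuple:
    """User on a proxied page: the real challenge is forwarded unchanged, but the
    victim's browser is connected to PROXY_ORIGIN and records that in clientDataJSON."""
    return rp.verify(auth.get_assertion(rp.new_challenge(), PROXY_ORIGIN))


if __name__ == "__main__":
    auth = Authenticator()
    rp = RelyingParty(LEGIT_ORIGIN, auth.secret)
    print("direct :", direct_login(rp, auth))
    print("relayed:", relayed_login(rp, auth))
```

The contrast with SMS or push approval is that those factors produce a value (a code, a tap) with no origin inside it, so the service cannot tell whether the user was on the real page or a relayed one; here the origin is part of what is signed, and the relying party refuses anything signed for a different one.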
2. Harden SaaS and Email Security
Implement security controls to detect and block suspicious behavior at the earliest stages of the attack chain.
- Conditional Access Policies: Enforce strict access controls based on user, device health, location, and risk signals. Block sign-ins from non-compliant devices or anomalous locations.
- SaaS Security Posture Management (SSPM): Use tools to continuously monitor SaaS applications for misconfigurations, suspicious user activity, and potential threats.
- Advanced Email Filtering: Deploy solutions that can detect and block sophisticated phishing attempts, including those using legitimate services like Google Docs for redirection.
3. Continuous Monitoring and User Education
Assume compromise and hunt relentlessly. The provided queries are a starting point. Develop a robust threat hunting program that looks for anomalies in user behavior across your entire digital estate. While technical controls are paramount, continue to train users to recognize and report sophisticated social engineering attempts. An informed user who reports a phish is a powerful human sensor in your defense-in-depth strategy.