Hackers Target University Payrolls in Sophisticated Microsoft 365 Phishing Scheme

By Medha Cloud Security Desk
A new wave of phishing attacks is targeting higher-education institutions across the United States, exploiting trust in Microsoft 365 login pages to compromise employee accounts and divert payroll funds, according to Microsoft Threat Intelligence.
Dubbed Storm-2657, the campaign uses adversary-in-the-middle (AiTM) phishing kits capable of intercepting multifactor-authentication (MFA) tokens in real time. Once credentials and session cookies are captured, attackers quietly access HR platforms such as Workday, update direct-deposit details, and reroute salaries to attacker-controlled bank accounts.
Security analysts from ITPro note that this campaign combines phishing, session hijacking, and cloud identity abuse in a single workflow — even employees who use MFA remain vulnerable when malicious intermediaries steal authentication tokens.
Microsoft’s report highlights that universities are prime targets due to decentralized IT environments, extensive user bases, and shared domain configurations across departments — factors that make phishing lures appear authentic and credential reuse common.
Experts recommend tightening conditional-access policies, deploying phishing-resistant MFA such as FIDO2 security keys, and enabling continuous monitoring through Microsoft Defender for Office 365 or similar solutions. In multiple confirmed incidents, administrators found unauthorized OAuth apps and malicious token registrations created within university tenants.
The broader implication extends beyond academia. The same AiTM toolkit can easily be reused against corporate and government users of Microsoft 365. As attackers automate credential theft and session proxying, security leaders are urged to prioritize identity hardening and real-time session validation to contain future breaches.
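The session validation described above can be illustrated with a small detection routine. This is an added example, not code from Microsoft's report or from this article; the event fields, user names, and network ranges are constructed assumptions rather than a real Entra ID or Workday log schema. It flags direct-deposit changes made from a session that either started outside known networks or moved to a new address after sign-in.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data. Field names and values are assumptions for this
# example, not a real Entra ID or Workday log schema.
KNOWN_NETWORKS = [ip_network("198.51.100.0/24")]  # campus/VPN egress ranges
EVENTS = [  # (time, user, session_id, source_ip, action), sorted by time
    ("09:00", "alice", "s1", "198.51.100.20", "sign_in"),
    ("09:05", "alice", "s1", "198.51.100.20", "direct_deposit_change"),
    ("10:00", "bob", "s2", "203.0.113.7", "sign_in"),
    ("10:12", "bob", "s2", "203.0.113.7", "direct_deposit_change"),
    ("11:00", "carol", "s3", "198.51.100.30", "sign_in"),
    ("11:20", "carol", "s3", "203.0.113.9", "direct_deposit_change"),
    ("12:00", "dave", "s4", "203.0.113.40", "sign_in"),
]
SENSITIVE = {"direct_deposit_change"}


def is_known(ip):
    """True when the address falls inside a known egress range."""
    return any(ip_address(ip) in net for net in KNOWN_NETWORKS)


def find_suspicious_payroll_changes(events):
    """Return (time, user, reason) for payroll edits made from risky sessions."""
    session_ips = {}  # session_id -> source IPs seen so far, in order
    findings = []
    for time, user, session, ip, action in events:
        seen = session_ips.setdefault(session, [])
        if ip not in seen:
            seen.append(ip)
        # Only sensitive actions from outside known networks are reported.
        if action not in SENSITIVE or is_known(ip):
            continue
        if seen[0] != ip:
            # Same session token, different address than at sign-in.
            reason = f"session {session} moved from {seen[0]} to {ip}"
        else:
            reason = f"session {session} started from unknown network {ip}"
        findings.append((time, user, reason))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_payroll_changes(EVENTS):
        print(*finding, sep=" | ")
```

In an AiTM flow the sign-in itself reaches the identity provider from the proxy's address, which is why a session that starts outside known ranges is reported as well as one that changes address mid-session.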