'Payroll Pirates' target US universities, Microsoft warns

"However, it's important to note that any SaaS systems storing HR or payment and bank account information could be easily targeted with the same technique," Microsoft researchers said. "These attacks don't represent any vulnerability in the Workday platform or products, but rather financially motivated threat actors using sophisticated social engineering tactics and taking advantage of the complete lack of multifactor authentication (MFA) or lack of phishing-resistant MFA to compromise accounts."
"This particular Payroll Pirate scheme highlights just how advanced phishing has become," he said. "Instead of using generic malicious links, the attackers are tailoring messages with university-specific language to increase their credibility, and they are using techniques to steal MFA credentials. That level of targeting means that traditional anti-spam or signature-based filters are often insufficient in detecting their malicious behavior."
Microsoft identified Storm-2657 targeting university employees with adversary-in-the-middle phishing links designed to capture MFA codes. The attackers sought access to third-party HR SaaS platforms such as Workday to view employee profiles and change bank details so that salary payments could be redirected to accounts they control. Since March, 11 compromised accounts at three universities have been observed sending phishing messages to nearly 6,000 addresses across 25 universities. The messages referenced campus illnesses, outbreaks, reports, or disciplinary proceedings to increase credibility. The attackers exploit the absence of phishing-resistant MFA, and traditional anti-spam or signature-based filters often fail to stop these campaigns.
Read at IT Pro