Microsoft warns of new “Payroll Pirate” scam stealing employees’ direct deposits

Microsoft is warning of a new scam called "Payroll Pirate" that targets employees by diverting their paychecks to attacker-controlled accounts. The scammers gain access to victims' HR portals through phishing emails that trick recipients into providing login credentials. By using adversary-in-the-middle tactics, the attackers intercept multi-factor authentication codes to access the victims' accounts. To prevent such attacks, Microsoft recommends adopting FIDO-compliant forms of MFA. The scammers manipulate payroll configurations within cloud-based HR services like Workday to reroute direct deposits to their accounts. Microsoft observed successful compromises at universities, leading to phishing emails being sent to thousands of accounts.