Microsoft is warning organizations about an active campaign dubbed “Payroll Pirate” that hijacks employee accounts on cloud HR platforms and diverts direct-deposit paychecks, Ars Technica reported.
According to a new advisory cited by the news outlet, the operation begins with phishing emails that impersonate workplace communications and funnel victims to attacker-hosted sign-in pages. Using adversary-in-the-middle (AiTM) techniques, the scammers intercept usernames, passwords, and multi-factor authentication (MFA) codes and immediately replay them to the real HR service to take over accounts.
Once authenticated, the intruders change payroll settings to substitute their own bank details and then create email inbox rules to hide security alerts about the changes. In some cases, Microsoft says, the attackers also add their own phone numbers as recovery options, helping them maintain access.
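The inbox-rule step described above leaves a trace a defender can search for. The following is an added example, not code from Microsoft's advisory or the Ars Technica report: it scans constructed audit records, assumed to be shaped like Exchange Online audit entries for `New-InboxRule`/`Set-InboxRule`, for rules that delete or move mail matching payroll-related terms. The watch terms, users and domains are assumptions to be replaced with your HR platform's real notification sender and subjects.

```python
import json

# Assumption: terms expected in the HR platform's change notifications.
WATCH_TERMS = ("payroll", "direct deposit", "hr-platform.example")
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
CONDITION_PARAMS = ("SubjectContainsWords", "SubjectOrBodyContainsWords",
                    "BodyContainsWords", "From", "FromAddressContainsWords")

# Constructed sample records (one JSON object per line), not real log data.
SAMPLE_LOG = [
    '{"Operation":"New-InboxRule","UserId":"alice@uni.example","Parameters":['
    '{"Name":"SubjectContainsWords","Value":"Payroll;Direct Deposit"},'
    '{"Name":"DeleteMessage","Value":"True"}]}',
    '{"Operation":"New-InboxRule","UserId":"bob@uni.example","Parameters":['
    '{"Name":"From","Value":"newsletter@vendor.example"},'
    '{"Name":"MoveToFolder","Value":"Newsletters"}]}',
    '{"Operation":"Set-InboxRule","UserId":"carol@uni.example","Parameters":['
    '{"Name":"FromAddressContainsWords","Value":"hr-platform.example"},'
    '{"Name":"MoveToFolder","Value":"Archive"}]}',
    '{"Operation":"MailItemsAccessed","UserId":"dave@uni.example"}',
]

def hiding_action(params):
    """Return the rule action that takes mail out of the inbox, or None."""
    if params.get("DeleteMessage", "").lower() == "true":
        return "DeleteMessage"
    if params.get("MoveToFolder"):
        return "MoveToFolder=" + params["MoveToFolder"]
    return None

def find_alert_hiding_rules(lines):
    """Flag rule changes that both hide mail and filter on a watch term."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPS:
            continue  # not an inbox-rule change
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        action = hiding_action(params)
        if action is None:
            continue  # rule does not remove mail from view
        text = " ".join(params.get(k, "") for k in CONDITION_PARAMS).lower()
        hits = sorted(t for t in WATCH_TERMS if t in text)
        if hits:
            findings.append({"user": rec["UserId"], "action": action, "matched": hits})
    return findings

if __name__ == "__main__":
    for finding in find_alert_hiding_rules(SAMPLE_LOG):
        print(finding)
```

A hit is a lead for review rather than proof of compromise; pairing it with a recent change to the same user's payroll details or recovery phone number narrows it to the pattern the advisory describes.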
Microsoft said the campaign has targeted universities with realistic lures since March 2025, compromising 11 accounts across three institutions and using them to send nearly 6,000 phishing emails to users at 25 universities. Themes include fake disease-exposure notices and benefits updates, each linked to a counterfeit login page, according to the report.
Read more at Ars Technica
