Microsoft has issued a warning about a large-scale phishing campaign dubbed “Payroll Pirate.” According to the published advisory, the phishing attack is actively targeting universities and educational institutions across the United States. The attackers aim to compromise Workday accounts used for managing payroll and HR systems.

Microsoft says the attackers use spoofed .edu email domains to impersonate trusted university accounts and send phishing messages to staff.

Once users click on the embedded links, they are redirected to fake Workday login portals, where credentials are harvested. The stolen information is then used to divert payroll deposits or access sensitive HR data.

According to Microsoft’s internal telemetry and Microsoft Defender XDR findings, these campaigns have been active for weeks, primarily impacting institutions that rely heavily on Microsoft 365 and Workday integration. Microsoft says the group uses automation to scale its phishing operations, sending hundreds of emails per day from compromised .edu addresses.

To help security teams investigate, Microsoft shared Kusto Query Language (KQL) scripts for Microsoft Sentinel and Defender for Endpoint. These allow admins to detect suspicious .edu senders, inbox rule manipulations, and risky sign-ins associated with new MFA methods.

Microsoft recommends immediate tenant-wide phishing audits, enforcing MFA, and deploying the Workday connector for Microsoft Sentinel for enhanced visibility. It also advises checking for malicious inbox rules and URL click events linked to compromised accounts.
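The three signals the advisory tells defenders to hunt for (a click on a spoofed Workday link, a newly registered MFA method, and an inbox rule that hides payroll or HR mail) are most telling when they cluster on one account. The following is an added example, not Microsoft’s KQL or Workday code: it correlates those signals per user over a set of constructed audit records whose field names and operation strings are assumptions loosely modelled on Microsoft 365 audit logs.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (not a real export). Field names and the
# operation strings are assumptions loosely modelled on Microsoft 365 audit logs.
EVENTS = [
    {"time": "2025-10-01T09:02:00", "user": "jdoe@uni.edu",
     "op": "UrlClick", "detail": "https://workday-sso.example.invalid/login"},
    {"time": "2025-10-01T09:10:00", "user": "jdoe@uni.edu",
     "op": "User registered security info", "detail": "Authenticator App"},
    {"time": "2025-10-01T09:15:00", "user": "jdoe@uni.edu",
     "op": "New-InboxRule", "detail": "SubjectContainsWords=payroll,workday;DeleteMessage=True"},
    {"time": "2025-10-01T11:00:00", "user": "asmith@uni.edu",
     "op": "New-InboxRule", "detail": "SubjectContainsWords=newsletter;MoveToFolder=Archive"},
    {"time": "2025-09-20T08:00:00", "user": "bchen@uni.edu",
     "op": "User registered security info", "detail": "Phone"},
]

PAYROLL_WORDS = ("payroll", "workday", "direct deposit")
HIDING_ACTIONS = ("DeleteMessage=True", "MarkAsRead=True", "MoveToFolder", "ForwardTo")
RULE_OPS = ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules")

def is_suspicious_rule(detail):
    """A rule is suspicious if it filters on payroll/HR terms AND hides or redirects mail."""
    d = detail.lower()
    return any(w in d for w in PAYROLL_WORDS) and any(a.lower() in d for a in HIDING_ACTIONS)

def signal_for(event):
    """Map one audit record to one of the three campaign signals, or None."""
    op, detail = event["op"], event["detail"]
    if op == "UrlClick" and "workday" in detail.lower():
        return "url_click"
    if op == "User registered security info":
        return "new_mfa"
    if op in RULE_OPS and is_suspicious_rule(detail):
        return "suspicious_rule"
    return None

def correlate(events, window_hours=24):
    """Return {user: set(signals)} for users with 2+ distinct signals inside the window."""
    per_user = {}
    for e in sorted(events, key=lambda e: e["time"]):
        sig = signal_for(e)
        if sig:
            per_user.setdefault(e["user"], []).append((datetime.fromisoformat(e["time"]), sig))
    flagged = {}
    for user, hits in per_user.items():
        for i, (t0, _) in enumerate(hits):
            sigs = {s for t, s in hits[i:] if t - t0 <= timedelta(hours=window_hours)}
            if len(sigs) >= 2:
                flagged[user] = flagged.get(user, set()) | sigs
    return flagged

if __name__ == "__main__":
    for user, sigs in correlate(EVENTS).items():
        print(user, sorted(sigs))  # flags jdoe@uni.edu only
```

A single signal on its own (bchen's new phone method, asmith's newsletter rule) is left alone; only the account showing the campaign's full click-then-MFA-then-rule sequence is flagged.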

Moreover, the company credits Workday’s collaboration in mitigating this threat and urges affected organizations to follow its official security guidance published on the Workday Community portal.